From f80ccb1a3c85afd8d5aa03191ef5c323a35293de Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy
Date: Tue, 19 Jul 2011 16:07:05 +0300
Subject: [PATCH] Fix sssd.conf to always have IPA certificate for the domain. Fixes https://fedorahosted.org/freeipa/ticket/1476 SSSD will need TLS for checking if ipaMigrationEnabled attribute is set Note that SSSD will force StartTLS because the channel is later used for authentication as well if password migration is enabled. Thus set the option unconditionally.
---
 ipa-client/ipa-install/ipa-client-install | 6 ++++++
 1 files changed, 6 insertions(+), 0 deletions(-)
diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install
index 07459bfd65c93bdf0f435c571d8e68a1856e30e5..4610583d7a314ba0fa67ed86d243ea4676ba39b4 100755
--- a/ipa-client/ipa-install/ipa-client-install
+++ b/ipa-client/ipa-install/ipa-client-install
@@ -550,6 +550,12 @@ def configure_sssd_conf(fstore, cli_realm, cli_domain, cli_server, options):
 domain.set_option('cache_credentials', True)
+ # SSSD will need TLS for checking if ipaMigrationEnabled attribute is set
+ # Note that SSSD will force StartTLS because the channel is later used for
+ # authentication as well if password migration is enabled. Thus set the option
+ # unconditionally.
+ domain.set_option('ldap_tls_cacert', '/etc/ipa/ca.crt')
+
 if options.dns_updates:
 domain.set_option('ipa_dyndns_update', True)
 if options.krb5_offline_passwords:
--
1.7.6
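Review bot: The added `domain.set_option('ldap_tls_cacert', '/etc/ipa/ca.crt')` points SSSD at a hard-coded trust anchor, and nothing in this hunk checks that the file exists or how it was obtained. If the certificate has not been written by the time `configure_sssd_conf` runs, the StartTLS that the new comment describes will fail; if it was fetched over an unauthenticated channel, verification succeeds against an anchor nobody vetted. Neither case is visible here, so both should be confirmed against the caller. Consider guarding the call with something like `if not os.path.isfile('/etc/ipa/ca.crt'):` (assuming `os` is already imported) and aborting the install with a clear error. If the script names this path elsewhere, a single constant such as `CACERT = '/etc/ipa/ca.crt'` would keep the locations from drifting apart. The body of `configure_sssd_conf` starts and ends outside the hunk.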