Set nsslapd-minssf-exclude-rootdse to on so the DSE is always available.
If minssf is set in configuration and this is not set then clients won't
be able to detect the available namingContexts, defaultNamingContext,
capabilities, etc.
https://fedorahosted.org/freeipa/ticket/2542