After installing an IPA client, the /etc/openldap/ldap.conf file looks something like:
#File modified by ipa-client-install
URI ldaps://ipa.example.com
BASE dc=example,dc=com
TLS_CACERT /etc/ipa/ca.crt
Unfortunately, this alters the default use of command line ldapsearch and other tools in terms of accessing other non-IPA ldap servers with TLS. In my own environment, what I've been doing for every client is adding
TLS_CACERTDIR /etc/mss/certs
with /etc/pki/tls/certs/ca-bundle.crt linked into that directory, then using /usr/sbin/cacertdir_rehash from authconfig to hash the directory.
This seems to work well.
What I'm wondering is whether it would be possible for ipa-client-install to do this by default.
Thanks for the consideration.
Related ticket: #3582.
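As an added example, not code from this ticket or from FreeIPA, the following POSIX shell script performs the reporter's three steps (append TLS_CACERTDIR, link the CA bundle into that directory, run cacertdir_rehash when it is installed) with every path taken as a parameter, so it can be rehearsed on a scratch directory before touching /etc. The ldap.conf it writes in demo() is constructed from the snippet above; /etc/mss/certs is only the reporter's own choice of directory and is not assumed here.

```shell
#!/bin/sh
# Added example, not code from the ticket or from FreeIPA. It scripts the
# reporter's workaround (TLS_CACERTDIR + linked CA bundle + rehash) against
# files under a directory of the caller's choosing so it can be rehearsed
# outside /etc. On a real client the paths would be /etc/openldap/ldap.conf
# and a directory such as /etc/mss/certs; both are parameters here.
set -eu

# Append "TLS_CACERTDIR <dir>" to an ldap.conf, once. TLS_CACERT is left in
# place so the IPA server itself keeps verifying against /etc/ipa/ca.crt.
add_cacertdir() {
    conf=$1
    dir=$2
    if grep -q '^TLS_CACERTDIR[[:space:]]' "$conf"; then
        return 0
    fi
    printf 'TLS_CACERTDIR %s\n' "$dir" >>"$conf"
}

# Link the system CA bundle into the directory, then hash it. The hashing
# tool is only run when present; nothing else in this script depends on it.
populate_cacertdir() {
    dir=$1
    bundle=$2
    mkdir -p "$dir"
    ln -sfn "$bundle" "$dir/$(basename "$bundle")"
    if command -v cacertdir_rehash >/dev/null 2>&1; then
        cacertdir_rehash "$dir"       # from authconfig, as in the ticket
    else
        echo "cacertdir_rehash not found; hash $dir by hand" >&2
    fi
}

# Print the value of one ldap.conf directive (first match only), so the
# result can be inspected without running ldapsearch against a server.
ldapconf_get() {
    awk -v key="$2" '$1 == key { print $2; exit }' "$1"
}

# Rehearsal on a scratch tree: an ldap.conf shaped like the one
# ipa-client-install writes (constructed here) and an empty stand-in for
# /etc/pki/tls/certs/ca-bundle.crt. Prints the scratch root.
demo() {
    root=$(mktemp -d)
    mkdir -p "$root/openldap" "$root/pki"
    cat >"$root/openldap/ldap.conf" <<'EOF'
#File modified by ipa-client-install
URI ldaps://ipa.example.com
BASE dc=example,dc=com
TLS_CACERT /etc/ipa/ca.crt
EOF
    : >"$root/pki/ca-bundle.crt"
    add_cacertdir "$root/openldap/ldap.conf" "$root/certs"
    add_cacertdir "$root/openldap/ldap.conf" "$root/certs"   # second call is a no-op
    populate_cacertdir "$root/certs" "$root/pki/ca-bundle.crt" 2>/dev/null
    echo "$root"
}
```

Running `demo` leaves TLS_CACERT untouched and adds exactly one TLS_CACERTDIR line, which is the state the ticket asks ipa-client-install to produce; on a real client, point the same functions at /etc/openldap/ldap.conf and the chosen certificate directory.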
Fixing together with #3582
Metadata Update from @amessina:
- Issue assigned to someone
- Issue set to the milestone: Future Releases