[Freeipa-devel] [freeipa] #3668: CA-less install fails when intermediate CA is used

[John Dennis]

On 06/07/2013 08:57 AM, Jan Cholasta wrote:
> Yes, this is correct. The DS certificate must be directly signed by the
> CA trusted by IPA (specified by --root-ca-cert in ipa-server-install),
> there may be no intermediate CAs, because ldapsearch and friends and
> python-ldap don't like them.

That doesn't sound right. Do we understand why a chain length > 1 is 
failing?

John