From 2192db58db9d4c34fead83d2f4738cbf7cdd1ee3 Mon Sep 17 00:00:00 2001
From: Patrick Uiterwijk <puiterwijk@redhat.com>
Date: Tue, 20 Dec 2016 08:06:46 +0000
Subject: [PATCH] Allow id.fp.o use

Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com>
---
 roles/ipa/server/files/use_id_fp_o.ldif | 4 ++++
 roles/ipa/server/tasks/main.yml         | 2 ++
 2 files changed, 6 insertions(+)
 create mode 100644 roles/ipa/server/files/use_id_fp_o.ldif

diff --git a/roles/ipa/server/files/use_id_fp_o.ldif b/roles/ipa/server/files/use_id_fp_o.ldif
new file mode 100644
index 0000000000..e24ebf974e
--- /dev/null
+++ b/roles/ipa/server/files/use_id_fp_o.ldif
@@ -0,0 +1,4 @@
+dn: cn=ipa-http-delegation,cn=s4u2proxy,cn=etc,dc=fedoraproject,dc=org
+changetype: modify
+add: memberPrincipal
+memberPrincipal: HTTP/id.fedoraproject.org@FEDORAPROJECT.ORG
diff --git a/roles/ipa/server/tasks/main.yml b/roles/ipa/server/tasks/main.yml
index 77821b77cf..dba9915dd1 100644
--- a/roles/ipa/server/tasks/main.yml
+++ b/roles/ipa/server/tasks/main.yml
@@ -203,6 +203,7 @@
   with_items:
   - grant_anonymous_replication_view.ldif
   - grant_fas_sync.ldif
+  - use_id_fp_o.ldif
   tags:
   - ipa/server
   - config
@@ -212,6 +213,7 @@
            -f /root/ldif/{{item}}.ldif
   with_items:
   - grant_fas_sync
+  - use_id_fp_o
   when: inventory_hostname.startswith("ipa01")
   tags:
   - ipa/server