FWIW this was entirely down to a problem in the GCDS tool (or my use of it). Although GCDS bundles its own JRE and keystore, it had defaulted to using the system JRE and keystore. Adding "-Djavax.net.ssl.trustStore=/opt/GoogleCloudDirSync/jre/lib/security/cacerts" to config-manager.vmoptions (in the GCDS base directory) got it working (after adding the CA cert).
I imagine using the GCDS documented method of adding a CA (but referencing the system keystore) would have a similar result.