Set nsslapd-minssf-exclude-rootdse to on so the DSE is always available.

If minssf is set in configuration and this is not set then clients won't
be able to detect the available namingContexts, defaultNamingContext,
capabilities, etc.

https://fedorahosted.org/freeipa/ticket/2542

install/updates/10-config.update

@@ -38,3 +38,7 @@ only:nsslapd-anonlimitsdn:'cn=anonymous-limits,cn=etc,$SUFFIX'
 # doesn't support it generates a non-fatal error.
 dn: cn=config
 add:nsslapd-defaultNamingContext:'$SUFFIX'
+
+# Allow the root DSE to be searched even with minssf set
+dn: cn=config
+only:nsslapd-minssf-exclude-rootdse:on

ipaserver/ipaldap.py

@@ -540,7 +540,7 @@ class IPAdmin(IPAEntryLDAPObject):
 
         # Some attributes, like those in cn=config, need to be replaced
         # not deleted/added.
-        FORCE_REPLACE_ON_UPDATE_ATTRS = ('nsslapd-ssl-check-hostname', 'nsslapd-lookthroughlimit', 'nsslapd-idlistscanlimit', 'nsslapd-anonlimitsdn')
+        FORCE_REPLACE_ON_UPDATE_ATTRS = ('nsslapd-ssl-check-hostname', 'nsslapd-lookthroughlimit', 'nsslapd-idlistscanlimit', 'nsslapd-anonlimitsdn', 'nsslapd-minssf-exclude-rootdse')
         modlist = []
 
         old_entry = ipautil.CIDict(old_entry)