Always require SSL in the Kerberos authorization block.

This also corrects a slight bug where if add is True then we always
re-update the file.

https://fedorahosted.org/freeipa/ticket/1755

install/conf/ipa.conf

@@ -1,5 +1,5 @@
 #
-# VERSION 2 - DO NOT REMOVE THIS LINE
+# VERSION 3 - DO NOT REMOVE THIS LINE
 #
 # LoadModule auth_kerb_module modules/mod_auth_kerb.so
 
@@ -45,6 +45,7 @@ WSGIScriptReloading Off
 
 # Protect /ipa with Kerberos
 <Location "/ipa">
+  NSSRequireSSL
   AuthType Kerberos
   AuthName "Kerberos Login"
   KrbMethodNegotiate on

install/tools/ipa-upgradeconfig

@@ -116,7 +116,7 @@ def upgrade(sub_dict, filename, template, add=False):
     if new < 0:
         print "%s not found." % template
 
-    if old < new or add:
+    if old < new:
         backup_file(filename, new)
         update_conf(sub_dict, filename, template)
         print "Upgraded %s to version %d" % (filename, new)