This is a follow-up to changes done in #4521. FreeIPA server now allows entryusn and modifytimestamp by default for all entries. However, as tracked in RHEL downstream Bugzilla, older SSSD clients break, as when they do a deref call for an authenticating user, they get entryusn but not the objectclass attribute.
It would make sense for FreeIPA to either show objectclass, entryusn and modifytimestamp for all entries or for none of them. Without this change, all unpatched SSSD clients will not be able to talk to a FreeIPA 4.0.x server (or its replicas).
Discussed on freeipa-devel thread.
Starting review
This is blocking Fedora 21, it needs to be fixed in 4.0.x.
master:
ipa-4-1:
ipa-4-0:
Fedora bug: https://bugzilla.redhat.com/show_bug.cgi?id=1141334
Linked to Bugzilla bug: https://bugzilla.redhat.com/show_bug.cgi?id=1141334 (Fedora)
Metadata Update from @mkosek: - Issue assigned to pviktori - Issue set to the milestone: FreeIPA 4.0.3