Upstream ticket: https://fedorahosted.org/freeipa/ticket/4534 This is a follow up to changes done in #4521. FreeIPA server now allow by default entryusn and modifytimestamp for all entries. However, as tracked in RHEL downstream Bugzilla, older SSSD clients break as when they do deref call for authenticating user, they get entryusn, but not objectclass attribute. It would make sense for FreeIPA to either show objectclass, entryusn and modifytimestamp for all entries or for none of them. Without this change, all unpatched SSSD clients will not be able talk to FreeIPA 4.0.x server (or it's replicas).
Fixed in upstream 4.0.3
Upstream ticket: https://fedorahosted.org/freeipa/ticket/4534
python-qrcode-5.0.1-1.fc21, freeipa-4.0.3-1.fc21, 389-ds-base-1.3.3.3-1.fc21 has been submitted as an update for Fedora 21. https://admin.fedoraproject.org/updates/FEDORA-2014-10811/389-ds-base-1.3.3.3-1.fc21,python-qrcode-5.0.1-1.fc21,freeipa-4.0.3-1.fc21
Package freeipa-4.0.3-1.fc21, 389-ds-base-1.3.3.3-1.fc21, python-qrcode-5.0.1-2.fc21: * should fix your issue, * was pushed to the Fedora 21 testing repository, * should be available at your local mirror within two days. Update it with: # su -c 'yum update --enablerepo=updates-testing freeipa-4.0.3-1.fc21 389-ds-base-1.3.3.3-1.fc21 python-qrcode-5.0.1-2.fc21' as soon as you are able to. Please go to the following url: https://admin.fedoraproject.org/updates/FEDORA-2014-10811/389-ds-base-1.3.3.3-1.fc21,python-qrcode-5.0.1-2.fc21,freeipa-4.0.3-1.fc21 then log in and leave karma (feedback).
freeipa-4.0.3-1.fc21, 389-ds-base-1.3.3.3-1.fc21, python-qrcode-5.0.1-2.fc21 has been pushed to the Fedora 21 stable repository. If problems still persist, please make note of it in this bug report.