An issue was encountered with FreeIPA where mods for the unhashed#user#password attribute are removed from the mods list before their 389 DS password policy plug-in is called. This plug-in expects the unhashed#user#password mod to be present. After some investigation, it turns out that we correctly move the cleartext password into an unhashed#user#password mod just before we call the preop plug-ins in modify.c. By the time the FreeIPA password policy plug-in is called, the unhashed#user#password mod has been removed from the list of mods. It turns out that this happens when the FreeIPA UUID plug-in passes the mods out and resets them in the pblock: ----------------------------------------------------------- (gdb) c Continuing. [Switching to Thread 0x7f36667e4700 (LWP 1862)] Hardware watchpoint 7: pb->pb_op->o_params.p.p_modify.modify_mods[9] Old value = (LDAPMod *) 0x7f36993eb140 New value = (LDAPMod *) 0x0 slapi_ch_free (ptr=ptr@entry=0x7f3699776098) at ldap/servers/slapd/ch_malloc.c:365 365 if(!counters_created) (gdb) bt #0 slapi_ch_free (ptr=ptr@entry=0x7f3699776098) at ldap/servers/slapd/ch_malloc.c:365 #1 0x00007f3698929834 in pack_mods (modsp=modsp@entry=0x7f3699a144f0) at ldap/servers/slapd/modutil.c:504 #2 0x00007f369892a01e in slapi_mods_get_ldapmods_passout (smods=0x7f3699a144f0) at ldap/servers/slapd/modutil.c:545 #3 0x00007f368dd16bb1 in ipauuid_pre_op (pb=<optimized out>, modtype=4) at ipa_uuid.c:1180 #4 0x00007f3698936255 in plugin_call_func (list=0x7f369945c080, operation=operation@entry=405, pb=pb@entry=0x7f36999641c0, call_one=call_one@entry=0) at ldap/servers/slapd/plugin.c:1453 #5 0x00007f36989363ba in plugin_call_list (pb=0x7f36999641c0, operation=405, list=<optimized out>) at ldap/servers/slapd/plugin.c:1415 #6 plugin_call_plugins (pb=pb@entry=0x7f36999641c0, whichfunction=whichfunction@entry=405) at ldap/servers/slapd/plugin.c:398 #7 0x00007f36989267dd in op_shared_modify (pb=pb@entry=0x7f36999641c0, pw_change=pw_change@entry=1, old_pw=0x0) at ldap/servers/slapd/modify.c:1052 #8 0x00007f3698927db2 in do_modify (pb=0x7f36999641c0) at ldap/servers/slapd/modify.c:415 #9 0x00007f3698df4d58 in connection_threadmain () at ldap/servers/slapd/connection.c:596 #10 0x00007f3696f2ae6d in _pt_root (arg=0x7f3699960ca0) at ../../../mozilla/nsprpub/pr/src/pthreads/ptthread.c:191 #11 0x00007f36968ccc53 in start_thread (arg=0x7f36667e4700) at pthread_create.c:308 #12 0x00007f36965f9ecd in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:113 ----------------------------------------------------------- The issue here is that pack_mods() is removing mods for attributes that have the "ignore" flag set. The unhashed#user#password mod has this flag set, so it gets removed. This was caused by the patch for ticket #47391. The unhashed#user#password mod can't be deleted, as it's needed for plug-ins like the FreeIPA password policy plug-in and for the replication changelog.