I enabled the retro changelog and discovered that it was no longer possible to change passwords. This is because the retro changelog adds a top-level "namingContexts" entry. ipa_kpasswd searches for namingContexts and takes the first one without checking that it is a dc= entry. It then can't find the user in that tree, leading to issue #1655.
Metadata Update from @ssieb:
- Issue assigned to jcholast
- Issue set to the milestone: FreeIPA 2.1.1 (bug fixing)
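
The selection problem described in the report, as an added C example that is not part of the ticket and is not FreeIPA's code: taking the first `namingContexts` value next to a variant that checks for a leading `dc=` RDN and fails closed when none exists. The function names and the sample values are assumptions constructed for illustration.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Return 1 if the leftmost RDN of the DN uses the "dc" attribute type.
 * Case-insensitive; tolerates whitespace before the type and before '='. */
static int starts_with_dc(const char *dn)
{
    while (*dn && isspace((unsigned char)*dn))
        dn++;
    if (tolower((unsigned char)dn[0]) != 'd' ||
        tolower((unsigned char)dn[1]) != 'c')
        return 0;
    dn += 2;
    while (*dn && isspace((unsigned char)*dn))
        dn++;
    return *dn == '=';   /* rejects types that merely begin with "dc" */
}

/* Behaviour described in the report: first value, no check. */
const char *pick_first(const char *const *contexts)
{
    return contexts ? contexts[0] : NULL;
}

/* Checked variant: first value whose leading RDN is dc=.
 * Returns NULL when no such value exists, so the caller can log and
 * refuse the request instead of searching the wrong tree. */
const char *pick_dc_context(const char *const *contexts)
{
    if (!contexts)
        return NULL;
    for (size_t i = 0; contexts[i]; i++)
        if (starts_with_dc(contexts[i]))
            return contexts[i];
    return NULL;
}

/* Constructed sample: an extra top-level suffix listed before the
 * domain suffix, as values of the rootDSE namingContexts attribute. */
static const char *const sample_contexts[] = {
    "cn=changelog", "dc=example,dc=com", NULL
};

int main(void)
{
    printf("first:   %s\n", pick_first(sample_contexts));
    printf("checked: %s\n", pick_dc_context(sample_contexts));
    return 0;
}
```

The order of `namingContexts` values is not guaranteed, so any selection based on position alone can change when another suffix is added to the server.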