To enable PAC generation, the "MS-PAC" value has to be set for "ipaKrbAuthzData" in "cn=ipaConfig,cn=etc,$SUFFIX".

However, the LDIF file is using the "addifnew" instruction, which is skipped in case the attribute already exists. This is not the behaviour we want. "MS-PAC" should be added unconditionally, especially now on RHEL 8 where the PAC is required by the Bronze-Bit attack detection mechanism. Not supporting the PAC breaks the IPA API on this RHEL version.