--- /usr/share/pyshared/univention/admin/handlers/users/user.py.orig	2018-07-12 12:54:56.620098825 +0200
+++ /usr/share/pyshared/univention/admin/handlers/users/user.py	2018-07-12 12:54:47.204435041 +0200
@@ -2177,7 +2177,8 @@
 #			elif self['locked'] == '1':  # lock kerberos password
 #				krb_kdcflags |= (1 << 17)
 
-			ml.append(('krb5KDCFlags', str(old_kdcflags), str(krb_kdcflags)))
+			if str(old_kdcflags) != str(krb_kdcflags):
+				ml.append(('krb5KDCFlags', str(old_kdcflags), str(krb_kdcflags)))
 		return ml
 
 	## If you change anything here, please also check users/ldap.py
@@ -2197,7 +2198,8 @@
 			password_crypt = univention.admin.password.lock_password(password)
 			if self['disabled'] != '1':
 				password_crypt = univention.admin.password.unlock_password(password_crypt)
-			ml.append(('userPassword', old_password, password_crypt))
+			if old_password != password_crypt:
+				ml.append(('userPassword', old_password, password_crypt))
 		return ml
 
 	def _modlist_pwd_account_locked_time(self, ml):
@@ -2251,7 +2253,7 @@
 			else:
 				shadowExpire = ''
 
-			old_shadowExpire = self.oldattr.get('shadowExpire', '')
+			old_shadowExpire = self.oldattr.get('shadowExpire', [''])[0]
 			if old_shadowExpire != shadowExpire:
 				ml.append(('shadowExpire', old_shadowExpire, shadowExpire))
 		return ml