diff --git a/SOURCES/0019-Ticket-49543-fix-certmap-dn-comparison.patch b/SOURCES/0019-Ticket-49543-fix-certmap-dn-comparison.patch
new file mode 100644
index 0000000..3ee748e
--- /dev/null
+++ b/SOURCES/0019-Ticket-49543-fix-certmap-dn-comparison.patch
@@ -0,0 +1,435 @@
+From 66c96b915dd4a82ebd4228cba61d7c4bae96cbca Mon Sep 17 00:00:00 2001
+From: Fraser Tweedale <ftweedal@redhat.com>
+Date: Fri, 16 Mar 2018 15:16:56 +1000
+Subject: [PATCH] Ticket 49543 - fix certmap dn comparison
+
+Bug Description: Differences in DN string representations between
+the value included in certmap.conf, and the stringified value of the
+Issuer DN produced by NSS, as well as buggy DN normalisation code in
+389 itself, cause 389 to wrongly reject the correct certmap
+configuration to use.  Authentication fails.  This behaviour was
+observed when there is an escaped comma in an attribute value.
+
+Fix Description: Instead of comparing stringified DNs, parse the DN
+represented in certmap.conf into an NSS CertNAME.  Use the NSS DN
+comparison routine when comparing certificate Issuer DNs against the
+certmap configurations.  Remove the buggy DN normalisation routine.
+
+https://pagure.io/389-ds-base/issue/49543
+
+Author: Fraser Tweedale <ftweedal@redhat.com>
+
+Review by: ???
+---
+ include/ldaputil/certmap.h   |  20 +++--
+ include/ldaputil/ldaputil.h  |   2 +-
+ lib/ldaputil/cert.c          |  27 ++++--
+ lib/ldaputil/certmap.c       | 162 ++++++-----------------------------
+ lib/ldaputil/examples/init.c |   3 +-
+ 5 files changed, 62 insertions(+), 152 deletions(-)
+
+diff --git a/include/ldaputil/certmap.h b/include/ldaputil/certmap.h
+index fec2dd931..50fd4d158 100644
+--- a/include/ldaputil/certmap.h
++++ b/include/ldaputil/certmap.h
+@@ -16,6 +16,7 @@
+ /* What was extcmap.h begins ... */
+ 
+ #include <ldap.h>
++#include <nss3/cert.h>
+ 
+ #ifndef NSAPI_PUBLIC
+ #define NSAPI_PUBLIC
+@@ -156,7 +157,7 @@ typedef int (*CertVerifyFn_t)(void *cert, LDAP *ld, void *certmap_info, LDAPMess
+  *  otherwise return LDAPU_CERT_MAP_INITFN_FAILED.  The server startup will be
+  *  aborted if the return value is not LDAPU_SUCCESS.
+  */
+-typedef int (*CertMapInitFn_t)(void *certmap_info, const char *issuerName, const char *issuerDN, const char *libname);
++typedef int (*CertMapInitFn_t)(void *certmap_info, const char *issuerName, const CERTName *issuerDN, const char *libname);
+ 
+ /*
+  * Refer to the description of the function ldapu_get_cert_ava_val
+@@ -209,27 +210,30 @@ extern "C" {
+ 
+ NSAPI_PUBLIC int ldapu_cert_to_ldap_entry(void *cert, LDAP *ld, const char *basedn, LDAPMessage **res);
+ 
+-NSAPI_PUBLIC int ldapu_set_cert_mapfn(const char *issuerDN,
++NSAPI_PUBLIC int ldapu_set_cert_mapfn(const CERTName *issuerDN,
+                                       CertMapFn_t mapfn);
+ 
+ 
+-NSAPI_PUBLIC CertMapFn_t ldapu_get_cert_mapfn(const char *issuerDN);
++NSAPI_PUBLIC CertMapFn_t ldapu_get_cert_mapfn(const CERTName *issuerDN);
+ 
+-NSAPI_PUBLIC int ldapu_set_cert_searchfn(const char *issuerDN,
++NSAPI_PUBLIC int ldapu_set_cert_searchfn(const CERTName *issuerDN,
+                                          CertSearchFn_t searchfn);
+ 
+ 
+-NSAPI_PUBLIC CertSearchFn_t ldapu_get_cert_searchfn(const char *issuerDN);
++NSAPI_PUBLIC CertSearchFn_t ldapu_get_cert_searchfn(const CERTName *issuerDN);
+ 
+-NSAPI_PUBLIC int ldapu_set_cert_verifyfn(const char *issuerDN,
++NSAPI_PUBLIC int ldapu_set_cert_verifyfn(const CERTName *issuerDN,
+                                          CertVerifyFn_t verifyFn);
+ 
+-NSAPI_PUBLIC CertVerifyFn_t ldapu_get_cert_verifyfn(const char *issuerDN);
++NSAPI_PUBLIC CertVerifyFn_t ldapu_get_cert_verifyfn(const CERTName *issuerDN);
+ 
+ 
+ NSAPI_PUBLIC int ldapu_get_cert_subject_dn(void *cert, char **subjectDN);
+ 
+ 
++NSAPI_PUBLIC CERTName *ldapu_get_cert_issuer_dn_as_CERTName(CERTCertificate *cert);
++
++
+ NSAPI_PUBLIC int ldapu_get_cert_issuer_dn(void *cert, char **issuerDN);
+ 
+ 
+@@ -242,7 +246,7 @@ NSAPI_PUBLIC int ldapu_free_cert_ava_val(char **val);
+ NSAPI_PUBLIC int ldapu_get_cert_der(void *cert, unsigned char **derCert, unsigned int *len);
+ 
+ 
+-NSAPI_PUBLIC int ldapu_issuer_certinfo(const char *issuerDN,
++NSAPI_PUBLIC int ldapu_issuer_certinfo(const CERTName *issuerDN,
+                                        void **certmap_info);
+ 
+ 
+diff --git a/include/ldaputil/ldaputil.h b/include/ldaputil/ldaputil.h
+index e0e028c5c..b172819b0 100644
+--- a/include/ldaputil/ldaputil.h
++++ b/include/ldaputil/ldaputil.h
+@@ -48,7 +48,7 @@ enum
+ typedef struct
+ {
+     char *issuerName;            /* issuer (symbolic/short) name */
+-    char *issuerDN;              /* cert issuer's DN */
++    CERTName *issuerDN;          /* cert issuer's DN */
+     LDAPUPropValList_t *propval; /* pointer to the prop-val pairs list */
+     CertMapFn_t mapfn;           /* cert to ldapdn & filter mapping func */
+     CertVerifyFn_t verifyfn;     /* verify cert function */
+diff --git a/lib/ldaputil/cert.c b/lib/ldaputil/cert.c
+index 65a481541..73abba12a 100644
+--- a/lib/ldaputil/cert.c
++++ b/lib/ldaputil/cert.c
+@@ -54,15 +54,30 @@ ldapu_get_cert_subject_dn(void *cert_in, char **subjectDN)
+     return *subjectDN ? LDAPU_SUCCESS : LDAPU_ERR_EXTRACT_SUBJECTDN_FAILED;
+ }
+ 
++/*
++ * Return the Issuer DN as a CERTName.
++ * The CERTName is owned by the CERTCertificate.
++ */
++NSAPI_PUBLIC CERTName *
++ldapu_get_cert_issuer_dn_as_CERTName(CERTCertificate *cert_in)
++{
++    return &cert_in->issuer;
++}
++
++/*
++ * Return the Issuer DN as a string.
++ * The string should be freed by the caller.
++ */
+ NSAPI_PUBLIC int
+ ldapu_get_cert_issuer_dn(void *cert_in, char **issuerDN)
+ {
+-    CERTCertificate *cert = (CERTCertificate *)cert_in;
+-    char *cert_issuer = CERT_NameToAscii(&cert->issuer);
+-
+-    *issuerDN = strdup(cert_issuer);
+-    PR_Free(cert_issuer);
+-
++    *issuerDN = NULL;
++    CERTName *dn = ldapu_get_cert_issuer_dn_as_CERTName((CERTCertificate *)cert_in);
++    if (dn != NULL) {
++        char *cert_issuer = CERT_NameToAscii(dn);
++        *issuerDN = strdup(cert_issuer);
++        PR_Free(cert_issuer);
++    }
+     return *issuerDN ? LDAPU_SUCCESS : LDAPU_ERR_EXTRACT_ISSUERDN_FAILED;
+ }
+ 
+diff --git a/lib/ldaputil/certmap.c b/lib/ldaputil/certmap.c
+index 78bb3635b..0db2de12b 100644
+--- a/lib/ldaputil/certmap.c
++++ b/lib/ldaputil/certmap.c
+@@ -52,7 +52,6 @@ static char this_dllname[256];
+ static const char *LIB_DIRECTIVE = "certmap";
+ static const int LIB_DIRECTIVE_LEN = 7; /* strlen("LIB_DIRECTIVE") */
+ 
+-static char *ldapu_dn_normalize(char *dn);
+ static void *ldapu_propval_free(void *propval_in, void *arg);
+ 
+ typedef struct
+@@ -337,8 +336,13 @@ dbinfo_to_certinfo(DBConfDBInfo_t *db_info,
+     certinfo->issuerName = db_info->dbname;
+     db_info->dbname = 0;
+ 
+-    certinfo->issuerDN = ldapu_dn_normalize(db_info->url);
+-    db_info->url = 0;
++    /* Parse the Issuer DN. */
++    certinfo->issuerDN = CERT_AsciiToName(db_info->url);
++    if (NULL == certinfo->issuerDN                            /* invalid DN */
++            && ldapu_strcasecmp(db_info->url, "default") != 0 /* not "default" */) {
++        rv = LDAPU_ERR_MALFORMED_SUBJECT_DN;
++        goto error;
++    }
+ 
+     /* hijack actual prop-vals from dbinfo -- to avoid strdup calls */
+     if (db_info->firstprop) {
+@@ -890,24 +894,26 @@ ldapu_cert_searchfn_default(void *cert, LDAP *ld, void *certmap_info_in, const c
+ }
+ 
+ NSAPI_PUBLIC int
+-ldapu_issuer_certinfo(const char *issuerDN, void **certmap_info)
++ldapu_issuer_certinfo(const CERTName *issuerDN, void **certmap_info)
+ {
+     *certmap_info = 0;
+ 
+-    if (!issuerDN || !*issuerDN || !ldapu_strcasecmp(issuerDN, "default")) {
+-        *certmap_info = default_certmap_info;
+-    } else if (certmap_listinfo) {
+-        char *n_issuerDN = ldapu_dn_normalize(ldapu_strdup(issuerDN));
++    if (certmap_listinfo) {
+         LDAPUListNode_t *cur = certmap_listinfo->head;
+         while (cur) {
+-            if (!ldapu_strcasecmp(n_issuerDN, ((LDAPUCertMapInfo_t *)cur->info)->issuerDN)) {
++            LDAPUCertMapInfo_t *info = (LDAPUCertMapInfo_t *)cur->info;
++
++            if (NULL == info->issuerDN) {
++                /* no DN to compare to (probably the default certmap info) */
++                continue;
++            }
++
++            if (CERT_CompareName(issuerDN, info->issuerDN) == SECEqual) {
+                 *certmap_info = cur->info;
+                 break;
+             }
+             cur = cur->next;
+         }
+-        if (n_issuerDN)
+-            ldapu_free(n_issuerDN);
+     }
+     return *certmap_info ? LDAPU_SUCCESS : LDAPU_FAILED;
+ }
+@@ -1128,7 +1134,7 @@ ldapu_cert_mapfn_default(void *cert_in, LDAP *ld __attribute__((unused)), void *
+ }
+ 
+ NSAPI_PUBLIC int
+-ldapu_set_cert_mapfn(const char *issuerDN,
++ldapu_set_cert_mapfn(const CERTName *issuerDN,
+                      CertMapFn_t mapfn)
+ {
+     LDAPUCertMapInfo_t *certmap_info;
+@@ -1161,7 +1167,7 @@ ldapu_get_cert_mapfn_sub(LDAPUCertMapInfo_t *certmap_info)
+ }
+ 
+ NSAPI_PUBLIC CertMapFn_t
+-ldapu_get_cert_mapfn(const char *issuerDN)
++ldapu_get_cert_mapfn(const CERTName *issuerDN)
+ {
+     LDAPUCertMapInfo_t *certmap_info = 0;
+ 
+@@ -1173,7 +1179,7 @@ ldapu_get_cert_mapfn(const char *issuerDN)
+ }
+ 
+ NSAPI_PUBLIC int
+-ldapu_set_cert_searchfn(const char *issuerDN,
++ldapu_set_cert_searchfn(const CERTName *issuerDN,
+                         CertSearchFn_t searchfn)
+ {
+     LDAPUCertMapInfo_t *certmap_info;
+@@ -1206,7 +1212,7 @@ ldapu_get_cert_searchfn_sub(LDAPUCertMapInfo_t *certmap_info)
+ }
+ 
+ NSAPI_PUBLIC CertSearchFn_t
+-ldapu_get_cert_searchfn(const char *issuerDN)
++ldapu_get_cert_searchfn(const CERTName *issuerDN)
+ {
+     LDAPUCertMapInfo_t *certmap_info = 0;
+ 
+@@ -1218,7 +1224,7 @@ ldapu_get_cert_searchfn(const char *issuerDN)
+ }
+ 
+ NSAPI_PUBLIC int
+-ldapu_set_cert_verifyfn(const char *issuerDN,
++ldapu_set_cert_verifyfn(const CERTName *issuerDN,
+                         CertVerifyFn_t verifyfn)
+ {
+     LDAPUCertMapInfo_t *certmap_info;
+@@ -1251,7 +1257,7 @@ ldapu_get_cert_verifyfn_sub(LDAPUCertMapInfo_t *certmap_info)
+ }
+ 
+ NSAPI_PUBLIC CertVerifyFn_t
+-ldapu_get_cert_verifyfn(const char *issuerDN)
++ldapu_get_cert_verifyfn(const CERTName *issuerDN)
+ {
+     LDAPUCertMapInfo_t *certmap_info = 0;
+ 
+@@ -1288,7 +1294,6 @@ static int ldapu_certinfo_copy (const LDAPUCertMapInfo_t *from,
+ NSAPI_PUBLIC int
+ ldapu_cert_to_ldap_entry(void *cert, LDAP *ld, const char *basedn, LDAPMessage **res)
+ {
+-    char *issuerDN = 0;
+     char *ldapDN = 0;
+     char *filter = 0;
+     LDAPUCertMapInfo_t *certmap_info;
+@@ -1308,14 +1313,14 @@ ldapu_cert_to_ldap_entry(void *cert, LDAP *ld, const char *basedn, LDAPMessage *
+         certmap_attrs[3] = 0;
+     }
+ 
+-    rv = ldapu_get_cert_issuer_dn(cert, &issuerDN);
++    CERTName *issuerDN = ldapu_get_cert_issuer_dn_as_CERTName(cert);
++    /*        ^ don't need to free this; it will be freed with ^ the cert */
+ 
+-    if (rv != LDAPU_SUCCESS)
++    if (NULL == issuerDN)
+         return LDAPU_ERR_NO_ISSUERDN_IN_CERT;
+ 
+     /* don't free the certmap_info -- its a pointer to an internal structure */
+     rv = ldapu_issuer_certinfo(issuerDN, (void **)&certmap_info);
+-    free(issuerDN);
+ 
+     if (!certmap_info)
+         certmap_info = default_certmap_info;
+@@ -1604,118 +1609,3 @@ ldapu_realloc(void *ptr, int size)
+ {
+     return realloc(ptr, size);
+ }
+-
+-#define DNSEPARATOR(c) (c == ',' || c == ';')
+-#define SEPARATOR(c) (c == ',' || c == ';' || c == '+')
+-#define SPACE(c) (c == ' ' || c == '\n')
+-#define NEEDSESCAPE(c) (c == '\\' || c == '"')
+-#define B4TYPE 0
+-#define INTYPE 1
+-#define B4EQUAL 2
+-#define B4VALUE 3
+-#define INVALUE 4
+-#define INQUOTEDVALUE 5
+-#define B4SEPARATOR 6
+-
+-static char *
+-ldapu_dn_normalize(char *dn)
+-{
+-    char *d, *s;
+-    int state, gotesc;
+-
+-    gotesc = 0;
+-    state = B4TYPE;
+-    for (d = s = dn; *s; s++) {
+-        switch (state) {
+-        case B4TYPE:
+-            if (!SPACE(*s)) {
+-                state = INTYPE;
+-                *d++ = *s;
+-            }
+-            break;
+-        case INTYPE:
+-            if (*s == '=') {
+-                state = B4VALUE;
+-                *d++ = *s;
+-            } else if (SPACE(*s)) {
+-                state = B4EQUAL;
+-            } else {
+-                *d++ = *s;
+-            }
+-            break;
+-        case B4EQUAL:
+-            if (*s == '=') {
+-                state = B4VALUE;
+-                *d++ = *s;
+-            } else if (!SPACE(*s)) {
+-                /* not a valid dn - but what can we do here? */
+-                *d++ = *s;
+-            }
+-            break;
+-        case B4VALUE:
+-            if (*s == '"') {
+-                state = INQUOTEDVALUE;
+-                *d++ = *s;
+-            } else if (!SPACE(*s)) {
+-                state = INVALUE;
+-                *d++ = *s;
+-            }
+-            break;
+-        case INVALUE:
+-            if (!gotesc && SEPARATOR(*s)) {
+-                while (SPACE(*(d - 1)))
+-                    d--;
+-                state = B4TYPE;
+-                if (*s == '+') {
+-                    *d++ = *s;
+-                } else {
+-                    *d++ = ',';
+-                }
+-            } else if (gotesc && !NEEDSESCAPE(*s) &&
+-                       !SEPARATOR(*s)) {
+-                *--d = *s;
+-                d++;
+-            } else {
+-                *d++ = *s;
+-            }
+-            break;
+-        case INQUOTEDVALUE:
+-            if (!gotesc && *s == '"') {
+-                state = B4SEPARATOR;
+-                *d++ = *s;
+-            } else if (gotesc && !NEEDSESCAPE(*s)) {
+-                *--d = *s;
+-                d++;
+-            } else {
+-                *d++ = *s;
+-            }
+-            break;
+-        case B4SEPARATOR:
+-            if (SEPARATOR(*s)) {
+-                state = B4TYPE;
+-                if (*s == '+') {
+-                    *d++ = *s;
+-                } else {
+-                    *d++ = ',';
+-                }
+-            }
+-            break;
+-        default:
+-            break;
+-        }
+-        if (*s == '\\') {
+-            gotesc = 1;
+-        } else {
+-            gotesc = 0;
+-        }
+-    }
+-    *d = '\0';
+-
+-    /* Trim trailing spaces */
+-    d--;
+-    while (d >= dn && *d == ' ') {
+-        *d-- = '\0';
+-    }
+-
+-    return (dn);
+-}
+diff --git a/lib/ldaputil/examples/init.c b/lib/ldaputil/examples/init.c
+index 74db9775c..fd1edc97e 100644
+--- a/lib/ldaputil/examples/init.c
++++ b/lib/ldaputil/examples/init.c
+@@ -15,12 +15,13 @@
+ #include <stdio.h>
+ #include <string.h>
+ #include <ctype.h>
++#include <nss3/cert.h>
+ #include "certmap.h" /* Public Certmap API */
+ #include "plugin.h"  /* must define extern "C" functions */
+ 
+ 
+ NSAPI_PUBLIC int
+-plugin_init_fn(void *certmap_info, const char *issuerName, const char *issuerDN, const char *libname)
++plugin_init_fn(void *certmap_info, const char *issuerName, const CERTName *issuerDN, const char *libname)
+ {
+     static int initialized = 0;
+     int rv;
+-- 
+2.17.2
+
diff --git a/SOURCES/0020-Ticket-50117-after-certain-failed-import-operation-i.patch b/SOURCES/0020-Ticket-50117-after-certain-failed-import-operation-i.patch
new file mode 100644
index 0000000..a178a31
--- /dev/null
+++ b/SOURCES/0020-Ticket-50117-after-certain-failed-import-operation-i.patch
@@ -0,0 +1,63 @@
+From 90ba52ac8f655cb5d6cfd3f201c15f8004eb8414 Mon Sep 17 00:00:00 2001
+From: Thierry Bordaz <tbordaz@redhat.com>
+Date: Fri, 4 Jan 2019 12:24:56 +0100
+Subject: [PATCH] Ticket 50117 - after certain failed import operation,
+ impossible to replay an import operation
+
+Bug Description:
+	At the beginning of an import, a flag is set to mark the target backend is busy.
+	Then import tests if there are pending operations. If such operations exist the import can not proceed and fails.
+	The problem is that in such case of pending operations, the import fails without resetting the busy flag.
+	It let the backend busy (until next reboot) and prevent new import.
+
+Fix Description:
+	It needs to reset the busy flag if there are pending operations
+
+https://pagure.io/389-ds-base/issue/50117
+
+Reviewed by: Mark Reynolds, William Brown
+
+Platforms tested: F27
+
+Flag Day: no
+
+Doc impact: no
+
+(cherry picked from commit ff00b07402747aac403478a157adab75e306d7d1)
+(cherry picked from commit 630940ec119a90c3bbfc7cd3464eb02ab779b474)
+---
+ ldap/servers/slapd/back-ldbm/ldif2ldbm.c | 14 ++++++++++++--
+ 1 file changed, 12 insertions(+), 2 deletions(-)
+
+diff --git a/ldap/servers/slapd/back-ldbm/ldif2ldbm.c b/ldap/servers/slapd/back-ldbm/ldif2ldbm.c
+index 16b87ee6b..69a2af9cf 100644
+--- a/ldap/servers/slapd/back-ldbm/ldif2ldbm.c
++++ b/ldap/servers/slapd/back-ldbm/ldif2ldbm.c
+@@ -704,12 +704,22 @@ ldbm_back_ldif2ldbm(Slapi_PBlock *pb)
+     }
+ 
+     /* check if an import/restore is already ongoing... */
+-    if ((instance_set_busy(inst) != 0) ||
+-        (slapi_counter_get_value(inst->inst_ref_count) > 0)) {
++    if ((instance_set_busy(inst) != 0)) {
+         slapi_log_err(SLAPI_LOG_ERR, "ldbm_back_ldif2ldbm", "ldbm: '%s' is already in the middle of "
+                                                             "another task and cannot be disturbed.\n",
+                       inst->inst_name);
+         return -1;
++    } else {
++        uint64_t refcnt;
++        refcnt = slapi_counter_get_value(inst->inst_ref_count);
++        if (refcnt > 0) {
++            slapi_log_err(SLAPI_LOG_ERR, "ldbm_back_ldif2ldbm", "ldbm: '%s' there are %d pending operation(s)."
++                    " Import can not proceed until they are completed.\n",
++                    inst->inst_name,
++                    refcnt);
++            instance_set_not_busy(inst);
++            return -1;
++        }
+     }
+ 
+     if ((task_flags & SLAPI_TASK_RUNNING_FROM_COMMANDLINE)) {
+-- 
+2.17.2
+
diff --git a/SOURCES/0021-Ticket-49540-Fix-compiler-warning-in-ldif2ldbm.patch b/SOURCES/0021-Ticket-49540-Fix-compiler-warning-in-ldif2ldbm.patch
new file mode 100644
index 0000000..d212998
--- /dev/null
+++ b/SOURCES/0021-Ticket-49540-Fix-compiler-warning-in-ldif2ldbm.patch
@@ -0,0 +1,31 @@
+From 9ab11ef54c378772982ef65cba3ea6718942899c Mon Sep 17 00:00:00 2001
+From: Mark Reynolds <mreynolds@redhat.com>
+Date: Tue, 15 Jan 2019 13:55:18 -0500
+Subject: [PATCH] Ticket 49540 - FIx compiler warning in ldif2ldbm
+
+https://pagure.io/389-ds-base/issue/49540
+
+Reviewed by: mreynolds(one line commit rule)
+
+(cherry picked from commit 58be90b8bf96a7a0e10740b122035ea03fa13e0f)
+(cherry picked from commit c9580477ffe22a08c0094378e81a6927d0dc4ffc)
+---
+ ldap/servers/slapd/back-ldbm/ldif2ldbm.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/ldap/servers/slapd/back-ldbm/ldif2ldbm.c b/ldap/servers/slapd/back-ldbm/ldif2ldbm.c
+index 69a2af9cf..11c020af0 100644
+--- a/ldap/servers/slapd/back-ldbm/ldif2ldbm.c
++++ b/ldap/servers/slapd/back-ldbm/ldif2ldbm.c
+@@ -713,7 +713,7 @@ ldbm_back_ldif2ldbm(Slapi_PBlock *pb)
+         uint64_t refcnt;
+         refcnt = slapi_counter_get_value(inst->inst_ref_count);
+         if (refcnt > 0) {
+-            slapi_log_err(SLAPI_LOG_ERR, "ldbm_back_ldif2ldbm", "ldbm: '%s' there are %d pending operation(s)."
++            slapi_log_err(SLAPI_LOG_ERR, "ldbm_back_ldif2ldbm", "ldbm: '%s' there are %" PRIu64 " pending operation(s)."
+                     " Import can not proceed until they are completed.\n",
+                     inst->inst_name,
+                     refcnt);
+-- 
+2.17.2
+
diff --git a/SOURCES/0022-Ticket-50078-cannot-add-cenotaph-in-read-only-consum.patch b/SOURCES/0022-Ticket-50078-cannot-add-cenotaph-in-read-only-consum.patch
new file mode 100644
index 0000000..6a80c19
--- /dev/null
+++ b/SOURCES/0022-Ticket-50078-cannot-add-cenotaph-in-read-only-consum.patch
@@ -0,0 +1,108 @@
+From 7b4cb7aebdf5264e12e4ffad96fd21b3d7d2a14f Mon Sep 17 00:00:00 2001
+From: Ludwig Krispenz <lkrispen@redhat.com>
+Date: Tue, 11 Dec 2018 11:06:44 +0100
+Subject: [PATCH] Ticket 50078 - cannot add cenotaph in read only consumer
+
+Bug: For modrdn operations a cenotaph entry is created to be used in later conflict
+     resolution procedures, this is done by an internal add operation and
+     fails on hubs and consumers
+
+Fix: Add the "bypass referral" flag to the internal add operation to allow it
+
+Reviewed by: Thierry, thanks
+---
+ dirsrvtests/tests/tickets/ticket50078_test.py | 68 +++++++++++++++++++
+ ldap/servers/plugins/replication/urp.c        |  2 +-
+ 2 files changed, 69 insertions(+), 1 deletion(-)
+ create mode 100644 dirsrvtests/tests/tickets/ticket50078_test.py
+
+diff --git a/dirsrvtests/tests/tickets/ticket50078_test.py b/dirsrvtests/tests/tickets/ticket50078_test.py
+new file mode 100644
+index 000000000..3f6c5ec2d
+--- /dev/null
++++ b/dirsrvtests/tests/tickets/ticket50078_test.py
+@@ -0,0 +1,68 @@
++import pytest
++from lib389.utils import *
++from lib389.topologies import topology_m1h1c1
++from lib389.idm.user import UserAccounts
++
++from lib389._constants import (DEFAULT_SUFFIX, REPLICA_RUV_FILTER, defaultProperties,
++                              REPLICATION_BIND_DN, REPLICATION_BIND_PW, REPLICATION_BIND_METHOD,
++                              REPLICATION_TRANSPORT, SUFFIX, RA_NAME, RA_BINDDN, RA_BINDPW,
++                              RA_METHOD, RA_TRANSPORT_PROT, SUFFIX)
++
++logging.getLogger(__name__).setLevel(logging.DEBUG)
++log = logging.getLogger(__name__)
++
++TEST_USER = "test_user"
++
++def test_ticket50078(topology_m1h1c1):
++    """
++    Test that for a MODRDN operation the cenotaph entry is created on
++    a hub or consumer.
++    """
++
++    M1 = topology_m1h1c1.ms["master1"]
++    H1 = topology_m1h1c1.hs["hub1"]
++    C1 = topology_m1h1c1.cs["consumer1"]
++    #
++    # Test replication is working
++    #
++    if M1.testReplication(DEFAULT_SUFFIX, topology_m1h1c1.cs["consumer1"]):
++        log.info('Replication is working.')
++    else:
++        log.fatal('Replication is not working.')
++        assert False
++
++    ua = UserAccounts(M1, DEFAULT_SUFFIX)
++    ua.create(properties={
++            'uid': "%s%d" % (TEST_USER, 1),
++            'cn' : "%s%d" % (TEST_USER, 1),
++            'sn' : 'user',
++            'uidNumber' : '1000',
++            'gidNumber' : '2000',
++            'homeDirectory' : '/home/testuser'
++            })
++
++    user = ua.get('%s1' % TEST_USER)
++    log.info("  Rename the test entry %s..." % user)
++    user.rename('uid=test_user_new')
++
++    # wait until replication is in sync
++    if M1.testReplication(DEFAULT_SUFFIX, topology_m1h1c1.cs["consumer1"]):
++        log.info('Replication is working.')
++    else:
++        log.fatal('Replication is not working.')
++        assert False
++
++    # check if cenotaph was created on hub and consumer
++    ents = H1.search_s(DEFAULT_SUFFIX, ldap.SCOPE_SUBTREE, filterstr="(&(objectclass=nstombstone)(cenotaphid=*))")
++    assert len(ents) == 1
++
++    ents = C1.search_s(DEFAULT_SUFFIX, ldap.SCOPE_SUBTREE, filterstr="(&(objectclass=nstombstone)(cenotaphid=*))")
++    assert len(ents) == 1
++
++
++
++if __name__ == '__main__':
++    # Run isolated
++    # -s for DEBUG mode
++    CURRENT_FILE = os.path.realpath(__file__)
++    pytest.main("-s %s" % CURRENT_FILE)
+diff --git a/ldap/servers/plugins/replication/urp.c b/ldap/servers/plugins/replication/urp.c
+index 11c5da7cf..37fe77379 100644
+--- a/ldap/servers/plugins/replication/urp.c
++++ b/ldap/servers/plugins/replication/urp.c
+@@ -911,7 +911,7 @@ urp_fixup_add_cenotaph (Slapi_PBlock *pb, char *sessionid, CSN *opcsn)
+                                     cenotaph,
+                                     NULL,
+                                     repl_get_plugin_identity(PLUGIN_MULTIMASTER_REPLICATION),
+-                                    OP_FLAG_REPL_FIXUP|OP_FLAG_NOOP|OP_FLAG_CENOTAPH_ENTRY);
++                                    OP_FLAG_REPL_FIXUP|OP_FLAG_NOOP|OP_FLAG_CENOTAPH_ENTRY|SLAPI_OP_FLAG_BYPASS_REFERRALS);
+     slapi_add_internal_pb(add_pb);
+     slapi_pblock_get(add_pb, SLAPI_PLUGIN_INTOP_RESULT, &ret);
+ 
+-- 
+2.17.2
+
diff --git a/SOURCES/0023-Ticket-50177-import-task-should-not-be-deleted-too-r.patch b/SOURCES/0023-Ticket-50177-import-task-should-not-be-deleted-too-r.patch
new file mode 100644
index 0000000..ab57e52
--- /dev/null
+++ b/SOURCES/0023-Ticket-50177-import-task-should-not-be-deleted-too-r.patch
@@ -0,0 +1,85 @@
+From aea4494eeb5351bcc26bf5e15411c28b96648445 Mon Sep 17 00:00:00 2001
+From: Thierry Bordaz <tbordaz@redhat.com>
+Date: Fri, 1 Feb 2019 15:36:01 +0100
+Subject: [PATCH] Ticket 50177 - import task should not be deleted too rapidely
+ after import finishes to be able to query the status
+
+Bug Description:
+	scripts that create online import and export tasks do not define a Time To Life of the tasks.
+	As a consequence the task entry is cleared 2min (default value) after task completion.
+	This is too rapid and some admin scripts may miss the final task status.
+
+Fix Description:
+	The fix is to keep the entry of completed online import and export tasks for 1 day.
+	It also allows defines a default TTL to 1h (instead of 2min)
+
+https://pagure.io/389-ds-base/issue/50177
+
+Reviewed by: Mark Reynolds
+
+Platforms tested: F27
+
+Flag Day: no
+
+Doc impact: no
+---
+ ldap/admin/src/scripts/db2ldif.pl.in | 3 ++-
+ ldap/admin/src/scripts/ldif2db.pl.in | 3 ++-
+ ldap/servers/slapd/task.c            | 6 +++---
+ 3 files changed, 7 insertions(+), 5 deletions(-)
+
+diff --git a/ldap/admin/src/scripts/db2ldif.pl.in b/ldap/admin/src/scripts/db2ldif.pl.in
+index 0d220f00a..f7d12b48a 100644
+--- a/ldap/admin/src/scripts/db2ldif.pl.in
++++ b/ldap/admin/src/scripts/db2ldif.pl.in
+@@ -241,7 +241,8 @@ if ($decrypt_on_export != 0) { $nsexportdecrypt = "nsExportDecrypt: true\n"; }
+ $nsprintkey = "";
+ if ($printkey == 0) { $nsprintkey = "nsPrintKey: false\n"; }
+ $nsldiffile = "nsFilename: ${ldiffile}\n";
+-$entry = "${dn}${misc}${cn}${nsinstance}${nsincluded}${nsexcluded}${nsreplica}${nsnobase64}${nsnowrap}${nsnoversion}${nsnouniqueid}${nsuseid2entry}${nsonefile}${nsexportdecrypt}${nsprintkey}${nsldiffile}";
++$ttl = "ttl: 86400";
++$entry = "${dn}${misc}${cn}${nsinstance}${nsincluded}${nsexcluded}${nsreplica}${nsnobase64}${nsnowrap}${nsnoversion}${nsnouniqueid}${nsuseid2entry}${nsonefile}${nsexportdecrypt}${nsprintkey}${nsldiffile}${ttl}";
+ 
+ print("Exporting to ldif file: ${ldiffile}\n");
+ $rc = DSUtil::ldapmod($entry, %info);
+diff --git a/ldap/admin/src/scripts/ldif2db.pl.in b/ldap/admin/src/scripts/ldif2db.pl.in
+index a5d834f8e..486dcd053 100644
+--- a/ldap/admin/src/scripts/ldif2db.pl.in
++++ b/ldap/admin/src/scripts/ldif2db.pl.in
+@@ -192,7 +192,8 @@ $nsmergechunksiz = "nsImportChunkSize: ${mergechunksiz}\n";
+ $nsgenuniqid = "nsUniqueIdGenerator: ${genuniqid}\n"; 
+ $nsuniqidname = "";
+ if ($uniqidname ne "") { $nsuniqidname = "nsUniqueIdGeneratorNamespace: ${uniqidname}\n"; }
+-$entry = "${dn}${misc}${cn}${nsinstance}${nsincluded}${nsexcluded}${nsldiffiles}${nsnoattrindexes}${nsimportencrypt}${nsmergechunksiz}${nsgenuniqid}${nsuniqidname}";
++$ttl = "ttl: 86400";
++$entry = "${dn}${misc}${cn}${nsinstance}${nsincluded}${nsexcluded}${nsldiffiles}${nsnoattrindexes}${nsimportencrypt}${nsmergechunksiz}${nsgenuniqid}${nsuniqidname}${ttl}";
+ 
+ $rc = DSUtil::ldapmod($entry, %info);
+ 
+diff --git a/ldap/servers/slapd/task.c b/ldap/servers/slapd/task.c
+index 698ee19b9..8c48c05b8 100644
+--- a/ldap/servers/slapd/task.c
++++ b/ldap/servers/slapd/task.c
+@@ -46,7 +46,7 @@ static int shutting_down = 0;
+ #define TASK_PROGRESS_NAME "nsTaskCurrentItem"
+ #define TASK_WORK_NAME "nsTaskTotalItems"
+ 
+-#define DEFAULT_TTL "120"                        /* seconds */
++#define DEFAULT_TTL "3600"                        /* seconds */
+ #define TASK_SYSCONFIG_FILE_ATTR "sysconfigfile" /* sysconfig reload task file attr */
+ #define TASK_SYSCONFIG_LOGCHANGES_ATTR "logchanges"
+ #define TASK_TOMBSTONE_FIXUP "fixup tombstones task"
+@@ -387,8 +387,8 @@ slapi_task_status_changed(Slapi_Task *task)
+         if (e == NULL)
+             return;
+         ttl = atoi(fetch_attr(e, "ttl", DEFAULT_TTL));
+-        if (ttl > 3600)
+-            ttl = 3600; /* be reasonable. */
++        if (ttl > (24*3600))
++            ttl = (24*3600); /* be reasonable, allow to check task status not longer than one day  */
+         expire = time(NULL) + ttl;
+         task->task_flags |= SLAPI_TASK_DESTROYING;
+         /* queue an event to destroy the state info */
+-- 
+2.17.2
+
diff --git a/SPECS/389-ds-base.spec b/SPECS/389-ds-base.spec
index 200a9de..6c2b417 100644
--- a/SPECS/389-ds-base.spec
+++ b/SPECS/389-ds-base.spec
@@ -39,7 +39,7 @@
 Summary:          389 Directory Server (%{variant})
 Name:             389-ds-base
 Version:          1.3.8.4
-Release:          %{?relprefix}22%{?prerel}%{?dist}
+Release:          %{?relprefix}23%{?prerel}%{?dist}
 License:          GPLv3+
 URL:              https://www.port389.org/
 Group:            System Environment/Daemons
@@ -164,8 +164,12 @@ Patch14:          0014-Ticket-49950-PassSync-not-setting-pwdLastSet-attribu.patc
 Patch15:          0015-Ticket-49915-fix-compiler-warnings.patch
 Patch16:          0016-Ticket-49915-fix-compiler-warnings-2nd.patch
 Patch17:          0017-Ticket-49618-Increase-cachememsize-and-dncachememsize.patch
-Patch21:          0018-Ticket-50020-during-MODRDN-referential-integrity-can.patch
-
+Patch18:          0018-Ticket-50020-during-MODRDN-referential-integrity-can.patch
+Patch19:          0019-Ticket-49543-fix-certmap-dn-comparison.patch
+Patch20:          0020-Ticket-50117-after-certain-failed-import-operation-i.patch
+Patch21:          0021-Ticket-49540-Fix-compiler-warning-in-ldif2ldbm.patch
+Patch22:          0022-Ticket-50078-cannot-add-cenotaph-in-read-only-consum.patch
+Patch23:          0023-Ticket-50177-import-task-should-not-be-deleted-too-r.patch
 
 %description
 389 Directory Server is an LDAPv3 compliant server.  The base package includes
@@ -394,7 +398,6 @@ if [ $1 -eq 0 ]; then # Final removal
 fi
 
 %postun
-/sbin/ldconfig
 if [ $1 = 0 ]; then # Final removal
     rm -rf /var/run/%{pkgname}
 fi
@@ -514,6 +517,12 @@ fi
 %{_sysconfdir}/%{pkgname}/dirsrvtests
 
 %changelog
+* Wed Feb 6 2019 Mark Reynolds <mreynolds@redhat.com> - 1.3.8.4-23
+- Bump version to 1.3.8.4-23
+- Resolves: Bug 1672173 - import task should not be deleted after import finishes to be able to query the status
+- Resolves: Bug 1672177 - after certain failed import operation, impossible to replay an import operation.
+- Resolves: Bug 1672179 - cannot add cenotaph in read only consumer 
+
 * Mon Dec 17 2018 Mark Reynolds <mreynolds@redhat.com> - 1.3.8.4-22
 - Bump version to 1.3.8.4-22
 - Resolves: Bug 1660120 - certmap fails when Issuer DN has comma in name