diff --git a/SOURCES/0089-Ticket-47888-DES-to-AES-password-conversion-fails-if.patch b/SOURCES/0089-Ticket-47888-DES-to-AES-password-conversion-fails-if.patch
new file mode 100644
index 0000000..8e36a84
--- /dev/null
+++ b/SOURCES/0089-Ticket-47888-DES-to-AES-password-conversion-fails-if.patch
@@ -0,0 +1,160 @@
+From e40a6ef764f13b6efcf573a6181b6747bb029b90 Mon Sep 17 00:00:00 2001
+From: Mark Reynolds <mreynolds@redhat.com>
+Date: Thu, 24 Mar 2016 09:46:11 -0400
+Subject: [PATCH] Ticket 47888 - DES to AES password conversion fails if a
+ backend is empty
+
+Bug Description: The process of converting DES passwords to AES can incorrectly
+ disable the DES plugin if an error is encountered. In this case
+ it was because a backend was defined but was missing the top entry
+ which lead to an error 32 when searching for DES passwords. This
+ causes the existing DES passwords to fail to decode.
+
+Fix Description: There are two issues here. One, we should ignore errors when
+ searching all the backends for passwords. Two, we should only
+ disable the DES plugin if all the DES passwords were successfully
+ converted.
+
+https://fedorahosted.org/389/ticket/48777
+
+Reviewed by: nhosoi(Thanks!)
+
+(cherry picked from commit 6b7f980e80af3803bc395e50bd4228ded9bceb00)
+(cherry picked from commit c6eaf691c6ff3330dc1a3dcbf4dcc31af52c2919)
+---
+ ldap/servers/slapd/daemon.c | 53 ++++++++++++++++++++++-----------------------
+ 1 file changed, 26 insertions(+), 27 deletions(-)
+
+diff --git a/ldap/servers/slapd/daemon.c b/ldap/servers/slapd/daemon.c
+index d25c44d..d702129 100644
+--- a/ldap/servers/slapd/daemon.c
++++ b/ldap/servers/slapd/daemon.c
+@@ -694,7 +694,8 @@ convert_pbe_des_to_aes()
+ char **attrs = NULL;
+ char **backends = NULL;
+ char *val = NULL;
+- int converted_des = 0;
++ int converted_des_passwd = 0;
++ int disable_des = 1;
+ int result = -1;
+ int have_aes = 0;
+ int have_des = 0;
+@@ -739,7 +740,7 @@ convert_pbe_des_to_aes()
+ char *cookie = NULL;
+
+ LDAPDebug(LDAP_DEBUG_ANY, "convert_pbe_des_to_aes: "
+- "Converting DES passwords to AES...\n",0,0,0);
++ "Checking for DES passwords to convert to AES...\n",0,0,0);
+
+ be = slapi_get_first_backend(&cookie);
+ while (be){
+@@ -777,10 +778,13 @@ convert_pbe_des_to_aes()
+ slapi_search_internal_pb(pb);
+ slapi_pblock_get(pb, SLAPI_PLUGIN_INTOP_RESULT, &result);
+ if (LDAP_SUCCESS != result) {
+- LDAPDebug(LDAP_DEBUG_ANY,"convert_pbe_des_to_aes: "
+- "failed to search for password on (%s) error (%d)\n",
+- backends[be_idx], result, 0);
+- goto done;
++ slapi_log_error(SLAPI_LOG_TRACE, "convert_pbe_des_to_aes: ",
++ "Failed to search for password attribute (%s) error (%d), skipping suffix (%s)\n",
++ attrs[i], result, backends[be_idx]);
++ slapi_free_search_results_internal(pb);
++ slapi_pblock_destroy(pb);
++ pb = NULL;
++ continue;
+ }
+ slapi_pblock_get(pb, SLAPI_PLUGIN_INTOP_SEARCH_ENTRIES, &entries);
+ for (ii = 0; entries && entries[ii]; ii++){
+@@ -799,9 +803,9 @@ convert_pbe_des_to_aes()
+ /* decode the DES password */
+ if(pw_rever_decode(val, &passwd, attrs[i]) == -1){
+ LDAPDebug(LDAP_DEBUG_ANY,"convert_pbe_des_to_aes: "
+- "failed to decode existing DES password for (%s)\n",
++ "Failed to decode existing DES password for (%s)\n",
+ slapi_entry_get_dn(entries[ii]), 0, 0);
+- converted_des = 0;
++ disable_des = 0;
+ goto done;
+ }
+
+@@ -813,7 +817,7 @@ convert_pbe_des_to_aes()
+ slapi_entry_get_dn(entries[ii]), 0, 0);
+ slapi_ch_free_string(&passwd);
+ slapi_value_free(&sval);
+- converted_des = 0;
++ disable_des = 0;
+ goto done;
+ }
+
+@@ -834,22 +838,18 @@ convert_pbe_des_to_aes()
+ slapi_pblock_get(pb, SLAPI_PLUGIN_INTOP_RESULT, &result);
+ if (LDAP_SUCCESS != result) {
+ LDAPDebug(LDAP_DEBUG_ANY,"convert_pbe_des_to_aes: "
+- "failed to convert password for (%s) error (%d)\n",
++ "Failed to convert password for (%s) error (%d)\n",
+ slapi_entry_get_dn(entries[ii]), result, 0);
+- converted_des = -1;
++ disable_des = 0;
+ } else {
+ LDAPDebug(LDAP_DEBUG_ANY,"convert_pbe_des_to_aes: "
+- "successfully converted password for (%s)\n",
++ "Successfully converted password for (%s)\n",
+ slapi_entry_get_dn(entries[ii]), result, 0);
+- converted_des = 1;
+-
++ converted_des_passwd = 1;
+ }
+ slapi_ch_free_string(&passwd);
+ slapi_value_free(&sval);
+ slapi_pblock_destroy(mod_pb);
+- if(result){
+- goto done;
+- }
+ }
+ slapi_ch_free_string(&val);
+ }
+@@ -860,6 +860,10 @@ convert_pbe_des_to_aes()
+ }
+ slapi_ch_free_string(&filter);
+ }
++ if (!converted_des_passwd){
++ slapi_log_error(SLAPI_LOG_FATAL, "convert_pbe_des_to_aes",
++ "No DES passwords found to convert.\n");
++ }
+ }
+
+ done:
+@@ -870,9 +874,9 @@ done:
+
+ if (have_aes && have_des){
+ /*
+- * If a conversion attempt did not fail, disable DES plugin
++ * If a conversion attempt did not fail then we can disable the DES plugin
+ */
+- if(converted_des != -1){
++ if(converted_des_passwd && disable_des){
+ /*
+ * Disable the DES plugin - this also prevents potentially expensive
+ * searches at every server startup.
+@@ -905,14 +909,9 @@ done:
+ des_dn, 0, 0);
+ }
+ slapi_pblock_destroy(pb);
+- }
+- if(converted_des == 1){
+- LDAPDebug(LDAP_DEBUG_ANY,"convert_pbe_des_to_aes: "
+- "Finished - all DES passwords have been converted to AES.\n",
+- 0, 0, 0);
+- } else if (converted_des == 0){
+- LDAPDebug(LDAP_DEBUG_ANY, "convert_pbe_des_to_aes: "
+- "Finished - no DES passwords to convert.\n",0,0,0);
++ LDAPDebug(LDAP_DEBUG_ANY,"convert_pbe_des_to_aes: "
++ "All DES passwords have been converted to AES.\n",
++ 0, 0, 0);
+ }
+ }
+ }
+--
+2.4.3
+
diff --git a/SPECS/389-ds-base.spec b/SPECS/389-ds-base.spec
index 08b39f4..2777cec 100644
--- a/SPECS/389-ds-base.spec
+++ b/SPECS/389-ds-base.spec
@@ -34,7 +34,7 @@
Summary: 389 Directory Server (base)
Name: 389-ds-base
Version: 1.3.4.0
-Release: %{?relprefix}29%{?prerel}%{?dist}
+Release: %{?relprefix}30%{?prerel}%{?dist}
License: GPLv3+
URL: http://port389.org/
Group: System Environment/Daemons
@@ -211,6 +211,7 @@ Patch84: 0085-Ticket-48536-Crash-in-slapi_get_object_extension.patch
Patch85: 0086-Ticket-48445-keep-alive-entries-can-break-replicatio.patch
Patch86: 0087-Ticket-48420-change-severity-of-some-messages-relate.patch
Patch87: 0088-Ticket-48757-License-tag-does-not-match-actual-licen.patch
+Patch88: 0089-Ticket-47888-DES-to-AES-password-conversion-fails-if.patch
%description
389 Directory Server is an LDAPv3 compliant server. The base package includes
@@ -362,6 +363,7 @@ cp %{SOURCE2} README.devel
%patch85 -p1
%patch86 -p1
%patch87 -p1
+%patch88 -p1
%build
%if %{use_nunc_stans}
@@ -556,6 +558,10 @@ fi
%endif
%changelog
+* Wed Mar 30 2016 Noriko Hosoi <nhosoi@redhat.com> - 1.3.4.0-30
+- release 1.3.4.0-30
+- Resolves: bug 1321891 - DES to AES password conversion fails if a backend is empty (DS 48777)
+
* Thu Mar 10 2016 Noriko Hosoi <nhosoi@redhat.com> - 1.3.4.0-29
- release 1.3.4.0-29
- Resolves: bug 1316552 - License tag does not match actual license of code (DS 48757)