diff --git a/SOURCES/0089-Ticket-47888-DES-to-AES-password-conversion-fails-if.patch b/SOURCES/0089-Ticket-47888-DES-to-AES-password-conversion-fails-if.patch
new file mode 100644
index 0000000..8e36a84
--- /dev/null
+++ b/SOURCES/0089-Ticket-47888-DES-to-AES-password-conversion-fails-if.patch
@@ -0,0 +1,160 @@
+From e40a6ef764f13b6efcf573a6181b6747bb029b90 Mon Sep 17 00:00:00 2001
+From: Mark Reynolds <mreynolds@redhat.com>
+Date: Thu, 24 Mar 2016 09:46:11 -0400
+Subject: [PATCH] Ticket 47888 - DES to AES password conversion fails if a
+ backend is empty
+
+Bug Description:  The process of converting DES passwords to AES can incorrectly
+                  disable the DES plugin if an error is encountered.  In this case
+                  it was because a backend was defined but was missing the top entry
+                  which lead to an error 32 when searching for DES passwords.  This
+                  causes the existing DES passwords to fail to decode.
+
+Fix Description:  There are two issues here.  One, we should ignore errors when
+                  searching all the backends for passwords.  Two, we should only
+                  disable the DES plugin if all the DES passwords were successfully
+                  converted.
+
+https://fedorahosted.org/389/ticket/48777
+
+Reviewed by: nhosoi(Thanks!)
+
+(cherry picked from commit 6b7f980e80af3803bc395e50bd4228ded9bceb00)
+(cherry picked from commit c6eaf691c6ff3330dc1a3dcbf4dcc31af52c2919)
+---
+ ldap/servers/slapd/daemon.c | 53 ++++++++++++++++++++++-----------------------
+ 1 file changed, 26 insertions(+), 27 deletions(-)
+
+diff --git a/ldap/servers/slapd/daemon.c b/ldap/servers/slapd/daemon.c
+index d25c44d..d702129 100644
+--- a/ldap/servers/slapd/daemon.c
++++ b/ldap/servers/slapd/daemon.c
+@@ -694,7 +694,8 @@ convert_pbe_des_to_aes()
+     char **attrs = NULL;
+     char **backends = NULL;
+     char *val = NULL;
+-    int converted_des = 0;
++    int converted_des_passwd = 0;
++    int disable_des = 1;
+     int result = -1;
+     int have_aes = 0;
+     int have_des = 0;
+@@ -739,7 +740,7 @@ convert_pbe_des_to_aes()
+         char *cookie = NULL;
+ 
+         LDAPDebug(LDAP_DEBUG_ANY, "convert_pbe_des_to_aes:  "
+-                "Converting DES passwords to AES...\n",0,0,0);
++                "Checking for DES passwords to convert to AES...\n",0,0,0);
+ 
+         be = slapi_get_first_backend(&cookie);
+         while (be){
+@@ -777,10 +778,13 @@ convert_pbe_des_to_aes()
+                 slapi_search_internal_pb(pb);
+                 slapi_pblock_get(pb, SLAPI_PLUGIN_INTOP_RESULT, &result);
+                 if (LDAP_SUCCESS != result) {
+-                    LDAPDebug(LDAP_DEBUG_ANY,"convert_pbe_des_to_aes: "
+-                            "failed to search for password on (%s) error (%d)\n",
+-                            backends[be_idx], result, 0);
+-                    goto done;
++                    slapi_log_error(SLAPI_LOG_TRACE, "convert_pbe_des_to_aes: ",
++                        "Failed to search for password attribute (%s) error (%d), skipping suffix (%s)\n",
++                        attrs[i], result, backends[be_idx]);
++                    slapi_free_search_results_internal(pb);
++                    slapi_pblock_destroy(pb);
++                    pb = NULL;
++                    continue;
+                 }
+                 slapi_pblock_get(pb, SLAPI_PLUGIN_INTOP_SEARCH_ENTRIES, &entries);
+                 for (ii = 0; entries && entries[ii]; ii++){
+@@ -799,9 +803,9 @@ convert_pbe_des_to_aes()
+                             /* decode the DES password */
+                             if(pw_rever_decode(val, &passwd, attrs[i]) == -1){
+                                 LDAPDebug(LDAP_DEBUG_ANY,"convert_pbe_des_to_aes: "
+-                                        "failed to decode existing DES password for (%s)\n",
++                                        "Failed to decode existing DES password for (%s)\n",
+                                         slapi_entry_get_dn(entries[ii]), 0, 0);
+-                                converted_des = 0;
++                                disable_des = 0;
+                                 goto done;
+                             }
+ 
+@@ -813,7 +817,7 @@ convert_pbe_des_to_aes()
+                                         slapi_entry_get_dn(entries[ii]), 0, 0);
+                                 slapi_ch_free_string(&passwd);
+                                 slapi_value_free(&sval);
+-                                converted_des = 0;
++                                disable_des = 0;
+                                 goto done;
+                             }
+ 
+@@ -834,22 +838,18 @@ convert_pbe_des_to_aes()
+                             slapi_pblock_get(pb, SLAPI_PLUGIN_INTOP_RESULT, &result);
+                             if (LDAP_SUCCESS != result) {
+                                 LDAPDebug(LDAP_DEBUG_ANY,"convert_pbe_des_to_aes: "
+-                                        "failed to convert password for (%s) error (%d)\n",
++                                        "Failed to convert password for (%s) error (%d)\n",
+                                         slapi_entry_get_dn(entries[ii]), result, 0);
+-                                converted_des = -1;
++                                disable_des = 0;
+                             } else {
+                                 LDAPDebug(LDAP_DEBUG_ANY,"convert_pbe_des_to_aes: "
+-                                        "successfully converted password for (%s)\n",
++                                        "Successfully converted password for (%s)\n",
+                                          slapi_entry_get_dn(entries[ii]), result, 0);
+-                                converted_des = 1;
+-
++                                converted_des_passwd = 1;
+                             }
+                             slapi_ch_free_string(&passwd);
+                             slapi_value_free(&sval);
+                             slapi_pblock_destroy(mod_pb);
+-                            if(result){
+-                                goto done;
+-                            }
+                         }
+                         slapi_ch_free_string(&val);
+                     }
+@@ -860,6 +860,10 @@ convert_pbe_des_to_aes()
+             }
+             slapi_ch_free_string(&filter);
+         }
++        if (!converted_des_passwd){
++            slapi_log_error(SLAPI_LOG_FATAL, "convert_pbe_des_to_aes",
++                "No DES passwords found to convert.\n");
++        }
+     }
+ 
+ done:
+@@ -870,9 +874,9 @@ done:
+ 
+     if (have_aes && have_des){
+         /*
+-         * If a conversion attempt did not fail, disable DES plugin
++         * If a conversion attempt did not fail then we can disable the DES plugin
+          */
+-        if(converted_des != -1){
++        if(converted_des_passwd && disable_des){
+             /*
+              * Disable the DES plugin - this also prevents potentially expensive
+              * searches at every server startup.
+@@ -905,14 +909,9 @@ done:
+                         des_dn, 0, 0);
+             }
+             slapi_pblock_destroy(pb);
+-        }
+-        if(converted_des == 1){
+-             LDAPDebug(LDAP_DEBUG_ANY,"convert_pbe_des_to_aes: "
+-                    "Finished - all DES passwords have been converted to AES.\n",
+-                    0, 0, 0);
+-        } else if (converted_des == 0){
+-            LDAPDebug(LDAP_DEBUG_ANY, "convert_pbe_des_to_aes:  "
+-                    "Finished - no DES passwords to convert.\n",0,0,0);
++            LDAPDebug(LDAP_DEBUG_ANY,"convert_pbe_des_to_aes: "
++                      "All DES passwords have been converted to AES.\n",
++                      0, 0, 0);
+         }
+     }
+ }
+-- 
+2.4.3
+
diff --git a/SPECS/389-ds-base.spec b/SPECS/389-ds-base.spec
index 08b39f4..2777cec 100644
--- a/SPECS/389-ds-base.spec
+++ b/SPECS/389-ds-base.spec
@@ -34,7 +34,7 @@
 Summary:          389 Directory Server (base)
 Name:             389-ds-base
 Version:          1.3.4.0
-Release:          %{?relprefix}29%{?prerel}%{?dist}
+Release:          %{?relprefix}30%{?prerel}%{?dist}
 License:          GPLv3+
 URL:              http://port389.org/
 Group:            System Environment/Daemons
@@ -211,6 +211,7 @@ Patch84:          0085-Ticket-48536-Crash-in-slapi_get_object_extension.patch
 Patch85:          0086-Ticket-48445-keep-alive-entries-can-break-replicatio.patch
 Patch86:          0087-Ticket-48420-change-severity-of-some-messages-relate.patch
 Patch87:          0088-Ticket-48757-License-tag-does-not-match-actual-licen.patch
+Patch88:          0089-Ticket-47888-DES-to-AES-password-conversion-fails-if.patch
 
 %description
 389 Directory Server is an LDAPv3 compliant server.  The base package includes
@@ -362,6 +363,7 @@ cp %{SOURCE2} README.devel
 %patch85 -p1
 %patch86 -p1
 %patch87 -p1
+%patch88 -p1
 
 %build
 %if %{use_nunc_stans}
@@ -556,6 +558,10 @@ fi
 %endif
 
 %changelog
+* Wed Mar 30 2016 Noriko Hosoi <nhosoi@redhat.com> - 1.3.4.0-30
+- release 1.3.4.0-30
+- Resolves: bug 1321891 - DES to AES password conversion fails if a backend is empty (DS 48777)
+
 * Thu Mar 10 2016 Noriko Hosoi <nhosoi@redhat.com> - 1.3.4.0-29
 - release 1.3.4.0-29
 - Resolves: bug 1316552 - License tag does not match actual license of code (DS 48757)