diff --git a/SOURCES/0113-Always-return-absolute-idnsname-in-dnszone-commands.patch b/SOURCES/0113-Always-return-absolute-idnsname-in-dnszone-commands.patch
new file mode 100644
index 0000000..ea41cde
--- /dev/null
+++ b/SOURCES/0113-Always-return-absolute-idnsname-in-dnszone-commands.patch
@@ -0,0 +1,103 @@
+From 9b01d87626de2c5a0cb9b5e0d10959b13f03fbba Mon Sep 17 00:00:00 2001
+From: Martin Basti <mbasti@redhat.com>
+Date: Thu, 15 Jan 2015 13:13:55 +0100
+Subject: [PATCH] Always return absolute idnsname in dnszone commands
+
+Ticket: https://fedorahosted.org/freeipa/ticket/4722
+Reviewed-By: Jan Cholasta <jcholast@redhat.com>
+---
+ ipalib/plugins/dns.py | 36 ++++++++++++++++++++++++++++++++++--
+ 1 file changed, 34 insertions(+), 2 deletions(-)
+
+diff --git a/ipalib/plugins/dns.py b/ipalib/plugins/dns.py
+index 34afc189866993481229bb68a5edd77e0a4eaff3..ea4c212b42631e8513a13d2a7f5a859b2176376b 100644
+--- a/ipalib/plugins/dns.py
++++ b/ipalib/plugins/dns.py
+@@ -1848,6 +1848,18 @@ class DNSZoneBase(LDAPObject):
+             except errors.NotFound:
+                 raise e  # re-raise original exception
+ 
++    def _make_zonename_absolute(self, entry_attrs, **options):
++        """
++        Zone names can be relative in IPA < 4.0, make sure we always return
++        absolute zone name from ldap
++        """
++        if options.get('raw'):
++            return
++
++        if "idnsname" in entry_attrs:
++            entry_attrs.single_value['idnsname'] = (
++                entry_attrs.single_value['idnsname'].make_absolute())
++
+ 
+ class DNSZoneBase_add(LDAPCreate):
+ 
+@@ -1895,6 +1907,11 @@ class DNSZoneBase_del(LDAPDelete):
+ class DNSZoneBase_mod(LDAPUpdate):
+     has_output_params = LDAPUpdate.has_output_params + dnszone_output_params
+ 
++    def post_callback(self, ldap, dn, entry_attrs, *keys, **options):
++        assert isinstance(dn, DN)
++        self.obj._make_zonename_absolute(entry_attrs, **options)
++        return dn
++
+ 
+ class DNSZoneBase_find(LDAPSearch):
+     __doc__ = _('Search for DNS zones (SOA records).')
+@@ -1929,6 +1946,11 @@ class DNSZoneBase_find(LDAPSearch):
+         filter = _create_idn_filter(self, ldap, *args, **options)
+         return (filter, base_dn, scope)
+ 
++    def post_callback(self, ldap, entries, truncated, *args, **options):
++        for entry_attrs in entries:
++            self.obj._make_zonename_absolute(entry_attrs, **options)
++        return truncated
++
+ 
+ class DNSZoneBase_show(LDAPRetrieve):
+     has_output_params = LDAPRetrieve.has_output_params + dnszone_output_params
+@@ -1939,6 +1961,11 @@ class DNSZoneBase_show(LDAPRetrieve):
+             self.obj.handle_not_found(*keys)
+         return dn
+ 
++    def post_callback(self, ldap, dn, entry_attrs, *keys, **options):
++        assert isinstance(dn, DN)
++        self.obj._make_zonename_absolute(entry_attrs, **options)
++        return dn
++
+ 
+ class DNSZoneBase_disable(LDAPQuery):
+     has_output = output.standard_value
+@@ -2539,7 +2566,8 @@ class dnszone_mod(DNSZoneBase_mod):
+         return result
+ 
+     def post_callback(self, ldap, dn, entry_attrs, *keys, **options):
+-        assert isinstance(dn, DN)
++        dn = super(dnszone_mod, self).post_callback(ldap, dn, entry_attrs,
++                                                    *keys, **options)
+         self.obj._rr_zone_postprocess(entry_attrs, **options)
+         return dn
+ 
+@@ -2576,6 +2604,9 @@ class dnszone_find(DNSZoneBase_find):
+         return (filter, base_dn, scope)
+ 
+     def post_callback(self, ldap, entries, truncated, *args, **options):
++        truncated = super(dnszone_find, self).post_callback(ldap, entries,
++                                                            truncated, *args,
++                                                            **options)
+         for entry_attrs in entries:
+             self.obj._rr_zone_postprocess(entry_attrs, **options)
+         return truncated
+@@ -2592,7 +2623,8 @@ class dnszone_show(DNSZoneBase_show):
+         return result
+ 
+     def post_callback(self, ldap, dn, entry_attrs, *keys, **options):
+-        assert isinstance(dn, DN)
++        dn = super(dnszone_show, self).post_callback(ldap, dn, entry_attrs,
++                                                     *keys, **options)
+         self.obj._rr_zone_postprocess(entry_attrs, **options)
+         return dn
+ 
+-- 
+2.1.0
+
diff --git a/SOURCES/0114-ipa-kdb-reject-principals-from-disabled-domains-as-a.patch b/SOURCES/0114-ipa-kdb-reject-principals-from-disabled-domains-as-a.patch
new file mode 100644
index 0000000..9ffb3ce
--- /dev/null
+++ b/SOURCES/0114-ipa-kdb-reject-principals-from-disabled-domains-as-a.patch
@@ -0,0 +1,30 @@
+From b46e3a309e8aa9a629037afb6ca7972d98e943e9 Mon Sep 17 00:00:00 2001
+From: Alexander Bokovoy <abokovoy@redhat.com>
+Date: Wed, 10 Dec 2014 14:59:38 +0200
+Subject: [PATCH] ipa-kdb: reject principals from disabled domains as a KDC
+ policy
+
+Fixes https://fedorahosted.org/freeipa/ticket/4788
+
+Reviewed-By: Sumit Bose <sbose@redhat.com>
+Reviewed-By: Simo Sorce <ssorce@redhat.com>
+---
+ daemons/ipa-kdb/ipa_kdb_mspac.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/daemons/ipa-kdb/ipa_kdb_mspac.c b/daemons/ipa-kdb/ipa_kdb_mspac.c
+index a4500070760e83994c8155a12ee6414b5ebee9e0..e3215db4ea11632dce8f039fc6b89c4a09acd87a 100644
+--- a/daemons/ipa-kdb/ipa_kdb_mspac.c
++++ b/daemons/ipa-kdb/ipa_kdb_mspac.c
+@@ -1375,7 +1375,7 @@ static krb5_error_code filter_logon_info(krb5_context context,
+                                    &domain->parent->sid_blacklist_incoming[k], true);
+             if (result) {
+                 filter_logon_info_log_message(info->info->info3.base.domain_sid);
+-                return EINVAL;
++                return KRB5KDC_ERR_POLICY;
+             }
+         }
+     }
+-- 
+2.1.0
+
diff --git a/SOURCES/0115-ipalib-Make-sure-correct-attribute-name-is-reference.patch b/SOURCES/0115-ipalib-Make-sure-correct-attribute-name-is-reference.patch
new file mode 100644
index 0000000..5a31c67
--- /dev/null
+++ b/SOURCES/0115-ipalib-Make-sure-correct-attribute-name-is-reference.patch
@@ -0,0 +1,47 @@
+From ce31d4124e20261cbd561f688110046945b082c1 Mon Sep 17 00:00:00 2001
+From: Tomas Babej <tbabej@redhat.com>
+Date: Thu, 19 Feb 2015 17:10:37 +0100
+Subject: [PATCH] ipalib: Make sure correct attribute name is referenced for
+ fax
+
+Fixes the invalid attribute name reference in the
+'System: Read User Addressbook Attributes' permission.
+
+https://fedorahosted.org/freeipa/ticket/4883
+
+Reviewed-By: Martin Kosek <mkosek@redhat.com>
+Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
+---
+ ACI.txt                | 2 +-
+ ipalib/plugins/user.py | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/ACI.txt b/ACI.txt
+index 67d583fabc295deb8aa5aab329bce5100c1b9088..fa1dcc4a8c9fd0c610dadcb2c368f700d26d4011 100644
+--- a/ACI.txt
++++ b/ACI.txt
+@@ -255,7 +255,7 @@ aci: (targetattr = "businesscategory || carlicense || cn || description || displ
+ dn: cn=UPG Definition,cn=Definitions,cn=Managed Entries,cn=etc,dc=ipa,dc=example
+ aci: (targetattr = "*")(target = "ldap:///cn=UPG Definition,cn=Definitions,cn=Managed Entries,cn=etc,dc=ipa,dc=example")(version 3.0;acl "permission:System: Read UPG Definition";allow (compare,read,search) groupdn = "ldap:///cn=System: Read UPG Definition,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+ dn: cn=users,cn=accounts,dc=ipa,dc=example
+-aci: (targetattr = "audio || businesscategory || carlicense || departmentnumber || destinationindicator || employeenumber || employeetype || fax || homephone || homepostaladdress || inetuserhttpurl || inetuserstatus || internationalisdnnumber || jpegphoto || l || labeleduri || mail || mobile || o || ou || pager || photo || physicaldeliveryofficename || postaladdress || postalcode || postofficebox || preferreddeliverymethod || preferredlanguage || registeredaddress || roomnumber || secretary || seealso || st || street || telephonenumber || teletexterminalidentifier || telexnumber || usercertificate || usersmimecertificate || x121address || x500uniqueidentifier")(targetfilter = "(objectclass=posixaccount)")(version 3.0;acl "permission:System: Read User Addressbook Attributes";allow (compare,read,search) userdn = "ldap:///all";)
++aci: (targetattr = "audio || businesscategory || carlicense || departmentnumber || destinationindicator || employeenumber || employeetype || facsimiletelephonenumber || homephone || homepostaladdress || inetuserhttpurl || inetuserstatus || internationalisdnnumber || jpegphoto || l || labeleduri || mail || mobile || o || ou || pager || photo || physicaldeliveryofficename || postaladdress || postalcode || postofficebox || preferreddeliverymethod || preferredlanguage || registeredaddress || roomnumber || secretary || seealso || st || street || telephonenumber || teletexterminalidentifier || telexnumber || usercertificate || usersmimecertificate || x121address || x500uniqueidentifier")(targetfilter = "(objectclass=posixaccount)")(version 3.0;acl "permission:System: Read User Addressbook Attributes";allow (compare,read,search) userdn = "ldap:///all";)
+ dn: dc=ipa,dc=example
+ aci: (targetattr = "cn || createtimestamp || entryusn || gecos || gidnumber || homedirectory || loginshell || modifytimestamp || objectclass || uid || uidnumber")(target = "ldap:///cn=users,cn=compat,dc=ipa,dc=example")(version 3.0;acl "permission:System: Read User Compat Tree";allow (compare,read,search) userdn = "ldap:///anyone";)
+ dn: cn=users,cn=accounts,dc=ipa,dc=example
+diff --git a/ipalib/plugins/user.py b/ipalib/plugins/user.py
+index 56585b9f86593c0c5879139103bc71707b88e15f..abe5ee26b8e48681eeb0cbb3bcff8617e212225c 100644
+--- a/ipalib/plugins/user.py
++++ b/ipalib/plugins/user.py
+@@ -276,7 +276,7 @@ class user(LDAPObject):
+             'ipapermright': {'read', 'search', 'compare'},
+             'ipapermdefaultattr': {
+                 'seealso', 'telephonenumber',
+-                'fax', 'l', 'ou', 'st', 'postalcode', 'street',
++                'facsimiletelephonenumber', 'l', 'ou', 'st', 'postalcode', 'street',
+                 'destinationindicator', 'internationalisdnnumber',
+                 'physicaldeliveryofficename', 'postaladdress', 'postofficebox',
+                 'preferreddeliverymethod', 'registeredaddress',
+-- 
+2.1.0
+
diff --git a/SOURCES/0116-Restore-default.conf-and-use-it-to-build-API.patch b/SOURCES/0116-Restore-default.conf-and-use-it-to-build-API.patch
new file mode 100644
index 0000000..59ba9e7
--- /dev/null
+++ b/SOURCES/0116-Restore-default.conf-and-use-it-to-build-API.patch
@@ -0,0 +1,164 @@
+From 0dfae3e9f16d91116a6769e25bbbee0ef1e485d2 Mon Sep 17 00:00:00 2001
+From: David Kupka <dkupka@redhat.com>
+Date: Wed, 4 Mar 2015 10:06:47 -0500
+Subject: [PATCH] Restore default.conf and use it to build API.
+
+When restoring ipa after uninstallation we need to extract and load
+configuration of the restored environment.
+
+https://fedorahosted.org/freeipa/ticket/4896
+
+Reviewed-By: Jan Cholasta <jcholast@redhat.com>
+---
+ ipaserver/install/ipa_restore.py | 64 ++++++++++++++++++++++++++++++----------
+ 1 file changed, 48 insertions(+), 16 deletions(-)
+
+diff --git a/ipaserver/install/ipa_restore.py b/ipaserver/install/ipa_restore.py
+index efe3b9b1c0c10775b3a72b9d843924263526209a..a5ecd5f62bc85918fe697d98109bd3a82120f355 100644
+--- a/ipaserver/install/ipa_restore.py
++++ b/ipaserver/install/ipa_restore.py
+@@ -27,7 +27,7 @@ from ConfigParser import SafeConfigParser
+ import ldif
+ import itertools
+ 
+-from ipalib import api, errors
++from ipalib import api, errors, constants
+ from ipapython import version, ipautil, certdb, dogtag
+ from ipapython.ipautil import run, user_input
+ from ipapython import admintool
+@@ -203,15 +203,12 @@ class Restore(admintool.AdminTool):
+         options = self.options
+         super(Restore, self).run()
+ 
+-        api.bootstrap(in_server=False, context='restore')
+-        api.finalize()
+-
+         self.backup_dir = self.args[0]
+         if not os.path.isabs(self.backup_dir):
+             self.backup_dir = os.path.join(BACKUP_DIR, self.backup_dir)
+ 
+         self.log.info("Preparing restore from %s on %s",
+-                      self.backup_dir, api.env.host)
++                      self.backup_dir, constants.FQDN)
+ 
+         self.header = os.path.join(self.backup_dir, 'header')
+ 
+@@ -225,9 +222,6 @@ class Restore(admintool.AdminTool):
+         else:
+             restore_type = self.backup_type
+ 
+-        instances = [realm_to_serverid(api.env.realm), 'PKI-IPA']
+-        backends = ['userRoot', 'ipaca']
+-
+         # These checks would normally be in the validate method but
+         # we need to know the type of backup we're dealing with.
+         if restore_type == 'FULL':
+@@ -241,6 +235,8 @@ class Restore(admintool.AdminTool):
+         else:
+             installutils.check_server_configuration()
+ 
++            self.init_api()
++
+             if options.instance:
+                 instance_dir = (paths.VAR_LIB_SLAPD_INSTANCE_DIR_TEMPLATE %
+                                 options.instance)
+@@ -248,10 +244,10 @@ class Restore(admintool.AdminTool):
+                     raise admintool.ScriptError(
+                         "Instance %s does not exist" % options.instance)
+ 
+-                instances = [options.instance]
++                self.instances = [options.instance]
+ 
+             if options.backend:
+-                for instance in instances:
++                for instance in self.instances:
+                     db_dir = (paths.SLAPD_INSTANCE_DB_DIR_TEMPLATE %
+                               (instance, options.backend))
+                     if os.path.exists(db_dir):
+@@ -260,9 +256,10 @@ class Restore(admintool.AdminTool):
+                     raise admintool.ScriptError(
+                         "Backend %s does not exist" % options.backend)
+ 
+-                backends = [options.backend]
++                self.backends = [options.backend]
+ 
+-            for instance, backend in itertools.product(instances, backends):
++            for instance, backend in itertools.product(self.instances,
++                                                       self.backends):
+                 db_dir = (paths.SLAPD_INSTANCE_DB_DIR_TEMPLATE %
+                           (instance, backend))
+                 if os.path.exists(db_dir):
+@@ -274,10 +271,10 @@ class Restore(admintool.AdminTool):
+         self.log.info("Performing %s restore from %s backup" %
+                       (restore_type, self.backup_type))
+ 
+-        if self.backup_host != api.env.host:
++        if self.backup_host != constants.FQDN:
+             raise admintool.ScriptError(
+                 "Host name %s does not match backup name %s" %
+-                (api.env.host, self.backup_host))
++                (constants.FQDN, self.backup_host))
+ 
+         if self.backup_ipa_version != str(version.VERSION):
+             self.log.warning(
+@@ -307,9 +304,13 @@ class Restore(admintool.AdminTool):
+ 
+             self.extract_backup(options.gpg_keyring)
+ 
++            if restore_type == 'FULL':
++                self.restore_default_conf()
++                self.init_api(confdir=self.dir + paths.ETC_IPA)
++
+             databases = []
+-            for instance in instances:
+-                for backend in backends:
++            for instance in self.instances:
++                for backend in self.backends:
+                     database = (instance, backend)
+                     ldiffile = os.path.join(self.dir, '%s-%s.ldif' % database)
+                     if os.path.exists(ldiffile):
+@@ -607,6 +608,30 @@ class Restore(admintool.AdminTool):
+                 self.log.critical("bak2db failed: %s" % stderr)
+ 
+ 
++    def restore_default_conf(self):
++        '''
++        Restore paths.IPA_DEFAULT_CONF to temporary directory.
++
++        Primary purpose of this method is to get cofiguration for api
++        finalization when restoring ipa after uninstall.
++        '''
++        cwd = os.getcwd()
++        os.chdir(self.dir)
++        args = ['tar',
++                '--xattrs',
++                '--selinux',
++                '-xzf',
++                os.path.join(self.dir, 'files.tar'),
++                paths.IPA_DEFAULT_CONF[1:],
++               ]
++
++        (stdout, stderr, rc) = run(args, raiseonerr=False)
++        if rc != 0:
++            self.log.critical('Restoring %s failed: %s' %
++                              (paths.IPA_DEFAULT_CONF, stderr))
++        os.chdir(cwd)
++
++
+     def file_restore(self, nologs=False):
+         '''
+         Restore all the files in the tarball.
+@@ -803,3 +828,10 @@ class Restore(admintool.AdminTool):
+         tasks.reload_systemwide_ca_store()
+ 
+         services.knownservices.certmonger.restart()
++
++    def init_api(self, **overrides):
++        api.bootstrap(in_server=False, context='restore', **overrides)
++        api.finalize()
++
++        self.instances = [realm_to_serverid(api.env.realm), 'PKI-IPA']
++        self.backends = ['userRoot', 'ipaca']
+-- 
+2.1.0
+
diff --git a/SOURCES/0117-Limit-deadlocks-between-DS-plugin-DNA-and-slapi-nis.patch b/SOURCES/0117-Limit-deadlocks-between-DS-plugin-DNA-and-slapi-nis.patch
new file mode 100644
index 0000000..2f75ad2
--- /dev/null
+++ b/SOURCES/0117-Limit-deadlocks-between-DS-plugin-DNA-and-slapi-nis.patch
@@ -0,0 +1,62 @@
+From 7a98d658d662f0cec33ba6207474d8271029b4bd Mon Sep 17 00:00:00 2001
+From: root <root@vm-035.idm.lab.eng.brq.redhat.com>
+Date: Wed, 4 Mar 2015 11:11:45 +0100
+Subject: [PATCH] Limit deadlocks between DS plugin DNA and slapi-nis
+
+	Deadlock can occur if DNA plugin (shared) config and Schema-compat plugin config
+	are updated at the same time.
+	Schema-compat should ignore update on DNA config.
+
+	https://fedorahosted.org/freeipa/ticket/4927
+
+Reviewed-By: Jan Cholasta <jcholast@redhat.com>
+---
+ install/updates/10-schema_compat.update | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/install/updates/10-schema_compat.update b/install/updates/10-schema_compat.update
+index b8c79012d121116f9cf53908fbe4eeeebe9d3d82..4484bdcce15736eeaffcc99edc694094b16fd0ed 100644
+--- a/install/updates/10-schema_compat.update
++++ b/install/updates/10-schema_compat.update
+@@ -22,6 +22,7 @@ remove: schema-compat-ignore-subtree: cn=changelog
+ remove: schema-compat-ignore-subtree: o=ipaca
+ add: schema-compat-restrict-subtree: '$SUFFIX'
+ add: schema-compat-restrict-subtree: 'cn=Schema Compatibility,cn=plugins,cn=config'
++add: schema-compat-ignore-subtree: 'cn=dna,cn=ipa,cn=etc,$SUFFIX'
+ 
+ # Change padding for host and userCategory so the pad returns the same value
+ # as the original, '' or -.
+@@ -31,6 +32,7 @@ remove: schema-compat-ignore-subtree: cn=changelog
+ remove: schema-compat-ignore-subtree: o=ipaca
+ add: schema-compat-restrict-subtree: '$SUFFIX'
+ add: schema-compat-restrict-subtree: 'cn=Schema Compatibility,cn=plugins,cn=config'
++add: schema-compat-ignore-subtree: 'cn=dna,cn=ipa,cn=etc,$SUFFIX'
+ 
+ dn: cn=computers, cn=Schema Compatibility, cn=plugins, cn=config
+ default:objectClass: top
+@@ -49,6 +51,7 @@ remove: schema-compat-ignore-subtree: cn=changelog
+ remove: schema-compat-ignore-subtree: o=ipaca
+ add: schema-compat-restrict-subtree: '$SUFFIX'
+ add: schema-compat-restrict-subtree: 'cn=Schema Compatibility,cn=plugins,cn=config'
++add: schema-compat-ignore-subtree: 'cn=dna,cn=ipa,cn=etc,$SUFFIX'
+ 
+ dn: cn=sudoers,cn=Schema Compatibility,cn=plugins,cn=config
+ add:schema-compat-entry-attribute: sudoOrder=%{sudoOrder}
+@@ -58,12 +61,14 @@ remove: schema-compat-ignore-subtree: cn=changelog
+ remove: schema-compat-ignore-subtree: o=ipaca
+ add: schema-compat-restrict-subtree: '$SUFFIX'
+ add: schema-compat-restrict-subtree: 'cn=Schema Compatibility,cn=plugins,cn=config'
++add: schema-compat-ignore-subtree: 'cn=dna,cn=ipa,cn=etc,$SUFFIX'
+ 
+ dn: cn=groups,cn=Schema Compatibility,cn=plugins,cn=config
+ remove: schema-compat-ignore-subtree: cn=changelog
+ remove: schema-compat-ignore-subtree: o=ipaca
+ add: schema-compat-restrict-subtree: '$SUFFIX'
+ add: schema-compat-restrict-subtree: 'cn=Schema Compatibility,cn=plugins,cn=config'
++add: schema-compat-ignore-subtree: 'cn=dna,cn=ipa,cn=etc,$SUFFIX'
+ 
+ dn: cn=Schema Compatibility,cn=plugins,cn=config
+ # We need to run schema-compat pre-bind callback before
+-- 
+2.1.0
+
diff --git a/SOURCES/0118-Add-configure-check-for-cwrap-libraries.patch b/SOURCES/0118-Add-configure-check-for-cwrap-libraries.patch
new file mode 100644
index 0000000..6dfaf34
--- /dev/null
+++ b/SOURCES/0118-Add-configure-check-for-cwrap-libraries.patch
@@ -0,0 +1,53 @@
+From d6ea80f9c0a5b7d6bd44e32297af3718c1e782ff Mon Sep 17 00:00:00 2001
+From: Sumit Bose <sbose@redhat.com>
+Date: Tue, 24 Feb 2015 15:29:00 +0100
+Subject: [PATCH] Add configure check for cwrap libraries
+
+Currently only nss-wrapper is checked, checks for other crwap libraries
+can be added e.g. as
+
+AM_CHECK_WRAPPER(uid_wrapper, HAVE_UID_WRAPPER)
+
+Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
+---
+ daemons/configure.ac | 24 ++++++++++++++++++++++++
+ 1 file changed, 24 insertions(+)
+
+diff --git a/daemons/configure.ac b/daemons/configure.ac
+index e81aa60e381e035aff73bf27475fc0f101a5fbf9..932a8f7fd5230c90071cf26cc83f6aee5173457d 100644
+--- a/daemons/configure.ac
++++ b/daemons/configure.ac
+@@ -224,6 +224,30 @@ PKG_CHECK_EXISTS(cmocka,
+ )
+ AM_CONDITIONAL([HAVE_CMOCKA], [test x$have_cmocka = xyes])
+ 
++dnl A macro to check presence of a cwrap (http://cwrap.org) wrapper on the system
++dnl Usage:
++dnl     AM_CHECK_WRAPPER(name, conditional)
++dnl If the cwrap library is found, sets the HAVE_$name conditional
++AC_DEFUN([AM_CHECK_WRAPPER],
++[
++    FOUND_WRAPPER=0
++
++    AC_MSG_CHECKING([for $1])
++    PKG_CHECK_EXISTS([$1],
++                     [
++                        AC_MSG_RESULT([yes])
++                        FOUND_WRAPPER=1
++                     ],
++                     [
++                        AC_MSG_RESULT([no])
++                        AC_MSG_WARN([cwrap library $1 not found, some tests will not run])
++                     ])
++
++    AM_CONDITIONAL($2, [ test x$FOUND_WRAPPER = x1])
++])
++
++AM_CHECK_WRAPPER(nss_wrapper, HAVE_NSS_WRAPPER)
++
+ dnl -- dirsrv is needed for the extdom unit tests --
+ PKG_CHECK_MODULES([DIRSRV], [dirsrv  >= 1.3.0])
+ dnl -- sss_idmap is needed by the extdom exop --
+-- 
+2.1.0
+
diff --git a/SOURCES/0119-extdom-handle-ERANGE-return-code-for-getXXYYY_r-call.patch b/SOURCES/0119-extdom-handle-ERANGE-return-code-for-getXXYYY_r-call.patch
new file mode 100644
index 0000000..72bc2d4
--- /dev/null
+++ b/SOURCES/0119-extdom-handle-ERANGE-return-code-for-getXXYYY_r-call.patch
@@ -0,0 +1,776 @@
+From 14310dab1698da8afbc107c5c76a3c01c9aeb20e Mon Sep 17 00:00:00 2001
+From: Sumit Bose <sbose@redhat.com>
+Date: Tue, 24 Feb 2015 15:33:39 +0100
+Subject: [PATCH] extdom: handle ERANGE return code for getXXYYY_r() calls
+
+The getXXYYY_r() calls require a buffer to store the variable data of
+the passwd and group structs. If the provided buffer is too small ERANGE
+is returned and the caller can try with a larger buffer again.
+
+Cmocka/cwrap based unit-tests for get*_r_wrapper() are added.
+
+Resolves https://fedorahosted.org/freeipa/ticket/4908
+
+Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
+---
+ .../ipa-slapi-plugins/ipa-extdom-extop/Makefile.am |  31 ++-
+ .../ipa-extdom-extop/ipa_extdom.h                  |   9 +
+ .../ipa-extdom-extop/ipa_extdom_cmocka_tests.c     | 226 +++++++++++++++
+ .../ipa-extdom-extop/ipa_extdom_common.c           | 309 +++++++++++++++------
+ .../ipa-extdom-extop/test_data/group               |   2 +
+ .../ipa-extdom-extop/test_data/passwd              |   2 +
+ .../ipa-extdom-extop/test_data/test_setup.sh       |   3 +
+ 7 files changed, 498 insertions(+), 84 deletions(-)
+ create mode 100644 daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_cmocka_tests.c
+ create mode 100644 daemons/ipa-slapi-plugins/ipa-extdom-extop/test_data/group
+ create mode 100644 daemons/ipa-slapi-plugins/ipa-extdom-extop/test_data/passwd
+ create mode 100644 daemons/ipa-slapi-plugins/ipa-extdom-extop/test_data/test_setup.sh
+
+diff --git a/daemons/ipa-slapi-plugins/ipa-extdom-extop/Makefile.am b/daemons/ipa-slapi-plugins/ipa-extdom-extop/Makefile.am
+index 0008476796f5b20f62f2c32e7b291b787fa7a6fc..a1679812ef3c5de8c6e18433cbb991a99ad0b6c8 100644
+--- a/daemons/ipa-slapi-plugins/ipa-extdom-extop/Makefile.am
++++ b/daemons/ipa-slapi-plugins/ipa-extdom-extop/Makefile.am
+@@ -35,9 +35,20 @@ libipa_extdom_extop_la_LIBADD = 	\
+ 	$(SSSNSSIDMAP_LIBS)	\
+ 	$(NULL)
+ 
++TESTS =
++check_PROGRAMS =
++
+ if HAVE_CHECK
+-TESTS = extdom_tests
+-check_PROGRAMS = extdom_tests
++TESTS += extdom_tests
++check_PROGRAMS += extdom_tests
++endif
++
++if HAVE_CMOCKA
++if HAVE_NSS_WRAPPER
++TESTS_ENVIRONMENT = . ./test_data/test_setup.sh;
++TESTS += extdom_cmocka_tests
++check_PROGRAMS += extdom_cmocka_tests
++endif
+ endif
+ 
+ extdom_tests_SOURCES = 	\
+@@ -55,6 +66,22 @@ extdom_tests_LDADD = 		\
+ 	$(SSSNSSIDMAP_LIBS)	\
+ 	$(NULL)
+ 
++extdom_cmocka_tests_SOURCES = 		\
++	ipa_extdom_cmocka_tests.c	\
++	ipa_extdom_common.c		\
++	$(NULL)
++extdom_cmocka_tests_CFLAGS = $(CMOCKA_CFLAGS)
++extdom_cmocka_tests_LDFLAGS = 	\
++	-rpath $(shell pkg-config --libs-only-L dirsrv | sed -e 's/-L//') \
++	$(NULL)
++extdom_cmocka_tests_LDADD = 	\
++	$(CMOCKA_LIBS)		\
++	$(LDAP_LIBS)		\
++	$(DIRSRV_LIBS)		\
++	$(SSSNSSIDMAP_LIBS)	\
++	$(NULL)
++
++
+ appdir = $(IPA_DATA_DIR)
+ app_DATA =				\
+ 	ipa-extdom-extop-conf.ldif	\
+diff --git a/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom.h b/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom.h
+index 56ca5009b1aa427f6c059b78ac392c768e461e2e..40bf933920fdd2ca19e5ef195aaa8fb820446cc5 100644
+--- a/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom.h
++++ b/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom.h
+@@ -174,4 +174,13 @@ int check_request(struct extdom_req *req, enum extdom_version version);
+ int handle_request(struct ipa_extdom_ctx *ctx, struct extdom_req *req,
+                    struct berval **berval);
+ int pack_response(struct extdom_res *res, struct berval **ret_val);
++int get_buffer(size_t *_buf_len, char **_buf);
++int getpwnam_r_wrapper(size_t buf_max, const char *name,
++                       struct passwd *pwd, char **_buf, size_t *_buf_len);
++int getpwuid_r_wrapper(size_t buf_max, uid_t uid,
++                       struct passwd *pwd, char **_buf, size_t *_buf_len);
++int getgrnam_r_wrapper(size_t buf_max, const char *name,
++                       struct group *grp, char **_buf, size_t *_buf_len);
++int getgrgid_r_wrapper(size_t buf_max, gid_t gid,
++                       struct group *grp, char **_buf, size_t *_buf_len);
+ #endif /* _IPA_EXTDOM_H_ */
+diff --git a/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_cmocka_tests.c b/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_cmocka_tests.c
+new file mode 100644
+index 0000000000000000000000000000000000000000..d5bacd7e8c9dc0a71eea70162406c7e5b67384ad
+--- /dev/null
++++ b/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_cmocka_tests.c
+@@ -0,0 +1,226 @@
++/*
++    Authors:
++        Sumit Bose <sbose@redhat.com>
++
++    Copyright (C) 2015 Red Hat
++
++    Extdom tests
++
++    This program is free software; you can redistribute it and/or modify
++    it under the terms of the GNU General Public License as published by
++    the Free Software Foundation; either version 3 of the License, or
++    (at your option) any later version.
++
++    This program is distributed in the hope that it will be useful,
++    but WITHOUT ANY WARRANTY; without even the implied warranty of
++    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
++    GNU General Public License for more details.
++
++    You should have received a copy of the GNU General Public License
++    along with this program.  If not, see <http://www.gnu.org/licenses/>.
++*/
++
++#include <errno.h>
++#include <stdarg.h>
++#include <stddef.h>
++#include <setjmp.h>
++#include <cmocka.h>
++
++#include <sys/types.h>
++#include <pwd.h>
++
++
++#include "ipa_extdom.h"
++
++#define MAX_BUF (1024*1024*1024)
++
++void test_getpwnam_r_wrapper(void **state)
++{
++    int ret;
++    struct passwd pwd;
++    char *buf;
++    size_t buf_len;
++
++    ret = get_buffer(&buf_len, &buf);
++    assert_int_equal(ret, 0);
++
++    ret = getpwnam_r_wrapper(MAX_BUF, "non_exisiting_user", &pwd, &buf,
++                             &buf_len);
++    assert_int_equal(ret, ENOENT);
++
++    ret = getpwnam_r_wrapper(MAX_BUF, "user", &pwd, &buf, &buf_len);
++    assert_int_equal(ret, 0);
++    assert_string_equal(pwd.pw_name, "user");
++    assert_string_equal(pwd.pw_passwd, "x");
++    assert_int_equal(pwd.pw_uid, 12345);
++    assert_int_equal(pwd.pw_gid, 23456);
++    assert_string_equal(pwd.pw_gecos, "gecos");
++    assert_string_equal(pwd.pw_dir, "/home/user");
++    assert_string_equal(pwd.pw_shell, "/bin/shell");
++    free(buf);
++
++    ret = get_buffer(&buf_len, &buf);
++    assert_int_equal(ret, 0);
++
++    ret = getpwnam_r_wrapper(MAX_BUF, "user_big", &pwd, &buf, &buf_len);
++    assert_int_equal(ret, 0);
++    assert_string_equal(pwd.pw_name, "user_big");
++    assert_string_equal(pwd.pw_passwd, "x");
++    assert_int_equal(pwd.pw_uid, 12346);
++    assert_int_equal(pwd.pw_gid, 23457);
++    assert_int_equal(strlen(pwd.pw_gecos), 4000 * strlen("gecos"));
++    assert_string_equal(pwd.pw_dir, "/home/user_big");
++    assert_string_equal(pwd.pw_shell, "/bin/shell");
++    free(buf);
++
++    ret = get_buffer(&buf_len, &buf);
++    assert_int_equal(ret, 0);
++
++    ret = getpwnam_r_wrapper(1024, "user_big", &pwd, &buf, &buf_len);
++    assert_int_equal(ret, ERANGE);
++    free(buf);
++}
++
++void test_getpwuid_r_wrapper(void **state)
++{
++    int ret;
++    struct passwd pwd;
++    char *buf;
++    size_t buf_len;
++
++    ret = get_buffer(&buf_len, &buf);
++    assert_int_equal(ret, 0);
++
++    ret = getpwuid_r_wrapper(MAX_BUF, 99999, &pwd, &buf, &buf_len);
++    assert_int_equal(ret, ENOENT);
++
++    ret = getpwuid_r_wrapper(MAX_BUF, 12345, &pwd, &buf, &buf_len);
++    assert_int_equal(ret, 0);
++    assert_string_equal(pwd.pw_name, "user");
++    assert_string_equal(pwd.pw_passwd, "x");
++    assert_int_equal(pwd.pw_uid, 12345);
++    assert_int_equal(pwd.pw_gid, 23456);
++    assert_string_equal(pwd.pw_gecos, "gecos");
++    assert_string_equal(pwd.pw_dir, "/home/user");
++    assert_string_equal(pwd.pw_shell, "/bin/shell");
++    free(buf);
++
++    ret = get_buffer(&buf_len, &buf);
++    assert_int_equal(ret, 0);
++
++    ret = getpwuid_r_wrapper(MAX_BUF, 12346, &pwd, &buf, &buf_len);
++    assert_int_equal(ret, 0);
++    assert_string_equal(pwd.pw_name, "user_big");
++    assert_string_equal(pwd.pw_passwd, "x");
++    assert_int_equal(pwd.pw_uid, 12346);
++    assert_int_equal(pwd.pw_gid, 23457);
++    assert_int_equal(strlen(pwd.pw_gecos), 4000 * strlen("gecos"));
++    assert_string_equal(pwd.pw_dir, "/home/user_big");
++    assert_string_equal(pwd.pw_shell, "/bin/shell");
++    free(buf);
++
++    ret = get_buffer(&buf_len, &buf);
++    assert_int_equal(ret, 0);
++
++    ret = getpwuid_r_wrapper(1024, 12346, &pwd, &buf, &buf_len);
++    assert_int_equal(ret, ERANGE);
++    free(buf);
++}
++
++void test_getgrnam_r_wrapper(void **state)
++{
++    int ret;
++    struct group grp;
++    char *buf;
++    size_t buf_len;
++
++    ret = get_buffer(&buf_len, &buf);
++    assert_int_equal(ret, 0);
++
++    ret = getgrnam_r_wrapper(MAX_BUF, "non_exisiting_group", &grp, &buf, &buf_len);
++    assert_int_equal(ret, ENOENT);
++
++    ret = getgrnam_r_wrapper(MAX_BUF, "group", &grp, &buf, &buf_len);
++    assert_int_equal(ret, 0);
++    assert_string_equal(grp.gr_name, "group");
++    assert_string_equal(grp.gr_passwd, "x");
++    assert_int_equal(grp.gr_gid, 11111);
++    assert_string_equal(grp.gr_mem[0], "member0001");
++    assert_string_equal(grp.gr_mem[1], "member0002");
++    assert_null(grp.gr_mem[2]);
++    free(buf);
++
++    ret = get_buffer(&buf_len, &buf);
++    assert_int_equal(ret, 0);
++
++    ret = getgrnam_r_wrapper(MAX_BUF, "group_big", &grp, &buf, &buf_len);
++    assert_int_equal(ret, 0);
++    assert_string_equal(grp.gr_name, "group_big");
++    assert_string_equal(grp.gr_passwd, "x");
++    assert_int_equal(grp.gr_gid, 22222);
++    assert_string_equal(grp.gr_mem[0], "member0001");
++    assert_string_equal(grp.gr_mem[1], "member0002");
++    free(buf);
++
++    ret = get_buffer(&buf_len, &buf);
++    assert_int_equal(ret, 0);
++
++    ret = getgrnam_r_wrapper(1024, "group_big", &grp, &buf, &buf_len);
++    assert_int_equal(ret, ERANGE);
++    free(buf);
++}
++
++void test_getgrgid_r_wrapper(void **state)
++{
++    int ret;
++    struct group grp;
++    char *buf;
++    size_t buf_len;
++
++    ret = get_buffer(&buf_len, &buf);
++    assert_int_equal(ret, 0);
++
++    ret = getgrgid_r_wrapper(MAX_BUF, 99999, &grp, &buf, &buf_len);
++    assert_int_equal(ret, ENOENT);
++
++    ret = getgrgid_r_wrapper(MAX_BUF, 11111, &grp, &buf, &buf_len);
++    assert_int_equal(ret, 0);
++    assert_string_equal(grp.gr_name, "group");
++    assert_string_equal(grp.gr_passwd, "x");
++    assert_int_equal(grp.gr_gid, 11111);
++    assert_string_equal(grp.gr_mem[0], "member0001");
++    assert_string_equal(grp.gr_mem[1], "member0002");
++    assert_null(grp.gr_mem[2]);
++    free(buf);
++
++    ret = get_buffer(&buf_len, &buf);
++    assert_int_equal(ret, 0);
++
++    ret = getgrgid_r_wrapper(MAX_BUF, 22222, &grp, &buf, &buf_len);
++    assert_int_equal(ret, 0);
++    assert_string_equal(grp.gr_name, "group_big");
++    assert_string_equal(grp.gr_passwd, "x");
++    assert_int_equal(grp.gr_gid, 22222);
++    assert_string_equal(grp.gr_mem[0], "member0001");
++    assert_string_equal(grp.gr_mem[1], "member0002");
++    free(buf);
++
++    ret = get_buffer(&buf_len, &buf);
++    assert_int_equal(ret, 0);
++
++    ret = getgrgid_r_wrapper(1024, 22222, &grp, &buf, &buf_len);
++    assert_int_equal(ret, ERANGE);
++    free(buf);
++}
++
++int main(int argc, const char *argv[])
++{
++    const UnitTest tests[] = {
++        unit_test(test_getpwnam_r_wrapper),
++        unit_test(test_getpwuid_r_wrapper),
++        unit_test(test_getgrnam_r_wrapper),
++        unit_test(test_getgrgid_r_wrapper),
++    };
++
++    return run_tests(tests);
++}
+diff --git a/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c b/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c
+index 20fdd62b20f28f5384cf83b8be5819f721c6c3db..cbe336963ffbafadd5a7b8029a65fafe506f75e8 100644
+--- a/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c
++++ b/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c
+@@ -49,6 +49,188 @@
+ 
+ #define MAX(a,b) (((a)>(b))?(a):(b))
+ #define SSSD_DOMAIN_SEPARATOR '@'
++#define MAX_BUF (1024*1024*1024)
++
++
++
++int get_buffer(size_t *_buf_len, char **_buf)
++{
++    long pw_max;
++    long gr_max;
++    size_t buf_len;
++    char *buf;
++
++    pw_max = sysconf(_SC_GETPW_R_SIZE_MAX);
++    gr_max = sysconf(_SC_GETGR_R_SIZE_MAX);
++
++    buf_len = MAX(16384, MAX(pw_max, gr_max));
++
++    buf = malloc(sizeof(char) * buf_len);
++    if (buf == NULL) {
++        return LDAP_OPERATIONS_ERROR;
++    }
++
++    *_buf_len = buf_len;
++    *_buf = buf;
++
++    return LDAP_SUCCESS;
++}
++
++static int inc_buffer(size_t buf_max, size_t *_buf_len, char **_buf)
++{
++    size_t tmp_len;
++    char *tmp_buf;
++
++    tmp_buf = *_buf;
++    tmp_len = *_buf_len;
++
++    tmp_len *= 2;
++    if (tmp_len > buf_max) {
++        return ERANGE;
++    }
++
++    tmp_buf = realloc(tmp_buf, tmp_len);
++    if (tmp_buf == NULL) {
++        return ENOMEM;
++    }
++
++    *_buf_len = tmp_len;
++    *_buf = tmp_buf;
++
++    return 0;
++}
++
++int getpwnam_r_wrapper(size_t buf_max, const char *name,
++                       struct passwd *pwd, char **_buf, size_t *_buf_len)
++{
++    char *buf = NULL;
++    size_t buf_len = 0;
++    int ret;
++    struct passwd *result = NULL;
++
++    buf = *_buf;
++    buf_len = *_buf_len;
++
++    while (buf != NULL
++            && (ret = getpwnam_r(name, pwd, buf, buf_len, &result)) == ERANGE) {
++        ret = inc_buffer(buf_max, &buf_len, &buf);
++        if (ret != 0) {
++            if (ret == ERANGE) {
++                LOG("Buffer too small, increase ipaExtdomMaxNssBufSize.\n");
++            }
++            goto done;
++        }
++    }
++
++    if (ret == 0 && result == NULL) {
++        ret = ENOENT;
++    }
++
++done:
++    *_buf = buf;
++    *_buf_len = buf_len;
++
++    return ret;
++}
++
++int getpwuid_r_wrapper(size_t buf_max, uid_t uid,
++                       struct passwd *pwd, char **_buf, size_t *_buf_len)
++{
++    char *buf = NULL;
++    size_t buf_len = 0;
++    int ret;
++    struct passwd *result = NULL;
++
++    buf = *_buf;
++    buf_len = *_buf_len;
++
++    while (buf != NULL
++            && (ret = getpwuid_r(uid, pwd, buf, buf_len, &result)) == ERANGE) {
++        ret = inc_buffer(buf_max, &buf_len, &buf);
++        if (ret != 0) {
++            if (ret == ERANGE) {
++                LOG("Buffer too small, increase ipaExtdomMaxNssBufSize.\n");
++            }
++            goto done;
++        }
++    }
++
++    if (ret == 0 && result == NULL) {
++        ret = ENOENT;
++    }
++
++done:
++    *_buf = buf;
++    *_buf_len = buf_len;
++
++    return ret;
++}
++
++int getgrnam_r_wrapper(size_t buf_max, const char *name,
++                       struct group *grp, char **_buf, size_t *_buf_len)
++{
++    char *buf = NULL;
++    size_t buf_len = 0;
++    int ret;
++    struct group *result = NULL;
++
++    buf = *_buf;
++    buf_len = *_buf_len;
++
++    while (buf != NULL
++            && (ret = getgrnam_r(name, grp, buf, buf_len, &result)) == ERANGE) {
++        ret = inc_buffer(buf_max, &buf_len, &buf);
++        if (ret != 0) {
++            if (ret == ERANGE) {
++                LOG("Buffer too small, increase ipaExtdomMaxNssBufSize.\n");
++            }
++            goto done;
++        }
++    }
++
++    if (ret == 0 && result == NULL) {
++        ret = ENOENT;
++    }
++
++done:
++    *_buf = buf;
++    *_buf_len = buf_len;
++
++    return ret;
++}
++
++int getgrgid_r_wrapper(size_t buf_max, gid_t gid,
++                       struct group *grp, char **_buf, size_t *_buf_len)
++{
++    char *buf = NULL;
++    size_t buf_len = 0;
++    int ret;
++    struct group *result = NULL;
++
++    buf = *_buf;
++    buf_len = *_buf_len;
++
++    while (buf != NULL
++            && (ret = getgrgid_r(gid, grp, buf, buf_len, &result)) == ERANGE) {
++        ret = inc_buffer(buf_max, &buf_len, &buf);
++        if (ret != 0) {
++            if (ret == ERANGE) {
++                LOG("Buffer too small, increase ipaExtdomMaxNssBufSize.\n");
++            }
++            goto done;
++        }
++    }
++
++    if (ret == 0 && result == NULL) {
++        ret = ENOENT;
++    }
++
++done:
++    *_buf = buf;
++    *_buf_len = buf_len;
++
++    return ret;
++}
+ 
+ int parse_request_data(struct berval *req_val, struct extdom_req **_req)
+ {
+@@ -191,33 +373,6 @@ int check_request(struct extdom_req *req, enum extdom_version version)
+     return LDAP_SUCCESS;
+ }
+ 
+-static int get_buffer(size_t *_buf_len, char **_buf)
+-{
+-    long pw_max;
+-    long gr_max;
+-    size_t buf_len;
+-    char *buf;
+-
+-    pw_max = sysconf(_SC_GETPW_R_SIZE_MAX);
+-    gr_max = sysconf(_SC_GETGR_R_SIZE_MAX);
+-
+-    if (pw_max == -1 && gr_max == -1) {
+-        buf_len = 16384;
+-    } else {
+-        buf_len = MAX(pw_max, gr_max);
+-    }
+-
+-    buf = malloc(sizeof(char) * buf_len);
+-    if (buf == NULL) {
+-        return LDAP_OPERATIONS_ERROR;
+-    }
+-
+-    *_buf_len = buf_len;
+-    *_buf = buf;
+-
+-    return LDAP_SUCCESS;
+-}
+-
+ static int get_user_grouplist(const char *name, gid_t gid,
+                               size_t *_ngroups, gid_t **_groups )
+ {
+@@ -323,7 +478,6 @@ static int pack_ber_user(enum response_types response_type,
+     size_t buf_len;
+     char *buf = NULL;
+     struct group grp;
+-    struct group *grp_result;
+     size_t c;
+     char *locat;
+     char *short_user_name = NULL;
+@@ -375,13 +529,13 @@ static int pack_ber_user(enum response_types response_type,
+         }
+ 
+         for (c = 0; c < ngroups; c++) {
+-            ret = getgrgid_r(groups[c], &grp, buf, buf_len, &grp_result);
++            ret = getgrgid_r_wrapper(MAX_BUF, groups[c], &grp, &buf, &buf_len);
+             if (ret != 0) {
+-                ret = LDAP_NO_SUCH_OBJECT;
+-                goto done;
+-            }
+-            if (grp_result == NULL) {
+-                ret = LDAP_NO_SUCH_OBJECT;
++                if (ret == ENOMEM || ret == ERANGE) {
++                    ret = LDAP_OPERATIONS_ERROR;
++                } else {
++                    ret = LDAP_NO_SUCH_OBJECT;
++                }
+                 goto done;
+             }
+ 
+@@ -542,7 +696,6 @@ static int handle_uid_request(enum request_types request_type, uid_t uid,
+ {
+     int ret;
+     struct passwd pwd;
+-    struct passwd *pwd_result = NULL;
+     char *sid_str = NULL;
+     enum sss_id_type id_type;
+     size_t buf_len;
+@@ -568,13 +721,13 @@ static int handle_uid_request(enum request_types request_type, uid_t uid,
+ 
+         ret = pack_ber_sid(sid_str, berval);
+     } else {
+-        ret = getpwuid_r(uid, &pwd, buf, buf_len, &pwd_result);
++        ret = getpwuid_r_wrapper(MAX_BUF, uid, &pwd, &buf, &buf_len);
+         if (ret != 0) {
+-            ret = LDAP_NO_SUCH_OBJECT;
+-            goto done;
+-        }
+-        if (pwd_result == NULL) {
+-            ret = LDAP_NO_SUCH_OBJECT;
++            if (ret == ENOMEM || ret == ERANGE) {
++                ret = LDAP_OPERATIONS_ERROR;
++            } else {
++                ret = LDAP_NO_SUCH_OBJECT;
++            }
+             goto done;
+         }
+ 
+@@ -610,7 +763,6 @@ static int handle_gid_request(enum request_types request_type, gid_t gid,
+ {
+     int ret;
+     struct group grp;
+-    struct group *grp_result = NULL;
+     char *sid_str = NULL;
+     enum sss_id_type id_type;
+     size_t buf_len;
+@@ -635,13 +787,13 @@ static int handle_gid_request(enum request_types request_type, gid_t gid,
+ 
+         ret = pack_ber_sid(sid_str, berval);
+     } else {
+-        ret = getgrgid_r(gid, &grp, buf, buf_len, &grp_result);
++        ret = getgrgid_r_wrapper(MAX_BUF, gid, &grp, &buf, &buf_len);
+         if (ret != 0) {
+-            ret = LDAP_NO_SUCH_OBJECT;
+-            goto done;
+-        }
+-        if (grp_result == NULL) {
+-            ret = LDAP_NO_SUCH_OBJECT;
++            if (ret == ENOMEM || ret == ERANGE) {
++                ret = LDAP_OPERATIONS_ERROR;
++            } else {
++                ret = LDAP_NO_SUCH_OBJECT;
++            }
+             goto done;
+         }
+ 
+@@ -676,9 +828,7 @@ static int handle_sid_request(enum request_types request_type, const char *sid,
+ {
+     int ret;
+     struct passwd pwd;
+-    struct passwd *pwd_result = NULL;
+     struct group grp;
+-    struct group *grp_result = NULL;
+     char *domain_name = NULL;
+     char *fq_name = NULL;
+     char *object_name = NULL;
+@@ -724,14 +874,13 @@ static int handle_sid_request(enum request_types request_type, const char *sid,
+     switch(id_type) {
+     case SSS_ID_TYPE_UID:
+     case SSS_ID_TYPE_BOTH:
+-        ret = getpwnam_r(fq_name, &pwd, buf, buf_len, &pwd_result);
++        ret = getpwnam_r_wrapper(MAX_BUF, fq_name, &pwd, &buf, &buf_len);
+         if (ret != 0) {
+-            ret = LDAP_NO_SUCH_OBJECT;
+-            goto done;
+-        }
+-
+-        if (pwd_result == NULL) {
+-            ret = LDAP_NO_SUCH_OBJECT;
++            if (ret == ENOMEM || ret == ERANGE) {
++                ret = LDAP_OPERATIONS_ERROR;
++            } else {
++                ret = LDAP_NO_SUCH_OBJECT;
++            }
+             goto done;
+         }
+ 
+@@ -755,14 +904,13 @@ static int handle_sid_request(enum request_types request_type, const char *sid,
+                             pwd.pw_shell, kv_list, berval);
+         break;
+     case SSS_ID_TYPE_GID:
+-        ret = getgrnam_r(fq_name, &grp, buf, buf_len, &grp_result);
++        ret = getgrnam_r_wrapper(MAX_BUF, fq_name, &grp, &buf, &buf_len);
+         if (ret != 0) {
+-            ret = LDAP_NO_SUCH_OBJECT;
+-            goto done;
+-        }
+-
+-        if (grp_result == NULL) {
+-            ret = LDAP_NO_SUCH_OBJECT;
++            if (ret == ENOMEM || ret == ERANGE) {
++                ret = LDAP_OPERATIONS_ERROR;
++            } else {
++                ret = LDAP_NO_SUCH_OBJECT;
++            }
+             goto done;
+         }
+ 
+@@ -806,9 +954,7 @@ static int handle_name_request(enum request_types request_type,
+     int ret;
+     char *fq_name = NULL;
+     struct passwd pwd;
+-    struct passwd *pwd_result = NULL;
+     struct group grp;
+-    struct group *grp_result = NULL;
+     char *sid_str = NULL;
+     enum sss_id_type id_type;
+     size_t buf_len;
+@@ -842,15 +988,8 @@ static int handle_name_request(enum request_types request_type,
+             goto done;
+         }
+ 
+-        ret = getpwnam_r(fq_name, &pwd, buf, buf_len, &pwd_result);
+-        if (ret != 0) {
+-            /* according to the man page there are a couple of error codes
+-             * which can indicate that the user was not found. To be on the
+-             * safe side we fail back to the group lookup on all errors. */
+-            pwd_result = NULL;
+-        }
+-
+-        if (pwd_result != NULL) {
++        ret = getpwnam_r_wrapper(MAX_BUF, fq_name, &pwd, &buf, &buf_len);
++        if (ret == 0) {
+             if (request_type == REQ_FULL_WITH_GROUPS) {
+                 ret = sss_nss_getorigbyname(pwd.pw_name, &kv_list, &id_type);
+                 if (ret != 0 || !(id_type == SSS_ID_TYPE_UID
+@@ -868,15 +1007,21 @@ static int handle_name_request(enum request_types request_type,
+                                 domain_name, pwd.pw_name, pwd.pw_uid,
+                                 pwd.pw_gid, pwd.pw_gecos, pwd.pw_dir,
+                                 pwd.pw_shell, kv_list, berval);
++        } else if (ret == ENOMEM || ret == ERANGE) {
++            ret = LDAP_OPERATIONS_ERROR;
++            goto done;
+         } else { /* no user entry found */
+-            ret = getgrnam_r(fq_name, &grp, buf, buf_len, &grp_result);
++            /* according to the getpwnam() man page there are a couple of
++             * error codes which can indicate that the user was not found. To
++             * be on the safe side we fail back to the group lookup on all
++             * errors. */
++            ret = getgrnam_r_wrapper(MAX_BUF, fq_name, &grp, &buf, &buf_len);
+             if (ret != 0) {
+-                ret = LDAP_NO_SUCH_OBJECT;
+-                goto done;
+-            }
+-
+-            if (grp_result == NULL) {
+-                ret = LDAP_NO_SUCH_OBJECT;
++                if (ret == ENOMEM || ret == ERANGE) {
++                    ret = LDAP_OPERATIONS_ERROR;
++                } else {
++                    ret = LDAP_NO_SUCH_OBJECT;
++                }
+                 goto done;
+             }
+ 
+diff --git a/daemons/ipa-slapi-plugins/ipa-extdom-extop/test_data/group b/daemons/ipa-slapi-plugins/ipa-extdom-extop/test_data/group
+new file mode 100644
+index 0000000000000000000000000000000000000000..8d1b012871b21cc9d5ffdba2168f35ef3e8a5f81
+--- /dev/null
++++ b/daemons/ipa-slapi-plugins/ipa-extdom-extop/test_data/group
+@@ -0,0 +1,2 @@
++group:x:11111:member0001,member0002
++group_big:x:22222:member0001,member0002,member0003,member0004,member0005,member0006,member0007,member0008,member0009,member0010,member0011,member0012,member0013,member0014,member0015,member0016,member0017,member0018,member0019,member0020,member0021,member0022,member0023,member0024,member0025,member0026,member0027,member0028,member0029,member0030,member0031,member0032,member0033,member0034,member0035,member0036,member0037,member0038,member0039,member0040,member0041,member0042,member0043,member0044,member0045,member0046,member0047,member0048,member0049,member0050,member0051,member0052,member0053,member0054,member0055,member0056,member0057,member0058,member0059,member0060,member0061,member0062,member0063,member0064,member0065,member0066,member0067,member0068,member0069,member0070,member0071,member0072,member0073,member0074,member0075,member0076,member0077,member0078,member0079,member0080,member0081,member0082,member0083,member0084,member0085,member0086,member0087,member0088,member0089,member0090,member0091,member0092,member0093,member0094,member0095,member0096,member0097,member0098,member0099,member0100,member0101,member0102,member0103,member0104,member0105,member0106,member0107,member0108,member0109,member0110,member0111,member0112,member0113,member0114,member0115,member0116,member0117,member0118,member0119,member0120,member0121,member0122,member0123,member0124,member0125,member0126,member0127,member0128,member0129,member0130,member0131,member0132,member0133,member0134,member0135,member0136,member0137,member0138,member0139,member0140,member0141,member0142,member0143,member0144,member0145,member0146,member0147,member0148,member0149,member0150,member0151,member0152,member0153,member0154,member0155,member0156,member0157,member0158,member0159,member0160,member0161,member0162,member0163,member0164,member0165,member0166,member0167,member0168,member0169,member0170,member0171,member0172,member0173,member0174,member0175,member0176,member0177,member0178,member0179,member0180,member0181,member0182,member0183,member0184,member0185,member0186,member0187,member0188,member0189,member0190,member0191,member0192,member0193,member0194,member0195,member0196,member0197,member0198,member0199,member0200,member0201,member0202,member0203,member0204,member0205,member0206,member0207,member0208,member0209,member0210,member0211,member0212,member0213,member0214,member0215,member0216,member0217,member0218,member0219,member0220,member0221,member0222,member0223,member0224,member0225,member0226,member0227,member0228,member0229,member0230,member0231,member0232,member0233,member0234,member0235,member0236,member0237,member0238,member0239,member0240,member0241,member0242,member0243,member0244,member0245,member0246,member0247,member0248,member0249,member0250,member0251,member0252,member0253,member0254,member0255,member0256,member0257,member0258,member0259,member0260,member0261,member0262,member0263,member0264,member0265,member0266,member0267,member0268,member0269,member0270,member0271,member0272,member0273,member0274,member0275,member0276,member0277,member0278,member0279,member0280,member0281,member0282,member0283,member0284,member0285,member0286,member0287,member0288,member0289,member0290,member0291,member0292,member0293,member0294,member0295,member0296,member0297,member0298,member0299,member0300,member0301,member0302,member0303,member0304,member0305,member0306,member0307,member0308,member0309,member0310,member0311,member0312,member0313,member0314,member0315,member0316,member0317,member0318,member0319,member0320,member0321,member0322,member0323,member0324,member0325,member0326,member0327,member0328,member0329,member0330,member0331,member0332,member0333,member0334,member0335,member0336,member0337,member0338,member0339,member0340,member0341,member0342,member0343,member0344,member0345,member0346,member0347,member0348,member0349,member0350,member0351,member0352,member0353,member0354,member0355,member0356,member0357,member0358,member0359,member0360,member0361,member0362,member0363,member0364,member0365,member0366,member0367,member0368,member0369,member0370,member0371,member0372,member0373,member0374,member0375,member0376,member0377,member0378,member0379,member0380,member0381,member0382,member0383,member0384,member0385,member0386,member0387,member0388,member0389,member0390,member0391,member0392,member0393,member0394,member0395,member0396,member0397,member0398,member0399,member0400,member0401,member0402,member0403,member0404,member0405,member0406,member0407,member0408,member0409,member0410,member0411,member0412,member0413,member0414,member0415,member0416,member0417,member0418,member0419,member0420,member0421,member0422,member0423,member0424,member0425,member0426,member0427,member0428,member0429,member0430,member0431,member0432,member0433,member0434,member0435,member0436,member0437,member0438,member0439,member0440,member0441,member0442,member0443,member0444,member0445,member0446,member0447,member0448,member0449,member0450,member0451,member0452,member0453,member0454,member0455,member0456,member0457,member0458,member0459,member0460,member0461,member0462,member0463,member0464,member0465,member0466,member0467,member0468,member0469,member0470,member0471,member0472,member0473,member0474,member0475,member0476,member0477,member0478,member0479,member0480,member0481,member0482,member0483,member0484,member0485,member0486,member0487,member0488,member0489,member0490,member0491,member0492,member0493,member0494,member0495,member0496,member0497,member0498,member0499,member0500,member0501,member0502,member0503,member0504,member0505,member0506,member0507,member0508,member0509,member0510,member0511,member0512,member0513,member0514,member0515,member0516,member0517,member0518,member0519,member0520,member0521,member0522,member0523,member0524,member0525,member0526,member0527,member0528,member0529,member0530,member0531,member0532,member0533,member0534,member0535,member0536,member0537,member0538,member0539,member0540,member0541,member0542,member0543,member0544,member0545,member0546,member0547,member0548,member0549,member0550,member0551,member0552,member0553,member0554,member0555,member0556,member0557,member0558,member0559,member0560,member0561,member0562,member0563,member0564,member0565,member0566,member0567,member0568,member0569,member0570,member0571,member0572,member0573,member0574,member0575,member0576,member0577,member0578,member0579,member0580,member0581,member0582,member0583,member0584,member0585,member0586,member0587,member0588,member0589,member0590,member0591,member0592,member0593,member0594,member0595,member0596,member0597,member0598,member0599,member0600,member0601,member0602,member0603,member0604,member0605,member0606,member0607,member0608,member0609,member0610,member0611,member0612,member0613,member0614,member0615,member0616,member0617,member0618,member0619,member0620,member0621,member0622,member0623,member0624,member0625,member0626,member0627,member0628,member0629,member0630,member0631,member0632,member0633,member0634,member0635,member0636,member0637,member0638,member0639,member0640,member0641,member0642,member0643,member0644,member0645,member0646,member0647,member0648,member0649,member0650,member0651,member0652,member0653,member0654,member0655,member0656,member0657,member0658,member0659,member0660,member0661,member0662,member0663,member0664,member0665,member0666,member0667,member0668,member0669,member0670,member0671,member0672,member0673,member0674,member0675,member0676,member0677,member0678,member0679,member0680,member0681,member0682,member0683,member0684,member0685,member0686,member0687,member0688,member0689,member0690,member0691,member0692,member0693,member0694,member0695,member0696,member0697,member0698,member0699,member0700,member0701,member0702,member0703,member0704,member0705,member0706,member0707,member0708,member0709,member0710,member0711,member0712,member0713,member0714,member0715,member0716,member0717,member0718,member0719,member0720,member0721,member0722,member0723,member0724,member0725,member0726,member0727,member0728,member0729,member0730,member0731,member0732,member0733,member0734,member0735,member0736,member0737,member0738,member0739,member0740,member0741,member0742,member0743,member0744,member0745,member0746,member0747,member0748,member0749,member0750,member0751,member0752,member0753,member0754,member0755,member0756,member0757,member0758,member0759,member0760,member0761,member0762,member0763,member0764,member0765,member0766,member0767,member0768,member0769,member0770,member0771,member0772,member0773,member0774,member0775,member0776,member0777,member0778,member0779,member0780,member0781,member0782,member0783,member0784,member0785,member0786,member0787,member0788,member0789,member0790,member0791,member0792,member0793,member0794,member0795,member0796,member0797,member0798,member0799,member0800,member0801,member0802,member0803,member0804,member0805,member0806,member0807,member0808,member0809,member0810,member0811,member0812,member0813,member0814,member0815,member0816,member0817,member0818,member0819,member0820,member0821,member0822,member0823,member0824,member0825,member0826,member0827,member0828,member0829,member0830,member0831,member0832,member0833,member0834,member0835,member0836,member0837,member0838,member0839,member0840,member0841,member0842,member0843,member0844,member0845,member0846,member0847,member0848,member0849,member0850,member0851,member0852,member0853,member0854,member0855,member0856,member0857,member0858,member0859,member0860,member0861,member0862,member0863,member0864,member0865,member0866,member0867,member0868,member0869,member0870,member0871,member0872,member0873,member0874,member0875,member0876,member0877,member0878,member0879,member0880,member0881,member0882,member0883,member0884,member0885,member0886,member0887,member0888,member0889,member0890,member0891,member0892,member0893,member0894,member0895,member0896,member0897,member0898,member0899,member0900,member0901,member0902,member0903,member0904,member0905,member0906,member0907,member0908,member0909,member0910,member0911,member0912,member0913,member0914,member0915,member0916,member0917,member0918,member0919,member0920,member0921,member0922,member0923,member0924,member0925,member0926,member0927,member0928,member0929,member0930,member0931,member0932,member0933,member0934,member0935,member0936,member0937,member0938,member0939,member0940,member0941,member0942,member0943,member0944,member0945,member0946,member0947,member0948,member0949,member0950,member0951,member0952,member0953,member0954,member0955,member0956,member0957,member0958,member0959,member0960,member0961,member0962,member0963,member0964,member0965,member0966,member0967,member0968,member0969,member0970,member0971,member0972,member0973,member0974,member0975,member0976,member0977,member0978,member0979,member0980,member0981,member0982,member0983,member0984,member0985,member0986,member0987,member0988,member0989,member0990,member0991,member0992,member0993,member0994,member0995,member0996,member0997,member0998,member0999,member1000,member1001,member1002,member1003,member1004,member1005,member1006,member1007,member1008,member1009,member1010,member1011,member1012,member1013,member1014,member1015,member1016,member1017,member1018,member1019,member1020,member1021,member1022,member1023,member1024,member1025,member1026,member1027,member1028,member1029,member1030,member1031,member1032,member1033,member1034,member1035,member1036,member1037,member1038,member1039,member1040,member1041,member1042,member1043,member1044,member1045,member1046,member1047,member1048,member1049,member1050,member1051,member1052,member1053,member1054,member1055,member1056,member1057,member1058,member1059,member1060,member1061,member1062,member1063,member1064,member1065,member1066,member1067,member1068,member1069,member1070,member1071,member1072,member1073,member1074,member1075,member1076,member1077,member1078,member1079,member1080,member1081,member1082,member1083,member1084,member1085,member1086,member1087,member1088,member1089,member1090,member1091,member1092,member1093,member1094,member1095,member1096,member1097,member1098,member1099,member1100,member1101,member1102,member1103,member1104,member1105,member1106,member1107,member1108,member1109,member1110,member1111,member1112,member1113,member1114,member1115,member1116,member1117,member1118,member1119,member1120,member1121,member1122,member1123,member1124,member1125,member1126,member1127,member1128,member1129,member1130,member1131,member1132,member1133,member1134,member1135,member1136,member1137,member1138,member1139,member1140,member1141,member1142,member1143,member1144,member1145,member1146,member1147,member1148,member1149,member1150,member1151,member1152,member1153,member1154,member1155,member1156,member1157,member1158,member1159,member1160,member1161,member1162,member1163,member1164,member1165,member1166,member1167,member1168,member1169,member1170,member1171,member1172,member1173,member1174,member1175,member1176,member1177,member1178,member1179,member1180,member1181,member1182,member1183,member1184,member1185,member1186,member1187,member1188,member1189,member1190,member1191,member1192,member1193,member1194,member1195,member1196,member1197,member1198,member1199,member1200,member1201,member1202,member1203,member1204,member1205,member1206,member1207,member1208,member1209,member1210,member1211,member1212,member1213,member1214,member1215,member1216,member1217,member1218,member1219,member1220,member1221,member1222,member1223,member1224,member1225,member1226,member1227,member1228,member1229,member1230,member1231,member1232,member1233,member1234,member1235,member1236,member1237,member1238,member1239,member1240,member1241,member1242,member1243,member1244,member1245,member1246,member1247,member1248,member1249,member1250,member1251,member1252,member1253,member1254,member1255,member1256,member1257,member1258,member1259,member1260,member1261,member1262,member1263,member1264,member1265,member1266,member1267,member1268,member1269,member1270,member1271,member1272,member1273,member1274,member1275,member1276,member1277,member1278,member1279,member1280,member1281,member1282,member1283,member1284,member1285,member1286,member1287,member1288,member1289,member1290,member1291,member1292,member1293,member1294,member1295,member1296,member1297,member1298,member1299,member1300,member1301,member1302,member1303,member1304,member1305,member1306,member1307,member1308,member1309,member1310,member1311,member1312,member1313,member1314,member1315,member1316,member1317,member1318,member1319,member1320,member1321,member1322,member1323,member1324,member1325,member1326,member1327,member1328,member1329,member1330,member1331,member1332,member1333,member1334,member1335,member1336,member1337,member1338,member1339,member1340,member1341,member1342,member1343,member1344,member1345,member1346,member1347,member1348,member1349,member1350,member1351,member1352,member1353,member1354,member1355,member1356,member1357,member1358,member1359,member1360,member1361,member1362,member1363,member1364,member1365,member1366,member1367,member1368,member1369,member1370,member1371,member1372,member1373,member1374,member1375,member1376,member1377,member1378,member1379,member1380,member1381,member1382,member1383,member1384,member1385,member1386,member1387,member1388,member1389,member1390,member1391,member1392,member1393,member1394,member1395,member1396,member1397,member1398,member1399,member1400,member1401,member1402,member1403,member1404,member1405,member1406,member1407,member1408,member1409,member1410,member1411,member1412,member1413,member1414,member1415,member1416,member1417,member1418,member1419,member1420,member1421,member1422,member1423,member1424,member1425,member1426,member1427,member1428,member1429,member1430,member1431,member1432,member1433,member1434,member1435,member1436,member1437,member1438,member1439,member1440,member1441,member1442,member1443,member1444,member1445,member1446,member1447,member1448,member1449,member1450,member1451,member1452,member1453,member1454,member1455,member1456,member1457,member1458,member1459,member1460,member1461,member1462,member1463,member1464,member1465,member1466,member1467,member1468,member1469,member1470,member1471,member1472,member1473,member1474,member1475,member1476,member1477,member1478,member1479,member1480,member1481,member1482,member1483,member1484,member1485,member1486,member1487,member1488,member1489,member1490,member1491,member1492,member1493,member1494,member1495,member1496,member1497,member1498,member1499,member1500,member1501,member1502,member1503,member1504,member1505,member1506,member1507,member1508,member1509,member1510,member1511,member1512,member1513,member1514,member1515,member1516,member1517,member1518,member1519,member1520,member1521,member1522,member1523,member1524,member1525,member1526,member1527,member1528,member1529,member1530,member1531,member1532,member1533,member1534,member1535,member1536,member1537,member1538,member1539,member1540,member1541,member1542,member1543,member1544,member1545,member1546,member1547,member1548,member1549,member1550,member1551,member1552,member1553,member1554,member1555,member1556,member1557,member1558,member1559,member1560,member1561,member1562,member1563,member1564,member1565,member1566,member1567,member1568,member1569,member1570,member1571,member1572,member1573,member1574,member1575,member1576,member1577,member1578,member1579,member1580,member1581,member1582,member1583,member1584,member1585,member1586,member1587,member1588,member1589,member1590,member1591,member1592,member1593,member1594,member1595,member1596,member1597,member1598,member1599,member1600,member1601,member1602,member1603,member1604,member1605,member1606,member1607,member1608,member1609,member1610,member1611,member1612,member1613,member1614,member1615,member1616,member1617,member1618,member1619,member1620,member1621,member1622,member1623,member1624,member1625,member1626,member1627,member1628,member1629,member1630,member1631,member1632,member1633,member1634,member1635,member1636,member1637,member1638,member1639,member1640,member1641,member1642,member1643,member1644,member1645,member1646,member1647,member1648,member1649,member1650,member1651,member1652,member1653,member1654,member1655,member1656,member1657,member1658,member1659,member1660,member1661,member1662,member1663,member1664,member1665,member1666,member1667,member1668,member1669,member1670,member1671,member1672,member1673,member1674,member1675,member1676,member1677,member1678,member1679,member1680,member1681,member1682,member1683,member1684,member1685,member1686,member1687,member1688,member1689,member1690,member1691,member1692,member1693,member1694,member1695,member1696,member1697,member1698,member1699,member1700,member1701,member1702,member1703,member1704,member1705,member1706,member1707,member1708,member1709,member1710,member1711,member1712,member1713,member1714,member1715,member1716,member1717,member1718,member1719,member1720,member1721,member1722,member1723,member1724,member1725,member1726,member1727,member1728,member1729,member1730,member1731,member1732,member1733,member1734,member1735,member1736,member1737,member1738,member1739,member1740,member1741,member1742,member1743,member1744,member1745,member1746,member1747,member1748,member1749,member1750,member1751,member1752,member1753,member1754,member1755,member1756,member1757,member1758,member1759,member1760,member1761,member1762,member1763,member1764,member1765,member1766,member1767,member1768,member1769,member1770,member1771,member1772,member1773,member1774,member1775,member1776,member1777,member1778,member1779,member1780,member1781,member1782,member1783,member1784,member1785,member1786,member1787,member1788,member1789,member1790,member1791,member1792,member1793,member1794,member1795,member1796,member1797,member1798,member1799,member1800,member1801,member1802,member1803,member1804,member1805,member1806,member1807,member1808,member1809,member1810,member1811,member1812,member1813,member1814,member1815,member1816,member1817,member1818,member1819,member1820,member1821,member1822,member1823,member1824,member1825,member1826,member1827,member1828,member1829,member1830,member1831,member1832,member1833,member1834,member1835,member1836,member1837,member1838,member1839,member1840,member1841,member1842,member1843,member1844,member1845,member1846,member1847,member1848,member1849,member1850,member1851,member1852,member1853,member1854,member1855,member1856,member1857,member1858,member1859,member1860,member1861,member1862,member1863,member1864,member1865,member1866,member1867,member1868,member1869,member1870,member1871,member1872,member1873,member1874,member1875,member1876,member1877,member1878,member1879,member1880,member1881,member1882,member1883,member1884,member1885,member1886,member1887,member1888,member1889,member1890,member1891,member1892,member1893,member1894,member1895,member1896,member1897,member1898,member1899,member1900,member1901,member1902,member1903,member1904,member1905,member1906,member1907,member1908,member1909,member1910,member1911,member1912,member1913,member1914,member1915,member1916,member1917,member1918,member1919,member1920,member1921,member1922,member1923,member1924,member1925,member1926,member1927,member1928,member1929,member1930,member1931,member1932,member1933,member1934,member1935,member1936,member1937,member1938,member1939,member1940,member1941,member1942,member1943,member1944,member1945,member1946,member1947,member1948,member1949,member1950,member1951,member1952,member1953,member1954,member1955,member1956,member1957,member1958,member1959,member1960,member1961,member1962,member1963,member1964,member1965,member1966,member1967,member1968,member1969,member1970,member1971,member1972,member1973,member1974,member1975,member1976,member1977,member1978,member1979,member1980,member1981,member1982,member1983,member1984,member1985,member1986,member1987,member1988,member1989,member1990,member1991,member1992,member1993,member1994,member1995,member1996,member1997,member1998,member1999,member2000,
+diff --git a/daemons/ipa-slapi-plugins/ipa-extdom-extop/test_data/passwd b/daemons/ipa-slapi-plugins/ipa-extdom-extop/test_data/passwd
+new file mode 100644
+index 0000000000000000000000000000000000000000..971e9bdb8a5d43d915ce0adc42ac29f2f95ade52
+--- /dev/null
++++ b/daemons/ipa-slapi-plugins/ipa-extdom-extop/test_data/passwd
+@@ -0,0 +1,2 @@
++user:x:12345:23456:gecos:/home/user:/bin/shell
++user_big:x:12346:23457:gecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecosgecos:/home/user_big:/bin/shell
+diff --git a/daemons/ipa-slapi-plugins/ipa-extdom-extop/test_data/test_setup.sh b/daemons/ipa-slapi-plugins/ipa-extdom-extop/test_data/test_setup.sh
+new file mode 100644
+index 0000000000000000000000000000000000000000..ad839f340efe989a91cd6902f59c9a41483f68e0
+--- /dev/null
++++ b/daemons/ipa-slapi-plugins/ipa-extdom-extop/test_data/test_setup.sh
+@@ -0,0 +1,3 @@
++export LD_PRELOAD=$(pkg-config --libs nss_wrapper)
++export NSS_WRAPPER_PASSWD=./test_data/passwd
++export NSS_WRAPPER_GROUP=./test_data/group
+-- 
+2.1.0
+
diff --git a/SOURCES/0120-extdom-make-nss-buffer-configurable.patch b/SOURCES/0120-extdom-make-nss-buffer-configurable.patch
new file mode 100644
index 0000000..6d68642
--- /dev/null
+++ b/SOURCES/0120-extdom-make-nss-buffer-configurable.patch
@@ -0,0 +1,254 @@
+From 637807410ae730436f9ca647092250ead70faa1c Mon Sep 17 00:00:00 2001
+From: Sumit Bose <sbose@redhat.com>
+Date: Mon, 2 Mar 2015 10:59:34 +0100
+Subject: [PATCH] extdom: make nss buffer configurable
+
+The get*_r_wrapper() calls expect a maximum buffer size to avoid memory
+shortage if too many threads try to allocate buffers e.g. for large
+groups. With this patch this size can be configured by setting
+ipaExtdomMaxNssBufSize in the plugin config object
+cn=ipa_extdom_extop,cn=plugins,cn=config.
+
+Related to https://fedorahosted.org/freeipa/ticket/4908
+
+Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
+---
+ .../ipa-extdom-extop/ipa_extdom.h                  |  1 +
+ .../ipa-extdom-extop/ipa_extdom_common.c           | 59 ++++++++++++++--------
+ .../ipa-extdom-extop/ipa_extdom_extop.c            | 10 ++++
+ 3 files changed, 48 insertions(+), 22 deletions(-)
+
+diff --git a/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom.h b/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom.h
+index 40bf933920fdd2ca19e5ef195aaa8fb820446cc5..d4c851169ddadc869a59c53075f9fc7f33321085 100644
+--- a/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom.h
++++ b/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom.h
+@@ -150,6 +150,7 @@ struct extdom_res {
+ struct ipa_extdom_ctx {
+     Slapi_ComponentId *plugin_id;
+     char *base_dn;
++    size_t max_nss_buf_size;
+ };
+ 
+ struct domain_info {
+diff --git a/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c b/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c
+index cbe336963ffbafadd5a7b8029a65fafe506f75e8..47bcb179f04e08c64d92f55809b84f2d59622344 100644
+--- a/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c
++++ b/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c
+@@ -49,9 +49,6 @@
+ 
+ #define MAX(a,b) (((a)>(b))?(a):(b))
+ #define SSSD_DOMAIN_SEPARATOR '@'
+-#define MAX_BUF (1024*1024*1024)
+-
+-
+ 
+ int get_buffer(size_t *_buf_len, char **_buf)
+ {
+@@ -464,7 +461,8 @@ static int pack_ber_sid(const char *sid, struct berval **berval)
+ 
+ #define SSSD_SYSDB_SID_STR "objectSIDString"
+ 
+-static int pack_ber_user(enum response_types response_type,
++static int pack_ber_user(struct ipa_extdom_ctx *ctx,
++                         enum response_types response_type,
+                          const char *domain_name, const char *user_name,
+                          uid_t uid, gid_t gid,
+                          const char *gecos, const char *homedir,
+@@ -529,7 +527,8 @@ static int pack_ber_user(enum response_types response_type,
+         }
+ 
+         for (c = 0; c < ngroups; c++) {
+-            ret = getgrgid_r_wrapper(MAX_BUF, groups[c], &grp, &buf, &buf_len);
++            ret = getgrgid_r_wrapper(ctx->max_nss_buf_size,
++                                     groups[c], &grp, &buf, &buf_len);
+             if (ret != 0) {
+                 if (ret == ENOMEM || ret == ERANGE) {
+                     ret = LDAP_OPERATIONS_ERROR;
+@@ -691,7 +690,8 @@ static int pack_ber_name(const char *domain_name, const char *name,
+     return LDAP_SUCCESS;
+ }
+ 
+-static int handle_uid_request(enum request_types request_type, uid_t uid,
++static int handle_uid_request(struct ipa_extdom_ctx *ctx,
++                              enum request_types request_type, uid_t uid,
+                               const char *domain_name, struct berval **berval)
+ {
+     int ret;
+@@ -721,7 +721,8 @@ static int handle_uid_request(enum request_types request_type, uid_t uid,
+ 
+         ret = pack_ber_sid(sid_str, berval);
+     } else {
+-        ret = getpwuid_r_wrapper(MAX_BUF, uid, &pwd, &buf, &buf_len);
++        ret = getpwuid_r_wrapper(ctx->max_nss_buf_size, uid, &pwd, &buf,
++                                 &buf_len);
+         if (ret != 0) {
+             if (ret == ENOMEM || ret == ERANGE) {
+                 ret = LDAP_OPERATIONS_ERROR;
+@@ -744,7 +745,8 @@ static int handle_uid_request(enum request_types request_type, uid_t uid,
+             }
+         }
+ 
+-        ret = pack_ber_user((request_type == REQ_FULL ? RESP_USER
++        ret = pack_ber_user(ctx,
++                            (request_type == REQ_FULL ? RESP_USER
+                                                       : RESP_USER_GROUPLIST),
+                             domain_name, pwd.pw_name, pwd.pw_uid,
+                             pwd.pw_gid, pwd.pw_gecos, pwd.pw_dir,
+@@ -758,7 +760,8 @@ done:
+     return ret;
+ }
+ 
+-static int handle_gid_request(enum request_types request_type, gid_t gid,
++static int handle_gid_request(struct ipa_extdom_ctx *ctx,
++                              enum request_types request_type, gid_t gid,
+                               const char *domain_name, struct berval **berval)
+ {
+     int ret;
+@@ -787,7 +790,8 @@ static int handle_gid_request(enum request_types request_type, gid_t gid,
+ 
+         ret = pack_ber_sid(sid_str, berval);
+     } else {
+-        ret = getgrgid_r_wrapper(MAX_BUF, gid, &grp, &buf, &buf_len);
++        ret = getgrgid_r_wrapper(ctx->max_nss_buf_size, gid, &grp, &buf,
++                                 &buf_len);
+         if (ret != 0) {
+             if (ret == ENOMEM || ret == ERANGE) {
+                 ret = LDAP_OPERATIONS_ERROR;
+@@ -823,7 +827,8 @@ done:
+     return ret;
+ }
+ 
+-static int handle_sid_request(enum request_types request_type, const char *sid,
++static int handle_sid_request(struct ipa_extdom_ctx *ctx,
++                              enum request_types request_type, const char *sid,
+                               struct berval **berval)
+ {
+     int ret;
+@@ -874,7 +879,8 @@ static int handle_sid_request(enum request_types request_type, const char *sid,
+     switch(id_type) {
+     case SSS_ID_TYPE_UID:
+     case SSS_ID_TYPE_BOTH:
+-        ret = getpwnam_r_wrapper(MAX_BUF, fq_name, &pwd, &buf, &buf_len);
++        ret = getpwnam_r_wrapper(ctx->max_nss_buf_size, fq_name, &pwd, &buf,
++                                 &buf_len);
+         if (ret != 0) {
+             if (ret == ENOMEM || ret == ERANGE) {
+                 ret = LDAP_OPERATIONS_ERROR;
+@@ -897,14 +903,16 @@ static int handle_sid_request(enum request_types request_type, const char *sid,
+             }
+         }
+ 
+-        ret = pack_ber_user((request_type == REQ_FULL ? RESP_USER
++        ret = pack_ber_user(ctx,
++                            (request_type == REQ_FULL ? RESP_USER
+                                                       : RESP_USER_GROUPLIST),
+                             domain_name, pwd.pw_name, pwd.pw_uid,
+                             pwd.pw_gid, pwd.pw_gecos, pwd.pw_dir,
+                             pwd.pw_shell, kv_list, berval);
+         break;
+     case SSS_ID_TYPE_GID:
+-        ret = getgrnam_r_wrapper(MAX_BUF, fq_name, &grp, &buf, &buf_len);
++        ret = getgrnam_r_wrapper(ctx->max_nss_buf_size, fq_name, &grp, &buf,
++                                 &buf_len);
+         if (ret != 0) {
+             if (ret == ENOMEM || ret == ERANGE) {
+                 ret = LDAP_OPERATIONS_ERROR;
+@@ -947,7 +955,8 @@ done:
+     return ret;
+ }
+ 
+-static int handle_name_request(enum request_types request_type,
++static int handle_name_request(struct ipa_extdom_ctx *ctx,
++                               enum request_types request_type,
+                                const char *name, const char *domain_name,
+                                struct berval **berval)
+ {
+@@ -988,7 +997,8 @@ static int handle_name_request(enum request_types request_type,
+             goto done;
+         }
+ 
+-        ret = getpwnam_r_wrapper(MAX_BUF, fq_name, &pwd, &buf, &buf_len);
++        ret = getpwnam_r_wrapper(ctx->max_nss_buf_size, fq_name, &pwd, &buf,
++                                 &buf_len);
+         if (ret == 0) {
+             if (request_type == REQ_FULL_WITH_GROUPS) {
+                 ret = sss_nss_getorigbyname(pwd.pw_name, &kv_list, &id_type);
+@@ -1002,7 +1012,8 @@ static int handle_name_request(enum request_types request_type,
+                     goto done;
+                 }
+             }
+-            ret = pack_ber_user((request_type == REQ_FULL ? RESP_USER
++            ret = pack_ber_user(ctx,
++                                (request_type == REQ_FULL ? RESP_USER
+                                                           : RESP_USER_GROUPLIST),
+                                 domain_name, pwd.pw_name, pwd.pw_uid,
+                                 pwd.pw_gid, pwd.pw_gecos, pwd.pw_dir,
+@@ -1015,7 +1026,8 @@ static int handle_name_request(enum request_types request_type,
+              * error codes which can indicate that the user was not found. To
+              * be on the safe side we fail back to the group lookup on all
+              * errors. */
+-            ret = getgrnam_r_wrapper(MAX_BUF, fq_name, &grp, &buf, &buf_len);
++            ret = getgrnam_r_wrapper(ctx->max_nss_buf_size, fq_name, &grp, &buf,
++                                     &buf_len);
+             if (ret != 0) {
+                 if (ret == ENOMEM || ret == ERANGE) {
+                     ret = LDAP_OPERATIONS_ERROR;
+@@ -1061,20 +1073,23 @@ int handle_request(struct ipa_extdom_ctx *ctx, struct extdom_req *req,
+ 
+     switch (req->input_type) {
+     case INP_POSIX_UID:
+-        ret = handle_uid_request(req->request_type, req->data.posix_uid.uid,
++        ret = handle_uid_request(ctx, req->request_type,
++                                 req->data.posix_uid.uid,
+                                  req->data.posix_uid.domain_name, berval);
+ 
+         break;
+     case INP_POSIX_GID:
+-        ret = handle_gid_request(req->request_type, req->data.posix_gid.gid,
++        ret = handle_gid_request(ctx, req->request_type,
++                                 req->data.posix_gid.gid,
+                                  req->data.posix_uid.domain_name, berval);
+ 
+         break;
+     case INP_SID:
+-        ret = handle_sid_request(req->request_type, req->data.sid, berval);
++        ret = handle_sid_request(ctx, req->request_type, req->data.sid, berval);
+         break;
+     case INP_NAME:
+-        ret = handle_name_request(req->request_type, req->data.name.object_name,
++        ret = handle_name_request(ctx, req->request_type,
++                                  req->data.name.object_name,
+                                   req->data.name.domain_name, berval);
+ 
+         break;
+diff --git a/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_extop.c b/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_extop.c
+index aa66c145bc6cf2b77fdfe37be18da67588dc0439..e53f968db040a37fbd6a193f87b3671eeabda89d 100644
+--- a/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_extop.c
++++ b/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_extop.c
+@@ -40,6 +40,8 @@
+ #include "ipa_extdom.h"
+ #include "util.h"
+ 
++#define DEFAULT_MAX_NSS_BUFFER (128*1024*1024)
++
+ Slapi_PluginDesc ipa_extdom_plugin_desc = {
+     IPA_EXTDOM_FEATURE_DESC,
+     "FreeIPA project",
+@@ -185,6 +187,14 @@ static int ipa_extdom_init_ctx(Slapi_PBlock *pb, struct ipa_extdom_ctx **_ctx)
+         goto done;
+     }
+ 
++    ctx->max_nss_buf_size = slapi_entry_attr_get_uint(e,
++                                                      "ipaExtdomMaxNssBufSize");
++    if (ctx->max_nss_buf_size == 0) {
++        ctx->max_nss_buf_size = DEFAULT_MAX_NSS_BUFFER;
++    }
++    LOG("Maximal nss buffer size set to [%d]!\n", ctx->max_nss_buf_size);
++
++    ret = 0;
+ 
+ done:
+     if (ret) {
+-- 
+2.1.0
+
diff --git a/SOURCES/0121-extdom-return-LDAP_NO_SUCH_OBJECT-to-the-client.patch b/SOURCES/0121-extdom-return-LDAP_NO_SUCH_OBJECT-to-the-client.patch
new file mode 100644
index 0000000..083a8c2
--- /dev/null
+++ b/SOURCES/0121-extdom-return-LDAP_NO_SUCH_OBJECT-to-the-client.patch
@@ -0,0 +1,32 @@
+From 0ce5d4e89e1a619bbae28105ece7033f8dbadce4 Mon Sep 17 00:00:00 2001
+From: Sumit Bose <sbose@redhat.com>
+Date: Wed, 4 Mar 2015 13:39:04 +0100
+Subject: [PATCH] extdom: return LDAP_NO_SUCH_OBJECT to the client
+
+Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
+---
+ daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_extop.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_extop.c b/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_extop.c
+index e53f968db040a37fbd6a193f87b3671eeabda89d..1ea0c1320accc66235d6f1a41055de434aeacab7 100644
+--- a/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_extop.c
++++ b/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_extop.c
+@@ -123,8 +123,12 @@ static int ipa_extdom_extop(Slapi_PBlock *pb)
+ 
+     ret = handle_request(ctx, req, &ret_val);
+     if (ret != LDAP_SUCCESS) {
+-        rc = LDAP_OPERATIONS_ERROR;
+-        err_msg = "Failed to handle the request.\n";
++        if (ret == LDAP_NO_SUCH_OBJECT) {
++            rc = LDAP_NO_SUCH_OBJECT;
++        } else {
++            rc = LDAP_OPERATIONS_ERROR;
++            err_msg = "Failed to handle the request.\n";
++        }
+         goto done;
+     }
+ 
+-- 
+2.1.0
+
diff --git a/SOURCES/0122-extdom-fix-memory-leak.patch b/SOURCES/0122-extdom-fix-memory-leak.patch
new file mode 100644
index 0000000..094b9fd
--- /dev/null
+++ b/SOURCES/0122-extdom-fix-memory-leak.patch
@@ -0,0 +1,25 @@
+From a19a8e4174560ca6c7a23aa821c14713415b4c5d Mon Sep 17 00:00:00 2001
+From: Sumit Bose <sbose@redhat.com>
+Date: Wed, 4 Mar 2015 17:53:08 +0100
+Subject: [PATCH] extdom: fix memory leak
+
+Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
+---
+ daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_extop.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_extop.c b/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_extop.c
+index 1ea0c1320accc66235d6f1a41055de434aeacab7..dc7785877fc321ddaa5b6967d1c1b06cb454bbbf 100644
+--- a/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_extop.c
++++ b/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_extop.c
+@@ -154,6 +154,7 @@ done:
+         LOG("%s", err_msg);
+     }
+     slapi_send_ldap_result(pb, rc, NULL, err_msg, 0, NULL);
++    ber_bvfree(ret_val);
+     return SLAPI_PLUGIN_EXTENDED_SENT_RESULT;
+ }
+ 
+-- 
+2.1.0
+
diff --git a/SOURCES/0123-certstore-Make-certificate-retrieval-more-robust.patch b/SOURCES/0123-certstore-Make-certificate-retrieval-more-robust.patch
new file mode 100644
index 0000000..f177c08
--- /dev/null
+++ b/SOURCES/0123-certstore-Make-certificate-retrieval-more-robust.patch
@@ -0,0 +1,128 @@
+From 2805b17bb7f204c25ed27bea1ee4fb999ae3d9d7 Mon Sep 17 00:00:00 2001
+From: Jan Cholasta <jcholast@redhat.com>
+Date: Tue, 17 Mar 2015 09:28:47 +0000
+Subject: [PATCH] certstore: Make certificate retrieval more robust
+
+https://fedorahosted.org/freeipa/ticket/4565
+
+Reviewed-By: David Kupka <dkupka@redhat.com>
+---
+ ipalib/certstore.py | 74 +++++++++++++++++++++++++++++++++++++----------------
+ 1 file changed, 52 insertions(+), 22 deletions(-)
+
+diff --git a/ipalib/certstore.py b/ipalib/certstore.py
+index 8a9b41015127fcb1b2b5e01da10f0defcee18265..3a5555c95251fdf3384c7dd21cb19d2125a469f5 100644
+--- a/ipalib/certstore.py
++++ b/ipalib/certstore.py
+@@ -239,6 +239,31 @@ def put_ca_cert(ldap, base_dn, dercert, nickname, trusted=None,
+         pass
+ 
+ 
++def make_compat_ca_certs(certs, realm, ipa_ca_subject):
++    """
++    Make CA certificates and associated key policy from DER certificates.
++    """
++    result = []
++
++    for cert in certs:
++        subject, issuer_serial, public_key_info = _parse_cert(cert)
++        subject = DN(subject)
++
++        if ipa_ca_subject is not None and subject == DN(ipa_ca_subject):
++            nickname = get_ca_nickname(realm)
++            ext_key_usage = {x509.EKU_SERVER_AUTH,
++                             x509.EKU_CLIENT_AUTH,
++                             x509.EKU_EMAIL_PROTECTION,
++                             x509.EKU_CODE_SIGNING}
++        else:
++            nickname = str(subject)
++            ext_key_usage = {x509.EKU_SERVER_AUTH}
++
++        result.append((cert, nickname, True, ext_key_usage))
++
++    return result
++
++
+ def get_ca_certs(ldap, base_dn, compat_realm, compat_ipa_ca,
+                  filter_subject=None):
+     """
+@@ -250,6 +275,7 @@ def get_ca_certs(ldap, base_dn, compat_realm, compat_ipa_ca,
+         filter_subject = [str(subj).replace('\\;', '\\3b')
+                           for subj in filter_subject]
+ 
++    certs = []
+     config_dn = DN(('cn', 'ipa'), ('cn', 'etc'), base_dn)
+     container_dn = DN(('cn', 'certificates'), config_dn)
+     try:
+@@ -265,7 +291,6 @@ def get_ca_certs(ldap, base_dn, compat_realm, compat_ipa_ca,
+                         'ipaPublicKey', 'ipaKeyTrust', 'ipaKeyExtUsage',
+                         'cACertificate;binary'])
+ 
+-        certs = []
+         for entry in result:
+             nickname = entry.single_value['cn']
+             trusted = entry.single_value.get('ipaKeyTrust', 'unknown').lower()
+@@ -281,34 +306,39 @@ def get_ca_certs(ldap, base_dn, compat_realm, compat_ipa_ca,
+                 ext_key_usage.discard(x509.EKU_PLACEHOLDER)
+ 
+             for cert in entry.get('cACertificate;binary', []):
++                try:
++                    _parse_cert(cert)
++                except ValueError:
++                    certs = []
++                    break
+                 certs.append((cert, nickname, trusted, ext_key_usage))
+-
+-        return certs
+     except errors.NotFound:
+         try:
+             ldap.get_entry(container_dn, [''])
+         except errors.NotFound:
+-            pass
+-        else:
+-            return []
+-
+-        # Fallback to cn=CAcert,cn=ipa,cn=etc,SUFFIX
+-        dn = DN(('cn', 'CAcert'), config_dn)
+-        entry = ldap.get_entry(dn, ['cACertificate;binary'])
+-
+-        cert = entry.single_value['cACertificate;binary']
+-        subject, issuer_serial, public_key_info = _parse_cert(cert)
+-        if filter_subject is not None and subject not in filter_subject:
+-            return []
++            # Fallback to cn=CAcert,cn=ipa,cn=etc,SUFFIX
++            dn = DN(('cn', 'CAcert'), config_dn)
++            entry = ldap.get_entry(dn, ['cACertificate;binary'])
++
++            cert = entry.single_value['cACertificate;binary']
++            try:
++                subject, issuer_serial, public_key_info = _parse_cert(cert)
++            except ValueError:
++                pass
++            else:
++                if filter_subject is not None and subject not in filter_subject:
++                    raise errors.NotFound(reason="no matching entry found")
+ 
+-        nickname = get_ca_nickname(compat_realm)
+-        ext_key_usage = {x509.EKU_SERVER_AUTH}
+-        if compat_ipa_ca:
+-            ext_key_usage |= {x509.EKU_CLIENT_AUTH,
+-                              x509.EKU_EMAIL_PROTECTION,
+-                              x509.EKU_CODE_SIGNING}
++                if compat_ipa_ca:
++                    ca_subject = subject
++                else:
++                    ca_subject = None
++                certs = make_compat_ca_certs([cert], compat_realm, ca_subject)
+ 
+-        return [(cert, nickname, True, ext_key_usage)]
++    if certs:
++        return certs
++    else:
++        raise errors.NotFound(reason="no such entry")
+ 
+ 
+ def trust_flags_to_key_policy(trust_flags):
+-- 
+2.1.0
+
diff --git a/SOURCES/0124-client-install-Do-not-crash-on-invalid-CA-certificat.patch b/SOURCES/0124-client-install-Do-not-crash-on-invalid-CA-certificat.patch
new file mode 100644
index 0000000..c3f097b
--- /dev/null
+++ b/SOURCES/0124-client-install-Do-not-crash-on-invalid-CA-certificat.patch
@@ -0,0 +1,60 @@
+From 175dbfb667a9989593eaef2f35586d2afbfdc66c Mon Sep 17 00:00:00 2001
+From: Jan Cholasta <jcholast@redhat.com>
+Date: Tue, 17 Mar 2015 09:29:21 +0000
+Subject: [PATCH] client-install: Do not crash on invalid CA certificate in
+ LDAP
+
+When CA certificates in LDAP are corrupted, use the otherwise acquired CA
+certificates from before.
+
+https://fedorahosted.org/freeipa/ticket/4565
+
+Reviewed-By: David Kupka <dkupka@redhat.com>
+---
+ ipa-client/ipa-install/ipa-client-install | 17 +++++++++++++----
+ 1 file changed, 13 insertions(+), 4 deletions(-)
+
+diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install
+index 75a1711a7e1fdc9359ad02d55ad94d65af51ea93..c60124472005670834496569f550f0ffd986aa27 100755
+--- a/ipa-client/ipa-install/ipa-client-install
++++ b/ipa-client/ipa-install/ipa-client-install
+@@ -2585,14 +2585,15 @@ def install(options, env, fstore, statestore):
+     except ValueError:
+         pass
+ 
++    ca_certs = x509.load_certificate_list_from_file(CACERT)
++    ca_certs = [cert.der_data for cert in ca_certs]
++
+     with certdb.NSSDatabase() as tmp_db:
+         # Add CA certs to a temporary NSS database
+         try:
+             pwd_file = ipautil.write_tmp_file(ipautil.ipa_generate_password())
+             tmp_db.create_db(pwd_file.name)
+ 
+-            ca_certs = x509.load_certificate_list_from_file(CACERT)
+-            ca_certs = [cert.der_data for cert in ca_certs]
+             for i, cert in enumerate(ca_certs):
+                 tmp_db.add_cert(cert, 'CA certificate %d' % (i + 1), 'C,,')
+         except CalledProcessError, e:
+@@ -2665,8 +2666,16 @@ def install(options, env, fstore, statestore):
+         return CLIENT_INSTALL_ERROR
+ 
+     # Get CA certificates from the certificate store
+-    ca_certs = get_certs_from_ldap(cli_server[0], cli_basedn, cli_realm,
+-                                   ca_enabled)
++    try:
++        ca_certs = get_certs_from_ldap(cli_server[0], cli_basedn, cli_realm,
++                                       ca_enabled)
++    except errors.NoCertificateError:
++        if ca_enabled:
++            ca_subject = DN(('CN', 'Certificate Authority'), subject_base)
++        else:
++            ca_subject = None
++        ca_certs = certstore.make_compat_ca_certs(ca_certs, cli_realm,
++                                                  ca_subject)
+     ca_certs_trust = [(c, n, certstore.key_policy_to_trust_flags(t, True, u))
+                       for (c, n, t, u) in ca_certs]
+ 
+-- 
+2.1.0
+
diff --git a/SOURCES/0125-client-Fix-ca_is_enabled-calls.patch b/SOURCES/0125-client-Fix-ca_is_enabled-calls.patch
new file mode 100644
index 0000000..f5f8d22
--- /dev/null
+++ b/SOURCES/0125-client-Fix-ca_is_enabled-calls.patch
@@ -0,0 +1,53 @@
+From 424b8c73fa0c92ea8befe6e918c0bcaee384ed6b Mon Sep 17 00:00:00 2001
+From: Jan Cholasta <jcholast@redhat.com>
+Date: Tue, 17 Mar 2015 09:35:49 +0000
+Subject: [PATCH] client: Fix ca_is_enabled calls
+
+The command was added in API version 2.107. Old IPA servers may crash with
+NetworkError on ca_is_enabled, handle this case gracefully.
+
+https://fedorahosted.org/freeipa/ticket/4565
+
+Reviewed-By: David Kupka <dkupka@redhat.com>
+---
+ ipa-client/ipa-install/ipa-client-install | 4 ++--
+ ipa-client/ipaclient/ipa_certupdate.py    | 4 ++--
+ 2 files changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install
+index c60124472005670834496569f550f0ffd986aa27..b7b3d05b6b6d1c9635084e0c01aa7443bb559db2 100755
+--- a/ipa-client/ipa-install/ipa-client-install
++++ b/ipa-client/ipa-install/ipa-client-install
+@@ -2645,10 +2645,10 @@ def install(options, env, fstore, statestore):
+     try:
+         result = api.Backend.rpcclient.forward(
+             'ca_is_enabled',
+-            version=u'2.0',
++            version=u'2.107',
+         )
+         ca_enabled = result['result']
+-    except errors.CommandError:
++    except (errors.CommandError, errors.NetworkError):
+         result = api.Backend.rpcclient.forward(
+             'env',
+             server=True,
+diff --git a/ipa-client/ipaclient/ipa_certupdate.py b/ipa-client/ipaclient/ipa_certupdate.py
+index 031a34c3a54a02d43978eedcb794678a1550702b..5ec5026f5ff7bf93227ce0a551fbf5cf60b9175d 100644
+--- a/ipa-client/ipaclient/ipa_certupdate.py
++++ b/ipa-client/ipaclient/ipa_certupdate.py
+@@ -63,10 +63,10 @@ class CertUpdate(admintool.AdminTool):
+             try:
+                 result = api.Backend.rpcclient.forward(
+                     'ca_is_enabled',
+-                    version=u'2.0',
++                    version=u'2.107',
+                 )
+                 ca_enabled = result['result']
+-            except errors.CommandError:
++            except (errors.CommandError, errors.NetworkError):
+                 result = api.Backend.rpcclient.forward(
+                     'env',
+                     server=True,
+-- 
+2.1.0
+
diff --git a/SOURCES/0126-upload_cacrt-Fix-empty-cACertificate-in-cn-CAcert.patch b/SOURCES/0126-upload_cacrt-Fix-empty-cACertificate-in-cn-CAcert.patch
new file mode 100644
index 0000000..6435cfd
--- /dev/null
+++ b/SOURCES/0126-upload_cacrt-Fix-empty-cACertificate-in-cn-CAcert.patch
@@ -0,0 +1,106 @@
+From e6bdbe215ae3fba629eea69e4413c44fea7cd02b Mon Sep 17 00:00:00 2001
+From: Jan Cholasta <jcholast@redhat.com>
+Date: Tue, 17 Mar 2015 08:23:40 +0000
+Subject: [PATCH] upload_cacrt: Fix empty cACertificate in cn=CAcert
+
+https://fedorahosted.org/freeipa/ticket/4565
+
+Reviewed-By: David Kupka <dkupka@redhat.com>
+---
+ ipaserver/install/plugins/upload_cacrt.py | 54 +++++++++++++++++--------------
+ 1 file changed, 30 insertions(+), 24 deletions(-)
+
+diff --git a/ipaserver/install/plugins/upload_cacrt.py b/ipaserver/install/plugins/upload_cacrt.py
+index 66270ae7613e935fc8df4bc90aa5001296e1c06d..4d5ce52d4073660fc0c1c1ba09e993b250e11fcb 100644
+--- a/ipaserver/install/plugins/upload_cacrt.py
++++ b/ipaserver/install/plugins/upload_cacrt.py
+@@ -20,7 +20,7 @@
+ from ipaserver.install.plugins import MIDDLE
+ from ipaserver.install.plugins.baseupdate import PostUpdate
+ from ipaserver.install import certs
+-from ipalib import api, certstore
++from ipalib import api, errors, certstore
+ from ipapython import certdb
+ from ipapython.dn import DN
+ 
+@@ -45,7 +45,7 @@ class update_upload_cacrt(PostUpdate):
+                 if ca_chain:
+                     ca_nickname = ca_chain[-1]
+ 
+-        updates = {}
++        ldap = self.obj.backend
+ 
+         for nickname, trust_flags in db.list_certs():
+             if 'u' in trust_flags:
+@@ -53,40 +53,46 @@ class update_upload_cacrt(PostUpdate):
+             if nickname == ca_nickname and ca_enabled:
+                 trust_flags = 'CT,C,C'
+             cert = db.get_cert_from_db(nickname, pem=False)
++            trust, ca, eku = certstore.trust_flags_to_key_policy(trust_flags)
++
++            dn = DN(('cn', nickname), ('cn', 'certificates'), ('cn', 'ipa'),
++                    ('cn','etc'), self.api.env.basedn)
++            entry = ldap.make_entry(dn)
++
+             try:
+-                dn, entry = self._make_entry(cert, nickname, trust_flags)
++                certstore.init_ca_entry(entry, cert, nickname, trust, eku)
+             except Exception, e:
+                 self.log.warning("Failed to create entry for %s: %s",
+                                  nickname, e)
+                 continue
+             if nickname == ca_nickname:
+                 ca_cert = cert
++                config = entry.setdefault('ipaConfigString', [])
+                 if ca_enabled:
+-                    entry.append('ipaConfigString:ipaCA')
+-                entry.append('ipaConfigString:compatCA')
+-            updates[dn] = {'dn': dn, 'default': entry}
++                    config.append('ipaCa')
++                config.append('ipaCa')
++
++            try:
++                ldap.add_entry(entry)
++            except errors.DuplicateEntry:
++                pass
+ 
+         if ca_cert:
+             dn = DN(('cn', 'CACert'), ('cn', 'ipa'), ('cn','etc'),
+                     self.api.env.basedn)
+-            entry = ['objectclass:nsContainer',
+-                     'objectclass:pkiCA',
+-                     'cn:CAcert',
+-                     'cACertificate;binary:%s' % ca_cert,
+-                    ]
+-            updates[dn] = {'dn': dn, 'default': entry}
+-
+-        return (False, True, [updates])
+-
+-    def _make_entry(self, cert, nickname, trust_flags):
+-        dn = DN(('cn', nickname), ('cn', 'certificates'), ('cn', 'ipa'),
+-                ('cn','etc'), self.api.env.basedn)
+-
+-        entry = dict()
+-        trust, ca, eku = certstore.trust_flags_to_key_policy(trust_flags)
+-        certstore.init_ca_entry(entry, cert, nickname, trust, eku)
+-        entry = ['%s:%s' % (a, v) for a, vs in entry.iteritems() for v in vs]
++            try:
++                entry = ldap.get_entry(dn)
++            except errors.NotFound:
++                entry = ldap.make_entry(dn)
++                entry['objectclass'] = ['nsContainer', 'pkiCA']
++                entry.single_value['cn'] = 'CAcert'
++                entry.single_value['cACertificate;binary'] = ca_cert
++                ldap.add_entry(entry)
++            else:
++                if '' in entry['cACertificate;binary']:
++                    entry.single_value['cACertificate;binary'] = ca_cert
++                    ldap.update_entry(entry)
+ 
+-        return dn, entry
++        return (False, False, [])
+ 
+ api.register(update_upload_cacrt)
+-- 
+2.1.0
+
diff --git a/SOURCES/1009-Do-not-allow-installation-in-FIPS-mode.patch b/SOURCES/1009-Do-not-allow-installation-in-FIPS-mode.patch
index 29eb9cc..31e69f8 100644
--- a/SOURCES/1009-Do-not-allow-installation-in-FIPS-mode.patch
+++ b/SOURCES/1009-Do-not-allow-installation-in-FIPS-mode.patch
@@ -1,4 +1,4 @@
-From ec381c10fc6080b1e2594cbee857725c886566d4 Mon Sep 17 00:00:00 2001
+From d99f08c6b205edbbf5df68a088296b5fe029b049 Mon Sep 17 00:00:00 2001
 From: Jan Cholasta <jcholast@redhat.com>
 Date: Tue, 21 Oct 2014 14:56:28 +0200
 Subject: [PATCH] Do not allow installation in FIPS mode
@@ -61,10 +61,10 @@ index b1b0b6e26fa97cdc953c86eee22e160782b57379..56d24b0dab1770d23348f4c60db62bab
      try:
          check_IPA_configuration()
 diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install
-index 75a1711a7e1fdc9359ad02d55ad94d65af51ea93..53d969ee0b607a4392a008daebaf3befc0785084 100755
+index b7b3d05b6b6d1c9635084e0c01aa7443bb559db2..82ac1d4db8bf969ba72113bc2802879fea5dcb01 100755
 --- a/ipa-client/ipa-install/ipa-client-install
 +++ b/ipa-client/ipa-install/ipa-client-install
-@@ -2865,6 +2865,10 @@ def main():
+@@ -2874,6 +2874,10 @@ def main():
  
      if not os.getegid() == 0:
          sys.exit("\nYou must be root to run ipa-client-install.\n")
diff --git a/SOURCES/1010-Disable-DNSSEC-support.patch b/SOURCES/1010-Disable-DNSSEC-support.patch
index e550f55..ef456e1 100644
--- a/SOURCES/1010-Disable-DNSSEC-support.patch
+++ b/SOURCES/1010-Disable-DNSSEC-support.patch
@@ -1,4 +1,4 @@
-From 80cae5f5ea38528caab01efae9100659e2ebb86e Mon Sep 17 00:00:00 2001
+From a19cb9b5477901efc08c00c122f08e3d5ed126ff Mon Sep 17 00:00:00 2001
 From: Jan Cholasta <jcholast@redhat.com>
 Date: Tue, 21 Oct 2014 14:25:50 +0200
 Subject: [PATCH] Disable DNSSEC support
@@ -373,10 +373,10 @@ index cd50edeecb055c71831fad806afde43c2779cdf8..cf85f58c26510fcd105b54126152a504
  
      if any(named_conf_changes):
 diff --git a/ipalib/plugins/dns.py b/ipalib/plugins/dns.py
-index 34afc189866993481229bb68a5edd77e0a4eaff3..d01dde31ad37f7d7aa4044de77704f4d560f0d30 100644
+index ea4c212b42631e8513a13d2a7f5a859b2176376b..60129f8b873fad1d3552ca749068f36db41108e9 100644
 --- a/ipalib/plugins/dns.py
 +++ b/ipalib/plugins/dns.py
-@@ -2362,7 +2362,9 @@ class dnszone(DNSZoneBase):
+@@ -2389,7 +2389,9 @@ class dnszone(DNSZoneBase):
              if options['idnssecinlinesigning'] is True:
                  messages.add_message(options['version'], result,
                      messages.DNSSECWarning(
diff --git a/SOURCES/1013-extdom-fix-wrong-realloc-size.patch b/SOURCES/1013-extdom-fix-wrong-realloc-size.patch
new file mode 100644
index 0000000..ed6a5cb
--- /dev/null
+++ b/SOURCES/1013-extdom-fix-wrong-realloc-size.patch
@@ -0,0 +1,25 @@
+From 0e76322666c91affc47387d88260a8774a634eaa Mon Sep 17 00:00:00 2001
+From: Sumit Bose <sbose@redhat.com>
+Date: Wed, 25 Feb 2015 10:28:22 +0100
+Subject: [PATCH] extdom: fix wrong realloc size
+
+---
+ daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c b/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c
+index 47bcb179f04e08c64d92f55809b84f2d59622344..686128e9bb6994cf442c1cc9ff725657584e17be 100644
+--- a/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c
++++ b/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c
+@@ -386,7 +386,7 @@ static int get_user_grouplist(const char *name, gid_t gid,
+ 
+     ret = getgrouplist(name, gid, groups, &ngroups);
+     if (ret == -1) {
+-        new_groups = realloc(groups, ngroups);
++        new_groups = realloc(groups, ngroups * sizeof(gid_t));
+         if (new_groups == NULL) {
+             free(groups);
+             return LDAP_OPERATIONS_ERROR;
+-- 
+2.1.0
+
diff --git a/SOURCES/1013-ipa-kdb-reject-principals-from-disabled-domains-as-a.patch b/SOURCES/1013-ipa-kdb-reject-principals-from-disabled-domains-as-a.patch
deleted file mode 100644
index 7eba1a2..0000000
--- a/SOURCES/1013-ipa-kdb-reject-principals-from-disabled-domains-as-a.patch
+++ /dev/null
@@ -1,27 +0,0 @@
-From 50b420b5f8ec1c4a6696b387ee5f3378dd0257bc Mon Sep 17 00:00:00 2001
-From: Alexander Bokovoy <abokovoy@redhat.com>
-Date: Wed, 10 Dec 2014 14:59:38 +0200
-Subject: [PATCH] ipa-kdb: reject principals from disabled domains as a KDC
- policy
-
-Fixes https://fedorahosted.org/freeipa/ticket/4788
----
- daemons/ipa-kdb/ipa_kdb_mspac.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/daemons/ipa-kdb/ipa_kdb_mspac.c b/daemons/ipa-kdb/ipa_kdb_mspac.c
-index a4500070760e83994c8155a12ee6414b5ebee9e0..e3215db4ea11632dce8f039fc6b89c4a09acd87a 100644
---- a/daemons/ipa-kdb/ipa_kdb_mspac.c
-+++ b/daemons/ipa-kdb/ipa_kdb_mspac.c
-@@ -1375,7 +1375,7 @@ static krb5_error_code filter_logon_info(krb5_context context,
-                                    &domain->parent->sid_blacklist_incoming[k], true);
-             if (result) {
-                 filter_logon_info_log_message(info->info->info3.base.domain_sid);
--                return EINVAL;
-+                return KRB5KDC_ERR_POLICY;
-             }
-         }
-     }
--- 
-2.1.0
-
diff --git a/SOURCES/1014-fix-Makefile.am-for-daemons.patch b/SOURCES/1014-fix-Makefile.am-for-daemons.patch
new file mode 100644
index 0000000..3e46dd8
--- /dev/null
+++ b/SOURCES/1014-fix-Makefile.am-for-daemons.patch
@@ -0,0 +1,63 @@
+From d249ac3c15aefd23b6c47f16cc2843bd136f4fd5 Mon Sep 17 00:00:00 2001
+From: Alexander Bokovoy <abokovoy@redhat.com>
+Date: Wed, 18 Mar 2015 17:09:06 +0000
+Subject: [PATCH] fix Makefile.am for daemons
+
+---
+ daemons/Makefile.am                                    | 2 +-
+ daemons/ipa-slapi-plugins/ipa-cldap/Makefile.am        | 1 -
+ daemons/ipa-slapi-plugins/ipa-extdom-extop/Makefile.am | 1 -
+ daemons/ipa-slapi-plugins/ipa-pwd-extop/Makefile.am    | 1 -
+ 4 files changed, 1 insertion(+), 4 deletions(-)
+
+diff --git a/daemons/Makefile.am b/daemons/Makefile.am
+index 956f399b1ed6d399ee52a620dcda5f67d252c848..f919429dcbd29fed3071e8f385d2573354717519 100644
+--- a/daemons/Makefile.am
++++ b/daemons/Makefile.am
+@@ -1,6 +1,6 @@
+ # This file will be processed with automake-1.7 to create Makefile.in
+ #
+-AUTOMAKE_OPTIONS = 1.7
++AUTOMAKE_OPTIONS = 1.7 subdir-objects
+ 
+ NULL =
+ 
+diff --git a/daemons/ipa-slapi-plugins/ipa-cldap/Makefile.am b/daemons/ipa-slapi-plugins/ipa-cldap/Makefile.am
+index 8e35cdbd4499582dd0e14562f05e4eda5bb3ec5b..fba5b08bfc15450ab4864812049699d2cfcbaf05 100644
+--- a/daemons/ipa-slapi-plugins/ipa-cldap/Makefile.am
++++ b/daemons/ipa-slapi-plugins/ipa-cldap/Makefile.am
+@@ -6,7 +6,6 @@ AM_CPPFLAGS =							\
+ 	-I.							\
+ 	-I$(srcdir)						\
+ 	-I$(PLUGIN_COMMON_DIR)					\
+-	-I$(COMMON_BER_DIR)					\
+ 	-DPREFIX=\""$(prefix)"\" 				\
+ 	-DBINDIR=\""$(bindir)"\"				\
+ 	-DLIBDIR=\""$(libdir)"\" 				\
+diff --git a/daemons/ipa-slapi-plugins/ipa-extdom-extop/Makefile.am b/daemons/ipa-slapi-plugins/ipa-extdom-extop/Makefile.am
+index a1679812ef3c5de8c6e18433cbb991a99ad0b6c8..8ee26a7fe8ef988dbbf2ac357e6702b73e887754 100644
+--- a/daemons/ipa-slapi-plugins/ipa-extdom-extop/Makefile.am
++++ b/daemons/ipa-slapi-plugins/ipa-extdom-extop/Makefile.am
+@@ -7,7 +7,6 @@ AM_CPPFLAGS =							\
+ 	-I$(srcdir)						\
+ 	-I$(PLUGIN_COMMON_DIR)					\
+ 	-I$(KRB5_UTIL_DIR)					\
+-	-I$(COMMON_BER_DIR)					\
+ 	-DPREFIX=\""$(prefix)"\" 				\
+ 	-DBINDIR=\""$(bindir)"\"				\
+ 	-DLIBDIR=\""$(libdir)"\" 				\
+diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/Makefile.am b/daemons/ipa-slapi-plugins/ipa-pwd-extop/Makefile.am
+index 1ab6c6704e401810772a5ababc7cc5eec19d2c83..078ff9c8476b8547db58d2cf5c5d941846a3143c 100644
+--- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/Makefile.am
++++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/Makefile.am
+@@ -14,7 +14,6 @@ AM_CPPFLAGS =							\
+ 	-I$(PLUGIN_COMMON_DIR)					\
+ 	-I$(KRB5_UTIL_DIR)					\
+ 	-I$(ASN1_UTIL_DIR)					\
+-	-I$(COMMON_BER_DIR)					\
+ 	-DPREFIX=\""$(prefix)"\" 				\
+ 	-DBINDIR=\""$(bindir)"\"				\
+ 	-DLIBDIR=\""$(libdir)"\" 				\
+-- 
+2.1.0
+
diff --git a/SOURCES/ipa-centos-branding.patch b/SOURCES/ipa-centos-branding.patch
deleted file mode 100644
index 673cd2f..0000000
--- a/SOURCES/ipa-centos-branding.patch
+++ /dev/null
@@ -1,38 +0,0 @@
-From 99efecaf87dc1fc9517efaff441a6a7ce46444eb Mon Sep 17 00:00:00 2001
-From: Jim Perrin <jperrin@centos.org>
-Date: Wed, 11 Mar 2015 10:37:03 -0500
-Subject: [PATCH] update for new ntp server method
-
----
- ipaplatform/base/paths.py        | 1 +
- ipaserver/install/ntpinstance.py | 2 ++
- 2 files changed, 3 insertions(+)
-
-diff --git a/ipaplatform/base/paths.py b/ipaplatform/base/paths.py
-index af50262..5090062 100644
---- a/ipaplatform/base/paths.py
-+++ b/ipaplatform/base/paths.py
-@@ -99,6 +99,7 @@ class BasePathNamespace(object):
-     PKI_TOMCAT_ALIAS_DIR = "/etc/pki/pki-tomcat/alias/"
-     PKI_TOMCAT_PASSWORD_CONF = "/etc/pki/pki-tomcat/password.conf"
-     ETC_REDHAT_RELEASE = "/etc/redhat-release"
-+    ETC_CENTOS_RELEASE = "/etc/centos-release"
-     RESOLV_CONF = "/etc/resolv.conf"
-     SAMBA_KEYTAB = "/etc/samba/samba.keytab"
-     SMB_CONF = "/etc/samba/smb.conf"
-diff --git a/ipaserver/install/ntpinstance.py b/ipaserver/install/ntpinstance.py
-index c653525..4b0578b 100644
---- a/ipaserver/install/ntpinstance.py
-+++ b/ipaserver/install/ntpinstance.py
-@@ -44,6 +44,8 @@ class NTPInstance(service.Service):
-         os = ""
-         if ipautil.file_exists(paths.ETC_FEDORA_RELEASE):
-             os = "fedora"
-+        elif ipautil.file_exists(paths.ETC_CENTOS_RELEASE):
-+            os = "centos"
-         elif ipautil.file_exists(paths.ETC_REDHAT_RELEASE):
-             os = "rhel"
- 
--- 
-1.8.3.1
-
diff --git a/SPECS/ipa.spec b/SPECS/ipa.spec
index c9441a1..899d783 100644
--- a/SPECS/ipa.spec
+++ b/SPECS/ipa.spec
@@ -32,7 +32,7 @@
 
 Name:           ipa
 Version:        4.1.0
-Release:        18%{?dist}
+Release:        18%{?dist}.3
 Summary:        The Identity, Policy and Audit system
 
 Group:          System Environment/Base
@@ -40,10 +40,10 @@ License:        GPLv3+
 URL:            http://www.freeipa.org/
 Source0:        http://www.freeipa.org/downloads/src/freeipa-%{VERSION}.tar.gz
 # RHEL spec file only: START: Change branding to IPA and Identity-Management
-#Source1:        header-logo.png
-#Source2:        login-screen-background.jpg
-#Source3:        login-screen-logo.png
-#Source4:        product-name.png
+Source1:        header-logo.png
+Source2:        login-screen-background.jpg
+Source3:        login-screen-logo.png
+Source4:        product-name.png
 # RHEL spec file only: END: Change branding to IPA and Identity-Management
 BuildRoot:      %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 
@@ -160,6 +160,20 @@ Patch0109:      0109-Do-not-crash-when-replica-is-unreachable-in-ipa-rest.patch
 Patch0110:      0110-idviews-Allow-setting-ssh-public-key-on-ipauseroverr.patch
 Patch0111:      0111-Fix-ipa-pwd-extop-global-configuration-caching.patch
 Patch0112:      0112-group-detach-does-not-add-correct-objectclasses.patch
+Patch0113:      0113-Always-return-absolute-idnsname-in-dnszone-commands.patch
+Patch0114:      0114-ipa-kdb-reject-principals-from-disabled-domains-as-a.patch
+Patch0115:      0115-ipalib-Make-sure-correct-attribute-name-is-reference.patch
+Patch0116:      0116-Restore-default.conf-and-use-it-to-build-API.patch
+Patch0117:      0117-Limit-deadlocks-between-DS-plugin-DNA-and-slapi-nis.patch
+Patch0118:      0118-Add-configure-check-for-cwrap-libraries.patch
+Patch0119:      0119-extdom-handle-ERANGE-return-code-for-getXXYYY_r-call.patch
+Patch0120:      0120-extdom-make-nss-buffer-configurable.patch
+Patch0121:      0121-extdom-return-LDAP_NO_SUCH_OBJECT-to-the-client.patch
+Patch0122:      0122-extdom-fix-memory-leak.patch
+Patch0123:      0123-certstore-Make-certificate-retrieval-more-robust.patch
+Patch0124:      0124-client-install-Do-not-crash-on-invalid-CA-certificat.patch
+Patch0125:      0125-client-Fix-ca_is_enabled-calls.patch
+Patch0126:      0126-upload_cacrt-Fix-empty-cACertificate-in-cn-CAcert.patch
 
 Patch1001:      1001-Hide-pkinit-functionality-from-production-version.patch
 Patch1002:      1002-Remove-pkinit-plugin.patch
@@ -173,8 +187,8 @@ Patch1009:      1009-Do-not-allow-installation-in-FIPS-mode.patch
 Patch1010:      1010-Disable-DNSSEC-support.patch
 Patch1011:      1011-Disable-TLS-1.2-in-nss.conf-until-mod_nss-supports-i.patch
 Patch1012:      1012-Expand-the-token-auth-sync-windows.patch
-Patch1013:      1013-ipa-kdb-reject-principals-from-disabled-domains-as-a.patch
-Patch1014:      ipa-centos-branding.patch
+Patch1013:      1013-extdom-fix-wrong-realloc-size.patch
+Patch1014:      1014-fix-Makefile.am-for-daemons.patch
 # RHEL spec file only: END
 
 %if ! %{ONLY_CLIENT}
@@ -277,6 +291,9 @@ Requires: selinux-policy >= %{selinux_policy_version}
 Requires(post): selinux-policy-base
 Requires: slapi-nis >= 0.54-2
 Requires: pki-ca >= 10.1.2-5
+%if 0%{?rhel}
+Requires: subscription-manager
+%endif
 Requires(preun): python systemd-units
 Requires(postun): python systemd-units
 Requires: python-dns >= 1.11.1-2
@@ -289,7 +306,7 @@ Requires: fontawesome-fonts
 Requires: open-sans-fonts
 # RHEL spec file only: DELETED: Disable DNSSEC support
 # RHEL spec file only: START
-# Requires: redhat-access-plugin-ipa
+Requires: redhat-access-plugin-ipa
 # RHEL spec file only: END
 
 Conflicts: %{alt_name}-server
@@ -463,10 +480,10 @@ for p in %patches ; do
 done
 
 # Red Hat's Identity Management branding
-#cp %SOURCE1 install/ui/images/header-logo.png
-#cp %SOURCE2 install/ui/images/login-screen-background.jpg
-#cp %SOURCE3 install/ui/images/login-screen-logo.png
-#cp %SOURCE4 install/ui/images/product-name.png
+cp %SOURCE1 install/ui/images/header-logo.png
+cp %SOURCE2 install/ui/images/login-screen-background.jpg
+cp %SOURCE3 install/ui/images/login-screen-logo.png
+cp %SOURCE4 install/ui/images/product-name.png
 # RHEL spec file only: END
 
 %build
@@ -492,6 +509,9 @@ rm -f ipaserver/install/opendnssecinstance.py
 make version-update
 cd ipa-client; ../autogen.sh --prefix=%{_usr} --sysconfdir=%{_sysconfdir} --localstatedir=%{_localstatedir} --libdir=%{_libdir} --mandir=%{_mandir}; cd ..
 %if ! %{ONLY_CLIENT}
+# RHEL SPEC file only: START: Force re-generation of the makefiles
+find daemons -name Makefile.in |egrep -v '(libotp|lockout|otp-counter|lasttoken)'|xargs rm -f
+# RHEL SPEC file only: END: Force re-generation of the makefiles
 cd daemons; ../autogen.sh --prefix=%{_usr} --sysconfdir=%{_sysconfdir} --localstatedir=%{_localstatedir} --libdir=%{_libdir} --mandir=%{_mandir} --with-openldap; cd ..
 cd install; ../autogen.sh --prefix=%{_usr} --sysconfdir=%{_sysconfdir} --localstatedir=%{_localstatedir} --libdir=%{_libdir} --mandir=%{_mandir}; cd ..
 %endif # ONLY_CLIENT
@@ -1013,11 +1033,25 @@ fi
 # RHEL spec file only: DELETED: Do not build tests
 
 %changelog
-* Thu Mar 05 2015 CentOS Sources <bugs@centos.org> - 4.1.0-18.el7.centos
-- Roll in CentOS Branding
-- Remove supscription-manager requires
-
-* Thu Jan 29 2015 Martin Kosek <mkosek@redhat.com> 4.1.0-18
+* Thu Mar 19 2015 Jan Cholasta <jcholast@redhat.com> - 4.1.0-18.3
+- [ipa-python] ipalib.errors.LDAPError: failed to decode certificate:
+  (SEC_ERROR_INVALID_ARGS) security library: invalid arguments. (#1194312)
+
+* Wed Mar 18 2015 Alexander Bokovoy <abokovoy@redhat.com> - 4.1.0-18.2
+- IPA extdom plugin fails when encountering large groups (#1193759)
+- CVE-2015-0283 ipa: slapi-nis: infinite loop in getgrnam_r() and getgrgid_r()
+  (#1202997)
+
+* Thu Mar  5 2015 Jan Cholasta <jcholast@redhat.com> - 4.1.0-18.1
+- "an internal error has occurred" during ipa host-del --updatedns (#1198431)
+- Renamed patch 1013 to 0114, as it was merged upstream
+- Fax number not displayed for user-show when kinit'ed as normal user.
+  (#1198430)
+- Replication agreement with replica not disabled when ipa-restore done without
+  IPA installed (#1199060)
+- Limit deadlocks between DS plugin DNA and slapi-nis (#1199128)
+
+* Thu Jan 29 2015 Martin Kosek <mkosek@redhat.com> - 4.1.0-18
 - Fix ipa-pwd-extop global configuration caching (#1187342)
 - group-detach does not add correct objectclasses (#1187540)