diff --git a/SOURCES/0020-ipa-kdb-fix-compiler-warnings.patch b/SOURCES/0020-ipa-kdb-fix-compiler-warnings.patch
new file mode 100644
index 0000000..ec12f9a
--- /dev/null
+++ b/SOURCES/0020-ipa-kdb-fix-compiler-warnings.patch
@@ -0,0 +1,105 @@
+From 02b0d44892a7c6953cfb70034dbfc1b77a2371fc Mon Sep 17 00:00:00 2001
+From: Alexander Bokovoy <abokovoy@redhat.com>
+Date: Tue, 23 Feb 2021 10:06:25 +0200
+Subject: [PATCH] ipa-kdb: fix compiler warnings
+
+There are few fields in KDB structures that have 'conflicting' types but
+need to be compared. They come from MIT Kerberos and we have no choice
+here.
+
+In the same way, SID structures have own requirements.
+
+Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
+Reviewed-By: Robbie Harwood <rharwood@redhat.com>
+Reviewed-By: Rob Crittenden <rcritten@redhat.com>
+Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
+---
+ daemons/ipa-kdb/ipa_kdb_audit_as.c   | 4 ++--
+ daemons/ipa-kdb/ipa_kdb_mspac.c      | 4 ++--
+ daemons/ipa-kdb/ipa_kdb_principals.c | 6 +++---
+ daemons/ipa-kdb/ipa_kdb_pwdpolicy.c  | 2 +-
+ 4 files changed, 8 insertions(+), 8 deletions(-)
+
+diff --git a/daemons/ipa-kdb/ipa_kdb_audit_as.c b/daemons/ipa-kdb/ipa_kdb_audit_as.c
+index 77748a75d6b16ee4d080a5f53213cc58c81660dc..a5ffe29334509e23fe0f0b9973432166c254b484 100644
+--- a/daemons/ipa-kdb/ipa_kdb_audit_as.c
++++ b/daemons/ipa-kdb/ipa_kdb_audit_as.c
+@@ -110,13 +110,13 @@ void ipadb_audit_as_req(krb5_context kcontext,
+         }
+ 
+         if (client->last_failed + ied->pol->lockout_duration > authtime &&
+-            (client->fail_auth_count >= ied->pol->max_fail && 
++            (client->fail_auth_count >= (krb5_kvno) ied->pol->max_fail && 
+              ied->pol->max_fail != 0)) {
+             /* client already locked, nothing more to do */
+             break;
+         }
+         if (ied->pol->max_fail == 0 ||
+-            client->fail_auth_count < ied->pol->max_fail) {
++            client->fail_auth_count < (krb5_kvno) ied->pol->max_fail) {
+             /* let's increase the fail counter */
+             client->fail_auth_count++;
+             client->mask |= KMASK_FAIL_AUTH_COUNT;
+diff --git a/daemons/ipa-kdb/ipa_kdb_mspac.c b/daemons/ipa-kdb/ipa_kdb_mspac.c
+index 74cbb77cccb45188f7bd8a1a33085f8ef964930f..9f95d0dc407df4566467f2b4a960086a7d940bcc 100644
+--- a/daemons/ipa-kdb/ipa_kdb_mspac.c
++++ b/daemons/ipa-kdb/ipa_kdb_mspac.c
+@@ -158,9 +158,9 @@ int string_to_sid(const char *str, struct dom_sid *sid)
+ 
+ char *dom_sid_string(TALLOC_CTX *memctx, const struct dom_sid *dom_sid)
+ {
+-    size_t c;
++    int8_t c;
+     size_t len;
+-    int ofs;
++    size_t ofs;
+     uint32_t ia;
+     char *buf;
+ 
+diff --git a/daemons/ipa-kdb/ipa_kdb_principals.c b/daemons/ipa-kdb/ipa_kdb_principals.c
+index 259a0d2563f4b9c038b041781b2580fe72d7ed7e..3b78970b118cb6d8bd97da82a79226d20ea784e1 100644
+--- a/daemons/ipa-kdb/ipa_kdb_principals.c
++++ b/daemons/ipa-kdb/ipa_kdb_principals.c
+@@ -498,7 +498,7 @@ static krb5_error_code ipadb_get_ldap_auth_ind(krb5_context kcontext,
+     l = len;
+     for (i = 0; i < count; i++) {
+         ret = snprintf(ap, l, "%s ", authinds[i]);
+-        if (ret <= 0 || ret > l) {
++        if (ret <= 0 || ret > (int) l) {
+             ret = ENOMEM;
+             goto cleanup;
+         }
+@@ -1867,7 +1867,7 @@ static krb5_error_code ipadb_get_ldap_mod_auth_ind(krb5_context kcontext,
+     char *s = NULL;
+     size_t ai_size = 0;
+     int cnt = 0;
+-    int i = 0;
++    size_t i = 0;
+ 
+     ret = krb5_dbe_get_string(kcontext, entry, "require_auth", &ais);
+     if (ret) {
+@@ -2248,7 +2248,7 @@ static krb5_error_code ipadb_entry_default_attrs(struct ipadb_mods *imods)
+ {
+     krb5_error_code kerr;
+     LDAPMod *m = NULL;
+-    int i;
++    size_t i;
+ 
+     kerr = ipadb_mods_new(imods, &m);
+     if (kerr) {
+diff --git a/daemons/ipa-kdb/ipa_kdb_pwdpolicy.c b/daemons/ipa-kdb/ipa_kdb_pwdpolicy.c
+index 10f128700bfd01d6ed6b5dd224ea9226b6f0dd2e..a3be116f93458e7b1a50bbbc6bda916d0e11a47a 100644
+--- a/daemons/ipa-kdb/ipa_kdb_pwdpolicy.c
++++ b/daemons/ipa-kdb/ipa_kdb_pwdpolicy.c
+@@ -328,7 +328,7 @@ krb5_error_code ipadb_check_policy_as(krb5_context kcontext,
+     }
+ 
+     if (ied->pol->max_fail == 0 ||
+-        client->fail_auth_count < ied->pol->max_fail) {
++        client->fail_auth_count < (krb5_kvno) ied->pol->max_fail) {
+         /* still within allowed failures range */
+         return 0;
+     }
+-- 
+2.26.3
+
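Review bot: In the `ipadb_get_ldap_auth_ind` hunk the new check `ret > (int) l` narrows the buffer size to `int` to silence the sign-compare warning. Because `ret <= 0` is already excluded by the left operand, casting the other way is lossless: `if (ret <= 0 || (size_t) ret > l) {` (assuming `l` is a `size_t`, as its use as the `snprintf` size argument suggests). The three `(krb5_kvno) ied->pol->max_fail` casts in `ipa_kdb_audit_as.c` and `ipa_kdb_pwdpolicy.c` likewise make an existing conversion explicit without changing it. If `max_fail` is a signed field (its declaration is not in the patch), a negative policy value would compare as a very large count and lockout would never trigger, so such a value is better rejected where the policy is loaded. All touched functions continue outside the hunks shown.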
diff --git a/SOURCES/0021-ipa-kdb-add-missing-prototypes.patch b/SOURCES/0021-ipa-kdb-add-missing-prototypes.patch
new file mode 100644
index 0000000..a997b67
--- /dev/null
+++ b/SOURCES/0021-ipa-kdb-add-missing-prototypes.patch
@@ -0,0 +1,88 @@
+From 0c9f411efb7fb7bd7df5f07f2225af3f75bdf342 Mon Sep 17 00:00:00 2001
+From: Alexander Bokovoy <abokovoy@redhat.com>
+Date: Wed, 24 Feb 2021 20:51:40 +0200
+Subject: [PATCH] ipa-kdb: add missing prototypes
+
+On Fedora 33 GCC defaults to -Wmissing-prototypes and emits warnings
+about function prototypes missing. If -Werror is specified, this breaks
+compilation.
+
+We also default to -Werror=implicit-function-declaration
+
+Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
+Reviewed-By: Robbie Harwood <rharwood@redhat.com>
+Reviewed-By: Rob Crittenden <rcritten@redhat.com>
+Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
+---
+ daemons/ipa-kdb/ipa_kdb_mspac.c         | 20 ++++++++++++--------
+ daemons/ipa-kdb/ipa_kdb_mspac_private.h |  4 ++++
+ 2 files changed, 16 insertions(+), 8 deletions(-)
+
+diff --git a/daemons/ipa-kdb/ipa_kdb_mspac.c b/daemons/ipa-kdb/ipa_kdb_mspac.c
+index 9f95d0dc407df4566467f2b4a960086a7d940bcc..b6e7516859ce59232364f6ae93dee3063914ecf4 100644
+--- a/daemons/ipa-kdb/ipa_kdb_mspac.c
++++ b/daemons/ipa-kdb/ipa_kdb_mspac.c
+@@ -2325,9 +2325,10 @@ void ipadb_mspac_struct_free(struct ipadb_mspac **mspac)
+     *mspac = NULL;
+ }
+ 
+-krb5_error_code ipadb_adtrusts_fill_sid_blacklist(char **source_sid_blacklist,
+-                                                  struct dom_sid **result_sids,
+-                                                  int *result_length)
++static krb5_error_code
++ipadb_adtrusts_fill_sid_blacklist(char **source_sid_blacklist,
++                                  struct dom_sid **result_sids,
++                                  int *result_length)
+ {
+     int len, i;
+     char **source;
+@@ -2358,9 +2359,10 @@ krb5_error_code ipadb_adtrusts_fill_sid_blacklist(char **source_sid_blacklist,
+     return 0;
+ }
+ 
+-krb5_error_code ipadb_adtrusts_fill_sid_blacklists(struct ipadb_adtrusts *adtrust,
+-                                                   char **sid_blacklist_incoming,
+-                                                   char **sid_blacklist_outgoing)
++static krb5_error_code
++ipadb_adtrusts_fill_sid_blacklists(struct ipadb_adtrusts *adtrust,
++                                   char **sid_blacklist_incoming,
++                                   char **sid_blacklist_outgoing)
+ {
+     krb5_error_code kerr;
+ 
+@@ -2381,7 +2383,8 @@ krb5_error_code ipadb_adtrusts_fill_sid_blacklists(struct ipadb_adtrusts *adtrus
+     return 0;
+ }
+ 
+-krb5_error_code ipadb_mspac_check_trusted_domains(struct ipadb_context *ipactx)
++static krb5_error_code
++ipadb_mspac_check_trusted_domains(struct ipadb_context *ipactx)
+ {
+     char *attrs[] = { NULL };
+     char *filter = "(objectclass=ipaNTTrustedDomain)";
+@@ -2426,7 +2429,8 @@ static void ipadb_free_sid_blacklists(char ***sid_blacklist_incoming, char ***si
+     }
+ }
+ 
+-krb5_error_code ipadb_mspac_get_trusted_domains(struct ipadb_context *ipactx)
++static krb5_error_code
++ipadb_mspac_get_trusted_domains(struct ipadb_context *ipactx)
+ {
+     struct ipadb_adtrusts *t;
+     LDAP *lc = ipactx->lcontext;
+diff --git a/daemons/ipa-kdb/ipa_kdb_mspac_private.h b/daemons/ipa-kdb/ipa_kdb_mspac_private.h
+index 30382d2eefaeddc6d5aff38553fb4668e0173201..82397cc40febfef91f8f58cb643daaa5b9b1d6d9 100644
+--- a/daemons/ipa-kdb/ipa_kdb_mspac_private.h
++++ b/daemons/ipa-kdb/ipa_kdb_mspac_private.h
+@@ -52,3 +52,7 @@ struct ipadb_adtrusts {
+ 
+ int string_to_sid(const char *str, struct dom_sid *sid);
+ char *dom_sid_string(TALLOC_CTX *memctx, const struct dom_sid *dom_sid);
++krb5_error_code filter_logon_info(krb5_context context, TALLOC_CTX *memctx,
++                                  krb5_data realm, struct PAC_LOGON_INFO_CTR *info);
++void get_authz_data_types(krb5_context context, krb5_db_entry *entry,
++                          bool *_with_pac, bool *_with_pad);
+\ No newline at end of file
+-- 
+2.26.3
+
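Review bot: The two prototypes appended to `ipa_kdb_mspac_private.h` leave the header without a final newline (the patch records `\ No newline at end of file`), which ISO C requires of a non-empty source file. Ending the header with a newline avoids a pedantic diagnostic. The header also gives no reason why `filter_logon_info()` and `get_authz_data_types()` stay non-static while their neighbours in `ipa_kdb_mspac.c` become `static`. A one-line comment above them would help, e.g. `/* kept non-static: called from tests/ipa_kdb_tests.c */`; the test file in this series declares both as `extern`, so that appears to be the reason.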
diff --git a/SOURCES/0022-ipa-kdb-reformat-ipa_kdb_certauth.patch b/SOURCES/0022-ipa-kdb-reformat-ipa_kdb_certauth.patch
new file mode 100644
index 0000000..6a1f25d
--- /dev/null
+++ b/SOURCES/0022-ipa-kdb-reformat-ipa_kdb_certauth.patch
@@ -0,0 +1,75 @@
+From 592a0eceb7e38fb41c815efa22229574bae177c6 Mon Sep 17 00:00:00 2001
+From: Alexander Bokovoy <abokovoy@redhat.com>
+Date: Wed, 24 Feb 2021 20:52:15 +0200
+Subject: [PATCH] ipa-kdb: reformat ipa_kdb_certauth
+
+Add prototype to the exported function
+
+Replace few tabs by spaces and mark static code as static.
+
+Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
+Reviewed-By: Robbie Harwood <rharwood@redhat.com>
+Reviewed-By: Rob Crittenden <rcritten@redhat.com>
+Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
+---
+ daemons/ipa-kdb/ipa_kdb_certauth.c | 25 ++++++++++++++-----------
+ 1 file changed, 14 insertions(+), 11 deletions(-)
+
+diff --git a/daemons/ipa-kdb/ipa_kdb_certauth.c b/daemons/ipa-kdb/ipa_kdb_certauth.c
+index 47911aa3ded56efe4d47acb78d94ccdbcdca7339..32d6710edb9f1547d1ffe628a5529357b2f593ab 100644
+--- a/daemons/ipa-kdb/ipa_kdb_certauth.c
++++ b/daemons/ipa-kdb/ipa_kdb_certauth.c
+@@ -71,10 +71,13 @@ struct krb5_certauth_moddata_st {
+     time_t valid_until;
+ };
+ 
+-void ipa_certmap_debug(void *private,
+-                       const char *file, long line,
+-                       const char *function,
+-                       const char *format, ...)
++krb5_error_code certauth_ipakdb_initvt(krb5_context context,
++                                       int maj_ver, int min_ver,
++                                       krb5_plugin_vtable vtable);
++
++static void ipa_certmap_debug(void *private, const char *file, long line,
++                              const char *function,
++                              const char *format, ...)
+ {
+     va_list ap;
+     char str[255] = { 0 };
+@@ -355,12 +358,12 @@ static krb5_error_code ipa_certauth_authorize(krb5_context context,
+      * so there is nothing more to add here. */
+     auth_inds = calloc(2, sizeof(char *));
+     if (auth_inds != NULL) {
+-	ret = asprintf(&auth_inds[0], "pkinit");
+-	if (ret != -1) {
++        ret = asprintf(&auth_inds[0], "pkinit");
++        if (ret != -1) {
+             auth_inds[1] = NULL;
+             *authinds_out = auth_inds;
+-	} else {
+-	    free(auth_inds);
++        } else {
++            free(auth_inds);
+         }
+     }
+ 
+@@ -405,12 +408,12 @@ static void ipa_certauth_free_indicator(krb5_context context,
+     size_t i = 0;
+ 
+     if ((authinds == NULL) || (moddata == NULL)) {
+-	return;
++        return;
+     }
+ 
+     for(i=0; authinds[i]; i++) {
+-	free(authinds[i]);
+-	authinds[i] = NULL;
++        free(authinds[i]);
++        authinds[i] = NULL;
+     }
+ 
+     free(authinds);
+-- 
+2.26.3
+
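Review bot: In the re-indented block of `ipa_certauth_authorize`, a failed `calloc()` or `asprintf()` only skips setting `*authinds_out`; no error is recorded in the visible lines, so the `pkinit` authentication indicator would be dropped silently under memory pressure. What the function returns afterwards lies outside the hunk, but if it reports success, policies keyed on that indicator would see a ticket without it. Returning `ENOMEM` on either failure would make the condition visible to the caller. At minimum a comment such as `/* best effort: on allocation failure no indicator is returned */` would document the intent.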
diff --git a/SOURCES/0023-ipa-kdb-mark-test-functions-as-static.patch b/SOURCES/0023-ipa-kdb-mark-test-functions-as-static.patch
new file mode 100644
index 0000000..290e0d0
--- /dev/null
+++ b/SOURCES/0023-ipa-kdb-mark-test-functions-as-static.patch
@@ -0,0 +1,61 @@
+From 7423bf0192310509ff963d2b67c85409a501d4e3 Mon Sep 17 00:00:00 2001
+From: Alexander Bokovoy <abokovoy@redhat.com>
+Date: Wed, 24 Feb 2021 20:55:41 +0200
+Subject: [PATCH] ipa-kdb: mark test functions as static
+
+No need to define missing prototypes to single use test functions.
+
+Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
+Reviewed-By: Robbie Harwood <rharwood@redhat.com>
+Reviewed-By: Rob Crittenden <rcritten@redhat.com>
+Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
+---
+ daemons/ipa-kdb/tests/ipa_kdb_tests.c | 11 ++++-------
+ 1 file changed, 4 insertions(+), 7 deletions(-)
+
+diff --git a/daemons/ipa-kdb/tests/ipa_kdb_tests.c b/daemons/ipa-kdb/tests/ipa_kdb_tests.c
+index 7f1ae7f66e233d779433eff4e5f32fe7fafc3f02..1f94afe486fd09c497ee8b8aa16880d1840603d0 100644
+--- a/daemons/ipa-kdb/tests/ipa_kdb_tests.c
++++ b/daemons/ipa-kdb/tests/ipa_kdb_tests.c
+@@ -164,7 +164,7 @@ extern krb5_error_code filter_logon_info(krb5_context context,
+                                   krb5_data realm,
+                                   struct PAC_LOGON_INFO_CTR *info);
+ 
+-void test_filter_logon_info(void **state)
++static void test_filter_logon_info(void **state)
+ {
+     krb5_error_code kerr;
+     krb5_data realm = {KV5M_DATA, REALM_LEN, REALM};
+@@ -299,10 +299,7 @@ void test_filter_logon_info(void **state)
+ 
+ }
+ 
+-extern void get_authz_data_types(krb5_context context, krb5_db_entry *entry,
+-                                 bool *with_pac, bool *with_pad);
+-
+-void test_get_authz_data_types(void **state)
++static void test_get_authz_data_types(void **state)
+ {
+     bool with_pac;
+     bool with_pad;
+@@ -420,7 +417,7 @@ void test_get_authz_data_types(void **state)
+     krb5_free_principal(test_ctx->krb5_ctx, non_nfs_princ);
+ }
+ 
+-void test_string_to_sid(void **state)
++static void test_string_to_sid(void **state)
+ {
+     int ret;
+     struct dom_sid sid;
+@@ -452,7 +449,7 @@ void test_string_to_sid(void **state)
+     assert_memory_equal(&exp_sid, &sid, sizeof(struct dom_sid));
+ }
+ 
+-void test_dom_sid_string(void **state)
++static void test_dom_sid_string(void **state)
+ {
+     struct test_ctx *test_ctx;
+     char *str_sid;
+-- 
+2.26.3
+
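Review bot: The `extern` declaration of `filter_logon_info()` that precedes `test_filter_logon_info()` (visible as context in the first hunk) is left in place, while the matching `extern` for `get_authz_data_types()` is deleted. Patch 0021 of this series adds both prototypes to `ipa_kdb_mspac_private.h`, so the remaining local declaration is a second copy that can drift from the real signature. Removing it as well keeps the header as the single source. Whether the test already includes that header is not visible here, though the deletion of the other `extern` implies it does.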
diff --git a/SOURCES/0024-ipa-kdb-do-not-use-OpenLDAP-functions-with-NULL-LDAP.patch b/SOURCES/0024-ipa-kdb-do-not-use-OpenLDAP-functions-with-NULL-LDAP.patch
new file mode 100644
index 0000000..f8fc36f
--- /dev/null
+++ b/SOURCES/0024-ipa-kdb-do-not-use-OpenLDAP-functions-with-NULL-LDAP.patch
@@ -0,0 +1,238 @@
+From 022c2a55ec9578867b331e419fad547092d94192 Mon Sep 17 00:00:00 2001
+From: Alexander Bokovoy <abokovoy@redhat.com>
+Date: Fri, 19 Feb 2021 15:37:47 +0200
+Subject: [PATCH] ipa-kdb: do not use OpenLDAP functions with NULL LDAP context
+
+Calling to ipadb_get_connection() will remove LDAP context if any error
+happens. This means upper layers must always verify that LDAP context
+exists after such calls.
+
+ipadb_get_user_auth() may re-read global configuration and that may fail
+and cause IPA context to have NULL LDAP context.
+
+Fixes: https://pagure.io/freeipa/issue/8681
+
+Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
+Reviewed-By: Robbie Harwood <rharwood@redhat.com>
+Reviewed-By: Rob Crittenden <rcritten@redhat.com>
+Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
+---
+ daemons/ipa-kdb/ipa_kdb.c            |  1 +
+ daemons/ipa-kdb/ipa_kdb_mspac.c      | 32 +++++++++++++++-------------
+ daemons/ipa-kdb/ipa_kdb_principals.c | 26 ++++++++++++++++------
+ 3 files changed, 37 insertions(+), 22 deletions(-)
+
+diff --git a/daemons/ipa-kdb/ipa_kdb.c b/daemons/ipa-kdb/ipa_kdb.c
+index 0dcc74263263423da6b1f4d8441ee149bce24c58..eb18a037e41bd778b3f522644acf8d793ddf70e7 100644
+--- a/daemons/ipa-kdb/ipa_kdb.c
++++ b/daemons/ipa-kdb/ipa_kdb.c
+@@ -56,6 +56,7 @@ static void ipadb_context_free(krb5_context kcontext,
+         /* ldap free lcontext */
+         if ((*ctx)->lcontext) {
+             ldap_unbind_ext_s((*ctx)->lcontext, NULL, NULL);
++            (*ctx)->lcontext = NULL;
+         }
+         free((*ctx)->supp_encs);
+         free((*ctx)->def_encs);
+diff --git a/daemons/ipa-kdb/ipa_kdb_mspac.c b/daemons/ipa-kdb/ipa_kdb_mspac.c
+index b6e7516859ce59232364f6ae93dee3063914ecf4..b231844250b8c65337bf4e7523d6a800dfe0767d 100644
+--- a/daemons/ipa-kdb/ipa_kdb_mspac.c
++++ b/daemons/ipa-kdb/ipa_kdb_mspac.c
+@@ -386,7 +386,6 @@ static krb5_error_code ipadb_fill_info3(struct ipadb_context *ipactx,
+                                         TALLOC_CTX *memctx,
+                                         struct netr_SamInfo3 *info3)
+ {
+-    LDAP *lcontext = ipactx->lcontext;
+     LDAPDerefRes *deref_results = NULL;
+     struct dom_sid sid;
+     gid_t prigid = -1;
+@@ -403,7 +402,7 @@ static krb5_error_code ipadb_fill_info3(struct ipadb_context *ipactx,
+     krb5_principal princ;
+     krb5_data *data;
+ 
+-    ret = ipadb_ldap_attr_to_strlist(lcontext, lentry, "objectClass",
++    ret = ipadb_ldap_attr_to_strlist(ipactx->lcontext, lentry, "objectClass",
+                                      &objectclasses);
+     if (ret == 0 && objectclasses != NULL) {
+         for (c = 0; objectclasses[c] != NULL; c++) {
+@@ -427,7 +426,7 @@ static krb5_error_code ipadb_fill_info3(struct ipadb_context *ipactx,
+     }
+ 
+     if (is_host) {
+-        ret = ipadb_ldap_attr_to_str(lcontext, lentry, "fqdn", &strres);
++        ret = ipadb_ldap_attr_to_str(ipactx->lcontext, lentry, "fqdn", &strres);
+         if (ret) {
+             /* fqdn is mandatory for hosts */
+             return ret;
+@@ -440,7 +439,8 @@ static krb5_error_code ipadb_fill_info3(struct ipadb_context *ipactx,
+             return ENOENT;
+         }
+     } else if (is_service) {
+-        ret = ipadb_ldap_attr_to_str(lcontext, lentry, "krbPrincipalName", &strres);
++        ret = ipadb_ldap_attr_to_str(ipactx->lcontext, lentry,
++                                     "krbCanonicalName", &strres);
+         if (ret) {
+             /* krbPrincipalName is mandatory for services */
+             return ret;
+@@ -489,7 +489,7 @@ static krb5_error_code ipadb_fill_info3(struct ipadb_context *ipactx,
+             return ENOENT;
+         }
+     } else {
+-        ret = ipadb_ldap_attr_to_str(lcontext, lentry, "uid", &strres);
++        ret = ipadb_ldap_attr_to_str(ipactx->lcontext, lentry, "uid", &strres);
+         if (ret) {
+             /* uid is mandatory */
+             return ret;
+@@ -502,7 +502,8 @@ static krb5_error_code ipadb_fill_info3(struct ipadb_context *ipactx,
+     if (is_host || is_service) {
+         prigid = 515; /* Well known RID for domain computers group */
+     } else {
+-        ret = ipadb_ldap_attr_to_int(lcontext, lentry, "gidNumber", &intres);
++        ret = ipadb_ldap_attr_to_int(ipactx->lcontext, lentry,
++                                     "gidNumber", &intres);
+         if (ret) {
+             /* gidNumber is mandatory */
+             return ret;
+@@ -533,7 +534,7 @@ static krb5_error_code ipadb_fill_info3(struct ipadb_context *ipactx,
+     info3->base.kickoff_time = -1;
+ #endif
+ 
+-    ret = ipadb_ldap_attr_to_time_t(lcontext, lentry,
++    ret = ipadb_ldap_attr_to_time_t(ipactx->lcontext, lentry,
+                                     "krbLastPwdChange", &timeres);
+     switch (ret) {
+     case 0:
+@@ -550,7 +551,7 @@ static krb5_error_code ipadb_fill_info3(struct ipadb_context *ipactx,
+     info3->base.allow_password_change = 0;
+     info3->base.force_password_change = -1;
+ 
+-    ret = ipadb_ldap_attr_to_str(lcontext, lentry, "cn", &strres);
++    ret = ipadb_ldap_attr_to_str(ipactx->lcontext, lentry, "cn", &strres);
+     switch (ret) {
+     case 0:
+         info3->base.full_name.string = talloc_strdup(memctx, strres);
+@@ -563,7 +564,7 @@ static krb5_error_code ipadb_fill_info3(struct ipadb_context *ipactx,
+         return ret;
+     }
+ 
+-    ret = ipadb_ldap_attr_to_str(lcontext, lentry,
++    ret = ipadb_ldap_attr_to_str(ipactx->lcontext, lentry,
+                                  "ipaNTLogonScript", &strres);
+     switch (ret) {
+     case 0:
+@@ -577,7 +578,7 @@ static krb5_error_code ipadb_fill_info3(struct ipadb_context *ipactx,
+         return ret;
+     }
+ 
+-    ret = ipadb_ldap_attr_to_str(lcontext, lentry,
++    ret = ipadb_ldap_attr_to_str(ipactx->lcontext, lentry,
+                                  "ipaNTProfilePath", &strres);
+     switch (ret) {
+     case 0:
+@@ -591,7 +592,7 @@ static krb5_error_code ipadb_fill_info3(struct ipadb_context *ipactx,
+         return ret;
+     }
+ 
+-    ret = ipadb_ldap_attr_to_str(lcontext, lentry,
++    ret = ipadb_ldap_attr_to_str(ipactx->lcontext, lentry,
+                                  "ipaNTHomeDirectory", &strres);
+     switch (ret) {
+     case 0:
+@@ -605,7 +606,7 @@ static krb5_error_code ipadb_fill_info3(struct ipadb_context *ipactx,
+         return ret;
+     }
+ 
+-    ret = ipadb_ldap_attr_to_str(lcontext, lentry,
++    ret = ipadb_ldap_attr_to_str(ipactx->lcontext, lentry,
+                                  "ipaNTHomeDirectoryDrive", &strres);
+     switch (ret) {
+     case 0:
+@@ -626,7 +627,7 @@ static krb5_error_code ipadb_fill_info3(struct ipadb_context *ipactx,
+         /* Well know RID of domain controllers group */
+         info3->base.rid = 516;
+     } else {
+-        ret = ipadb_ldap_attr_to_str(lcontext, lentry,
++        ret = ipadb_ldap_attr_to_str(ipactx->lcontext, lentry,
+                                      "ipaNTSecurityIdentifier", &strres);
+         if (ret) {
+             /* SID is mandatory */
+@@ -643,7 +644,7 @@ static krb5_error_code ipadb_fill_info3(struct ipadb_context *ipactx,
+         }
+     }
+ 
+-    ret = ipadb_ldap_deref_results(lcontext, lentry, &deref_results);
++    ret = ipadb_ldap_deref_results(ipactx->lcontext, lentry, &deref_results);
+     switch (ret) {
+     LDAPDerefRes *dres;
+     LDAPDerefVal *dval;
+@@ -2433,7 +2434,7 @@ static krb5_error_code
+ ipadb_mspac_get_trusted_domains(struct ipadb_context *ipactx)
+ {
+     struct ipadb_adtrusts *t;
+-    LDAP *lc = ipactx->lcontext;
++    LDAP *lc = NULL;
+     char *attrs[] = { "cn", "ipaNTTrustPartner", "ipaNTFlatName",
+                       "ipaNTTrustedDomainSID", "ipaNTSIDBlacklistIncoming",
+                       "ipaNTSIDBlacklistOutgoing", "ipaNTAdditionalSuffixes", NULL };
+@@ -2467,6 +2468,7 @@ ipadb_mspac_get_trusted_domains(struct ipadb_context *ipactx)
+         goto done;
+     }
+ 
++    lc = ipactx->lcontext;
+     for (le = ldap_first_entry(lc, res); le; le = ldap_next_entry(lc, le)) {
+         dnstr = ldap_get_dn(lc, le);
+ 
+diff --git a/daemons/ipa-kdb/ipa_kdb_principals.c b/daemons/ipa-kdb/ipa_kdb_principals.c
+index 3b78970b118cb6d8bd97da82a79226d20ea784e1..e1e86a6102886051cdafa3d885bf75c2718b8575 100644
+--- a/daemons/ipa-kdb/ipa_kdb_principals.c
++++ b/daemons/ipa-kdb/ipa_kdb_principals.c
+@@ -341,6 +341,11 @@ static enum ipadb_user_auth ipadb_get_user_auth(struct ipadb_context *ipactx,
+     if (gcfg != NULL)
+         gua = gcfg->user_auth;
+ 
++    /* lcontext == NULL means ipadb_get_global_config() failed to load
++     * global config and cleared the ipactx */
++    if (ipactx->lcontext == NULL)
++        return IPADB_USER_AUTH_NONE;
++
+     /* Get the user's user_auth settings if not disabled. */
+     if ((gua & IPADB_USER_AUTH_DISABLED) == 0)
+         ipadb_parse_user_auth(ipactx->lcontext, lentry, &ua);
+@@ -555,8 +560,16 @@ static krb5_error_code ipadb_parse_ldap_entry(krb5_context kcontext,
+         free(entry);
+         return KRB5_KDB_DBNOTINITED;
+     }
+-    lcontext = ipactx->lcontext;
+-    if (!lcontext) {
++
++    entry->magic = KRB5_KDB_MAGIC_NUMBER;
++    entry->len = KRB5_KDB_V1_BASE_LENGTH;
++
++    /* Get User Auth configuration. */
++    ua = ipadb_get_user_auth(ipactx, lentry);
++
++    /* ipadb_get_user_auth() calls into ipadb_get_global_config()
++     * and that might fail, causing lcontext to become NULL */
++    if (!ipactx->lcontext) {
+         krb5_klog_syslog(LOG_INFO,
+                          "No LDAP connection in ipadb_parse_ldap_entry(); retrying...\n");
+         ret = ipadb_get_connection(ipactx);
+@@ -568,11 +581,10 @@ static krb5_error_code ipadb_parse_ldap_entry(krb5_context kcontext,
+         }
+     }
+ 
+-    entry->magic = KRB5_KDB_MAGIC_NUMBER;
+-    entry->len = KRB5_KDB_V1_BASE_LENGTH;
+-
+-    /* Get User Auth configuration. */
+-    ua = ipadb_get_user_auth(ipactx, lentry);
++    /* If any code below would result in invalidating ipactx->lcontext,
++     * lcontext must be updated with the new ipactx->lcontext value.
++     * We rely on the fact that none of LDAP-parsing helpers does it. */
++    lcontext = ipactx->lcontext;
+ 
+     /* ignore mask for now */
+ 
+-- 
+2.26.3
+
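Review bot: In `ipadb_parse_ldap_entry`, `ua` is now computed before the reconnect block, and `ipadb_get_user_auth()` returns `IPADB_USER_AUTH_NONE` when the LDAP context was lost; nothing in the hunk recomputes `ua` after `ipadb_get_connection()` succeeds. If the code further down (outside the hunk) treats `IPADB_USER_AUTH_NONE` as "no restriction configured", the principal's configured authentication types would be ignored for that request. Repeating `ua = ipadb_get_user_auth(ipactx, lentry);` after a successful reconnect, or returning an error for this lookup, would be safer. Separately, the `ipadb_fill_info3` hunk switches the service lookup from `krbPrincipalName` to `krbCanonicalName`, which the commit message does not mention. The comment beneath it still reads `/* krbPrincipalName is mandatory for services */` and should name the attribute actually read.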
diff --git a/SOURCES/1001-Change-branding-to-IPA-and-Identity-Management.patch b/SOURCES/1001-Change-branding-to-IPA-and-Identity-Management.patch
index 76f9908..0cb4f84 100644
--- a/SOURCES/1001-Change-branding-to-IPA-and-Identity-Management.patch
+++ b/SOURCES/1001-Change-branding-to-IPA-and-Identity-Management.patch
@@ -1,4 +1,4 @@
-From 3cb7e1ad038a798f1fc88d2c1b116607fe04a806 Mon Sep 17 00:00:00 2001
+From cab573c5e2fb5631c9fd77a41ff77103ea51f9b3 Mon Sep 17 00:00:00 2001
 From: Jan Cholasta <jcholast@redhat.com>
 Date: Tue, 14 Mar 2017 15:48:07 +0000
 Subject: [PATCH] Change branding to IPA and Identity Management
@@ -1106,5 +1106,5 @@ index 643215985e932cae6e8d954596194032655b25d4..68baa0174ed88ede3f42092fb68150b5
  """) + _("""
  To enable the binddn run the following command to set the password:
 -- 
-2.26.2
+2.26.3
 
diff --git a/SOURCES/1002-Package-copy-schema-to-ca.py.patch b/SOURCES/1002-Package-copy-schema-to-ca.py.patch
index fbe3870..6cc1d21 100644
--- a/SOURCES/1002-Package-copy-schema-to-ca.py.patch
+++ b/SOURCES/1002-Package-copy-schema-to-ca.py.patch
@@ -1,4 +1,4 @@
-From 6b729f724be49e4157a213e6b2c09fc3da5fc477 Mon Sep 17 00:00:00 2001
+From 514a42e4ea723e6630ac24ff3ea68a442137ab52 Mon Sep 17 00:00:00 2001
 From: Jan Cholasta <jcholast@redhat.com>
 Date: Tue, 14 Mar 2017 16:07:15 +0000
 Subject: [PATCH] Package copy-schema-to-ca.py
@@ -40,5 +40,5 @@ index 922185c4b948fa7a5d1bcab6b2be3b34e99f66d4..8fead26f50cb4f045db6d60f9ca71dd9
  
  
 -- 
-2.26.2
+2.26.3
 
diff --git a/SOURCES/1003-Revert-Increased-mod_wsgi-socket-timeout.patch b/SOURCES/1003-Revert-Increased-mod_wsgi-socket-timeout.patch
index aea1eac..8cea203 100644
--- a/SOURCES/1003-Revert-Increased-mod_wsgi-socket-timeout.patch
+++ b/SOURCES/1003-Revert-Increased-mod_wsgi-socket-timeout.patch
@@ -1,4 +1,4 @@
-From 5043712188408afa67ec062b213b9d6b8b0f10e5 Mon Sep 17 00:00:00 2001
+From 90ffaffce2db5467ac6fd773db53373adfff69b4 Mon Sep 17 00:00:00 2001
 From: Jan Cholasta <jcholast@redhat.com>
 Date: Wed, 22 Jun 2016 13:53:46 +0200
 Subject: [PATCH] Revert "Increased mod_wsgi socket-timeout"
@@ -24,5 +24,5 @@ index 912a63c2240e0681dfbeeac223a902b15b304716..c5fc518f803d379287043b405efeb46d
  WSGIImportScript /usr/share/ipa/wsgi.py process-group=ipa application-group=ipa
  WSGIScriptAlias /ipa /usr/share/ipa/wsgi.py
 -- 
-2.26.2
+2.26.3
 
diff --git a/SOURCES/1004-Remove-csrgen.patch b/SOURCES/1004-Remove-csrgen.patch
index 68889b5..27f9930 100644
--- a/SOURCES/1004-Remove-csrgen.patch
+++ b/SOURCES/1004-Remove-csrgen.patch
@@ -1,4 +1,4 @@
-From d70975a40069c46b9d474de0e971d65606b6e6e3 Mon Sep 17 00:00:00 2001
+From e4ef3eb243d8e4fe26dee86529f90f8aaa8ab00f Mon Sep 17 00:00:00 2001
 From: Jan Cholasta <jcholast@redhat.com>
 Date: Thu, 16 Mar 2017 09:44:21 +0000
 Subject: [PATCH] Remove csrgen
@@ -403,5 +403,5 @@ index 79111ab686b4fe25227796509b3cd3fcb54af728..00000000000000000000000000000000
 @@ -1 +0,0 @@
 -{{ options|join(";") }}
 -- 
-2.26.2
+2.26.3
 
diff --git a/SOURCES/1005-Removing-filesystem-encoding-check.patch b/SOURCES/1005-Removing-filesystem-encoding-check.patch
index 8657ddf..6da2669 100644
--- a/SOURCES/1005-Removing-filesystem-encoding-check.patch
+++ b/SOURCES/1005-Removing-filesystem-encoding-check.patch
@@ -1,4 +1,4 @@
-From 3e6b0431e88c39d8c130feaa27f1c9591f774864 Mon Sep 17 00:00:00 2001
+From 17675289caa161c6574d1afbc813bd91efe71064 Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Tibor=20Dudl=C3=A1k?= <tdudlak@redhat.com>
 Date: Fri, 10 Aug 2018 13:16:38 +0200
 Subject: [PATCH] Removing filesystem encoding check
@@ -126,5 +126,5 @@ index b660532bd6e8db964b8287845ed1b5ebbcb43b9b..60309c58f250a263c8c3d13b0b47773b
  IPA_NOT_CONFIGURED = b'IPA is not configured on this system'
  IPA_CLIENT_NOT_CONFIGURED = b'IPA client is not configured on this system'
 -- 
-2.26.2
+2.26.3
 
diff --git a/SPECS/ipa.spec b/SPECS/ipa.spec
index c05a853..b22cd72 100644
--- a/SPECS/ipa.spec
+++ b/SPECS/ipa.spec
@@ -102,7 +102,7 @@
 
 Name:           ipa
 Version:        %{IPA_VERSION}
-Release:        5%{?dist}.4
+Release:        5%{?dist}.5
 Summary:        The Identity, Policy and Audit system
 
 Group:          System Environment/Base
@@ -110,9 +110,9 @@ License:        GPLv3+
 URL:            http://www.freeipa.org/
 Source0:        https://releases.pagure.org/freeipa/freeipa-%{version}.tar.gz
 # RHEL spec file only: START: Change branding to IPA and Identity Management
-#Source1:        header-logo.png
-#Source2:        login-screen-background.jpg
-#Source4:        product-name.png
+Source1:        header-logo.png
+Source2:        login-screen-background.jpg
+Source4:        product-name.png
 # RHEL spec file only: END: Change branding to IPA and Identity Management
 BuildRoot:      %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 
@@ -136,6 +136,11 @@ Patch0016:      0016-Improve-PKI-subsystem-detection.patch
 Patch0017:      0017-ipatests-add-test-for-PKI-subsystem-detection.patch
 Patch0018:      0018-ipatest-fix-test_upgrade.py-TestUpgrade-test_kra_det.patch
 Patch0019:      0019-Add-more-indices.patch
+Patch0020:      0020-ipa-kdb-fix-compiler-warnings.patch
+Patch0021:      0021-ipa-kdb-add-missing-prototypes.patch
+Patch0022:      0022-ipa-kdb-reformat-ipa_kdb_certauth.patch
+Patch0023:      0023-ipa-kdb-mark-test-functions-as-static.patch
+Patch0024:      0024-ipa-kdb-do-not-use-OpenLDAP-functions-with-NULL-LDAP.patch
 Patch1001:      1001-Change-branding-to-IPA-and-Identity-Management.patch
 Patch1002:      1002-Package-copy-schema-to-ca.py.patch
 Patch1003:      1003-Revert-Increased-mod_wsgi-socket-timeout.patch
@@ -396,10 +401,7 @@ Requires: oddjob
 Requires: gssproxy >= 0.7.0-2
 # 1.15.2: FindByNameAndCertificate (https://pagure.io/SSSD/sssd/issue/3050)
 Requires: sssd-dbus >= 1.15.2
-
-%if 0%{?centos} == 0
 Requires: system-logos >= 70.7.0
-%endif
 
 Provides: %{alt_name}-server = %{version}
 Conflicts: %{alt_name}-server
@@ -956,9 +958,9 @@ cp -r %{_builddir}/freeipa-%{version} %{_builddir}/freeipa-%{version}-python3
 # with_python3
 
 # RHEL spec file only: START: Change branding to IPA and Identity Management
-#cp %SOURCE1 install/ui/images/header-logo.png
-#cp %SOURCE2 install/ui/images/login-screen-background.jpg
-#cp %SOURCE4 install/ui/images/product-name.png
+cp %SOURCE1 install/ui/images/header-logo.png
+cp %SOURCE2 install/ui/images/login-screen-background.jpg
+cp %SOURCE4 install/ui/images/product-name.png
 # RHEL spec file only: END: Change branding to IPA and Identity Management
 
 
@@ -982,8 +984,7 @@ find \
 %configure --with-vendor-suffix=-%{release} \
            %{enable_server_option} \
            %{with_ipatests_option} \
-           %{linter_options} \
-           --with-ipaplatform=rhel
+           %{linter_options}
 
 %make_build
 
@@ -1004,8 +1005,7 @@ find \
 %configure --with-vendor-suffix=-%{release} \
            %{enable_server_option} \
            %{with_ipatests_option} \
-           %{linter_options} \
-           --with-ipaplatform=rhel
+           %{linter_options}
 popd
 %endif
 # with_python3
@@ -1092,11 +1092,9 @@ ln -s %{_bindir}/ipa-test-task-%{python2_version} %{buildroot}%{_bindir}/ipa-tes
 # remove files which are useful only for make uninstall
 find %{buildroot} -wholename '*/site-packages/*/install_files.txt' -exec rm {} \;
 
-%if 0%{?centos} == 0
 # RHEL spec file only: START: Replace login-screen-logo.png with a symlink
 ln -sf %{_datadir}/pixmaps/fedora-gdm-logo.png %{buildroot}%{_usr}/share/ipa/ui/images/login-screen-logo.png
 # RHEL spec file only: END: Replace login-screen-logo.png with a symlink
-%endif
 
 %find_lang %{gettext_domain}
 
@@ -1753,8 +1751,15 @@ fi
 
 
 %changelog
-* Tue Mar 16 2021 CentOS Sources <bugs@centos.org> - 4.6.8-5.el7.centos.4
-- Roll in CentOS Branding
+* Tue Apr 6 2021 Florence Blanc-Renaud <frenaud@redhat.com> - 4.6.8-5.el7_9.5
+- Resolves: #1931405 krb5kdc crash - Segmentation fault in ldap_first_entry().
+  - ipa-kdb: fix compiler warnings
+  - ipa-kdb: add missing prototypes
+  - ipa-kdb: reformat ipa_kdb_certauth
+  - ipa-kdb: mark test functions as static
+  - ipa-kdb: do not use OpenLDAP functions with NULL LDAP context
+- Resolves: #1835741 krb5kdc crashing on ipa server
+- Resolves: #1929372 krb5kdc is crashing intermittently on IPA server.
 
 * Fri Jan 29 2021 Florence Blanc-Renaud <frenaud@redhat.com> - 4.6.8-5.el7_9.4
 - Resolves: #1897253 IPA WebUI inaccessible after upgrading to RHEL 8.3.- idoverride-memberof.js missing