diff --git a/SOURCES/0028-extdom-return-LDAP_NO_SUCH_OBJECT-if-domains-differ.patch b/SOURCES/0028-extdom-return-LDAP_NO_SUCH_OBJECT-if-domains-differ.patch
new file mode 100644
index 0000000..6db4260
--- /dev/null
+++ b/SOURCES/0028-extdom-return-LDAP_NO_SUCH_OBJECT-if-domains-differ.patch
@@ -0,0 +1,46 @@
+From 65953c3a20f497c318919c18198da9c57fd7b5be Mon Sep 17 00:00:00 2001
+From: Sumit Bose <sbose@redhat.com>
+Date: Wed, 25 Aug 2021 17:10:29 +0200
+Subject: [PATCH] extdom: return LDAP_NO_SUCH_OBJECT if domains differ
+
+If a client sends a request to lookup an object from a given trusted
+domain by UID or GID and an object with matching ID is only found in a
+different domain the extdom should return LDAP_NO_SUCH_OBJECT to
+indicate to the client that the requested ID does not exists in the
+given domain.
+
+Resolves: https://pagure.io/freeipa/issue/8965
+Reviewed-By: Rob Crittenden <rcritten@redhat.com>
+---
+ .../ipa-extdom-extop/ipa_extdom_common.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c b/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c
+index 1e96c495ab1b893d963bcf0efde91d46adfd91ba..7c61099ccf2f67a5ea404c4c5e9747104a44a601 100644
+--- a/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c
++++ b/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c
+@@ -542,7 +542,9 @@ int pack_ber_user(struct ipa_extdom_ctx *ctx,
+ if (strcasecmp(locat+1, domain_name) == 0 ) {
+ locat[0] = '\0';
+ } else {
+- ret = LDAP_INVALID_SYNTAX;
++ /* The found object is from a different domain than requested,
++ * that means it does not exist in the requested domain */
++ ret = LDAP_NO_SUCH_OBJECT;
+ goto done;
+ }
+ }
+@@ -655,7 +657,9 @@ int pack_ber_group(enum response_types response_type,
+ if (strcasecmp(locat+1, domain_name) == 0 ) {
+ locat[0] = '\0';
+ } else {
+- ret = LDAP_INVALID_SYNTAX;
++ /* The found object is from a different domain than requested,
++ * that means it does not exist in the requested domain */
++ ret = LDAP_NO_SUCH_OBJECT;
+ goto done;
+ }
+ }
+--
+2.31.1
+
diff --git a/SOURCES/1001-Change-branding-to-IPA-and-Identity-Management.patch b/SOURCES/1001-Change-branding-to-IPA-and-Identity-Management.patch
index 38faab6..dc13b8d 100644
--- a/SOURCES/1001-Change-branding-to-IPA-and-Identity-Management.patch
+++ b/SOURCES/1001-Change-branding-to-IPA-and-Identity-Management.patch
@@ -1,4 +1,4 @@
-From a93c2ff982b27166206eab66f1b7d6c13eff63ed Mon Sep 17 00:00:00 2001
+From 2178218fdb1d1a8fe2c173d09b1a0dafc8504f3b Mon Sep 17 00:00:00 2001
From: Jan Cholasta <jcholast@redhat.com>
Date: Tue, 14 Mar 2017 15:48:07 +0000
Subject: [PATCH] Change branding to IPA and Identity Management
@@ -1106,5 +1106,5 @@ index 643215985e932cae6e8d954596194032655b25d4..68baa0174ed88ede3f42092fb68150b5
""") + _("""
To enable the binddn run the following command to set the password:
--
-2.26.3
+2.31.1
diff --git a/SOURCES/1002-Package-copy-schema-to-ca.py.patch b/SOURCES/1002-Package-copy-schema-to-ca.py.patch
index a53c925..868769e 100644
--- a/SOURCES/1002-Package-copy-schema-to-ca.py.patch
+++ b/SOURCES/1002-Package-copy-schema-to-ca.py.patch
@@ -1,4 +1,4 @@
-From e83c5db6277d24159c869da9463ab2737396cddc Mon Sep 17 00:00:00 2001
+From 87b561cd11582ac64d10d2fc0288f6dc93eb1786 Mon Sep 17 00:00:00 2001
From: Jan Cholasta <jcholast@redhat.com>
Date: Tue, 14 Mar 2017 16:07:15 +0000
Subject: [PATCH] Package copy-schema-to-ca.py
@@ -40,5 +40,5 @@ index 922185c4b948fa7a5d1bcab6b2be3b34e99f66d4..8fead26f50cb4f045db6d60f9ca71dd9
--
-2.26.3
+2.31.1
diff --git a/SOURCES/1003-Revert-Increased-mod_wsgi-socket-timeout.patch b/SOURCES/1003-Revert-Increased-mod_wsgi-socket-timeout.patch
index 41c4053..7c2f716 100644
--- a/SOURCES/1003-Revert-Increased-mod_wsgi-socket-timeout.patch
+++ b/SOURCES/1003-Revert-Increased-mod_wsgi-socket-timeout.patch
@@ -1,4 +1,4 @@
-From 98045b1cf0c3d18c958c67a585c8745cf0948675 Mon Sep 17 00:00:00 2001
+From 7f8fdb2a050e72f8a8069e572a957f5ade9c11a8 Mon Sep 17 00:00:00 2001
From: Jan Cholasta <jcholast@redhat.com>
Date: Wed, 22 Jun 2016 13:53:46 +0200
Subject: [PATCH] Revert "Increased mod_wsgi socket-timeout"
@@ -24,5 +24,5 @@ index 912a63c2240e0681dfbeeac223a902b15b304716..c5fc518f803d379287043b405efeb46d
WSGIImportScript /usr/share/ipa/wsgi.py process-group=ipa application-group=ipa
WSGIScriptAlias /ipa /usr/share/ipa/wsgi.py
--
-2.26.3
+2.31.1
diff --git a/SOURCES/1004-Remove-csrgen.patch b/SOURCES/1004-Remove-csrgen.patch
index 0964281..4ab0990 100644
--- a/SOURCES/1004-Remove-csrgen.patch
+++ b/SOURCES/1004-Remove-csrgen.patch
@@ -1,4 +1,4 @@
-From e4d43beea85e161ac426a5bff8fe10118a72a9a4 Mon Sep 17 00:00:00 2001
+From 117c3b5e46e2ed3cc2e5c74ebe93b6a359c01aba Mon Sep 17 00:00:00 2001
From: Jan Cholasta <jcholast@redhat.com>
Date: Thu, 16 Mar 2017 09:44:21 +0000
Subject: [PATCH] Remove csrgen
@@ -403,5 +403,5 @@ index 79111ab686b4fe25227796509b3cd3fcb54af728..00000000000000000000000000000000
@@ -1 +0,0 @@
-{{ options|join(";") }}
--
-2.26.3
+2.31.1
diff --git a/SOURCES/1005-Removing-filesystem-encoding-check.patch b/SOURCES/1005-Removing-filesystem-encoding-check.patch
index e6a31b2..1ee4878 100644
--- a/SOURCES/1005-Removing-filesystem-encoding-check.patch
+++ b/SOURCES/1005-Removing-filesystem-encoding-check.patch
@@ -1,4 +1,4 @@
-From 47575ded74d9bd4b0691b0e356453629e8d00e49 Mon Sep 17 00:00:00 2001
+From a3c7afb55ef0ed4542dd59295ba4ac9b8a77f88d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tibor=20Dudl=C3=A1k?= <tdudlak@redhat.com>
Date: Fri, 10 Aug 2018 13:16:38 +0200
Subject: [PATCH] Removing filesystem encoding check
@@ -126,5 +126,5 @@ index b660532bd6e8db964b8287845ed1b5ebbcb43b9b..60309c58f250a263c8c3d13b0b47773b
IPA_NOT_CONFIGURED = b'IPA is not configured on this system'
IPA_CLIENT_NOT_CONFIGURED = b'IPA client is not configured on this system'
--
-2.26.3
+2.31.1
diff --git a/SPECS/ipa.spec b/SPECS/ipa.spec
index 84089b2..f0c20bb 100644
--- a/SPECS/ipa.spec
+++ b/SPECS/ipa.spec
@@ -103,7 +103,7 @@
Name: ipa
Version: %{IPA_VERSION}
-Release: 5%{?dist}.7
+Release: 5%{?dist}.9
Summary: The Identity, Policy and Audit system
Group: System Environment/Base
@@ -111,9 +111,9 @@ License: GPLv3+
URL: http://www.freeipa.org/
Source0: https://releases.pagure.org/freeipa/freeipa-%{version}.tar.gz
# RHEL spec file only: START: Change branding to IPA and Identity Management
-#Source1: header-logo.png
-#Source2: login-screen-background.jpg
-#Source4: product-name.png
+Source1: header-logo.png
+Source2: login-screen-background.jpg
+Source4: product-name.png
# RHEL spec file only: END: Change branding to IPA and Identity Management
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
@@ -145,6 +145,7 @@ Patch0024: 0024-ipa-kdb-do-not-use-OpenLDAP-functions-with-NULL-LDAP.patch
Patch0025: 0025-CA-less-installation-non-ASCII-chars-in-CA-subject.patch
Patch0026: 0026-ipatests-use-non-ascii-chars-in-CA-less-install.patch
Patch0027: 0027-Allow-PKINIT-to-be-enabled-when-updating-from-a-pre-.patch
+Patch0028: 0028-extdom-return-LDAP_NO_SUCH_OBJECT-if-domains-differ.patch
Patch1001: 1001-Change-branding-to-IPA-and-Identity-Management.patch
Patch1002: 1002-Package-copy-schema-to-ca.py.patch
Patch1003: 1003-Revert-Increased-mod_wsgi-socket-timeout.patch
@@ -405,10 +406,7 @@ Requires: oddjob
Requires: gssproxy >= 0.7.0-2
# 1.15.2: FindByNameAndCertificate (https://pagure.io/SSSD/sssd/issue/3050)
Requires: sssd-dbus >= 1.15.2
-
-%if 0%{?centos} == 0
Requires: system-logos >= 70.7.0
-%endif
Provides: %{alt_name}-server = %{version}
Conflicts: %{alt_name}-server
@@ -965,9 +963,9 @@ cp -r %{_builddir}/freeipa-%{version} %{_builddir}/freeipa-%{version}-python3
# with_python3
# RHEL spec file only: START: Change branding to IPA and Identity Management
-#cp %SOURCE1 install/ui/images/header-logo.png
-#cp %SOURCE2 install/ui/images/login-screen-background.jpg
-#cp %SOURCE4 install/ui/images/product-name.png
+cp %SOURCE1 install/ui/images/header-logo.png
+cp %SOURCE2 install/ui/images/login-screen-background.jpg
+cp %SOURCE4 install/ui/images/product-name.png
# RHEL spec file only: END: Change branding to IPA and Identity Management
@@ -991,8 +989,7 @@ find \
%configure --with-vendor-suffix=-%{release} \
%{enable_server_option} \
%{with_ipatests_option} \
- %{linter_options} \
- --with-ipaplatform=rhel
+ %{linter_options}
%make_build
@@ -1013,8 +1010,7 @@ find \
%configure --with-vendor-suffix=-%{release} \
%{enable_server_option} \
%{with_ipatests_option} \
- %{linter_options} \
- --with-ipaplatform=rhel
+ %{linter_options}
popd
%endif
# with_python3
@@ -1101,11 +1097,9 @@ ln -s %{_bindir}/ipa-test-task-%{python2_version} %{buildroot}%{_bindir}/ipa-tes
# remove files which are useful only for make uninstall
find %{buildroot} -wholename '*/site-packages/*/install_files.txt' -exec rm {} \;
-%if 0%{?centos} == 0
# RHEL spec file only: START: Replace login-screen-logo.png with a symlink
ln -sf %{_datadir}/pixmaps/fedora-gdm-logo.png %{buildroot}%{_usr}/share/ipa/ui/images/login-screen-logo.png
# RHEL spec file only: END: Replace login-screen-logo.png with a symlink
-%endif
%find_lang %{gettext_domain}
@@ -1762,8 +1756,9 @@ fi
%changelog
-* Tue Jul 20 2021 CentOS Sources <bugs@centos.org> - 4.6.8-5.el7.centos.7
-- Roll in CentOS Branding
+* Wed Sep 08 2021 Florence Blanc-Renaud <frenaud@redhat.com> - 4.6.8-5.el7_9.9
+- Resolves: #2000261 - extdom: LDAP_INVALID_SYNTAX returned instead of LDAP_NO_SUCH_OBJECT
+ - extdom: return LDAP_NO_SUCH_OBJECT if domains differ
* Tue Jun 22 2021 Florence Blanc-Renaud <frenaud@redhat.com> - 4.6.8-5.el7_9.7
- Resolves: #1956550 - IPA server installation fails when cert contains non-ASCII character