diff --git a/.openldap.metadata b/.openldap.metadata
index 80bf8dc..5df585c 100644
--- a/.openldap.metadata
+++ b/.openldap.metadata
@@ -1,2 +1,2 @@
-db02243150b050baac6a8ea4145ad73a1f6d2266 SOURCES/openldap-2.4.35.tgz
 444fe85f8c42d97355d88ec295b18ecb58faeb52 SOURCES/ltb-project-openldap-ppolicy-check-password-1.1.tar.gz
+2b8e8401214867c361f7212e7058f95118b5bd6c SOURCES/openldap-2.4.39.tgz
diff --git a/SOURCES/ldap.conf b/SOURCES/ldap.conf
index 661a259..aa6f8fd 100644
--- a/SOURCES/ldap.conf
+++ b/SOURCES/ldap.conf
@@ -15,4 +15,4 @@
 TLS_CACERTDIR	/etc/openldap/certs
 
 # Turning this off breaks GSSAPI used with krb5 when rdns = false
-SASL_NOCANON	on
\ No newline at end of file
+SASL_NOCANON	on
diff --git a/SOURCES/openldap-cldap.patch b/SOURCES/openldap-cldap.patch
deleted file mode 100644
index 834b74f..0000000
--- a/SOURCES/openldap-cldap.patch
+++ /dev/null
@@ -1,270 +0,0 @@
-This is a 3-part patch that fixes connectionless ldap when used with IPv6.
-================================================================================
-Don't try to parse the result of a CLDAP bind request. Since these are
-faked, no message is actually returned.
-
-Author: Stef Walter <stefw@redhat.com>
-Upstream commit: 5c919894779d67280fa26afdd94d99248fc38099
-ITS: #7695
-Backported-By: Jan Synacek <jsynacek@redhat.com>
-
---- a/clients/tools/common.c	2013-08-16 20:12:59.000000000 +0200
-+++ b/clients/tools/common.c	2013-10-14 09:35:50.817033451 +0200
-@@ -1521,11 +1521,13 @@ tool_bind( LDAP *ld )
- 			tool_exit( ld, LDAP_LOCAL_ERROR );
- 		}
- 
--		rc = ldap_parse_result( ld, result, &err, &matched, &info, &refs,
--			&ctrls, 1 );
--		if ( rc != LDAP_SUCCESS ) {
--			tool_perror( "ldap_bind parse result", rc, NULL, matched, info, refs );
--			tool_exit( ld, LDAP_LOCAL_ERROR );
-+		if ( result ) {
-+			rc = ldap_parse_result( ld, result, &err, &matched, &info, &refs,
-+									&ctrls, 1 );
-+			if ( rc != LDAP_SUCCESS ) {
-+				tool_perror( "ldap_bind parse result", rc, NULL, matched, info, refs );
-+				tool_exit( ld, LDAP_LOCAL_ERROR );
-+			}
- 		}
- 
- #ifdef LDAP_CONTROL_PASSWORDPOLICYREQUEST
-================================================================================
-commit d51ee964fc5e1f02b035811de0f95eee81c2789f
-Author: Howard Chu <hyc@openldap.org>
-Date:   Thu Oct 10 10:48:08 2013 -0700
-
-    ITS#7694 more for IPv6 CLDAP, slapd fix
-
-diff --git a/servers/slapd/connection.c b/servers/slapd/connection.c
-index e169494..7ed3f63 100644
---- a/servers/slapd/connection.c
-+++ b/servers/slapd/connection.c
-@@ -1499,22 +1499,53 @@ connection_input( Connection *conn , conn_readinfo *cri )
- 
- #ifdef LDAP_CONNECTIONLESS
- 	if ( conn->c_is_udp ) {
-+#if defined(LDAP_PF_INET6)
-+		char peername[sizeof("IP=[ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff]:65535")];
-+		char addr[INET6_ADDRSTRLEN];
-+#else
- 		char peername[sizeof("IP=255.255.255.255:65336")];
-+		char addr[INET_ADDRSTRLEN];
-+#endif
- 		const char *peeraddr_string = NULL;
- 
--		len = ber_int_sb_read(conn->c_sb, &peeraddr, sizeof(struct sockaddr));
--		if (len != sizeof(struct sockaddr)) return 1;
-+		len = ber_int_sb_read(conn->c_sb, &peeraddr, sizeof(Sockaddr));
-+		if (len != sizeof(Sockaddr)) return 1;
- 
-+#if defined(LDAP_PF_INET6)
-+		if (peeraddr.sa_addr.sa_family == AF_INET6) {
-+			if ( IN6_IS_ADDR_V4MAPPED(&peeraddr.sa_in6_addr.sin6_addr) ) {
- #if defined( HAVE_GETADDRINFO ) && defined( HAVE_INET_NTOP )
--		char addr[INET_ADDRSTRLEN];
--		peeraddr_string = inet_ntop( AF_INET, &peeraddr.sa_in_addr.sin_addr,
-+				peeraddr_string = inet_ntop( AF_INET,
-+				   ((struct in_addr *)&peeraddr.sa_in6_addr.sin6_addr.s6_addr[12]),
-+				   addr, sizeof(addr) );
-+#else /* ! HAVE_GETADDRINFO || ! HAVE_INET_NTOP */
-+				peeraddr_string = inet_ntoa( *((struct in_addr *)
-+					&peeraddr.sa_in6_addr.sin6_addr.s6_addr[12]) );
-+#endif /* ! HAVE_GETADDRINFO || ! HAVE_INET_NTOP */
-+				if ( !peeraddr_string ) peeraddr_string = SLAP_STRING_UNKNOWN;
-+				sprintf( peername, "IP=%s:%d", peeraddr_string,
-+					(unsigned) ntohs( peeraddr.sa_in6_addr.sin6_port ) );
-+			} else {
-+				peeraddr_string = inet_ntop( AF_INET6,
-+				      &peeraddr.sa_in6_addr.sin6_addr,
-+				      addr, sizeof addr );
-+				if ( !peeraddr_string ) peeraddr_string = SLAP_STRING_UNKNOWN;
-+				sprintf( peername, "IP=[%s]:%d", peeraddr_string,
-+					 (unsigned) ntohs( peeraddr.sa_in6_addr.sin6_port ) );
-+			}
-+		} else
-+#endif
-+#if defined( HAVE_GETADDRINFO ) && defined( HAVE_INET_NTOP )
-+		{
-+			peeraddr_string = inet_ntop( AF_INET, &peeraddr.sa_in_addr.sin_addr,
- 			   addr, sizeof(addr) );
- #else /* ! HAVE_GETADDRINFO || ! HAVE_INET_NTOP */
--		peeraddr_string = inet_ntoa( peeraddr.sa_in_addr.sin_addr );
-+			peeraddr_string = inet_ntoa( peeraddr.sa_in_addr.sin_addr );
- #endif /* ! HAVE_GETADDRINFO || ! HAVE_INET_NTOP */
--		sprintf( peername, "IP=%s:%d",
--			 peeraddr_string,
--			(unsigned) ntohs( peeraddr.sa_in_addr.sin_port ) );
-+			sprintf( peername, "IP=%s:%d",
-+				 peeraddr_string,
-+				(unsigned) ntohs( peeraddr.sa_in_addr.sin_port ) );
-+		}
- 		Statslog( LDAP_DEBUG_STATS,
- 			"conn=%lu UDP request from %s (%s) accepted.\n",
- 			conn->c_connid, peername, conn->c_sock_name.bv_val, 0, 0 );
-================================================================================
-commit 743a9783d57ea6b693e56f6545ac5d68dc9242c7
-Author: Stef Walter <stefw@redhat.com>
-Date:   Thu Sep 12 15:49:36 2013 +0200
-
-    ITS#7694 Fix use of IPv6 with LDAP_CONNECTIONLESS
-    
-    LDAP_CONNECTIONLESS code assumed that the size of an peer address
-    is equal to or smaller than sizeof (struct sockaddr).
-    
-    Fix to use struct sockaddr_storage instead which is intended for
-    this purpose. Use getnameinfo() where appropriate so we don't
-    assume anything about the contents of struct sockaddr
-
-diff --git a/libraries/liblber/sockbuf.c b/libraries/liblber/sockbuf.c
-index d997e92..858c942 100644
---- a/libraries/liblber/sockbuf.c
-+++ b/libraries/liblber/sockbuf.c
-@@ -888,8 +888,8 @@ Sockbuf_IO ber_sockbuf_io_debug = {
-  *
-  * All I/O at this level must be atomic. For ease of use, the sb_readahead
-  * must be used above this module. All data reads and writes are prefixed
-- * with a sockaddr containing the address of the remote entity. Upper levels
-- * must read and write this sockaddr before doing the usual ber_printf/scanf
-+ * with a sockaddr_storage containing the address of the remote entity. Upper levels
-+ * must read and write this sockaddr_storage before doing the usual ber_printf/scanf
-  * operations on LDAP messages.
-  */
- 
-@@ -914,13 +914,13 @@ sb_dgram_read( Sockbuf_IO_Desc *sbiod, void *buf, ber_len_t len )
- 	assert( SOCKBUF_VALID( sbiod->sbiod_sb ) );
- 	assert( buf != NULL );
- 
--	addrlen = sizeof( struct sockaddr );
-+	addrlen = sizeof( struct sockaddr_storage );
- 	src = buf;
- 	buf = (char *) buf + addrlen;
- 	len -= addrlen;
- 	rc = recvfrom( sbiod->sbiod_sb->sb_fd, buf, len, 0, src, &addrlen );
- 
--	return rc > 0 ? rc+sizeof(struct sockaddr) : rc;
-+	return rc > 0 ? rc+sizeof(struct sockaddr_storage) : rc;
- }
- 
- static ber_slen_t 
-@@ -934,11 +934,11 @@ sb_dgram_write( Sockbuf_IO_Desc *sbiod, void *buf, ber_len_t len )
- 	assert( buf != NULL );
- 
- 	dst = buf;
--	buf = (char *) buf + sizeof( struct sockaddr );
--	len -= sizeof( struct sockaddr );
-+	buf = (char *) buf + sizeof( struct sockaddr_storage );
-+	len -= sizeof( struct sockaddr_storage );
-    
- 	rc = sendto( sbiod->sbiod_sb->sb_fd, buf, len, 0, dst,
--		sizeof( struct sockaddr ) );
-+		sizeof( struct sockaddr_storage ) );
- 
- 	if ( rc < 0 ) return -1;
-    
-@@ -949,7 +949,7 @@ sb_dgram_write( Sockbuf_IO_Desc *sbiod, void *buf, ber_len_t len )
- # endif
- 		return -1;
- 	}
--	rc = len + sizeof(struct sockaddr);
-+	rc = len + sizeof(struct sockaddr_storage);
- 	return rc;
- }
- 
-diff --git a/libraries/libldap/abandon.c b/libraries/libldap/abandon.c
-index d999b07..8fd9bc2 100644
---- a/libraries/libldap/abandon.c
-+++ b/libraries/libldap/abandon.c
-@@ -209,7 +209,7 @@ start_again:;
- 			LDAP_NEXT_MSGID(ld, i);
- #ifdef LDAP_CONNECTIONLESS
- 			if ( LDAP_IS_UDP(ld) ) {
--				struct sockaddr sa = {0};
-+				struct sockaddr_storage sa = {0};
- 				/* dummy, filled with ldo_peer in request.c */
- 				err = ber_write( ber, (char *) &sa, sizeof(sa), 0 );
- 			}
-diff --git a/libraries/libldap/open.c b/libraries/libldap/open.c
-index 24d8a41..5b2613a 100644
---- a/libraries/libldap/open.c
-+++ b/libraries/libldap/open.c
-@@ -268,6 +268,7 @@ ldap_init_fd(
- 	int rc;
- 	LDAP *ld;
- 	LDAPConn *conn;
-+	socklen_t len;
- 
- 	*ldp = NULL;
- 	rc = ldap_create( &ld );
-@@ -308,6 +309,15 @@ ldap_init_fd(
- 
- #ifdef LDAP_CONNECTIONLESS
- 	case LDAP_PROTO_UDP:
-+		LDAP_IS_UDP(ld) = 1;
-+		if( ld->ld_options.ldo_peer )
-+			ldap_memfree( ld->ld_options.ldo_peer );
-+		ld->ld_options.ldo_peer = ldap_memalloc( sizeof( struct sockaddr_storage ) );
-+		len = sizeof( struct sockaddr_storage );
-+		if( getpeername ( fd, ld->ld_options.ldo_peer, &len ) < 0) {
-+			ldap_unbind_ext( ld, NULL, NULL );
-+			return( AC_SOCKET_ERROR );
-+		}
- #ifdef LDAP_DEBUG
- 		ber_sockbuf_add_io( conn->lconn_sb, &ber_sockbuf_io_debug,
- 			LBER_SBIOD_LEVEL_PROVIDER, (void *)"udp_" );
-diff --git a/libraries/libldap/os-ip.c b/libraries/libldap/os-ip.c
-index b31e05d..90b92df 100644
---- a/libraries/libldap/os-ip.c
-+++ b/libraries/libldap/os-ip.c
-@@ -422,8 +422,8 @@ ldap_pvt_connect(LDAP *ld, ber_socket_t s,
- 	if (LDAP_IS_UDP(ld)) {
- 		if (ld->ld_options.ldo_peer)
- 			ldap_memfree(ld->ld_options.ldo_peer);
--		ld->ld_options.ldo_peer=ldap_memalloc(sizeof(struct sockaddr));
--		AC_MEMCPY(ld->ld_options.ldo_peer,sin,sizeof(struct sockaddr));
-+		ld->ld_options.ldo_peer=ldap_memcalloc(1, sizeof(struct sockaddr_storage));
-+		AC_MEMCPY(ld->ld_options.ldo_peer,sin,addrlen);
- 		return ( 0 );
- 	}
- #endif
-diff --git a/libraries/libldap/request.c b/libraries/libldap/request.c
-index fc2f4d0..4822a63 100644
---- a/libraries/libldap/request.c
-+++ b/libraries/libldap/request.c
-@@ -308,7 +308,7 @@ ldap_send_server_request(
- 		ber_rewind( &tmpber );
- 		LDAP_MUTEX_LOCK( &ld->ld_options.ldo_mutex );
- 		rc = ber_write( &tmpber, ld->ld_options.ldo_peer,
--			sizeof( struct sockaddr ), 0 );
-+			sizeof( struct sockaddr_storage ), 0 );
- 		LDAP_MUTEX_UNLOCK( &ld->ld_options.ldo_mutex );
- 		if ( rc == -1 ) {
- 			ld->ld_errno = LDAP_ENCODING_ERROR;
-diff --git a/libraries/libldap/result.c b/libraries/libldap/result.c
-index f2a6c7b..d293299 100644
---- a/libraries/libldap/result.c
-+++ b/libraries/libldap/result.c
-@@ -482,8 +482,8 @@ retry:
- 	sock_errset(0);
- #ifdef LDAP_CONNECTIONLESS
- 	if ( LDAP_IS_UDP(ld) ) {
--		struct sockaddr from;
--		ber_int_sb_read( lc->lconn_sb, &from, sizeof(struct sockaddr) );
-+		struct sockaddr_storage from;
-+		ber_int_sb_read( lc->lconn_sb, &from, sizeof(struct sockaddr_storage) );
- 		if ( ld->ld_options.ldo_version == LDAP_VERSION2 ) isv2 = 1;
- 	}
- nextresp3:
-diff --git a/libraries/libldap/search.c b/libraries/libldap/search.c
-index 3867b5b..b966d1a 100644
---- a/libraries/libldap/search.c
-+++ b/libraries/libldap/search.c
-@@ -305,7 +305,7 @@ ldap_build_search_req(
- 	LDAP_NEXT_MSGID( ld, *idp );
- #ifdef LDAP_CONNECTIONLESS
- 	if ( LDAP_IS_UDP(ld) ) {
--		struct sockaddr sa = {0};
-+		struct sockaddr_storage sa = {0};
- 		/* dummy, filled with ldo_peer in request.c */
- 	    err = ber_write( ber, (char *) &sa, sizeof( sa ), 0 );
- 	}
diff --git a/SOURCES/openldap-doc1.patch b/SOURCES/openldap-doc1.patch
deleted file mode 100644
index 13c4c41..0000000
--- a/SOURCES/openldap-doc1.patch
+++ /dev/null
@@ -1,36 +0,0 @@
-Upstream ITS: #7568
-
-From 6be982c000133ccf9da949d39eed23a93bc7bfc5 Mon Sep 17 00:00:00 2001
-From: Jan Synacek <jsynacek@redhat.com>
-Date: Tue, 9 Apr 2013 12:41:38 +0200
-Subject: [PATCH 1/2] Fix typos in ldap.conf.5
-
----
- doc/man/man5/ldap.conf.5 | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/doc/man/man5/ldap.conf.5 b/doc/man/man5/ldap.conf.5
-index cfde143..8f7fecd 100644
---- a/doc/man/man5/ldap.conf.5
-+++ b/doc/man/man5/ldap.conf.5
-@@ -297,7 +297,7 @@ Specifies if GSSAPI encryption (GSS_C_INTEG_FLAG and GSS_C_CONF_FLAG)
- should be used. The default is off.
- .TP
- .B GSSAPI_ALLOW_REMOTE_PRINCIPAL <on/true/yes/off/false/no>
--Specifies if GSSAPI based authentification should try to form the
-+Specifies if GSSAPI based authentication should try to form the
- target principal name out of the ldapServiceName or dnsHostName
- attribute of the targets RootDSE entry. The default is off.
- .SH TLS OPTIONS
-@@ -354,7 +354,7 @@ it is of critical importance that the key file is protected carefully.
- When using Mozilla NSS, TLS_KEY specifies the name of a file that contains
- the password for the key for the certificate specified with TLS_CERT.  The
- modutil command can be used to turn off password protection for the cert/key
--database.  For example, if TLS_CACERTDIR specifes /home/scarter/.moznss as
-+database.  For example, if TLS_CACERTDIR specifies /home/scarter/.moznss as
- the location of the cert/key database, use modutil to change the password
- to the empty string:
- .nf
--- 
-1.8.1.4
-
diff --git a/SOURCES/openldap-doc2.patch b/SOURCES/openldap-doc2.patch
deleted file mode 100644
index 47b1c13..0000000
--- a/SOURCES/openldap-doc2.patch
+++ /dev/null
@@ -1,27 +0,0 @@
-Upstream ITS: #7568
-
-From 05c726c62785b2c307f9c5343a253d43ec7322c6 Mon Sep 17 00:00:00 2001
-From: Jan Synacek <jsynacek@redhat.com>
-Date: Tue, 9 Apr 2013 12:42:31 +0200
-Subject: [PATCH 2/2] Add -Q to slaptest's help
-
----
- servers/slapd/slapcommon.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/servers/slapd/slapcommon.c b/servers/slapd/slapcommon.c
-index 714e2bc..153310f 100644
---- a/servers/slapd/slapcommon.c
-+++ b/servers/slapd/slapcommon.c
-@@ -92,7 +92,7 @@ usage( int tool, const char *progname )
- 		break;
- 
- 	case SLAPTEST:
--		options = " [-n databasenumber] [-u]\n";
-+		options = " [-n databasenumber] [-u] [-Q]\n";
- 		break;
- 
- 	case SLAPSCHEMA:
--- 
-1.8.1.4
-
diff --git a/SOURCES/openldap-doc3.patch b/SOURCES/openldap-doc3.patch
deleted file mode 100644
index d0e7821..0000000
--- a/SOURCES/openldap-doc3.patch
+++ /dev/null
@@ -1,39 +0,0 @@
-From 128a8c486e86b8e8c8d34f0eb9fdc0b580212e5b Mon Sep 17 00:00:00 2001
-From: Jan Synacek <jsynacek@redhat.com>
-Date: Tue, 3 Sep 2013 14:09:37 +0200
-Subject: [PATCH] Fix typos in manpages.
-
----
- doc/man/man1/ldapsearch.1   | 2 +-
- doc/man/man5/slapd-passwd.5 | 2 +-
- 2 files changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/doc/man/man1/ldapsearch.1 b/doc/man/man1/ldapsearch.1
-index 82ddddb..150f064 100644
---- a/doc/man/man1/ldapsearch.1
-+++ b/doc/man/man1/ldapsearch.1
-@@ -456,7 +456,7 @@ This command:
- .fi
- .LP
- will perform a one-level search at the c=US level for all entries
--whose organization name (o) begins begins with \fBUniversity\fP.
-+whose organization name (o) begins with \fBUniversity\fP.
- The organization name and description attribute values will be retrieved
- and printed to standard output, resulting in output similar to this:
- .LP
-diff --git a/doc/man/man5/slapd-passwd.5 b/doc/man/man5/slapd-passwd.5
-index fbd30f2..2dc5c5d 100644
---- a/doc/man/man5/slapd-passwd.5
-+++ b/doc/man/man5/slapd-passwd.5
-@@ -13,7 +13,7 @@ serves up the user account information listed in the system
- .BR passwd (5)
- file.  This backend is provided for demonstration purposes only.
- The DN of each entry is "uid=<username>,<suffix>".
--Note that non-base searches scan the the entire passwd file, and
-+Note that non-base searches scan the entire passwd file, and
- are best suited for hosts with small passwd files.
- .SH CONFIGURATION
- This
--- 
-1.8.3.1
-
diff --git a/SOURCES/openldap-loglevel2bvarray.patch b/SOURCES/openldap-loglevel2bvarray.patch
deleted file mode 100644
index 1a0e766..0000000
--- a/SOURCES/openldap-loglevel2bvarray.patch
+++ /dev/null
@@ -1,27 +0,0 @@
-From 4313b91b0bc2fe6585656cd69a03f9755b5af3c4 Mon Sep 17 00:00:00 2001
-From: Jan Synacek <jsynacek@redhat.com>
-Date: Wed, 29 May 2013 10:21:40 +0200
-Subject: [PATCH] Fix loglevel2bvarray
-
----
- servers/slapd/bconfig.c | 4 ++++
- 1 file changed, 4 insertions(+)
-
-diff --git a/servers/slapd/bconfig.c b/servers/slapd/bconfig.c
-index 4e1f1b5..def6daf 100644
---- a/servers/slapd/bconfig.c
-+++ b/servers/slapd/bconfig.c
-@@ -3622,6 +3622,10 @@ loglevel2bvarray( int l, BerVarray *bva )
- 		loglevel_init();
- 	}
- 
-+	if ( l == 0 ) {
-+		return value_add_one( bva, ber_bvstr( "0" ) );
-+	}
-+
- 	return mask_to_verbs( loglevel_ops, l, bva );
- }
- 
--- 
-1.8.1.4
-
diff --git a/SOURCES/openldap-manpages.patch b/SOURCES/openldap-manpages.patch
index 1678b38..b69a391 100644
--- a/SOURCES/openldap-manpages.patch
+++ b/SOURCES/openldap-manpages.patch
@@ -6,13 +6,12 @@ diff --git a/doc/man/man1/ldapmodify.1 b/doc/man/man1/ldapmodify.1
 index 3def6da..466c772 100644
 --- a/doc/man/man1/ldapmodify.1
 +++ b/doc/man/man1/ldapmodify.1
-@@ -397,9 +397,7 @@ exit status and a diagnostic message being written to standard error.
+@@ -397,8 +397,7 @@ exit status and a diagnostic message being written to standard error.
  .BR ldap_add_ext (3),
  .BR ldap_delete_ext (3),
  .BR ldap_modify_ext (3),
 -.BR ldap_modrdn_ext (3),
--.BR ldif (5),
--.BR slapd.replog (5)
+-.BR ldif (5).
 +.BR ldif (5)
  .SH AUTHOR
  The OpenLDAP Project <http://www.openldap.org/>
@@ -29,44 +28,6 @@ index cfde143..63592cb 100644
  This parameter is ignored with GnuTLS.
  
  When using Mozilla NSS, <path> may contain a Mozilla NSS cert/key
-diff --git a/doc/man/man5/ldif.5 b/doc/man/man5/ldif.5
-index 79615b6..2c06246 100644
---- a/doc/man/man5/ldif.5
-+++ b/doc/man/man5/ldif.5
-@@ -270,8 +270,7 @@ commands.
- .BR ldapmodify (1),
- .BR slapadd (8),
- .BR slapcat (8),
--.BR slapd\-ldif (5),
--.BR slapd.replog (5).
-+.BR slapd\-ldif (5).
- .LP
- "LDAP Data Interchange Format," Good, G., RFC 2849.
- .SH ACKNOWLEDGEMENTS
-diff --git a/doc/man/man5/slapd-config.5 b/doc/man/man5/slapd-config.5
-index 742876a..31643c7 100644
---- a/doc/man/man5/slapd-config.5
-+++ b/doc/man/man5/slapd-config.5
-@@ -2086,7 +2086,6 @@ default slapd configuration directory
- .BR slapd.conf (5),
- .BR slapd.overlays (5),
- .BR slapd.plugin (5),
--.BR slapd.replog (5),
- .BR slapd (8),
- .BR slapacl (8),
- .BR slapadd (8),
-diff --git a/doc/man/man5/slapd.conf.5 b/doc/man/man5/slapd.conf.5
-index 0a3a955..352cc7e 100644
---- a/doc/man/man5/slapd.conf.5
-+++ b/doc/man/man5/slapd.conf.5
-@@ -2016,7 +2016,6 @@ default slapd configuration file
- .BR slapd.backends (5),
- .BR slapd.overlays (5),
- .BR slapd.plugin (5),
--.BR slapd.replog (5),
- .BR slapd (8),
- .BR slapacl (8),
- .BR slapadd (8),
 diff --git a/doc/man/man8/slapd.8 b/doc/man/man8/slapd.8
 index b739f4d..e2a1a00 100644
 --- a/doc/man/man8/slapd.8
diff --git a/SOURCES/openldap-nss-pk11-freeslot.patch b/SOURCES/openldap-nss-pk11-freeslot.patch
index 9ac541d..b128253 100644
--- a/SOURCES/openldap-nss-pk11-freeslot.patch
+++ b/SOURCES/openldap-nss-pk11-freeslot.patch
@@ -1,27 +1,23 @@
-Resolves: #929357
+Resolves: #1040324
 
-From 6330d1b87a45b447f33fe8ffd6fbbce9e60bb0ec Mon Sep 17 00:00:00 2001
-From: Rich Megginson <rmeggins@redhat.com>
+Upstream commit: 6330d1b87a45b447f33fe8ffd6fbbce9e60bb0ec
+Author: Rich Megginson <rmeggins@redhat.com>
 Date: Thu, 28 Mar 2013 19:05:02 -0600
-Subject: [PATCH] must call PK11_FreeSlot after SECMOD_CloseUserDB to remove ref to slot
+Modified by: Jan Synacek <jsynacek@redhat.com>
 
----
- libraries/libldap/tls_m.c |    2 ++
- 1 files changed, 2 insertions(+), 0 deletions(-)
+This patch has been re-diffed so it clearly applies to OpenLDAP 2.4.39.
 
 diff --git a/libraries/libldap/tls_m.c b/libraries/libldap/tls_m.c
 index 072d41d..c59d303 100644
 --- a/libraries/libldap/tls_m.c
 +++ b/libraries/libldap/tls_m.c
-@@ -2063,6 +2063,8 @@ tlsm_ctx_free ( tls_ctx *ctx )
+@@ -2151,6 +2151,8 @@
  				   "TLS: could not close certdb slot - error %d:%s.\n",
  				   errcode, PR_ErrorToString( errcode, PR_LANGUAGE_I_DEFAULT ), 0 );
  		}
 +		PK11_FreeSlot( c->tc_certdb_slot );
 +		c->tc_certdb_slot = NULL;
  	}
- 	PL_strfree( c->tc_pin_file );
- 	c->tc_pin_file = NULL;
--- 
-1.7.1
+ 	if ( c->tc_pin_file ) {
+ 		PL_strfree( c->tc_pin_file );
 
diff --git a/SOURCES/openldap-rwm-reference-counting.patch b/SOURCES/openldap-rwm-reference-counting.patch
new file mode 100644
index 0000000..67f4a66
--- /dev/null
+++ b/SOURCES/openldap-rwm-reference-counting.patch
@@ -0,0 +1,26 @@
+Author: Jan Synáček <jsynacek@redhat.com>
+Resolves: #1061405
+Upstream ITS: #7723
+
+Correctly count references in rwm overlay.
+
+--- a/libraries/librewrite/session.c	2010-04-13 22:23:09.000000000 +0200
++++ b/libraries/librewrite/session.c	2013-11-08 08:47:26.000000000 +0100
+@@ -161,6 +161,7 @@
+ #ifdef USE_REWRITE_LDAP_PVT_THREADS
+ 	if ( session ) {
+ 		ldap_pvt_thread_mutex_lock( &session->ls_mutex );
++		session->ls_count++;
+ 	}
+ 	ldap_pvt_thread_rdwr_runlock( &info->li_cookies_mutex );
+ #endif /* USE_REWRITE_LDAP_PVT_THREADS */
+@@ -178,6 +179,7 @@
+ )
+ {
+ 	assert( session != NULL );
++	session->ls_count--;
+ 	ldap_pvt_thread_mutex_unlock( &session->ls_mutex );
+ }
+ 
+
+
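Review bot: The header of this new patch never names the CVE it addresses. The spec changelog ties #1061405 to CVE-2013-4449, so a header line such as `CVE: CVE-2013-4449` (and the same id in the spec's `# rwm reference counting fix, pending upstream inclusion` comment) would make the fix findable in a later audit. In the embedded diff, `session->ls_count++` is added inside the `#ifdef USE_REWRITE_LDAP_PVT_THREADS` block, while the guard around `session->ls_count--` is not visible in the second hunk. Both functions start outside the hunks shown, so it is worth confirming that the increment and decrement compile under the same condition; otherwise the count could drift in a build without thread support.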
diff --git a/SOURCES/openldap-security-pie.patch b/SOURCES/openldap-security-pie.patch
deleted file mode 100644
index 025c3d4..0000000
--- a/SOURCES/openldap-security-pie.patch
+++ /dev/null
@@ -1,16 +0,0 @@
-Build slapd as position-independent executable (PIE) to take an advantage of
-address space layout randomization (ASLD).
-
-Author: Thomas Woerner <twoerner@redhat.com>
-
---- a/servers/slapd/Makefile.in
-+++ b/servers/slapd/Makefile.in
-@@ -263,7 +263,7 @@ slapi/libslapi.la: FORCE
- 	(cd slapi; $(MAKE) $(MFLAGS) all)
- 
- slapd: $(SLAPD_DEPENDS) @LIBSLAPI@
--	$(LTLINK) -o $@ $(SLAPD_OBJECTS) $(LIBS) \
-+	$(LTLINK) -pie -Wl,-z,defs -o $@ $(SLAPD_OBJECTS) $(LIBS) \
- 		$(WRAP_LIBS)
- 	$(RM) $(SLAPTOOLS)
- 	for i in $(SLAPTOOLS); do \
diff --git a/SPECS/openldap.spec b/SPECS/openldap.spec
index 470c05a..4051012 100644
--- a/SPECS/openldap.spec
+++ b/SPECS/openldap.spec
@@ -4,8 +4,8 @@
 %global check_password_version 1.1
 
 Name: openldap
-Version: 2.4.35
-Release: 7%{?dist}
+Version: 2.4.39
+Release: 3%{?dist}
 Summary: LDAP support libraries
 Group: System Environment/Daemons
 License: OpenLDAP
@@ -26,7 +26,6 @@ Source55: libexec-generate-server-cert.sh
 
 # patches for 2.4
 Patch0: openldap-manpages.patch
-Patch1: openldap-security-pie.patch
 Patch2: openldap-sql-linking.patch
 Patch3: openldap-reentrant-gethostby.patch
 Patch4: openldap-smbk5pwd-overlay.patch
@@ -42,9 +41,6 @@ Patch13: openldap-nss-regex-search-hashed-cacert-dir.patch
 Patch14: openldap-nss-ignore-certdb-type-prefix.patch
 Patch15: openldap-nss-certs-from-certdb-fallback-pem.patch
 Patch16: openldap-nss-pk11-freeslot.patch
-# documentation patches, already included upstream
-Patch17: openldap-doc1.patch
-Patch18: openldap-doc2.patch
 # fix back_perl problems with lt_dlopen()
 # might cause crashes because of symbol collisions
 # the proper fix is to link all perl modules against libperl
@@ -52,12 +48,8 @@ Patch18: openldap-doc2.patch
 Patch19: openldap-switch-to-lt_dlopenadvise-to-get-RTLD_GLOBAL-set.patch
 # ldapi sasl fix pending upstream inclusion
 Patch20: openldap-ldapi-sasl.patch
-# already included upstream
-Patch21: openldap-loglevel2bvarray.patch
-# more documentation fixes, upstreamed
-Patch22: openldap-doc3.patch
-# cldap fixes, upstreamed
-Patch23: openldap-cldap.patch
+# rwm reference counting fix, pending upstream inclusion
+Patch21: openldap-rwm-reference-counting.patch
 
 # Fedora specific patches
 Patch100: openldap-autoconf-pkgconfig-nss.patch
@@ -157,7 +149,6 @@ ln -s %{_includedir}/nspr4 include/nspr
 AUTOMAKE=%{_bindir}/true autoreconf -fi
 
 %patch0 -p1
-%patch1 -p1
 %patch2 -p1
 %patch3 -p1
 %patch4 -p1
@@ -173,13 +164,9 @@ AUTOMAKE=%{_bindir}/true autoreconf -fi
 %patch14 -p1
 %patch15 -p1
 %patch16 -p1
-%patch17 -p1
-%patch18 -p1
 %patch19 -p1
 %patch20 -p1
 %patch21 -p1
-%patch22 -p1
-%patch23 -p1
 
 %patch102 -p1
 
@@ -199,9 +186,15 @@ popd
 
 %build
 
+%ifarch s390 s390x
+  export CFLAGS="-fPIE"
+%else
+  export CFLAGS="-fpie"
+%endif
+export LDFLAGS="-pie"
 # avoid stray dependencies (linker flag --as-needed)
 # enable experimental support for LDAP over UDP (LDAP_CONNECTIONLESS)
-export CFLAGS="%{optflags} -Wl,--as-needed -DLDAP_CONNECTIONLESS"
+export CFLAGS="${CFLAGS} %{optflags} -Wl,--as-needed -DLDAP_CONNECTIONLESS"
 
 pushd openldap-%{version}
 %configure \
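Review bot: `export LDFLAGS="-pie"` sets the linker flags outright instead of extending them, and it drops the `-Wl,-z,defs` that the removed openldap-security-pie.patch passed when linking slapd. If `%configure` on the target distribution only applies its default hardening linker flags (RELRO, for example) when LDFLAGS is unset, those are lost here. Something like `export LDFLAGS="%{?__global_ldflags} -pie"` would keep them, assuming that macro is defined there. The PIE flags now also reach every object in the tree rather than only the slapd link, so checking the built slapd and libraries with a hardening checker is worthwhile. A short comment on why s390/s390x need `-fPIE` rather than `-fpie` would also help.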
@@ -229,6 +222,7 @@ pushd openldap-%{version}
 	--enable-backends=mod \
 	--enable-bdb=yes \
 	--enable-hdb=yes \
+	--enable-mdb=yes \
 	--enable-monitor=yes \
 	--disable-ndb \
 	\
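Review bot: `--enable-mdb=yes` is added right after `--enable-backends=mod` without a comment, and a later hunk drops `%{_libdir}/openldap/back_mdb*` from %files. That suggests back-mdb is now linked into slapd rather than shipped as a loadable module. If so, existing configurations that load the module explicitly may need adjusting on upgrade, yet neither the spec nor the new changelog entries mention it. A comment such as `# mdb is built into slapd, not as a module` next to the option and a matching changelog line would document the change.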
@@ -294,8 +288,8 @@ install -m 0700 -d %{buildroot}%{_sharedstatedir}/ldap
 install -m 0755 -d %{buildroot}%{_localstatedir}/run/openldap
 
 # setup autocreation of runtime directories on tmpfs
-mkdir -p %{buildroot}%{_sysconfdir}/tmpfiles.d
-install -m 0644 %SOURCE3 %{buildroot}%{_sysconfdir}/tmpfiles.d/slapd.conf
+mkdir -p %{buildroot}%{_tmpfilesdir}/
+install -m 0644 %SOURCE3 %{buildroot}%{_tmpfilesdir}/slapd.conf
 
 # install default ldap.conf (customized)
 rm -f %{buildroot}%{_sysconfdir}/openldap/ldap.conf
@@ -542,7 +536,7 @@ exit 0
 %config(noreplace) %dir %attr(0750,ldap,ldap) %{_sysconfdir}/openldap/slapd.d
 %config(noreplace) %{_sysconfdir}/openldap/schema
 %config(noreplace) %{_sysconfdir}/sysconfig/slapd
-%config(noreplace) %{_sysconfdir}/tmpfiles.d/slapd.conf
+%config(noreplace) %{_tmpfilesdir}/slapd.conf
 %config(noreplace) %{_sysconfdir}/openldap/check_password.conf
 %dir %attr(0700,ldap,ldap) %{_sharedstatedir}/ldap
 %dir %attr(-,ldap,ldap) %{_localstatedir}/run/openldap
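Review bot: `%config(noreplace) %{_tmpfilesdir}/slapd.conf` still marks the file as configuration although it now lives in the package-owned tmpfiles directory. Local overrides belong in /etc/tmpfiles.d, so the entry can be listed plainly as `%{_tmpfilesdir}/slapd.conf`. With `noreplace`, a locally edited copy would survive updates, and whatever ownership and mode it defines for the runtime directory would no longer follow the package.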
@@ -552,7 +546,6 @@ exit 0
 %{_libdir}/openldap/auditlog*
 %{_libdir}/openldap/back_dnssrv*
 %{_libdir}/openldap/back_ldap*
-%{_libdir}/openldap/back_mdb*
 %{_libdir}/openldap/back_meta*
 %{_libdir}/openldap/back_null*
 %{_libdir}/openldap/back_passwd*
@@ -609,6 +602,30 @@ exit 0
 %{_mandir}/man3/*
 
 %changelog
+* Wed Feb 26 2014 Jan Synáček <jsynacek@redhat.com> - 2.4.39-3
+- move tmpfiles config to correct location (#1069513)
+
+* Wed Feb  5 2014 Jan Synáček <jsynacek@redhat.com> - 2.4.39-2
+- CVE-2013-4449: segfault on certain queries with rwm overlay (#1061405)
+
+* Thu Jan 30 2014 Jan Synáček <jsynacek@redhat.com> - 2.4.39-1
+- new upstream release (#1040324)
+
+* Fri Jan 24 2014 Daniel Mach <dmach@redhat.com> - 2.4.35-12
+- Mass rebuild 2014-01-24
+
+* Thu Jan 16 2014 Jan Synáček <jsynacek@redhat.com> - 2.4.35-11
+- fix: missing EOL at the end of default /etc/openldap/ldap.conf (#1053005)
+
+* Fri Dec 27 2013 Daniel Mach <dmach@redhat.com> - 2.4.35-10
+- Mass rebuild 2013-12-27
+
+* Tue Dec 17 2013 Jan Synáček <jsynacek@redhat.com> - 2.4.35-9
+- fix: more typos in manpages (#948562)
+
+* Wed Nov 13 2013 Jan Synáček <jsynacek@redhat.com> - 2.4.35-8
+- fix: slaptest incorrectly handles 'include' directives containing a custom file (#1023415)
+
 * Mon Oct 14 2013 Jan Synáček <jsynacek@redhat.com> - 2.4.35-7
 - fix: CLDAP is broken for IPv6 (#1007421)