diff --git a/SOURCES/slapi-nis-don-t-search-in-SSSD-when-memberUid-has-no.patch b/SOURCES/slapi-nis-don-t-search-in-SSSD-when-memberUid-has-no.patch
new file mode 100644
index 0000000..fc13902
--- /dev/null
+++ b/SOURCES/slapi-nis-don-t-search-in-SSSD-when-memberUid-has-no.patch
@@ -0,0 +1,42 @@
+From 7ab0e8ec086d3822f267069bf9a947ac65647870 Mon Sep 17 00:00:00 2001
+From: Alexander Bokovoy
+Date: Thu, 16 Jul 2015 17:07:31 +0300
+Subject: [PATCH] slapi-nis: don't search in SSSD when memberUid has no '@'
+ separator
+
+In the case there are no groups in cn=groups map that have certain
+memberUid as a member, we look at possibility that this user might
+be coming from a trusted AD forest. However, all users from trusted
+AD forests do have '@' separator in the name between the user name
+and the domain.
+
+In case there is no '@' separator, consider such search as not valid
+for lookups in SSSD.
+
+Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1243823
+---
+ src/back-sch-nss.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/src/back-sch-nss.c b/src/back-sch-nss.c
+index f8177d7..16d4164 100644
+--- a/src/back-sch-nss.c
++++ b/src/back-sch-nss.c
+@@ -140,9 +140,12 @@ backend_search_filter_has_cn_uid(Slapi_Filter *filter, void *arg)
+ }
+ slapi_ch_free_string(&memberUid);
+ }
++ config->name_set = TRUE;
++ config->search_members = TRUE;
++ } else {
++ /* there is no '@' in the memberUid name, it is not a trusted AD forest's user */
++ config->wrong_search = TRUE;
+ }
+- config->name_set = TRUE;
+- config->search_members = TRUE;
+ } else if ((0 == strcasecmp(filter_type, "objectClass")) &&
+ (0 == bvstrcasecmp(bval, "posixGroup"))) {
+ config->search_group = TRUE;
+--
+2.4.3
+
diff --git a/SPECS/slapi-nis.spec b/SPECS/slapi-nis.spec
index 8d96f16..0260601 100644
--- a/SPECS/slapi-nis.spec
+++ b/SPECS/slapi-nis.spec
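Review bot: The new `else` branch that sets `config->wrong_search = TRUE;` does not reset `config->name_set` or `config->search_members`, so if an earlier element of the same compound filter already set those flags (this callback is presumably applied per filter element, given its `Slapi_Filter *filter, void *arg` signature), all three can be true at once, and whether the caller honours `wrong_search` before acting on `search_members` is not visible in this hunk — either clear the two flags in the `else` branch or document that `wrong_search` takes precedence. A plain presence test for `'@'` is also a weak gate against forwarding client-controlled filter values to SSSD: inputs such as `@`, `user@` or `@domain` still pass, so consider requiring a non-empty user part before the separator and a non-empty domain part after it. The `if` this `else` belongs to, the allocation of `memberUid`, and the start and end of `backend_search_filter_has_cn_uid` are all outside the hunk; since `slapi_ch_free_string(&memberUid)` appears only on the `'@'` path, confirm `memberUid` is not leaked when the new branch is taken. The added comment should state the consequence rather than only the classification, e.g. `/* no '@' separator: not a trusted AD forest user, so do not forward this lookup to SSSD (bz#1243823) */`.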
@@ -11,7 +11,7 @@ Name: slapi-nis Version: 0.54 -Release: 3%{?dist} +Release: 5%{?dist} Summary: NIS Server and Schema Compatibility plugins for Directory Server Group: System Environment/Daemons License: GPLv2 @@ -24,6 +24,7 @@ Patch2: slapi-nis-schema-compat-support-ID-overrides-in-bind-callback.patch Patch3: slapi-nis-use-libnss_sss.so.2-explicitly.patch Patch4: slapi-nis-nss-make-sure-to-remember-the-length-of-reallocated.patch Patch5: slapi-nis-nss-Make-sure-default-buffer-for-nsswitch-operations-is-.patch +Patch6: slapi-nis-don-t-search-in-SSSD-when-memberUid-has-no.patch BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) BuildRequires: 389-ds-base-devel, %{ldap_impl}-devel BuildRequires: nspr-devel, nss-devel, /usr/bin/rpcgen @@ -67,6 +68,7 @@ for attributes from multiple entries in the tree. %patch3 -p1 %patch4 -p1 %patch5 -p1 +%patch6 -p1 %build %configure --disable-static --with-tcp-wrappers --with-ldap=%{ldap_impl} \ --with-nsswitch --with-pam --with-pam-service=system-auth \ @@ -96,6 +98,14 @@ rm -rf $RPM_BUILD_ROOT %{_sbindir}/nisserver-plugin-defs %changelog +* Tue Jul 28 2015 Alexander Bokovoy - 0.54-5 +- Don't lookup groups in SSSD for memberUid without @domain +- Resolves: #1243823 + +* Wed Jul 15 2015 Alexander Bokovoy - 0.54-4 +- Fix CVE-2015-0283 for RHEL 7.2 +- Resolves: #1202996 + * Wed Mar 18 2015 Alexander Bokovoy - 0.54-3 - Fix CVE-2015-0283 - Resolves: #1202995