diff --git a/SOURCES/0117-LDAP-Fix-leak-of-file-descriptors.patch b/SOURCES/0117-LDAP-Fix-leak-of-file-descriptors.patch
new file mode 100644
index 0000000..0db92d2
--- /dev/null
+++ b/SOURCES/0117-LDAP-Fix-leak-of-file-descriptors.patch
@@ -0,0 +1,113 @@
+From bb3365aee62f616c9d0c8cc8d737ef69d46544d3 Mon Sep 17 00:00:00 2001
+From: Lukas Slebodnik <lslebodn@redhat.com>
+Date: Thu, 22 Oct 2015 10:30:12 +0200
+Subject: [PATCH 117/117] LDAP: Fix leak of file descriptors
+
+The state "struct sss_ldap_init_state" contains socket
+created in function sss_ldap_init_send. We register callback
+sdap_async_sys_connect_timeout for handling issue with connection
+
+The tevent request "sss_ldap_init_send" is usually (nested) subrequest
+of "struct resolve_service_state" related request created in fucntion
+fo_resolve_service_send. Function fo_resolve_service_send also register
+timeout callback fo_resolve_service_timeout to state "struct
+resolve_service_state".
+
+It might happen that fo_resolve_service_timeout will be called before
+sss_ldap_init_send timeout and we could not handle tiemout error
+for state "struct sss_ldap_init_state" and therefore created socket
+was not closed.
+
+We tried to release resources in function sdap_handle_release.
+But the structure "struct sdap_handle" had not been initialized yet
+with LDAP handle and therefore associated file descriptor could not be closed.
+
+[fo_resolve_service_timeout] (0x0080): Service resolving timeout reached
+[fo_resolve_service_recv] (0x0020): TEVENT_REQ_RETURN_ON_ERROR ret[110]
+[sdap_handle_release] (0x2000): Trace: sh[0x7f6713410270], connected[0], ops[(nil)], ldap[(nil)], destructor_lock[0], release_memory
+[be_resolve_server_done] (0x1000): Server resolution failed: 14
+[be_resolve_server_recv] (0x0020): TEVENT_REQ_RETURN_ON_ERROR ret[14]
+[check_online_callback] (0x0100): Backend returned: (1, 0, <NULL>) [Provider is Offline (Success)]
+
+Resolves:
+https://fedorahosted.org/sssd/ticket/2792
+
+Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
+(cherry picked from commit a10f67d4c64f3b1243de5d86a996475361adf0ac)
+(cherry picked from commit db2fdba6f3cecd0612439988e61be60d5d8576bf)
+(cherry picked from commit 2136f71c94660bcdde83f80feb83734389d57674)
+---
+ src/util/sss_ldap.c | 29 +++++++++++++++++++++--------
+ 1 file changed, 21 insertions(+), 8 deletions(-)
+
+diff --git a/src/util/sss_ldap.c b/src/util/sss_ldap.c
+index dd63b4b4f22f0aa1b540bc04ede211ac9cb88ebe..f42f9404bb9b79cdeb6a01c0a6e5025bb0370a6c 100644
+--- a/src/util/sss_ldap.c
++++ b/src/util/sss_ldap.c
+@@ -304,6 +304,22 @@ struct sss_ldap_init_state {
+ #endif
+ };
+ 
++static int sss_ldap_init_state_destructor(void *data)
++{
++    struct sss_ldap_init_state *state = (struct sss_ldap_init_state *)data;
++
++    if (state->ldap) {
++        DEBUG(SSSDBG_TRACE_FUNC,
++              "calling ldap_unbind_ext for ldap:[%p] sd:[%d]\n",
++              state->ldap, state->sd);
++        ldap_unbind_ext(state->ldap, NULL, NULL);
++    } else if (state->sd != -1) {
++        DEBUG(SSSDBG_TRACE_FUNC, "closing socket [%d]\n", state->sd);
++        close(state->sd);
++    }
++
++    return 0;
++}
+ 
+ struct tevent_req *sss_ldap_init_send(TALLOC_CTX *mem_ctx,
+                                       struct tevent_context *ev,
+@@ -321,6 +337,8 @@ struct tevent_req *sss_ldap_init_send(TALLOC_CTX *mem_ctx,
+         return NULL;
+     }
+ 
++    talloc_set_destructor((TALLOC_CTX *)state, sss_ldap_init_state_destructor);
++
+     state->ldap = NULL;
+     state->uri = uri;
+ 
+@@ -370,9 +388,6 @@ struct tevent_req *sss_ldap_init_send(TALLOC_CTX *mem_ctx,
+     return req;
+ 
+ fail:
+-    if(state->sd >= 0) {
+-        close(state->sd);
+-    }
+     tevent_req_error(req, ret);
+ #else
+     DEBUG(SSSDBG_MINOR_FAILURE, "ldap_init_fd not available, "
+@@ -455,11 +470,6 @@ static void sss_ldap_init_sys_connect_done(struct tevent_req *subreq)
+     return;
+ 
+ fail:
+-    if (state->ldap) {
+-        ldap_unbind_ext(state->ldap, NULL, NULL);
+-    } else {
+-        close(state->sd);
+-    }
+     tevent_req_error(req, ret);
+ }
+ #endif
+@@ -470,6 +480,9 @@ int sss_ldap_init_recv(struct tevent_req *req, LDAP **ldap, int *sd)
+                                                     struct sss_ldap_init_state);
+     TEVENT_REQ_RETURN_ON_ERROR(req);
+ 
++    /* Everything went well therefore we do not want to release resources */
++    talloc_set_destructor(state, NULL);
++
+     *ldap = state->ldap;
+     *sd = state->sd;
+ 
+-- 
+2.4.11
+
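Review bot: The destructor is registered in sss_ldap_init_send before `state->sd` has been given a value; the context after the new `talloc_set_destructor` line shows only `state->ldap = NULL;` and `state->uri = uri;`. If the state is zero-filled on creation (not visible here), any path that frees the request before `socket()` stores the descriptor makes the `else if (state->sd != -1)` arm close descriptor 0, which the request never owned. That may include the `#else` branch where ldap_init_fd is unavailable. Adding `state->sd = -1;` next to `state->ldap = NULL;` makes the sentinel the destructor tests for explicit. Both sss_ldap_init_send and sss_ldap_init_recv continue outside the nested hunks, so the assignment may already exist on lines not shown.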
diff --git a/SOURCES/0118-libwbclient-wbcSidsToUnixIds-don-t-fail-on-errors.patch b/SOURCES/0118-libwbclient-wbcSidsToUnixIds-don-t-fail-on-errors.patch
new file mode 100644
index 0000000..9bda53e
--- /dev/null
+++ b/SOURCES/0118-libwbclient-wbcSidsToUnixIds-don-t-fail-on-errors.patch
@@ -0,0 +1,44 @@
+From 02a5b8945863755e8708b6a11954c1f398680e01 Mon Sep 17 00:00:00 2001
+From: Sumit Bose <sbose@redhat.com>
+Date: Thu, 2 Jun 2016 21:01:11 +0200
+Subject: [PATCH 118/118] libwbclient: wbcSidsToUnixIds() don't fail on errors
+
+Resolves: https://fedorahosted.org/sssd/ticket/3028
+
+Reviewed-by: Alexander Bokovoy <abokovoy@redhat.com>
+(cherry picked from commit 52f1093ef3d7c44132ec10c57436865b2cbb19d7)
+(cherry picked from commit 15ad5f603a5797c61a01f67365c2581c7bddcdfa)
+---
+ src/sss_client/libwbclient/wbc_idmap_sssd.c | 15 +++++++--------
+ 1 file changed, 7 insertions(+), 8 deletions(-)
+
+diff --git a/src/sss_client/libwbclient/wbc_idmap_sssd.c b/src/sss_client/libwbclient/wbc_idmap_sssd.c
+index 1b0e2e10a5ce1a0c7577d391b740ff988f920903..6b5f525f0433c948e4d570d177dc6cffd82eff40 100644
+--- a/src/sss_client/libwbclient/wbc_idmap_sssd.c
++++ b/src/sss_client/libwbclient/wbc_idmap_sssd.c
+@@ -172,15 +172,14 @@ wbcErr wbcSidsToUnixIds(const struct wbcDomainSid *sids, uint32_t num_sids,
+     wbcErr wbc_status;
+ 
+     for (c = 0; c < num_sids; c++) {
++        type = SSS_ID_TYPE_NOT_SPECIFIED;
+         wbc_status = wbcSidToString(&sids[c], &sid_str);
+-        if (!WBC_ERROR_IS_OK(wbc_status)) {
+-            return wbc_status;
+-        }
+-
+-        ret = sss_nss_getidbysid(sid_str, &id, &type);
+-        wbcFreeMemory(sid_str);
+-        if (ret != 0) {
+-            return WBC_ERR_UNKNOWN_FAILURE;
++        if (WBC_ERROR_IS_OK(wbc_status)) {
++            ret = sss_nss_getidbysid(sid_str, &id, &type);
++            wbcFreeMemory(sid_str);
++            if (ret != 0) {
++                type = SSS_ID_TYPE_NOT_SPECIFIED;
++            }
+         }
+ 
+         switch (type) {
+-- 
+2.4.11
+
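Review bot: With both early returns removed from the loop in wbcSidsToUnixIds, a failed wbcSidToString() or sss_nss_getidbysid() is reported the same way as a SID that has no mapping, and nothing records that the lookup failed. A caller that derives ownership or access decisions from the result presumably cannot tell a transient responder failure from a real negative answer, so the new contract deserves a comment above the loop, for example `/* A failed conversion or lookup leaves the entry as SSS_ID_TYPE_NOT_SPECIFIED; the call itself still succeeds. */`. On the failure path `id` also keeps whatever the previous iteration stored, so the `switch (type)` that continues below the hunk should not read it for that case. The switch body is not visible here.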
diff --git a/SOURCES/0119-IPA-ldap_group_external_member-defaults-to-ipaExtern.patch b/SOURCES/0119-IPA-ldap_group_external_member-defaults-to-ipaExtern.patch
new file mode 100644
index 0000000..beab91b
--- /dev/null
+++ b/SOURCES/0119-IPA-ldap_group_external_member-defaults-to-ipaExtern.patch
@@ -0,0 +1,26 @@
+From fe540303e8fa2000160d087da4f19df317fb7de6 Mon Sep 17 00:00:00 2001
+From: Jakub Hrozek <jhrozek@redhat.com>
+Date: Thu, 14 Jul 2016 12:21:25 +0200
+Subject: [PATCH 119/119] IPA: ldap_group_external_member defaults to
+ ipaExternalMember
+
+---
+ src/providers/ipa/ipa_opts.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/providers/ipa/ipa_opts.h b/src/providers/ipa/ipa_opts.h
+index 81ccc42fc0c9f21c8ef16e2d1735bc06199ba747..c1bfc9fde38a9c0fbd0a464b340e644cc4835455 100644
+--- a/src/providers/ipa/ipa_opts.h
++++ b/src/providers/ipa/ipa_opts.h
+@@ -221,7 +221,7 @@ struct sdap_attr_map ipa_group_map[] = {
+     { "ldap_group_modify_timestamp", "modifyTimestamp", SYSDB_ORIG_MODSTAMP, NULL },
+     { "ldap_group_entry_usn", NULL, SYSDB_USN, NULL },
+     { "ldap_group_type", NULL, SYSDB_GROUP_TYPE, NULL },
+-    { "ldap_group_external_member", NULL, SYSDB_EXTERNAL_MEMBER, NULL },
++    { "ldap_group_external_member", "ipaExternalMember", SYSDB_EXTERNAL_MEMBER, NULL },
+     SDAP_ATTR_MAP_TERMINATOR
+ };
+ 
+-- 
+2.4.11
+
diff --git a/SPECS/sssd.spec b/SPECS/sssd.spec
index de6504f..84381b9 100644
--- a/SPECS/sssd.spec
+++ b/SPECS/sssd.spec
@@ -25,7 +25,7 @@
 
 Name: sssd
 Version: 1.13.0
-Release: 40%{?dist}.9
+Release: 40%{?dist}.12
 Group: Applications/System
 Summary: System Security Services Daemon
 License: GPLv3+
@@ -152,6 +152,9 @@ Patch0113:  0113-LDAP-Try-also-the-AD-access-control-for-IPA-users.patch
 Patch0114:  0114-NSS-Fix-memory-leak-netgroup.patch
 Patch0115:  0115-ipa_s2n_save_objects-use-configured-user-and-group-t.patch
 Patch0116:  0116-IPA-use-forest-name-when-looking-up-the-Global-Catal.patch
+Patch0117:  0117-LDAP-Fix-leak-of-file-descriptors.patch
+Patch0118:  0118-libwbclient-wbcSidsToUnixIds-don-t-fail-on-errors.patch
+Patch0119:  0119-IPA-ldap_group_external_member-defaults-to-ipaExtern.patch
 
 #This patch should not be removed in RHEL-7
 Patch999: 0999-NOUPSTREAM-Default-to-root-if-sssd-user-is-not-spec
@@ -1084,6 +1087,17 @@ fi
 /usr/bin/rm -f /var/tmp/sssd.upgrade || :
 
 %changelog
+* Thu Jul 14 2016 Jakub Hrozek <jhrozek@redhat.com> - 1.13.0-40.12
+- Resolves: rhbz#1356433 - ldap_group_external_member is no set for the
+                           IPA provider
+
+* Fri Jul  8 2016 Jakub Hrozek <jhrozek@redhat.com> - 1.13.0-40.11
+- Resolves: rhbz#1353605 - sssd-libwbclient: wbcSidsToUnixIds should not
+                           fail on lookup errors
+
+* Tue Jun 21 2016 Jakub Hrozek <jhrozek@redhat.com> - 1.13.0-40.10
+- Resolves: rhbz#1347723 - sssd is not closing sockets properly
+
 * Tue May 24 2016 Jakub Hrozek <jhrozek@redhat.com> - 1.13.0-40.9
 - Resolves: rhbz#1339509 - sssd tries to resolve global catalog servers
                            from AD forest sub-domains in AD-IPA trust setup