diff --git a/SOURCES/0110-LDAP-failover-does-not-work-on-non-responsive-ldaps.patch b/SOURCES/0110-LDAP-failover-does-not-work-on-non-responsive-ldaps.patch
new file mode 100644
index 0000000..396cfcd
--- /dev/null
+++ b/SOURCES/0110-LDAP-failover-does-not-work-on-non-responsive-ldaps.patch
@@ -0,0 +1,81 @@
+From 442cd658329251d8390dd5bd790d86c78ead88ab Mon Sep 17 00:00:00 2001
+From: Tomas Halman <thalman@redhat.com>
+Date: Mon, 24 Jun 2019 15:58:09 +0200
+Subject: [PATCH] LDAP: failover does not work on non-responsive ldaps
+
+In case ldaps:// is used, then establishing the secure socket is
+a sychronous operation. If there's nothing on the other end, then
+the process would be stuck waiting in for the crypto library
+to finish.
+
+Here we set socket read/write timeout so the operation can finish
+in reasonable time with an error. The ldap_network_timeout
+option is used for this timeout.
+
+Resolves:
+https://pagure.io/SSSD/sssd/issue/2878
+
+Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
+Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
+(cherry picked from commit 2d657dffb419640860e46ed417137b0e2cc7d9af)
+---
+ src/util/sss_sockets.c | 26 ++++++++++++++++++++++++--
+ 1 file changed, 24 insertions(+), 2 deletions(-)
+
+diff --git a/src/util/sss_sockets.c b/src/util/sss_sockets.c
+index 5e9be9ebd..0e4d8df8a 100644
+--- a/src/util/sss_sockets.c
++++ b/src/util/sss_sockets.c
+@@ -74,10 +74,11 @@ static errno_t set_fcntl_flags(int fd, int fd_flags, int fl_flags)
+ return EOK;
+ }
+
+-static errno_t set_fd_common_opts(int fd)
++static errno_t set_fd_common_opts(int fd, int timeout)
+ {
+ int dummy = 1;
+ int ret;
++ struct timeval tv;
+
+ /* SO_KEEPALIVE and TCP_NODELAY are set by OpenLDAP client libraries but
+ * failures are ignored.*/
+@@ -97,6 +98,27 @@ static errno_t set_fd_common_opts(int fd)
+ strerror(ret));
+ }
+
++ if (timeout > 0) {
++ /* Set socket read & write timeout */
++ tv = tevent_timeval_set(timeout, 0);
++
++ ret = setsockopt(fd, SOL_SOCKET, SO_RCVTIMEO, &tv, sizeof(tv));
++ if (ret != 0) {
++ ret = errno;
++ DEBUG(SSSDBG_FUNC_DATA,
++ "setsockopt SO_RCVTIMEO failed.[%d][%s].\n", ret,
++ strerror(ret));
++ }
++
++ ret = setsockopt(fd, SOL_SOCKET, SO_SNDTIMEO, &tv, sizeof(tv));
++ if (ret != 0) {
++ ret = errno;
++ DEBUG(SSSDBG_FUNC_DATA,
++ "setsockopt SO_SNDTIMEO failed.[%d][%s].\n", ret,
++ strerror(ret));
++ }
++ }
++
+ return EOK;
+ }
+
+@@ -264,7 +286,7 @@ struct tevent_req *sssd_async_socket_init_send(TALLOC_CTX *mem_ctx,
+ goto fail;
+ }
+
+- ret = set_fd_common_opts(state->sd);
++ ret = set_fd_common_opts(state->sd, timeout);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "set_fd_common_opts failed.\n");
+ goto fail;
+--
+2.20.1
+
diff --git a/SOURCES/0111-Add-TCP-level-timeout-to-LDAP-services.patch b/SOURCES/0111-Add-TCP-level-timeout-to-LDAP-services.patch
new file mode 100644
index 0000000..8c28ccb
--- /dev/null
+++ b/SOURCES/0111-Add-TCP-level-timeout-to-LDAP-services.patch
@@ -0,0 +1,51 @@
+From bad7c631b7aab50d179755ee546357e4f4faca9d Mon Sep 17 00:00:00 2001
+From: Simo Sorce <simo@redhat.com>
+Date: Tue, 10 Sep 2019 14:33:37 +0000
+Subject: [PATCH] Add TCP level timeout to LDAP services
+
+In some cases the TCP connection may hang with data sent because
+of network conditions, this may cause the socket to stall for much
+longer than the timeout intended.
+Set a TCP option to forcibly timeout a socket that sees its data not
+ACKed within the ldap_network_timeout seconds.
+
+Signed-off-by: Simo Sorce <simo@redhat.com>
+
+Reviewed-by: Sumit Bose <sbose@redhat.com>
+(cherry picked from commit 7aa96458f3bec4ef6ff7385107458e6b2b0b06ac)
+---
+ src/util/sss_sockets.c | 11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+diff --git a/src/util/sss_sockets.c b/src/util/sss_sockets.c
+index 0e4d8df8a..b6b6dbac5 100644
+--- a/src/util/sss_sockets.c
++++ b/src/util/sss_sockets.c
+@@ -79,6 +79,7 @@ static errno_t set_fd_common_opts(int fd, int timeout)
+ int dummy = 1;
+ int ret;
+ struct timeval tv;
++ unsigned int milli;
+
+ /* SO_KEEPALIVE and TCP_NODELAY are set by OpenLDAP client libraries but
+ * failures are ignored.*/
+@@ -117,6 +118,16 @@ static errno_t set_fd_common_opts(int fd, int timeout)
+ "setsockopt SO_SNDTIMEO failed.[%d][%s].\n", ret,
+ strerror(ret));
+ }
++
++ milli = timeout * 1000; /* timeout in milliseconds */
++ ret = setsockopt(fd, IPPROTO_TCP, TCP_USER_TIMEOUT, milli,
++ sizeof(milli));
++ if (ret != 0) {
++ ret = errno;
++ DEBUG(SSSDBG_FUNC_DATA,
++ "setsockopt TCP_USER_TIMEOUT failed.[%d][%s].\n", ret,
++ strerror(ret));
++ }
+ }
+
+ return EOK;
+--
+2.20.1
+
diff --git a/SOURCES/0112-sss_sockets-pass-pointer-instead-of-integer.patch b/SOURCES/0112-sss_sockets-pass-pointer-instead-of-integer.patch
new file mode 100644
index 0000000..cc45b47
--- /dev/null
+++ b/SOURCES/0112-sss_sockets-pass-pointer-instead-of-integer.patch
@@ -0,0 +1,47 @@
+From 191f3722f28107ccde4ce96dd88a401fb36b059a Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
+Date: Mon, 10 Feb 2020 11:52:35 +0100
+Subject: [PATCH] sss_sockets: pass pointer instead of integer
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+```
+/home/pbrezina/workspace/sssd/src/util/sss_sockets.c: In function ‘set_fd_common_opts’:
+/home/pbrezina/workspace/sssd/src/util/sss_sockets.c:123:61: error: passing argument 4 of ‘setsockopt’ makes pointer from integer without a cast [-Werror=int-conversion]
+ 123 | ret = setsockopt(fd, IPPROTO_TCP, TCP_USER_TIMEOUT, milli,
+ | ^~~~~
+ | |
+ | unsigned int
+In file included from /home/pbrezina/workspace/sssd/src/util/sss_sockets.c:28:
+/usr/include/sys/socket.h:216:22: note: expected ‘const void *’ but argument is of type ‘unsigned int’
+ 216 | const void *__optval, socklen_t __optlen) __THROW;
+ | ~~~~~~~~~~~~^~~~~~~~
+ CC src/util/sssd_kcm-sss_iobuf.o
+cc1: all warnings being treated as errors
+```
+
+Introduced by 7aa96458f3bec4ef6ff7385107458e6b2b0b06ac
+
+Reviewed-by: Sumit Bose <sbose@redhat.com>
+(cherry picked from commit 5b87af6f5b50c464ee7ea4558f73431e398e1423)
+---
+ src/util/sss_sockets.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/util/sss_sockets.c b/src/util/sss_sockets.c
+index b6b6dbac5..6f2b71bc8 100644
+--- a/src/util/sss_sockets.c
++++ b/src/util/sss_sockets.c
+@@ -120,7 +120,7 @@ static errno_t set_fd_common_opts(int fd, int timeout)
+ }
+
+ milli = timeout * 1000; /* timeout in milliseconds */
+- ret = setsockopt(fd, IPPROTO_TCP, TCP_USER_TIMEOUT, milli,
++ ret = setsockopt(fd, IPPROTO_TCP, TCP_USER_TIMEOUT, &milli,
+ sizeof(milli));
+ if (ret != 0) {
+ ret = errno;
+--
+2.20.1
+
diff --git a/SPECS/sssd.spec b/SPECS/sssd.spec
index 758ef2a..63d1c9c 100644
--- a/SPECS/sssd.spec
+++ b/SPECS/sssd.spec
@@ -48,7 +48,7 @@
Name: sssd
Version: 1.16.4
-Release: 37%{?dist}
+Release: 37%{?dist}.1
Group: Applications/System
Summary: System Security Services Daemon
License: GPLv3+
@@ -166,6 +166,9 @@ Patch0106: 0106-ad-allow-booleans-for-ad_inherit_opts_if_needed.patch
Patch0107: 0107-ad-add-ad_use_ldaps.patch
Patch0108: 0108-ldap-add-new-option-ldap_sasl_maxssf.patch
Patch0109: 0109-ad-set-min-and-max-ssf-for-ldaps.patch
+Patch0110: 0110-LDAP-failover-does-not-work-on-non-responsive-ldaps.patch
+Patch0111: 0111-Add-TCP-level-timeout-to-LDAP-services.patch
+Patch0112: 0112-sss_sockets-pass-pointer-instead-of-integer.patch
#This patch should not be removed in RHEL-7
Patch999: 0999-NOUPSTREAM-Default-to-root-if-sssd-user-is-not-spec
@@ -915,7 +918,7 @@ done
%dir %{_sysconfdir}/rwtab.d
%config(noreplace) %{_sysconfdir}/rwtab.d/sssd
%dir %{_datadir}/sssd
-%{_sysconfdir}/pam.d/sssd-shadowutils
+%config(noreplace) %{_sysconfdir}/pam.d/sssd-shadowutils
%{_libdir}/%{name}/conf/sssd.conf
%{_datadir}/sssd/cfg_rules.ini
@@ -1325,6 +1328,12 @@ systemctl try-restart sssd >/dev/null 2>&1 || :
}
%changelog
+* Wed Mar 18 2020 Michal Židek <mzidek@redhat.com> - 1.16.4-37.1
+- Resolves: rhbz#1801208 - id command taking 1+ minute for returning user
+ information [rhel-7.8.z]
+ - Also updates spec file to not replace
+ /pam.d/sssd-shadowutils on update
+
* Tue Jan 15 2020 Michal Židek <mzidek@redhat.com> - 1.16.4-37
- Resolves: rhbz#1784620 - Force LDAPS over 636 with AD Access Provider
- just bumping the version to fix generated dates in man pages