diff --git a/openldap.spec b/openldap.spec
index 76a2dbd..b2a03c6 100644
--- a/openldap.spec
+++ b/openldap.spec
@@ -391,91 +391,24 @@ rm -rf %{buildroot} %pre servers # create ldap user and group -getent group ldap >/dev/null || groupadd -r -g 55 ldap -if ! getent passwd ldap >/dev/null; then - useradd -r -g ldap -u 55 -d %{_sharedstatedir}/ldap -s /sbin/nologin -c "LDAP User" ldap - # setup ownership of database files - if [ -d /var/lib/ldap ] ; then - for dbfile in /var/lib/ldap/* ; do - if [ -f $dbfile ] ; then - chown ldap:ldap $dbfile - fi - done - fi -fi +getent group ldap &>/dev/null || groupadd -r -g 55 ldap +getent passwd ldap &>/dev/null || \ + useradd -r -g ldap -u 55 -d %{_sharedstatedir}/ldap -s /sbin/nologin -c "OpenLDAP server" ldap -# upgrade if [ $1 -eq 2 ]; then - # safe way to migrate the database if version number changed - # http://www.openldap.org/doc/admin24/maintenance.html + # package upgrade old_version=$(rpm -q --qf=%%{version} openldap-servers) new_version=%{version} if [ "$old_version" != "$new_version" ]; then - pushd %{_sharedstatedir}/ldap &>/dev/null - - # stop the service - if /sbin/service slapd status &>/dev/null; then - touch need_start - /sbin/service slapd stop - else - rm -f need_start - fi - - if ls *.bdb &>/dev/null; then - # symlink to last backup - rm -f upgrade.ldif - - # backup location - backupdir=backup.$(date +%%s) - backupfile=${backupdir}/backup.ldif - backupcmd="cp -a" - - mkdir -p ${backupdir} - - # database recovery tool - # (this is necessary to handle upgrade from old openldap, which had embedded db4) - if [ -f /usr/sbin/slapd_db_recover ]; then - db_recover=/usr/sbin/slapd_db_recover - else - db_recover=/usr/bin/db_recover - fi - - # make sure the database is consistent - runuser -m -s $db_recover -- "ldap" -h %{_sharedstatedir}/ldap &>/dev/null - - # export the database if possible - if [ $? 
-eq 0 ]; then - if [ -f %{_sysconfdir}/openldap/slapd.conf ]; then - slapcat -f %{_sysconfdir}/openldap/slapd.conf -l $backupfile &>/dev/null - else - slapcat -F %{_sysconfdir}/openldap/slapd.d -l $backupfile &>/dev/null - fi - - if [ $? -eq 0 ]; then - chmod 0400 $backupfile - ln -sf $backupfile upgrade.ldif - backupcmd=mv - fi - fi - - # move or copy to backup directory - find -maxdepth 1 -type f \( -name alock -o -name "*.bdb" -o -name "__db.*" -o -name "log.*" \) \ - | xargs -I '{}' $backupcmd '{}' $backupdir - cp -af DB_CONFIG $backupdir &>/dev/null - - # fix permissions - chown -R ldap: $backupdir - chmod -R a-w $backupdir - fi - - popd &>/dev/null + touch %{_sharedstatedir}/ldap/rpm_upgrade_openldap &>/dev/null fi fi exit 0 + %post servers /sbin/ldconfig 
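Review bot: The upgrade marker `%{_sharedstatedir}/ldap/rpm_upgrade_openldap` is created by a root scriptlet inside the slapd data directory, which the removed `chown ldap:ldap` lines suggest is owned by the `ldap` account, so root ends up acting on a path the service account can create or replace. The `rpm_upgrade_libdb` marker in the libdb trigger hunk has the same property. Keeping the marker in a root-owned location avoids this, for example `touch %{_localstatedir}/lib/rpm-state/openldap-upgrade` (the file name is only a suggestion, and the directory must exist). Separately, the removed block exported the database with `slapcat` and set the backup to mode 0400 before migrating. That step is presumably now inside `upgrade-db.sh`, which this hunk does not show, so confirm the script still takes a backup and keeps it unreadable to other users.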
@@ -503,43 +436,37 @@ chmod 640 slapd.pem popd fi -# generate configuration in slapd.d -if ! ls -d %{_sysconfdir}/openldap/slapd.d/* &>/dev/null; then - - # fresh installation - [ ! -f %{_sysconfdir}/openldap/slapd.conf ] - fresh_install=$? - - [ $fresh_install -eq 0 ] && \ - cp %{_datadir}/openldap-servers/slapd.conf.obsolete %{_sysconfdir}/openldap/slapd.conf - - # convert from old style config slapd.conf - mv %{_sysconfdir}/openldap/slapd.conf %{_sysconfdir}/openldap/slapd.conf.bak - mkdir -p %{_sysconfdir}/openldap/slapd.d/ - slaptest -f %{_sysconfdir}/openldap/slapd.conf.bak -F %{_sysconfdir}/openldap/slapd.d &>/dev/null - chown -R ldap:ldap %{_sysconfdir}/openldap/slapd.d - chmod -R 000 %{_sysconfdir}/openldap/slapd.d - chmod -R u+rwX %{_sysconfdir}/openldap/slapd.d - rm -f %{_sysconfdir}/openldap/slapd.conf - rm -f %{_sharedstatedir}/ldap/__db* %{_sharedstatedir}/ldap/alock - - [ $fresh_install -eq 0 ] && rm -f %{_sysconfdir}/openldap/slapd.conf.bak +# generate/upgrade configuration +if [ ! 
-f %{_sysconfdir}/openldap/slapd.d/cn=config.ldif ]; then + if [ -f %{_sysconfdir}/openldap/slapd.conf ]; then + %{_libexecdir}/slapd/convert-config.sh &>/dev/null + mv %{_sysconfdir}/openldap/slapd.conf %{_sysconfdir}/openldap/slapd.conf.bak + else + %{_libexecdir}/slapd/convert-config.sh -f %{_datadir}/openldap-servers/slapd.conf.obsolete &>/dev/null + fi fi -# finish database migration (see %pre) -if [ -f %{_sharedstatedir}/ldap/upgrade.ldif ]; then - runuser -m -s /usr/sbin/slapadd -- ldap -q -l %{_sharedstatedir}/ldap/upgrade.ldif &>/dev/null - rm -f %{_sharedstatedir}/ldap/upgrade.ldif +# upgrade the database +if [ -f %{_sharedstatedir}/ldap/rpm_upgrade_openldap ]; then + if /bin/systemctl --quiet is-active slapd.service; then + /bin/systemctl stop slapd.service + start=1 + else + start=0 + fi + + %{_libexecdir}/slapd/upgrade-db.sh &>/dev/null + rm -f %{_sharedstatedir}/ldap/rpm_upgrade_openldap + + [ $start -eq 1 ] && /bin/systemctl start slapd.service &>/dev/null + skip_restart=1 +else + skip_restart=0 fi # restart after upgrade -if [ $1 -ge 1 ]; then - if [ -f %{_sharedstatedir}/ldap/need_start ]; then - /sbin/service slapd start - rm -f %{_sharedstatedir}/ldap/need_start - else - /sbin/service slapd condrestart - fi +if [ $1 -ge 1 -a $skip_restart -ne 1 ]; then + /bin/systemctl condrestart slapd.service &>/dev/null || : fi exit 0 @@ -560,10 +487,15 @@ if [ $1 -ge 1 ]; then /bin/systemctl try-restart slapd.service &>/dev/null || : fi +exit 0 + + %post devel -p /sbin/ldconfig + %postun devel -p /sbin/ldconfig + %triggerun servers -- openldap-servers < 2.4.26-6 # migration from SysV to systemd 
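Review bot: The exit status and all output of `convert-config.sh` and `upgrade-db.sh` are discarded in the `%post servers` hunk. As a result `slapd.conf` is renamed to `slapd.conf.bak` even when the conversion failed, and the marker is removed and slapd started again even after a failed database upgrade. Chain the rename to success, `%{_libexecdir}/slapd/convert-config.sh &>/dev/null && mv %{_sysconfdir}/openldap/slapd.conf %{_sysconfdir}/openldap/slapd.conf.bak`, and run `rm -f` on the marker only when `upgrade-db.sh` returns 0. The `%triggerun servers -- libdb` block in the last hunk repeats the same stop/upgrade/start sequence and needs the same check. The removed lines also reset `slapd.d` to `ldap:ldap` with owner-only permissions; the hunk does not show whether `convert-config.sh` still does this, so confirm it, since that directory typically holds credential hashes.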
@@ -572,58 +504,41 @@ fi /bin/systemctl try-restart slapd.service &>/dev/null || : -%triggerin servers -- db4 +%triggerin servers -- libdb -# db4 upgrade (see %triggerun) +# libdb upgrade (setup for %triggerun) if [ $2 -eq 2 ]; then - pushd %{_sharedstatedir}/ldap &>/dev/null - # we are interested in minor version changes (both versions of db4 are installed at this moment) - if [ "$(rpm -q --qf="%%{version}\n" db4 | sed 's/\.[0-9]*$//' | sort -u | wc -l)" != "1" ]; then - # stop the service - if /sbin/service slapd status &>/dev/null; then - touch need_start - /sbin/service slapd stop - fi - - # ensure the database is consistent - runuser -m -s /usr/bin/db_recover -- "ldap" -h %{_sharedstatedir}/ldap &>/dev/null - - # upgrade will be performed after removing old db4 - touch upgrade_db4 + if [ "$(rpm -q --qf="%%{version}\n" libdb | sed 's/\.[0-9]*$//' | sort -u | wc -l)" != "1" ]; then + touch %{_sharedstatedir}/ldap/rpm_upgrade_libdb else - rm -f upgrade_db4 + rm -f %{_sharedstatedir}/ldap/rpm_upgrade_libdb fi - - popd &>/dev/null fi exit 0 -%triggerun servers -- db4 -# db4 upgrade (see %triggerin) -if [ -f %{_sharedstatedir}/ldap/upgrade_db4 ]; then - pushd %{_sharedstatedir}/ldap &>/dev/null +%triggerun servers -- libdb - # perform the upgrade - if ls *.bdb &>/dev/null; then - runuser -m -s /usr/bin/db_upgrade -- "ldap" -h %{_sharedstatedir}/ldap %{_sharedstatedir}/ldap/*.bdb - runuser -m -s /usr/bin/db_checkpoint -- "ldap" -h %{_sharedstatedir}/ldap -1 +# libdb upgrade (finish %triggerin) +if [ -f %{_sharedstatedir}/ldap/rpm_upgrade_libdb ]; then + if /bin/systemctl --quiet is-active slapd.service; then + /bin/systemctl stop slapd.service + start=1 + else + start=0 fi - # start the service - if [ -f need_start ]; then - /sbin/service slapd start - rm -f need_start - fi + %{_libexecdir}/slapd/upgrade-db.sh &>/dev/null + rm -f %{_sharedstatedir}/ldap/rpm_upgrade_libdb - rm -f upgrade_db4 - popd &>/dev/null + [ $start -eq 1 ] && /bin/systemctl start slapd.service 
&>/dev/null fi exit 0 + %files %defattr(-,root,root) %doc openldap-%{version}/ANNOUNCEMENT
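Review bot: The version check in `%triggerin servers -- libdb` lost its explanatory comment, leaving the `rpm -q … | sed 's/\.[0-9]*$//' | sort -u | wc -l` pipeline undocumented. I would keep a comment above the `if`, such as `# both libdb versions are installed at this point; flag an upgrade only when they differ once the last version component is stripped`. It is also worth stating in the `%triggerun` comment that slapd is now stopped only there, whereas the removed lines stopped it and ran `db_recover` already in `%triggerin`. Whether `upgrade-db.sh` performs that recovery step is not visible in this hunk.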