diff --git a/.gitignore b/.gitignore
index 53bfbb7..ed34c5e 100644
--- a/.gitignore
+++ b/.gitignore
@@ -81,3 +81,4 @@ sssd-1.2.91.tar.gz
 /sssd-1.16.1.tar.gz
 /sssd-1.16.2.tar.gz
 /sssd-2.0.0.tar.gz
+/sssd-2.1.0.tar.gz
diff --git a/0001-BUILD-Accept-krb5-1.17-for-building-the-PAC-plugin.patch b/0001-BUILD-Accept-krb5-1.17-for-building-the-PAC-plugin.patch
deleted file mode 100644
index 79fb1ca..0000000
--- a/0001-BUILD-Accept-krb5-1.17-for-building-the-PAC-plugin.patch
+++ /dev/null
@@ -1,27 +0,0 @@
-From 53e6fdfd881f051898e85448832eafdd2ea09454 Mon Sep 17 00:00:00 2001
-From: Sumit Bose
-Date: Thu, 22 Nov 2018 11:33:20 +0100
-Subject: [PATCH] BUILD: Accept krb5 1.17 for building the PAC plugin
-
-Reviewed-by: Jakub Hrozek
----
- src/external/pac_responder.m4 | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-
-diff --git a/src/external/pac_responder.m4 b/src/external/pac_responder.m4
-index e0685f0ce..dc986a1b8 100644
---- a/src/external/pac_responder.m4
-+++ b/src/external/pac_responder.m4
-@@ -18,7 +18,8 @@ then
- Kerberos\ 5\ release\ 1.13* | \
- Kerberos\ 5\ release\ 1.14* | \
- Kerberos\ 5\ release\ 1.15* | \
-- Kerberos\ 5\ release\ 1.16*)
-+ Kerberos\ 5\ release\ 1.16* | \
-+ Kerberos\ 5\ release\ 1.17*)
- krb5_version_ok=yes
- AC_MSG_RESULT([yes])
- ;;
---
-2.20.0
-
diff --git a/0001-BUILD-Fix-issue-with-installation-of-libsss_secrets.patch b/0001-BUILD-Fix-issue-with-installation-of-libsss_secrets.patch
deleted file mode 100644
index 24a25d9..0000000
--- a/0001-BUILD-Fix-issue-with-installation-of-libsss_secrets.patch
+++ /dev/null
@@ -1,109 +0,0 @@ -From 101934f29e6b76931b1499adc19ae7f7a976789d Mon Sep 17 00:00:00 2001 -From: Lukas Slebodnik -Date: Tue, 14 Aug 2018 08:20:57 +0000 -Subject: [PATCH 1/4] BUILD: Fix issue with installation of libsss_secrets -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -libsss_secret.so is linked with libsss_util.so therefore it shoudl be -added into pkglib_LTLIBRARIES after libsss_util.so. -Otherwise there can failure in linking phase. - -libtool: warning: relinking 'libsss_secrets.la' -libtool: install: (cd /home/build/sssd/ci-build-debug/intg/bld; /bin/sh - "/home/build/sssd/ci-build-debug/intg/bld/libtool" --tag CC - --mode=relink gcc -Wall -Wshadow -Wstrict-prototypes -Wpointer-arith - -Wcast-qual -Wcast-align -Wwrite-strings -Wundef - -Werror-implicit-function-declaration -Winit-self -Wmissing-include-dirs - -fno-strict-aliasing -std=gnu99 -O2 -g -g3 -O2 -Werror - -D_FILE_OFFSET_BITS=64 -D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE - -D_FILE_OFFSET_BITS=64 -D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE - -avoid-version -o libsss_secrets.la -rpath - /tmp/sssd-intg.l7nl5pgb/lib/sssd - src/util/secrets/libsss_secrets_la-secrets.lo - src/util/secrets/libsss_secrets_la-config.lo -ltalloc -lldb - libsss_crypt.la libsss_debug.la libsss_util.la ) -libtool: relink: gcc -shared -fPIC -DPIC - src/util/secrets/.libs/libsss_secrets_la-secrets.o - src/util/secrets/.libs/libsss_secrets_la-config.o -Wl,-rpath - -Wl,/tmp/sssd-intg.l7nl5pgb/lib/sssd -ltalloc -lldb - -L/tmp/sssd-intg.l7nl5pgb/lib/sssd -lsss_crypt -lsss_debug -lsss_util - -O2 -g -g3 -O2 -Wl,-soname -Wl,libsss_secrets.so -o - .libs/libsss_secrets.so -/usr/bin/ld: cannot find -lsss_util -collect2: error: ld returned 1 exit status -libtool: error: error: relink 'libsss_secrets.la' with the above -command before installing it - -Merges: https://pagure.io/SSSD/sssd/pull-request/3808 - -Reviewed-by: Pavel Březina ---- - Makefile.am | 43 
+++++++++++++++++++++---------------------- - 1 file changed, 21 insertions(+), 22 deletions(-) - -diff --git a/Makefile.am b/Makefile.am -index d313957..a2d8ea4 100644 ---- a/Makefile.am -+++ b/Makefile.am -@@ -1209,28 +1209,6 @@ libsss_iface_sync_la_LDFLAGS = \ - -avoid-version \ - $(NULL) - --if BUILD_WITH_LIBSECRET --pkglib_LTLIBRARIES += libsss_secrets.la -- --libsss_secrets_la_SOURCES = \ -- src/util/secrets/secrets.c \ -- src/util/secrets/config.c \ -- $(NULL) --libsss_secrets_la_CFLAGS = \ -- $(AM_CFLAGS) \ -- $(NULL) --libsss_secrets_la_LIBADD = \ -- $(TALLOC_LIBS) \ -- $(LDB_LIBS) \ -- libsss_crypt.la \ -- libsss_debug.la \ -- libsss_util.la \ -- $(NULL) --libsss_secrets_la_LDFLAGS = \ -- -avoid-version \ -- $(NULL) --endif -- - pkglib_LTLIBRARIES += libsss_util.la - libsss_util_la_SOURCES = \ - src/confdb/confdb.c \ -@@ -1314,6 +1292,27 @@ libsss_util_la_LIBADD += stap_generated_probes.lo - endif - libsss_util_la_LDFLAGS = -avoid-version - -+if BUILD_WITH_LIBSECRET -+pkglib_LTLIBRARIES += libsss_secrets.la -+libsss_secrets_la_SOURCES = \ -+ src/util/secrets/secrets.c \ -+ src/util/secrets/config.c \ -+ $(NULL) -+libsss_secrets_la_CFLAGS = \ -+ $(AM_CFLAGS) \ -+ $(NULL) -+libsss_secrets_la_LIBADD = \ -+ $(TALLOC_LIBS) \ -+ $(LDB_LIBS) \ -+ libsss_crypt.la \ -+ libsss_debug.la \ -+ libsss_util.la \ -+ $(NULL) -+libsss_secrets_la_LDFLAGS = \ -+ -avoid-version \ -+ $(NULL) -+endif -+ - pkglib_LTLIBRARIES += libsss_semanage.la - libsss_semanage_la_CFLAGS = \ - $(AM_CFLAGS) \ --- -2.9.5 - diff --git a/0001-sbus-avoid-using-invalid-stack-point-in-SBUS_INTERFA.patch b/0001-sbus-avoid-using-invalid-stack-point-in-SBUS_INTERFA.patch deleted file mode 100644 index cb16809..0000000 --- a/0001-sbus-avoid-using-invalid-stack-point-in-SBUS_INTERFA.patch +++ /dev/null 
@@ -1,459 +0,0 @@ -From 194438830cdd729e317c1e1baf93da7201dfd39b Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Pavel=20B=C5=99ezina?= -Date: Mon, 4 Feb 2019 12:00:01 +0100 -Subject: [PATCH 1/3] sbus: avoid using invalid stack point in SBUS_INTERFACE - -SBUS_INTERFACE macros expanded as: -struct sbus_interface bus = - ({ sbus_interface( - "org.freedesktop.DBus", - ((void *)0), - (((const struct sbus_method[]) - { - ({ - /* ... compile time check of function signature omitted */ ; - sbus_method_sync(/* ... full list of params omitted */); - }), - ... - -This however includes an issue that methods/properties/signals are returned -by value, however stored in sbus_interface as pointers. Once we return out -of the top-level block and assign resulting sbus_interface into 'bus' variable -those objects allocated on stack becomes invalid and can be overwritten by other -allocations on stack. - -This patch overcomes this issue by changing declaration of SBUS_INTERFACE and -avoiding using this top-level block. This still keeps the declarative structure -and simplifies the code as it does not require any memory handling and -tests for successful allocations. 
- - const struct sbus_method __ ## varname ## _m[] = methods; \ - const struct sbus_signal __ ## varname ## _s[] = signals; \ - const struct sbus_property __ ## varname ## _p[] = properties; \ - struct sbus_interface varname = SBUS_IFACE_ ## iface( \ - (__ ## varname ## _m), \ - (__ ## varname ## _s), \ - (__ ## varname ## _p) \ - ) - -Resolves: -https://pagure.io/SSSD/sssd/issue/3924 - -Reviewed-by: Alexey Tikhonov ---- - src/monitor/monitor.c | 2 +- - src/providers/data_provider/dp.c | 10 +++++----- - src/providers/data_provider_be.c | 2 +- - src/providers/proxy/proxy_child.c | 2 +- - src/providers/proxy/proxy_client.c | 2 +- - src/responder/autofs/autofssrv.c | 2 +- - src/responder/common/responder_iface.c | 6 +++--- - src/responder/ifp/ifp_iface/ifp_iface.c | 24 ++++++++++++------------ - src/responder/ifp/ifpsrv.c | 2 +- - src/responder/nss/nss_iface.c | 2 +- - src/responder/nss/nsssrv.c | 2 +- - src/sbus/interface/sbus_introspection.c | 2 +- - src/sbus/interface/sbus_properties.c | 2 +- - src/sbus/sbus_interface.h | 22 +++++++++++++++++----- - src/sbus/server/sbus_server_interface.c | 2 +- - 15 files changed, 48 insertions(+), 36 deletions(-) - -diff --git a/src/monitor/monitor.c b/src/monitor/monitor.c -index 136cf8f27..8d12f8133 100644 ---- a/src/monitor/monitor.c -+++ b/src/monitor/monitor.c -@@ -2018,7 +2018,7 @@ static void monitor_sbus_connected(struct tevent_req *req) - goto done; - } - -- struct sbus_interface iface = SBUS_INTERFACE( -+ SBUS_INTERFACE(iface, - sssd_monitor, - SBUS_METHODS( - SBUS_SYNC(METHOD, sssd_monitor, RegisterService, monitor_sbus_RegisterService, ctx) -diff --git a/src/providers/data_provider/dp.c b/src/providers/data_provider/dp.c -index bd003c8b3..e79d6f294 100644 ---- a/src/providers/data_provider/dp.c -+++ b/src/providers/data_provider/dp.c -@@ -33,7 +33,7 @@ dp_init_interface(struct data_provider *provider) - { - errno_t ret; - -- struct sbus_interface iface_dp_client = SBUS_INTERFACE( -+ SBUS_INTERFACE(iface_dp_client, - 
sssd_DataProvider_Client, - SBUS_METHODS( - SBUS_SYNC(METHOD, sssd_DataProvider_Client, Register, dp_client_register, provider) -@@ -42,7 +42,7 @@ dp_init_interface(struct data_provider *provider) - SBUS_PROPERTIES(SBUS_NO_PROPERTIES) - ); - -- struct sbus_interface iface_dp_backend = SBUS_INTERFACE( -+ SBUS_INTERFACE(iface_dp_backend, - sssd_DataProvider_Backend, - SBUS_METHODS( - SBUS_SYNC(METHOD, sssd_DataProvider_Backend, IsOnline, dp_backend_is_online, provider->be_ctx) -@@ -51,7 +51,7 @@ dp_init_interface(struct data_provider *provider) - SBUS_PROPERTIES(SBUS_NO_PROPERTIES) - ); - -- struct sbus_interface iface_dp_failover = SBUS_INTERFACE( -+ SBUS_INTERFACE(iface_dp_failover, - sssd_DataProvider_Failover, - SBUS_METHODS( - SBUS_SYNC(METHOD, sssd_DataProvider_Failover, ListServices, dp_failover_list_services, provider->be_ctx), -@@ -62,7 +62,7 @@ dp_init_interface(struct data_provider *provider) - SBUS_PROPERTIES(SBUS_NO_PROPERTIES) - ); - -- struct sbus_interface iface_dp_access = SBUS_INTERFACE( -+ SBUS_INTERFACE(iface_dp_access, - sssd_DataProvider_AccessControl, - SBUS_METHODS( - SBUS_ASYNC(METHOD, sssd_DataProvider_AccessControl, RefreshRules, dp_access_control_refresh_rules_send, dp_access_control_refresh_rules_recv, provider) -@@ -71,7 +71,7 @@ dp_init_interface(struct data_provider *provider) - SBUS_PROPERTIES(SBUS_NO_PROPERTIES) - ); - -- struct sbus_interface iface_dp = SBUS_INTERFACE( -+ SBUS_INTERFACE(iface_dp, - sssd_dataprovider, - SBUS_METHODS( - SBUS_ASYNC(METHOD, sssd_dataprovider, pamHandler, dp_pam_handler_send, dp_pam_handler_recv, provider), -diff --git a/src/providers/data_provider_be.c b/src/providers/data_provider_be.c -index 7043e7a5f..942952b24 100644 ---- a/src/providers/data_provider_be.c -+++ b/src/providers/data_provider_be.c -@@ -382,7 +382,7 @@ static void signal_be_reset_offline(struct tevent_context *ev, - static errno_t - be_register_monitor_iface(struct sbus_connection *conn, struct be_ctx *be_ctx) - { -- struct 
sbus_interface iface_service = SBUS_INTERFACE( -+ SBUS_INTERFACE(iface_service, - sssd_service, - SBUS_METHODS( - SBUS_SYNC(METHOD, sssd_service, resInit, data_provider_res_init, be_ctx), -diff --git a/src/providers/proxy/proxy_child.c b/src/providers/proxy/proxy_child.c -index 134f96f82..4f06d42aa 100644 ---- a/src/providers/proxy/proxy_child.c -+++ b/src/providers/proxy/proxy_child.c -@@ -348,7 +348,7 @@ proxy_cli_init(struct pc_ctx *ctx) - return ENOMEM; - } - -- struct sbus_interface iface = SBUS_INTERFACE( -+ SBUS_INTERFACE(iface, - sssd_ProxyChild_Auth, - SBUS_METHODS( - SBUS_SYNC(METHOD, sssd_ProxyChild_Auth, PAM, pc_pam_handler, ctx) -diff --git a/src/providers/proxy/proxy_client.c b/src/providers/proxy/proxy_client.c -index 1c325eee5..09ebf3bda 100644 ---- a/src/providers/proxy/proxy_client.c -+++ b/src/providers/proxy/proxy_client.c -@@ -100,7 +100,7 @@ proxy_client_init(struct sbus_connection *conn, - { - errno_t ret; - -- struct sbus_interface iface = SBUS_INTERFACE( -+ SBUS_INTERFACE(iface, - sssd_ProxyChild_Client, - SBUS_METHODS( - SBUS_SYNC(METHOD, sssd_ProxyChild_Client, Register, proxy_client_register, auth_ctx) -diff --git a/src/responder/autofs/autofssrv.c b/src/responder/autofs/autofssrv.c -index 614e901e7..230bd2aac 100644 ---- a/src/responder/autofs/autofssrv.c -+++ b/src/responder/autofs/autofssrv.c -@@ -62,7 +62,7 @@ autofs_register_service_iface(struct autofs_ctx *autofs_ctx, - { - errno_t ret; - -- struct sbus_interface iface_svc = SBUS_INTERFACE( -+ SBUS_INTERFACE(iface_svc, - sssd_service, - SBUS_METHODS( - SBUS_SYNC(METHOD, sssd_service, resInit, monitor_common_res_init, NULL), -diff --git a/src/responder/common/responder_iface.c b/src/responder/common/responder_iface.c -index 79b632c05..911cd6cc0 100644 ---- a/src/responder/common/responder_iface.c -+++ b/src/responder/common/responder_iface.c -@@ -99,7 +99,7 @@ sss_resp_register_sbus_iface(struct sbus_connection *conn, - { - errno_t ret; - -- struct sbus_interface iface_resp_domain = 
SBUS_INTERFACE( -+ SBUS_INTERFACE(iface_resp_domain, - sssd_Responder_Domain, - SBUS_METHODS( - SBUS_SYNC(METHOD, sssd_Responder_Domain, SetActive, sss_resp_domain_active, rctx), -@@ -109,7 +109,7 @@ sss_resp_register_sbus_iface(struct sbus_connection *conn, - SBUS_PROPERTIES(SBUS_NO_PROPERTIES) - ); - -- struct sbus_interface iface_resp_negcache = SBUS_INTERFACE( -+ SBUS_INTERFACE(iface_resp_negcache, - sssd_Responder_NegativeCache, - SBUS_METHODS( - SBUS_SYNC(METHOD, sssd_Responder_NegativeCache, ResetUsers, sss_resp_reset_ncache_users, rctx), -@@ -139,7 +139,7 @@ sss_resp_register_service_iface(struct resp_ctx *rctx) - { - errno_t ret; - -- struct sbus_interface iface_svc = SBUS_INTERFACE( -+ SBUS_INTERFACE(iface_svc, - sssd_service, - SBUS_METHODS( - SBUS_SYNC(METHOD, sssd_service, resInit, monitor_common_res_init, NULL), -diff --git a/src/responder/ifp/ifp_iface/ifp_iface.c b/src/responder/ifp/ifp_iface/ifp_iface.c -index fa9f9ba53..a3385091b 100644 ---- a/src/responder/ifp/ifp_iface/ifp_iface.c -+++ b/src/responder/ifp/ifp_iface/ifp_iface.c -@@ -77,7 +77,7 @@ ifp_register_sbus_interface(struct sbus_connection *conn, - { - errno_t ret; - -- struct sbus_interface iface_ifp = SBUS_INTERFACE( -+ SBUS_INTERFACE(iface_ifp, - org_freedesktop_sssd_infopipe, - SBUS_METHODS( - SBUS_SYNC(METHOD, org_freedesktop_sssd_infopipe, Ping, ifp_ping, ctx), -@@ -96,7 +96,7 @@ ifp_register_sbus_interface(struct sbus_connection *conn, - SBUS_PROPERTIES(SBUS_NO_PROPERTIES) - ); - -- struct sbus_interface iface_ifp_components = SBUS_INTERFACE( -+ SBUS_INTERFACE(iface_ifp_components, - org_freedesktop_sssd_infopipe_Components, - SBUS_METHODS(SBUS_NO_METHODS), - SBUS_SIGNALS(SBUS_NO_SIGNALS), -@@ -109,7 +109,7 @@ ifp_register_sbus_interface(struct sbus_connection *conn, - ) - ); - -- struct sbus_interface iface_ifp_domains = SBUS_INTERFACE( -+ SBUS_INTERFACE(iface_ifp_domains, - org_freedesktop_sssd_infopipe_Domains, - SBUS_METHODS(SBUS_NO_METHODS), - SBUS_SIGNALS(SBUS_NO_SIGNALS), -@@ 
-131,7 +131,7 @@ ifp_register_sbus_interface(struct sbus_connection *conn, - ) - ); - -- struct sbus_interface iface_ifp_domains_domain = SBUS_INTERFACE( -+ SBUS_INTERFACE(iface_ifp_domains_domain, - org_freedesktop_sssd_infopipe_Domains_Domain, - SBUS_METHODS( - SBUS_ASYNC(METHOD, org_freedesktop_sssd_infopipe_Domains_Domain, IsOnline, ifp_domains_domain_is_online_send, ifp_domains_domain_is_online_recv, ctx), -@@ -144,7 +144,7 @@ ifp_register_sbus_interface(struct sbus_connection *conn, - SBUS_PROPERTIES(SBUS_NO_PROPERTIES) - ); - -- struct sbus_interface iface_ifp_users = SBUS_INTERFACE( -+ SBUS_INTERFACE(iface_ifp_users, - org_freedesktop_sssd_infopipe_Users, - SBUS_METHODS( - SBUS_ASYNC(METHOD, org_freedesktop_sssd_infopipe_Users, FindByName, ifp_users_find_by_name_send, ifp_users_find_by_name_recv, ctx), -@@ -159,7 +159,7 @@ ifp_register_sbus_interface(struct sbus_connection *conn, - SBUS_PROPERTIES(SBUS_NO_PROPERTIES) - ); - -- struct sbus_interface iface_ifp_users_user = SBUS_INTERFACE( -+ SBUS_INTERFACE(iface_ifp_users_user, - org_freedesktop_sssd_infopipe_Users_User, - SBUS_METHODS(SBUS_NO_METHODS), - SBUS_SIGNALS(SBUS_NO_SIGNALS), -@@ -178,7 +178,7 @@ ifp_register_sbus_interface(struct sbus_connection *conn, - ) - ); - -- struct sbus_interface iface_ifp_cache_user = SBUS_INTERFACE( -+ SBUS_INTERFACE(iface_ifp_cache_user, - org_freedesktop_sssd_infopipe_Cache, - SBUS_METHODS( - SBUS_SYNC(METHOD, org_freedesktop_sssd_infopipe_Cache, List, ifp_cache_list_user, ctx), -@@ -188,7 +188,7 @@ ifp_register_sbus_interface(struct sbus_connection *conn, - SBUS_PROPERTIES(SBUS_NO_PROPERTIES) - ); - -- struct sbus_interface iface_ifp_cache_object_user = SBUS_INTERFACE( -+ SBUS_INTERFACE(iface_ifp_cache_object_user, - org_freedesktop_sssd_infopipe_Cache_Object, - SBUS_METHODS( - SBUS_SYNC(METHOD, org_freedesktop_sssd_infopipe_Cache_Object, Store, ifp_cache_object_store_user, ctx), -@@ -198,7 +198,7 @@ ifp_register_sbus_interface(struct sbus_connection *conn, - 
SBUS_PROPERTIES(SBUS_NO_PROPERTIES) - ); - -- struct sbus_interface iface_ifp_groups = SBUS_INTERFACE( -+ SBUS_INTERFACE(iface_ifp_groups, - org_freedesktop_sssd_infopipe_Groups, - SBUS_METHODS( - SBUS_ASYNC(METHOD, org_freedesktop_sssd_infopipe_Groups, FindByName, ifp_groups_find_by_name_send, ifp_groups_find_by_name_recv, ctx), -@@ -210,7 +210,7 @@ ifp_register_sbus_interface(struct sbus_connection *conn, - SBUS_PROPERTIES(SBUS_NO_PROPERTIES) - ); - -- struct sbus_interface iface_ifp_groups_group = SBUS_INTERFACE( -+ SBUS_INTERFACE(iface_ifp_groups_group, - org_freedesktop_sssd_infopipe_Groups_Group, - SBUS_METHODS( - SBUS_ASYNC(METHOD, org_freedesktop_sssd_infopipe_Groups_Group, UpdateMemberList, ifp_groups_group_update_member_list_send, ifp_groups_group_update_member_list_recv, ctx) -@@ -225,7 +225,7 @@ ifp_register_sbus_interface(struct sbus_connection *conn, - ) - ); - -- struct sbus_interface iface_ifp_cache_group = SBUS_INTERFACE( -+ SBUS_INTERFACE(iface_ifp_cache_group, - org_freedesktop_sssd_infopipe_Cache, - SBUS_METHODS( - SBUS_SYNC(METHOD, org_freedesktop_sssd_infopipe_Cache, List, ifp_cache_list_group, ctx), -@@ -235,7 +235,7 @@ ifp_register_sbus_interface(struct sbus_connection *conn, - SBUS_PROPERTIES(SBUS_NO_PROPERTIES) - ); - -- struct sbus_interface iface_ifp_cache_object_group = SBUS_INTERFACE( -+ SBUS_INTERFACE(iface_ifp_cache_object_group, - org_freedesktop_sssd_infopipe_Cache_Object, - SBUS_METHODS( - SBUS_SYNC(METHOD, org_freedesktop_sssd_infopipe_Cache_Object, Store, ifp_cache_object_store_group, ctx), -diff --git a/src/responder/ifp/ifpsrv.c b/src/responder/ifp/ifpsrv.c -index 61072aad1..0c53534e4 100644 ---- a/src/responder/ifp/ifpsrv.c -+++ b/src/responder/ifp/ifpsrv.c -@@ -135,7 +135,7 @@ ifp_register_service_iface(struct ifp_ctx *ifp_ctx, - { - errno_t ret; - -- struct sbus_interface iface_svc = SBUS_INTERFACE( -+ SBUS_INTERFACE(iface_svc, - sssd_service, - SBUS_METHODS( - SBUS_SYNC(METHOD, sssd_service, resInit, 
monitor_common_res_init, NULL), -diff --git a/src/responder/nss/nss_iface.c b/src/responder/nss/nss_iface.c -index f39c3d370..a47b35fca 100644 ---- a/src/responder/nss/nss_iface.c -+++ b/src/responder/nss/nss_iface.c -@@ -219,7 +219,7 @@ nss_register_backend_iface(struct sbus_connection *conn, - { - errno_t ret; - -- struct sbus_interface iface = SBUS_INTERFACE( -+ SBUS_INTERFACE(iface, - sssd_nss_MemoryCache, - SBUS_METHODS( - SBUS_SYNC(METHOD, sssd_nss_MemoryCache, UpdateInitgroups, nss_memorycache_update_initgroups, nss_ctx), -diff --git a/src/responder/nss/nsssrv.c b/src/responder/nss/nsssrv.c -index daaf3c06c..9cc9c5d35 100644 ---- a/src/responder/nss/nsssrv.c -+++ b/src/responder/nss/nsssrv.c -@@ -276,7 +276,7 @@ nss_register_service_iface(struct nss_ctx *nss_ctx, - { - errno_t ret; - -- struct sbus_interface iface_svc = SBUS_INTERFACE( -+ SBUS_INTERFACE(iface_svc, - sssd_service, - SBUS_METHODS( - SBUS_SYNC(METHOD, sssd_service, resInit, monitor_common_res_init, NULL), -diff --git a/src/sbus/interface/sbus_introspection.c b/src/sbus/interface/sbus_introspection.c -index b2de9a9ac..863383719 100644 ---- a/src/sbus/interface/sbus_introspection.c -+++ b/src/sbus/interface/sbus_introspection.c -@@ -658,7 +658,7 @@ errno_t - sbus_register_introspection(struct sbus_router *router) - { - -- struct sbus_interface iface = SBUS_INTERFACE( -+ SBUS_INTERFACE(iface, - org_freedesktop_DBus_Introspectable, - SBUS_METHODS( - SBUS_ASYNC(METHOD, org_freedesktop_DBus_Introspectable, Introspect, -diff --git a/src/sbus/interface/sbus_properties.c b/src/sbus/interface/sbus_properties.c -index 9df4c6bd6..8be933caa 100644 ---- a/src/sbus/interface/sbus_properties.c -+++ b/src/sbus/interface/sbus_properties.c -@@ -867,7 +867,7 @@ errno_t - sbus_register_properties(struct sbus_router *router) - { - -- struct sbus_interface iface = SBUS_INTERFACE( -+ SBUS_INTERFACE(iface, - org_freedesktop_DBus_Properties, - SBUS_METHODS( - SBUS_ASYNC(METHOD, org_freedesktop_DBus_Properties, Get, 
-diff --git a/src/sbus/sbus_interface.h b/src/sbus/sbus_interface.h -index eb1462dd2..45ab4b5ad 100644 ---- a/src/sbus/sbus_interface.h -+++ b/src/sbus/sbus_interface.h -@@ -80,7 +80,7 @@ struct sbus_node; - * }; - */ - #define SBUS_METHODS(...) \ -- (const struct sbus_method[]) { \ -+ { \ - __VA_ARGS__, \ - SBUS_INTERFACE_SENTINEL \ - } -@@ -117,7 +117,7 @@ struct sbus_node; - * }; - */ - #define SBUS_SIGNALS(...) \ -- (const struct sbus_signal[]) { \ -+ { \ - __VA_ARGS__, \ - SBUS_INTERFACE_SENTINEL \ - } -@@ -159,7 +159,7 @@ struct sbus_node; - * }; - */ - #define SBUS_PROPERTIES(...) \ -- (const struct sbus_property[]) { \ -+ { \ - __VA_ARGS__, \ - SBUS_INTERFACE_SENTINEL \ - } -@@ -228,6 +228,11 @@ struct sbus_node; - /** - * Create and sbus interface. - * -+ * @param varname Name of the variable that will hold the interface -+ * description. It is created as: -+ * struct sbus_interface varname; -+ * You can refer to it later when creating 'sbus_path' -+ * structure as &varname. - * @param iface Name of the interface with dots replaced - * with underscore. (token, not a string) - * @param methods Methods on the interface. -@@ -239,8 +244,15 @@ struct sbus_node; - * - * @see SBUS_METHODS, SBUS_SIGNALS, SBUS_PROPERTIES to create those arguments. - */ --#define SBUS_INTERFACE(iface, methods, signals, properties) \ -- SBUS_IFACE_ ## iface((methods), (signals), (properties)) -+#define SBUS_INTERFACE(varname, iface, methods, signals, properties) \ -+ const struct sbus_method __ ## varname ## _m[] = methods; \ -+ const struct sbus_signal __ ## varname ## _s[] = signals; \ -+ const struct sbus_property __ ## varname ## _p[] = properties; \ -+ struct sbus_interface varname = SBUS_IFACE_ ## iface( \ -+ (__ ## varname ## _m), \ -+ (__ ## varname ## _s), \ -+ (__ ## varname ## _p) \ -+ ) - - /** - * Create a new sbus synchronous handler. 
-diff --git a/src/sbus/server/sbus_server_interface.c b/src/sbus/server/sbus_server_interface.c -index 695d4d09b..9c0ba0abb 100644 ---- a/src/sbus/server/sbus_server_interface.c -+++ b/src/sbus/server/sbus_server_interface.c -@@ -387,7 +387,7 @@ sbus_server_setup_interface(struct sbus_server *server) - { - errno_t ret; - -- struct sbus_interface bus = SBUS_INTERFACE( -+ SBUS_INTERFACE(bus, - org_freedesktop_DBus, - SBUS_METHODS( - SBUS_SYNC(METHOD, org_freedesktop_DBus, Hello, sbus_server_bus_hello, server), --- -2.20.1 - diff --git a/0001-sbus-use-120-second-default-timeout.patch b/0001-sbus-use-120-second-default-timeout.patch deleted file mode 100644 index a4dbfdd..0000000 --- a/0001-sbus-use-120-second-default-timeout.patch +++ /dev/null 
@@ -1,42 +0,0 @@
-From 04c1909a0c1c13eee10141f08eff2048decc2e49 Mon Sep 17 00:00:00 2001
-From: Adam Williamson
-Date: Wed, 12 Dec 2018 22:28:15 -0800
-Subject: [PATCH] sbus: use 120 second default timeout
-
-As discussed in #1654537, first login to a system as a FreeIPA
-domain user now usually causes an expensive SELinux operation
-to happen; this can take longer than the default bus message
-timeout of 25 seconds. To deal with this for now, let's use a
-120 second default timeout; this is a big hammer, but unless we
-can refactor things to use a longer timeout just for that one
-call, or make the actual operation take less time, there's not
-much else we can do.
-
-Resolves:
-https://bugzilla.redhat.com/show_bug.cgi?id=1654537
-
-Signed-off-by: Adam Williamson
----
- src/sbus/sbus_message.h | 6 ++++--
- 1 file changed, 4 insertions(+), 2 deletions(-)
-
-diff --git a/src/sbus/sbus_message.h b/src/sbus/sbus_message.h
-index e7b8fe594..7ae634ece 100644
---- a/src/sbus/sbus_message.h
-+++ b/src/sbus/sbus_message.h
-@@ -27,8 +27,10 @@
- #include "util/util.h"
- #include "sbus/sbus_errors.h"
-
--/* Use reasonable default timeout which is computed in libdbus */
--#define SBUS_MESSAGE_TIMEOUT -1
-+/* Use longer default timeout than libdbus default due to expensive
-+ * selinux operation: see https://bugzilla.redhat.com/show_bug.cgi?id=1654537
-+ */
-+#define SBUS_MESSAGE_TIMEOUT 120000
-
- /**
- * Bound message with a talloc context.
---
-2.20.0
-
diff --git a/0001-tests-fix-mocking-krb5_creds-in-test_copy_ccache.patch b/0001-tests-fix-mocking-krb5_creds-in-test_copy_ccache.patch
deleted file mode 100644
index 029dc4a..0000000
--- a/0001-tests-fix-mocking-krb5_creds-in-test_copy_ccache.patch
+++ /dev/null
@@ -1,33 +0,0 @@
-From 08bba3a6e3e4e21f2e20b71cca463d50420aa9ee Mon Sep 17 00:00:00 2001
-From: Sumit Bose
-Date: Thu, 22 Nov 2018 11:36:57 +0100
-Subject: [PATCH] tests: fix mocking krb5_creds in test_copy_ccache
-
-To just test some ccache related functionality without talking to an
-actual KDC to get the tickets some needed libkrb5 structs were mocked
-based on tests from the MIT Kerberos source code. One struct member
-(is_skey) was so far not regarded by libkrb5 for out test case. But a
-recent fix for http://krbdev.mit.edu/rt/Ticket/Display.html?id=8718
-changed this and we have to change the mocking.
-
-Reviewed-by: Jakub Hrozek
----
- src/tests/cmocka/test_copy_ccache.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/src/tests/cmocka/test_copy_ccache.c b/src/tests/cmocka/test_copy_ccache.c
-index 84225b6bf..7c76c00e8 100644
---- a/src/tests/cmocka/test_copy_ccache.c
-+++ b/src/tests/cmocka/test_copy_ccache.c
-@@ -88,7 +88,7 @@ static int setup_ccache(void **state)
- test_creds.times.starttime = 2222;
- test_creds.times.endtime = 3333;
- test_creds.times.renew_till = 4444;
-- test_creds.is_skey = 1;
-+ test_creds.is_skey = 0;
- test_creds.ticket_flags = 5555;
- test_creds.addresses = addrs;
-
---
-2.20.0
-
diff --git a/0002-BUILD-Add-missing-deps-to-libsss_sbus-.so.patch b/0002-BUILD-Add-missing-deps-to-libsss_sbus-.so.patch
deleted file mode 100644
index 420b010..0000000
--- a/0002-BUILD-Add-missing-deps-to-libsss_sbus-.so.patch
+++ /dev/null
@@ -1,49 +0,0 @@
-From 677a93372e4b7359d19d7e55467fa5ccea4a80a3 Mon Sep 17 00:00:00 2001
-From: Lukas Slebodnik
-Date: Wed, 15 Aug 2018 22:07:40 +0200
-Subject: [PATCH 2/4] BUILD: Add missing deps to libsss_sbus*.so
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-It indirectly caused failures when linking unit test.
-
- CCLD test_sbus_opath
-/usr/bin/ld: ./.libs/libsss_sbus.so: undefined reference to `g_utf8_validate'
-/usr/bin/ld: ./.libs/libsss_sbus.so: undefined reference to `g_free'
-/usr/bin/ld: ./.libs/libsss_sbus.so: undefined reference to `g_malloc'
-/usr/bin/ld: ./.libs/libsss_sbus.so: undefined reference to `g_utf8_casefold'
-/usr/bin/ld: ./.libs/libsss_sbus.so: undefined reference to `g_utf8_collate'
-/usr/bin/ld: ./.libs/libsss_sbus.so: undefined reference to `g_utf8_strlen'
-/usr/bin/ld: ./.libs/libsss_sbus.so: undefined reference to `g_utf8_strdown'
-
-Merges: https://pagure.io/SSSD/sssd/pull-request/3808
-
-Reviewed-by: Pavel Březina
----
- Makefile.am | 2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/Makefile.am b/Makefile.am
-index a2d8ea4..1b4f044 100644
---- a/Makefile.am
-+++ b/Makefile.am
-@@ -1105,6 +1105,7 @@ libsss_sbus_la_LIBADD = \
- $(TALLOC_LIBS) \
- $(TEVENT_LIBS) \
- $(DBUS_LIBS) \
-+ $(UNICODE_LIBS) \
- $(NULL)
- libsss_sbus_la_CFLAGS = \
- $(AM_CFLAGS) \
-@@ -1146,6 +1147,7 @@ libsss_sbus_sync_la_CFLAGS = \
- $(AM_CFLAGS) \
- $(TALLOC_CFLAGS) \
- $(DBUS_CFLAGS) \
-+ $(UNICODE_LIBS) \
- $(NULL)
- libsss_sbus_sync_la_LDFLAGS = \
- -avoid-version \
---
-2.9.5
-
diff --git a/0002-sbus-improve-documentation-of-SBUS_INTERFACE.patch b/0002-sbus-improve-documentation-of-SBUS_INTERFACE.patch
deleted file mode 100644
index 55594b5..0000000
--- a/0002-sbus-improve-documentation-of-SBUS_INTERFACE.patch
+++ /dev/null
@@ -1,267 +0,0 @@ -From e185b039468ec27bbc905c61c57dffc5496af521 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Pavel=20B=C5=99ezina?= -Date: Tue, 5 Feb 2019 10:36:13 +0100 -Subject: [PATCH 2/3] sbus: improve documentation of SBUS_INTERFACE - -Reviewed-by: Alexey Tikhonov ---- - src/sbus/sbus_interface.h | 195 +++++++++++++++++++++++++++----------- - 1 file changed, 138 insertions(+), 57 deletions(-) - -diff --git a/src/sbus/sbus_interface.h b/src/sbus/sbus_interface.h -index 45ab4b5ad..2312fde68 100644 ---- a/src/sbus/sbus_interface.h -+++ b/src/sbus/sbus_interface.h -@@ -49,35 +49,47 @@ struct sbus_node; - * - * @see SBUS_SYNC, SBUS_ASYNC, SBUS_NO_METHODS, SBUS_WITHOUT_METHODS - * -+ * The following examples demonstrate the intended usage of this macro. -+ * Do not use it in any other way. -+ * - * @example Interface with two methods, one with synchronous handler, - * one with asynchronous handler. - * -- * struct sbus_interface iface = { -- * .name = SBUS_IFACE_ORG_FREEDESKTOP_SSSD, -- * SBUS_METHODS( -- * SBUS_SYNC (METHOD, org_freedekstop_sssd, UpdateMembers, -- * update_members_sync, pvt_data), -- * SBUS_ASYNC(METHOD, org_freedekstop_sssd, UpdateMembersAsync, -- * update_members_send, update_members_recv, -- * pvt_data) -- * ) -- * }; -+ * SBUS_INTERFACE( -+ * iface_variable, -+ * org_freedesktop_sssd, -+ * SBUS_METHODS( -+ * SBUS_SYNC (METHOD, org_freedekstop_sssd, UpdateMembers, -+ * update_members_sync, pvt_data), -+ * SBUS_ASYNC(METHOD, org_freedekstop_sssd, UpdateMembersAsync, -+ * update_members_send, update_members_recv, -+ * pvt_data) -+ * ), -+ * @signals, -+ * @properties -+ * ); - * - * @example Interface with no methods. 
- * -- * struct sbus_interface empty_iface = { -- * .name = SBUS_IFACE_ORG_FREEDESKTOP_SSSD, -- * SBUS_METHODS( -- * SBUS_NO_METHODS -- * ) -- * }; -+ * SBUS_INTERFACE( -+ * iface_variable, -+ * org_freedesktop_sssd, -+ * SBUS_METHODS( -+ * SBUS_NO_METHODS -+ * ), -+ * @signals, -+ * @properties -+ * ); - * - * or - * -- * struct sbus_interface empty_iface = { -- * .name = SBUS_IFACE_ORG_FREEDESKTOP_SSSD, -- * SBUS_WITHOUT_METHODS -- * }; -+ * SBUS_INTERFACE( -+ * iface_variable, -+ * org_freedesktop_sssd, -+ * SBUS_WITHOUT_METHODS, -+ * @signals, -+ * @properties -+ * ); - */ - #define SBUS_METHODS(...) \ - { \ -@@ -91,30 +103,42 @@ struct sbus_node; - * - * @see SBUS_EMIT, SBUS_NO_SIGNALS, SBUS_WITHOUT_SIGNALS - * -+ * The following examples demonstrate the intended usage of this macro. -+ * Do not use it in any other way. -+ * - * @example Interface that can emit a PropertyChanged signal. - * -- * struct sbus_interface iface = { -- * .name = SBUS_IFACE_ORG_FREEDESKTOP_SSSD, -- * SBUS_SIGNALS( -- * SBUS_EMIT(org_freedekstop_sssd, PropertyChanged) -- * ) -- * }; -+ * SBUS_INTERFACE( -+ * iface_variable, -+ * org_freedesktop_sssd, -+ * @methods, -+ * SBUS_SIGNALS( -+ * SBUS_EMIT(org_freedekstop_sssd, PropertyChanged) -+ * ), -+ * @properties -+ * ); - * - * @example Interface with no signals. - * -- * struct sbus_interface empty_iface = { -- * .name = SBUS_IFACE_ORG_FREEDESKTOP_SSSD, -- * SBUS_SIGNALS( -- * SBUS_NO_SIGNALS -- * ) -- * }; -+ * SBUS_INTERFACE( -+ * iface_variable, -+ * org_freedesktop_sssd, -+ * @methods, -+ * SBUS_SIGNALS( -+ * SBUS_NO_SIGNALS -+ * ), -+ * @properties -+ * ); - * - * or - * -- * struct sbus_interface empty_iface = { -- * .name = SBUS_IFACE_ORG_FREEDESKTOP_SSSD, -- * SBUS_WITHOUT_SIGNALS -- * }; -+ * SBUS_INTERFACE( -+ * iface_variable, -+ * org_freedesktop_sssd, -+ * @methods, -+ * SBUS_WITHOUT_SIGNALS, -+ * @properties -+ * ); - */ - #define SBUS_SIGNALS(...) 
\ - { \ -@@ -128,35 +152,47 @@ struct sbus_node; - * - * @see SBUS_SYNC, SBUS_ASYNC, SBUS_NO_PROPERTIES, SBUS_WITHOUT_PROPERTIES - * -+ * The following examples demonstrate the intended usage of this macro. -+ * Do not use it in any other way. -+ * - * @example Interface with one property with asynchronous getter and - * synchronous setter. - * -- * struct sbus_interface iface = { -- * .name = SBUS_IFACE_ORG_FREEDESKTOP_SSSD, -- * SBUS_PROPERTIES( -- * SBUS_SYNC (GETTER, org_freedekstop_sssd, domain_name, -- * set_domain_name, pvt_data), -- * SBUS_ASYNC(GETTER, org_freedekstop_sssd, domain_name, -- * get_domain_name_send, get_domain_name_recv, -- * pvt_data) -- * ) -- * }; -+ * SBUS_INTERFACE( -+ * iface_variable, -+ * org_freedesktop_sssd, -+ * @methods, -+ * @signals, -+ * SBUS_PROPERTIES( -+ * SBUS_SYNC (GETTER, org_freedekstop_sssd, domain_name, -+ * set_domain_name, pvt_data), -+ * SBUS_ASYNC(GETTER, org_freedekstop_sssd, domain_name, -+ * get_domain_name_send, get_domain_name_recv, -+ * pvt_data) -+ * ) -+ * ); - * - * @example Interface with no properties. - * -- * struct sbus_interface empty_iface = { -- * .name = SBUS_IFACE_ORG_FREEDESKTOP_SSSD, -- * SBUS_PROPERTIES( -- * SBUS_NO_PROPERTIES -- * ) -- * }; -+ * SBUS_INTERFACE( -+ * iface_variable, -+ * org_freedesktop_sssd, -+ * @methods, -+ * @signals, -+ * SBUS_PROPERTIES( -+ * SBUS_NO_PROPERTIES -+ * ) -+ * ); - * - * or - * -- * struct sbus_interface empty_iface = { -- * .name = SBUS_IFACE_ORG_FREEDESKTOP_SSSD, -- * SBUS_WITHOUT_PROPERTIES -- * }; -+ * SBUS_INTERFACE( -+ * iface_variable, -+ * org_freedesktop_sssd, -+ * @methods, -+ * @signals, -+ * SBUS_WITHOUT_PROPERTIES -+ * ); - */ - #define SBUS_PROPERTIES(...) \ - { \ -@@ -239,8 +275,53 @@ struct sbus_node; - * @param signals Signals on the interface. - * @param properties Properties on the interface. 
- * -+ * Please note that the following macro introduced to the scope these variables: -+ * - __varname_m -+ * - __varname_s -+ * - __varname_p -+ * -+ * These variables are intended for internal purpose only and should not be -+ * used outside this macro. They are allocated on stack and will be destroyed -+ * with it. -+ * -+ * Additionally, it creates 'struct sbus_interface varname'. This variable -+ * holds the information about the interfaces you created. The structure and -+ * all its data are allocated on stack and will be destroyed with it. -+ * -+ * The only intended usage of this variable is to assign it to an sbus path -+ * and then register this path inside the same function where the interface -+ * is defined. It should not be used in any other way. -+ * -+ * The following example demonstrates the intended usage of this macro. -+ * Do not use it in any other way. -+ * - * @example -- * SBUS_INTERFACE(org_freedesktop_sssd, @methods, @signals, @properties) -+ * SBUS_INTERFACE( -+ * iface_bus, -+ * org_freedesktop_DBus, -+ * SBUS_METHODS( -+ * SBUS_SYNC(METHOD, org_freedesktop_DBus, Hello, sbus_server_bus_hello, server), -+ * SBUS_SYNC(METHOD, org_freedesktop_DBus, RequestName, sbus_server_bus_request_name, server), -+ * ), -+ * SBUS_SIGNALS( -+ * SBUS_EMITS(org_freedesktop_DBus, NameOwnerChanged), -+ * SBUS_EMITS(org_freedesktop_DBus, NameAcquired), -+ * SBUS_EMITS(org_freedesktop_DBus, NameLost) -+ * ), -+ * SBUS_WITHOUT_PROPERTIES -+ * ); -+ * -+ * struct sbus_path paths[] = { -+ * {"/org/freedesktop/dbus", &iface_bus}, -+ * {NULL, NULL} -+ * }; -+ * -+ * ret = sbus_router_add_path_map(server->router, paths); -+ * if (ret != EOK) { -+ * DEBUG(SSSDBG_CRIT_FAILURE, "Unable to add paths [%d]: %s\n", -+ * ret, sss_strerror(ret)); -+ * return ret; -+ * } - * - * @see SBUS_METHODS, SBUS_SIGNALS, SBUS_PROPERTIES to create those arguments. - */ --- -2.20.1 - 
diff --git a/0003-BUILD-Reduce-compilation-of-unnecessary-files.patch b/0003-BUILD-Reduce-compilation-of-unnecessary-files.patch
deleted file mode 100644
index 3e45982..0000000
--- a/0003-BUILD-Reduce-compilation-of-unnecessary-files.patch
+++ /dev/null
@@ -1,118 +0,0 @@ -From 53ed60b878d3737d4c174644b69df960595479da Mon Sep 17 00:00:00 2001 -From: Lukas Slebodnik -Date: Wed, 15 Aug 2018 22:23:42 +0200 -Subject: [PATCH 3/4] BUILD: Reduce compilation of unnecessary files -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -We safe compilation of 52 files 2 times with linking to existing -internal libraries. - -It also fixes issue with multiple definition of the same symbol - - CCLD responder_common-tests -/usr/bin/ld: .libs/libsss_debug.so and ../../../src/util/responder_common_tests-debug.o: - warning: multiple common of `sss_logger' -collect2: error: ld returned 1 exit status - -Merges: https://pagure.io/SSSD/sssd/pull-request/3808 - -Reviewed-by: Pavel Březina ---- - src/tests/cwrap/Makefile.am | 64 +++------------------------------------------ - 1 file changed, 4 insertions(+), 60 deletions(-) - -diff --git a/src/tests/cwrap/Makefile.am b/src/tests/cwrap/Makefile.am -index d5778d1..b63c695 100644 ---- a/src/tests/cwrap/Makefile.am -+++ b/src/tests/cwrap/Makefile.am -@@ -66,67 +66,7 @@ SSSD_CACHE_REQ_OBJ = \ - ../../../src/responder/common/cache_req/plugins/cache_req_host_by_name.c \ - $(NULL) - --SSSD_SBUS_OBJ = \ -- ../../../src/util/check_and_open.c \ -- ../../../src/util/debug.c \ -- ../../../src/util/sss_ptr_hash.c \ -- ../../../src/util/sss_ptr_list.c \ -- ../../../src/util/sss_utf8.c \ -- ../../../src/util/util.c \ -- ../../../src/util/util_errors.c \ -- ../../../src/util/util_ext.c \ -- ../../../src/util/strtonum.c \ -- ../../../src/sbus/sbus_errors.c \ -- ../../../src/sbus/sbus_opath.c \ -- ../../../src/sbus/connection/sbus_connection.c \ -- ../../../src/sbus/connection/sbus_connection_connect.c \ -- ../../../src/sbus/connection/sbus_dbus.c \ -- ../../../src/sbus/connection/sbus_dispatcher.c \ -- ../../../src/sbus/connection/sbus_reconnect.c \ -- ../../../src/sbus/connection/sbus_send.c \ -- ../../../src/sbus/connection/sbus_watch.c \ -- 
../../../src/sbus/interface_dbus/sbus_dbus_arguments.c \ -- ../../../src/sbus/interface_dbus/sbus_dbus_client_async.c \ -- ../../../src/sbus/interface_dbus/sbus_dbus_invokers.c \ -- ../../../src/sbus/interface_dbus/sbus_dbus_keygens.c \ -- ../../../src/sbus/interface_dbus/sbus_dbus_symbols.c \ -- ../../../src/sbus/interface/sbus_interface.c \ -- ../../../src/sbus/interface/sbus_introspection.c \ -- ../../../src/sbus/interface/sbus_iterator_readers.c \ -- ../../../src/sbus/interface/sbus_iterator_writers.c \ -- ../../../src/sbus/interface/sbus_properties.c \ -- ../../../src/sbus/interface/sbus_properties_parser.c \ -- ../../../src/sbus/interface/sbus_std_signals.c \ -- ../../../src/sbus/request/sbus_message.c \ -- ../../../src/sbus/request/sbus_request.c \ -- ../../../src/sbus/request/sbus_request_call.c \ -- ../../../src/sbus/request/sbus_request_hash.c \ -- ../../../src/sbus/request/sbus_request_sender.c \ -- ../../../src/sbus/request/sbus_request_util.c \ -- ../../../src/sbus/router/sbus_router.c \ -- ../../../src/sbus/router/sbus_router_handler.c \ -- ../../../src/sbus/router/sbus_router_hash.c \ -- ../../../src/sbus/server/sbus_server_handler.c \ -- ../../../src/sbus/server/sbus_server_interface.c \ -- ../../../src/sbus/server/sbus_server_match.c \ -- ../../../src/sbus/server/sbus_server.c \ -- $(NULL) -- --SSSD_IFACE_OBJ = \ -- ../../../src/sss_iface/sbus_sss_arguments.c \ -- ../../../src/sss_iface/sbus_sss_client_async.c \ -- ../../../src/sss_iface/sbus_sss_invokers.c \ -- ../../../src/sss_iface/sbus_sss_keygens.c \ -- ../../../src/sss_iface/sbus_sss_symbols.c \ -- ../../../src/sss_iface/sss_iface_types.c \ -- ../../../src/sss_iface/sss_iface.c \ -- ../../../src/util/domain_info_utils.c \ -- ../../../src/util/sss_pam_data.c \ -- $(NULL) -- - SSSD_RESPONDER_IFACE_OBJ = \ -- $(SSSD_SBUS_OBJ) \ -- $(SSSD_IFACE_OBJ) \ - ../../../src/responder/common/responder_iface.c \ - $(NULL) - -@@ -244,6 +184,8 @@ responder_common_tests_LDADD = \ - 
$(abs_top_builddir)/libsss_util.la \ - $(abs_top_builddir)/libsss_debug.la \ - $(abs_top_builddir)/libsss_test_common.la \ -+ $(abs_top_builddir)/libsss_iface.la \ -+ $(abs_top_builddir)/libsss_sbus.la \ - $(NULL) - - negcache_tests_SOURCES =\ -@@ -262,6 +204,8 @@ negcache_tests_LDADD = \ - $(abs_top_builddir)/libsss_util.la \ - $(abs_top_builddir)/libsss_debug.la \ - $(abs_top_builddir)/libsss_test_common.la \ -+ $(abs_top_builddir)/libsss_iface.la \ -+ $(abs_top_builddir)/libsss_sbus.la \ - $(NULL) - - tests: $(check_PROGRAMS) --- -2.9.5 - diff --git a/0003-sbus-interface-fixed-interface-copy-helpers.patch b/0003-sbus-interface-fixed-interface-copy-helpers.patch deleted file mode 100644 index c0e59f9..0000000 --- a/0003-sbus-interface-fixed-interface-copy-helpers.patch +++ /dev/null 
@@ -1,58 +0,0 @@ -From 38ebae7e0ea889fa9022670a3e08e7352b624677 Mon Sep 17 00:00:00 2001 -From: Alexey Tikhonov -Date: Mon, 4 Feb 2019 18:13:14 +0100 -Subject: [PATCH 3/3] sbus/interface: fixed interface copy helpers -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -In `sbus_method_copy()` and other copy helpers there was code like: -``` -copy = talloc_zero_array(mem_ctx, struct sbus_method, count + 1); -memcpy(copy, input, sizeof(struct sbus_method) * count + 1); -``` -Copy of one byte of "sentinel" doesn't make a sense. -We can either rely on the fact that sentinel is zero-initialized struct -*and* `talloc_zero_array()` zero-initializes memory (so copying of -sentinel may be omitted at all) or just copy sentinel in a whole. -Opted for second option as more clear variant. - -Reviewed-by: Pavel Březina ---- - src/sbus/interface/sbus_interface.c | 6 +++--- - 1 file changed, 3 insertions(+), 3 deletions(-) - -diff --git a/src/sbus/interface/sbus_interface.c b/src/sbus/interface/sbus_interface.c -index ed1b5fd79..afd54dd81 100644 ---- a/src/sbus/interface/sbus_interface.c -+++ b/src/sbus/interface/sbus_interface.c -@@ -109,7 +109,7 @@ sbus_method_copy(TALLOC_CTX *mem_ctx, - - /* All data is either pointer to a static data or it is not a pointer. - * We can just copy it. */ -- memcpy(copy, input, sizeof(struct sbus_method) * count + 1); -+ memcpy(copy, input, sizeof(struct sbus_method) * (count + 1)); - - return copy; - } -@@ -144,7 +144,7 @@ sbus_signal_copy(TALLOC_CTX *mem_ctx, - - /* All data is either pointer to a static data or it is not a pointer. - * We can just copy it. */ -- memcpy(copy, input, sizeof(struct sbus_signal) * count + 1); -+ memcpy(copy, input, sizeof(struct sbus_signal) * (count + 1)); - - return copy; - } -@@ -208,7 +208,7 @@ sbus_property_copy(TALLOC_CTX *mem_ctx, - - /* All data is either pointer to a static data or it is not a pointer. - * We can just copy it. 
*/ -- memcpy(copy, input, sizeof(struct sbus_property) * count + 1); -+ memcpy(copy, input, sizeof(struct sbus_property) * (count + 1)); - - return copy; - } --- -2.20.1 - diff --git a/0004-KCM-Don-t-error-out-if-creating-a-new-ID-as-the-firs.patch b/0004-KCM-Don-t-error-out-if-creating-a-new-ID-as-the-firs.patch deleted file mode 100644 index 15c17a9..0000000 --- a/0004-KCM-Don-t-error-out-if-creating-a-new-ID-as-the-firs.patch +++ /dev/null @@ -1,39 +0,0 @@ -From 81dce19792cf300950411722d16b72f8816aecb0 Mon Sep 17 00:00:00 2001 -From: Jakub Hrozek -Date: Tue, 28 Aug 2018 14:47:44 +0200 -Subject: [PATCH] KCM: Don't error out if creating a new ID as the first step -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -We need to handle the case where the nextID operation is ran, but the -secdb is totally empty, otherwise logins with sssd's krb5_child would -fail. - -Resolves: -https://pagure.io/SSSD/sssd/issue/3815 - -Reviewed-by: Michal Židek ---- - src/responder/kcm/kcmsrv_ccache_secdb.c | 5 ++++- - 1 file changed, 4 insertions(+), 1 deletion(-) - -diff --git a/src/responder/kcm/kcmsrv_ccache_secdb.c b/src/responder/kcm/kcmsrv_ccache_secdb.c -index 0f1c037..a61d7b1 100644 ---- a/src/responder/kcm/kcmsrv_ccache_secdb.c -+++ b/src/responder/kcm/kcmsrv_ccache_secdb.c -@@ -595,7 +595,10 @@ static struct tevent_req *ccdb_secdb_nextid_send(TALLOC_CTX *mem_ctx, - } - - ret = sss_sec_list(state, sreq, &keys, &nkeys); -- if (ret != EOK) { -+ if (ret == ENOENT) { -+ keys = NULL; -+ nkeys = 0; -+ } else if (ret != EOK) { - DEBUG(SSSDBG_OP_FAILURE, - "Cannot list keys [%d]: %s\n", - ret, sss_strerror(ret)); --- -2.9.5 - diff --git a/0005-sbus-register-filter-on-new-connection.patch b/0005-sbus-register-filter-on-new-connection.patch deleted file mode 100644 index 527fb3a..0000000 --- a/0005-sbus-register-filter-on-new-connection.patch +++ /dev/null 
@@ -1,48 +0,0 @@ -From 55d5b43543b5ef62322fe635fe8108410cb4ea77 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Pavel=20B=C5=99ezina?= -Date: Wed, 5 Sep 2018 15:08:52 +0200 -Subject: [PATCH 08/83] sbus: register filter on new connection - -The filter is not again registered on new connection when the old connection -was lost. This caused a segfault when the router is destroyed during shutdown. - -It also would not allow to recieve and process any messages as the filter -function is needed for that. However, this was not very visible with -current sssd architecture. - -Steps to reproduce: -1. Run SSSD -2. pkill sssd_be -3. Wait for responders to reconnect to backend -4. Shutdown SSSD -5. It will crash without this patch - -Resolves: -https://pagure.io/SSSD/sssd/issue/3821 - -Reviewed-by: Jakub Hrozek ---- - src/sbus/router/sbus_router.c | 7 +++++++ - 1 file changed, 7 insertions(+) - -diff --git a/src/sbus/router/sbus_router.c b/src/sbus/router/sbus_router.c -index 24c2c76..d31cef1 100644 ---- a/src/sbus/router/sbus_router.c -+++ b/src/sbus/router/sbus_router.c -@@ -364,6 +364,13 @@ errno_t - sbus_router_reset(struct sbus_connection *conn) - { - errno_t ret; -+ bool bret; -+ -+ bret = sbus_router_filter_add(conn->router); -+ if (!bret) { -+ DEBUG(SSSDBG_CRIT_FAILURE, "Unable to register message filter!\n"); -+ return EFAULT; -+ } - - ret = sbus_router_reset_listeners(conn); - if (ret != EOK) { --- -2.9.5 - diff --git a/0006-sbus-fix-typo.patch b/0006-sbus-fix-typo.patch deleted file mode 100644 index e952d62..0000000 --- a/0006-sbus-fix-typo.patch +++ /dev/null 
@@ -1,26 +0,0 @@ -From 8c8f74b0dfa29643279d31b12300ced47d5c2ab5 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Pavel=20B=C5=99ezina?= -Date: Thu, 16 Aug 2018 11:42:44 +0200 -Subject: [PATCH 09/83] sbus: fix typo - -Reviewed-by: Jakub Hrozek ---- - src/sbus/sbus_message.h | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/src/sbus/sbus_message.h b/src/sbus/sbus_message.h -index 99dd930..92d5cea 100644 ---- a/src/sbus/sbus_message.h -+++ b/src/sbus/sbus_message.h -@@ -49,7 +49,7 @@ sbus_message_bound(TALLOC_CTX *mem_ctx, DBusMessage *msg); - * - * DO NOT USE dbus_message_unref() on such message anymore since it would not - * release internal data about the bound. The message will be automatically -- * unreferenced whent the talloc context is freed. -+ * unreferenced when the talloc context is freed. - * - * @param mem_ctx Memory context to bound the message with. It can not be NULL. - * @param msg Message to be bound with memory context. --- -2.9.5 - diff --git a/0007-sbus-check-for-null-message-in-sbus_message_bound.patch b/0007-sbus-check-for-null-message-in-sbus_message_bound.patch deleted file mode 100644 index e3fd232..0000000 --- a/0007-sbus-check-for-null-message-in-sbus_message_bound.patch +++ /dev/null 
@@ -1,41 +0,0 @@ -From 30f4adf874aff174734ad77902a79fc5727ab495 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Pavel=20B=C5=99ezina?= -Date: Thu, 16 Aug 2018 12:57:47 +0200 -Subject: [PATCH 10/83] sbus: check for null message in sbus_message_bound - -Reviewed-by: Jakub Hrozek ---- - src/sbus/request/sbus_message.c | 10 ++++++++++ - 1 file changed, 10 insertions(+) - -diff --git a/src/sbus/request/sbus_message.c b/src/sbus/request/sbus_message.c -index 950be91..7314fd7 100644 ---- a/src/sbus/request/sbus_message.c -+++ b/src/sbus/request/sbus_message.c -@@ -83,6 +83,11 @@ sbus_message_bound(TALLOC_CTX *mem_ctx, DBusMessage *msg) - return EINVAL; - } - -+ if (msg == NULL) { -+ DEBUG(SSSDBG_CRIT_FAILURE, "Message can not be NULL!\n"); -+ return EINVAL; -+ } -+ - /* Create a talloc context that will unreference this message when - * the parent context is freed. */ - talloc_msg = talloc(mem_ctx, struct sbus_talloc_msg); -@@ -122,6 +127,11 @@ sbus_message_bound(TALLOC_CTX *mem_ctx, DBusMessage *msg) - errno_t - sbus_message_bound_ref(TALLOC_CTX *mem_ctx, DBusMessage *msg) - { -+ if (msg == NULL) { -+ DEBUG(SSSDBG_CRIT_FAILURE, "Message can not be NULL!\n"); -+ return EINVAL; -+ } -+ - dbus_message_ref(msg); - return sbus_message_bound(mem_ctx, msg); - } --- -2.9.5 - diff --git a/0008-sbus-replace-sbus_message_bound_ref-with-sbus_messag.patch b/0008-sbus-replace-sbus_message_bound_ref-with-sbus_messag.patch deleted file mode 100644 index 2ef5432..0000000 --- a/0008-sbus-replace-sbus_message_bound_ref-with-sbus_messag.patch +++ /dev/null 
@@ -1,336 +0,0 @@ -From ca50c40511f08c0f7c786598e5793a06789c6cce Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Pavel=20B=C5=99ezina?= -Date: Thu, 16 Aug 2018 13:17:13 +0200 -Subject: [PATCH 11/83] sbus: replace sbus_message_bound_ref with - sbus_message_bound_steal - -The memory context used to new message reference accidentally overwrote -the one use by the initial sbus_message_bound call. This caused a memory -leak of message as its reference counter got increased but number of -talloc contexts bound this this message decreased at the same time. - -Fixing this is non-trival and it would require separate data slot for -each reference. Because we do not have any existing use case for this -and we use it only as an equivalent of talloc_steal it is better to -provide a real equivalent for this talloc function. - -Resolves: -https://pagure.io/SSSD/sssd/issue/3810 - -Reviewed-by: Jakub Hrozek ---- - src/responder/ifp/ifp_iface/sbus_ifp_client_sync.c | 4 +- - src/sbus/codegen/templates/client_async.c.tpl | 4 +- - src/sbus/codegen/templates/client_sync.c.tpl | 4 +- - src/sbus/interface_dbus/sbus_dbus_client_async.c | 8 ++-- - src/sbus/interface_dbus/sbus_dbus_client_sync.c | 8 ++-- - src/sbus/request/sbus_message.c | 51 +++++++++++++++++----- - src/sbus/request/sbus_request.c | 10 ++--- - src/sbus/request/sbus_request_call.c | 5 +-- - src/sbus/sbus_message.h | 8 +--- - src/sbus/sync/sbus_sync_call.c | 5 +-- - 10 files changed, 65 insertions(+), 42 deletions(-) - -diff --git a/src/responder/ifp/ifp_iface/sbus_ifp_client_sync.c b/src/responder/ifp/ifp_iface/sbus_ifp_client_sync.c -index 4859b93..1f0a8e3 100644 ---- a/src/responder/ifp/ifp_iface/sbus_ifp_client_sync.c -+++ b/src/responder/ifp/ifp_iface/sbus_ifp_client_sync.c -@@ -526,9 +526,9 @@ sbus_method_in_sas_out_raw - goto done; - } - -- ret = sbus_message_bound_ref(mem_ctx, reply); -+ ret = sbus_message_bound_steal(mem_ctx, reply); - if (ret != EOK) { -- DEBUG(SSSDBG_CRIT_FAILURE, "Unable to bound message [%d]: %s\n", -+ 
DEBUG(SSSDBG_CRIT_FAILURE, "Unable to steal message [%d]: %s\n", - ret, sss_strerror(ret)); - goto done; - } -diff --git a/src/sbus/codegen/templates/client_async.c.tpl b/src/sbus/codegen/templates/client_async.c.tpl -index 6ffb4f8..e16ce42 100644 ---- a/src/sbus/codegen/templates/client_async.c.tpl -+++ b/src/sbus/codegen/templates/client_async.c.tpl -@@ -193,9 +193,9 @@ - return EINVAL; - } - -- ret = sbus_message_bound_ref(mem_ctx, state->reply); -+ ret = sbus_message_bound_steal(mem_ctx, state->reply); - if (ret != EOK) { -- DEBUG(SSSDBG_CRIT_FAILURE, "Unable to bound message [%d]: %s\n", -+ DEBUG(SSSDBG_CRIT_FAILURE, "Unable to steal message [%d]: %s\n", - ret, sss_strerror(ret)); - return ret; - } -diff --git a/src/sbus/codegen/templates/client_sync.c.tpl b/src/sbus/codegen/templates/client_sync.c.tpl -index 30fa009..fe9a3a4 100644 ---- a/src/sbus/codegen/templates/client_sync.c.tpl -+++ b/src/sbus/codegen/templates/client_sync.c.tpl -@@ -110,9 +110,9 @@ - goto done; - } - -- ret = sbus_message_bound_ref(mem_ctx, reply); -+ ret = sbus_message_bound_steal(mem_ctx, reply); - if (ret != EOK) { -- DEBUG(SSSDBG_CRIT_FAILURE, "Unable to bound message [%d]: %s\n", -+ DEBUG(SSSDBG_CRIT_FAILURE, "Unable to steal message [%d]: %s\n", - ret, sss_strerror(ret)); - goto done; - } -diff --git a/src/sbus/interface_dbus/sbus_dbus_client_async.c b/src/sbus/interface_dbus/sbus_dbus_client_async.c -index 9dbd72c..0060e8b 100644 ---- a/src/sbus/interface_dbus/sbus_dbus_client_async.c -+++ b/src/sbus/interface_dbus/sbus_dbus_client_async.c -@@ -301,9 +301,9 @@ sbus_method_in_s_out_raw_recv - return EINVAL; - } - -- ret = sbus_message_bound_ref(mem_ctx, state->reply); -+ ret = sbus_message_bound_steal(mem_ctx, state->reply); - if (ret != EOK) { -- DEBUG(SSSDBG_CRIT_FAILURE, "Unable to bound message [%d]: %s\n", -+ DEBUG(SSSDBG_CRIT_FAILURE, "Unable to steal message [%d]: %s\n", - ret, sss_strerror(ret)); - return ret; - } -@@ -513,9 +513,9 @@ sbus_method_in_ss_out_raw_recv - 
return EINVAL; - } - -- ret = sbus_message_bound_ref(mem_ctx, state->reply); -+ ret = sbus_message_bound_steal(mem_ctx, state->reply); - if (ret != EOK) { -- DEBUG(SSSDBG_CRIT_FAILURE, "Unable to bound message [%d]: %s\n", -+ DEBUG(SSSDBG_CRIT_FAILURE, "Unable to steal message [%d]: %s\n", - ret, sss_strerror(ret)); - return ret; - } -diff --git a/src/sbus/interface_dbus/sbus_dbus_client_sync.c b/src/sbus/interface_dbus/sbus_dbus_client_sync.c -index a0473cd..3ab0aab 100644 ---- a/src/sbus/interface_dbus/sbus_dbus_client_sync.c -+++ b/src/sbus/interface_dbus/sbus_dbus_client_sync.c -@@ -101,9 +101,9 @@ sbus_method_in_s_out_raw - goto done; - } - -- ret = sbus_message_bound_ref(mem_ctx, reply); -+ ret = sbus_message_bound_steal(mem_ctx, reply); - if (ret != EOK) { -- DEBUG(SSSDBG_CRIT_FAILURE, "Unable to bound message [%d]: %s\n", -+ DEBUG(SSSDBG_CRIT_FAILURE, "Unable to steal message [%d]: %s\n", - ret, sss_strerror(ret)); - goto done; - } -@@ -159,9 +159,9 @@ sbus_method_in_ss_out_raw - goto done; - } - -- ret = sbus_message_bound_ref(mem_ctx, reply); -+ ret = sbus_message_bound_steal(mem_ctx, reply); - if (ret != EOK) { -- DEBUG(SSSDBG_CRIT_FAILURE, "Unable to bound message [%d]: %s\n", -+ DEBUG(SSSDBG_CRIT_FAILURE, "Unable to steal message [%d]: %s\n", - ret, sss_strerror(ret)); - goto done; - } -diff --git a/src/sbus/request/sbus_message.c b/src/sbus/request/sbus_message.c -index 7314fd7..90c6df4 100644 ---- a/src/sbus/request/sbus_message.c -+++ b/src/sbus/request/sbus_message.c -@@ -29,8 +29,9 @@ - #include "sbus/interface/sbus_iterator_writers.h" - - /* Data slot that is used for message data. The slot is shared for all -- * messages. */ --dbus_int32_t data_slot = -1; -+ * messages, i.e. when a data slot is allocated all messages have the -+ * slot available. 
*/ -+dbus_int32_t global_data_slot = -1; - - struct sbus_talloc_msg { - DBusMessage *msg; -@@ -48,7 +49,7 @@ static int sbus_talloc_msg_destructor(struct sbus_talloc_msg *talloc_msg) - /* There may exist more references to this message but this talloc - * context is no longer valid. We remove dbus message data to invoke - * dbus destructor now. */ -- dbus_message_set_data(talloc_msg->msg, data_slot, NULL, NULL); -+ dbus_message_set_data(talloc_msg->msg, global_data_slot, NULL, NULL); - dbus_message_unref(talloc_msg->msg); - return 0; - } -@@ -60,7 +61,7 @@ static void sbus_msg_data_destructor(void *ctx) - talloc_msg = talloc_get_type(ctx, struct sbus_talloc_msg); - - /* Decrement ref counter on data slot. */ -- dbus_message_free_data_slot(&data_slot); -+ dbus_message_free_data_slot(&global_data_slot); - - if (!talloc_msg->in_talloc_destructor) { - /* References to this message dropped to zero but through -@@ -100,7 +101,8 @@ sbus_message_bound(TALLOC_CTX *mem_ctx, DBusMessage *msg) - /* Allocate a dbus message data slot that will contain pointer to the - * talloc context so we can pick up cases when the dbus message is - * freed through dbus api. 
*/ -- bret = dbus_message_allocate_data_slot(&data_slot); -+ -+ bret = dbus_message_allocate_data_slot(&global_data_slot); - if (!bret) { - DEBUG(SSSDBG_CRIT_FAILURE, "Unable to allocate data slot!\n"); - talloc_free(talloc_msg); -@@ -108,11 +110,11 @@ sbus_message_bound(TALLOC_CTX *mem_ctx, DBusMessage *msg) - } - - free_fn = sbus_msg_data_destructor; -- bret = dbus_message_set_data(msg, data_slot, talloc_msg, free_fn); -+ bret = dbus_message_set_data(msg, global_data_slot, talloc_msg, free_fn); - if (!bret) { - DEBUG(SSSDBG_CRIT_FAILURE, "Unable to set message data!\n"); - talloc_free(talloc_msg); -- dbus_message_free_data_slot(&data_slot); -+ dbus_message_free_data_slot(&global_data_slot); - return ENOMEM; - } - -@@ -125,15 +127,44 @@ sbus_message_bound(TALLOC_CTX *mem_ctx, DBusMessage *msg) - } - - errno_t --sbus_message_bound_ref(TALLOC_CTX *mem_ctx, DBusMessage *msg) -+sbus_message_bound_steal(TALLOC_CTX *mem_ctx, DBusMessage *msg) - { -+ struct sbus_talloc_msg *talloc_msg; -+ void *data; -+ -+ if (mem_ctx == NULL) { -+ DEBUG(SSSDBG_CRIT_FAILURE, "Warning: bounding to NULL context!\n"); -+ return EINVAL; -+ } -+ - if (msg == NULL) { - DEBUG(SSSDBG_CRIT_FAILURE, "Message can not be NULL!\n"); - return EINVAL; - } - -- dbus_message_ref(msg); -- return sbus_message_bound(mem_ctx, msg); -+ if (global_data_slot < 0) { -+ DEBUG(SSSDBG_CRIT_FAILURE, "This message is not talloc-bound! " -+ "(data slot < 0)\n"); -+ return ERR_INTERNAL; -+ } -+ -+ data = dbus_message_get_data(msg, global_data_slot); -+ if (data == NULL) { -+ DEBUG(SSSDBG_CRIT_FAILURE, "This message is not talloc-bound! " -+ "(returned data is NULL)\n"); -+ return ERR_INTERNAL; -+ } -+ -+ talloc_msg = talloc_get_type(data, struct sbus_talloc_msg); -+ if (talloc_msg == NULL) { -+ DEBUG(SSSDBG_CRIT_FAILURE, "This message is not talloc-bound! 
" -+ "(invalid data)\n"); -+ return ERR_INTERNAL; -+ } -+ -+ talloc_steal(mem_ctx, talloc_msg); -+ -+ return EOK; - } - - DBusMessage * -diff --git a/src/sbus/request/sbus_request.c b/src/sbus/request/sbus_request.c -index 3d0e2f9..1ccd01e 100644 ---- a/src/sbus/request/sbus_request.c -+++ b/src/sbus/request/sbus_request.c -@@ -564,10 +564,9 @@ sbus_incoming_request_recv(TALLOC_CTX *mem_ctx, - return EOK; - } - -- /* Create new reference to the reply and bound it with caller mem_ctx. */ -- ret = sbus_message_bound_ref(mem_ctx, state->reply); -+ ret = sbus_message_bound_steal(mem_ctx, state->reply); - if (ret != EOK) { -- DEBUG(SSSDBG_CRIT_FAILURE, "Unable to bound message [%d]: %s\n", -+ DEBUG(SSSDBG_CRIT_FAILURE, "Unable to steal message [%d]: %s\n", - ret, sss_strerror(ret)); - return ret; - } -@@ -709,10 +708,9 @@ sbus_outgoing_request_recv(TALLOC_CTX *mem_ctx, - - TEVENT_REQ_RETURN_ON_ERROR(req); - -- /* Create new reference to the reply and bound it with caller mem_ctx. */ -- ret = sbus_message_bound_ref(mem_ctx, state->reply); -+ ret = sbus_message_bound_steal(mem_ctx, state->reply); - if (ret != EOK) { -- DEBUG(SSSDBG_CRIT_FAILURE, "Unable to bound message [%d]: %s\n", -+ DEBUG(SSSDBG_CRIT_FAILURE, "Unable to steal message [%d]: %s\n", - ret, sss_strerror(ret)); - return ret; - } -diff --git a/src/sbus/request/sbus_request_call.c b/src/sbus/request/sbus_request_call.c -index 1cf58bd..cf2a6e5 100644 ---- a/src/sbus/request/sbus_request_call.c -+++ b/src/sbus/request/sbus_request_call.c -@@ -126,10 +126,9 @@ sbus_call_method_recv(TALLOC_CTX *mem_ctx, - - TEVENT_REQ_RETURN_ON_ERROR(req); - -- /* Create new reference to the reply and bound it with caller mem_ctx. 
*/ -- ret = sbus_message_bound_ref(mem_ctx, state->reply); -+ ret = sbus_message_bound_steal(mem_ctx, state->reply); - if (ret != EOK) { -- DEBUG(SSSDBG_CRIT_FAILURE, "Unable to bound message [%d]: %s\n", -+ DEBUG(SSSDBG_CRIT_FAILURE, "Unable to steal message [%d]: %s\n", - ret, sss_strerror(ret)); - return ret; - } -diff --git a/src/sbus/sbus_message.h b/src/sbus/sbus_message.h -index 92d5cea..e7b8fe5 100644 ---- a/src/sbus/sbus_message.h -+++ b/src/sbus/sbus_message.h -@@ -45,11 +45,7 @@ errno_t - sbus_message_bound(TALLOC_CTX *mem_ctx, DBusMessage *msg); - - /** -- * Reference the message and bound it with talloc context. -- * -- * DO NOT USE dbus_message_unref() on such message anymore since it would not -- * release internal data about the bound. The message will be automatically -- * unreferenced when the talloc context is freed. -+ * Steal previously bound D-Bus message to a new talloc parent. - * - * @param mem_ctx Memory context to bound the message with. It can not be NULL. - * @param msg Message to be bound with memory context. -@@ -57,7 +53,7 @@ sbus_message_bound(TALLOC_CTX *mem_ctx, DBusMessage *msg); - * @return EOK on success, other errno code on error. - */ - errno_t --sbus_message_bound_ref(TALLOC_CTX *mem_ctx, DBusMessage *msg); -+sbus_message_bound_steal(TALLOC_CTX *mem_ctx, DBusMessage *msg); - - /** - * Create an empty D-Bus method call. -diff --git a/src/sbus/sync/sbus_sync_call.c b/src/sbus/sync/sbus_sync_call.c -index 8549e58..a4f8a5c 100644 ---- a/src/sbus/sync/sbus_sync_call.c -+++ b/src/sbus/sync/sbus_sync_call.c -@@ -63,10 +63,9 @@ sbus_sync_call_method(TALLOC_CTX *mem_ctx, - goto done; - } - -- /* Create new reference to the reply and bound it with caller mem_ctx. 
*/ -- ret = sbus_message_bound_ref(mem_ctx, reply); -+ ret = sbus_message_bound_steal(mem_ctx, reply); - if (ret != EOK) { -- DEBUG(SSSDBG_CRIT_FAILURE, "Unable to bound message [%d]: %s\n", -+ DEBUG(SSSDBG_CRIT_FAILURE, "Unable to steal message [%d]: %s\n", - ret, sss_strerror(ret)); - goto done; - } --- -2.9.5 - diff --git a/0009-sbus-add-unit-tests-for-public-sbus_message-module.patch b/0009-sbus-add-unit-tests-for-public-sbus_message-module.patch deleted file mode 100644 index 516b5e0..0000000 --- a/0009-sbus-add-unit-tests-for-public-sbus_message-module.patch +++ /dev/null 
@@ -1,663 +0,0 @@ -From c895fa2449900f4abd1dce6bb62a45c52bbb12cf Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Pavel=20B=C5=99ezina?= -Date: Thu, 16 Aug 2018 13:20:55 +0200 -Subject: [PATCH 12/83] sbus: add unit tests for public sbus_message module - -Reviewed-by: Jakub Hrozek ---- - Makefile.am | 14 + - src/tests/cmocka/sbus/test_sbus_message.c | 610 ++++++++++++++++++++++++++++++ - 2 files changed, 624 insertions(+) - create mode 100644 src/tests/cmocka/sbus/test_sbus_message.c - -diff --git a/Makefile.am b/Makefile.am -index 1b4f044..11d0405 100644 ---- a/Makefile.am -+++ b/Makefile.am -@@ -270,6 +270,7 @@ if HAVE_CMOCKA - test_copy_keytab \ - test_child_common \ - responder_cache_req-tests \ -+ test_sbus_message \ - test_sbus_opath \ - test_fo_srv \ - pam-srv-tests \ -@@ -2594,6 +2595,19 @@ test_ssh_client_LDADD = \ - $(SSSD_LIBS) \ - $(NULL) - -+test_sbus_message_SOURCES = \ -+ src/tests/cmocka/sbus/test_sbus_message.c \ -+ $(NULL) -+test_sbus_message_CFLAGS = \ -+ $(AM_CFLAGS) -+test_sbus_message_LDADD = \ -+ $(CMOCKA_LIBS) \ -+ $(POPT_LIBS) \ -+ libsss_debug.la \ -+ libsss_test_common.la \ -+ libsss_sbus.la \ -+ $(NULL) -+ - test_sbus_opath_SOURCES = \ - src/tests/cmocka/sbus/test_sbus_opath.c \ - $(NULL) -diff --git a/src/tests/cmocka/sbus/test_sbus_message.c b/src/tests/cmocka/sbus/test_sbus_message.c -new file mode 100644 -index 0000000..c01e168 ---- /dev/null -+++ b/src/tests/cmocka/sbus/test_sbus_message.c -@@ -0,0 +1,610 @@ -+/* -+ Authors: -+ Jakub Hrozek -+ Pavel Březina -+ -+ Copyright (C) 2014 Red Hat -+ -+ This program is free software; you can redistribute it and/or modify -+ it under the terms of the GNU General Public License as published by -+ the Free Software Foundation; either version 3 of the License, or -+ (at your option) any later version. -+ -+ This program is distributed in the hope that it will be useful, -+ but WITHOUT ANY WARRANTY; without even the implied warranty of -+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the -+ GNU General Public License for more details. -+ -+ You should have received a copy of the GNU General Public License -+ along with this program. If not, see . -+*/ -+ -+#include "config.h" -+ -+#include -+#include -+#include -+ -+#include "util/util.h" -+#include "sbus/sbus_message.h" -+#include "tests/cmocka/common_mock.h" -+#include "tests/common.h" -+ -+#define BASE_PATH "/some/path" -+ -+struct test_ctx { -+ bool msg_removed; -+}; -+ -+static void helper_msg_removed(void *state) -+{ -+ struct test_ctx *test_ctx = talloc_get_type_abort(state, struct test_ctx); -+ -+ test_ctx->msg_removed = true; -+} -+ -+static void helper_msg_watch(struct test_ctx *test_ctx, DBusMessage *msg) -+{ -+ DBusFreeFunction free_fn; -+ dbus_int32_t data_slot = -1; -+ dbus_bool_t bret; -+ -+ assert_non_null(msg); -+ -+ bret = dbus_message_allocate_data_slot(&data_slot); -+ assert_true(bret); -+ -+ free_fn = helper_msg_removed; -+ bret = dbus_message_set_data(msg, data_slot, test_ctx, free_fn); -+ assert_true(bret); -+} -+ -+static int test_setup(void **state) -+{ -+ struct test_ctx *test_ctx; -+ -+ assert_true(leak_check_setup()); -+ -+ test_ctx = talloc_zero(global_talloc_context, struct test_ctx); -+ assert_non_null(test_ctx); -+ *state = test_ctx; -+ -+ check_leaks_push(test_ctx); -+ -+ return 0; -+} -+ -+int test_teardown(void **state) -+{ -+ struct test_ctx *test_ctx; -+ -+ test_ctx = talloc_get_type_abort(*state, struct test_ctx); -+ -+ assert_true(check_leaks_pop(test_ctx)); -+ talloc_zfree(test_ctx); -+ assert_true(leak_check_teardown()); -+ -+ return 0; -+} -+ -+void test_sbus_message_bound__null(void **state) -+{ -+ struct test_ctx *test_ctx = talloc_get_type_abort(*state, struct test_ctx); -+ DBusMessage *msg; -+ errno_t ret; -+ -+ msg = dbus_message_new_method_call("bus.test", "/", "iface.test", "method"); -+ assert_non_null(msg); -+ -+ ret = sbus_message_bound(NULL, msg); -+ assert_int_equal(ret, EINVAL); -+ -+ ret = sbus_message_bound(test_ctx, NULL); -+ 
assert_int_equal(ret, EINVAL);
-+
-+ dbus_message_unref(msg);
-+}
-+
-+void test_sbus_message_bound__unref(void **state)
-+{
-+ struct test_ctx *test_ctx = talloc_get_type_abort(*state, struct test_ctx);
-+ DBusMessage *msg;
-+ errno_t ret;
-+
-+ msg = dbus_message_new_method_call("bus.test", "/", "iface.test", "method");
-+ assert_non_null(msg);
-+ helper_msg_watch(test_ctx, msg);
-+
-+ ret = sbus_message_bound(test_ctx, msg);
-+ assert_int_equal(ret, EOK);
-+
-+ /* no memory leak should be detected in teardown */
-+ dbus_message_unref(msg);
-+ assert_true(test_ctx->msg_removed);
-+}
-+
-+void test_sbus_message_bound__free(void **state)
-+{
-+ struct test_ctx *test_ctx = talloc_get_type_abort(*state, struct test_ctx);
-+ TALLOC_CTX *tmp_ctx;
-+ DBusMessage *msg;
-+ errno_t ret;
-+
-+ tmp_ctx = talloc_new(test_ctx);
-+ assert_non_null(tmp_ctx);
-+
-+ msg = dbus_message_new_method_call("bus.test", "/", "iface.test", "method");
-+ assert_non_null(msg);
-+ helper_msg_watch(test_ctx, msg);
-+
-+ ret = sbus_message_bound(tmp_ctx, msg);
-+ assert_int_equal(ret, EOK);
-+
-+ talloc_free(tmp_ctx);
-+ assert_true(test_ctx->msg_removed);
-+}
-+
-+void test_sbus_message_bound_steal__null(void **state)
-+{
-+ struct test_ctx *test_ctx = talloc_get_type_abort(*state, struct test_ctx);
-+ DBusMessage *msg;
-+ errno_t ret;
-+
-+ msg = dbus_message_new_method_call("bus.test", "/", "iface.test", "method");
-+ assert_non_null(msg);
-+ helper_msg_watch(test_ctx, msg);
-+
-+ ret = sbus_message_bound_steal(NULL, msg);
-+ assert_int_equal(ret, EINVAL);
-+
-+ ret = sbus_message_bound_steal(test_ctx, NULL);
-+ assert_int_equal(ret, EINVAL);
-+
-+ dbus_message_unref(msg);
-+ assert_true(test_ctx->msg_removed);
-+}
-+
-+void test_sbus_message_bound_steal__invalid(void **state)
-+{
-+ struct test_ctx *test_ctx = talloc_get_type_abort(*state, struct test_ctx);
-+ DBusMessage *msg;
-+ errno_t ret;
-+
-+ msg = dbus_message_new_method_call("bus.test", "/", "iface.test", "method");
-+ assert_non_null(msg);
-+ helper_msg_watch(test_ctx, msg);
-+
-+ ret = sbus_message_bound_steal(test_ctx, msg);
-+ assert_int_equal(ret, ERR_INTERNAL);
-+
-+ dbus_message_unref(msg);
-+ assert_true(test_ctx->msg_removed);
-+}
-+
-+void test_sbus_message_bound_steal__free(void **state)
-+{
-+ struct test_ctx *test_ctx = talloc_get_type_abort(*state, struct test_ctx);
-+ TALLOC_CTX *tmp_ctx;
-+ TALLOC_CTX *tmp_ctx_steal;
-+ DBusMessage *msg;
-+ errno_t ret;
-+
-+ tmp_ctx = talloc_new(test_ctx);
-+ assert_non_null(tmp_ctx);
-+
-+ tmp_ctx_steal = talloc_new(test_ctx);
-+ assert_non_null(tmp_ctx_steal);
-+
-+ msg = dbus_message_new_method_call("bus.test", "/", "iface.test", "method");
-+ assert_non_null(msg);
-+ helper_msg_watch(test_ctx, msg);
-+
-+ ret = sbus_message_bound(tmp_ctx, msg);
-+ assert_int_equal(ret, EOK);
-+
-+ /* this will increase ref counter of message and add new talloc bound */
-+ ret = sbus_message_bound_steal(tmp_ctx_steal, msg);
-+ assert_int_equal(ret, EOK);
-+
-+ talloc_free(tmp_ctx);
-+ assert_false(test_ctx->msg_removed);
-+ talloc_free(tmp_ctx_steal);
-+ assert_true(test_ctx->msg_removed);
-+}
-+
-+void test_sbus_method_create_empty__unref(void **state)
-+{
-+ struct test_ctx *test_ctx = talloc_get_type_abort(*state, struct test_ctx);
-+ DBusMessage *msg;
-+
-+ msg = sbus_method_create_empty(NULL, "bus.test", "/", "iface.test", "method");
-+ assert_non_null(msg);
-+ helper_msg_watch(test_ctx, msg);
-+
-+ assert_int_equal(dbus_message_get_type(msg), DBUS_MESSAGE_TYPE_METHOD_CALL);
-+ assert_string_equal(dbus_message_get_destination(msg), "bus.test");
-+ assert_string_equal(dbus_message_get_path(msg), "/");
-+ assert_string_equal(dbus_message_get_interface(msg), "iface.test");
-+ assert_string_equal(dbus_message_get_member(msg), "method");
-+
-+ dbus_message_unref(msg);
-+ assert_true(test_ctx->msg_removed);
-+}
-+
-+void test_sbus_method_create_empty__free(void **state)
-+{
-+ struct test_ctx *test_ctx = talloc_get_type_abort(*state, struct test_ctx);
-+ TALLOC_CTX *tmp_ctx;
-+ DBusMessage *msg;
-+
-+ tmp_ctx = talloc_new(test_ctx);
-+ assert_non_null(tmp_ctx);
-+
-+ msg = sbus_method_create_empty(tmp_ctx, "bus.test", "/", "iface.test", "method");
-+ assert_non_null(msg);
-+ helper_msg_watch(test_ctx, msg);
-+
-+ assert_int_equal(dbus_message_get_type(msg), DBUS_MESSAGE_TYPE_METHOD_CALL);
-+ assert_string_equal(dbus_message_get_destination(msg), "bus.test");
-+ assert_string_equal(dbus_message_get_path(msg), "/");
-+ assert_string_equal(dbus_message_get_interface(msg), "iface.test");
-+ assert_string_equal(dbus_message_get_member(msg), "method");
-+
-+ talloc_free(tmp_ctx);
-+ assert_true(test_ctx->msg_removed);
-+}
-+
-+void test_sbus_method_create__unref(void **state)
-+{
-+ struct test_ctx *test_ctx = talloc_get_type_abort(*state, struct test_ctx);
-+ DBusMessage *msg;
-+ dbus_bool_t dbret;
-+ uint32_t in_value = 32;
-+ uint32_t out_value;
-+
-+ msg = sbus_method_create(NULL, "bus.test", "/", "iface.test", "method",
-+ DBUS_TYPE_UINT32, &in_value);
-+ assert_non_null(msg);
-+ helper_msg_watch(test_ctx, msg);
-+
-+ assert_int_equal(dbus_message_get_type(msg), DBUS_MESSAGE_TYPE_METHOD_CALL);
-+ assert_string_equal(dbus_message_get_destination(msg), "bus.test");
-+ assert_string_equal(dbus_message_get_path(msg), "/");
-+ assert_string_equal(dbus_message_get_interface(msg), "iface.test");
-+ assert_string_equal(dbus_message_get_member(msg), "method");
-+
-+ dbret = dbus_message_get_args(msg, NULL,
-+ DBUS_TYPE_UINT32, &out_value,
-+ DBUS_TYPE_INVALID);
-+ assert_true(dbret);
-+ assert_int_equal(out_value, 32);
-+
-+ dbus_message_unref(msg);
-+ assert_true(test_ctx->msg_removed);
-+}
-+
-+void test_sbus_method_create__free(void **state)
-+{
-+ struct test_ctx *test_ctx = talloc_get_type_abort(*state, struct test_ctx);
-+ TALLOC_CTX *tmp_ctx;
-+ DBusMessage *msg;
-+
-+ tmp_ctx = talloc_new(test_ctx);
-+ assert_non_null(tmp_ctx);
-+
-+ msg = sbus_method_create_empty(tmp_ctx, "bus.test", "/", "iface.test", "method");
-+ assert_non_null(msg);
-+ helper_msg_watch(test_ctx, msg);
-+
-+ assert_int_equal(dbus_message_get_type(msg), DBUS_MESSAGE_TYPE_METHOD_CALL);
-+ assert_string_equal(dbus_message_get_destination(msg), "bus.test");
-+ assert_string_equal(dbus_message_get_path(msg), "/");
-+ assert_string_equal(dbus_message_get_interface(msg), "iface.test");
-+ assert_string_equal(dbus_message_get_member(msg), "method");
-+
-+ talloc_free(tmp_ctx);
-+ assert_true(test_ctx->msg_removed);
-+}
-+
-+void test_sbus_signal_create_empty__unref(void **state)
-+{
-+ struct test_ctx *test_ctx = talloc_get_type_abort(*state, struct test_ctx);
-+ DBusMessage *msg;
-+
-+ msg = sbus_signal_create_empty(NULL, "/", "iface.test", "method");
-+ assert_non_null(msg);
-+ helper_msg_watch(test_ctx, msg);
-+
-+ assert_int_equal(dbus_message_get_type(msg), DBUS_MESSAGE_TYPE_SIGNAL);
-+ assert_null(dbus_message_get_destination(msg));
-+ assert_string_equal(dbus_message_get_path(msg), "/");
-+ assert_string_equal(dbus_message_get_interface(msg), "iface.test");
-+ assert_string_equal(dbus_message_get_member(msg), "method");
-+
-+ dbus_message_unref(msg);
-+ assert_true(test_ctx->msg_removed);
-+}
-+
-+void test_sbus_signal_create_empty__free(void **state)
-+{
-+ struct test_ctx *test_ctx = talloc_get_type_abort(*state, struct test_ctx);
-+ TALLOC_CTX *tmp_ctx;
-+ DBusMessage *msg;
-+
-+ tmp_ctx = talloc_new(test_ctx);
-+ assert_non_null(tmp_ctx);
-+
-+ msg = sbus_signal_create_empty(tmp_ctx, "/", "iface.test", "method");
-+ assert_non_null(msg);
-+ helper_msg_watch(test_ctx, msg);
-+
-+ assert_int_equal(dbus_message_get_type(msg), DBUS_MESSAGE_TYPE_SIGNAL);
-+ assert_null(dbus_message_get_destination(msg));
-+ assert_string_equal(dbus_message_get_path(msg), "/");
-+ assert_string_equal(dbus_message_get_interface(msg), "iface.test");
-+ assert_string_equal(dbus_message_get_member(msg), "method");
-+
-+ talloc_free(tmp_ctx);
-+ assert_true(test_ctx->msg_removed);
-+}
-+
-+void test_sbus_signal_create__unref(void **state)
-+{
-+ struct test_ctx *test_ctx = talloc_get_type_abort(*state, struct test_ctx);
-+ DBusMessage *msg;
-+ dbus_bool_t dbret;
-+ uint32_t in_value = 32;
-+ uint32_t out_value;
-+
-+ msg = sbus_signal_create(NULL, "/", "iface.test", "method",
-+ DBUS_TYPE_UINT32, &in_value);
-+ assert_non_null(msg);
-+ helper_msg_watch(test_ctx, msg);
-+
-+ assert_int_equal(dbus_message_get_type(msg), DBUS_MESSAGE_TYPE_SIGNAL);
-+ assert_null(dbus_message_get_destination(msg));
-+ assert_string_equal(dbus_message_get_path(msg), "/");
-+ assert_string_equal(dbus_message_get_interface(msg), "iface.test");
-+ assert_string_equal(dbus_message_get_member(msg), "method");
-+
-+ dbret = dbus_message_get_args(msg, NULL,
-+ DBUS_TYPE_UINT32, &out_value,
-+ DBUS_TYPE_INVALID);
-+ assert_true(dbret);
-+ assert_int_equal(out_value, 32);
-+
-+ dbus_message_unref(msg);
-+ assert_true(test_ctx->msg_removed);
-+}
-+
-+void test_sbus_signal_create__free(void **state)
-+{
-+ struct test_ctx *test_ctx = talloc_get_type_abort(*state, struct test_ctx);
-+ TALLOC_CTX *tmp_ctx;
-+ DBusMessage *msg;
-+ dbus_bool_t dbret;
-+ uint32_t in_value = 32;
-+ uint32_t out_value;
-+
-+ tmp_ctx = talloc_new(test_ctx);
-+ assert_non_null(tmp_ctx);
-+
-+ msg = sbus_signal_create(tmp_ctx, "/", "iface.test", "method",
-+ DBUS_TYPE_UINT32, &in_value);
-+ assert_non_null(msg);
-+ helper_msg_watch(test_ctx, msg);
-+
-+ assert_int_equal(dbus_message_get_type(msg), DBUS_MESSAGE_TYPE_SIGNAL);
-+ assert_null(dbus_message_get_destination(msg));
-+ assert_string_equal(dbus_message_get_path(msg), "/");
-+ assert_string_equal(dbus_message_get_interface(msg), "iface.test");
-+ assert_string_equal(dbus_message_get_member(msg), "method");
-+
-+ dbret = dbus_message_get_args(msg, NULL,
-+ DBUS_TYPE_UINT32, &out_value,
-+ DBUS_TYPE_INVALID);
-+ assert_true(dbret);
-+ assert_int_equal(out_value, 32);
-+
-+ talloc_free(tmp_ctx);
-+ assert_true(test_ctx->msg_removed);
-+}
-+
-+void test_sbus_reply_parse__ok(void **state)
-+{
-+ DBusMessage *msg;
-+ DBusMessage *reply;
-+ dbus_bool_t dbret;
-+ uint32_t in_value1 = 32;
-+ uint32_t in_value2 = 64;
-+ uint32_t out_value1;
-+ uint32_t out_value2;
-+ errno_t ret;
-+
-+ msg = dbus_message_new_method_call("bus.test", "/", "iface.test", "method");
-+ assert_non_null(msg);
-+ dbus_message_set_serial(msg, 1);
-+
-+ reply = dbus_message_new_method_return(msg);
-+ assert_non_null(reply);
-+
-+ dbret = dbus_message_append_args(reply, DBUS_TYPE_UINT32, &in_value1,
-+ DBUS_TYPE_UINT32, &in_value2,
-+ DBUS_TYPE_INVALID);
-+ assert_true(dbret);
-+
-+ ret = sbus_reply_parse(reply, DBUS_TYPE_UINT32, &out_value1,
-+ DBUS_TYPE_UINT32, &out_value2);
-+ assert_int_equal(ret, EOK);
-+ assert_int_equal(out_value1, in_value1);
-+ assert_int_equal(out_value2, in_value2);
-+
-+ dbus_message_unref(msg);
-+ dbus_message_unref(reply);
-+}
-+
-+void test_sbus_reply_parse__error(void **state)
-+{
-+ DBusMessage *msg;
-+ DBusMessage *reply;
-+ uint32_t out_value1;
-+ uint32_t out_value2;
-+ errno_t ret;
-+
-+ msg = dbus_message_new_method_call("bus.test", "/", "iface.test", "method");
-+ assert_non_null(msg);
-+ dbus_message_set_serial(msg, 1);
-+
-+ reply = dbus_message_new_error(msg, SBUS_ERROR_KILLED, "Test error!");
-+ assert_non_null(reply);
-+
-+ ret = sbus_reply_parse(reply, DBUS_TYPE_UINT32, &out_value1,
-+ DBUS_TYPE_UINT32, &out_value2);
-+ assert_int_equal(ret, ERR_SBUS_KILL_CONNECTION);
-+
-+ dbus_message_unref(msg);
-+ dbus_message_unref(reply);
-+}
-+
-+void test_sbus_reply_parse__wrong_type(void **state)
-+{
-+ DBusMessage *msg;
-+ errno_t ret;
-+
-+ msg = dbus_message_new_method_call("bus.test", "/", "iface.test", "method");
-+ assert_non_null(msg);
-+ dbus_message_set_serial(msg, 1);
-+
-+ ret = sbus_reply_parse(msg);
-+ assert_int_not_equal(ret, EOK);
-+
-+ dbus_message_unref(msg);
-+}
-+
-+void test_sbus_reply_check__ok(void **state)
-+{
-+ DBusMessage *msg;
-+ DBusMessage *reply;
-+ errno_t ret;
-+
-+ msg = dbus_message_new_method_call("bus.test", "/", "iface.test", "method");
-+ assert_non_null(msg);
-+ dbus_message_set_serial(msg, 1);
-+
-+ reply = dbus_message_new_method_return(msg);
-+ assert_non_null(reply);
-+
-+ ret = sbus_reply_check(reply);
-+ assert_int_equal(ret, EOK);
-+
-+ dbus_message_unref(msg);
-+ dbus_message_unref(reply);
-+}
-+
-+void test_sbus_reply_check__error(void **state)
-+{
-+ DBusMessage *msg;
-+ DBusMessage *reply;
-+ errno_t ret;
-+
-+ msg = dbus_message_new_method_call("bus.test", "/", "iface.test", "method");
-+ assert_non_null(msg);
-+ dbus_message_set_serial(msg, 1);
-+
-+ reply = dbus_message_new_error(msg, SBUS_ERROR_KILLED, "Test error!");
-+ assert_non_null(reply);
-+
-+ ret = sbus_reply_check(reply);
-+ assert_int_equal(ret, ERR_SBUS_KILL_CONNECTION);
-+
-+ dbus_message_unref(msg);
-+ dbus_message_unref(reply);
-+}
-+
-+void test_sbus_reply_check__wrong_type(void **state)
-+{
-+ DBusMessage *msg;
-+ errno_t ret;
-+
-+ msg = dbus_message_new_method_call("bus.test", "/", "iface.test", "method");
-+ assert_non_null(msg);
-+ dbus_message_set_serial(msg, 1);
-+
-+ ret = sbus_reply_check(msg);
-+ assert_int_not_equal(ret, EOK);
-+
-+ dbus_message_unref(msg);
-+}
-+
-+int main(int argc, const char *argv[])
-+{
-+ poptContext pc;
-+ int opt;
-+ struct poptOption long_options[] = {
-+ POPT_AUTOHELP
-+ SSSD_DEBUG_OPTS
-+ POPT_TABLEEND
-+ };
-+
-+ const struct CMUnitTest tests[] = {
-+ cmocka_unit_test_setup_teardown(test_sbus_message_bound__null,
-+ test_setup, test_teardown),
-+ cmocka_unit_test_setup_teardown(test_sbus_message_bound__unref,
-+ test_setup, test_teardown),
-+ cmocka_unit_test_setup_teardown(test_sbus_message_bound__free,
-+ test_setup, test_teardown),
-+ cmocka_unit_test_setup_teardown(test_sbus_message_bound_steal__null,
-+ test_setup, test_teardown),
-+ cmocka_unit_test_setup_teardown(test_sbus_message_bound_steal__invalid,
-+ test_setup, test_teardown),
-+ cmocka_unit_test_setup_teardown(test_sbus_message_bound_steal__free,
-+ test_setup, test_teardown),
-+ cmocka_unit_test_setup_teardown(test_sbus_method_create_empty__unref,
-+ test_setup, test_teardown),
-+ cmocka_unit_test_setup_teardown(test_sbus_method_create_empty__free,
-+ test_setup, test_teardown),
-+ cmocka_unit_test_setup_teardown(test_sbus_method_create__unref,
-+ test_setup, test_teardown),
-+ cmocka_unit_test_setup_teardown(test_sbus_method_create__free,
-+ test_setup, test_teardown),
-+ cmocka_unit_test_setup_teardown(test_sbus_signal_create_empty__unref,
-+ test_setup, test_teardown),
-+ cmocka_unit_test_setup_teardown(test_sbus_signal_create_empty__free,
-+ test_setup, test_teardown),
-+ cmocka_unit_test_setup_teardown(test_sbus_signal_create__unref,
-+ test_setup, test_teardown),
-+ cmocka_unit_test_setup_teardown(test_sbus_signal_create__free,
-+ test_setup, test_teardown),
-+ cmocka_unit_test_setup_teardown(test_sbus_reply_parse__ok,
-+ test_setup, test_teardown),
-+ cmocka_unit_test_setup_teardown(test_sbus_reply_parse__error,
-+ test_setup, test_teardown),
-+ cmocka_unit_test_setup_teardown(test_sbus_reply_parse__wrong_type,
-+ test_setup, test_teardown),
-+ cmocka_unit_test_setup_teardown(test_sbus_reply_check__ok,
-+ test_setup, test_teardown),
-+ cmocka_unit_test_setup_teardown(test_sbus_reply_check__error,
-+ test_setup, test_teardown),
-+ cmocka_unit_test_setup_teardown(test_sbus_reply_check__wrong_type,
-+ test_setup, test_teardown),
-+ };
-+
-+ /* Set debug level to invalid value so we can decide if -d 0 was used. */
-+ debug_level = SSSDBG_INVALID;
-+
-+ pc = poptGetContext(argv[0], argc, argv, long_options, 0);
-+ while((opt = poptGetNextOpt(pc)) != -1) {
-+ switch(opt) {
-+ default:
-+ fprintf(stderr, "\nInvalid option %s: %s\n\n",
-+ poptBadOption(pc, 0), poptStrerror(opt));
-+ poptPrintUsage(pc, stderr, 0);
-+ return 1;
-+ }
-+ }
-+ poptFreeContext(pc);
-+
-+ DEBUG_CLI_INIT(debug_level);
-+
-+ return cmocka_run_group_tests(tests, NULL, NULL);
-+}
---
-2.9.5
-
diff --git a/0010-SELINUX-Always-add-SELinux-user-to-the-semanage-data.patch b/0010-SELINUX-Always-add-SELinux-user-to-the-semanage-data.patch
deleted file mode 100644
index e881240..0000000
--- a/0010-SELINUX-Always-add-SELinux-user-to-the-semanage-data.patch
+++ /dev/null
@@ -1,145 +0,0 @@
-From 945865ae16120ffade267227ca48cefd58822fd2 Mon Sep 17 00:00:00 2001
-From: Jakub Hrozek
-Date: Thu, 23 Aug 2018 13:55:51 +0200
-Subject: [PATCH 13/83] SELINUX: Always add SELinux user to the semanage
- database if it doesn't exist
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Previously, we tried to optimize too much and only set the SELinux user
-to Linux user mapping in case the SELinux user was different from the
-system default. But this doesn't work for the case where the Linux user
-has a non-standard home directory, because then SELinux would not have
-any idea that this user's home directory should be labeled as a home
-directory.
-
-This patch relaxes the optimization in the sense that on the first
-login, the SELinux context is saved regardless of whether it is the same
-as the default or different.
-
-Resolves:
-https://pagure.io/SSSD/sssd/issue/3819
-
-Reviewed-by: Michal Židek
----
- src/providers/ipa/selinux_child.c | 10 ++++++++--
- src/util/sss_semanage.c | 30 ++++++++++++++++++++++++++++++
- src/util/util.h | 1 +
- src/util/util_errors.c | 1 +
- src/util/util_errors.h | 1 +
- 5 files changed, 41 insertions(+), 2 deletions(-)
-
-diff --git a/src/providers/ipa/selinux_child.c b/src/providers/ipa/selinux_child.c
-index d061417..925591e 100644
---- a/src/providers/ipa/selinux_child.c
-+++ b/src/providers/ipa/selinux_child.c
-@@ -176,13 +176,16 @@ static bool seuser_needs_update(const char *username,
-
- ret = sss_get_seuser(username, &db_seuser, &db_mls_range);
- DEBUG(SSSDBG_TRACE_INTERNAL,
-- "getseuserbyname: ret: %d seuser: %s mls: %s\n",
-+ "sss_get_seuser: ret: %d seuser: %s mls: %s\n",
- ret, db_seuser ? db_seuser : "unknown",
- db_mls_range ? db_mls_range : "unknown");
- if (ret == EOK && db_seuser && db_mls_range &&
- strcmp(db_seuser, seuser) == 0 &&
- strcmp(db_mls_range, mls_range) == 0) {
-- needs_update = false;
-+ ret = sss_seuser_exists(username);
-+ if (ret == EOK) {
-+ needs_update = false;
-+ }
- }
- /* OR */
- if (ret == ERR_SELINUX_NOT_MANAGED) {
-@@ -191,6 +194,9 @@ static bool seuser_needs_update(const char *username,
-
- free(db_seuser);
- free(db_mls_range);
-+ DEBUG(SSSDBG_TRACE_FUNC,
-+ "The SELinux user does %sneed an update\n",
-+ needs_update ? "" : "not ");
- return needs_update;
- }
-
-diff --git a/src/util/sss_semanage.c b/src/util/sss_semanage.c
-index bcce57b..aea0385 100644
---- a/src/util/sss_semanage.c
-+++ b/src/util/sss_semanage.c
-@@ -248,6 +248,36 @@ done:
- return ret;
- }
-
-+int sss_seuser_exists(const char *linuxuser)
-+{
-+ int ret;
-+ int exists;
-+ semanage_seuser_key_t *sm_key = NULL;
-+ semanage_handle_t *sm_handle = NULL;
-+
-+ ret = sss_semanage_init(&sm_handle);
-+ if (ret != EOK) {
-+ return ret;
-+ }
-+
-+ ret = semanage_seuser_key_create(sm_handle, linuxuser, &sm_key);
-+ if (ret < 0) {
-+ sss_semanage_close(sm_handle);
-+ return EIO;
-+ }
-+
-+ ret = semanage_seuser_exists(sm_handle, sm_key, &exists);
-+ semanage_seuser_key_free(sm_key);
-+ sss_semanage_close(sm_handle);
-+ if (ret < 0) {
-+ return EIO;
-+ }
-+
-+ DEBUG(SSSDBG_TRACE_FUNC, "seuser exists: %s\n", exists ? "yes" : "no");
-+
-+ return exists ? EOK : ERR_SELINUX_USER_NOT_FOUND;
-+}
-+
- int sss_get_seuser(const char *linuxuser,
- char **selinuxuser,
- char **level)
-diff --git a/src/util/util.h b/src/util/util.h
-index 867acf2..59e7a96 100644
---- a/src/util/util.h
-+++ b/src/util/util.h
-@@ -663,6 +663,7 @@ int sss_del_seuser(const char *login_name);
- int sss_get_seuser(const char *linuxuser,
- char **selinuxuser,
- char **level);
-+int sss_seuser_exists(const char *linuxuser);
-
- /* convert time from generalized form to unix time */
- errno_t sss_utc_to_time_t(const char *str, const char *format, time_t *unix_time);
-diff --git a/src/util/util_errors.c b/src/util/util_errors.c
-index 920a178..5f8a2a2 100644
---- a/src/util/util_errors.c
-+++ b/src/util/util_errors.c
-@@ -75,6 +75,7 @@ struct err_string error_to_str[] = {
- { "LDAP search returned a referral" }, /* ERR_REFERRAL */
- { "Error setting SELinux user context" }, /* ERR_SELINUX_CONTEXT */
- { "SELinux is not managed by libsemanage" }, /* ERR_SELINUX_NOT_MANAGED */
-+ { "SELinux user does not exist" }, /* ERR_SELINUX_USER_NOT_FOUND */
- { "Username format not allowed by re_expression" }, /* ERR_REGEX_NOMATCH */
- { "Time specification not supported" }, /* ERR_TIMESPEC_NOT_SUPPORTED */
- { "Invalid SSSD configuration detected" }, /* ERR_INVALID_CONFIG */
-diff --git a/src/util/util_errors.h b/src/util/util_errors.h
-index 5a50936..c6731d4 100644
---- a/src/util/util_errors.h
-+++ b/src/util/util_errors.h
-@@ -97,6 +97,7 @@ enum sssd_errors {
- ERR_REFERRAL,
- ERR_SELINUX_CONTEXT,
- ERR_SELINUX_NOT_MANAGED,
-+ ERR_SELINUX_USER_NOT_FOUND,
- ERR_REGEX_NOMATCH,
- ERR_TIMESPEC_NOT_SUPPORTED,
- ERR_INVALID_CONFIG,
---
-2.9.5
-
diff --git a/0011-intg-flush-the-SSSD-caches-to-sync-with-files.patch b/0011-intg-flush-the-SSSD-caches-to-sync-with-files.patch
deleted file mode 100644
index 0fb726a..0000000
--- a/0011-intg-flush-the-SSSD-caches-to-sync-with-files.patch
+++ /dev/null
@@ -1,44 +0,0 @@
-From 1e2398870e8aa512ead3012d46cbe6252429467a Mon Sep 17 00:00:00 2001
-From: Sumit Bose
-Date: Mon, 10 Sep 2018 15:35:45 +0200
-Subject: [PATCH 16/83] intg: flush the SSSD caches to sync with files
-
-To make sure that SSSD has synced with the latest data added to the
-passwd file sss_cache is called in two places where the current sync
-scheme was not reliable. This was mainly observed when running the
-integration tests on Debian.
-
-Reviewed-by: Jakub Hrozek
----
- src/tests/intg/test_files_provider.py | 8 ++++++++
- 1 file changed, 8 insertions(+)
-
-diff --git a/src/tests/intg/test_files_provider.py b/src/tests/intg/test_files_provider.py
-index 9f30d2b..ead1cc4 100644
---- a/src/tests/intg/test_files_provider.py
-+++ b/src/tests/intg/test_files_provider.py
-@@ -644,6 +644,10 @@ def test_enum_users(setup_pw_with_canary, files_domain_only):
- user = user_generator(i)
- setup_pw_with_canary.useradd(**user)
-
-+ # syncing with the help of the canary is not reliable after adding
-+ # multiple users because the canary might still be in some caches so that
-+ # the data is not refreshed properly.
-+ subprocess.call(["sss_cache", "-E"])
- sssd_getpwnam_sync(CANARY["name"])
- user_list = call_sssd_enumeration()
- # +1 because the canary is added
-@@ -1043,6 +1047,10 @@ def test_getgrnam_add_remove_ghosts(setup_pw_with_canary,
-
- # Add this user and verify it's been added as a member
- pwd_ops.useradd(**USER2)
-+ # The negative cache might still have user2 from the previous request,
-+ # flushing the caches might help to prevent a failed lookup after adding
-+ # the user.
-+ subprocess.call(["sss_cache", "-E"])
- res, groups = sssd_id_sync('user2')
- assert res == sssd_id.NssReturnCode.SUCCESS
- assert len(groups) == 2
---
-2.9.5
-
diff --git a/0012-sbus-dectect-python-binary-for-sbus_generate.sh.patch b/0012-sbus-dectect-python-binary-for-sbus_generate.sh.patch
deleted file mode 100644
index f554b23..0000000
--- a/0012-sbus-dectect-python-binary-for-sbus_generate.sh.patch
+++ /dev/null
@@ -1,87 +0,0 @@
-From b03179ead11db7dbfd6a00d3eeef3dac0990f826 Mon Sep 17 00:00:00 2001
-From: Sumit Bose
-Date: Mon, 10 Sep 2018 15:40:14 +0200
-Subject: [PATCH 17/83] sbus: dectect python binary for sbus_generate.sh
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-We already detect python2 and python3 binaries during configure. With
-this patch PYTHON_EXEC is set to the python3 binary if python3 bindings
-are generated and to the python2 binary otherwise. With the help of an
-environment variable sbus_generate.sh is made aware of it.
-
-Related to https://pagure.io/SSSD/sssd/issue/3807
-
-Reviewed-by: Pavel Březina
----
- Makefile.am | 4 ++--
- configure.ac | 8 ++++++++
- sbus_generate.sh => sbus_generate.sh.in | 2 +-
- 3 files changed, 11 insertions(+), 3 deletions(-)
- rename sbus_generate.sh => sbus_generate.sh.in (93%)
-
-diff --git a/Makefile.am b/Makefile.am
-index 11d0405..deb9ce3 100644
---- a/Makefile.am
-+++ b/Makefile.am
-@@ -1020,14 +1020,14 @@ libsss_cert_la_LDFLAGS = \
- $(NULL)
-
- generate-sbus-code:
-- $(srcdir)/sbus_generate.sh $(abs_srcdir)
-+ $(builddir)/sbus_generate.sh $(abs_srcdir)
-
- .PHONY: generate-sbus-code
-
- BUILT_SOURCES += generate-sbus-code
-
- EXTRA_DIST += \
-- sbus_generate.sh \
-+ sbus_generate.sh.in \
- src/sbus/codegen/dbus.xml \
- src/sbus/codegen/sbus_CodeGen.py \
- src/sbus/codegen/sbus_DataType.py \
-diff --git a/configure.ac b/configure.ac
-index 1aac65f..bb18ad4 100644
---- a/configure.ac
-+++ b/configure.ac
-@@ -373,6 +373,13 @@ them please use argument --without-python3-bindings when running configure.])])
- SSS_CLEAN_PYTHON_VARIABLES
- fi
-
-+if test x$HAVE_PYTHON3_BINDINGS = x1; then
-+ PYTHON_EXEC=$PYTHON3
-+else
-+ PYTHON_EXEC=$PYTHON2
-+fi
-+AC_SUBST(PYTHON_EXEC)
-+
- AM_CONDITIONAL([BUILD_PYTHON_BINDINGS],
- [test x"$with_python2_bindings" = xyes \
- -o x"$with_python3_bindings" = xyes])
-@@ -524,4 +531,5 @@ AC_CONFIG_FILES([Makefile contrib/sssd.spec src/examples/rwtab src/doxy.config
- src/config/setup.py
- src/systemtap/sssd.stp
- src/config/SSSDConfig/__init__.py])
-+AC_CONFIG_FILES([sbus_generate.sh], [chmod +x sbus_generate.sh])
- AC_OUTPUT
-diff --git a/sbus_generate.sh b/sbus_generate.sh.in
-similarity index 93%
-rename from sbus_generate.sh
-rename to sbus_generate.sh.in
-index 338fd9d..b2c695e 100755
---- a/sbus_generate.sh
-+++ b/sbus_generate.sh.in
-@@ -13,7 +13,7 @@ generate() {
-
- echo "Generating sbus code for: $XML"
-
-- python $CODEGEN --sbus sbus --util util \
-+ @PYTHON_EXEC@ $CODEGEN --sbus sbus --util util \
- --headers "$HEADERS" \
- --dest "$SRCDIR/src/$DEST" \
- --fileprefix "sbus_${PREFIX}_" \
---
-2.9.5
-
diff --git a/0013-sudo-respect-case-sensitivity-in-sudo-responder.patch b/0013-sudo-respect-case-sensitivity-in-sudo-responder.patch
deleted file mode 100644
index c51d7e7..0000000
--- a/0013-sudo-respect-case-sensitivity-in-sudo-responder.patch
+++ /dev/null
@@ -1,68 +0,0 @@
-From d7f0b58e2896ed2ef9ed5a390815c1e4df6caaee Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Pavel=20B=C5=99ezina?=
-Date: Thu, 6 Sep 2018 13:38:56 +0200
-Subject: [PATCH 18/83] sudo: respect case sensitivity in sudo responder
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-If the domain is not case sensitive and the case of the original user
-or group name differs from the name in the rule we failed to find the
-rule.
-
-Now we filter the rule only with lower cased values in such domain.
-
-Steps to reproduce:
-1. Add user/group with upper case, e.g. USER-1
-2. Add sudo rule with lower cased name, e.g. sudoUser: user-1
-3. Login to system with lower case, e.g. user-1
-4. Run sudo -l
-
-Without the patch, rule is not found.
-
-Resolves:
-https://pagure.io/SSSD/sssd/issue/3820
-
-Reviewed-by: Michal Židek
----
- src/db/sysdb_sudo.c | 17 ++++++++++++++---
- 1 file changed, 14 insertions(+), 3 deletions(-)
-
-diff --git a/src/db/sysdb_sudo.c b/src/db/sysdb_sudo.c
-index 3ad462d..19ed97b 100644
---- a/src/db/sysdb_sudo.c
-+++ b/src/db/sysdb_sudo.c
-@@ -418,7 +418,17 @@ sysdb_get_sudo_user_info(TALLOC_CTX *mem_ctx,
- ret = EINVAL;
- goto done;
- }
-- DEBUG(SSSDBG_TRACE_FUNC, "original name: %s\n", orig_name);
-+
-+ DEBUG(SSSDBG_TRACE_FUNC, "Original name: %s\n", orig_name);
-+
-+ orig_name = sss_get_cased_name(tmp_ctx, orig_name, domain->case_sensitive);
-+ if (orig_name == NULL) {
-+ DEBUG(SSSDBG_CRIT_FAILURE, "Out of memory!\n");
-+ ret = ENOMEM;
-+ goto done;
-+ }
-+
-+ DEBUG(SSSDBG_TRACE_FUNC, "Cased name: %s\n", orig_name);
-
- if (_uid != NULL) {
- uid = ldb_msg_find_attr_as_uint64(res->msgs[0], SYSDB_UIDNUM, 0);
-@@ -450,8 +460,9 @@ sysdb_get_sudo_user_info(TALLOC_CTX *mem_ctx,
- continue;
- }
-
-- sysdb_groupnames[num_groups] = talloc_strdup(sysdb_groupnames,
-- groupname);
-+ sysdb_groupnames[num_groups] = \
-+ sss_get_cased_name(sysdb_groupnames, groupname,
-+ domain->case_sensitive);
- if (sysdb_groupnames[num_groups] == NULL) {
- DEBUG(SSSDBG_MINOR_FAILURE, "Cannot strdup %s\n", groupname);
- continue;
---
-2.9.5
-
diff --git a/0014-GPO-Add-gpo_implicit_deny-option.patch b/0014-GPO-Add-gpo_implicit_deny-option.patch
deleted file mode 100644
index 9fedf00..0000000
--- a/0014-GPO-Add-gpo_implicit_deny-option.patch
+++ /dev/null
@@ -1,130 +0,0 @@
-From 3bd67c772c951f33422261ef658a104ccecc9561 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Michal=20=C5=BDidek?=
-Date: Tue, 3 Jul 2018 20:03:39 +0200
-Subject: [PATCH 19/83] GPO: Add gpo_implicit_deny option
-
-This option (when set to True) can be used to deny access to
-users even if there is not applicable GPO. Normally users are
-allowed access in this situation.
-
-Resolves:
-https://pagure.io/SSSD/sssd/issue/3701
-
-Reviewed-by: Jakub Hrozek
----
- src/config/cfg_rules.ini | 1 +
- src/man/sssd-ad.5.xml | 21 +++++++++++++++++++++
- src/providers/ad/ad_common.h | 1 +
- src/providers/ad/ad_gpo.c | 13 ++++++++++++-
- src/providers/ad/ad_opts.c | 1 +
- 5 files changed, 36 insertions(+), 1 deletion(-)
-
-diff --git a/src/config/cfg_rules.ini b/src/config/cfg_rules.ini
-index 36e83a9..78f215e 100644
---- a/src/config/cfg_rules.ini
-+++ b/src/config/cfg_rules.ini
-@@ -437,6 +437,7 @@ option = ad_enable_dns_sites
- option = ad_enabled_domains
- option = ad_enable_gc
- option = ad_gpo_access_control
-+option = ad_gpo_implicit_deny
- option = ad_gpo_cache_timeout
- option = ad_gpo_default_right
- option = ad_gpo_map_batch
-diff --git a/src/man/sssd-ad.5.xml b/src/man/sssd-ad.5.xml
-index f43c7fc..0eac382 100644
---- a/src/man/sssd-ad.5.xml
-+++ b/src/man/sssd-ad.5.xml
-@@ -418,6 +418,27 @@ DOM:dom1:(memberOf:1.2.840.113556.1.4.1941:=cn=nestedgroup,ou=groups,dc=example,
-
-
-
-+ ad_gpo_implicit_deny (boolean)
-+
-+
-+ Normally when no applicable GPOs are found the
-+ users are allowed access. When this option is set
-+ to True users will be allowed access only when
-+ explicitly allowed by a GPO rule. Otherwise users
-+ will be denied access. This can be used to harden
-+ security but be careful when using this option
-+ because it can deny access even to users in the
-+ built-in Administrators group if no GPO rules
-+ apply to them.
-+
-+
-+ Default: False (seconds)
-+
-+
-+
-+
-+
-+
- ad_gpo_cache_timeout (integer)
-
-
-diff --git a/src/providers/ad/ad_common.h b/src/providers/ad/ad_common.h
-index dd440da..2c52c99 100644
---- a/src/providers/ad/ad_common.h
-+++ b/src/providers/ad/ad_common.h
-@@ -52,6 +52,7 @@ enum ad_basic_opt {
- AD_ACCESS_FILTER,
- AD_ENABLE_GC,
- AD_GPO_ACCESS_CONTROL,
-+ AD_GPO_IMPLICIT_DENY,
- AD_GPO_CACHE_TIMEOUT,
- AD_GPO_MAP_INTERACTIVE,
- AD_GPO_MAP_REMOTE_INTERACTIVE,
-diff --git a/src/providers/ad/ad_gpo.c b/src/providers/ad/ad_gpo.c
-index d568643..f3be723 100644
---- a/src/providers/ad/ad_gpo.c
-+++ b/src/providers/ad/ad_gpo.c
-@@ -1586,6 +1586,7 @@ struct ad_gpo_access_state {
- struct ldb_context *ldb_ctx;
- struct ad_access_ctx *access_ctx;
- enum gpo_access_control_mode gpo_mode;
-+ bool gpo_implicit_deny;
- enum gpo_map_type gpo_map_type;
- struct sdap_id_conn_ctx *conn;
- struct sdap_id_op *sdap_op;
-@@ -1712,6 +1713,8 @@ ad_gpo_access_send(TALLOC_CTX *mem_ctx,
- state->gpo_mode = ctx->gpo_access_control_mode;
- state->gpo_timeout_option = ctx->gpo_cache_timeout;
- state->ad_hostname = dp_opt_get_string(ctx->ad_options, AD_HOSTNAME);
-+ state->gpo_implicit_deny = dp_opt_get_bool(ctx->ad_options,
-+ AD_GPO_IMPLICIT_DENY);
- state->access_ctx = ctx;
- state->opts = ctx->sdap_access_ctx->id_ctx->opts;
- state->timeout = dp_opt_get_int(state->opts->basic, SDAP_SEARCH_TIMEOUT);
-@@ -2171,7 +2174,15 @@ ad_gpo_process_gpo_done(struct tevent_req *subreq)
- }
- }
-
-- ret = EOK;
-+ if (state->gpo_implicit_deny == true) {
-+ DEBUG(SSSDBG_TRACE_FUNC,
-+ "No applicable GPOs have been found and ad_gpo_implicit_deny"
-+ " is set to 'true'. The user will be denied access.\n");
-+ ret = ERR_ACCESS_DENIED;
-+ } else {
-+ ret = EOK;
-+ }
-+
- goto done;
- }
-
-diff --git a/src/providers/ad/ad_opts.c b/src/providers/ad/ad_opts.c
-index ac93327..c1d9cd7 100644
---- a/src/providers/ad/ad_opts.c
-+++ b/src/providers/ad/ad_opts.c
-@@ -38,6 +38,7 @@ struct dp_option ad_basic_opts[] = {
- { "ad_access_filter", DP_OPT_STRING, NULL_STRING, NULL_STRING},
- { "ad_enable_gc", DP_OPT_BOOL, BOOL_TRUE, BOOL_TRUE },
- { "ad_gpo_access_control", DP_OPT_STRING, { AD_GPO_ACCESS_MODE_DEFAULT }, NULL_STRING },
-+ { "ad_gpo_implicit_deny", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE },
- { "ad_gpo_cache_timeout", DP_OPT_NUMBER, { .number = 5 }, NULL_NUMBER },
- { "ad_gpo_map_interactive", DP_OPT_STRING, NULL_STRING, NULL_STRING },
- { "ad_gpo_map_remote_interactive", DP_OPT_STRING, NULL_STRING, NULL_STRING },
---
-2.9.5
-
diff --git a/0015-Skip-local-domain-if-not-supported.patch b/0015-Skip-local-domain-if-not-supported.patch
deleted file mode 100644
index 29a0668..0000000
--- a/0015-Skip-local-domain-if-not-supported.patch
+++ /dev/null
@@ -1,41 +0,0 @@
-From 10fa27eddb9bbe135277d587c6a2de4b311da6df Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Michal=20=C5=BDidek?=
-Date: Tue, 18 Sep 2018 15:23:54 +0200
-Subject: [PATCH 20/83] CONFDB: Skip 'local' domain if not supported
-
-When SSSD is built without the support for local
-domain, we should gracegully skip local domains
-and let other domains start.
-
-Resolves:
-https://pagure.io/SSSD/sssd/issue/3828
-
-Reviewed-by: Jakub Hrozek
----
- src/confdb/confdb.c | 10 ++++++++--
- 1 file changed, 8 insertions(+), 2 deletions(-)
-
-diff --git a/src/confdb/confdb.c b/src/confdb/confdb.c
-index 22068ca..621647e 100644
---- a/src/confdb/confdb.c
-+++ b/src/confdb/confdb.c
-@@ -945,8 +945,14 @@ static int confdb_get_domain_internal(struct confdb_ctx *cdb,
- goto done;
- }
-
-- if (local_provider_is_built()
-- && strcasecmp(domain->provider, "local") == 0) {
-+ if (strcasecmp(domain->provider, "local") == 0) {
-+ if (!local_provider_is_built()) {
-+ DEBUG(SSSDBG_FATAL_FAILURE,
-+ "ID provider 'local' no longer supported, disabling\n");
-+ ret = EINVAL;
-+ goto done;
-+ }
-+
- /* If this is the local provider, we need to ensure that
- * no other provider was specified for other types, since
- * the local provider cannot load them.
---
-2.9.5
-
diff --git a/0016-sysdb-extract-sysdb_ldb_msg_attr_to_certmap_info-cal.patch b/0016-sysdb-extract-sysdb_ldb_msg_attr_to_certmap_info-cal.patch
deleted file mode 100644
index 4a686de..0000000
--- a/0016-sysdb-extract-sysdb_ldb_msg_attr_to_certmap_info-cal.patch
+++ /dev/null
@@ -1,259 +0,0 @@ -From 7c619ae08f05a7595d15cf11b64461a7d19cfaa7 Mon Sep 17 00:00:00 2001 -From: Sumit Bose -Date: Fri, 29 Jun 2018 17:49:50 +0200 -Subject: [PATCH 21/83] sysdb: extract sysdb_ldb_msg_attr_to_certmap_info() - call - -Related to https://pagure.io/SSSD/sssd/issue/3500 - -Reviewed-by: Jakub Hrozek ---- - src/db/sysdb.h | 4 ++ - src/db/sysdb_certmap.c | 191 ++++++++++++++++++++++++++++--------------------- - 2 files changed, 112 insertions(+), 83 deletions(-) - -diff --git a/src/db/sysdb.h b/src/db/sysdb.h -index d72af5a..cb04e1b 100644 ---- a/src/db/sysdb.h -+++ b/src/db/sysdb.h -@@ -702,6 +702,10 @@ errno_t sysdb_update_certmap(struct sysdb_ctx *sysdb, - struct certmap_info **certmaps, - bool user_name_hint); - -+errno_t sysdb_ldb_msg_attr_to_certmap_info(TALLOC_CTX *mem_ctx, -+ struct ldb_message *msg, -+ struct certmap_info **certmap); -+ - errno_t sysdb_get_certmap(TALLOC_CTX *mem_ctx, struct sysdb_ctx *sysdb, - struct certmap_info ***certmaps, - bool *user_name_hint); -diff --git a/src/db/sysdb_certmap.c b/src/db/sysdb_certmap.c -index 6d83ba0..e61cc05 100644 ---- a/src/db/sysdb_certmap.c -+++ b/src/db/sysdb_certmap.c -@@ -262,19 +262,119 @@ done: - return ret; - } - -+errno_t sysdb_ldb_msg_attr_to_certmap_info(TALLOC_CTX *mem_ctx, -+ struct ldb_message *msg, -+ struct certmap_info **certmap) -+{ -+ int ret; -+ size_t d; -+ size_t num_values; -+ struct certmap_info *map = NULL; -+ const char *tmp_str; -+ uint64_t tmp_uint; -+ struct ldb_message_element *tmp_el; -+ -+ -+ map = talloc_zero(mem_ctx, struct certmap_info); -+ if (map == NULL) { -+ return ENOMEM; -+ } -+ -+ tmp_str = ldb_msg_find_attr_as_string(msg, SYSDB_NAME, NULL); -+ if (tmp_str == NULL) { -+ DEBUG(SSSDBG_MINOR_FAILURE, "The object [%s] doesn't have a name.\n", -+ ldb_dn_get_linearized(msg->dn)); -+ ret = EINVAL; -+ goto done; -+ } -+ -+ map->name = talloc_strdup(map, tmp_str); -+ if (map->name == NULL) { -+ ret = ENOMEM; -+ goto done; -+ } -+ -+ tmp_str = 
ldb_msg_find_attr_as_string(msg, SYSDB_CERTMAP_MAPPING_RULE, -+ NULL); -+ if (tmp_str != NULL) { -+ map->map_rule = talloc_strdup(map, tmp_str); -+ if (map->map_rule == NULL) { -+ DEBUG(SSSDBG_OP_FAILURE, "talloc_strdup failed.\n"); -+ ret = ENOMEM; -+ goto done; -+ } -+ } -+ -+ tmp_str = ldb_msg_find_attr_as_string(msg, SYSDB_CERTMAP_MATCHING_RULE, -+ NULL); -+ if (tmp_str != NULL) { -+ map->match_rule = talloc_strdup(map, tmp_str); -+ if (map->match_rule == NULL) { -+ DEBUG(SSSDBG_OP_FAILURE, "talloc_strdup failed.\n"); -+ ret = ENOMEM; -+ goto done; -+ } -+ } -+ -+ tmp_uint = ldb_msg_find_attr_as_uint64(msg, SYSDB_CERTMAP_PRIORITY, -+ (uint64_t) -1); -+ if (tmp_uint != (uint64_t) -1) { -+ if (tmp_uint > UINT32_MAX) { -+ DEBUG(SSSDBG_OP_FAILURE, "Priority value [%lu] too large.\n", -+ (unsigned long) tmp_uint); -+ ret = EINVAL; -+ goto done; -+ } -+ -+ map->priority = (uint32_t) tmp_uint; -+ } -+ -+ tmp_el = ldb_msg_find_element(msg, SYSDB_CERTMAP_DOMAINS); -+ if (tmp_el != NULL) { -+ num_values = tmp_el->num_values; -+ } else { -+ num_values = 0; -+ } -+ -+ map->domains = talloc_zero_array(map, const char *, num_values + 1); -+ if (map->domains == NULL) { -+ DEBUG(SSSDBG_OP_FAILURE, "talloc_zero_array failed.\n"); -+ ret = ENOMEM; -+ goto done; -+ } -+ -+ for (d = 0; d < num_values; d++) { -+ map->domains[d] = talloc_strndup(map->domains, -+ (char *) tmp_el->values[d].data, -+ tmp_el->values[d].length); -+ if (map->domains[d] == NULL) { -+ DEBUG(SSSDBG_OP_FAILURE, "talloc_strndup failed.\n"); -+ ret = ENOMEM; -+ goto done; -+ } -+ } -+ -+ *certmap = map; -+ -+ ret = EOK; -+ -+done: -+ if (ret != EOK) { -+ talloc_free(map); -+ } -+ -+ return ret; -+} -+ - errno_t sysdb_get_certmap(TALLOC_CTX *mem_ctx, struct sysdb_ctx *sysdb, - struct certmap_info ***certmaps, bool *user_name_hint) - { - size_t c; -- size_t d; - struct ldb_dn *container_dn = NULL; - int ret; - struct certmap_info **maps = NULL; - TALLOC_CTX *tmp_ctx = NULL; - struct ldb_result *res; -- const char 
*tmp_str; -- uint64_t tmp_uint; -- struct ldb_message_element *tmp_el; - const char *attrs[] = {SYSDB_NAME, - SYSDB_CERTMAP_PRIORITY, - SYSDB_CERTMAP_MATCHING_RULE, -@@ -283,7 +383,6 @@ errno_t sysdb_get_certmap(TALLOC_CTX *mem_ctx, struct sysdb_ctx *sysdb, - NULL}; - const char *config_attrs[] = {SYSDB_CERTMAP_USER_NAME_HINT, - NULL}; -- size_t num_values; - bool hint = false; - - tmp_ctx = talloc_new(NULL); -@@ -332,86 +431,12 @@ errno_t sysdb_get_certmap(TALLOC_CTX *mem_ctx, struct sysdb_ctx *sysdb, - } - - for (c = 0; c < res->count; c++) { -- maps[c] = talloc_zero(maps, struct certmap_info); -- if (maps[c] == NULL) { -- ret = ENOMEM; -- goto done; -- } -- tmp_str = ldb_msg_find_attr_as_string(res->msgs[c], SYSDB_NAME, NULL); -- if (tmp_str == NULL) { -- DEBUG(SSSDBG_MINOR_FAILURE, "The object [%s] doesn't have a name.\n", -- ldb_dn_get_linearized(res->msgs[c]->dn)); -- ret = EINVAL; -- goto done; -- } -- -- maps[c]->name = talloc_strdup(maps, tmp_str); -- if (maps[c]->name == NULL) { -- ret = ENOMEM; -- goto done; -- } -- -- tmp_str = ldb_msg_find_attr_as_string(res->msgs[c], -- SYSDB_CERTMAP_MAPPING_RULE, NULL); -- if (tmp_str != NULL) { -- maps[c]->map_rule = talloc_strdup(maps, tmp_str); -- if (maps[c]->map_rule == NULL) { -- DEBUG(SSSDBG_OP_FAILURE, "talloc_strdup failed.\n"); -- ret = ENOMEM; -- goto done; -- } -- } -- -- tmp_str = ldb_msg_find_attr_as_string(res->msgs[c], -- SYSDB_CERTMAP_MATCHING_RULE, NULL); -- if (tmp_str != NULL) { -- maps[c]->match_rule = talloc_strdup(maps, tmp_str); -- if (maps[c]->match_rule == NULL) { -- DEBUG(SSSDBG_OP_FAILURE, "talloc_strdup failed.\n"); -- ret = ENOMEM; -- goto done; -- } -- } -- -- tmp_uint = ldb_msg_find_attr_as_uint64(res->msgs[c], -- SYSDB_CERTMAP_PRIORITY, -- (uint64_t) -1); -- if (tmp_uint != (uint64_t) -1) { -- if (tmp_uint > UINT32_MAX) { -- DEBUG(SSSDBG_OP_FAILURE, "Priority value [%lu] too large.\n", -- (unsigned long) tmp_uint); -- ret = EINVAL; -- goto done; -- } -- -- maps[c]->priority = 
(uint32_t) tmp_uint; -- } -- -- tmp_el = ldb_msg_find_element(res->msgs[c], SYSDB_CERTMAP_DOMAINS); -- if (tmp_el != NULL) { -- num_values = tmp_el->num_values; -- } else { -- num_values = 0; -- } -- -- maps[c]->domains = talloc_zero_array(maps[c], const char *, -- num_values + 1); -- if (maps[c]->domains == NULL) { -- DEBUG(SSSDBG_OP_FAILURE, "talloc_zero_array failed.\n"); -- ret = ENOMEM; -+ ret = sysdb_ldb_msg_attr_to_certmap_info(maps, res->msgs[c], &maps[c]); -+ if (ret != EOK) { -+ DEBUG(SSSDBG_OP_FAILURE, -+ "sysdb_ldb_msg_attr_to_certmap_info failed.\n"); - goto done; - } -- -- for (d = 0; d < num_values; d++) { -- maps[c]->domains[d] = talloc_strndup(maps[c]->domains, -- (char *) tmp_el->values[d].data, -- tmp_el->values[d].length); -- if (maps[c]->domains[d] == NULL) { -- DEBUG(SSSDBG_OP_FAILURE, "talloc_strndup failed.\n"); -- ret = ENOMEM; -- goto done; -- } -- } - } - - ret = EOK; --- -2.9.5 - diff --git a/0017-sysdb_ldb_msg_attr_to_certmap_info-set-SSS_CERTMAP_M.patch b/0017-sysdb_ldb_msg_attr_to_certmap_info-set-SSS_CERTMAP_M.patch deleted file mode 100644 index b56c5c7..0000000 --- a/0017-sysdb_ldb_msg_attr_to_certmap_info-set-SSS_CERTMAP_M.patch +++ /dev/null 
@@ -1,39 +0,0 @@ -From d1dd7f7703b4f40d2fbb830e28969b31b8a1673e Mon Sep 17 00:00:00 2001 -From: Sumit Bose -Date: Tue, 3 Jul 2018 11:30:07 +0200 -Subject: [PATCH 22/83] sysdb_ldb_msg_attr_to_certmap_info: set - SSS_CERTMAP_MIN_PRIO - -Make sure that priority is always set. - -Related to https://pagure.io/SSSD/sssd/issue/3500 - -Reviewed-by: Jakub Hrozek ---- - src/db/sysdb_certmap.c | 3 +++ - 1 file changed, 3 insertions(+) - -diff --git a/src/db/sysdb_certmap.c b/src/db/sysdb_certmap.c -index e61cc05..0bb7ebc 100644 ---- a/src/db/sysdb_certmap.c -+++ b/src/db/sysdb_certmap.c -@@ -22,6 +22,7 @@ - - #include "util/util.h" - #include "db/sysdb_private.h" -+#include "lib/certmap/sss_certmap.h" - - static errno_t sysdb_create_certmap_container(struct sysdb_ctx *sysdb, - bool user_name_hint) -@@ -327,6 +328,8 @@ errno_t sysdb_ldb_msg_attr_to_certmap_info(TALLOC_CTX *mem_ctx, - } - - map->priority = (uint32_t) tmp_uint; -+ } else { -+ map->priority = SSS_CERTMAP_MIN_PRIO; - } - - tmp_el = ldb_msg_find_element(msg, SYSDB_CERTMAP_DOMAINS); --- -2.9.5 - diff --git a/0018-sysdb-add-attr_map-attribute-to-sysdb_ldb_msg_attr_t.patch b/0018-sysdb-add-attr_map-attribute-to-sysdb_ldb_msg_attr_t.patch deleted file mode 100644 index e981cea..0000000 --- a/0018-sysdb-add-attr_map-attribute-to-sysdb_ldb_msg_attr_t.patch +++ /dev/null 
@@ -1,140 +0,0 @@ -From 0bf709ad348ca115443bd21e4e369abd5d7698c4 Mon Sep 17 00:00:00 2001 -From: Sumit Bose -Date: Fri, 29 Jun 2018 18:13:59 +0200 -Subject: [PATCH 23/83] sysdb: add attr_map attribute to - sysdb_ldb_msg_attr_to_certmap_info() - -Allow more flexible attribute mapping in -sysdb_ldb_msg_attr_to_certmap_info() - -Related to https://pagure.io/SSSD/sssd/issue/3500 - -Reviewed-by: Jakub Hrozek ---- - src/db/sysdb.h | 1 + - src/db/sysdb_certmap.c | 39 +++++++++++++++++++++++++++++++-------- - 2 files changed, 32 insertions(+), 8 deletions(-) - -diff --git a/src/db/sysdb.h b/src/db/sysdb.h -index cb04e1b..2187947 100644 ---- a/src/db/sysdb.h -+++ b/src/db/sysdb.h -@@ -704,6 +704,7 @@ errno_t sysdb_update_certmap(struct sysdb_ctx *sysdb, - - errno_t sysdb_ldb_msg_attr_to_certmap_info(TALLOC_CTX *mem_ctx, - struct ldb_message *msg, -+ const char **attr_map, - struct certmap_info **certmap); - - errno_t sysdb_get_certmap(TALLOC_CTX *mem_ctx, struct sysdb_ctx *sysdb, -diff --git a/src/db/sysdb_certmap.c b/src/db/sysdb_certmap.c -index 0bb7ebc..e37f1ba 100644 ---- a/src/db/sysdb_certmap.c -+++ b/src/db/sysdb_certmap.c -@@ -263,8 +263,19 @@ done: - return ret; - } - -+enum certmap_info_member { -+ SSS_CMIM_NAME = 0, -+ SSS_CMIM_MAPPING_RULE, -+ SSS_CMIM_MATCHING_RULE, -+ SSS_CMIM_PRIORITY, -+ SSS_CMIM_DOMAINS, -+ -+ SSS_CMIM_SENTINEL -+}; -+ - errno_t sysdb_ldb_msg_attr_to_certmap_info(TALLOC_CTX *mem_ctx, - struct ldb_message *msg, -+ const char **attr_map, - struct certmap_info **certmap) - { - int ret; -@@ -275,13 +286,24 @@ errno_t sysdb_ldb_msg_attr_to_certmap_info(TALLOC_CTX *mem_ctx, - uint64_t tmp_uint; - struct ldb_message_element *tmp_el; - -+ if (msg == NULL || attr_map == NULL || certmap == NULL) { -+ DEBUG(SSSDBG_CRIT_FAILURE, "Invalid input.\n"); -+ return EINVAL; -+ } -+ -+ for (d = 0; d < SSS_CMIM_SENTINEL; d++) { -+ if (attr_map[d] == NULL) { -+ DEBUG(SSSDBG_CRIT_FAILURE, "Invalid attribute map"); -+ return EINVAL; -+ } -+ } - - map = 
talloc_zero(mem_ctx, struct certmap_info); - if (map == NULL) { - return ENOMEM; - } - -- tmp_str = ldb_msg_find_attr_as_string(msg, SYSDB_NAME, NULL); -+ tmp_str = ldb_msg_find_attr_as_string(msg, attr_map[SSS_CMIM_NAME], NULL); - if (tmp_str == NULL) { - DEBUG(SSSDBG_MINOR_FAILURE, "The object [%s] doesn't have a name.\n", - ldb_dn_get_linearized(msg->dn)); -@@ -295,7 +317,7 @@ errno_t sysdb_ldb_msg_attr_to_certmap_info(TALLOC_CTX *mem_ctx, - goto done; - } - -- tmp_str = ldb_msg_find_attr_as_string(msg, SYSDB_CERTMAP_MAPPING_RULE, -+ tmp_str = ldb_msg_find_attr_as_string(msg, attr_map[SSS_CMIM_MAPPING_RULE], - NULL); - if (tmp_str != NULL) { - map->map_rule = talloc_strdup(map, tmp_str); -@@ -306,7 +328,7 @@ errno_t sysdb_ldb_msg_attr_to_certmap_info(TALLOC_CTX *mem_ctx, - } - } - -- tmp_str = ldb_msg_find_attr_as_string(msg, SYSDB_CERTMAP_MATCHING_RULE, -+ tmp_str = ldb_msg_find_attr_as_string(msg, attr_map[SSS_CMIM_MATCHING_RULE], - NULL); - if (tmp_str != NULL) { - map->match_rule = talloc_strdup(map, tmp_str); -@@ -317,7 +339,7 @@ errno_t sysdb_ldb_msg_attr_to_certmap_info(TALLOC_CTX *mem_ctx, - } - } - -- tmp_uint = ldb_msg_find_attr_as_uint64(msg, SYSDB_CERTMAP_PRIORITY, -+ tmp_uint = ldb_msg_find_attr_as_uint64(msg, attr_map[SSS_CMIM_PRIORITY], - (uint64_t) -1); - if (tmp_uint != (uint64_t) -1) { - if (tmp_uint > UINT32_MAX) { -@@ -332,7 +354,7 @@ errno_t sysdb_ldb_msg_attr_to_certmap_info(TALLOC_CTX *mem_ctx, - map->priority = SSS_CERTMAP_MIN_PRIO; - } - -- tmp_el = ldb_msg_find_element(msg, SYSDB_CERTMAP_DOMAINS); -+ tmp_el = ldb_msg_find_element(msg, attr_map[SSS_CMIM_DOMAINS]); - if (tmp_el != NULL) { - num_values = tmp_el->num_values; - } else { -@@ -379,9 +401,9 @@ errno_t sysdb_get_certmap(TALLOC_CTX *mem_ctx, struct sysdb_ctx *sysdb, - TALLOC_CTX *tmp_ctx = NULL; - struct ldb_result *res; - const char *attrs[] = {SYSDB_NAME, -- SYSDB_CERTMAP_PRIORITY, -- SYSDB_CERTMAP_MATCHING_RULE, - SYSDB_CERTMAP_MAPPING_RULE, -+ SYSDB_CERTMAP_MATCHING_RULE, -+ 
SYSDB_CERTMAP_PRIORITY, - SYSDB_CERTMAP_DOMAINS, - NULL}; - const char *config_attrs[] = {SYSDB_CERTMAP_USER_NAME_HINT, -@@ -434,7 +456,8 @@ errno_t sysdb_get_certmap(TALLOC_CTX *mem_ctx, struct sysdb_ctx *sysdb, - } - - for (c = 0; c < res->count; c++) { -- ret = sysdb_ldb_msg_attr_to_certmap_info(maps, res->msgs[c], &maps[c]); -+ ret = sysdb_ldb_msg_attr_to_certmap_info(maps, res->msgs[c], attrs, -+ &maps[c]); - if (ret != EOK) { - DEBUG(SSSDBG_OP_FAILURE, - "sysdb_ldb_msg_attr_to_certmap_info failed.\n"); --- -2.9.5 - diff --git a/0019-confdb-add-confdb_certmap_to_sysdb.patch b/0019-confdb-add-confdb_certmap_to_sysdb.patch deleted file mode 100644 index 0668358..0000000 --- a/0019-confdb-add-confdb_certmap_to_sysdb.patch +++ /dev/null 
@@ -1,167 +0,0 @@ -From d9cc38008a51a8a5189904f175e4d10cbde4a974 Mon Sep 17 00:00:00 2001 -From: Sumit Bose -Date: Mon, 2 Jul 2018 10:38:54 +0200 -Subject: [PATCH 24/83] confdb: add confdb_certmap_to_sysdb() - -Add a function to write certificate mapping and matching rules from the -config database to the cache of a domain. - -Related to https://pagure.io/SSSD/sssd/issue/3500 - -Reviewed-by: Jakub Hrozek ---- - src/confdb/confdb.c | 99 +++++++++++++++++++++++++++++++++++++++++++++++++++++ - src/confdb/confdb.h | 23 +++++++++++++ - 2 files changed, 122 insertions(+) - -diff --git a/src/confdb/confdb.c b/src/confdb/confdb.c -index 621647e..26415ca 100644 ---- a/src/confdb/confdb.c -+++ b/src/confdb/confdb.c -@@ -2202,3 +2202,102 @@ done: - talloc_free(tmp_ctx); - return ret; - } -+ -+static errno_t confdb_get_all_certmaps(TALLOC_CTX *mem_ctx, -+ struct confdb_ctx *cdb, -+ struct sss_domain_info *dom, -+ struct certmap_info ***_certmap_list) -+{ -+ TALLOC_CTX *tmp_ctx = NULL; -+ struct ldb_dn *dn = NULL; -+ struct ldb_result *res = NULL; -+ /* The attributte order is important, because it is used in -+ * sysdb_ldb_msg_attr_to_certmap_info and must match -+ * enum certmap_info_member. 
*/ -+ static const char *attrs[] = { CONFDB_CERTMAP_NAME, -+ CONFDB_CERTMAP_MAPRULE, -+ CONFDB_CERTMAP_MATCHRULE, -+ CONFDB_CERTMAP_PRIORITY, -+ CONFDB_CERTMAP_DOMAINS, -+ NULL}; -+ struct certmap_info **certmap_list = NULL; -+ size_t c; -+ int ret; -+ -+ tmp_ctx = talloc_new(NULL); -+ if (tmp_ctx == NULL) { -+ return ENOMEM; -+ } -+ -+ dn = ldb_dn_new_fmt(tmp_ctx, cdb->ldb, "cn=%s,%s", dom->name, -+ CONFDB_CERTMAP_BASEDN); -+ if (dn == NULL) { -+ ret = ENOMEM; -+ goto done; -+ } -+ -+ ret = ldb_search(cdb->ldb, tmp_ctx, &res, dn, LDB_SCOPE_ONELEVEL, -+ attrs, NULL); -+ if (ret != LDB_SUCCESS) { -+ ret = EIO; -+ goto done; -+ } -+ -+ certmap_list = talloc_zero_array(tmp_ctx, struct certmap_info *, -+ res->count + 1); -+ if (certmap_list == NULL) { -+ ret = ENOMEM; -+ goto done; -+ } -+ -+ for (c = 0; c < res->count; c++) { -+ ret = sysdb_ldb_msg_attr_to_certmap_info(certmap_list, res->msgs[c], -+ attrs, &certmap_list[c]); -+ if (ret != EOK) { -+ DEBUG(SSSDBG_OP_FAILURE, -+ "sysdb_ldb_msg_attr_to_certmap_info failed.\n"); -+ goto done; -+ } -+ } -+ -+ *_certmap_list = talloc_steal(mem_ctx, certmap_list); -+ -+ ret = EOK; -+ -+done: -+ talloc_free(tmp_ctx); -+ return ret; -+} -+ -+int confdb_certmap_to_sysdb(struct confdb_ctx *cdb, -+ struct sss_domain_info *dom) -+{ -+ int ret; -+ TALLOC_CTX *tmp_ctx; -+ struct certmap_info **certmap_list; -+ -+ tmp_ctx = talloc_new(NULL); -+ if (tmp_ctx == NULL) { -+ DEBUG(SSSDBG_OP_FAILURE, "talloc_new failed.\n"); -+ return ENOMEM; -+ } -+ -+ ret = confdb_get_all_certmaps(tmp_ctx, cdb, dom, &certmap_list); -+ if (ret != EOK) { -+ DEBUG(SSSDBG_OP_FAILURE, "confdb_get_all_certmaps failed.\n"); -+ goto done; -+ } -+ -+ ret = sysdb_update_certmap(dom->sysdb, certmap_list, false /* TODO */); -+ if (ret != EOK) { -+ DEBUG(SSSDBG_OP_FAILURE, "sysdb_update_certmap failed.\n"); -+ goto done; -+ } -+ -+ ret = EOK; -+ -+done: -+ talloc_free(tmp_ctx); -+ -+ return ret; -+} -diff --git a/src/confdb/confdb.h b/src/confdb/confdb.h -index 
2266501..2aae93a 100644 ---- a/src/confdb/confdb.h -+++ b/src/confdb/confdb.h -@@ -265,6 +265,15 @@ - #define CONFDB_KCM_SOCKET "socket_path" - #define CONFDB_KCM_DB "ccache_storage" /* Undocumented on purpose */ - -+/* Certificate mapping rules */ -+#define CONFDB_CERTMAP_BASEDN "cn=certmap,cn=config" -+#define CONFDB_CERTMAP_NAME "cn" -+#define CONFDB_CERTMAP_MAPRULE "maprule" -+#define CONFDB_CERTMAP_MATCHRULE "matchrule" -+#define CONFDB_CERTMAP_DOMAINS "domains" -+#define CONFDB_CERTMAP_PRIORITY "priority" -+ -+ - struct confdb_ctx; - struct config_file_ctx; - -@@ -662,6 +671,20 @@ int confdb_get_sub_sections(TALLOC_CTX *mem_ctx, - const char *section, - char ***sections, - int *num_sections); -+ -+/** -+ * @brief Convenience function to write the certificate mapping and matching -+ * rules from the configuration database to the cache of a domain -+ * -+ * @param[in] cdb The connection object to the confdb -+ * @param[in] dom Target domain where to rules should be written to -+ * -+ * @return 0 - Successfully retrieved the entry (or used the default) -+ * @return ENOMEM - There was insufficient memory to complete the operation -+ * @return EINVAL - Typically internal processing error -+ */ -+int confdb_certmap_to_sysdb(struct confdb_ctx *cdb, -+ struct sss_domain_info *dom); - /** - * @} - */ --- -2.9.5 - diff --git a/0020-AD-LDAP-read-certificate-mapping-rules-from-config-f.patch b/0020-AD-LDAP-read-certificate-mapping-rules-from-config-f.patch deleted file mode 100644 index fd50750..0000000 --- a/0020-AD-LDAP-read-certificate-mapping-rules-from-config-f.patch +++ /dev/null 
@@ -1,71 +0,0 @@ -From 15301db1dc1e5e2aafc1805a30e3b28756218c9b Mon Sep 17 00:00:00 2001 -From: Sumit Bose -Date: Mon, 2 Jul 2018 12:20:53 +0200 -Subject: [PATCH 25/83] AD/LDAP: read certificate mapping rules from config - file - -Related to https://pagure.io/SSSD/sssd/issue/3500 - -Reviewed-by: Jakub Hrozek ---- - src/providers/ad/ad_init.c | 16 ++++++++++++++++ - src/providers/ldap/ldap_init.c | 16 ++++++++++++++++ - 2 files changed, 32 insertions(+) - -diff --git a/src/providers/ad/ad_init.c b/src/providers/ad/ad_init.c -index 637efb7..a908571 100644 ---- a/src/providers/ad/ad_init.c -+++ b/src/providers/ad/ad_init.c -@@ -419,6 +419,22 @@ static errno_t ad_init_misc(struct be_ctx *be_ctx, - return ret; - } - -+ ret = confdb_certmap_to_sysdb(be_ctx->cdb, be_ctx->domain); -+ if (ret != EOK) { -+ DEBUG(SSSDBG_CRIT_FAILURE, -+ "Failed to initialize certificate mapping rules. " -+ "Authentication with certificates/Smartcards might not work " -+ "as expected.\n"); -+ /* not fatal, ignored */ -+ } -+ -+ ret = sdap_init_certmap(sdap_id_ctx, sdap_id_ctx); -+ if (ret != EOK) { -+ DEBUG(SSSDBG_CRIT_FAILURE, -+ "Failed to initialized certificate mapping.\n"); -+ return ret; -+ } -+ - return EOK; - } - -diff --git a/src/providers/ldap/ldap_init.c b/src/providers/ldap/ldap_init.c -index 44b3e9a..95e6561 100644 ---- a/src/providers/ldap/ldap_init.c -+++ b/src/providers/ldap/ldap_init.c -@@ -438,6 +438,22 @@ static errno_t ldap_init_misc(struct be_ctx *be_ctx, - "[%d]: %s\n", ret, sss_strerror(ret)); - } - -+ ret = confdb_certmap_to_sysdb(be_ctx->cdb, be_ctx->domain); -+ if (ret != EOK) { -+ DEBUG(SSSDBG_CRIT_FAILURE, -+ "Failed to initialize certificate mapping rules. 
" -+ "Authentication with certificates/Smartcards might not work " -+ "as expected.\n"); -+ /* not fatal, ignored */ -+ } -+ -+ ret = sdap_init_certmap(id_ctx, id_ctx); -+ if (ret != EOK) { -+ DEBUG(SSSDBG_CRIT_FAILURE, -+ "Failed to initialized certificate mapping.\n"); -+ return ret; -+ } -+ - return EOK; - } - --- -2.9.5 - diff --git a/0021-sysdb-sysdb_certmap_add-handle-domains-more-flexible.patch b/0021-sysdb-sysdb_certmap_add-handle-domains-more-flexible.patch deleted file mode 100644 index 99a9814..0000000 --- a/0021-sysdb-sysdb_certmap_add-handle-domains-more-flexible.patch +++ /dev/null @@ -1,32 +0,0 @@ -From 06f7005d38d164879b727708feff80004b422f91 Mon Sep 17 00:00:00 2001 -From: Sumit Bose -Date: Tue, 3 Jul 2018 11:31:12 +0200 -Subject: [PATCH 26/83] sysdb: sysdb_certmap_add() handle domains more flexible - -sysdb_ldb_msg_attr_to_certmap_info() creates an empty list if there are -no domains defined, sysdb_certmap_add() should be able to handle both a -missing or an empty domains list. - -Related to https://pagure.io/SSSD/sssd/issue/3500 - -Reviewed-by: Jakub Hrozek ---- - src/db/sysdb_certmap.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/src/db/sysdb_certmap.c b/src/db/sysdb_certmap.c -index e37f1ba..0bcc54c 100644 ---- a/src/db/sysdb_certmap.c -+++ b/src/db/sysdb_certmap.c -@@ -131,7 +131,7 @@ static errno_t sysdb_certmap_add(struct sysdb_ctx *sysdb, - } - } - -- if (certmap->domains != NULL) { -+ if (certmap->domains != NULL && certmap->domains[0] != NULL) { - for (c = 0; certmap->domains[c] != NULL; c++); - el = talloc_zero(tmp_ctx, struct ldb_message_element); - if (el == NULL) { --- -2.9.5 - diff --git a/0022-confdb-add-special-handling-for-rules-for-the-files-.patch b/0022-confdb-add-special-handling-for-rules-for-the-files-.patch deleted file mode 100644 index 838012b..0000000 --- a/0022-confdb-add-special-handling-for-rules-for-the-files-.patch +++ /dev/null 
@@ -1,131 +0,0 @@ -From 9386ef605ffbc03abe2bc273efddbc099441fe3b Mon Sep 17 00:00:00 2001 -From: Sumit Bose -Date: Fri, 6 Jul 2018 15:17:10 +0200 -Subject: [PATCH 27/83] confdb: add special handling for rules for the files - provider - -To make the configuration more simple there are some special assumption -for local users, i.e. user managed by the files provider. - -Related to https://pagure.io/SSSD/sssd/issue/3500 - -Reviewed-by: Jakub Hrozek ---- - src/confdb/confdb.c | 59 ++++++++++++++++++++++++++++++++++++++++ - src/confdb/confdb.h | 1 + - src/providers/files/files_init.c | 10 +++++++ - 3 files changed, 70 insertions(+) - -diff --git a/src/confdb/confdb.c b/src/confdb/confdb.c -index 26415ca..954c3ba 100644 ---- a/src/confdb/confdb.c -+++ b/src/confdb/confdb.c -@@ -2203,6 +2203,56 @@ done: - return ret; - } - -+static errno_t certmap_local_check(struct ldb_message *msg) -+{ -+ const char *rule_name; -+ const char *tmp_str; -+ int ret; -+ -+ rule_name = ldb_msg_find_attr_as_string(msg, CONFDB_CERTMAP_NAME, NULL); -+ if (rule_name == NULL) { -+ DEBUG(SSSDBG_CRIT_FAILURE, "Certficate mapping rule [%s] has no name.", -+ ldb_dn_get_linearized(msg->dn)); -+ return EINVAL; -+ } -+ -+ tmp_str = ldb_msg_find_attr_as_string(msg, CONFDB_CERTMAP_DOMAINS, NULL); -+ if (tmp_str != NULL) { -+ DEBUG(SSSDBG_CONF_SETTINGS, -+ "Option [%s] is ignored for local certmap rules.\n", -+ CONFDB_CERTMAP_DOMAINS); -+ } -+ -+ tmp_str = ldb_msg_find_attr_as_string(msg, CONFDB_CERTMAP_MAPRULE, NULL); -+ if (tmp_str != NULL) { -+ if (tmp_str[0] != '(' || tmp_str[strlen(tmp_str) - 1] != ')') { -+ DEBUG(SSSDBG_CONF_SETTINGS, -+ "Mapping rule must be in braces (...).\n"); -+ return EINVAL; -+ } -+ DEBUG(SSSDBG_TRACE_ALL, "Using [%s] mapping rule of [%s].\n", -+ tmp_str, ldb_dn_get_linearized(msg->dn)); -+ return EOK; -+ } -+ -+ tmp_str = talloc_asprintf(msg, "(%s)", rule_name); -+ if (tmp_str == NULL) { -+ DEBUG(SSSDBG_OP_FAILURE, "talloc_asprintf failed.\n"); -+ return ENOMEM; -+ } -+ ret = 
ldb_msg_add_string(msg, CONFDB_CERTMAP_MAPRULE, tmp_str); -+ if (ret != LDB_SUCCESS) { -+ talloc_free(discard_const(tmp_str)); -+ DEBUG(SSSDBG_OP_FAILURE, "ldb_msg_add_string failed.\n"); -+ return EIO; -+ } -+ -+ DEBUG(SSSDBG_TRACE_ALL, "Using [%s] as mapping rule for [%s].\n", -+ tmp_str, ldb_dn_get_linearized(msg->dn)); -+ -+ return EOK; -+} -+ - static errno_t confdb_get_all_certmaps(TALLOC_CTX *mem_ctx, - struct confdb_ctx *cdb, - struct sss_domain_info *dom, -@@ -2251,6 +2301,15 @@ static errno_t confdb_get_all_certmaps(TALLOC_CTX *mem_ctx, - } - - for (c = 0; c < res->count; c++) { -+ if (is_files_provider(dom)) { -+ ret = certmap_local_check(res->msgs[c]); -+ if (ret != EOK) { -+ DEBUG(SSSDBG_CONF_SETTINGS, -+ "Invalid certificate mapping [%s] for local user, " -+ "ignored.\n", ldb_dn_get_linearized(res->msgs[c]->dn)); -+ continue; -+ } -+ } - ret = sysdb_ldb_msg_attr_to_certmap_info(certmap_list, res->msgs[c], - attrs, &certmap_list[c]); - if (ret != EOK) { -diff --git a/src/confdb/confdb.h b/src/confdb/confdb.h -index 2aae93a..625d156 100644 ---- a/src/confdb/confdb.h -+++ b/src/confdb/confdb.h -@@ -685,6 +685,7 @@ int confdb_get_sub_sections(TALLOC_CTX *mem_ctx, - */ - int confdb_certmap_to_sysdb(struct confdb_ctx *cdb, - struct sss_domain_info *dom); -+ - /** - * @} - */ -diff --git a/src/providers/files/files_init.c b/src/providers/files/files_init.c -index 746c04a..c793bed 100644 ---- a/src/providers/files/files_init.c -+++ b/src/providers/files/files_init.c -@@ -189,6 +189,16 @@ int sssm_files_init(TALLOC_CTX *mem_ctx, - goto done; - } - -+ ret = confdb_certmap_to_sysdb(be_ctx->cdb, be_ctx->domain); -+ if (ret != EOK) { -+ DEBUG(SSSDBG_CRIT_FAILURE, -+ "Failed to initialize certificate mapping rules. " -+ "Authentication with certificates/Smartcards might not work " -+ "as expected.\n"); -+ /* not fatal, ignored */ -+ } -+ -+ - *_module_data = ctx; - ret = EOK; - done: --- -2.9.5 - 
diff --git a/0023-files-add-support-for-Smartcard-authentication.patch b/0023-files-add-support-for-Smartcard-authentication.patch
deleted file mode 100644
index 10d8e5f..0000000
--- a/0023-files-add-support-for-Smartcard-authentication.patch
+++ /dev/null
@@ -1,414 +0,0 @@ -From 275eeed24adc31f3df51cf278f509a4be76a3a3c Mon Sep 17 00:00:00 2001 -From: Sumit Bose -Date: Mon, 9 Jul 2018 18:37:46 +0200 -Subject: [PATCH 28/83] files: add support for Smartcard authentication - -To support certificate based authentication the files provider must be -able to map a certificate to a user during a BE_REQ_BY_CERT request. - -Additionally the authentication request should be handled by the PAM -responder code which is responsible for the local Smartcard -authentication. To be consistent with the other backend an authentication -handler is added to the files provider which unconditionally returns the -offline error code telling the PAM responder to handle the -authentication if it has access to the needed credentials. - -Related to https://pagure.io/SSSD/sssd/issue/3500 - -Reviewed-by: Jakub Hrozek ---- - Makefile.am | 2 + - src/providers/files/files_auth.c | 69 +++++++++++++ - src/providers/files/files_certmap.c | 186 ++++++++++++++++++++++++++++++++++++ - src/providers/files/files_id.c | 20 ++++ - src/providers/files/files_init.c | 21 +++- - src/providers/files/files_private.h | 17 ++++ - 6 files changed, 314 insertions(+), 1 deletion(-) - create mode 100644 src/providers/files/files_auth.c - create mode 100644 src/providers/files/files_certmap.c - -diff --git a/Makefile.am b/Makefile.am -index deb9ce3..3667856 100644 ---- a/Makefile.am -+++ b/Makefile.am -@@ -4285,6 +4285,8 @@ libsss_proxy_la_LDFLAGS = \ - libsss_files_la_SOURCES = \ - src/providers/files/files_init.c \ - src/providers/files/files_id.c \ -+ src/providers/files/files_auth.c \ -+ src/providers/files/files_certmap.c \ - src/providers/files/files_ops.c \ - src/util/inotify.c \ - $(NULL) -diff --git a/src/providers/files/files_auth.c b/src/providers/files/files_auth.c -new file mode 100644 -index 0000000..b71de69 ---- /dev/null -+++ b/src/providers/files/files_auth.c -@@ -0,0 +1,69 @@ -+/* -+ SSSD -+ -+ files_auth.c - PAM operations on the files provider -+ -+ 
Copyright (C) 2018 Red Hat -+ -+ This program is free software; you can redistribute it and/or modify -+ it under the terms of the GNU General Public License as published by -+ the Free Software Foundation; either version 3 of the License, or -+ (at your option) any later version. -+ -+ This program is distributed in the hope that it will be useful, -+ but WITHOUT ANY WARRANTY; without even the implied warranty of -+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -+ GNU General Public License for more details. -+ -+ You should have received a copy of the GNU General Public License -+ along with this program. If not, see . -+*/ -+ -+#include -+ -+#include "providers/data_provider/dp.h" -+#include "providers/data_provider.h" -+#include "providers/files/files_private.h" -+#include "util/cert.h" -+ -+struct files_auth_ctx { -+ struct pam_data *pd; -+}; -+ -+struct tevent_req * -+files_auth_handler_send(TALLOC_CTX *mem_ctx, -+ void *unused, -+ struct pam_data *pd, -+ struct dp_req_params *params) -+{ -+ struct files_auth_ctx *state; -+ struct tevent_req *req; -+ -+ req = tevent_req_create(mem_ctx, &state, struct files_auth_ctx); -+ if (req == NULL) { -+ DEBUG(SSSDBG_CRIT_FAILURE, "tevent_req_create() failed\n"); -+ return NULL; -+ } -+ -+ state->pd = pd; -+ state->pd->pam_status = PAM_AUTHINFO_UNAVAIL; -+ -+ tevent_req_done(req); -+ tevent_req_post(req, params->ev); -+ return req; -+} -+ -+errno_t files_auth_handler_recv(TALLOC_CTX *mem_ctx, -+ struct tevent_req *req, -+ struct pam_data **_data) -+{ -+ struct files_auth_ctx *state = NULL; -+ -+ state = tevent_req_data(req, struct files_auth_ctx); -+ -+ TEVENT_REQ_RETURN_ON_ERROR(req); -+ -+ *_data = talloc_steal(mem_ctx, state->pd); -+ -+ return EOK; -+} -diff --git a/src/providers/files/files_certmap.c b/src/providers/files/files_certmap.c -new file mode 100644 -index 0000000..7d90a1f ---- /dev/null -+++ b/src/providers/files/files_certmap.c -@@ -0,0 +1,186 @@ -+/* -+ SSSD -+ -+ files_init.c - 
Initialization of the files provider -+ -+ Copyright (C) 2018 Red Hat -+ -+ This program is free software; you can redistribute it and/or modify -+ it under the terms of the GNU General Public License as published by -+ the Free Software Foundation; either version 3 of the License, or -+ (at your option) any later version. -+ -+ This program is distributed in the hope that it will be useful, -+ but WITHOUT ANY WARRANTY; without even the implied warranty of -+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -+ GNU General Public License for more details. -+ -+ You should have received a copy of the GNU General Public License -+ along with this program. If not, see . -+*/ -+ -+#include "providers/files/files_private.h" -+#include "util/util.h" -+#include "util/cert.h" -+#include "lib/certmap/sss_certmap.h" -+ -+struct priv_sss_debug { -+ int level; -+}; -+ -+static void ext_debug(void *private, const char *file, long line, -+ const char *function, const char *format, ...) -+{ -+ va_list ap; -+ struct priv_sss_debug *data = private; -+ int level = SSSDBG_OP_FAILURE; -+ -+ if (data != NULL) { -+ level = data->level; -+ } -+ -+ if (DEBUG_IS_SET(level)) { -+ va_start(ap, format); -+ sss_vdebug_fn(file, line, function, level, APPEND_LINE_FEED, -+ format, ap); -+ va_end(ap); -+ } -+} -+ -+errno_t files_init_certmap(TALLOC_CTX *mem_ctx, struct files_id_ctx *id_ctx) -+{ -+ int ret; -+ bool hint; -+ struct certmap_info **certmap_list = NULL; -+ size_t c; -+ -+ ret = sysdb_get_certmap(mem_ctx, id_ctx->be->domain->sysdb, -+ &certmap_list, &hint); -+ if (ret != EOK) { -+ DEBUG(SSSDBG_OP_FAILURE, "sysdb_get_certmap failed.\n"); -+ goto done; -+ } -+ -+ if (certmap_list == NULL || *certmap_list == NULL) { -+ DEBUG(SSSDBG_TRACE_ALL, "No certmap data, nothing to do.\n"); -+ ret = EOK; -+ goto done; -+ } -+ -+ ret = sss_certmap_init(mem_ctx, ext_debug, NULL, &id_ctx->sss_certmap_ctx); -+ if (ret != EOK) { -+ DEBUG(SSSDBG_OP_FAILURE, "sss_certmap_init failed.\n"); -+ goto 
done; -+ } -+ -+ for (c = 0; certmap_list[c] != NULL; c++) { -+ DEBUG(SSSDBG_TRACE_ALL, "Trying to add rule [%s][%d][%s][%s].\n", -+ certmap_list[c]->name, -+ certmap_list[c]->priority, -+ certmap_list[c]->match_rule, -+ certmap_list[c]->map_rule); -+ -+ ret = sss_certmap_add_rule(id_ctx->sss_certmap_ctx, -+ certmap_list[c]->priority, -+ certmap_list[c]->match_rule, -+ certmap_list[c]->map_rule, -+ certmap_list[c]->domains); -+ if (ret != 0) { -+ DEBUG(SSSDBG_CRIT_FAILURE, -+ "sss_certmap_add_rule failed for rule [%s] " -+ "with error [%d][%s], skipping. " -+ "Please check for typos and if rule syntax is supported.\n", -+ certmap_list[c]->name, ret, sss_strerror(ret)); -+ continue; -+ } -+ } -+ -+ ret = EOK; -+ -+done: -+ talloc_free(certmap_list); -+ -+ return ret; -+} -+ -+errno_t files_map_cert_to_user(struct files_id_ctx *id_ctx, -+ struct dp_id_data *data) -+{ -+ errno_t ret; -+ char *filter; -+ char *user; -+ struct ldb_message *msg = NULL; -+ struct sysdb_attrs *attrs = NULL; -+ TALLOC_CTX *tmp_ctx; -+ -+ tmp_ctx = talloc_new(NULL); -+ if (tmp_ctx == NULL) { -+ DEBUG(SSSDBG_OP_FAILURE, "talloc_new failed.\n"); -+ return ENOMEM; -+ } -+ -+ ret = sss_cert_derb64_to_ldap_filter(tmp_ctx, data->filter_value, "", -+ id_ctx->sss_certmap_ctx, -+ id_ctx->domain, &filter); -+ if (ret != EOK) { -+ DEBUG(SSSDBG_OP_FAILURE, -+ "sss_cert_derb64_to_ldap_filter failed.\n"); -+ goto done; -+ } -+ if (filter == NULL || filter[0] != '(' -+ || filter[strlen(filter) - 1] != ')') { -+ DEBUG(SSSDBG_OP_FAILURE, -+ "sss_cert_derb64_to_ldap_filter returned bad filter [%s].\n", -+ filter); -+ ret = EINVAL; -+ goto done; -+ } -+ -+ filter[strlen(filter) - 1] = '\0'; -+ user = sss_create_internal_fqname(tmp_ctx, &filter[1], -+ id_ctx->domain->name); -+ if (user == NULL) { -+ DEBUG(SSSDBG_OP_FAILURE, "sss_create_internal_fqname failed.\n"); -+ ret = ENOMEM; -+ goto done; -+ } -+ DEBUG(SSSDBG_TRACE_ALL, "Certificate mapped to user: [%s].\n", user); -+ -+ ret = 
sysdb_search_user_by_name(tmp_ctx, id_ctx->domain, user, NULL, &msg); -+ if (ret == EOK) { -+ attrs = sysdb_new_attrs(tmp_ctx); -+ if (attrs == NULL) { -+ DEBUG(SSSDBG_OP_FAILURE, "sysdb_new_attrs failed.\n"); -+ ret = ENOMEM; -+ goto done; -+ } -+ -+ ret = sysdb_attrs_add_base64_blob(attrs, SYSDB_USER_MAPPED_CERT, -+ data->filter_value); -+ if (ret != EOK) { -+ DEBUG(SSSDBG_OP_FAILURE, "sysdb_attrs_add_base64_blob failed.\n"); -+ goto done; -+ } -+ -+ ret = sysdb_set_entry_attr(id_ctx->domain->sysdb, msg->dn, attrs, -+ SYSDB_MOD_ADD); -+ if (ret != EOK) { -+ DEBUG(SSSDBG_OP_FAILURE, "sysdb_set_entry_attr failed.\n"); -+ goto done; -+ } -+ } else if (ret == ENOENT) { -+ DEBUG(SSSDBG_TRACE_ALL, "Mapped user [%s] not found.\n", user); -+ ret = EOK; -+ goto done; -+ } else { -+ DEBUG(SSSDBG_OP_FAILURE, "sysdb_search_user_by_name failed.\n"); -+ goto done; -+ } -+ -+ ret = EOK; -+ -+done: -+ talloc_free(tmp_ctx); -+ -+ return ret; -+} -diff --git a/src/providers/files/files_id.c b/src/providers/files/files_id.c -index 41314c6..f6f8c73 100644 ---- a/src/providers/files/files_id.c -+++ b/src/providers/files/files_id.c -@@ -87,6 +87,26 @@ files_account_info_handler_send(TALLOC_CTX *mem_ctx, - ? 
true \ - : false; - break; -+ case BE_REQ_BY_CERT: -+ if (data->filter_type != BE_FILTER_CERT) { -+ DEBUG(SSSDBG_CRIT_FAILURE, -+ "Unexpected filter type for lookup by cert: %d\n", -+ data->filter_type); -+ ret = EINVAL; -+ goto immediate; -+ } -+ if (id_ctx->sss_certmap_ctx == NULL) { -+ DEBUG(SSSDBG_TRACE_ALL, "Certificate mapping not configured.\n"); -+ ret = EOK; -+ goto immediate; -+ } -+ -+ ret = files_map_cert_to_user(id_ctx, data); -+ if (ret != EOK) { -+ DEBUG(SSSDBG_OP_FAILURE, "files_map_cert_to_user failed"); -+ } -+ goto immediate; -+ break; - default: - DEBUG(SSSDBG_CRIT_FAILURE, - "Unexpected entry type: %d\n", data->entry_type & BE_REQ_TYPE_MASK); -diff --git a/src/providers/files/files_init.c b/src/providers/files/files_init.c -index c793bed..1ce4bcf 100644 ---- a/src/providers/files/files_init.c -+++ b/src/providers/files/files_init.c -@@ -196,9 +196,16 @@ int sssm_files_init(TALLOC_CTX *mem_ctx, - "Authentication with certificates/Smartcards might not work " - "as expected.\n"); - /* not fatal, ignored */ -+ } else { -+ ret = files_init_certmap(ctx, ctx); -+ if (ret != EOK) { -+ DEBUG(SSSDBG_CRIT_FAILURE, "files_init_certmap failed. 
" -+ "Authentication with certificates/Smartcards might not work " -+ "as expected.\n"); -+ /* not fatal, ignored */ -+ } - } - -- - *_module_data = ctx; - ret = EOK; - done: -@@ -234,3 +241,15 @@ int sssm_files_id_init(TALLOC_CTX *mem_ctx, - - return EOK; - } -+ -+int sssm_files_auth_init(TALLOC_CTX *mem_ctx, -+ struct be_ctx *be_ctx, -+ void *module_data, -+ struct dp_method *dp_methods) -+{ -+ dp_set_method(dp_methods, DPM_AUTH_HANDLER, -+ files_auth_handler_send, files_auth_handler_recv, NULL, void, -+ struct pam_data, struct pam_data *); -+ -+ return EOK; -+} -diff --git a/src/providers/files/files_private.h b/src/providers/files/files_private.h -index f44e6d4..fd17819 100644 ---- a/src/providers/files/files_private.h -+++ b/src/providers/files/files_private.h -@@ -38,6 +38,7 @@ struct files_id_ctx { - struct be_ctx *be; - struct sss_domain_info *domain; - struct files_ctx *fctx; -+ struct sss_certmap_ctx *sss_certmap_ctx; - - const char **passwd_files; - const char **group_files; -@@ -71,4 +72,20 @@ errno_t files_account_info_handler_recv(TALLOC_CTX *mem_ctx, - void files_account_info_finished(struct files_id_ctx *id_ctx, - int req_type, - errno_t ret); -+ -+/* files_auth.c */ -+struct tevent_req *files_auth_handler_send(TALLOC_CTX *mem_ctx, -+ void *unused, -+ struct pam_data *pd, -+ struct dp_req_params *params); -+ -+errno_t files_auth_handler_recv(TALLOC_CTX *mem_ctx, -+ struct tevent_req *req, -+ struct pam_data **_data); -+ -+/* files_certmap.c */ -+errno_t files_init_certmap(TALLOC_CTX *mem_ctx, struct files_id_ctx *id_ctx); -+ -+errno_t files_map_cert_to_user(struct files_id_ctx *id_ctx, -+ struct dp_id_data *data); - #endif /* __FILES_PRIVATE_H_ */ --- -2.9.5 - diff --git a/0024-responder-make-sure-SSS_DP_CERT-is-passed-to-files-p.patch b/0024-responder-make-sure-SSS_DP_CERT-is-passed-to-files-p.patch deleted file mode 100644 index e192048..0000000 --- a/0024-responder-make-sure-SSS_DP_CERT-is-passed-to-files-p.patch +++ /dev/null 
@@ -1,68 +0,0 @@ -From 9fdc5f1d87a133885e6a22810a7eb980c60dcb55 Mon Sep 17 00:00:00 2001 -From: Sumit Bose -Date: Mon, 9 Jul 2018 18:45:21 +0200 -Subject: [PATCH 29/83] responder: make sure SSS_DP_CERT is passed to files - provider - -Currently the files provider is only contacted once in a while to update -the full cache with fresh data from the passwd file. To allow rule based -certificate mapping the lookup by certificate request must be always -send to the file provider so that it can evaluate the rules and add the -certificate to cached entry of the matching user. - -Related to https://pagure.io/SSSD/sssd/issue/3500 - -Reviewed-by: Jakub Hrozek ---- - src/responder/common/responder_dp.c | 20 +++++++++++++------- - 1 file changed, 13 insertions(+), 7 deletions(-) - -diff --git a/src/responder/common/responder_dp.c b/src/responder/common/responder_dp.c -index 878aa1d..39f0f20 100644 ---- a/src/responder/common/responder_dp.c -+++ b/src/responder/common/responder_dp.c -@@ -34,15 +34,17 @@ sss_dp_account_files_params(struct sss_domain_info *dom, - enum sss_dp_acct_type *_type_out, - const char **_opt_name_out) - { -- if (sss_domain_get_state(dom) != DOM_INCONSISTENT) { -+ if (type_in != SSS_DP_CERT) { -+ if (sss_domain_get_state(dom) != DOM_INCONSISTENT) { -+ DEBUG(SSSDBG_TRACE_INTERNAL, -+ "The entries in the files domain are up-to-date\n"); -+ return EOK; -+ } -+ - DEBUG(SSSDBG_TRACE_INTERNAL, -- "The entries in the files domain are up-to-date\n"); -- return EOK; -+ "Domain files is not consistent, issuing update\n"); - } - -- DEBUG(SSSDBG_TRACE_INTERNAL, -- "Domain files is not consistent, issuing update\n"); -- - switch(type_in) { - case SSS_DP_USER: - case SSS_DP_GROUP: -@@ -56,12 +58,16 @@ sss_dp_account_files_params(struct sss_domain_info *dom, - *_type_out = type_in; - *_opt_name_out = DP_REQ_OPT_FILES_INITGR; - return EAGAIN; -+ case SSS_DP_CERT: -+ /* Let the backend handle certificate mapping for local users */ -+ *_type_out = type_in; -+ *_opt_name_out 
= opt_name_in; -+ return EAGAIN; - /* These are not handled by the files provider, just fall back */ - case SSS_DP_NETGR: - case SSS_DP_SERVICES: - case SSS_DP_SECID: - case SSS_DP_USER_AND_GROUP: -- case SSS_DP_CERT: - case SSS_DP_WILDCARD_USER: - case SSS_DP_WILDCARD_GROUP: - return EOK; --- -2.9.5 - diff --git a/0025-PAM-add-certificate-matching-rules-from-all-domains.patch b/0025-PAM-add-certificate-matching-rules-from-all-domains.patch deleted file mode 100644 index e25ac3b..0000000 --- a/0025-PAM-add-certificate-matching-rules-from-all-domains.patch +++ /dev/null 
@@ -1,166 +0,0 @@ -From d42f44d54453d3ddb54875374c1b61dc1e7cd821 Mon Sep 17 00:00:00 2001 -From: Sumit Bose -Date: Mon, 9 Jul 2018 18:56:26 +0200 -Subject: [PATCH 30/83] PAM: add certificate matching rules from all domains - -Currently the PAM responder only reads the certificate mapping and -matching rules from the first domain. To support Smartcard -authentication for local and remote users all configured domains must be -taken into account. - -Related to https://pagure.io/SSSD/sssd/issue/3500 - -Reviewed-by: Jakub Hrozek ---- - src/responder/pam/pamsrv.h | 2 +- - src/responder/pam/pamsrv_cmd.c | 2 +- - src/responder/pam/pamsrv_p11.c | 77 +++++++++++++++++++++++++++--------------- - 3 files changed, 51 insertions(+), 30 deletions(-) - -diff --git a/src/responder/pam/pamsrv.h b/src/responder/pam/pamsrv.h -index d189ccc..5d87756 100644 ---- a/src/responder/pam/pamsrv.h -+++ b/src/responder/pam/pamsrv.h -@@ -114,7 +114,7 @@ errno_t add_pam_cert_response(struct pam_data *pd, const char *sysdb_username, - bool may_do_cert_auth(struct pam_ctx *pctx, struct pam_data *pd); - - errno_t p11_refresh_certmap_ctx(struct pam_ctx *pctx, -- struct certmap_info **certmap_list); -+ struct sss_domain_info *domains); - - errno_t - pam_set_last_online_auth_with_curr_token(struct sss_domain_info *domain, -diff --git a/src/responder/pam/pamsrv_cmd.c b/src/responder/pam/pamsrv_cmd.c -index a6bb289..ed9ad57 100644 ---- a/src/responder/pam/pamsrv_cmd.c -+++ b/src/responder/pam/pamsrv_cmd.c -@@ -1737,7 +1737,7 @@ static void pam_forwarder_cb(struct tevent_req *req) - goto done; - } - -- ret = p11_refresh_certmap_ctx(pctx, pctx->rctx->domains->certmaps); -+ ret = p11_refresh_certmap_ctx(pctx, pctx->rctx->domains); - if (ret != EOK) { - DEBUG(SSSDBG_OP_FAILURE, - "p11_refresh_certmap_ctx failed, " -diff --git a/src/responder/pam/pamsrv_p11.c b/src/responder/pam/pamsrv_p11.c -index bf72207..ffa6787 100644 ---- a/src/responder/pam/pamsrv_p11.c -+++ b/src/responder/pam/pamsrv_p11.c -@@ -142,11 
+142,14 @@ static void ext_debug(void *private, const char *file, long line, - } - - errno_t p11_refresh_certmap_ctx(struct pam_ctx *pctx, -- struct certmap_info **certmap_list) -+ struct sss_domain_info *domains) - { - int ret; - struct sss_certmap_ctx *sss_certmap_ctx = NULL; - size_t c; -+ struct sss_domain_info *dom; -+ bool certmap_found = false; -+ struct certmap_info **certmap_list; - - ret = sss_certmap_init(pctx, ext_debug, NULL, &sss_certmap_ctx); - if (ret != EOK) { -@@ -154,7 +157,15 @@ errno_t p11_refresh_certmap_ctx(struct pam_ctx *pctx, - goto done; - } - -- if (certmap_list == NULL || *certmap_list == NULL) { -+ DLIST_FOR_EACH(dom, domains) { -+ certmap_list = dom->certmaps; -+ if (certmap_list != NULL && *certmap_list != NULL) { -+ certmap_found = true; -+ break; -+ } -+ } -+ -+ if (!certmap_found) { - /* Try to add default matching rule */ - ret = sss_certmap_add_rule(sss_certmap_ctx, SSS_CERTMAP_MIN_PRIO, - CERT_AUTH_DEFAULT_MATCHING_RULE, NULL, NULL); -@@ -166,24 +177,32 @@ errno_t p11_refresh_certmap_ctx(struct pam_ctx *pctx, - goto done; - } - -- for (c = 0; certmap_list[c] != NULL; c++) { -- DEBUG(SSSDBG_TRACE_ALL, -- "Trying to add rule [%s][%d][%s][%s].\n", -- certmap_list[c]->name, certmap_list[c]->priority, -- certmap_list[c]->match_rule, certmap_list[c]->map_rule); -- -- ret = sss_certmap_add_rule(sss_certmap_ctx, certmap_list[c]->priority, -- certmap_list[c]->match_rule, -- certmap_list[c]->map_rule, -- certmap_list[c]->domains); -- if (ret != 0) { -- DEBUG(SSSDBG_CRIT_FAILURE, -- "sss_certmap_add_rule failed for rule [%s] " -- "with error [%d][%s], skipping. 
" -- "Please check for typos and if rule syntax is supported.\n", -- certmap_list[c]->name, ret, sss_strerror(ret)); -+ DLIST_FOR_EACH(dom, domains) { -+ certmap_list = dom->certmaps; -+ if (certmap_list == NULL || *certmap_list == NULL) { - continue; - } -+ -+ for (c = 0; certmap_list[c] != NULL; c++) { -+ DEBUG(SSSDBG_TRACE_ALL, -+ "Trying to add rule [%s][%d][%s][%s].\n", -+ certmap_list[c]->name, certmap_list[c]->priority, -+ certmap_list[c]->match_rule, certmap_list[c]->map_rule); -+ -+ ret = sss_certmap_add_rule(sss_certmap_ctx, -+ certmap_list[c]->priority, -+ certmap_list[c]->match_rule, -+ certmap_list[c]->map_rule, -+ certmap_list[c]->domains); -+ if (ret != 0) { -+ DEBUG(SSSDBG_CRIT_FAILURE, -+ "sss_certmap_add_rule failed for rule [%s] " -+ "with error [%d][%s], skipping. " -+ "Please check for typos and if rule syntax is supported.\n", -+ certmap_list[c]->name, ret, sss_strerror(ret)); -+ continue; -+ } -+ } - } - - ret = EOK; -@@ -204,19 +223,21 @@ errno_t p11_child_init(struct pam_ctx *pctx) - int ret; - struct certmap_info **certmaps; - bool user_name_hint; -- struct sss_domain_info *dom = pctx->rctx->domains; -+ struct sss_domain_info *dom; - -- ret = sysdb_get_certmap(dom, dom->sysdb, &certmaps, &user_name_hint); -- if (ret != EOK) { -- DEBUG(SSSDBG_OP_FAILURE, "sysdb_get_certmap failed.\n"); -- return ret; -- } -+ DLIST_FOR_EACH(dom, pctx->rctx->domains) { -+ ret = sysdb_get_certmap(dom, dom->sysdb, &certmaps, &user_name_hint); -+ if (ret != EOK) { -+ DEBUG(SSSDBG_OP_FAILURE, "sysdb_get_certmap failed.\n"); -+ return ret; -+ } - -- dom->user_name_hint = user_name_hint; -- talloc_free(dom->certmaps); -- dom->certmaps = certmaps; -+ dom->user_name_hint = user_name_hint; -+ talloc_free(dom->certmaps); -+ dom->certmaps = certmaps; -+ } - -- ret = p11_refresh_certmap_ctx(pctx, dom->certmaps); -+ ret = p11_refresh_certmap_ctx(pctx, pctx->rctx->domains); - if (ret != EOK) { - DEBUG(SSSDBG_OP_FAILURE, "p11_refresh_certmap_ctx failed.\n"); - return ret; 
--- -2.9.5 - diff --git a/0026-doc-add-certificate-mapping-section-to-man-page.patch b/0026-doc-add-certificate-mapping-section-to-man-page.patch deleted file mode 100644 index 0e2388a..0000000 --- a/0026-doc-add-certificate-mapping-section-to-man-page.patch +++ /dev/null 
@@ -1,182 +0,0 @@ -From 0c739e969a617bdb4c06cdfd63772bf6d283c518 Mon Sep 17 00:00:00 2001 -From: Sumit Bose -Date: Mon, 3 Sep 2018 18:38:42 +0200 -Subject: [PATCH 31/83] doc: add certificate mapping section to man page - -Related to https://pagure.io/SSSD/sssd/issue/3500 - -Reviewed-by: Jakub Hrozek ---- - src/man/sssd.conf.5.xml | 149 ++++++++++++++++++++++++++++++++++++++++++++++++ - 1 file changed, 149 insertions(+) - -diff --git a/src/man/sssd.conf.5.xml b/src/man/sssd.conf.5.xml -index 881ffc6..04143f1 100644 ---- a/src/man/sssd.conf.5.xml -+++ b/src/man/sssd.conf.5.xml -@@ -3299,6 +3299,135 @@ ldap_user_extra_attrs = phone:telephoneNumber - - - -+ -+ CERTIFICATE MAPPING SECTION -+ -+ To allow authentication with Smartcards and certificates SSSD must -+ be able to map certificates to users. This can be done by adding the -+ full certificate to the LDAP object of the user or to a local -+ override. While using the full certificate is required to use the -+ Smartcard authentication feature of SSH (see -+ -+ sss_ssh_authorizedkeys -+ 8 -+ -+ for details) it might be cumbersome or not even possible to do this -+ for the general case where local services use PAM for -+ authentication. -+ -+ -+ To make the mapping more flexible mapping and matching rules were -+ added to SSSD (see -+ -+ sss-certmap -+ 5 -+ -+ for details). -+ -+ -+ A mapping and matching rule can be added to the SSSD configuration -+ in a section on its own with a name like -+ [certmap/DOMAIN_NAME/RULE_NAME]. -+ In this section the following options are allowed: -+ -+ -+ -+ matchrule (string) -+ -+ -+ Only certificates from the Smartcard which matches this -+ rule will be processed, all others are ignored. -+ -+ -+ Default: KRB5:<EKU>clientAuth, i.e. only -+ certificates which have the Extended Key Usage -+ clientAuth -+ -+ -+ -+ -+ maprule (string) -+ -+ -+ Defines how the user is found for a given certificate. 
-+ -+ -+ Default: -+ -+ -+ LDAP:(userCertificate;binary={cert!bin}) -+ for LDAP based providers like -+ ldap, AD or -+ ipa. -+ -+ -+ The RULE_NAME for the files -+ provider which tries to find a user with the -+ same name. -+ -+ -+ -+ -+ -+ -+ domains (string) -+ -+ -+ Comma separated list of domain names the rule should be -+ applied. By default a rule is only valid in the domain -+ configured in sssd.conf. If the provider supports -+ subdomains this option can be used to add the rule to -+ subdomains as well. -+ -+ -+ Default: the configured domain in sssd.conf -+ -+ -+ -+ -+ priority (integer) -+ -+ -+ Unsigned integer value defining the priority of the -+ rule. The higher the number the lower the priority. -+ 0 stands for the highest priority while -+ 4294967295 is the lowest. -+ -+ -+ Default: the lowest priority -+ -+ -+ -+ -+ -+ To make the configuration simple and reduce the amount of -+ configuration options the files provider has some -+ special properties: -+ -+ -+ -+ if maprule is not set the RULE_NAME name is assumed to -+ be the name of the matching user -+ -+ -+ -+ -+ if a maprule is used both a single user name or a -+ template like -+ {subject_rfc822_name.short_name} must -+ be in braces like e.g. (username) or -+ ({subject_rfc822_name.short_name}) -+ -+ -+ -+ -+ the domains option is ignored -+ -+ -+ -+ -+ -+ - - EXAMPLES - -@@ -3343,6 +3472,26 @@ enumerate = False - use_fully_qualified_names = false - - -+ -+ 3. The following example shows the configuration for two certificate -+ mapping rules. The first is valid for the configured domain -+ my.domain and additionally for the subdomains -+ your.domain and uses the full certificate in the -+ search filter. The second example is valid for the domain -+ files where it is assumed the files provider is used -+ for this domain and contains a matching rule for the local user -+ myname. 
-+ -+[certmap/my.domain/rule_name] -+matchrule = <ISSUER>^CN=My-CA,DC=MY,DC=DOMAIN$ -+maprule = (userCertificate;binary={cert!bin}) -+domains = my.domain, your.domain -+priority = 10 -+ -+[certmap/files/myname] -+matchrule = <ISSUER>^CN=My-CA,DC=MY,DC=DOMAIN$<SUBJECT>^CN=User.Name,DC=MY,DC=DOMAIN$ -+ -+ - - - --- -2.9.5 - diff --git a/0027-intg-user-default-locale.patch b/0027-intg-user-default-locale.patch deleted file mode 100644 index 3c77d35..0000000 --- a/0027-intg-user-default-locale.patch +++ /dev/null @@ -1,30 +0,0 @@ -From 16941c47a6f0fc2f1679725d55cde221f3c3a6ef Mon Sep 17 00:00:00 2001 -From: Sumit Bose -Date: Fri, 7 Sep 2018 22:12:02 +0200 -Subject: [PATCH 32/83] intg: user default locale - -Some checks depend on english error messages so checks should be always -run with the default locale. - -Related to https://pagure.io/SSSD/sssd/issue/3500 - -Reviewed-by: Jakub Hrozek ---- - src/tests/intg/Makefile.am | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/src/tests/intg/Makefile.am b/src/tests/intg/Makefile.am -index 65da9ca..6f7605b 100644 ---- a/src/tests/intg/Makefile.am -+++ b/src/tests/intg/Makefile.am -@@ -126,6 +126,7 @@ intgcheck-installed: config.py passwd group - PATH="$$(dirname -- $(SLAPD)):$$PATH" \ - PATH="$(DESTDIR)$(sbindir):$(DESTDIR)$(bindir):$$PATH" \ - PATH="$$PATH:$(abs_builddir):$(abs_srcdir)" \ -+ LANG=C \ - PYTHONPATH="$(abs_builddir):$(abs_srcdir)" \ - LDB_MODULES_PATH="$(DESTDIR)$(ldblibdir)" \ - NON_WRAPPED_UID=$$(id -u) \ --- -2.9.5 - diff --git a/0028-PAM-use-better-PAM-error-code-for-failed-Smartcard-a.patch b/0028-PAM-use-better-PAM-error-code-for-failed-Smartcard-a.patch deleted file mode 100644 index 0162c56..0000000 --- a/0028-PAM-use-better-PAM-error-code-for-failed-Smartcard-a.patch +++ /dev/null 
@@ -1,34 +0,0 @@ -From 442ae7b1d0704cdd667d4f1ba4c165ce3f3ffed4 Mon Sep 17 00:00:00 2001 -From: Sumit Bose -Date: Fri, 7 Sep 2018 22:16:50 +0200 -Subject: [PATCH 33/83] PAM: use better PAM error code for failed Smartcard - authentication - -If the user enters a wrong PIN the PAM responder currently returns -PAM_USER_UNKNOWN better is PAM_AUTH_ERR. - -Related to https://pagure.io/SSSD/sssd/issue/3500 - -Reviewed-by: Jakub Hrozek ---- - src/responder/pam/pamsrv_cmd.c | 4 +++- - 1 file changed, 3 insertions(+), 1 deletion(-) - -diff --git a/src/responder/pam/pamsrv_cmd.c b/src/responder/pam/pamsrv_cmd.c -index ed9ad57..817f3c5 100644 ---- a/src/responder/pam/pamsrv_cmd.c -+++ b/src/responder/pam/pamsrv_cmd.c -@@ -1436,7 +1436,9 @@ static void pam_forwarder_cert_cb(struct tevent_req *req) - if (pd->cmd == SSS_PAM_AUTHENTICATE) { - DEBUG(SSSDBG_CRIT_FAILURE, - "No certificate returned, authentication failed.\n"); -- ret = ENOENT; -+ preq->pd->pam_status = PAM_AUTH_ERR; -+ pam_reply(preq); -+ return; - } else { - ret = pam_check_user_search(preq); - } --- -2.9.5 - diff --git a/0029-test_ca-test-library-only-for-readable.patch b/0029-test_ca-test-library-only-for-readable.patch deleted file mode 100644 index 72a5c78..0000000 --- a/0029-test_ca-test-library-only-for-readable.patch +++ /dev/null 
@@ -1,31 +0,0 @@ -From 91aea762d02731193eb66a00b930ff1fe8bc5ab8 Mon Sep 17 00:00:00 2001 -From: Sumit Bose -Date: Mon, 10 Sep 2018 22:03:55 +0200 -Subject: [PATCH 34/83] test_ca: test library only for readable - -On Debian libraries typically do not have the execute-bit set so it is -better to only check for readability. - -Related to https://pagure.io/SSSD/sssd/issue/3500 - -Reviewed-by: Jakub Hrozek ---- - src/external/test_ca.m4 | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/src/external/test_ca.m4 b/src/external/test_ca.m4 -index 2cdb3c7..bb48726 100644 ---- a/src/external/test_ca.m4 -+++ b/src/external/test_ca.m4 -@@ -58,7 +58,7 @@ AC_DEFUN([AM_CHECK_TEST_CA], - AC_MSG_NOTICE([Could not find p11tool]) - fi - -- AM_CONDITIONAL([BUILD_TEST_CA], [test -x "$OPENSSL" -a -x "$SSH_KEYGEN" -a -x "$SOFTHSM2_PATH" -a -x "$SOFTHSM2_UTIL" -a -x "$P11TOOL"]) -+ AM_CONDITIONAL([BUILD_TEST_CA], [test -x "$OPENSSL" -a -x "$SSH_KEYGEN" -a -r "$SOFTHSM2_PATH" -a -x "$SOFTHSM2_UTIL" -a -x "$P11TOOL"]) - fi - - AM_COND_IF([BUILD_TEST_CA], --- -2.9.5 - diff --git a/0030-test_ca-set-a-password-PIN-to-nss-databases.patch b/0030-test_ca-set-a-password-PIN-to-nss-databases.patch deleted file mode 100644 index c3ea0cc..0000000 --- a/0030-test_ca-set-a-password-PIN-to-nss-databases.patch +++ /dev/null 
@@ -1,57 +0,0 @@ -From a45a410dc7fa7cf84bcac541e693ee8781e25431 Mon Sep 17 00:00:00 2001 -From: Sumit Bose -Date: Fri, 7 Sep 2018 22:17:47 +0200 -Subject: [PATCH 35/83] test_ca: set a password/PIN to nss databases - -To make sure the PIN is properly checked during tests the NSS databases -need a password. - -Related to https://pagure.io/SSSD/sssd/issue/3500 - -Reviewed-by: Jakub Hrozek ---- - src/tests/test_CA/Makefile.am | 16 ++++++++-------- - 1 file changed, 8 insertions(+), 8 deletions(-) - -diff --git a/src/tests/test_CA/Makefile.am b/src/tests/test_CA/Makefile.am -index 0c70993..1bce2c3 100644 ---- a/src/tests/test_CA/Makefile.am -+++ b/src/tests/test_CA/Makefile.am -@@ -33,7 +33,7 @@ endif - ca_all: clean serial SSSD_test_CA.pem $(certs) $(certs_h) $(pubkeys) $(pubkeys_h) $(pkcs12) $(extra) - - $(pwdfile): -- @echo "12345678" > $@ -+ @echo "123456" > $@ - - SSSD_test_CA.pem: $(openssl_ca_key) $(openssl_ca_config) serial - $(OPENSSL) req -batch -config ${openssl_ca_config} -x509 -new -nodes -key $< -sha256 -days 1024 -set_serial 0 -extensions v3_ca -out $@ -@@ -65,18 +65,18 @@ SSSD_test_cert_pubsshkey_%.h: SSSD_test_cert_pubsshkey_%.pub - # - src/tests/cmocka/test_pam_srv.c - p11_nssdb: SSSD_test_cert_pkcs12_0001.pem SSSD_test_CA.pem $(pwdfile) - mkdir $@ -- $(CERTUTIL) -d sql:./$@ -N --empty-password -- $(CERTUTIL) -d sql:./$@ -A -n 'SSSD test CA' -t CT,CT,CT -a -i SSSD_test_CA.pem -- $(PK12UTIL) -d sql:./$@ -i SSSD_test_cert_pkcs12_0001.pem -w $(pwdfile) -+ $(CERTUTIL) -d sql:./$@ -N -f $(pwdfile) -+ $(CERTUTIL) -d sql:./$@ -A -n 'SSSD test CA' -t CT,CT,CT -a -i SSSD_test_CA.pem -f $(pwdfile) -+ $(PK12UTIL) -d sql:./$@ -i SSSD_test_cert_pkcs12_0001.pem -w $(pwdfile) -k $(pwdfile) - - # This nss db is used in - # - src/tests/cmocka/test_pam_srv.c - p11_nssdb_2certs: SSSD_test_cert_pkcs12_0001.pem SSSD_test_cert_pkcs12_0002.pem SSSD_test_CA.pem $(pwdfile) - mkdir $@ -- $(CERTUTIL) -d sql:./$@ -N --empty-password -- $(CERTUTIL) -d sql:./$@ -A -n 'SSSD test CA' 
-t CT,CT,CT -a -i SSSD_test_CA.pem -- $(PK12UTIL) -d sql:./$@ p11_nssdb -i SSSD_test_cert_pkcs12_0001.pem -w $(pwdfile) -- $(PK12UTIL) -d sql:./$@ p11_nssdb -i SSSD_test_cert_pkcs12_0002.pem -w $(pwdfile) -+ $(CERTUTIL) -d sql:./$@ -N -f $(pwdfile) -+ $(CERTUTIL) -d sql:./$@ -A -n 'SSSD test CA' -t CT,CT,CT -a -i SSSD_test_CA.pem -f $(pwdfile) -+ $(PK12UTIL) -d sql:./$@ -i SSSD_test_cert_pkcs12_0001.pem -w $(pwdfile) -k $(pwdfile) -+ $(PK12UTIL) -d sql:./$@ -i SSSD_test_cert_pkcs12_0002.pem -w $(pwdfile) -k $(pwdfile) - - # The softhsm2 PKCS#11 setups are used in - # - src/tests/cmocka/test_pam_srv.c --- -2.9.5 - diff --git a/0031-getsockopt_wrapper-add-support-for-PAM-clients.patch b/0031-getsockopt_wrapper-add-support-for-PAM-clients.patch deleted file mode 100644 index 7bd96a2..0000000 --- a/0031-getsockopt_wrapper-add-support-for-PAM-clients.patch +++ /dev/null 
@@ -1,78 +0,0 @@ -From d332c8a0e7a4c7f0b3ee1b2110145a23cbd61c2a Mon Sep 17 00:00:00 2001 -From: Sumit Bose -Date: Fri, 7 Sep 2018 22:19:26 +0200 -Subject: [PATCH 36/83] getsockopt_wrapper: add support for PAM clients - -PAM clients expect that the private socket of the PAM responder is -handled by root. With this patch getsockopt_wrapper can return the -expected UID and GID to PAM clients. - -Related to https://pagure.io/SSSD/sssd/issue/3500 - -Reviewed-by: Jakub Hrozek ---- - src/tests/intg/getsockopt_wrapper.c | 34 ++++++++++++++++++++++++++++++++++ - 1 file changed, 34 insertions(+) - -diff --git a/src/tests/intg/getsockopt_wrapper.c b/src/tests/intg/getsockopt_wrapper.c -index 5109123..2f50889 100644 ---- a/src/tests/intg/getsockopt_wrapper.c -+++ b/src/tests/intg/getsockopt_wrapper.c -@@ -45,6 +45,23 @@ static bool is_secrets_socket(int fd) - return NULL != strstr(unix_socket->sun_path, "secrets.socket"); - } - -+static bool peer_is_private_pam(int fd) -+{ -+ int ret; -+ struct sockaddr_storage addr = { 0 }; -+ socklen_t addrlen = sizeof(addr); -+ struct sockaddr_un *unix_socket; -+ -+ ret = getpeername(fd, (struct sockaddr *)&addr, &addrlen); -+ if (ret != 0) return false; -+ -+ if (addr.ss_family != AF_UNIX) return false; -+ -+ unix_socket = (struct sockaddr_un *)&addr; -+ -+ return NULL != strstr(unix_socket->sun_path, "private/pam"); -+} -+ - static uid_t fake_secret_peer(uid_t orig_id) - { - char *val; -@@ -57,6 +74,21 @@ static uid_t fake_secret_peer(uid_t orig_id) - return atoi(val); - } - -+static void fake_peer_uid_gid(uid_t *uid, gid_t *gid) -+{ -+ char *val; -+ -+ val = getenv("SSSD_INTG_PEER_UID"); -+ if (val != NULL) { -+ *uid = atoi(val); -+ } -+ -+ val = getenv("SSSD_INTG_PEER_GID"); -+ if (val != NULL) { -+ *gid = atoi(val); -+ } -+} -+ - typedef typeof(getsockopt) getsockopt_fn_t; - - static getsockopt_fn_t *orig_getsockopt = NULL; -@@ -84,6 +116,8 @@ int getsockopt(int sockfd, int level, int optname, - cr->uid = 0; - } else if 
(is_secrets_socket(sockfd)) { - cr->uid = fake_secret_peer(cr->uid); -+ } else if (peer_is_private_pam(sockfd)) { -+ fake_peer_uid_gid(&cr->uid, &cr->gid); - } - } - --- -2.9.5 - diff --git a/0032-intg-add-Smartcard-authentication-tests.patch b/0032-intg-add-Smartcard-authentication-tests.patch deleted file mode 100644 index 626563e..0000000 --- a/0032-intg-add-Smartcard-authentication-tests.patch +++ /dev/null 
@@ -1,330 +0,0 @@ -From 657f3b89bca9adfb13f0867c91f1d76845d2d6dd Mon Sep 17 00:00:00 2001 -From: Sumit Bose -Date: Fri, 7 Sep 2018 22:26:21 +0200 -Subject: [PATCH 37/83] intg: add Smartcard authentication tests - -Two test for Smartcard authentication of a local user, i.e. a user -managed by the files provider, are added. One for a successful -authentication, the other for a failed authentication with a wrong PIN. - -Related to https://pagure.io/SSSD/sssd/issue/3500 - -Reviewed-by: Jakub Hrozek ---- - configure.ac | 1 + - contrib/ci/deps.sh | 2 + - contrib/sssd.spec.in | 1 + - src/external/cwrap.m4 | 5 ++ - src/external/intgcheck.m4 | 1 + - src/tests/intg/Makefile.am | 24 ++++++- - src/tests/intg/test_pam_responder.py | 131 ++++++++++++++++++++++++++++++++--- - 7 files changed, 155 insertions(+), 10 deletions(-) - -diff --git a/configure.ac b/configure.ac -index bb18ad4..5816b04 100644 ---- a/configure.ac -+++ b/configure.ac -@@ -495,6 +495,7 @@ AM_CONDITIONAL([HAVE_CHECK], [test x$have_check != x]) - AM_CHECK_CMOCKA - AM_CHECK_UID_WRAPPER - AM_CHECK_NSS_WRAPPER -+AM_CHECK_PAM_WRAPPER - AM_CHECK_TEST_CA - - # Check if the user wants SSSD to be compiled with systemtap probes -diff --git a/contrib/ci/deps.sh b/contrib/ci/deps.sh -index 5906e53..c04c7aa 100644 ---- a/contrib/ci/deps.sh -+++ b/contrib/ci/deps.sh -@@ -46,6 +46,7 @@ if [[ "$DISTRO_BRANCH" == -redhat-* ]]; then - pyldb - rpm-build - uid_wrapper -+ pam_wrapper - python-requests - curl-devel - krb5-server -@@ -117,6 +118,7 @@ if [[ "$DISTRO_BRANCH" == -debian-* ]]; then - fakeroot - libnss-wrapper - libuid-wrapper -+ libpam-wrapper - python-pytest - python-ldap - python-ldb -diff --git a/contrib/sssd.spec.in b/contrib/sssd.spec.in -index 5ebd51f..26fae6d 100644 ---- a/contrib/sssd.spec.in -+++ b/contrib/sssd.spec.in -@@ -237,6 +237,7 @@ BuildRequires: selinux-policy-targeted - BuildRequires: libcmocka-devel >= 1.0.0 - BuildRequires: uid_wrapper - BuildRequires: nss_wrapper -+BuildRequires: pam_wrapper - - # 
Test CA requires openssl independent if SSSD is build with NSS or openssl, - # openssh is needed for ssh-keygen and NSS builds need nss-tools for certutil. -diff --git a/src/external/cwrap.m4 b/src/external/cwrap.m4 -index b8489cc..6e3487c 100644 ---- a/src/external/cwrap.m4 -+++ b/src/external/cwrap.m4 -@@ -28,3 +28,8 @@ AC_DEFUN([AM_CHECK_NSS_WRAPPER], - [ - AM_CHECK_WRAPPER(nss_wrapper, HAVE_NSS_WRAPPER) - ]) -+ -+AC_DEFUN([AM_CHECK_PAM_WRAPPER], -+[ -+ AM_CHECK_WRAPPER(pam_wrapper, HAVE_PAM_WRAPPER) -+]) -diff --git a/src/external/intgcheck.m4 b/src/external/intgcheck.m4 -index 60a7bf3..c14f669 100644 ---- a/src/external/intgcheck.m4 -+++ b/src/external/intgcheck.m4 -@@ -22,6 +22,7 @@ AC_DEFUN([SSS_ENABLE_INTGCHECK_REQS], [ - if test x"$enable_intgcheck_reqs" = xyes; then - SSS_INTGCHECK_REQ([HAVE_UID_WRAPPER], [uid_wrapper]) - SSS_INTGCHECK_REQ([HAVE_NSS_WRAPPER], [nss_wrapper]) -+ SSS_INTGCHECK_REQ([HAVE_PAM_WRAPPER], [pam_wrapper]) - SSS_INTGCHECK_REQ([HAVE_SLAPD], [slapd]) - SSS_INTGCHECK_REQ([HAVE_LDAPMODIFY], [ldapmodify]) - SSS_INTGCHECK_REQ([HAVE_FAKEROOT], [fakeroot]) -diff --git a/src/tests/intg/Makefile.am b/src/tests/intg/Makefile.am -index 6f7605b..bb3a7f0 100644 ---- a/src/tests/intg/Makefile.am -+++ b/src/tests/intg/Makefile.am -@@ -105,13 +105,29 @@ passwd: root - group: - echo "root:x:0:" > $@ - -+PAM_SERVICE_DIR=pam_service_dir -+pam_sss_service: -+ $(MKDIR_P) $(PAM_SERVICE_DIR) -+ echo "auth required $(DESTDIR)$(pammoddir)/pam_sss.so" > $(PAM_SERVICE_DIR)/$@ -+ echo "account required $(DESTDIR)$(pammoddir)/pam_sss.so" >> $(PAM_SERVICE_DIR)/$@ -+ echo "password required $(DESTDIR)$(pammoddir)/pam_sss.so" >> $(PAM_SERVICE_DIR)/$@ -+ echo "session required $(DESTDIR)$(pammoddir)/pam_sss.so" >> $(PAM_SERVICE_DIR)/$@ -+ - CLEANFILES=config.py config.pyc passwd group - - clean-local: - rm -Rf root - rm -f $(builddir)/cwrap-dbus-system.conf - --intgcheck-installed: config.py passwd group -+if HAVE_NSS 
-+PAM_CERT_DB_PATH="sql:$(DESTDIR)$(sysconfdir)/pki/nssdb" -+SOFTHSM2_CONF="" -+else -+PAM_CERT_DB_PATH="$(abs_builddir)/../test_CA/SSSD_test_CA.pem" -+SOFTHSM2_CONF="$(abs_builddir)/../test_CA/softhsm2_one.conf" -+endif -+ -+intgcheck-installed: config.py passwd group pam_sss_service - pipepath="$(DESTDIR)$(pipepath)"; \ - if test $${#pipepath} -gt 80; then \ - echo "error: Pipe directory path too long," \ -@@ -131,12 +147,18 @@ intgcheck-installed: config.py passwd group - LDB_MODULES_PATH="$(DESTDIR)$(ldblibdir)" \ - NON_WRAPPED_UID=$$(id -u) \ - LD_PRELOAD="$(libdir)/getsockopt_wrapper.so:$$nss_wrapper:$$uid_wrapper" \ -+ LD_LIBRARY_PATH="$$LD_LIBRARY_PATH:$(DESTDIR)$(nsslibdir)" \ - NSS_WRAPPER_PASSWD="$(abs_builddir)/passwd" \ - NSS_WRAPPER_GROUP="$(abs_builddir)/group" \ - NSS_WRAPPER_MODULE_SO_PATH="$(DESTDIR)$(nsslibdir)/libnss_sss.so.2" \ - NSS_WRAPPER_MODULE_FN_PREFIX="sss" \ - UID_WRAPPER=1 \ - UID_WRAPPER_ROOT=1 \ -+ PAM_WRAPPER=0 \ -+ PAM_WRAPPER_SERVICE_DIR="$(abs_builddir)/$(PAM_SERVICE_DIR)" \ -+ PAM_WRAPPER_PATH=$$(pkg-config --libs pam_wrapper) \ -+ PAM_CERT_DB_PATH=$(PAM_CERT_DB_PATH) \ -+ SOFTHSM2_CONF=$(SOFTHSM2_CONF) \ - DBUS_SOCK_DIR="$(DESTDIR)$(runstatedir)/dbus/" \ - DBUS_SESSION_BUS_ADDRESS="unix:path=$$DBUS_SOCK_DIR/fake_socket" \ - DBUS_SYSTEM_BUS_ADDRESS="unix:path=$$DBUS_SOCK_DIR/system_bus_socket" \ -diff --git a/src/tests/intg/test_pam_responder.py b/src/tests/intg/test_pam_responder.py -index cf6fff2..c6d048c 100644 ---- a/src/tests/intg/test_pam_responder.py -+++ b/src/tests/intg/test_pam_responder.py -@@ -27,31 +27,44 @@ import signal - import errno - import subprocess - import time --import pytest -+import shutil - - import config - --from util import unindent -+import pytest -+ -+from intg.util import unindent -+from intg.files_ops import passwd_ops_setup - -+USER1 = dict(name='user1', passwd='x', uid=10001, gid=20001, -+ gecos='User for tests', -+ dir='/home/user1', -+ shell='/bin/bash') - --def format_pam_cert_auth_conf(): 
-+ -+def format_pam_cert_auth_conf(config): - """Format a basic SSSD configuration""" - return unindent("""\ - [sssd] -+ debug_level = 10 - domains = auth_only -- services = pam -+ services = pam, nss - - [nss] -+ debug_level = 10 - - [pam] - pam_cert_auth = True -+ pam_p11_allowed_services = +pam_sss_service -+ pam_cert_db_path = {config.PAM_CERT_DB_PATH} - debug_level = 10 - - [domain/auth_only] -- id_provider = ldap -- auth_provider = ldap -- chpass_provider = ldap -- access_provider = ldap -+ debug_level = 10 -+ id_provider = files -+ -+ [certmap/auth_only/user1] -+ matchrule = .*CN=SSSD test cert 0001.* - """).format(**locals()) - - -@@ -79,6 +92,8 @@ def create_conf_fixture(request, contents): - - def create_sssd_process(): - """Start the SSSD process""" -+ os.environ["SSS_FILES_PASSWD"] = os.environ["NSS_WRAPPER_PASSWD"] -+ os.environ["SSS_FILES_GROUP"] = os.environ["NSS_WRAPPER_GROUP"] - if subprocess.call(["sssd", "-D", "-f"]) != 0: - raise Exception("sssd start failed") - -@@ -116,12 +131,41 @@ def create_sssd_fixture(request): - request.addfinalizer(cleanup_sssd_process) - - -+def create_nssdb(): -+ os.mkdir(config.SYSCONFDIR + "/pki") -+ os.mkdir(config.SYSCONFDIR + "/pki/nssdb") -+ if subprocess.call(["certutil", "-N", "-d", -+ "sql:" + config.SYSCONFDIR + "/pki/nssdb/", -+ "--empty-password"]) != 0: -+ raise Exception("certutil failed") -+ -+ pkcs11_txt = open(config.SYSCONFDIR + "/pki/nssdb/pkcs11.txt", "w") -+ pkcs11_txt.write("library=libsoftokn3.so\nname=soft\n" + -+ "parameters=configdir='sql:" + config.ABS_BUILDDIR + -+ "/../test_CA/p11_nssdb' " + -+ "dbSlotDescription='SSSD Test Slot' " + -+ "dbTokenDescription='SSSD Test Token' " + -+ "secmod='secmod.db' flags=readOnly)\n\n") -+ pkcs11_txt.close() -+ -+ -+def cleanup_nssdb(): -+ shutil.rmtree(config.SYSCONFDIR + "/pki") -+ -+ -+def create_nssdb_fixture(request): -+ create_nssdb() -+ request.addfinalizer(cleanup_nssdb) -+ -+ - @pytest.fixture - def simple_pam_cert_auth(request): - """Setup SSSD 
with pam_cert_auth=True""" -- conf = format_pam_cert_auth_conf() -+ config.PAM_CERT_DB_PATH = os.environ['PAM_CERT_DB_PATH'] -+ conf = format_pam_cert_auth_conf(config) - create_conf_fixture(request, conf) - create_sssd_fixture(request) -+ create_nssdb_fixture(request) - return None - - -@@ -129,3 +173,72 @@ def test_preauth_indicator(simple_pam_cert_auth): - """Check if preauth indicator file is created""" - statinfo = os.stat(config.PUBCONF_PATH + "/pam_preauth_available") - assert stat.S_ISREG(statinfo.st_mode) -+ -+ -+@pytest.fixture -+def pam_wrapper_setup(request): -+ pwrap_runtimedir = os.getenv("PAM_WRAPPER_SERVICE_DIR") -+ if pwrap_runtimedir is None: -+ raise ValueError("The PAM_WRAPPER_SERVICE_DIR variable is unset\n") -+ -+ -+def test_sc_auth_wrong_pin(simple_pam_cert_auth, pam_wrapper_setup, -+ passwd_ops_setup): -+ -+ passwd_ops_setup.useradd(**USER1) -+ current_env = os.environ.copy() -+ current_env['PAM_WRAPPER'] = "1" -+ current_env['SSSD_INTG_PEER_UID'] = "0" -+ current_env['SSSD_INTG_PEER_GID'] = "0" -+ current_env['LD_PRELOAD'] += ':' + os.environ['PAM_WRAPPER_PATH'] -+ -+ sssctl = subprocess.Popen(["sssctl", "user-checks", "user1", -+ "--action=auth", "--service=pam_sss_service"], -+ universal_newlines=True, -+ env=current_env, stdin=subprocess.PIPE, -+ stdout=subprocess.PIPE, stderr=subprocess.PIPE) -+ -+ try: -+ out, err = sssctl.communicate(input="111") -+ except: -+ sssctl.kill() -+ out, err = sssctl.communicate() -+ -+ sssctl.stdin.close() -+ sssctl.stdout.close() -+ -+ if sssctl.wait() != 0: -+ raise Exception("sssctl failed") -+ -+ assert err.find("pam_authenticate for user [user1]: " + -+ "Authentication failure") != -1 -+ -+ -+def test_sc_auth(simple_pam_cert_auth, pam_wrapper_setup, passwd_ops_setup): -+ -+ passwd_ops_setup.useradd(**USER1) -+ current_env = os.environ.copy() -+ current_env['PAM_WRAPPER'] = "1" -+ current_env['SSSD_INTG_PEER_UID'] = "0" -+ current_env['SSSD_INTG_PEER_GID'] = "0" -+ current_env['LD_PRELOAD'] += ':' + 
os.environ['PAM_WRAPPER_PATH'] -+ -+ sssctl = subprocess.Popen(["sssctl", "user-checks", "user1", -+ "--action=auth", "--service=pam_sss_service"], -+ universal_newlines=True, -+ env=current_env, stdin=subprocess.PIPE, -+ stdout=subprocess.PIPE, stderr=subprocess.PIPE) -+ -+ try: -+ out, err = sssctl.communicate(input="123456") -+ except: -+ sssctl.kill() -+ out, err = sssctl.communicate() -+ -+ sssctl.stdin.close() -+ sssctl.stdout.close() -+ -+ if sssctl.wait() != 0: -+ raise Exception("sssctl failed") -+ -+ assert err.find("pam_authenticate for user [user1]: Success") != -1 --- -2.9.5 - diff --git a/0033-proxy-access-provider-directly-not-through-be_ctx.patch b/0033-proxy-access-provider-directly-not-through-be_ctx.patch deleted file mode 100644 index 4ce6842..0000000 --- a/0033-proxy-access-provider-directly-not-through-be_ctx.patch +++ /dev/null 
@@ -1,49 +0,0 @@ -From 4ffe3ab9023ff858410256bc5c38a03d9cd88cf9 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Pavel=20B=C5=99ezina?= -Date: Wed, 5 Sep 2018 13:35:54 +0200 -Subject: [PATCH 39/83] proxy: access provider directly not through be_ctx - -Modules are initialized as part of dp_init_send() but be_ctx->provider is set -only after this request is finished therefore it is not available here. - -Resolves: -https://pagure.io/SSSD/sssd/issue/3812 - -Reviewed-by: Jakub Hrozek ---- - src/providers/proxy/proxy_init.c | 5 +++-- - 1 file changed, 3 insertions(+), 2 deletions(-) - -diff --git a/src/providers/proxy/proxy_init.c b/src/providers/proxy/proxy_init.c -index cf4f82e..98c6dd1 100644 ---- a/src/providers/proxy/proxy_init.c -+++ b/src/providers/proxy/proxy_init.c -@@ -192,6 +192,7 @@ static errno_t proxy_auth_conf(TALLOC_CTX *mem_ctx, - - static errno_t proxy_init_auth_ctx(TALLOC_CTX *mem_ctx, - struct be_ctx *be_ctx, -+ struct data_provider *provider, - struct proxy_auth_ctx **_auth_ctx) - { - struct proxy_auth_ctx *auth_ctx; -@@ -213,7 +214,7 @@ static errno_t proxy_init_auth_ctx(TALLOC_CTX *mem_ctx, - goto done; - } - -- ret = proxy_client_init(dp_sbus_conn(be_ctx->provider), auth_ctx); -+ ret = proxy_client_init(dp_sbus_conn(provider), auth_ctx); - if (ret != EOK) { - goto done; - } -@@ -273,7 +274,7 @@ errno_t sssm_proxy_init(TALLOC_CTX *mem_ctx, - - /* Initialize auth_ctx since one of the access, auth or chpass is set. */ - -- ret = proxy_init_auth_ctx(mem_ctx, be_ctx, &auth_ctx); -+ ret = proxy_init_auth_ctx(mem_ctx, be_ctx, provider, &auth_ctx); - if (ret != EOK) { - DEBUG(SSSDBG_CRIT_FAILURE, "Unable to create auth context [%d]: %s\n", - ret, sss_strerror(ret)); --- -2.9.5 - diff --git a/0034-dp-set-be_ctx-provider-as-part-of-dp_init-request.patch b/0034-dp-set-be_ctx-provider-as-part-of-dp_init-request.patch deleted file mode 100644 index 640cfbc..0000000 --- a/0034-dp-set-be_ctx-provider-as-part-of-dp_init-request.patch +++ /dev/null 
@@ -1,144 +0,0 @@ -From 4c5a1afa0df41aac05d34455c6e54a6f52a8dd28 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Pavel=20B=C5=99ezina?= -Date: Wed, 5 Sep 2018 13:51:55 +0200 -Subject: [PATCH 40/83] dp: set be_ctx->provider as part of dp_init request - -Backend context is overused inside sssd code even during its initialization. -Some parts of initialization code requires access to be_ctx->provider so we -must make it available as soon as possible. - -Better solution would be to always use 'provider' directly in initialization -but this makes it safer for any future changes as one does not have to keep -in mind when it is safe to use be_ctx->provider and when not. Now it is -always safe. - -Resolves: -https://pagure.io/SSSD/sssd/issue/3812 - -Reviewed-by: Jakub Hrozek ---- - src/providers/data_provider/dp.c | 21 +++++++++++++-------- - src/providers/data_provider/dp.h | 1 - - src/providers/data_provider_be.c | 2 +- - src/providers/proxy/proxy_init.c | 2 +- - 4 files changed, 15 insertions(+), 11 deletions(-) - -diff --git a/src/providers/data_provider/dp.c b/src/providers/data_provider/dp.c -index fd19d28..bd003c8 100644 ---- a/src/providers/data_provider/dp.c -+++ b/src/providers/data_provider/dp.c -@@ -120,6 +120,7 @@ static int dp_destructor(struct data_provider *provider) - } - - struct dp_init_state { -+ struct be_ctx *be_ctx; - struct data_provider *provider; - char *sbus_name; - }; -@@ -158,6 +159,7 @@ dp_init_send(TALLOC_CTX *mem_ctx, - goto done; - } - -+ state->be_ctx = be_ctx; - state->provider->ev = ev; - state->provider->uid = uid; - state->provider->gid = gid; -@@ -224,12 +226,14 @@ static void dp_init_done(struct tevent_req *subreq) - sbus_server_set_on_connection(state->provider->sbus_server, - dp_client_init, state->provider); - -+ /* be_ctx->provider must be accessible from modules and targets */ -+ state->be_ctx->provider = talloc_steal(state->be_ctx, state->provider); -+ - ret = dp_init_modules(state->provider, &state->provider->modules); - if (ret != 
EOK) { - DEBUG(SSSDBG_CRIT_FAILURE, "Unable to initialize DP modules " - "[%d]: %s\n", ret, sss_strerror(ret)); -- tevent_req_error(req, ret); -- return; -+ goto done; - } - - ret = dp_init_targets(state->provider, state->provider->be_ctx, -@@ -237,25 +241,27 @@ static void dp_init_done(struct tevent_req *subreq) - if (ret != EOK) { - DEBUG(SSSDBG_CRIT_FAILURE, "Unable to initialize DP targets " - "[%d]: %s\n", ret, sss_strerror(ret)); -- tevent_req_error(req, ret); -- return; -+ goto done; - } - - ret = dp_init_interface(state->provider); - if (ret != EOK) { - DEBUG(SSSDBG_CRIT_FAILURE, "Unable to initialize DP interface " - "[%d]: %s\n", ret, sss_strerror(ret)); -+ goto done; -+ } -+ -+done: -+ if (ret != EOK) { -+ talloc_zfree(state->be_ctx->provider); - tevent_req_error(req, ret); -- return; - } - - tevent_req_done(req); -- return; - } - - errno_t dp_init_recv(TALLOC_CTX *mem_ctx, - struct tevent_req *req, -- struct data_provider **_provider, - const char **_sbus_name) - { - struct dp_init_state *state; -@@ -263,7 +269,6 @@ errno_t dp_init_recv(TALLOC_CTX *mem_ctx, - - TEVENT_REQ_RETURN_ON_ERROR(req); - -- *_provider = talloc_steal(mem_ctx, state->provider); - *_sbus_name = talloc_steal(mem_ctx, state->sbus_name); - - return EOK; -diff --git a/src/providers/data_provider/dp.h b/src/providers/data_provider/dp.h -index 33e6e65..0028eb1 100644 ---- a/src/providers/data_provider/dp.h -+++ b/src/providers/data_provider/dp.h -@@ -117,7 +117,6 @@ dp_init_send(TALLOC_CTX *mem_ctx, - - errno_t dp_init_recv(TALLOC_CTX *mem_ctx, - struct tevent_req *req, -- struct data_provider **_provider, - const char **_sbus_name); - - bool _dp_target_enabled(struct data_provider *provider, -diff --git a/src/providers/data_provider_be.c b/src/providers/data_provider_be.c -index 670ddb4..6d2477e 100644 ---- a/src/providers/data_provider_be.c -+++ b/src/providers/data_provider_be.c -@@ -541,7 +541,7 @@ static void dp_initialized(struct tevent_req *req) - - be_ctx = 
tevent_req_callback_data(req, struct be_ctx); - -- ret = dp_init_recv(be_ctx, req, &be_ctx->provider, &be_ctx->sbus_name); -+ ret = dp_init_recv(be_ctx, req, &be_ctx->sbus_name); - talloc_zfree(req); - if (ret != EOK) { - goto done; -diff --git a/src/providers/proxy/proxy_init.c b/src/providers/proxy/proxy_init.c -index 98c6dd1..32343a3 100644 ---- a/src/providers/proxy/proxy_init.c -+++ b/src/providers/proxy/proxy_init.c -@@ -214,7 +214,7 @@ static errno_t proxy_init_auth_ctx(TALLOC_CTX *mem_ctx, - goto done; - } - -- ret = proxy_client_init(dp_sbus_conn(provider), auth_ctx); -+ ret = proxy_client_init(dp_sbus_conn(be_ctx->provider), auth_ctx); - if (ret != EOK) { - goto done; - } --- -2.9.5 - diff --git a/0035-sbus-read-destination-after-sender-is-set.patch b/0035-sbus-read-destination-after-sender-is-set.patch deleted file mode 100644 index 41347d4..0000000 --- a/0035-sbus-read-destination-after-sender-is-set.patch +++ /dev/null 
@@ -1,42 +0,0 @@ -From 9245bf1afe6767a0412212bc0040e606ee850e7d Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Pavel=20B=C5=99ezina?= -Date: Wed, 12 Sep 2018 13:21:11 +0200 -Subject: [PATCH 41/83] sbus: read destination after sender is set - -dbus_message_set_sender may reallocate internal fields which will yield pointer -obtained by dbus_message_get_* invalid. - -Reviewed-by: Jakub Hrozek ---- - src/sbus/server/sbus_server_handler.c | 8 +++++--- - 1 file changed, 5 insertions(+), 3 deletions(-) - -diff --git a/src/sbus/server/sbus_server_handler.c b/src/sbus/server/sbus_server_handler.c -index c300d81..d4e4547 100644 ---- a/src/sbus/server/sbus_server_handler.c -+++ b/src/sbus/server/sbus_server_handler.c -@@ -148,9 +148,6 @@ sbus_server_filter(DBusConnection *dbus_conn, - return DBUS_HANDLER_RESULT_HANDLED; - } - -- destination = dbus_message_get_destination(message); -- type = dbus_message_get_type(message); -- - conn = dbus_connection_get_data(dbus_conn, server->data_slot); - if (conn == NULL) { - DEBUG(SSSDBG_CRIT_FAILURE, "Unknown connection!\n"); -@@ -173,6 +170,11 @@ sbus_server_filter(DBusConnection *dbus_conn, - return DBUS_HANDLER_RESULT_HANDLED; - } - -+ /* Set sender may reallocate internal fields so this needs to be read -+ * after we call dbus_message_set_sender(). */ -+ destination = dbus_message_get_destination(message); -+ type = dbus_message_get_type(message); -+ - if (type == DBUS_MESSAGE_TYPE_SIGNAL) { - return sbus_server_route_signal(server, conn, message, destination); - } --- -2.9.5 - diff --git a/0036-sbus-do-not-try-to-remove-signal-listeners-when-disc.patch b/0036-sbus-do-not-try-to-remove-signal-listeners-when-disc.patch deleted file mode 100644 index d7c5e96..0000000 --- a/0036-sbus-do-not-try-to-remove-signal-listeners-when-disc.patch +++ /dev/null 
@@ -1,34 +0,0 @@ -From b821ee3ca93beb94a7a9b22b6f7a205e4900212e Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Pavel=20B=C5=99ezina?= -Date: Wed, 12 Sep 2018 13:22:34 +0200 -Subject: [PATCH 42/83] sbus: do not try to remove signal listeners when - disconnecting - -This may cause some troubles if the dbus connection was dropped -as dbus will try to actually send the messages. Also when the -connectin is being freed, tevent integration is already disabled -so there is no point in doing this. - -Reviewed-by: Jakub Hrozek ---- - src/sbus/router/sbus_router_hash.c | 4 ++++ - 1 file changed, 4 insertions(+) - -diff --git a/src/sbus/router/sbus_router_hash.c b/src/sbus/router/sbus_router_hash.c -index 186dc61..2d407b2 100644 ---- a/src/sbus/router/sbus_router_hash.c -+++ b/src/sbus/router/sbus_router_hash.c -@@ -384,6 +384,10 @@ sbus_router_listeners_delete_cb(hash_entry_t *item, - return; - } - -+ if (conn->disconnecting) { -+ return; -+ } -+ - /* If we still have the D-Bus connection available, we try to unregister - * the previously registered listener when its removed from table. */ - --- -2.9.5 - diff --git a/0037-sbus-free-watch_fd-fdevent-explicitly.patch b/0037-sbus-free-watch_fd-fdevent-explicitly.patch deleted file mode 100644 index 1f6bdb3..0000000 --- a/0037-sbus-free-watch_fd-fdevent-explicitly.patch +++ /dev/null 
@@ -1,29 +0,0 @@ -From f1f9af528f71f42ac41bb7a272f4f7d940fd3a0f Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Pavel=20B=C5=99ezina?= -Date: Wed, 12 Sep 2018 13:24:27 +0200 -Subject: [PATCH 43/83] sbus: free watch_fd->fdevent explicitly - -We never reproduced this with gdb but valgrind shows invalid read in sbus_watch_handler -after the watch_fd was freed. This should not be needed since watch_fd is memory parent -of fdevent but it seems to help. - -Reviewed-by: Jakub Hrozek ---- - src/sbus/connection/sbus_watch.c | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/src/sbus/connection/sbus_watch.c b/src/sbus/connection/sbus_watch.c -index 3898311..0e4bd01 100644 ---- a/src/sbus/connection/sbus_watch.c -+++ b/src/sbus/connection/sbus_watch.c -@@ -280,6 +280,7 @@ sbus_watch_remove(DBusWatch *dbus_watch, void *data) - - if (watch_fd->dbus_watch.read == NULL - && watch_fd->dbus_watch.write == NULL) { -+ talloc_free(watch_fd->fdevent); - talloc_free(watch_fd); - } - } --- -2.9.5 - diff --git a/0038-doc-remove-local-provider-reference-from-manpages.patch b/0038-doc-remove-local-provider-reference-from-manpages.patch deleted file mode 100644 index 71cfae9..0000000 --- a/0038-doc-remove-local-provider-reference-from-manpages.patch +++ /dev/null 
@@ -1,139 +0,0 @@ -From de8c9caf61e7b971cda9563cc5851ea222db5830 Mon Sep 17 00:00:00 2001 -From: Tomas Halman -Date: Thu, 27 Sep 2018 16:03:40 +0200 -Subject: [PATCH 44/83] doc: remove local provider reference from manpages - -Introduce new condition for documentation build. Related part of -documentation is excluded, if build is done without local provider. - -Resolves https://pagure.io/SSSD/sssd/issue/3826 - -Reviewed-by: Jakub Hrozek ---- - src/man/Makefile.am | 6 +++++- - src/man/include/seealso.xml | 44 +++++++++++++++++++++++--------------------- - src/man/sssd.conf.5.xml | 15 +++++++++------ - 3 files changed, 37 insertions(+), 28 deletions(-) - -diff --git a/src/man/Makefile.am b/src/man/Makefile.am -index b4c20d8..54a30d1 100644 ---- a/src/man/Makefile.am -+++ b/src/man/Makefile.am -@@ -51,7 +51,11 @@ CRYPTO_CONDS = ;with_nss - else - CRYPTO_CONDS = ;with_openssl - endif --CONDS = with_false$(SUDO_CONDS)$(AUTOFS_CONDS)$(SSH_CONDS)$(PAC_RESPONDER_CONDS)$(IFP_CONDS)$(GPO_CONDS)$(SEC_CONDS)$(SYSTEMD_CONDS)$(FILES_CONDS)$(KCM_CONDS)$(STAP_CONDS)$(CRYPTO_CONDS) -+if BUILD_LOCAL_PROVIDER -+LOCAL_PROVIDER_CONDS = ;enable_local_provider -+endif -+ -+CONDS = with_false$(SUDO_CONDS)$(AUTOFS_CONDS)$(SSH_CONDS)$(PAC_RESPONDER_CONDS)$(IFP_CONDS)$(GPO_CONDS)$(SEC_CONDS)$(SYSTEMD_CONDS)$(FILES_CONDS)$(KCM_CONDS)$(STAP_CONDS)$(CRYPTO_CONDS)$(LOCAL_PROVIDER_CONDS) - - - #Special Rules: -diff --git a/src/man/include/seealso.xml b/src/man/include/seealso.xml -index 52798e4..f324b66 100644 ---- a/src/man/include/seealso.xml -+++ b/src/man/include/seealso.xml -@@ -44,27 +44,29 @@ - - sss_debuglevel8 - , -- -- sss_groupadd8 -- , -- -- sss_groupdel8 -- , -- -- sss_groupshow8 -- , -- -- sss_groupmod8 -- , -- -- sss_useradd8 -- , -- -- sss_userdel8 -- , -- -- sss_usermod8 -- , -+ -+ -+ sss_groupadd8 -+ , -+ -+ sss_groupdel8 -+ , -+ -+ sss_groupshow8 -+ , -+ -+ sss_groupmod8 -+ , -+ -+ sss_useradd8 -+ , -+ -+ sss_userdel8 -+ , -+ -+ sss_usermod8 -+ , -+ - - sss_obfuscate8 - , -diff 
--git a/src/man/sssd.conf.5.xml b/src/man/sssd.conf.5.xml -index 04143f1..c1e3895 100644 ---- a/src/man/sssd.conf.5.xml -+++ b/src/man/sssd.conf.5.xml -@@ -2179,7 +2179,7 @@ pam_p11_allowed_services = +my_pam_service, -login - - proxy: Support a legacy NSS provider. - -- -+ - local: SSSD internal provider for - local users (DEPRECATED). - -@@ -2324,7 +2324,7 @@ pam_p11_allowed_services = +my_pam_service, -login - - proxy for relaying authentication to some other PAM target. - -- -+ - local: SSSD internal provider for - local users - -@@ -2836,9 +2836,12 @@ pam_p11_allowed_services = +my_pam_service, -login - case_sensitive (string) - - -- Treat user and group names as case sensitive. At -- the moment, this option is not supported in -- the local provider. Possible option values are: -+ Treat user and group names as case sensitive. -+ -+ At the moment, this option is not supported in -+ the local provider. -+ -+ Possible option values are: - - - True -@@ -3148,7 +3151,7 @@ ldap_user_extra_attrs = phone:telephoneNumber - - - -- -+ - The local domain section - - This section contains settings for domain that stores users and --- -2.9.5 - diff --git a/0039-confdb-log-an-error-when-domain-is-misconfigured.patch b/0039-confdb-log-an-error-when-domain-is-misconfigured.patch deleted file mode 100644 index 76723c8..0000000 --- a/0039-confdb-log-an-error-when-domain-is-misconfigured.patch +++ /dev/null 
@@ -1,47 +0,0 @@ -From 081b18e75c746f9a2ad1fb412c825293090311f8 Mon Sep 17 00:00:00 2001 -From: Tomas Halman -Date: Mon, 1 Oct 2018 15:49:06 +0200 -Subject: [PATCH 54/83] confdb: log an error when domain is misconfigured - -We need to inform user that there is misconfiguration -and particular domain will not be started. - -Resolves: -https://pagure.io/SSSD/sssd/issue/3827 - -Reviewed-by: Jakub Hrozek ---- - src/confdb/confdb.c | 9 ++++++++- - 1 file changed, 8 insertions(+), 1 deletion(-) - -diff --git a/src/confdb/confdb.c b/src/confdb/confdb.c -index 954c3ba..2f3d900 100644 ---- a/src/confdb/confdb.c -+++ b/src/confdb/confdb.c -@@ -39,6 +39,9 @@ - #define SAME_DOMAINS_ERROR_MSG "Domain '%s' is the same as or differs only "\ - "in case from domain '%s'.\n" - -+#define RETRIEVE_DOMAIN_ERROR_MSG "Error (%d [%s]) retrieving domain [%s], "\ -+ "skipping!\n" -+ - static char *prepend_cn(char *str, int *slen, const char *comp, int clen) - { - char *ret; -@@ -1522,8 +1525,12 @@ int confdb_get_domains(struct confdb_ctx *cdb, - ret = confdb_get_domain_internal(cdb, cdb, domlist[i], &domain); - if (ret) { - DEBUG(SSSDBG_FATAL_FAILURE, -- "Error (%d [%s]) retrieving domain [%s], skipping!\n", -+ RETRIEVE_DOMAIN_ERROR_MSG, - ret, sss_strerror(ret), domlist[i]); -+ sss_log(SSS_LOG_CRIT, -+ RETRIEVE_DOMAIN_ERROR_MSG, -+ ret, sss_strerror(ret), domlist[i]); -+ - continue; - } - --- -2.9.5 - diff --git a/0040-be-use-be_is_offline-for-the-main-domain-when-asking.patch b/0040-be-use-be_is_offline-for-the-main-domain-when-asking.patch deleted file mode 100644 index b8fde63..0000000 --- a/0040-be-use-be_is_offline-for-the-main-domain-when-asking.patch +++ /dev/null 
@@ -1,57 +0,0 @@ -From dfa7bf1133f002a9fbbd3495a70909913db25b16 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Pavel=20B=C5=99ezina?= -Date: Fri, 14 Sep 2018 12:30:57 +0200 -Subject: [PATCH 55/83] be: use be_is_offline for the main domain when asking - for domain status -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -The DOM_ACTIVE/INACTIVE flag is not used with the main domain as it -is used only for subdomains. - -Resolves: -https://pagure.io/SSSD/sssd/issue/3830 - -Reviewed-by: Michal Židek ---- - src/providers/data_provider/dp_iface_backend.c | 20 ++++++++++++++------ - 1 file changed, 14 insertions(+), 6 deletions(-) - -diff --git a/src/providers/data_provider/dp_iface_backend.c b/src/providers/data_provider/dp_iface_backend.c -index 25a00f3..85159a7 100644 ---- a/src/providers/data_provider/dp_iface_backend.c -+++ b/src/providers/data_provider/dp_iface_backend.c -@@ -37,15 +37,23 @@ dp_backend_is_online(TALLOC_CTX *mem_ctx, - struct sss_domain_info *domain; - - if (SBUS_REQ_STRING_IS_EMPTY(domname)) { -- *_is_online = be_is_offline(be_ctx); -- return EOK; -+ domain = be_ctx->domain; -+ } else { -+ domain = find_domain_by_name(be_ctx->domain, domname, false); -+ if (domain == NULL) { -+ return ERR_DOMAIN_NOT_FOUND; -+ } - } - -- domain = find_domain_by_name(be_ctx->domain, domname, false); -- if (domain == NULL) { -- return ERR_DOMAIN_NOT_FOUND; -+ /** -+ * FIXME: https://pagure.io/SSSD/sssd/issue/3831 -+ * domain->state is set only for subdomains not for the main domain -+ */ -+ if (be_ctx->domain == domain) { -+ *_is_online = be_is_offline(be_ctx) == false; -+ } else { -+ *_is_online = domain->state == DOM_ACTIVE; - } - -- *_is_online = domain->state == DOM_ACTIVE; - return EOK; - } --- -2.9.5 - diff --git a/0041-p11-handle-multiple-certs-during-auth-with-OpenSSL.patch b/0041-p11-handle-multiple-certs-during-auth-with-OpenSSL.patch deleted file mode 100644 index 2086bcb..0000000 
--- a/0041-p11-handle-multiple-certs-during-auth-with-OpenSSL.patch +++ /dev/null 
@@ -1,146 +0,0 @@ -From e29b82077a78157a1e4d90e2308c1272d7612f3d Mon Sep 17 00:00:00 2001 -From: Sumit Bose -Date: Tue, 2 Oct 2018 12:13:29 +0200 -Subject: [PATCH 56/83] p11: handle multiple certs during auth with OpenSSL - -This patch adds missing code already available in the NSS version to -select a certificate for authentication if multiple certificates are -available on the Smartcard. A unit test to check this feature is added -as well. - -Related to https://pagure.io/SSSD/sssd/issue/3489 - -Reviewed-by: Jakub Hrozek ---- - src/p11_child/p11_child_openssl.c | 46 ++++++++++++++++++++++++++++++++++++++- - src/tests/cmocka/test_pam_srv.c | 36 ++++++++++++++++++++++++++++++ - 2 files changed, 81 insertions(+), 1 deletion(-) - -diff --git a/src/p11_child/p11_child_openssl.c b/src/p11_child/p11_child_openssl.c -index be58726..bf4418f 100644 ---- a/src/p11_child/p11_child_openssl.c -+++ b/src/p11_child/p11_child_openssl.c -@@ -572,8 +572,10 @@ errno_t do_card(TALLOC_CTX *mem_ctx, struct p11_ctx *p11_ctx, - char *slot_name = NULL; - char *token_name = NULL; - CK_SESSION_HANDLE session = 0; -+ struct cert_list *all_cert_list = NULL; - struct cert_list *cert_list = NULL; - struct cert_list *item = NULL; -+ struct cert_list *tmp_cert = NULL; - char *multi = NULL; - bool pkcs11_session = false; - bool pkcs11_login = false; -@@ -691,12 +693,54 @@ errno_t do_card(TALLOC_CTX *mem_ctx, struct p11_ctx *p11_ctx, - DEBUG(SSSDBG_TRACE_ALL, "Login NOT required.\n"); - } - -- ret = read_certs(mem_ctx, module, session, p11_ctx, &cert_list); -+ ret = read_certs(mem_ctx, module, session, p11_ctx, &all_cert_list); - if (ret != EOK) { - DEBUG(SSSDBG_OP_FAILURE, "read_certs failed.\n"); - goto done; - } - -+ DLIST_FOR_EACH(item, all_cert_list) { -+ /* Check if we found the certificates we needed for authentication or -+ * the requested ones for pre-auth. For authentication all attributes -+ * must be given and match, for pre-auth only the given ones must -+ * match. 
*/ -+ DEBUG(SSSDBG_TRACE_ALL, "%s %s %s %s %s %s.\n", -+ module_name_in, module_file_name, token_name_in, token_name, -+ key_id_in, item->id); -+ -+ if ((mode == OP_AUTH -+ && module_name_in != NULL -+ && token_name_in != NULL -+ && key_id_in != NULL -+ && item->id != NULL -+ && strcmp(key_id_in, item->id) == 0 -+ && strcmp(token_name_in, token_name) == 0 -+ && strcmp(module_name_in, module_file_name) == 0) -+ || (mode == OP_PREAUTH -+ && (module_name_in == NULL -+ || (module_name_in != NULL -+ && strcmp(module_name_in, module_file_name) == 0)) -+ && (token_name_in == NULL -+ || (token_name_in != NULL -+ && strcmp(token_name_in, token_name) == 0)) -+ && (key_id_in == NULL -+ || (key_id_in != NULL && item->id != NULL -+ && strcmp(key_id_in, item->id) == 0)))) { -+ -+ tmp_cert = talloc_memdup(mem_ctx, item, sizeof(struct cert_list)); -+ if (tmp_cert == NULL) { -+ DEBUG(SSSDBG_OP_FAILURE, "talloc_memdup failed.\n"); -+ ret = ENOMEM; -+ goto done; -+ } -+ tmp_cert->prev = NULL; -+ tmp_cert->next = NULL; -+ -+ DLIST_ADD(cert_list, tmp_cert); -+ -+ } -+ } -+ - /* TODO: check module_name_in, token_name_in, key_id_in */ - - if (cert_list == NULL) { -diff --git a/src/tests/cmocka/test_pam_srv.c b/src/tests/cmocka/test_pam_srv.c -index 446985d..2b02ac2 100644 ---- a/src/tests/cmocka/test_pam_srv.c -+++ b/src/tests/cmocka/test_pam_srv.c -@@ -2443,6 +2443,40 @@ void test_pam_cert_preauth_2certs_two_mappings(void **state) - assert_int_equal(ret, EOK); - } - -+void test_pam_cert_auth_2certs_one_mapping(void **state) -+{ -+ int ret; -+ -+#ifdef HAVE_NSS -+ set_cert_auth_param(pam_test_ctx->pctx, NSS_DB_2CERTS); -+#else -+ set_cert_auth_param(pam_test_ctx->pctx, CA_DB); -+ putenv(discard_const("SOFTHSM2_CONF=" ABS_BUILD_DIR "/src/tests/test_CA/softhsm2_two.conf")); -+#endif -+ -+ mock_input_pam_cert(pam_test_ctx, "pamuser", "123456", "SSSD Test Token", -+ TEST_MODULE_NAME, -+ "C554C9F82C2A9D58B70921C143304153A8A42F17", NULL, -+ test_lookup_by_cert_double_cb, SSSD_TEST_CERT_0001, 
-+ true); -+ -+ will_return(__wrap_sss_packet_get_cmd, SSS_PAM_AUTHENTICATE); -+ will_return(__wrap_sss_packet_get_body, WRAP_CALL_REAL); -+ -+ /* Assume backend cannot handle Smartcard credentials */ -+ pam_test_ctx->exp_pam_status = PAM_BAD_ITEM; -+ -+ set_cmd_cb(test_pam_simple_check_success); -+ ret = sss_cmd_execute(pam_test_ctx->cctx, SSS_PAM_AUTHENTICATE, -+ pam_test_ctx->pam_cmds); -+ assert_int_equal(ret, EOK); -+ -+ /* Wait until the test finishes with EOK */ -+ ret = test_ev_loop(pam_test_ctx->tctx); -+ assert_int_equal(ret, EOK); -+} -+ -+ - void test_filter_response(void **state) - { - int ret; -@@ -2875,6 +2909,8 @@ int main(int argc, const char *argv[]) - pam_test_setup, pam_test_teardown), - cmocka_unit_test_setup_teardown(test_pam_cert_preauth_2certs_two_mappings, - pam_test_setup, pam_test_teardown), -+ cmocka_unit_test_setup_teardown(test_pam_cert_auth_2certs_one_mapping, -+ pam_test_setup, pam_test_teardown), - cmocka_unit_test_setup_teardown(test_pam_cert_auth_no_logon_name, - pam_test_setup, pam_test_teardown), - cmocka_unit_test_setup_teardown(test_pam_cert_auth_no_logon_name_no_key_id, --- -2.9.5 - diff --git a/0042-doc-Add-nsswitch.conf-note-to-manpage.patch b/0042-doc-Add-nsswitch.conf-note-to-manpage.patch deleted file mode 100644 index c08ac4c..0000000 --- a/0042-doc-Add-nsswitch.conf-note-to-manpage.patch +++ /dev/null 
@@ -1,74 +0,0 @@ -From 0be037bbedd0aed6a7eccead6aabe0d07258242a Mon Sep 17 00:00:00 2001 -From: Tomas Halman -Date: Mon, 1 Oct 2018 13:45:52 +0200 -Subject: [PATCH 57/83] doc: Add nsswitch.conf note to manpage - -We want to add note about nsswitch.conf configuration -into sssd-files manpage. - -Resolves: -https://pagure.io/SSSD/sssd/issue/3750 - -Reviewed-by: Jakub Hrozek -Reviewed-by: Justin Stephenson ---- - src/man/sssd-files.5.xml | 34 +++++++++++++++++++++++++++++++++- - 1 file changed, 33 insertions(+), 1 deletion(-) - -diff --git a/src/man/sssd-files.5.xml b/src/man/sssd-files.5.xml -index 59e1b65..067e219 100644 ---- a/src/man/sssd-files.5.xml -+++ b/src/man/sssd-files.5.xml -@@ -51,6 +51,27 @@ - 5 - . - -+ -+ Another reason is to provide efficient caching of local users and groups. -+ -+ -+ Please note that some distributions enable the files domain automatically, -+ prepending the domain before any explicitly configured domains. -+ See enable_files_domain in -+ -+ sssd.conf -+ 5 -+ . -+ -+ -+ SSSD never handles resolution of user/group "root". Also resolution of -+ UID/GID 0 is not handled by SSSD. Such requests are passed to next -+ NSS module (usually files). -+ -+ -+ When SSSD is not running or responding, nss_sss returns the UNAVAIL code -+ which causes the request to be passed to the next module. -+ - - - -@@ -112,9 +133,20 @@ - id_provider = files - - -+ -+ To leverage caching of local users and groups by SSSD -+ nss_sss module must be listed before nss_files module -+ in /etc/nsswitch.conf. -+ -+ -+ -+passwd: sss files -+group: sss files -+ -+ - - -- -+ - - - --- -2.9.5 - diff --git a/0043-MAN-Fix-typo-in-ad_gpo_implicit_deny-default-value.patch b/0043-MAN-Fix-typo-in-ad_gpo_implicit_deny-default-value.patch deleted file mode 100644 index 04be0e5..0000000 --- a/0043-MAN-Fix-typo-in-ad_gpo_implicit_deny-default-value.patch +++ /dev/null 
@@ -1,31 +0,0 @@ -From e5dc30e0092b240a32f2004966eeecdc57d50fb8 Mon Sep 17 00:00:00 2001 -From: Lukas Slebodnik -Date: Mon, 8 Oct 2018 07:45:45 +0000 -Subject: [PATCH 58/83] MAN: Fix typo in ad_gpo_implicit_deny default value -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Merges: https://pagure.io/SSSD/sssd/pull-request/3846 - -Reviewed-by: Michal Židek ---- - src/man/sssd-ad.5.xml | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/src/man/sssd-ad.5.xml b/src/man/sssd-ad.5.xml -index 0eac382..ea0adf7 100644 ---- a/src/man/sssd-ad.5.xml -+++ b/src/man/sssd-ad.5.xml -@@ -432,7 +432,7 @@ DOM:dom1:(memberOf:1.2.840.113556.1.4.1941:=cn=nestedgroup,ou=groups,dc=example, - apply to them. - - -- Default: False (seconds) -+ Default: False - - - --- -2.9.5 - diff --git a/0044-p11_child-add-wait_for_card-option.patch b/0044-p11_child-add-wait_for_card-option.patch deleted file mode 100644 index af5b3ee..0000000 --- a/0044-p11_child-add-wait_for_card-option.patch +++ /dev/null 
@@ -1,470 +0,0 @@ -From 42f69e26e5b858dd03492cc2a148d02c2ccc2161 Mon Sep 17 00:00:00 2001 -From: Sumit Bose -Date: Fri, 14 Sep 2018 12:47:00 +0200 -Subject: [PATCH 59/83] p11_child: add --wait_for_card option - -The --wait_for_card option will let the p11_child wait until a -Smartcard/token is available in a slot with the removable flag. - -Related to https://pagure.io/SSSD/sssd/issue/3650 - -Reviewed-by: Jakub Hrozek ---- - src/p11_child/p11_child.h | 5 +- - src/p11_child/p11_child_common.c | 12 +++- - src/p11_child/p11_child_nss.c | 105 ++++++++++++++++++++--------- - src/p11_child/p11_child_openssl.c | 136 ++++++++++++++++++++++++++++++-------- - 4 files changed, 196 insertions(+), 62 deletions(-) - -diff --git a/src/p11_child/p11_child.h b/src/p11_child/p11_child.h -index 1e9fc3d..dd8fdea 100644 ---- a/src/p11_child/p11_child.h -+++ b/src/p11_child/p11_child.h -@@ -25,6 +25,9 @@ - #ifndef __P11_CHILD_H__ - #define __P11_CHILD_H__ - -+/* Time to wait during a C_Finalize C_Initialize cycle to discover -+ * new slots. 
*/ -+#define PKCS11_FINIALIZE_INITIALIZE_WAIT_TIME 3 - struct p11_ctx; - - enum op_mode { -@@ -41,7 +44,7 @@ enum pin_mode { - }; - - errno_t init_p11_ctx(TALLOC_CTX *mem_ctx, const char *nss_db, -- struct p11_ctx **p11_ctx); -+ bool wait_for_card, struct p11_ctx **p11_ctx); - - errno_t init_verification(struct p11_ctx *p11_ctx, - struct cert_verify_opts *cert_verify_opts); -diff --git a/src/p11_child/p11_child_common.c b/src/p11_child/p11_child_common.c -index 125430d..bc5f6b0 100644 ---- a/src/p11_child/p11_child_common.c -+++ b/src/p11_child/p11_child_common.c -@@ -57,6 +57,7 @@ static const char *op_mode_str(enum op_mode mode) - - static int do_work(TALLOC_CTX *mem_ctx, enum op_mode mode, const char *ca_db, - struct cert_verify_opts *cert_verify_opts, -+ bool wait_for_card, - const char *cert_b64, const char *pin, - const char *module_name, const char *token_name, - const char *key_id, char **multi) -@@ -64,7 +65,7 @@ static int do_work(TALLOC_CTX *mem_ctx, enum op_mode mode, const char *ca_db, - int ret; - struct p11_ctx *p11_ctx; - -- ret = init_p11_ctx(mem_ctx, ca_db, &p11_ctx); -+ ret = init_p11_ctx(mem_ctx, ca_db, wait_for_card, &p11_ctx); - if (ret != EOK) { - DEBUG(SSSDBG_OP_FAILURE, "init_p11_ctx failed.\n"); - return ret; -@@ -157,6 +158,7 @@ int main(int argc, const char *argv[]) - char *token_name = NULL; - char *key_id = NULL; - char *cert_b64 = NULL; -+ bool wait_for_card = false; - - struct poptOption long_options[] = { - POPT_AUTOHELP -@@ -174,6 +176,7 @@ int main(int argc, const char *argv[]) - SSSD_LOGGER_OPTS - {"auth", 0, POPT_ARG_NONE, NULL, 'a', _("Run in auth mode"), NULL}, - {"pre", 0, POPT_ARG_NONE, NULL, 'p', _("Run in pre-auth mode"), NULL}, -+ {"wait_for_card", 0, POPT_ARG_NONE, NULL, 'w', _("Wait until card is available"), NULL}, - {"verification", 0, POPT_ARG_NONE, NULL, 'v', _("Run in verification mode"), - NULL}, - {"pin", 0, POPT_ARG_NONE, NULL, 'i', _("Expect PIN on stdin"), NULL}, -@@ -258,6 +261,9 @@ int main(int argc, const 
char *argv[]) - } - pin_mode = PIN_KEYPAD; - break; -+ case 'w': -+ wait_for_card = true; -+ break; - default: - fprintf(stderr, "\nInvalid option %s: %s\n\n", - poptBadOption(pc, 0), poptStrerror(opt)); -@@ -360,8 +366,8 @@ int main(int argc, const char *argv[]) - } - } - -- ret = do_work(main_ctx, mode, nss_db, cert_verify_opts, cert_b64, -- pin, module_name, token_name, key_id, &multi); -+ ret = do_work(main_ctx, mode, nss_db, cert_verify_opts, wait_for_card, -+ cert_b64, pin, module_name, token_name, key_id, &multi); - if (ret != 0) { - DEBUG(SSSDBG_OP_FAILURE, "do_work failed.\n"); - goto fail; -diff --git a/src/p11_child/p11_child_nss.c b/src/p11_child/p11_child_nss.c -index d6a0b80..b2777d1 100644 ---- a/src/p11_child/p11_child_nss.c -+++ b/src/p11_child/p11_child_nss.c -@@ -51,6 +51,7 @@ struct p11_ctx { - CERTCertDBHandle *handle; - struct cert_verify_opts *cert_verify_opts; - const char *nss_db; -+ bool wait_for_card; - }; - - #define EXP_USAGES ( certificateUsageSSLClient \ -@@ -141,6 +142,19 @@ static int talloc_free_handle(struct p11_ctx *p11_ctx) - return 0; - } - -+static NSSInitContext *get_nss_ctx(const char *nss_db) -+{ -+ uint32_t flags = NSS_INIT_READONLY -+ | NSS_INIT_FORCEOPEN -+ | NSS_INIT_NOROOTINIT -+ | NSS_INIT_OPTIMIZESPACE -+ | NSS_INIT_PK11RELOAD; -+ NSSInitParameters parameters = { 0 }; -+ parameters.length = sizeof (parameters); -+ -+ return NSS_InitContext(nss_db, "", "", SECMOD_DB, ¶meters, flags); -+} -+ - errno_t init_verification(struct p11_ctx *p11_ctx, - struct cert_verify_opts *cert_verify_opts) - { -@@ -256,14 +270,15 @@ errno_t do_card(TALLOC_CTX *mem_ctx, struct p11_ctx *p11_ctx, - SECItem signed_random_value = {0}; - SECKEYPublicKey *pub_key; - CERTCertificate *found_cert = NULL; -- PK11SlotList *list = NULL; -- PK11SlotListElement *le; - const char *label; - char *key_id_str = NULL; - CERTCertList *valid_certs = NULL; - char *cert_b64 = NULL; - char *multi = NULL; - PRCList *node; -+ CK_SLOT_INFO slInfo; -+ 
PK11TokenStatus token_status; -+ size_t s; - - PK11_SetPasswordFunc(password_passthrough); - -@@ -297,28 +312,50 @@ errno_t do_card(TALLOC_CTX *mem_ctx, struct p11_ctx *p11_ctx, - mod_list_item->module->dllName); - } - -- list = PK11_GetAllTokens(CKM_INVALID_MECHANISM, PR_FALSE, PR_TRUE, -- NULL); -- if (list == NULL) { -- DEBUG(SSSDBG_OP_FAILURE, "PK11_GetAllTokens failed.\n"); -- ret = EIO; -- goto done; -- } -+ for (;;) { -+ mod_list = SECMOD_GetDefaultModuleList(); -+ for (mod_list_item = mod_list; mod_list_item != NULL; -+ mod_list_item = mod_list_item->next) { -+ for (s = 0; s < mod_list_item->module->slotCount; s++) { -+ slInfo.flags = 0; -+ rv = PK11_GetSlotInfo(mod_list_item->module->slots[s], &slInfo); -+ DEBUG(SSSDBG_TRACE_ALL, -+ "Description [%s] Manufacturer [%s] flags [%lu] " -+ "removable [%s] token present [%s].\n", -+ slInfo.slotDescription, slInfo.manufacturerID, -+ slInfo.flags, -+ (slInfo.flags & CKF_REMOVABLE_DEVICE) ? "true": "false", -+ (slInfo.flags & CKF_TOKEN_PRESENT) ? "true": "false"); -+ -+ if (rv == SECSuccess && (slInfo.flags & CKF_REMOVABLE_DEVICE)) { -+ slot = PK11_ReferenceSlot(mod_list_item->module->slots[s]); -+ break; -+ } -+ } -+ } - -- for (le = list->head; le; le = le->next) { -- CK_SLOT_INFO slInfo; -+ /* When e.g. using Yubikeys the slot isn't present until the device is -+ * inserted, so we should wait for a slot as well. 
*/ -+ if (p11_ctx->wait_for_card && slot == NULL) { -+ rv = NSS_ShutdownContext(p11_ctx->nss_ctx); -+ if (rv != SECSuccess) { -+ DEBUG(SSSDBG_OP_FAILURE, "NSS_ShutdownContext failed [%d][%s].\n", -+ PR_GetError(), PORT_ErrorToString(PR_GetError())); -+ } - -- slInfo.flags = 0; -- rv = PK11_GetSlotInfo(le->slot, &slInfo); -- DEBUG(SSSDBG_TRACE_ALL, -- "Description [%s] Manufacturer [%s] flags [%lu].\n", -- slInfo.slotDescription, slInfo.manufacturerID, slInfo.flags); -- if (rv == SECSuccess && (slInfo.flags & CKF_REMOVABLE_DEVICE)) { -- slot = PK11_ReferenceSlot(le->slot); -+ sleep(PKCS11_FINIALIZE_INITIALIZE_WAIT_TIME); -+ -+ p11_ctx->nss_ctx = get_nss_ctx(p11_ctx->nss_db); -+ if (p11_ctx->nss_ctx == NULL) { -+ DEBUG(SSSDBG_OP_FAILURE, "NSS_InitContext failed [%d][%s].\n", -+ PR_GetError(), PORT_ErrorToString(PR_GetError())); -+ return EIO; -+ } -+ } else { - break; - } - } -- PK11_FreeSlotList(list); -+ - if (slot == NULL) { - DEBUG(SSSDBG_OP_FAILURE, "No removable slots found.\n"); - ret = EIO; -@@ -332,6 +369,22 @@ errno_t do_card(TALLOC_CTX *mem_ctx, struct p11_ctx *p11_ctx, - module = PK11_GetModule(slot); - module_name = module->dllName == NULL ? 
"NSS-Internal" : module->dllName; - -+ if (!(slInfo.flags & CKF_TOKEN_PRESENT)) { -+ DEBUG(SSSDBG_TRACE_ALL, "Token not present.\n"); -+ if (p11_ctx->wait_for_card) { -+ token_status = PK11_WaitForTokenEvent(slot, PK11TokenPresentEvent, -+ PR_INTERVAL_NO_TIMEOUT, 0, 0); -+ if (token_status != PK11TokenPresent) { -+ DEBUG(SSSDBG_OP_FAILURE, "PK11_WaitForTokenEvent failed.\n"); -+ ret = EIO; -+ goto done; -+ } -+ } else { -+ ret = EIO; -+ goto done; -+ } -+ } -+ - DEBUG(SSSDBG_TRACE_ALL, "Found [%s] in slot [%s][%d] of module [%d][%s].\n", - token_name, slot_name, (int) slot_id, (int) module_id, module_name); - -@@ -651,26 +704,18 @@ static int talloc_nss_shutdown(struct p11_ctx *p11_ctx) - } - - errno_t init_p11_ctx(TALLOC_CTX *mem_ctx, const char *nss_db, -- struct p11_ctx **p11_ctx) -+ bool wait_for_card, struct p11_ctx **p11_ctx) - { - struct p11_ctx *ctx; -- uint32_t flags = NSS_INIT_READONLY -- | NSS_INIT_FORCEOPEN -- | NSS_INIT_NOROOTINIT -- | NSS_INIT_OPTIMIZESPACE -- | NSS_INIT_PK11RELOAD; -- NSSInitParameters parameters = { 0 }; -- parameters.length = sizeof (parameters); -- - ctx = talloc_zero(mem_ctx, struct p11_ctx); - if (ctx == NULL) { - DEBUG(SSSDBG_OP_FAILURE, "talloc_zero failed.\n"); - return ENOMEM; - } - ctx->nss_db = nss_db; -+ ctx->wait_for_card = wait_for_card; - -- ctx->nss_ctx = NSS_InitContext(nss_db, "", "", SECMOD_DB, ¶meters, -- flags); -+ ctx->nss_ctx = get_nss_ctx(nss_db); - if (ctx->nss_ctx == NULL) { - DEBUG(SSSDBG_OP_FAILURE, "NSS_InitContext failed [%d][%s].\n", - PR_GetError(), PORT_ErrorToString(PR_GetError())); -diff --git a/src/p11_child/p11_child_openssl.c b/src/p11_child/p11_child_openssl.c -index bf4418f..d4572d9 100644 ---- a/src/p11_child/p11_child_openssl.c -+++ b/src/p11_child/p11_child_openssl.c -@@ -40,6 +40,7 @@ - struct p11_ctx { - X509_STORE *x509_store; - const char *ca_db; -+ bool wait_for_card; - }; - - static int talloc_cleanup_openssl(struct p11_ctx *p11_ctx) -@@ -48,8 +49,9 @@ static int 
talloc_cleanup_openssl(struct p11_ctx *p11_ctx) - - return 0; - } -+ - errno_t init_p11_ctx(TALLOC_CTX *mem_ctx, const char *ca_db, -- struct p11_ctx **p11_ctx) -+ bool wait_for_card, struct p11_ctx **p11_ctx) - { - int ret; - struct p11_ctx *ctx; -@@ -73,6 +75,7 @@ errno_t init_p11_ctx(TALLOC_CTX *mem_ctx, const char *ca_db, - } - - ctx->ca_db = ca_db; -+ ctx->wait_for_card = wait_for_card; - talloc_set_destructor(ctx, talloc_cleanup_openssl); - - *p11_ctx = ctx; -@@ -547,6 +550,45 @@ done: - return ret; - } - -+static errno_t wait_for_card(CK_FUNCTION_LIST *module, CK_SLOT_ID *slot_id) -+{ -+ CK_FLAGS wait_flags = 0; -+ CK_RV rv; -+ CK_SLOT_INFO info; -+ -+ rv = module->C_WaitForSlotEvent(wait_flags, slot_id, NULL); -+ if (rv != CKR_OK) { -+ if (rv != CKR_FUNCTION_NOT_SUPPORTED) { -+ DEBUG(SSSDBG_OP_FAILURE, -+ "C_WaitForSlotEvent failed [%lu][%s].\n", -+ rv, p11_kit_strerror(rv)); -+ return EIO; -+ } -+ -+ /* Poor man's wait */ -+ do { -+ sleep(10); -+ rv = module->C_GetSlotInfo(*slot_id, &info); -+ if (rv != CKR_OK) { -+ DEBUG(SSSDBG_OP_FAILURE, "C_GetSlotInfo failed\n"); -+ return EIO; -+ } -+ DEBUG(SSSDBG_TRACE_ALL, -+ "Description [%s] Manufacturer [%s] flags [%lu] " -+ "removable [%s] token present [%s].\n", -+ info.slotDescription, info.manufacturerID, info.flags, -+ (info.flags & CKF_REMOVABLE_DEVICE) ? "true": "false", -+ (info.flags & CKF_TOKEN_PRESENT) ? 
"true": "false"); -+ if ((info.flags & CKF_REMOVABLE_DEVICE) -+ && (info.flags & CKF_TOKEN_PRESENT)) { -+ break; -+ } -+ } while (true); -+ } -+ -+ return EOK; -+} -+ - #define MAX_SLOTS 64 - - errno_t do_card(TALLOC_CTX *mem_ctx, struct p11_ctx *p11_ctx, -@@ -588,39 +630,62 @@ errno_t do_card(TALLOC_CTX *mem_ctx, struct p11_ctx *p11_ctx, - return EIO; - } - -- DEBUG(SSSDBG_TRACE_ALL, "Module List:\n"); -- for (c = 0; modules[c] != NULL; c++) { -- mod_name = p11_kit_module_get_name(modules[c]); -- mod_file_name = p11_kit_module_get_filename(modules[c]); -- DEBUG(SSSDBG_TRACE_ALL, "common name: [%s].\n", mod_name); -- DEBUG(SSSDBG_TRACE_ALL, "dll name: [%s].\n", mod_file_name); -- free(mod_name); -- free(mod_file_name); -+ for (;;) { -+ DEBUG(SSSDBG_TRACE_ALL, "Module List:\n"); -+ for (c = 0; modules[c] != NULL; c++) { -+ mod_name = p11_kit_module_get_name(modules[c]); -+ mod_file_name = p11_kit_module_get_filename(modules[c]); -+ DEBUG(SSSDBG_TRACE_ALL, "common name: [%s].\n", mod_name); -+ DEBUG(SSSDBG_TRACE_ALL, "dll name: [%s].\n", mod_file_name); -+ free(mod_name); -+ free(mod_file_name); - -- num_slots = MAX_SLOTS; -- rv = modules[c]->C_GetSlotList(CK_TRUE, slots, &num_slots); -- if (rv != CKR_OK) { -- DEBUG(SSSDBG_OP_FAILURE, "C_GetSlotList failed.\n"); -- ret = EIO; -- goto done; -- } -- -- for (s = 0; s < num_slots; s++) { -- rv = modules[c]->C_GetSlotInfo(slots[s], &info); -+ num_slots = MAX_SLOTS; -+ rv = modules[c]->C_GetSlotList(CK_FALSE, slots, &num_slots); - if (rv != CKR_OK) { -- DEBUG(SSSDBG_OP_FAILURE, "C_GetSlotInfo failed\n"); -+ DEBUG(SSSDBG_OP_FAILURE, "C_GetSlotList failed.\n"); - ret = EIO; - goto done; - } -- DEBUG(SSSDBG_TRACE_ALL, -- "Description [%s] Manufacturer [%s] flags [%lu] removable [%s].\n", -- info.slotDescription, info.manufacturerID, info.flags, -- (info.flags & CKF_REMOVABLE_DEVICE) ? 
"true": "false"); -- if ((info.flags & CKF_REMOVABLE_DEVICE)) { -+ -+ for (s = 0; s < num_slots; s++) { -+ rv = modules[c]->C_GetSlotInfo(slots[s], &info); -+ if (rv != CKR_OK) { -+ DEBUG(SSSDBG_OP_FAILURE, "C_GetSlotInfo failed\n"); -+ ret = EIO; -+ goto done; -+ } -+ DEBUG(SSSDBG_TRACE_ALL, -+ "Description [%s] Manufacturer [%s] flags [%lu] " -+ "removable [%s] token present [%s].\n", -+ info.slotDescription, info.manufacturerID, info.flags, -+ (info.flags & CKF_REMOVABLE_DEVICE) ? "true": "false", -+ (info.flags & CKF_TOKEN_PRESENT) ? "true": "false"); -+ if ((info.flags & CKF_REMOVABLE_DEVICE)) { -+ break; -+ } -+ } -+ if (s != num_slots) { - break; - } - } -- if (s != num_slots) { -+ -+ /* When e.g. using Yubikeys the slot isn't present until the device is -+ * inserted, so we should wait for a slot as well. */ -+ if (p11_ctx->wait_for_card && modules[c] == NULL) { -+ p11_kit_modules_finalize_and_release(modules); -+ -+ sleep(PKCS11_FINIALIZE_INITIALIZE_WAIT_TIME); -+ -+ modules = p11_kit_modules_load_and_initialize(0); -+ if (modules == NULL) { -+ DEBUG(SSSDBG_OP_FAILURE, -+ "p11_kit_modules_load_and_initialize failed.\n"); -+ ret = EIO; -+ goto done; -+ } -+ -+ } else { - break; - } - } -@@ -631,14 +696,29 @@ errno_t do_card(TALLOC_CTX *mem_ctx, struct p11_ctx *p11_ctx, - goto done; - } - -- rv = modules[c]->C_GetTokenInfo(slots[s], &token_info); -+ slot_id = slots[s]; -+ -+ if (!(info.flags & CKF_TOKEN_PRESENT)) { -+ DEBUG(SSSDBG_TRACE_ALL, "Token not present.\n"); -+ if (p11_ctx->wait_for_card) { -+ ret = wait_for_card(modules[c], &slot_id); -+ if (ret != EOK) { -+ DEBUG(SSSDBG_OP_FAILURE, "wait_for_card failed.\n"); -+ goto done; -+ } -+ } else { -+ ret = EIO; -+ goto done; -+ } -+ } -+ -+ rv = modules[c]->C_GetTokenInfo(slot_id, &token_info); - if (rv != CKR_OK) { - DEBUG(SSSDBG_OP_FAILURE, "C_GetTokenInfo failed.\n"); - ret = EIO; - goto done; - } - -- slot_id = slots[s]; - module_id = c; - slot_name = p11_kit_space_strdup(info.slotDescription, - 
sizeof(info.slotDescription)); --- -2.9.5 - diff --git a/0045-PAM-add-p11_wait_for_card_timeout-option.patch b/0045-PAM-add-p11_wait_for_card_timeout-option.patch deleted file mode 100644 index 219d71f..0000000 --- a/0045-PAM-add-p11_wait_for_card_timeout-option.patch +++ /dev/null 
@@ -1,143 +0,0 @@ -From 2e4ecf5a866b212bef44e262fd90c67a88dc616a Mon Sep 17 00:00:00 2001 -From: Sumit Bose -Date: Tue, 18 Sep 2018 18:15:02 +0200 -Subject: [PATCH 60/83] PAM: add p11_wait_for_card_timeout option - -If the --wait_for_card is used to call p11_child the PAM responder -should be prepared to wait longer until p11_child can return -successfully. - -Related to https://pagure.io/SSSD/sssd/issue/3650 - -Reviewed-by: Jakub Hrozek ---- - src/confdb/confdb.h | 1 + - src/config/SSSDConfig/__init__.py.in | 1 + - src/config/cfg_rules.ini | 1 + - src/config/etc/sssd.api.conf | 1 + - src/man/sssd.conf.5.xml | 14 ++++++++++++++ - src/responder/pam/pamsrv_cmd.c | 15 +++++++++++++++ - src/util/util.h | 1 + - 7 files changed, 34 insertions(+) - -diff --git a/src/confdb/confdb.h b/src/confdb/confdb.h -index 625d156..87904c2 100644 ---- a/src/confdb/confdb.h -+++ b/src/confdb/confdb.h -@@ -130,6 +130,7 @@ - #define CONFDB_PAM_CERT_AUTH "pam_cert_auth" - #define CONFDB_PAM_CERT_DB_PATH "pam_cert_db_path" - #define CONFDB_PAM_P11_CHILD_TIMEOUT "p11_child_timeout" -+#define CONFDB_PAM_WAIT_FOR_CARD_TIMEOUT "p11_wait_for_card_timeout" - #define CONFDB_PAM_APP_SERVICES "pam_app_services" - #define CONFDB_PAM_P11_ALLOWED_SERVICES "pam_p11_allowed_services" - -diff --git a/src/config/SSSDConfig/__init__.py.in b/src/config/SSSDConfig/__init__.py.in -index 81a03ad..4d1dba2 100644 ---- a/src/config/SSSDConfig/__init__.py.in -+++ b/src/config/SSSDConfig/__init__.py.in -@@ -104,6 +104,7 @@ option_strings = { - 'p11_child_timeout' : _('How many seconds will pam_sss wait for p11_child to finish'), - 'pam_app_services' : _('Which PAM services are permitted to contact application domains'), - 'pam_p11_allowed_services' : _('Allowed services for using smartcards'), -+ 'p11_wait_for_card_timeout' : _('Additional timeout to wait for a card if requested'), - - # [sudo] - 'sudo_timed' : _('Whether to evaluate the time-based attributes in sudo rules'), -diff --git a/src/config/cfg_rules.ini 
b/src/config/cfg_rules.ini -index 78f215e..50a8f1d 100644 ---- a/src/config/cfg_rules.ini -+++ b/src/config/cfg_rules.ini -@@ -127,6 +127,7 @@ option = pam_cert_db_path - option = p11_child_timeout - option = pam_app_services - option = pam_p11_allowed_services -+option = p11_wait_for_card_timeout - - [rule/allowed_sudo_options] - validator = ini_allowed_options -diff --git a/src/config/etc/sssd.api.conf b/src/config/etc/sssd.api.conf -index 52494c0..bb686c3 100644 ---- a/src/config/etc/sssd.api.conf -+++ b/src/config/etc/sssd.api.conf -@@ -76,6 +76,7 @@ pam_cert_db_path = str, None, false - p11_child_timeout = int, None, false - pam_app_services = str, None, false - pam_p11_allowed_services = str, None, false -+p11_wait_for_card_timeout = int, None, false - - [sudo] - # sudo service -diff --git a/src/man/sssd.conf.5.xml b/src/man/sssd.conf.5.xml -index c1e3895..4df0163 100644 ---- a/src/man/sssd.conf.5.xml -+++ b/src/man/sssd.conf.5.xml -@@ -1464,6 +1464,20 @@ pam_p11_allowed_services = +my_pam_service, -login - - - -+ -+ p11_wait_for_card_timeout (integer) -+ -+ -+ If Smartcard authentication is required how many -+ extra seconds in addition to p11_child_timeout -+ should the PAM responder wait until a Smartcard is -+ inserted. 
-+ -+ -+ Default: 60 -+ -+ -+ - - - -diff --git a/src/responder/pam/pamsrv_cmd.c b/src/responder/pam/pamsrv_cmd.c -index 817f3c5..c8df32d 100644 ---- a/src/responder/pam/pamsrv_cmd.c -+++ b/src/responder/pam/pamsrv_cmd.c -@@ -1297,6 +1297,7 @@ static errno_t check_cert(TALLOC_CTX *mctx, - struct pam_data *pd) - { - int p11_child_timeout; -+ int wait_for_card_timeout; - char *cert_verification_opts; - errno_t ret; - struct tevent_req *req; -@@ -1311,6 +1312,20 @@ static errno_t check_cert(TALLOC_CTX *mctx, - ret, sss_strerror(ret)); - return ret; - } -+ if ((pd->cli_flags & PAM_CLI_FLAGS_REQUIRE_CERT_AUTH) && pd->priv == 1) { -+ ret = confdb_get_int(pctx->rctx->cdb, CONFDB_PAM_CONF_ENTRY, -+ CONFDB_PAM_WAIT_FOR_CARD_TIMEOUT, -+ P11_WAIT_FOR_CARD_TIMEOUT_DEFAULT, -+ &wait_for_card_timeout); -+ if (ret != EOK) { -+ DEBUG(SSSDBG_CRIT_FAILURE, -+ "Failed to read wait_for_card_timeout from confdb: [%d]: %s\n", -+ ret, sss_strerror(ret)); -+ return ret; -+ } -+ -+ p11_child_timeout += wait_for_card_timeout; -+ } - - ret = confdb_get_string(pctx->rctx->cdb, mctx, CONFDB_MONITOR_CONF_ENTRY, - CONFDB_MONITOR_CERT_VERIFICATION, NULL, -diff --git a/src/util/util.h b/src/util/util.h -index 59e7a96..e3e9100 100644 ---- a/src/util/util.h -+++ b/src/util/util.h -@@ -724,6 +724,7 @@ errno_t create_preauth_indicator(void); - #define P11_CHILD_LOG_FILE "p11_child" - #define P11_CHILD_PATH SSSD_LIBEXEC_PATH"/p11_child" - #define P11_CHILD_TIMEOUT_DEFAULT 10 -+#define P11_WAIT_FOR_CARD_TIMEOUT_DEFAULT 60 - #endif /* SSSD_LIBEXEC_PATH */ - - #endif /* __SSSD_UTIL_H__ */ --- -2.9.5 - diff --git a/0046-pam_sss-make-flags-public.patch b/0046-pam_sss-make-flags-public.patch deleted file mode 100644 index 543c97b..0000000 --- a/0046-pam_sss-make-flags-public.patch +++ /dev/null 
@@ -1,244 +0,0 @@ -From d33a8bed5aad9135426c9ebdf101cf600685ab81 Mon Sep 17 00:00:00 2001 -From: Sumit Bose -Date: Tue, 18 Sep 2018 10:11:02 +0200 -Subject: [PATCH 61/83] pam_sss: make flags public - -To allow the PAM responder to act on the config flags set for pam_sss -the flags have to be made public first. - -Related to https://pagure.io/SSSD/sssd/issue/3650 - -Reviewed-by: Jakub Hrozek ---- - src/sss_client/pam_sss.c | 71 +++++++++++++++++++++--------------------------- - src/sss_client/sss_cli.h | 9 ++++++ - 2 files changed, 40 insertions(+), 40 deletions(-) - -diff --git a/src/sss_client/pam_sss.c b/src/sss_client/pam_sss.c -index 59081cc..b336d1f 100644 ---- a/src/sss_client/pam_sss.c -+++ b/src/sss_client/pam_sss.c -@@ -52,15 +52,6 @@ - #include - #define _(STRING) dgettext (PACKAGE, STRING) - --#define FLAGS_USE_FIRST_PASS (1 << 0) --#define FLAGS_FORWARD_PASS (1 << 1) --#define FLAGS_USE_AUTHTOK (1 << 2) --#define FLAGS_IGNORE_UNKNOWN_USER (1 << 3) --#define FLAGS_IGNORE_AUTHINFO_UNAVAIL (1 << 4) --#define FLAGS_USE_2FA (1 << 5) --#define FLAGS_ALLOW_MISSING_NAME (1 << 6) --#define FLAGS_PROMPT_ALWAYS (1 << 7) -- - #define PWEXP_FLAG "pam_sss:password_expired_flag" - #define FD_DESTRUCTOR "pam_sss:fd_destructor" - #define PAM_SSS_AUTHOK_TYPE "pam_sss:authtok_type" -@@ -1193,13 +1184,13 @@ static int get_pam_items(pam_handle_t *pamh, uint32_t flags, - pi->pam_service_size=strlen(pi->pam_service)+1; - - ret = pam_get_item(pamh, PAM_USER, (const void **) &(pi->pam_user)); -- if (ret == PAM_PERM_DENIED && (flags & FLAGS_ALLOW_MISSING_NAME)) { -+ if (ret == PAM_PERM_DENIED && (flags & PAM_CLI_FLAGS_ALLOW_MISSING_NAME)) { - pi->pam_user = ""; - ret = PAM_SUCCESS; - } - if (ret != PAM_SUCCESS) return ret; - if (pi->pam_user == NULL) { -- if (flags & FLAGS_ALLOW_MISSING_NAME) { -+ if (flags & PAM_CLI_FLAGS_ALLOW_MISSING_NAME) { - pi->pam_user = ""; - } else { - D(("No user found, aborting.")); -@@ -1959,11 +1950,11 @@ static void eval_argv(pam_handle_t *pamh, 
int argc, const char **argv, - - for (; argc-- > 0; ++argv) { - if (strcmp(*argv, "forward_pass") == 0) { -- *flags |= FLAGS_FORWARD_PASS; -+ *flags |= PAM_CLI_FLAGS_FORWARD_PASS; - } else if (strcmp(*argv, "use_first_pass") == 0) { -- *flags |= FLAGS_USE_FIRST_PASS; -+ *flags |= PAM_CLI_FLAGS_USE_FIRST_PASS; - } else if (strcmp(*argv, "use_authtok") == 0) { -- *flags |= FLAGS_USE_AUTHTOK; -+ *flags |= PAM_CLI_FLAGS_USE_AUTHTOK; - } else if (strncmp(*argv, OPT_DOMAINS_KEY, strlen(OPT_DOMAINS_KEY)) == 0) { - if (*(*argv+strlen(OPT_DOMAINS_KEY)) == '\0') { - logger(pamh, LOG_ERR, "Missing argument to option domains."); -@@ -1997,15 +1988,15 @@ static void eval_argv(pam_handle_t *pamh, int argc, const char **argv, - } else if (strcmp(*argv, "quiet") == 0) { - *quiet_mode = true; - } else if (strcmp(*argv, "ignore_unknown_user") == 0) { -- *flags |= FLAGS_IGNORE_UNKNOWN_USER; -+ *flags |= PAM_CLI_FLAGS_IGNORE_UNKNOWN_USER; - } else if (strcmp(*argv, "ignore_authinfo_unavail") == 0) { -- *flags |= FLAGS_IGNORE_AUTHINFO_UNAVAIL; -+ *flags |= PAM_CLI_FLAGS_IGNORE_AUTHINFO_UNAVAIL; - } else if (strcmp(*argv, "use_2fa") == 0) { -- *flags |= FLAGS_USE_2FA; -+ *flags |= PAM_CLI_FLAGS_USE_2FA; - } else if (strcmp(*argv, "allow_missing_name") == 0) { -- *flags |= FLAGS_ALLOW_MISSING_NAME; -+ *flags |= PAM_CLI_FLAGS_ALLOW_MISSING_NAME; - } else if (strcmp(*argv, "prompt_always") == 0) { -- *flags |= FLAGS_PROMPT_ALWAYS; -+ *flags |= PAM_CLI_FLAGS_PROMPT_ALWAYS; - } else { - logger(pamh, LOG_WARNING, "unknown option: %s", *argv); - } -@@ -2020,10 +2011,10 @@ static int get_authtok_for_authentication(pam_handle_t *pamh, - { - int ret; - -- if ((flags & FLAGS_USE_FIRST_PASS) -+ if ((flags & PAM_CLI_FLAGS_USE_FIRST_PASS) - || ( pi->pamstack_authtok != NULL - && *(pi->pamstack_authtok) != '\0' -- && !(flags & FLAGS_PROMPT_ALWAYS))) { -+ && !(flags & PAM_CLI_FLAGS_PROMPT_ALWAYS))) { - pi->pam_authtok_type = SSS_AUTHTOK_TYPE_PASSWORD; - pi->pam_authtok = strdup(pi->pamstack_authtok); - 
if (pi->pam_authtok == NULL) { -@@ -2032,7 +2023,7 @@ static int get_authtok_for_authentication(pam_handle_t *pamh, - } - pi->pam_authtok_size = strlen(pi->pam_authtok); - } else { -- if (flags & FLAGS_USE_2FA -+ if (flags & PAM_CLI_FLAGS_USE_2FA - || (pi->otp_vendor != NULL && pi->otp_token_id != NULL - && pi->otp_challenge != NULL)) { - if (pi->password_prompting) { -@@ -2062,7 +2053,7 @@ static int get_authtok_for_authentication(pam_handle_t *pamh, - return ret; - } - -- if (flags & FLAGS_FORWARD_PASS) { -+ if (flags & PAM_CLI_FLAGS_FORWARD_PASS) { - if (pi->pam_authtok_type == SSS_AUTHTOK_TYPE_PASSWORD) { - ret = pam_set_item(pamh, PAM_AUTHTOK, pi->pam_authtok); - } else if (pi->pam_authtok_type == SSS_AUTHTOK_TYPE_2FA -@@ -2193,8 +2184,8 @@ static int get_authtok_for_password_change(pam_handle_t *pamh, - /* we query for the old password during PAM_PRELIM_CHECK to make - * pam_sss work e.g. with pam_cracklib */ - if (pam_flags & PAM_PRELIM_CHECK) { -- if ( (getuid() != 0 || exp_data ) && !(flags & FLAGS_USE_FIRST_PASS)) { -- if (flags & FLAGS_USE_2FA -+ if ( (getuid() != 0 || exp_data ) && !(flags & PAM_CLI_FLAGS_USE_FIRST_PASS)) { -+ if (flags & PAM_CLI_FLAGS_USE_2FA - || (pi->otp_vendor != NULL && pi->otp_token_id != NULL - && pi->otp_challenge != NULL)) { - if (pi->password_prompting) { -@@ -2253,7 +2244,7 @@ static int get_authtok_for_password_change(pam_handle_t *pamh, - } - } - -- if (flags & FLAGS_USE_AUTHTOK) { -+ if (flags & PAM_CLI_FLAGS_USE_AUTHTOK) { - pi->pam_newauthtok_type = SSS_AUTHTOK_TYPE_PASSWORD; - pi->pam_newauthtok = strdup(pi->pamstack_authtok); - if (pi->pam_newauthtok == NULL) { -@@ -2268,7 +2259,7 @@ static int get_authtok_for_password_change(pam_handle_t *pamh, - return ret; - } - -- if (flags & FLAGS_FORWARD_PASS) { -+ if (flags & PAM_CLI_FLAGS_FORWARD_PASS) { - ret = pam_set_item(pamh, PAM_AUTHTOK, pi->pam_newauthtok); - if (ret != PAM_SUCCESS) { - D(("Failed to set PAM_AUTHTOK [%s], " -@@ -2376,10 +2367,10 @@ static int 
pam_sss(enum sss_cli_command task, pam_handle_t *pamh, - ret = get_pam_items(pamh, flags, &pi); - if (ret != PAM_SUCCESS) { - D(("get items returned error: %s", pam_strerror(pamh,ret))); -- if (flags & FLAGS_IGNORE_UNKNOWN_USER && ret == PAM_USER_UNKNOWN) { -+ if (flags & PAM_CLI_FLAGS_IGNORE_UNKNOWN_USER && ret == PAM_USER_UNKNOWN) { - ret = PAM_IGNORE; - } -- if (flags & FLAGS_IGNORE_AUTHINFO_UNAVAIL -+ if (flags & PAM_CLI_FLAGS_IGNORE_AUTHINFO_UNAVAIL - && ret == PAM_AUTHINFO_UNAVAIL) { - ret = PAM_IGNORE; - } -@@ -2393,13 +2384,13 @@ static int pam_sss(enum sss_cli_command task, pam_handle_t *pamh, - case SSS_PAM_AUTHENTICATE: - /* - * Only do preauth if -- * - FLAGS_USE_FIRST_PASS is not set -- * - no password is on the stack or FLAGS_PROMPT_ALWAYS is set -+ * - PAM_CLI_FLAGS_USE_FIRST_PASS is not set -+ * - no password is on the stack or PAM_CLI_FLAGS_PROMPT_ALWAYS is set - * - preauth indicator file exists. - */ -- if ( !(flags & FLAGS_USE_FIRST_PASS) -+ if ( !(flags & PAM_CLI_FLAGS_USE_FIRST_PASS) - && (pi.pam_authtok == NULL -- || (flags & FLAGS_PROMPT_ALWAYS)) -+ || (flags & PAM_CLI_FLAGS_PROMPT_ALWAYS)) - && access(PAM_PREAUTH_INDICATOR, F_OK) == 0) { - pam_status = send_and_receive(pamh, &pi, SSS_PAM_PREAUTH, - quiet_mode); -@@ -2443,14 +2434,14 @@ static int pam_sss(enum sss_cli_command task, pam_handle_t *pamh, - * The means the preauth step has to be done here as well but - * only if - * - PAM_PRELIM_CHECK is set -- * - FLAGS_USE_FIRST_PASS is not set -- * - no password is on the stack or FLAGS_PROMPT_ALWAYS is set -+ * - PAM_CLI_FLAGS_USE_FIRST_PASS is not set -+ * - no password is on the stack or PAM_CLI_FLAGS_PROMPT_ALWAYS is set - * - preauth indicator file exists. 
- */ - if ( (pam_flags & PAM_PRELIM_CHECK) -- && !(flags & FLAGS_USE_FIRST_PASS) -+ && !(flags & PAM_CLI_FLAGS_USE_FIRST_PASS) - && (pi.pam_authtok == NULL -- || (flags & FLAGS_PROMPT_ALWAYS)) -+ || (flags & PAM_CLI_FLAGS_PROMPT_ALWAYS)) - && access(PAM_PREAUTH_INDICATOR, F_OK) == 0) { - pam_status = send_and_receive(pamh, &pi, SSS_PAM_PREAUTH, - quiet_mode); -@@ -2497,11 +2488,11 @@ static int pam_sss(enum sss_cli_command task, pam_handle_t *pamh, - - pam_status = send_and_receive(pamh, &pi, task, quiet_mode); - -- if (flags & FLAGS_IGNORE_UNKNOWN_USER -+ if (flags & PAM_CLI_FLAGS_IGNORE_UNKNOWN_USER - && pam_status == PAM_USER_UNKNOWN) { - pam_status = PAM_IGNORE; - } -- if (flags & FLAGS_IGNORE_AUTHINFO_UNAVAIL -+ if (flags & PAM_CLI_FLAGS_IGNORE_AUTHINFO_UNAVAIL - && pam_status == PAM_AUTHINFO_UNAVAIL) { - pam_status = PAM_IGNORE; - } -@@ -2581,7 +2572,7 @@ static int pam_sss(enum sss_cli_command task, pam_handle_t *pamh, - retry = true; - retries--; - -- flags &= ~FLAGS_USE_FIRST_PASS; -+ flags &= ~PAM_CLI_FLAGS_USE_FIRST_PASS; - ret = pam_set_item(pamh, PAM_AUTHTOK, NULL); - if (ret != PAM_SUCCESS) { - D(("Failed to unset PAM_AUTHTOK [%s]", -diff --git a/src/sss_client/sss_cli.h b/src/sss_client/sss_cli.h -index 24d28ed..3404715 100644 ---- a/src/sss_client/sss_cli.h -+++ b/src/sss_client/sss_cli.h -@@ -365,6 +365,15 @@ enum pam_item_type { - SSS_PAM_ITEM_REQUESTED_DOMAINS, - }; - -+#define PAM_CLI_FLAGS_USE_FIRST_PASS (1 << 0) -+#define PAM_CLI_FLAGS_FORWARD_PASS (1 << 1) -+#define PAM_CLI_FLAGS_USE_AUTHTOK (1 << 2) -+#define PAM_CLI_FLAGS_IGNORE_UNKNOWN_USER (1 << 3) -+#define PAM_CLI_FLAGS_IGNORE_AUTHINFO_UNAVAIL (1 << 4) -+#define PAM_CLI_FLAGS_USE_2FA (1 << 5) -+#define PAM_CLI_FLAGS_ALLOW_MISSING_NAME (1 << 6) -+#define PAM_CLI_FLAGS_PROMPT_ALWAYS (1 << 7) -+ - #define SSS_NSS_MAX_ENTRIES 256 - #define SSS_NSS_HEADER_SIZE (sizeof(uint32_t) * 4) - struct sss_cli_req_data { --- -2.9.5 - 
diff --git a/0047-pam_sss-add-try_cert_auth-option.patch b/0047-pam_sss-add-try_cert_auth-option.patch deleted file mode 100644 index fd43ffc..0000000 --- a/0047-pam_sss-add-try_cert_auth-option.patch +++ /dev/null 
@@ -1,100 +0,0 @@ -From d3a18f06162b9585d2db936472b75fdbff37162d Mon Sep 17 00:00:00 2001 -From: Sumit Bose -Date: Mon, 17 Sep 2018 17:54:26 +0200 -Subject: [PATCH 62/83] pam_sss: add try_cert_auth option - -With this new option pam_sss can be configured to only do Smartcard -authentication or return an error if this is not possible. - -Related to https://pagure.io/SSSD/sssd/issue/3650 - -Reviewed-by: Jakub Hrozek ---- - src/man/pam_sss.8.xml | 23 +++++++++++++++++++++++ - src/sss_client/pam_sss.c | 9 +++++++++ - src/sss_client/sss_cli.h | 1 + - 3 files changed, 33 insertions(+) - -diff --git a/src/man/pam_sss.8.xml b/src/man/pam_sss.8.xml -index d8e6a20..ca2e8e2 100644 ---- a/src/man/pam_sss.8.xml -+++ b/src/man/pam_sss.8.xml -@@ -50,6 +50,9 @@ - - prompt_always - -+ -+ try_cert_auth -+ - - - -@@ -200,6 +203,26 @@ auth sufficient pam_sss.so allow_missing_name - - - -+ -+ -+ -+ -+ -+ -+ Try to use certificate based authentication, i.e. -+ authentication with a Smartcard or similar devices. If a -+ Smartcard is available and the service is allowed for -+ Smartcard authentication the use will be prompted for a -+ PIN and the certificate based authentication will -+ continue -+ -+ -+ If no Smartcard is available or certificate based -+ authentication is not allowed for the current service -+ PAM_AUTHINFO_UNAVAIL is returned. 
-+ -+ -+ - - - -diff --git a/src/sss_client/pam_sss.c b/src/sss_client/pam_sss.c -index b336d1f..96ff15a 100644 ---- a/src/sss_client/pam_sss.c -+++ b/src/sss_client/pam_sss.c -@@ -1997,6 +1997,8 @@ static void eval_argv(pam_handle_t *pamh, int argc, const char **argv, - *flags |= PAM_CLI_FLAGS_ALLOW_MISSING_NAME; - } else if (strcmp(*argv, "prompt_always") == 0) { - *flags |= PAM_CLI_FLAGS_PROMPT_ALWAYS; -+ } else if (strcmp(*argv, "try_cert_auth") == 0) { -+ *flags |= PAM_CLI_FLAGS_TRY_CERT_AUTH; - } else { - logger(pamh, LOG_WARNING, "unknown option: %s", *argv); - } -@@ -2405,6 +2407,13 @@ static int pam_sss(enum sss_cli_command task, pam_handle_t *pamh, - } - } - -+ if (flags & PAM_CLI_FLAGS_TRY_CERT_AUTH -+ && pi.cert_list == NULL) { -+ D(("No certificates for authentication available.")); -+ overwrite_and_free_pam_items(&pi); -+ return PAM_AUTHINFO_UNAVAIL; -+ } -+ - if (strcmp(pi.pam_service, "gdm-smartcard") == 0) { - ret = check_login_token_name(pamh, &pi, quiet_mode); - if (ret != PAM_SUCCESS) { -diff --git a/src/sss_client/sss_cli.h b/src/sss_client/sss_cli.h -index 3404715..38e3f99 100644 ---- a/src/sss_client/sss_cli.h -+++ b/src/sss_client/sss_cli.h -@@ -373,6 +373,7 @@ enum pam_item_type { - #define PAM_CLI_FLAGS_USE_2FA (1 << 5) - #define PAM_CLI_FLAGS_ALLOW_MISSING_NAME (1 << 6) - #define PAM_CLI_FLAGS_PROMPT_ALWAYS (1 << 7) -+#define PAM_CLI_FLAGS_TRY_CERT_AUTH (1 << 8) - - #define SSS_NSS_MAX_ENTRIES 256 - #define SSS_NSS_HEADER_SIZE (sizeof(uint32_t) * 4) --- -2.9.5 - diff --git a/0048-pam_sss-add-option-require_cert_auth.patch b/0048-pam_sss-add-option-require_cert_auth.patch deleted file mode 100644 index 3eb4614..0000000 --- a/0048-pam_sss-add-option-require_cert_auth.patch +++ /dev/null 
@@ -1,370 +0,0 @@ -From 49be8974b490c368d349752f3196af0c9ed28dd5 Mon Sep 17 00:00:00 2001 -From: Sumit Bose -Date: Tue, 18 Sep 2018 09:53:37 +0200 -Subject: [PATCH 63/83] pam_sss: add option require_cert_auth - -With this new option pam_sss will wait until a Smartcard is available -and then try to authenticate with the help of the Smartcard. - -Related https://pagure.io/SSSD/sssd/issue/3650 - -Reviewed-by: Jakub Hrozek ---- - src/man/pam_sss.8.xml | 25 ++++++++++++ - src/responder/pam/pamsrv_cmd.c | 12 ++++++ - src/responder/pam/pamsrv_p11.c | 5 ++- - src/sss_client/pam_message.c | 4 ++ - src/sss_client/pam_message.h | 1 + - src/sss_client/pam_sss.c | 90 ++++++++++++++++++++++++++---------------- - src/sss_client/sss_cli.h | 2 + - src/util/sss_pam_data.c | 1 + - src/util/sss_pam_data.h | 1 + - 9 files changed, 106 insertions(+), 35 deletions(-) - -diff --git a/src/man/pam_sss.8.xml b/src/man/pam_sss.8.xml -index ca2e8e2..9998519 100644 ---- a/src/man/pam_sss.8.xml -+++ b/src/man/pam_sss.8.xml -@@ -53,6 +53,9 @@ - - try_cert_auth - -+ -+ require_cert_auth -+ - - - -@@ -223,6 +226,28 @@ auth sufficient pam_sss.so allow_missing_name - - - -+ -+ -+ -+ -+ -+ -+ Do certificate based authentication, i.e. -+ authentication with a Smartcard or similar devices. If a -+ Smartcard is not available the user will be prompted to -+ insert one. SSSD will wait for a Smartcard until the -+ timeout defined by p11_wait_for_card_timeout passed, -+ please see -+ sssd.conf -+ 5 for details. -+ -+ -+ If no Smartcard is available after the timeout or -+ certificate based authentication is not allowed for the -+ current service PAM_AUTHINFO_UNAVAIL is returned. 
-+ -+ -+ - - - -diff --git a/src/responder/pam/pamsrv_cmd.c b/src/responder/pam/pamsrv_cmd.c -index c8df32d..6e37f83 100644 ---- a/src/responder/pam/pamsrv_cmd.c -+++ b/src/responder/pam/pamsrv_cmd.c -@@ -317,6 +317,11 @@ static int pam_parse_in_data_v2(struct pam_data *pd, - size, body, blen, &c); - if (ret != EOK) return ret; - break; -+ case SSS_PAM_ITEM_FLAGS: -+ ret = extract_uint32_t(&pd->cli_flags, size, -+ body, blen, &c); -+ if (ret != EOK) return ret; -+ break; - default: - DEBUG(SSSDBG_CRIT_FAILURE, - "Ignoring unknown data type [%d].\n", type); -@@ -1447,6 +1452,13 @@ static void pam_forwarder_cert_cb(struct tevent_req *req) - "No certificate found and no logon name given, " \ - "authentication not possible.\n"); - ret = ENOENT; -+ } else if (pd->cli_flags & PAM_CLI_FLAGS_TRY_CERT_AUTH) { -+ DEBUG(SSSDBG_TRACE_ALL, -+ "try_cert_auth flag set but no certificate available, " -+ "request finished.\n"); -+ preq->pd->pam_status = PAM_AUTHINFO_UNAVAIL; -+ pam_reply(preq); -+ return; - } else { - if (pd->cmd == SSS_PAM_AUTHENTICATE) { - DEBUG(SSSDBG_CRIT_FAILURE, -diff --git a/src/responder/pam/pamsrv_p11.c b/src/responder/pam/pamsrv_p11.c -index ffa6787..8b8859d 100644 ---- a/src/responder/pam/pamsrv_p11.c -+++ b/src/responder/pam/pamsrv_p11.c -@@ -721,7 +721,7 @@ struct tevent_req *pam_check_cert_send(TALLOC_CTX *mem_ctx, - struct timeval tv; - int pipefd_to_child[2] = PIPE_INIT; - int pipefd_from_child[2] = PIPE_INIT; -- const char *extra_args[13] = { NULL }; -+ const char *extra_args[14] = { NULL }; - uint8_t *write_buf = NULL; - size_t write_buf_len = 0; - size_t arg_c; -@@ -748,6 +748,9 @@ struct tevent_req *pam_check_cert_send(TALLOC_CTX *mem_ctx, - - /* extra_args are added in revers order */ - arg_c = 0; -+ if ((pd->cli_flags & PAM_CLI_FLAGS_REQUIRE_CERT_AUTH) && pd->priv == 1) { -+ extra_args[arg_c++] = "--wait_for_card"; -+ } - extra_args[arg_c++] = nss_db; - extra_args[arg_c++] = "--nssdb"; - if (verify_opts != NULL) { -diff --git 
a/src/sss_client/pam_message.c b/src/sss_client/pam_message.c -index b239f6f..036ae2a 100644 ---- a/src/sss_client/pam_message.c -+++ b/src/sss_client/pam_message.c -@@ -126,6 +126,7 @@ int pack_message_v3(struct pam_items *pi, size_t *size, uint8_t **buffer) - len += 3*sizeof(uint32_t); /* cli_pid */ - len += *pi->requested_domains != '\0' ? - 2*sizeof(uint32_t) + pi->requested_domains_size : 0; -+ len += 3*sizeof(uint32_t); /* flags */ - - buf = malloc(len); - if (buf == NULL) { -@@ -164,6 +165,9 @@ int pack_message_v3(struct pam_items *pi, size_t *size, uint8_t **buffer) - pi->pam_newauthtok, pi->pam_newauthtok_size, - &buf[rp]); - -+ rp += add_uint32_t_item(SSS_PAM_ITEM_FLAGS, (uint32_t) pi->flags, -+ &buf[rp]); -+ - SAFEALIGN_SETMEM_UINT32(buf + rp, SSS_END_OF_PAM_REQUEST, &rp); - - if (rp != len) { -diff --git a/src/sss_client/pam_message.h b/src/sss_client/pam_message.h -index 11526a8..50fedcd 100644 ---- a/src/sss_client/pam_message.h -+++ b/src/sss_client/pam_message.h -@@ -51,6 +51,7 @@ struct pam_items { - enum sss_authtok_type pam_newauthtok_type; - size_t pam_newauthtok_size; - pid_t cli_pid; -+ uint32_t flags; - const char *login_name; - char *domain_name; - const char *requested_domains; -diff --git a/src/sss_client/pam_sss.c b/src/sss_client/pam_sss.c -index 96ff15a..b4c1036 100644 ---- a/src/sss_client/pam_sss.c -+++ b/src/sss_client/pam_sss.c -@@ -134,6 +134,7 @@ static void free_cai(struct cert_auth_info *cai) - free(cai->cert_user); - free(cai->cert); - free(cai->token_name); -+ free(cai->module_name); - free(cai->key_id); - free(cai->prompt_str); - free(cai); -@@ -1247,6 +1248,8 @@ static int get_pam_items(pam_handle_t *pamh, uint32_t flags, - pi->cert_list = NULL; - pi->selected_cert = NULL; - -+ pi->flags = flags; -+ - return PAM_SUCCESS; - } - -@@ -1267,6 +1270,7 @@ static void print_pam_items(struct pam_items *pi) - D(("Newauthtok: %s", CHECK_AND_RETURN_PI_STRING(pi->pam_newauthtok))); - D(("Cli_PID: %d", pi->cli_pid)); - D(("Requested 
domains: %s", pi->requested_domains)); -+ D(("Flags: %d", pi->flags)); - } - - static int send_and_receive(pam_handle_t *pamh, struct pam_items *pi, -@@ -1999,6 +2003,8 @@ static void eval_argv(pam_handle_t *pamh, int argc, const char **argv, - *flags |= PAM_CLI_FLAGS_PROMPT_ALWAYS; - } else if (strcmp(*argv, "try_cert_auth") == 0) { - *flags |= PAM_CLI_FLAGS_TRY_CERT_AUTH; -+ } else if (strcmp(*argv, "require_cert_auth") == 0) { -+ *flags |= PAM_CLI_FLAGS_REQUIRE_CERT_AUTH; - } else { - logger(pamh, LOG_WARNING, "unknown option: %s", *argv); - } -@@ -2274,55 +2280,51 @@ static int get_authtok_for_password_change(pam_handle_t *pamh, - return PAM_SUCCESS; - } - --#define SC_ENTER_FMT "Please enter smart card labeled\n %s\nand press enter" -+#define SC_ENTER_LABEL_FMT "Please enter smart card labeled\n %s" -+#define SC_ENTER_FMT "Please enter smart card" - - static int check_login_token_name(pam_handle_t *pamh, struct pam_items *pi, -- bool quiet_mode) -+ int retries, bool quiet_mode) - { - int ret; - int pam_status; - char *login_token_name; - char *prompt = NULL; -- size_t size; -- char *answer = NULL; -- /* TODO: check multiple cert case */ -- struct cert_auth_info *cai = pi->cert_list; -+ uint32_t orig_flags = pi->flags; - -- if (cai == NULL) { -- D(("No certificate information available")); -- return EINVAL; -+ login_token_name = getenv("PKCS11_LOGIN_TOKEN_NAME"); -+ if (login_token_name == NULL -+ && !(pi->flags & PAM_CLI_FLAGS_REQUIRE_CERT_AUTH)) { -+ return PAM_SUCCESS; - } - -- login_token_name = getenv("PKCS11_LOGIN_TOKEN_NAME"); - if (login_token_name == NULL) { -- return PAM_SUCCESS; -+ ret = asprintf(&prompt, SC_ENTER_FMT); -+ } else { -+ ret = asprintf(&prompt, SC_ENTER_LABEL_FMT, login_token_name); -+ } -+ if (ret == -1) { -+ return ENOMEM; - } - -- while (cai->token_name == NULL -- || strcmp(login_token_name, cai->token_name) != 0) { -- size = sizeof(SC_ENTER_FMT) + strlen(login_token_name); -- prompt = malloc(size); -- if (prompt == NULL) { -- 
D(("malloc failed.")); -- return ENOMEM; -- } -+ pi->flags |= PAM_CLI_FLAGS_REQUIRE_CERT_AUTH; - -- ret = snprintf(prompt, size, SC_ENTER_FMT, -- login_token_name); -- if (ret < 0 || ret >= size) { -- D(("snprintf failed.")); -- free(prompt); -- return EFAULT; -+ /* TODO: check multiple cert case */ -+ while (pi->cert_list == NULL || pi->cert_list->token_name == NULL -+ || (login_token_name != NULL -+ && strcmp(login_token_name, -+ pi->cert_list->token_name) != 0)) { -+ -+ if (retries < 0) { -+ ret = PAM_AUTHINFO_UNAVAIL; -+ goto done; - } -+ retries--; - -- ret = do_pam_conversation(pamh, PAM_PROMPT_ECHO_OFF, prompt, -- NULL, &answer); -- free(prompt); -+ ret = do_pam_conversation(pamh, PAM_TEXT_INFO, prompt, NULL, NULL); - if (ret != PAM_SUCCESS) { - D(("do_pam_conversation failed.")); -- return ret; -- } else { -- free(answer); -+ goto done; - } - - pam_status = send_and_receive(pamh, pi, SSS_PAM_PREAUTH, quiet_mode); -@@ -2335,7 +2337,14 @@ static int check_login_token_name(pam_handle_t *pamh, struct pam_items *pi, - } - } - -- return PAM_SUCCESS; -+ ret = PAM_SUCCESS; -+ -+done: -+ -+ pi->flags = orig_flags; -+ free(prompt); -+ -+ return ret; - } - - static int pam_sss(enum sss_cli_command task, pam_handle_t *pamh, -@@ -2394,8 +2403,19 @@ static int pam_sss(enum sss_cli_command task, pam_handle_t *pamh, - && (pi.pam_authtok == NULL - || (flags & PAM_CLI_FLAGS_PROMPT_ALWAYS)) - && access(PAM_PREAUTH_INDICATOR, F_OK) == 0) { -+ -+ if (flags & PAM_CLI_FLAGS_REQUIRE_CERT_AUTH) { -+ /* Do not use PAM_CLI_FLAGS_REQUIRE_CERT_AUTH in the first -+ * SSS_PAM_PREAUTH run. In case a card is already inserted -+ * we do not have to prompt to insert a card. 
*/ -+ pi.flags &= ~PAM_CLI_FLAGS_REQUIRE_CERT_AUTH; -+ pi.flags |= PAM_CLI_FLAGS_TRY_CERT_AUTH; -+ } -+ - pam_status = send_and_receive(pamh, &pi, SSS_PAM_PREAUTH, - quiet_mode); -+ -+ pi.flags = flags; - if (pam_status != PAM_SUCCESS) { - D(("send_and_receive returned [%d] during pre-auth", - pam_status)); -@@ -2414,8 +2434,10 @@ static int pam_sss(enum sss_cli_command task, pam_handle_t *pamh, - return PAM_AUTHINFO_UNAVAIL; - } - -- if (strcmp(pi.pam_service, "gdm-smartcard") == 0) { -- ret = check_login_token_name(pamh, &pi, quiet_mode); -+ if (strcmp(pi.pam_service, "gdm-smartcard") == 0 -+ || (flags & PAM_CLI_FLAGS_REQUIRE_CERT_AUTH)) { -+ ret = check_login_token_name(pamh, &pi, retries, -+ quiet_mode); - if (ret != PAM_SUCCESS) { - D(("check_login_token_name failed.\n")); - return ret; -diff --git a/src/sss_client/sss_cli.h b/src/sss_client/sss_cli.h -index 38e3f99..af8a439 100644 ---- a/src/sss_client/sss_cli.h -+++ b/src/sss_client/sss_cli.h -@@ -363,6 +363,7 @@ enum pam_item_type { - SSS_PAM_ITEM_CLI_LOCALE, - SSS_PAM_ITEM_CLI_PID, - SSS_PAM_ITEM_REQUESTED_DOMAINS, -+ SSS_PAM_ITEM_FLAGS, - }; - - #define PAM_CLI_FLAGS_USE_FIRST_PASS (1 << 0) -@@ -374,6 +375,7 @@ enum pam_item_type { - #define PAM_CLI_FLAGS_ALLOW_MISSING_NAME (1 << 6) - #define PAM_CLI_FLAGS_PROMPT_ALWAYS (1 << 7) - #define PAM_CLI_FLAGS_TRY_CERT_AUTH (1 << 8) -+#define PAM_CLI_FLAGS_REQUIRE_CERT_AUTH (1 << 9) - - #define SSS_NSS_MAX_ENTRIES 256 - #define SSS_NSS_HEADER_SIZE (sizeof(uint32_t) * 4) -diff --git a/src/util/sss_pam_data.c b/src/util/sss_pam_data.c -index 5e41349..cb8779c 100644 ---- a/src/util/sss_pam_data.c -+++ b/src/util/sss_pam_data.c -@@ -176,6 +176,7 @@ void pam_print_data(int l, struct pam_data *pd) - DEBUG(l, "priv: %d\n", pd->priv); - DEBUG(l, "cli_pid: %d\n", pd->cli_pid); - DEBUG(l, "logon name: %s\n", PAM_SAFE_ITEM(pd->logon_name)); -+ DEBUG(l, "flags: %d\n", pd->cli_flags); - } - - int pam_add_response(struct pam_data *pd, enum response_type type, -diff --git 
a/src/util/sss_pam_data.h b/src/util/sss_pam_data.h -index 7d74fa6..c989810 100644 ---- a/src/util/sss_pam_data.h -+++ b/src/util/sss_pam_data.h -@@ -58,6 +58,7 @@ struct pam_data { - struct sss_auth_token *newauthtok; - uint32_t cli_pid; - char *logon_name; -+ uint32_t cli_flags; - - int pam_status; - int response_delay; --- -2.9.5 - diff --git a/0049-intg-require-SC-tests.patch b/0049-intg-require-SC-tests.patch deleted file mode 100644 index 222e7f1..0000000 --- a/0049-intg-require-SC-tests.patch +++ /dev/null 
@@ -1,309 +0,0 @@ -From 5cdb6968f407c7bcaba69f4892f51fd6426dddb2 Mon Sep 17 00:00:00 2001 -From: Sumit Bose -Date: Wed, 26 Sep 2018 11:48:37 +0200 -Subject: [PATCH 64/83] intg: require SC tests - -Integration test for the new try_cert_auth and require_cert_auth option -for pam_sss. - -Related to https://pagure.io/SSSD/sssd/issue/3650 - -Reviewed-by: Jakub Hrozek ---- - src/tests/intg/Makefile.am | 16 ++- - src/tests/intg/test_pam_responder.py | 188 +++++++++++++++++++++++++++++++---- - 2 files changed, 182 insertions(+), 22 deletions(-) - -diff --git a/src/tests/intg/Makefile.am b/src/tests/intg/Makefile.am -index bb3a7f0..44fb635 100644 ---- a/src/tests/intg/Makefile.am -+++ b/src/tests/intg/Makefile.am -@@ -113,6 +113,20 @@ pam_sss_service: - echo "password required $(DESTDIR)$(pammoddir)/pam_sss.so" >> $(PAM_SERVICE_DIR)/$@ - echo "session required $(DESTDIR)$(pammoddir)/pam_sss.so" >> $(PAM_SERVICE_DIR)/$@ - -+pam_sss_sc_required: -+ $(MKDIR_P) $(PAM_SERVICE_DIR) -+ echo "auth required $(DESTDIR)$(pammoddir)/pam_sss.so require_cert_auth retry=1" > $(PAM_SERVICE_DIR)/$@ -+ echo "account required $(DESTDIR)$(pammoddir)/pam_sss.so" >> $(PAM_SERVICE_DIR)/$@ -+ echo "password required $(DESTDIR)$(pammoddir)/pam_sss.so" >> $(PAM_SERVICE_DIR)/$@ -+ echo "session required $(DESTDIR)$(pammoddir)/pam_sss.so" >> $(PAM_SERVICE_DIR)/$@ -+ -+pam_sss_try_sc: -+ $(MKDIR_P) $(PAM_SERVICE_DIR) -+ echo "auth required $(DESTDIR)$(pammoddir)/pam_sss.so try_cert_auth" > $(PAM_SERVICE_DIR)/$@ -+ echo "account required $(DESTDIR)$(pammoddir)/pam_sss.so" >> $(PAM_SERVICE_DIR)/$@ -+ echo "password required $(DESTDIR)$(pammoddir)/pam_sss.so" >> $(PAM_SERVICE_DIR)/$@ -+ echo "session required $(DESTDIR)$(pammoddir)/pam_sss.so" >> $(PAM_SERVICE_DIR)/$@ -+ - CLEANFILES=config.py config.pyc passwd group - - clean-local: -@@ -127,7 +141,7 @@ PAM_CERT_DB_PATH="$(abs_builddir)/../test_CA/SSSD_test_CA.pem" - SOFTHSM2_CONF="$(abs_builddir)/../test_CA/softhsm2_one.conf" - endif - 
--intgcheck-installed: config.py passwd group pam_sss_service -+intgcheck-installed: config.py passwd group pam_sss_service pam_sss_sc_required pam_sss_try_sc - pipepath="$(DESTDIR)$(pipepath)"; \ - if test $${#pipepath} -gt 80; then \ - echo "error: Pipe directory path too long," \ -diff --git a/src/tests/intg/test_pam_responder.py b/src/tests/intg/test_pam_responder.py -index c6d048c..06f69a3 100644 ---- a/src/tests/intg/test_pam_responder.py -+++ b/src/tests/intg/test_pam_responder.py -@@ -41,6 +41,11 @@ USER1 = dict(name='user1', passwd='x', uid=10001, gid=20001, - dir='/home/user1', - shell='/bin/bash') - -+USER2 = dict(name='user2', passwd='x', uid=10002, gid=20002, -+ gecos='User with no Smartcard mapping', -+ dir='/home/user2', -+ shell='/bin/bash') -+ - - def format_pam_cert_auth_conf(config): - """Format a basic SSSD configuration""" -@@ -55,8 +60,11 @@ def format_pam_cert_auth_conf(config): - - [pam] - pam_cert_auth = True -- pam_p11_allowed_services = +pam_sss_service -+ pam_p11_allowed_services = +pam_sss_service, +pam_sss_sc_required, \ -+ +pam_sss_try_sc - pam_cert_db_path = {config.PAM_CERT_DB_PATH} -+ p11_child_timeout = 5 -+ p11_wait_for_card_timeout = 5 - debug_level = 10 - - [domain/auth_only] -@@ -149,6 +157,15 @@ def create_nssdb(): - pkcs11_txt.close() - - -+def create_nssdb_no_cert(): -+ os.mkdir(config.SYSCONFDIR + "/pki") -+ os.mkdir(config.SYSCONFDIR + "/pki/nssdb") -+ if subprocess.call(["certutil", "-N", "-d", -+ "sql:" + config.SYSCONFDIR + "/pki/nssdb/", -+ "--empty-password"]) != 0: -+ raise Exception("certutil failed") -+ -+ - def cleanup_nssdb(): - shutil.rmtree(config.SYSCONFDIR + "/pki") - -@@ -158,14 +175,42 @@ def create_nssdb_fixture(request): - request.addfinalizer(cleanup_nssdb) - - -+def create_nssdb_no_cert_fixture(request): -+ create_nssdb_no_cert() -+ request.addfinalizer(cleanup_nssdb) -+ -+ - @pytest.fixture --def simple_pam_cert_auth(request): -+def simple_pam_cert_auth(request, passwd_ops_setup): - """Setup SSSD with 
pam_cert_auth=True""" - config.PAM_CERT_DB_PATH = os.environ['PAM_CERT_DB_PATH'] - conf = format_pam_cert_auth_conf(config) - create_conf_fixture(request, conf) - create_sssd_fixture(request) - create_nssdb_fixture(request) -+ passwd_ops_setup.useradd(**USER1) -+ passwd_ops_setup.useradd(**USER2) -+ return None -+ -+ -+@pytest.fixture -+def simple_pam_cert_auth_no_cert(request, passwd_ops_setup): -+ """Setup SSSD with pam_cert_auth=True""" -+ config.PAM_CERT_DB_PATH = os.environ['PAM_CERT_DB_PATH'] -+ -+ old_softhsm2_conf = os.environ['SOFTHSM2_CONF'] -+ del os.environ['SOFTHSM2_CONF'] -+ -+ conf = format_pam_cert_auth_conf(config) -+ create_conf_fixture(request, conf) -+ create_sssd_fixture(request) -+ create_nssdb_no_cert_fixture(request) -+ -+ os.environ['SOFTHSM2_CONF'] = old_softhsm2_conf -+ -+ passwd_ops_setup.useradd(**USER1) -+ passwd_ops_setup.useradd(**USER2) -+ - return None - - -@@ -176,26 +221,26 @@ def test_preauth_indicator(simple_pam_cert_auth): - - - @pytest.fixture --def pam_wrapper_setup(request): -+def env_for_sssctl(request): - pwrap_runtimedir = os.getenv("PAM_WRAPPER_SERVICE_DIR") - if pwrap_runtimedir is None: - raise ValueError("The PAM_WRAPPER_SERVICE_DIR variable is unset\n") - -+ env_for_sssctl = os.environ.copy() -+ env_for_sssctl['PAM_WRAPPER'] = "1" -+ env_for_sssctl['SSSD_INTG_PEER_UID'] = "0" -+ env_for_sssctl['SSSD_INTG_PEER_GID'] = "0" -+ env_for_sssctl['LD_PRELOAD'] += ':' + os.environ['PAM_WRAPPER_PATH'] - --def test_sc_auth_wrong_pin(simple_pam_cert_auth, pam_wrapper_setup, -- passwd_ops_setup): -+ return env_for_sssctl - -- passwd_ops_setup.useradd(**USER1) -- current_env = os.environ.copy() -- current_env['PAM_WRAPPER'] = "1" -- current_env['SSSD_INTG_PEER_UID'] = "0" -- current_env['SSSD_INTG_PEER_GID'] = "0" -- current_env['LD_PRELOAD'] += ':' + os.environ['PAM_WRAPPER_PATH'] -+ -+def test_sc_auth_wrong_pin(simple_pam_cert_auth, env_for_sssctl): - - sssctl = subprocess.Popen(["sssctl", "user-checks", "user1", - 
"--action=auth", "--service=pam_sss_service"], - universal_newlines=True, -- env=current_env, stdin=subprocess.PIPE, -+ env=env_for_sssctl, stdin=subprocess.PIPE, - stdout=subprocess.PIPE, stderr=subprocess.PIPE) - - try: -@@ -214,19 +259,120 @@ def test_sc_auth_wrong_pin(simple_pam_cert_auth, pam_wrapper_setup, - "Authentication failure") != -1 - - --def test_sc_auth(simple_pam_cert_auth, pam_wrapper_setup, passwd_ops_setup): -- -- passwd_ops_setup.useradd(**USER1) -- current_env = os.environ.copy() -- current_env['PAM_WRAPPER'] = "1" -- current_env['SSSD_INTG_PEER_UID'] = "0" -- current_env['SSSD_INTG_PEER_GID'] = "0" -- current_env['LD_PRELOAD'] += ':' + os.environ['PAM_WRAPPER_PATH'] -+def test_sc_auth(simple_pam_cert_auth, env_for_sssctl): - - sssctl = subprocess.Popen(["sssctl", "user-checks", "user1", - "--action=auth", "--service=pam_sss_service"], - universal_newlines=True, -- env=current_env, stdin=subprocess.PIPE, -+ env=env_for_sssctl, stdin=subprocess.PIPE, -+ stdout=subprocess.PIPE, stderr=subprocess.PIPE) -+ -+ try: -+ out, err = sssctl.communicate(input="123456") -+ except: -+ sssctl.kill() -+ out, err = sssctl.communicate() -+ -+ sssctl.stdin.close() -+ sssctl.stdout.close() -+ -+ if sssctl.wait() != 0: -+ raise Exception("sssctl failed") -+ -+ assert err.find("pam_authenticate for user [user1]: Success") != -1 -+ -+ -+def test_require_sc_auth(simple_pam_cert_auth, env_for_sssctl): -+ -+ sssctl = subprocess.Popen(["sssctl", "user-checks", "user1", -+ "--action=auth", -+ "--service=pam_sss_sc_required"], -+ universal_newlines=True, -+ env=env_for_sssctl, stdin=subprocess.PIPE, -+ stdout=subprocess.PIPE, stderr=subprocess.PIPE) -+ -+ try: -+ out, err = sssctl.communicate(input="123456") -+ except: -+ sssctl.kill() -+ out, err = sssctl.communicate() -+ -+ sssctl.stdin.close() -+ sssctl.stdout.close() -+ -+ if sssctl.wait() != 0: -+ raise Exception("sssctl failed") -+ -+ assert err.find("pam_authenticate for user [user1]: Success") != -1 -+ -+ -+def 
test_require_sc_auth_no_cert(simple_pam_cert_auth_no_cert, env_for_sssctl): -+ -+ # We have to wait about 20s before the command returns because there will -+ # be 2 run since retry=1 in the PAM configuration and both -+ # p11_child_timeout and p11_wait_for_card_timeout are 5s in sssd.conf, -+ # so 2*(5+5)=20. */ -+ start_time = time.time() -+ sssctl = subprocess.Popen(["sssctl", "user-checks", "user1", -+ "--action=auth", -+ "--service=pam_sss_sc_required"], -+ universal_newlines=True, -+ env=env_for_sssctl, stdin=subprocess.PIPE, -+ stdout=subprocess.PIPE, stderr=subprocess.PIPE) -+ -+ try: -+ out, err = sssctl.communicate(input="123456") -+ except: -+ sssctl.kill() -+ out, err = sssctl.communicate() -+ -+ sssctl.stdin.close() -+ sssctl.stdout.close() -+ -+ if sssctl.wait() != 0: -+ raise Exception("sssctl failed") -+ -+ end_time = time.time() -+ assert end_time > start_time and \ -+ (end_time - start_time) >= 20 and \ -+ (end_time - start_time) < 40 -+ assert out.find("Please enter smart card\nPlease enter smart card") != -1 -+ assert err.find("pam_authenticate for user [user1]: Authentication " + -+ "service cannot retrieve authentication info") != -1 -+ -+ -+def test_try_sc_auth_no_map(simple_pam_cert_auth, env_for_sssctl): -+ -+ sssctl = subprocess.Popen(["sssctl", "user-checks", "user2", -+ "--action=auth", -+ "--service=pam_sss_try_sc"], -+ universal_newlines=True, -+ env=env_for_sssctl, stdin=subprocess.PIPE, -+ stdout=subprocess.PIPE, stderr=subprocess.PIPE) -+ -+ try: -+ out, err = sssctl.communicate(input="123456") -+ except: -+ sssctl.kill() -+ out, err = sssctl.communicate() -+ -+ sssctl.stdin.close() -+ sssctl.stdout.close() -+ -+ if sssctl.wait() != 0: -+ raise Exception("sssctl failed") -+ -+ assert err.find("pam_authenticate for user [user2]: Authentication " + -+ "service cannot retrieve authentication info") != -1 -+ -+ -+def test_try_sc_auth(simple_pam_cert_auth, env_for_sssctl): -+ -+ sssctl = subprocess.Popen(["sssctl", "user-checks", 
"user1", -+ "--action=auth", -+ "--service=pam_sss_try_sc"], -+ universal_newlines=True, -+ env=env_for_sssctl, stdin=subprocess.PIPE, - stdout=subprocess.PIPE, stderr=subprocess.PIPE) - - try: --- -2.9.5 - diff --git a/0050-p11_child-show-PKCS-11-URI-in-debug-output.patch b/0050-p11_child-show-PKCS-11-URI-in-debug-output.patch deleted file mode 100644 index 0e6aa7e..0000000 --- a/0050-p11_child-show-PKCS-11-URI-in-debug-output.patch +++ /dev/null 
@@ -1,407 +0,0 @@ -From 46fd681a73ffef062cd027e7018e1a02d7a0a9df Mon Sep 17 00:00:00 2001 -From: Sumit Bose -Date: Mon, 8 Oct 2018 10:45:28 +0200 -Subject: [PATCH 65/83] p11_child: show PKCS#11 URI in debug output - -Related to https://pagure.io/SSSD/sssd/issue/3814 - -Reviewed-by: Jakub Hrozek ---- - src/p11_child/p11_child_nss.c | 240 ++++++++++++++++++++++++++++++++++++++ - src/p11_child/p11_child_openssl.c | 80 +++++++++++++ - 2 files changed, 320 insertions(+) - -diff --git a/src/p11_child/p11_child_nss.c b/src/p11_child/p11_child_nss.c -index b2777d1..fff1f25 100644 ---- a/src/p11_child/p11_child_nss.c -+++ b/src/p11_child/p11_child_nss.c -@@ -39,6 +39,7 @@ - #include - #include - #include -+#include - - #include "util/child_common.h" - #include "providers/backend.h" -@@ -63,6 +64,239 @@ struct p11_ctx { - | certificateUsageStatusResponder \ - | certificateUsageSSLCA ) - -+ -+static char *get_pkcs11_string(TALLOC_CTX *mem_ctx, const char *in, size_t len) -+{ -+ size_t c = len; -+ -+ if (in == NULL || len == 0) { -+ return NULL; -+ } -+ -+ while(c > 0 && in[c - 1] == ' ') { -+ c--; -+ } -+ -+ return talloc_strndup(mem_ctx, in, c); -+} -+ -+static char *pct_encode(TALLOC_CTX *mem_ctx, SECItem *data) -+{ -+ char *pct; -+ size_t c; -+ int ret; -+ -+ pct = talloc_zero_size(mem_ctx, sizeof(char) * (3*data->len + 1)); -+ if (pct == NULL) { -+ DEBUG(SSSDBG_OP_FAILURE, "talloc_zero_size failed.\n"); -+ return NULL; -+ } -+ -+ for (c = 0; c < data->len; c++) { -+ ret = snprintf(pct + 3*c, 4, "%%%02X", data->data[c]); -+ if (ret != 3) { -+ DEBUG(SSSDBG_OP_FAILURE, "snprintf failed.\n"); -+ talloc_free(pct); -+ return NULL; -+ } -+ } -+ -+ return pct; -+} -+ -+static char *get_key_id_pct(TALLOC_CTX *mem_ctx, PK11SlotInfo *slot, -+ CERTCertificate *cert) -+{ -+ SECItem *key_id = NULL; -+ char *key_id_str = NULL; -+ -+ key_id = PK11_GetLowLevelKeyIDForCert(slot, cert, NULL); -+ if (key_id == NULL) { -+ DEBUG(SSSDBG_OP_FAILURE, -+ "PK11_GetLowLevelKeyIDForCert failed 
[%d][%s].\n", -+ PR_GetError(), PORT_ErrorToString(PR_GetError())); -+ return NULL; -+ } -+ -+ key_id_str = pct_encode(mem_ctx, key_id); -+ SECITEM_FreeItem(key_id, PR_TRUE); -+ if (key_id_str == NULL) { -+ DEBUG(SSSDBG_OP_FAILURE, "pct_encode failed.\n"); -+ return NULL; -+ } -+ -+ return key_id_str; -+} -+ -+static char *get_pkcs11_uri(TALLOC_CTX *mem_ctx, SECMODModule *mod, -+ PK11SlotInfo *slot, -+ const char *label, CERTCertificate *cert) -+{ -+ CK_INFO module_info; -+ CK_SLOT_INFO slot_info; -+ CK_TOKEN_INFO token_info; -+ char *values[13]; -+ PK11URIAttribute attrs[13]; -+ size_t nattrs = 0; -+ SECStatus rv; -+ char *tmp_str; -+ char *uri_str; -+ PK11URI *uri; -+ CK_SLOT_ID slot_id; -+ char *id_pct; -+ -+ rv = PK11_GetModInfo(mod, &module_info); -+ if (rv != SECSuccess) { -+ DEBUG(SSSDBG_OP_FAILURE, "PK11_GetModInfo failed.\n"); -+ return NULL; -+ } -+ -+ rv = PK11_GetSlotInfo(slot, &slot_info); -+ if (rv != SECSuccess) { -+ DEBUG(SSSDBG_OP_FAILURE, "PK11_GetSlotInfo failed.\n"); -+ return NULL; -+ } -+ -+ rv = PK11_GetTokenInfo(slot, &token_info); -+ if (rv != SECSuccess) { -+ DEBUG(SSSDBG_OP_FAILURE, "PK11_GetTokenInfo failed.\n"); -+ return NULL; -+ } -+ values[nattrs] = get_pkcs11_string(mem_ctx, -+ (char *)module_info.libraryDescription, -+ sizeof(module_info.libraryDescription)); -+ if (values[nattrs] != NULL && *values[nattrs] != '\0') { -+ attrs[nattrs].name = PK11URI_PATTR_LIBRARY_DESCRIPTION; -+ attrs[nattrs].value = values[nattrs]; -+ nattrs++; -+ } -+ -+ values[nattrs] = get_pkcs11_string(mem_ctx, -+ (char *)module_info.manufacturerID, -+ sizeof(module_info.manufacturerID)); -+ if (values[nattrs] != NULL && *values[nattrs] != '\0') { -+ attrs[nattrs].name = PK11URI_PATTR_LIBRARY_MANUFACTURER; -+ attrs[nattrs].value = values[nattrs]; -+ nattrs++; -+ } -+ -+ values[nattrs] = talloc_asprintf(mem_ctx, "%d.%d", -+ module_info.libraryVersion.major, -+ module_info.libraryVersion.minor); -+ if (values[nattrs] != NULL && *values[nattrs] != '\0') { -+ 
attrs[nattrs].name = PK11URI_PATTR_LIBRARY_VERSION; -+ attrs[nattrs].value = values[nattrs]; -+ nattrs++; -+ } -+ -+ values[nattrs] = get_pkcs11_string(mem_ctx, -+ (char *)slot_info.slotDescription, -+ sizeof(slot_info.slotDescription)); -+ if (values[nattrs] != NULL && *values[nattrs] != '\0') { -+ attrs[nattrs].name = PK11URI_PATTR_SLOT_DESCRIPTION; -+ attrs[nattrs].value = values[nattrs]; -+ nattrs++; -+ } -+ -+ values[nattrs] = get_pkcs11_string(mem_ctx, -+ (char *)slot_info.manufacturerID, -+ sizeof(slot_info.manufacturerID)); -+ if (values[nattrs] != NULL && *values[nattrs] != '\0') { -+ attrs[nattrs].name = PK11URI_PATTR_SLOT_MANUFACTURER; -+ attrs[nattrs].value = values[nattrs]; -+ nattrs++; -+ } -+ -+ slot_id = PK11_GetSlotID(slot); -+ values[nattrs] = talloc_asprintf(mem_ctx, "%d", (int) slot_id); -+ if (values[nattrs] != NULL && *values[nattrs] != '\0') { -+ attrs[nattrs].name = PK11URI_PATTR_SLOT_ID; -+ attrs[nattrs].value = values[nattrs]; -+ nattrs++; -+ } -+ -+ values[nattrs] = get_pkcs11_string(mem_ctx, (char *)token_info.model, -+ sizeof(token_info.model)); -+ if (values[nattrs] != NULL && *values[nattrs] != '\0') { -+ attrs[nattrs].name = PK11URI_PATTR_MODEL; -+ attrs[nattrs].value = values[nattrs]; -+ nattrs++; -+ } -+ -+ values[nattrs] = get_pkcs11_string(mem_ctx, -+ (char *)token_info.manufacturerID, -+ sizeof(token_info.manufacturerID)); -+ if (values[nattrs] != NULL && *values[nattrs] != '\0') { -+ attrs[nattrs].name = PK11URI_PATTR_MANUFACTURER; -+ attrs[nattrs].value = values[nattrs]; -+ nattrs++; -+ } -+ -+ values[nattrs] = get_pkcs11_string(mem_ctx, -+ (char *)token_info.serialNumber, -+ sizeof(token_info.serialNumber)); -+ if (values[nattrs] != NULL && *values[nattrs] != '\0') { -+ attrs[nattrs].name = PK11URI_PATTR_SERIAL; -+ attrs[nattrs].value = values[nattrs]; -+ nattrs++; -+ } -+ -+ values[nattrs] = get_pkcs11_string(mem_ctx, (char *)token_info.label, -+ sizeof(token_info.label)); -+ if (values[nattrs] != NULL && *values[nattrs] != 
'\0') { -+ attrs[nattrs].name = PK11URI_PATTR_TOKEN; -+ attrs[nattrs].value = values[nattrs]; -+ nattrs++; -+ } -+ -+ if (label != NULL && *label != '\0') { -+ attrs[nattrs].name = PK11URI_PATTR_OBJECT; -+ attrs[nattrs].value = label; -+ nattrs++; -+ } -+ -+ attrs[nattrs].name = PK11URI_PATTR_TYPE; -+ attrs[nattrs].value = "cert"; -+ nattrs++; -+ -+ uri = PK11URI_CreateURI(attrs, nattrs, NULL, 0); -+ if (uri == NULL) { -+ DEBUG(SSSDBG_OP_FAILURE, "PK11URI_CreateURI failed.\n"); -+ return NULL; -+ } -+ -+ tmp_str = PK11URI_FormatURI(NULL, uri); -+ PK11URI_DestroyURI(uri); -+ if (tmp_str == NULL) { -+ DEBUG(SSSDBG_OP_FAILURE, "PK11URI_FormatURI failed.\n"); -+ return NULL; -+ } -+ -+ /* Currently I have no idea how to get the ID properly formatted with the -+ * NSS PK11 calls. Since all attribute values are treated as strings zeros -+ * in the IDs cannot be handled. And the IDs cannot be set percent-encoded -+ * since all attribute values will be escaped which means the '%' sign -+ * will be escaped to '%25'. Hence for the time being the ID is added -+ * manually to the end of the URI. 
*/ -+ id_pct = get_key_id_pct(mem_ctx, slot, cert); -+ if (id_pct == NULL || *id_pct == '\0') { -+ DEBUG(SSSDBG_OP_FAILURE, "get_key_id_pct failed.\n"); -+ PORT_Free(tmp_str); -+ return NULL; -+ } -+ -+ uri_str = talloc_asprintf(mem_ctx, "%s;%s=%s", tmp_str, -+ PK11URI_PATTR_ID, id_pct); -+ talloc_free(id_pct); -+ if (uri_str == NULL) { -+ DEBUG(SSSDBG_OP_FAILURE, "talloc_asprintf failed.\n"); -+ return NULL; -+ } -+ -+ return uri_str; -+ -+} -+ - static char *password_passthrough(PK11SlotInfo *slot, PRBool retry, void *arg) - { - /* give up if 1) no password was supplied, or 2) the password has already -@@ -465,6 +699,9 @@ errno_t do_card(TALLOC_CTX *mem_ctx, struct p11_ctx *p11_ctx, - cert_list_node->cert->nickname, - cert_list_node->cert->subjectName); - -+ DEBUG(SSSDBG_TRACE_ALL, "module uri: %s.\n", PK11_GetModuleURI(module)); -+ DEBUG(SSSDBG_TRACE_ALL, "token uri: %s.\n", PK11_GetTokenURI(slot)); -+ - if (p11_ctx->handle != NULL) { - if (!do_verification(p11_ctx, cert_list_node->cert)) { - DEBUG(SSSDBG_OP_FAILURE, -@@ -651,6 +888,9 @@ errno_t do_card(TALLOC_CTX *mem_ctx, struct p11_ctx *p11_ctx, - - DEBUG(SSSDBG_TRACE_ALL, "Found certificate has key id [%s].\n", - key_id_str); -+ DEBUG(SSSDBG_TRACE_ALL, "uri: %s.\n", get_pkcs11_uri(mem_ctx, module, -+ slot, label, -+ found_cert)); - - multi = talloc_asprintf_append(multi, "%s\n%s\n%s\n%s\n%s\n", - token_name, module_name, key_id_str, -diff --git a/src/p11_child/p11_child_openssl.c b/src/p11_child/p11_child_openssl.c -index d4572d9..09edeef 100644 ---- a/src/p11_child/p11_child_openssl.c -+++ b/src/p11_child/p11_child_openssl.c -@@ -29,6 +29,7 @@ - #include - #include - #include -+#include - - #include - -@@ -43,6 +44,72 @@ struct p11_ctx { - bool wait_for_card; - }; - -+ -+static char *get_pkcs11_uri(TALLOC_CTX *mem_ctx, CK_INFO *module_info, -+ CK_SLOT_INFO *slot_info, CK_SLOT_ID slot_id, -+ CK_TOKEN_INFO *token_info, CK_ATTRIBUTE *label, -+ CK_ATTRIBUTE *id) -+{ -+ P11KitUri *uri; -+ char *uri_str = NULL; 
-+ char *tmp_str = NULL; -+ int ret; -+ CK_OBJECT_CLASS cert_class = CKO_CERTIFICATE; -+ CK_ATTRIBUTE class_attr = {CKA_CLASS, &cert_class, sizeof(CK_OBJECT_CLASS)}; -+ -+ uri = p11_kit_uri_new(); -+ if (uri == NULL) { -+ DEBUG(SSSDBG_OP_FAILURE, "p11_kit_uri_new failed.\n"); -+ return NULL; -+ } -+ -+ ret = p11_kit_uri_set_attribute(uri, label); -+ if (ret != P11_KIT_URI_OK) { -+ DEBUG(SSSDBG_OP_FAILURE, "p11_kit_uri_set_attribute failed.\n"); -+ goto done; -+ } -+ -+ ret = p11_kit_uri_set_attribute(uri, id); -+ if (ret != P11_KIT_URI_OK) { -+ DEBUG(SSSDBG_OP_FAILURE, "p11_kit_uri_set_attribute failed.\n"); -+ goto done; -+ } -+ -+ ret = p11_kit_uri_set_attribute(uri, &class_attr); -+ if (ret != P11_KIT_URI_OK) { -+ DEBUG(SSSDBG_OP_FAILURE, "p11_kit_uri_set_attribute failed.\n"); -+ goto done; -+ } -+ -+ -+ memcpy(p11_kit_uri_get_token_info(uri), token_info, sizeof(CK_TOKEN_INFO)); -+ -+ memcpy(p11_kit_uri_get_slot_info(uri), slot_info, sizeof(CK_SLOT_INFO)); -+ ret = p11_kit_uri_set_slot_id(uri, slot_id); -+ -+ memcpy(p11_kit_uri_get_module_info(uri), module_info, sizeof(CK_INFO)); -+ -+ ret = p11_kit_uri_format(uri, P11_KIT_URI_FOR_ANY, &tmp_str); -+ if (ret != P11_KIT_URI_OK) { -+ DEBUG(SSSDBG_OP_FAILURE, "p11_kit_uri_format failed [%s].\n", -+ p11_kit_uri_message(ret)); -+ goto done; -+ } -+ -+ if (tmp_str != NULL) { -+ uri_str = talloc_strdup(mem_ctx, tmp_str); -+ free(tmp_str); -+ if (uri_str == NULL) { -+ DEBUG(SSSDBG_OP_FAILURE, "talloc_strdup failed.\n"); -+ } -+ } -+ -+done: -+ p11_kit_uri_free(uri); -+ -+ return uri_str; -+} -+ - static int talloc_cleanup_openssl(struct p11_ctx *p11_ctx) - { - CRYPTO_cleanup_all_ex_data(); -@@ -234,6 +301,7 @@ struct cert_list { - X509 *cert; - char *subject_dn; - char *cert_b64; -+ char *uri; - CK_KEY_TYPE key_type; - CK_OBJECT_HANDLE private_key; - }; -@@ -608,6 +676,7 @@ errno_t do_card(TALLOC_CTX *mem_ctx, struct p11_ctx *p11_ctx, - CK_SLOT_ID slot_id; - CK_SLOT_INFO info; - CK_TOKEN_INFO token_info; -+ CK_INFO 
module_info; - CK_RV rv; - size_t module_id; - char *module_file_name = NULL; -@@ -821,6 +890,17 @@ errno_t do_card(TALLOC_CTX *mem_ctx, struct p11_ctx *p11_ctx, - } - } - -+ memset(&module_info, 0, sizeof(CK_INFO)); -+ module->C_GetInfo(&module_info); -+ -+ DLIST_FOR_EACH(item, cert_list) { -+ item->uri = get_pkcs11_uri(mem_ctx, &module_info, &info, slot_id, -+ &token_info, -+ &item->attributes[1] /* label */, -+ &item->attributes[0] /* id */); -+ DEBUG(SSSDBG_TRACE_ALL, "uri: %s.\n", item->uri); -+ } -+ - /* TODO: check module_name_in, token_name_in, key_id_in */ - - if (cert_list == NULL) { --- -2.9.5 - diff --git a/0051-p11_child-add-PKCS-11-uri-to-restrict-selection.patch b/0051-p11_child-add-PKCS-11-uri-to-restrict-selection.patch deleted file mode 100644 index f5fe1ab..0000000 --- a/0051-p11_child-add-PKCS-11-uri-to-restrict-selection.patch +++ /dev/null 
@@ -1,238 +0,0 @@ -From f7b2152a4c3c816a5bc4226a0e01791313accef3 Mon Sep 17 00:00:00 2001 -From: Sumit Bose -Date: Mon, 8 Oct 2018 12:47:25 +0200 -Subject: [PATCH 66/83] p11_child: add PKCS#11 uri to restrict selection - -Related to https://pagure.io/SSSD/sssd/issue/3814 - -Reviewed-by: Jakub Hrozek ---- - src/p11_child/p11_child.h | 2 +- - src/p11_child/p11_child_common.c | 9 +++-- - src/p11_child/p11_child_nss.c | 2 +- - src/p11_child/p11_child_openssl.c | 81 +++++++++++++++++++++++++++++++++++++-- - 4 files changed, 86 insertions(+), 8 deletions(-) - -diff --git a/src/p11_child/p11_child.h b/src/p11_child/p11_child.h -index dd8fdea..92ecf74 100644 ---- a/src/p11_child/p11_child.h -+++ b/src/p11_child/p11_child.h -@@ -54,5 +54,5 @@ bool do_verification_b64(struct p11_ctx *p11_ctx, const char *cert_b64); - errno_t do_card(TALLOC_CTX *mem_ctx, struct p11_ctx *p11_ctx, - enum op_mode mode, const char *pin, - const char *module_name_in, const char *token_name_in, -- const char *key_id_in, char **_multi); -+ const char *key_id_in, const char *uri, char **_multi); - #endif /* __P11_CHILD_H__ */ -diff --git a/src/p11_child/p11_child_common.c b/src/p11_child/p11_child_common.c -index bc5f6b0..097e7fa 100644 ---- a/src/p11_child/p11_child_common.c -+++ b/src/p11_child/p11_child_common.c -@@ -60,7 +60,7 @@ static int do_work(TALLOC_CTX *mem_ctx, enum op_mode mode, const char *ca_db, - bool wait_for_card, - const char *cert_b64, const char *pin, - const char *module_name, const char *token_name, -- const char *key_id, char **multi) -+ const char *key_id, const char *uri, char **multi) - { - int ret; - struct p11_ctx *p11_ctx; -@@ -90,7 +90,7 @@ static int do_work(TALLOC_CTX *mem_ctx, enum op_mode mode, const char *ca_db, - } - } else { - ret = do_card(mem_ctx, p11_ctx, mode, pin, -- module_name, token_name, key_id, multi); -+ module_name, token_name, key_id, uri, multi); - } - - done: -@@ -159,6 +159,7 @@ int main(int argc, const char *argv[]) - char *key_id = NULL; - char 
*cert_b64 = NULL; - bool wait_for_card = false; -+ char *uri = NULL; - - struct poptOption long_options[] = { - POPT_AUTOHELP -@@ -194,6 +195,8 @@ int main(int argc, const char *argv[]) - _("Key ID for authentication"), NULL}, - {"certificate", 0, POPT_ARG_STRING, &cert_b64, 0, - _("certificate to verify, base64 encoded"), NULL}, -+ {"uri", 0, POPT_ARG_STRING, &uri, 0, -+ _("PKCS#11 URI to restrict selection"), NULL}, - POPT_TABLEEND - }; - -@@ -367,7 +370,7 @@ int main(int argc, const char *argv[]) - } - - ret = do_work(main_ctx, mode, nss_db, cert_verify_opts, wait_for_card, -- cert_b64, pin, module_name, token_name, key_id, &multi); -+ cert_b64, pin, module_name, token_name, key_id, uri, &multi); - if (ret != 0) { - DEBUG(SSSDBG_OP_FAILURE, "do_work failed.\n"); - goto fail; -diff --git a/src/p11_child/p11_child_nss.c b/src/p11_child/p11_child_nss.c -index fff1f25..f9cbf3f 100644 ---- a/src/p11_child/p11_child_nss.c -+++ b/src/p11_child/p11_child_nss.c -@@ -480,7 +480,7 @@ bool do_verification_b64(struct p11_ctx *p11_ctx, const char *cert_b64) - errno_t do_card(TALLOC_CTX *mem_ctx, struct p11_ctx *p11_ctx, - enum op_mode mode, const char *pin, - const char *module_name_in, const char *token_name_in, -- const char *key_id_in, char **_multi) -+ const char *key_id_in, const char *uri, char **_multi) - { - int ret; - SECStatus rv; -diff --git a/src/p11_child/p11_child_openssl.c b/src/p11_child/p11_child_openssl.c -index 09edeef..000e1c9 100644 ---- a/src/p11_child/p11_child_openssl.c -+++ b/src/p11_child/p11_child_openssl.c -@@ -85,7 +85,7 @@ static char *get_pkcs11_uri(TALLOC_CTX *mem_ctx, CK_INFO *module_info, - memcpy(p11_kit_uri_get_token_info(uri), token_info, sizeof(CK_TOKEN_INFO)); - - memcpy(p11_kit_uri_get_slot_info(uri), slot_info, sizeof(CK_SLOT_INFO)); -- ret = p11_kit_uri_set_slot_id(uri, slot_id); -+ p11_kit_uri_set_slot_id(uri, slot_id); - - memcpy(p11_kit_uri_get_module_info(uri), module_info, sizeof(CK_INFO)); - -@@ -662,7 +662,7 @@ static errno_t 
wait_for_card(CK_FUNCTION_LIST *module, CK_SLOT_ID *slot_id) - errno_t do_card(TALLOC_CTX *mem_ctx, struct p11_ctx *p11_ctx, - enum op_mode mode, const char *pin, - const char *module_name_in, const char *token_name_in, -- const char *key_id_in, char **_multi) -+ const char *key_id_in, const char *uri_str, char **_multi) - { - int ret; - size_t c; -@@ -674,6 +674,7 @@ errno_t do_card(TALLOC_CTX *mem_ctx, struct p11_ctx *p11_ctx, - CK_ULONG num_slots; - CK_SLOT_ID slots[MAX_SLOTS]; - CK_SLOT_ID slot_id; -+ CK_SLOT_ID uri_slot_id; - CK_SLOT_INFO info; - CK_TOKEN_INFO token_info; - CK_INFO module_info; -@@ -690,6 +691,19 @@ errno_t do_card(TALLOC_CTX *mem_ctx, struct p11_ctx *p11_ctx, - char *multi = NULL; - bool pkcs11_session = false; - bool pkcs11_login = false; -+ P11KitUri *uri = NULL; -+ -+ if (uri_str != NULL) { -+ uri = p11_kit_uri_new(); -+ ret = p11_kit_uri_parse(uri_str, P11_KIT_URI_FOR_ANY, uri); -+ if (ret != P11_KIT_URI_OK) { -+ DEBUG(SSSDBG_OP_FAILURE, "p11_kit_uri_parse failed [%d][%s].\n", -+ ret, p11_kit_uri_message(ret)); -+ ret = EINVAL; -+ goto done; -+ } -+ } -+ - - /* Maybe use P11_KIT_MODULE_TRUSTED ? 
*/ - modules = p11_kit_modules_load_and_initialize(0); -@@ -709,6 +723,23 @@ errno_t do_card(TALLOC_CTX *mem_ctx, struct p11_ctx *p11_ctx, - free(mod_name); - free(mod_file_name); - -+ if (uri != NULL) { -+ memset(&module_info, 0, sizeof(CK_INFO)); -+ rv = modules[c]->C_GetInfo(&module_info); -+ if (rv != CKR_OK) { -+ DEBUG(SSSDBG_OP_FAILURE, "C_GetInfo failed.\n"); -+ ret = EIO; -+ goto done; -+ } -+ -+ /* Skip modules which do not match the PKCS#11 URI */ -+ if (p11_kit_uri_match_module_info(uri, &module_info) != 1) { -+ DEBUG(SSSDBG_TRACE_ALL, -+ "Not matching URI [%s], skipping.\n", uri_str); -+ continue; -+ } -+ } -+ - num_slots = MAX_SLOTS; - rv = modules[c]->C_GetSlotList(CK_FALSE, slots, &num_slots); - if (rv != CKR_OK) { -@@ -730,6 +761,37 @@ errno_t do_card(TALLOC_CTX *mem_ctx, struct p11_ctx *p11_ctx, - info.slotDescription, info.manufacturerID, info.flags, - (info.flags & CKF_REMOVABLE_DEVICE) ? "true": "false", - (info.flags & CKF_TOKEN_PRESENT) ? "true": "false"); -+ -+ /* Skip slots which do not match the PKCS#11 URI */ -+ if (uri != NULL) { -+ uri_slot_id = p11_kit_uri_get_slot_id(uri); -+ if ((uri_slot_id != (CK_SLOT_ID)-1 -+ && uri_slot_id != slots[s]) -+ || p11_kit_uri_match_slot_info(uri, &info) != 1) { -+ DEBUG(SSSDBG_TRACE_ALL, -+ "Not matching URI [%s], skipping.\n", uri_str); -+ continue; -+ } -+ } -+ -+ if ((info.flags & CKF_TOKEN_PRESENT) && uri != NULL) { -+ rv = modules[c]->C_GetTokenInfo(slots[s], &token_info); -+ if (rv != CKR_OK) { -+ DEBUG(SSSDBG_OP_FAILURE, "C_GetTokenInfo failed.\n"); -+ ret = EIO; -+ goto done; -+ } -+ DEBUG(SSSDBG_TRACE_ALL, "Token label [%s].\n", -+ token_info.label); -+ -+ if (p11_kit_uri_match_token_info(uri, &token_info) != 1) { -+ DEBUG(SSSDBG_CONF_SETTINGS, -+ "No matching uri [%s], skipping.\n", uri_str); -+ continue; -+ } -+ -+ } -+ - if ((info.flags & CKF_REMOVABLE_DEVICE)) { - break; - } -@@ -788,6 +850,13 @@ errno_t do_card(TALLOC_CTX *mem_ctx, struct p11_ctx *p11_ctx, - goto done; - } - -+ if (uri != 
NULL && p11_kit_uri_match_token_info(uri, &token_info) != 1) { -+ DEBUG(SSSDBG_CONF_SETTINGS, "No token matching uri [%s] found.", -+ uri_str); -+ ret = ENOENT; -+ goto done; -+ } -+ - module_id = c; - slot_name = p11_kit_space_strdup(info.slotDescription, - sizeof(info.slotDescription)); -@@ -891,7 +960,12 @@ errno_t do_card(TALLOC_CTX *mem_ctx, struct p11_ctx *p11_ctx, - } - - memset(&module_info, 0, sizeof(CK_INFO)); -- module->C_GetInfo(&module_info); -+ rv = module->C_GetInfo(&module_info); -+ if (rv != CKR_OK) { -+ DEBUG(SSSDBG_OP_FAILURE, "C_GetInfo failed.\n"); -+ ret = EIO; -+ goto done; -+ } - - DLIST_FOR_EACH(item, cert_list) { - item->uri = get_pkcs11_uri(mem_ctx, &module_info, &info, slot_id, -@@ -970,6 +1044,7 @@ done: - free(token_name); - free(module_file_name); - p11_kit_modules_finalize_and_release(modules); -+ p11_kit_uri_free(uri); - - return ret; - } --- -2.9.5 - diff --git a/0052-PAM-add-p11_uri-option.patch b/0052-PAM-add-p11_uri-option.patch deleted file mode 100644 index 4e9a49c..0000000 --- a/0052-PAM-add-p11_uri-option.patch +++ /dev/null 
@@ -1,193 +0,0 @@ -From 725b65081d19da658b16338686c53dcf16d49de0 Mon Sep 17 00:00:00 2001 -From: Sumit Bose -Date: Tue, 9 Oct 2018 10:47:04 +0200 -Subject: [PATCH 67/83] PAM: add p11_uri option - -Related to https://pagure.io/SSSD/sssd/issue/3814 - -Reviewed-by: Jakub Hrozek ---- - src/confdb/confdb.h | 1 + - src/config/SSSDConfig/__init__.py.in | 1 + - src/config/cfg_rules.ini | 1 + - src/config/etc/sssd.api.conf | 1 + - src/man/sssd.conf.5.xml | 33 +++++++++++++++++++++++++++++++++ - src/responder/pam/pamsrv.h | 1 + - src/responder/pam/pamsrv_cmd.c | 12 +++++++++++- - src/responder/pam/pamsrv_p11.c | 9 ++++++++- - 8 files changed, 57 insertions(+), 2 deletions(-) - -diff --git a/src/confdb/confdb.h b/src/confdb/confdb.h -index 87904c2..741d4bc 100644 ---- a/src/confdb/confdb.h -+++ b/src/confdb/confdb.h -@@ -133,6 +133,7 @@ - #define CONFDB_PAM_WAIT_FOR_CARD_TIMEOUT "p11_wait_for_card_timeout" - #define CONFDB_PAM_APP_SERVICES "pam_app_services" - #define CONFDB_PAM_P11_ALLOWED_SERVICES "pam_p11_allowed_services" -+#define CONFDB_PAM_P11_URI "p11_uri" - - /* SUDO */ - #define CONFDB_SUDO_CONF_ENTRY "config/sudo" -diff --git a/src/config/SSSDConfig/__init__.py.in b/src/config/SSSDConfig/__init__.py.in -index 4d1dba2..a20157c 100644 ---- a/src/config/SSSDConfig/__init__.py.in -+++ b/src/config/SSSDConfig/__init__.py.in -@@ -105,6 +105,7 @@ option_strings = { - 'pam_app_services' : _('Which PAM services are permitted to contact application domains'), - 'pam_p11_allowed_services' : _('Allowed services for using smartcards'), - 'p11_wait_for_card_timeout' : _('Additional timeout to wait for a card if requested'), -+ 'p11_uri' : _('PKCS#11 URI to restrict the selection of devices for Smartcard authentication'), - - # [sudo] - 'sudo_timed' : _('Whether to evaluate the time-based attributes in sudo rules'), -diff --git a/src/config/cfg_rules.ini b/src/config/cfg_rules.ini -index 50a8f1d..09a52df 100644 ---- a/src/config/cfg_rules.ini -+++ b/src/config/cfg_rules.ini -@@ 
-128,6 +128,7 @@ option = p11_child_timeout - option = pam_app_services - option = pam_p11_allowed_services - option = p11_wait_for_card_timeout -+option = p11_uri - - [rule/allowed_sudo_options] - validator = ini_allowed_options -diff --git a/src/config/etc/sssd.api.conf b/src/config/etc/sssd.api.conf -index bb686c3..c6d6690 100644 ---- a/src/config/etc/sssd.api.conf -+++ b/src/config/etc/sssd.api.conf -@@ -77,6 +77,7 @@ p11_child_timeout = int, None, false - pam_app_services = str, None, false - pam_p11_allowed_services = str, None, false - p11_wait_for_card_timeout = int, None, false -+p11_uri = str, None, false - - [sudo] - # sudo service -diff --git a/src/man/sssd.conf.5.xml b/src/man/sssd.conf.5.xml -index 4df0163..c8d53f0 100644 ---- a/src/man/sssd.conf.5.xml -+++ b/src/man/sssd.conf.5.xml -@@ -1478,6 +1478,39 @@ pam_p11_allowed_services = +my_pam_service, -login - - - -+ -+ p11_uri (string) -+ -+ -+ PKCS#11 URI (see RFC-7512 for details) which can be -+ used to restrict the selection of devices used for -+ Smartcard authentication. By default SSSD's -+ p11_child will search for a PKCS#11 slot (reader) -+ where the 'removable' flags is set and read the -+ certificates from the inserted token from the first -+ slot found. If multiple readers are connected -+ p11_uri can be use to tell p11_child to use a -+ specific reader. -+ -+ -+ Example: -+ -+p11_uri = slot-description=My%20Smartcar%20Reader -+ -+ or -+ -+p11_uri = library-description=OpenSC%20smartcard%20framework;slot-id=2 -+ -+ To find suitable URI please check the debug output -+ of p11_child. As an alternative the GnuTLS utility -+ 'p11tool' with e.g. the '--list-all' will show -+ PKCS#11 URIs as well. 
-+ -+ -+ Default: none -+ -+ -+ - - - -diff --git a/src/responder/pam/pamsrv.h b/src/responder/pam/pamsrv.h -index 5d87756..60aa979 100644 ---- a/src/responder/pam/pamsrv.h -+++ b/src/responder/pam/pamsrv.h -@@ -103,6 +103,7 @@ struct tevent_req *pam_check_cert_send(TALLOC_CTX *mem_ctx, - time_t timeout, - const char *verify_opts, - struct sss_certmap_ctx *sss_certmap_ctx, -+ const char *uri, - struct pam_data *pd); - errno_t pam_check_cert_recv(struct tevent_req *req, TALLOC_CTX *mem_ctx, - struct cert_auth_info **cert_list); -diff --git a/src/responder/pam/pamsrv_cmd.c b/src/responder/pam/pamsrv_cmd.c -index 6e37f83..a22afd2 100644 ---- a/src/responder/pam/pamsrv_cmd.c -+++ b/src/responder/pam/pamsrv_cmd.c -@@ -1306,6 +1306,7 @@ static errno_t check_cert(TALLOC_CTX *mctx, - char *cert_verification_opts; - errno_t ret; - struct tevent_req *req; -+ char *uri = NULL; - - ret = confdb_get_int(pctx->rctx->cdb, CONFDB_PAM_CONF_ENTRY, - CONFDB_PAM_P11_CHILD_TIMEOUT, -@@ -1342,10 +1343,19 @@ static errno_t check_cert(TALLOC_CTX *mctx, - return ret; - } - -+ ret = confdb_get_string(pctx->rctx->cdb, mctx, CONFDB_PAM_CONF_ENTRY, -+ CONFDB_PAM_P11_URI, NULL, &uri); -+ if (ret != EOK) { -+ DEBUG(SSSDBG_CRIT_FAILURE, -+ "Failed to read certificate_verification from confdb: [%d]: %s\n", -+ ret, sss_strerror(ret)); -+ return ret; -+ } -+ - req = pam_check_cert_send(mctx, ev, pctx->p11_child_debug_fd, - pctx->nss_db, p11_child_timeout, - cert_verification_opts, pctx->sss_certmap_ctx, -- pd); -+ uri, pd); - if (req == NULL) { - DEBUG(SSSDBG_OP_FAILURE, "pam_check_cert_send failed.\n"); - return ENOMEM; -diff --git a/src/responder/pam/pamsrv_p11.c b/src/responder/pam/pamsrv_p11.c -index 8b8859d..491bd2b 100644 ---- a/src/responder/pam/pamsrv_p11.c -+++ b/src/responder/pam/pamsrv_p11.c -@@ -711,6 +711,7 @@ struct tevent_req *pam_check_cert_send(TALLOC_CTX *mem_ctx, - time_t timeout, - const char *verify_opts, - struct sss_certmap_ctx *sss_certmap_ctx, -+ const char *uri, - struct 
pam_data *pd) - { - errno_t ret; -@@ -721,7 +722,7 @@ struct tevent_req *pam_check_cert_send(TALLOC_CTX *mem_ctx, - struct timeval tv; - int pipefd_to_child[2] = PIPE_INIT; - int pipefd_from_child[2] = PIPE_INIT; -- const char *extra_args[14] = { NULL }; -+ const char *extra_args[16] = { NULL }; - uint8_t *write_buf = NULL; - size_t write_buf_len = 0; - size_t arg_c; -@@ -748,6 +749,12 @@ struct tevent_req *pam_check_cert_send(TALLOC_CTX *mem_ctx, - - /* extra_args are added in revers order */ - arg_c = 0; -+ if (uri != NULL) { -+ DEBUG(SSSDBG_TRACE_ALL, "Adding PKCS#11 URI [%s].\n", uri); -+ extra_args[arg_c++] = uri; -+ extra_args[arg_c++] = "--uri"; -+ } -+ - if ((pd->cli_flags & PAM_CLI_FLAGS_REQUIRE_CERT_AUTH) && pd->priv == 1) { - extra_args[arg_c++] = "--wait_for_card"; - } --- -2.9.5 - diff --git a/0053-tests-add-PKCS-11-URI-tests.patch b/0053-tests-add-PKCS-11-URI-tests.patch deleted file mode 100644 index 0a888a7..0000000 --- a/0053-tests-add-PKCS-11-URI-tests.patch +++ /dev/null 
@@ -1,209 +0,0 @@ -From 4a22fb6bba6662ad628f6e17203e8ccf20eb9666 Mon Sep 17 00:00:00 2001 -From: Sumit Bose -Date: Tue, 9 Oct 2018 10:46:43 +0200 -Subject: [PATCH 68/83] tests: add PKCS#11 URI tests - -Related to https://pagure.io/SSSD/sssd/issue/3814 - -Reviewed-by: Jakub Hrozek ---- - src/tests/cmocka/test_pam_srv.c | 120 ++++++++++++++++++++++++++++++++++++++++ - src/tests/test_CA/Makefile.am | 16 +++++- - 2 files changed, 135 insertions(+), 1 deletion(-) - -diff --git a/src/tests/cmocka/test_pam_srv.c b/src/tests/cmocka/test_pam_srv.c -index 2b02ac2..7fc9224 100644 ---- a/src/tests/cmocka/test_pam_srv.c -+++ b/src/tests/cmocka/test_pam_srv.c -@@ -65,6 +65,7 @@ - #endif - - #define TEST_TOKEN_NAME "SSSD Test Token" -+#define TEST_TOKEN2_NAME "SSSD Test Token Number 2" - #define TEST_KEY_ID "C554C9F82C2A9D58B70921C143304153A8A42F17" - #ifdef HAVE_NSS - #define TEST_MODULE_NAME "NSS-Internal" -@@ -961,6 +962,54 @@ static int test_pam_cert_check_ex(uint32_t status, uint8_t *body, size_t blen, - return EOK; - } - -+static int test_pam_cert2_token2_check_ex(uint32_t status, uint8_t *body, -+ size_t blen, enum response_type type, -+ const char *name) -+{ -+ size_t rp = 0; -+ uint32_t val; -+ size_t check2_len = 0; -+ char const *check2_strings[] = { NULL, -+ TEST_TOKEN2_NAME, -+ TEST_MODULE_NAME, -+ TEST2_KEY_ID, -+ TEST2_PROMPT, -+ NULL }; -+ -+ assert_int_equal(status, 0); -+ -+ check2_strings[0] = name; -+ check2_len = check_string_array_len(check2_strings); -+ -+ SAFEALIGN_COPY_UINT32(&val, body + rp, &rp); -+ assert_int_equal(val, pam_test_ctx->exp_pam_status); -+ -+ SAFEALIGN_COPY_UINT32(&val, body + rp, &rp); -+ assert_int_equal(val, 2); -+ -+ SAFEALIGN_COPY_UINT32(&val, body + rp, &rp); -+ assert_int_equal(val, SSS_PAM_DOMAIN_NAME); -+ -+ SAFEALIGN_COPY_UINT32(&val, body + rp, &rp); -+ assert_int_equal(val, 9); -+ -+ assert_int_equal(*(body + rp + val - 1), 0); -+ assert_string_equal(body + rp, TEST_DOM_NAME); -+ rp += val; -+ -+ SAFEALIGN_COPY_UINT32(&val, 
body + rp, &rp); -+ assert_int_equal(val, type); -+ -+ SAFEALIGN_COPY_UINT32(&val, body + rp, &rp); -+ assert_int_equal(val, check2_len); -+ -+ check_string_array(check2_strings, body, &rp); -+ -+ assert_int_equal(rp, blen); -+ -+ return EOK; -+} -+ - static int test_pam_cert_check(uint32_t status, uint8_t *body, size_t blen) - { - return test_pam_cert_check_ex(status, body, blen, -@@ -968,6 +1017,12 @@ static int test_pam_cert_check(uint32_t status, uint8_t *body, size_t blen) - NULL); - } - -+static int test_pam_cert2_check(uint32_t status, uint8_t *body, size_t blen) -+{ -+ return test_pam_cert2_token2_check_ex(status, body, blen, SSS_PAM_CERT_INFO, -+ "pamuser@"TEST_DOM_NAME); -+} -+ - static int test_pam_cert_check_auth_success(uint32_t status, uint8_t *body, - size_t blen) - { -@@ -2476,6 +2531,65 @@ void test_pam_cert_auth_2certs_one_mapping(void **state) - assert_int_equal(ret, EOK); - } - -+void test_pam_cert_preauth_uri_token1(void **state) -+{ -+ int ret; -+ -+ struct sss_test_conf_param pam_params[] = { -+ { CONFDB_PAM_P11_URI, "pkcs11:token=SSSD%20Test%20Token" }, -+ { NULL, NULL }, /* Sentinel */ -+ }; -+ -+ ret = add_pam_params(pam_params, pam_test_ctx->rctx->cdb); -+ assert_int_equal(ret, EOK); -+ set_cert_auth_param(pam_test_ctx->pctx, CA_DB); -+ putenv(discard_const("SOFTHSM2_CONF=" ABS_BUILD_DIR "/src/tests/test_CA/softhsm2_2tokens.conf")); -+ -+ mock_input_pam_cert(pam_test_ctx, "pamuser", NULL, NULL, NULL, NULL, NULL, -+ test_lookup_by_cert_cb, SSSD_TEST_CERT_0001, false); -+ -+ will_return(__wrap_sss_packet_get_cmd, SSS_PAM_PREAUTH); -+ will_return(__wrap_sss_packet_get_body, WRAP_CALL_REAL); -+ -+ set_cmd_cb(test_pam_cert_check); -+ ret = sss_cmd_execute(pam_test_ctx->cctx, SSS_PAM_PREAUTH, -+ pam_test_ctx->pam_cmds); -+ assert_int_equal(ret, EOK); -+ -+ /* Wait until the test finishes with EOK */ -+ ret = test_ev_loop(pam_test_ctx->tctx); -+ assert_int_equal(ret, EOK); -+} -+ -+void test_pam_cert_preauth_uri_token2(void **state) -+{ -+ int 
ret; -+ -+ struct sss_test_conf_param pam_params[] = { -+ { CONFDB_PAM_P11_URI, "pkcs11:token=SSSD%20Test%20Token%20Number%202" }, -+ { NULL, NULL }, /* Sentinel */ -+ }; -+ -+ ret = add_pam_params(pam_params, pam_test_ctx->rctx->cdb); -+ assert_int_equal(ret, EOK); -+ set_cert_auth_param(pam_test_ctx->pctx, CA_DB); -+ putenv(discard_const("SOFTHSM2_CONF=" ABS_BUILD_DIR "/src/tests/test_CA/softhsm2_2tokens.conf")); -+ -+ mock_input_pam_cert(pam_test_ctx, "pamuser", NULL, NULL, NULL, NULL, NULL, -+ test_lookup_by_cert_cb, SSSD_TEST_CERT_0002, false); -+ -+ will_return(__wrap_sss_packet_get_cmd, SSS_PAM_PREAUTH); -+ will_return(__wrap_sss_packet_get_body, WRAP_CALL_REAL); -+ -+ set_cmd_cb(test_pam_cert2_check); -+ ret = sss_cmd_execute(pam_test_ctx->cctx, SSS_PAM_PREAUTH, -+ pam_test_ctx->pam_cmds); -+ assert_int_equal(ret, EOK); -+ -+ /* Wait until the test finishes with EOK */ -+ ret = test_ev_loop(pam_test_ctx->tctx); -+ assert_int_equal(ret, EOK); -+} - - void test_filter_response(void **state) - { -@@ -2915,6 +3029,12 @@ int main(int argc, const char *argv[]) - pam_test_setup, pam_test_teardown), - cmocka_unit_test_setup_teardown(test_pam_cert_auth_no_logon_name_no_key_id, - pam_test_setup, pam_test_teardown), -+#ifndef HAVE_NSS -+ cmocka_unit_test_setup_teardown(test_pam_cert_preauth_uri_token1, -+ pam_test_setup, pam_test_teardown), -+ cmocka_unit_test_setup_teardown(test_pam_cert_preauth_uri_token2, -+ pam_test_setup, pam_test_teardown), -+#endif /* ! 
HAVE_NSS */ - #endif /* HAVE_TEST_CA */ - - cmocka_unit_test_setup_teardown(test_filter_response, -diff --git a/src/tests/test_CA/Makefile.am b/src/tests/test_CA/Makefile.am -index 1bce2c3..b574c76 100644 ---- a/src/tests/test_CA/Makefile.am -+++ b/src/tests/test_CA/Makefile.am -@@ -24,7 +24,7 @@ pkcs12 = $(addprefix SSSD_test_cert_pkcs12_,$(addsuffix .pem,$(ids))) - if HAVE_NSS - extra = p11_nssdb p11_nssdb_2certs - else --extra = softhsm2_none softhsm2_one softhsm2_two -+extra = softhsm2_none softhsm2_one softhsm2_two softhsm2_2tokens - endif - - # If openssl is run in parallel there might be conflicts with the serial -@@ -114,6 +114,20 @@ softhsm2_two.conf: - @echo "objectstore.backend = file" >> $@ - @echo "slots.removable = true" >> $@ - -+softhsm2_2tokens: softhsm2_2tokens.conf -+ mkdir $@ -+ SOFTHSM2_CONF=./$< $(SOFTHSM2_UTIL) --init-token --label "SSSD Test Token" --pin 123456 --so-pin 123456 --free -+ GNUTLS_PIN=123456 SOFTHSM2_CONF=./$< $(P11TOOL) --provider=$(SOFTHSM2_PATH) --write --no-mark-private --load-certificate=SSSD_test_cert_x509_0001.pem --login --label 'SSSD test cert 0001' --id 'C554C9F82C2A9D58B70921C143304153A8A42F17' pkcs11:token=SSSD%20Test%20Token -+ GNUTLS_PIN=123456 SOFTHSM2_CONF=./$< $(P11TOOL) --provider=$(SOFTHSM2_PATH) --write --load-privkey=$(srcdir)/SSSD_test_cert_key_0001.pem --login --label 'SSSD test cert 0001' --id 'C554C9F82C2A9D58B70921C143304153A8A42F17' pkcs11:token=SSSD%20Test%20Token -+ SOFTHSM2_CONF=./$< $(SOFTHSM2_UTIL) --init-token --label "SSSD Test Token Number 2" --pin 654321 --so-pin 654321 --free -+ GNUTLS_PIN=654321 SOFTHSM2_CONF=./$< $(P11TOOL) --provider=$(SOFTHSM2_PATH) --write --no-mark-private --load-certificate=SSSD_test_cert_x509_0002.pem --login --label 'SSSD test cert 0002' --id '5405842D56CF31F0BB025A695C5F3E907051C5B9' pkcs11:token=SSSD%20Test%20Token%20Number%202 -+ GNUTLS_PIN=654321 SOFTHSM2_CONF=./$< $(P11TOOL) --provider=$(SOFTHSM2_PATH) --write --load-privkey=$(srcdir)/SSSD_test_cert_key_0002.pem 
--login --label 'SSSD test cert 0002' --id '5405842D56CF31F0BB025A695C5F3E907051C5B9' pkcs11:token=SSSD%20Test%20Token%20Number%202 -+ -+softhsm2_2tokens.conf: -+ @echo "directories.tokendir = "$(abs_top_builddir)"/src/tests/test_CA/softhsm2_2tokens" > $@ -+ @echo "objectstore.backend = file" >> $@ -+ @echo "slots.removable = true" >> $@ -+ - CLEANFILES = \ - index.txt index.txt.attr \ - index.txt.attr.old index.txt.old \ --- -2.9.5 - diff --git a/0054-test_config-Test-for-invalid-characker-in-domain.patch b/0054-test_config-Test-for-invalid-characker-in-domain.patch deleted file mode 100644 index 24b8293..0000000 --- a/0054-test_config-Test-for-invalid-characker-in-domain.patch +++ /dev/null 
@@ -1,53 +0,0 @@ -From 7a2e56d061085c155a51253bd612255a4d24cb57 Mon Sep 17 00:00:00 2001 -From: Tomas Halman -Date: Mon, 8 Oct 2018 12:47:40 +0200 -Subject: [PATCH 69/83] test_config: Test for invalid characker in domain -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -There was bug allowing forbidden characters in config file section name. -Bug has been fixed meantime but we decided to write the test to avoid -regeression. - -Resolves: -https://pagure.io/SSSD/sssd/issue/3334 - -Reviewed-by: Michal Židek ---- - src/tests/cmocka/test_config_check.c | 12 ++++++++++++ - 1 file changed, 12 insertions(+) - -diff --git a/src/tests/cmocka/test_config_check.c b/src/tests/cmocka/test_config_check.c -index a2958de..61c7886 100644 ---- a/src/tests/cmocka/test_config_check.c -+++ b/src/tests/cmocka/test_config_check.c -@@ -106,6 +106,17 @@ void config_check_test_bad_section_name(void **state) - config_check_test_common(cfg_str, 1, expected_errors); - } - -+void config_check_test_bad_chars_in_section_name(void **state) -+{ -+ char cfg_str[] = "[domain/LD@P]"; -+ const char *expected_errors[] = { -+ "[rule/allowed_sections]: Section [domain/LD@P] is not allowed. " -+ "Check for typos.", -+ }; -+ -+ config_check_test_common(cfg_str, 1, expected_errors); -+} -+ - void config_check_test_too_many_subdomains(void **state) - { - char cfg_str[] = "[domain/ad.test/b.test/c.test]"; -@@ -264,6 +275,7 @@ int main(int argc, const char *argv[]) - - const struct CMUnitTest tests[] = { - cmocka_unit_test(config_check_test_bad_section_name), -+ cmocka_unit_test(config_check_test_bad_chars_in_section_name), - cmocka_unit_test(config_check_test_too_many_subdomains), - cmocka_unit_test(config_check_test_bad_sssd_option_name), - cmocka_unit_test(config_check_test_bad_pam_option_name), --- -2.9.5 - 
diff --git a/0055-PAM-return-short-name-for-files-provider-users.patch b/0055-PAM-return-short-name-for-files-provider-users.patch deleted file mode 100644 index 1916278..0000000 --- a/0055-PAM-return-short-name-for-files-provider-users.patch +++ /dev/null 
@@ -1,147 +0,0 @@ -From dbd717fe5b7d8dd640b6ade435b49edb3db5280a Mon Sep 17 00:00:00 2001 -From: Sumit Bose -Date: Tue, 9 Oct 2018 13:25:35 +0200 -Subject: [PATCH 70/83] PAM: return short name for files provider users - -If the 'allow_missing_name' option is used with pam_sss and the user -name will be determined based on the certificate content and the mapping -rules the PAM responder will by default return the fully-qualified name -of the user which is then later used by other PAM modules as well. - -For local users which are configured to use SSSD for Smartcard -authentication this might cause issues in other PAM modules because they -are not aware of the fully-qualified name and will treat the user as -unknown. - -With this patch the PAM responder will return the short name for all -users handled by the files provider. - -Related to https://pagure.io/SSSD/sssd/issue/3848 - -Reviewed-by: Jakub Hrozek ---- - src/responder/pam/pamsrv.h | 3 ++- - src/responder/pam/pamsrv_cmd.c | 13 +++++++++---- - src/responder/pam/pamsrv_p11.c | 32 +++++++++++++++++++++++++++++--- - 3 files changed, 40 insertions(+), 8 deletions(-) - -diff --git a/src/responder/pam/pamsrv.h b/src/responder/pam/pamsrv.h -index 60aa979..3a927bb 100644 ---- a/src/responder/pam/pamsrv.h -+++ b/src/responder/pam/pamsrv.h -@@ -108,7 +108,8 @@ struct tevent_req *pam_check_cert_send(TALLOC_CTX *mem_ctx, - errno_t pam_check_cert_recv(struct tevent_req *req, TALLOC_CTX *mem_ctx, - struct cert_auth_info **cert_list); - --errno_t add_pam_cert_response(struct pam_data *pd, const char *sysdb_username, -+errno_t add_pam_cert_response(struct pam_data *pd, struct sss_domain_info *dom, -+ const char *sysdb_username, - struct cert_auth_info *cert_info, - enum response_type type); - -diff --git a/src/responder/pam/pamsrv_cmd.c b/src/responder/pam/pamsrv_cmd.c -index a22afd2..553bf8f 100644 ---- a/src/responder/pam/pamsrv_cmd.c -+++ b/src/responder/pam/pamsrv_cmd.c -@@ -1645,7 +1645,8 @@ static void 
pam_forwarder_lookup_by_cert_done(struct tevent_req *req) - preq->current_cert != NULL; - preq->current_cert = sss_cai_get_next(preq->current_cert)) { - -- ret = add_pam_cert_response(preq->pd, "", -+ ret = add_pam_cert_response(preq->pd, -+ preq->cctx->rctx->domains, "", - preq->current_cert, - preq->cctx->rctx->domains->user_name_hint - ? SSS_PAM_CERT_INFO_WITH_HINT -@@ -1699,7 +1700,8 @@ static void pam_forwarder_lookup_by_cert_done(struct tevent_req *req) - - if (preq->cctx->rctx->domains->user_name_hint - && preq->pd->cmd == SSS_PAM_PREAUTH) { -- ret = add_pam_cert_response(preq->pd, cert_user, -+ ret = add_pam_cert_response(preq->pd, -+ preq->cctx->rctx->domains, cert_user, - preq->cert_list, - SSS_PAM_CERT_INFO_WITH_HINT); - preq->pd->pam_status = PAM_SUCCESS; -@@ -1725,7 +1727,8 @@ static void pam_forwarder_lookup_by_cert_done(struct tevent_req *req) - * SSS_PAM_CERT_INFO message to send the name to the caller. */ - if (preq->pd->cmd == SSS_PAM_AUTHENTICATE - && preq->pd->logon_name == NULL) { -- ret = add_pam_cert_response(preq->pd, cert_user, -+ ret = add_pam_cert_response(preq->pd, -+ preq->cctx->rctx->domains, cert_user, - preq->cert_list, - SSS_PAM_CERT_INFO); - if (ret != EOK) { -@@ -2117,7 +2120,9 @@ static void pam_dom_forwarder(struct pam_auth_req *preq) - "the backend.\n"); - } - -- ret = add_pam_cert_response(preq->pd, cert_user, -+ ret = add_pam_cert_response(preq->pd, -+ preq->cctx->rctx->domains, -+ cert_user, - preq->current_cert, - SSS_PAM_CERT_INFO); - if (ret != EOK) { -diff --git a/src/responder/pam/pamsrv_p11.c b/src/responder/pam/pamsrv_p11.c -index 491bd2b..785b29c 100644 ---- a/src/responder/pam/pamsrv_p11.c -+++ b/src/responder/pam/pamsrv_p11.c -@@ -1145,7 +1145,8 @@ static errno_t pack_cert_data(TALLOC_CTX *mem_ctx, const char *sysdb_username, - * used when running gdm-password. 
*/ - #define PKCS11_LOGIN_TOKEN_ENV_NAME "PKCS11_LOGIN_TOKEN_NAME" - --errno_t add_pam_cert_response(struct pam_data *pd, const char *sysdb_username, -+errno_t add_pam_cert_response(struct pam_data *pd, struct sss_domain_info *dom, -+ const char *sysdb_username, - struct cert_auth_info *cert_info, - enum response_type type) - { -@@ -1153,6 +1154,10 @@ errno_t add_pam_cert_response(struct pam_data *pd, const char *sysdb_username, - char *env = NULL; - size_t msg_len; - int ret; -+ char *short_name = NULL; -+ char *domain_name = NULL; -+ const char *cert_info_name = sysdb_username; -+ - - if (type != SSS_PAM_CERT_INFO && type != SSS_PAM_CERT_INFO_WITH_HINT) { - DEBUG(SSSDBG_CRIT_FAILURE, "Invalid response type [%d].\n", type); -@@ -1174,9 +1179,30 @@ errno_t add_pam_cert_response(struct pam_data *pd, const char *sysdb_username, - * Smartcard. If this type of name is irritating at the PIN prompt or the - * re_expression config option was set in a way that user@domain cannot be - * handled anymore some more logic has to be added here. But for the time -- * being I think using sysdb_username is fine. */ -+ * being I think using sysdb_username is fine. -+ * As special case is the files provider which handles local users which -+ * by definition only have a short name. To avoid confusion by other -+ * modules on the PAM stack the short name is returned in this case. 
*/ -+ -+ if (sysdb_username != NULL) { -+ ret = sss_parse_internal_fqname(pd, sysdb_username, -+ &short_name, &domain_name); -+ if (ret != EOK) { -+ DEBUG(SSSDBG_CRIT_FAILURE, "Unable to parse name '%s' [%d]: %s, " -+ "using full name.\n", -+ sysdb_username, ret, sss_strerror(ret)); -+ } else { -+ if (domain_name != NULL -+ && is_files_provider(find_domain_by_name(dom, domain_name, -+ false))) { -+ cert_info_name = short_name; -+ } -+ } -+ } - -- ret = pack_cert_data(pd, sysdb_username, cert_info, &msg, &msg_len); -+ ret = pack_cert_data(pd, cert_info_name, cert_info, &msg, &msg_len); -+ talloc_free(short_name); -+ talloc_free(domain_name); - if (ret != EOK) { - DEBUG(SSSDBG_OP_FAILURE, "pack_cert_data failed.\n"); - return ret; --- -2.9.5 - diff --git a/0056-TESTS-Add-a-test-for-whitespace-trimming-in-netgroup.patch b/0056-TESTS-Add-a-test-for-whitespace-trimming-in-netgroup.patch deleted file mode 100644 index 92d51a6..0000000 --- a/0056-TESTS-Add-a-test-for-whitespace-trimming-in-netgroup.patch +++ /dev/null 
@@ -1,181 +0,0 @@ -From 941e67b0bbb780aadb6461b60b4e3554dfb893db Mon Sep 17 00:00:00 2001 -From: Jakub Hrozek -Date: Wed, 16 May 2018 10:23:49 +0200 -Subject: [PATCH 71/83] TESTS: Add a test for whitespace trimming in netgroup - entries - -This is a unit test for commit dbb1abae6eaa9df24f61e3a9f855e2461a66a197 - -Reviewed-by: Tomas Halman ---- - src/tests/sysdb-tests.c | 132 +++++++++++++++++++++++++++++++++++++++++++++++- - 1 file changed, 130 insertions(+), 2 deletions(-) - -diff --git a/src/tests/sysdb-tests.c b/src/tests/sysdb-tests.c -index 933a07e..d3117cd 100644 ---- a/src/tests/sysdb-tests.c -+++ b/src/tests/sysdb-tests.c -@@ -4388,6 +4388,125 @@ START_TEST (test_netgroup_base_dn) - } - END_TEST - -+static errno_t netgr_triple_to_attrs(struct sysdb_attrs *attrs, -+ struct sysdb_netgroup_ctx *netgrent) -+{ -+ int ret; -+ char *dummy; -+ -+ dummy = talloc_asprintf(attrs, "(%s,%s,%s)", -+ netgrent->value.triple.hostname, -+ netgrent->value.triple.username, -+ netgrent->value.triple.domainname); -+ if (dummy == NULL) { -+ DEBUG(SSSDBG_CRIT_FAILURE, "talloc_asprintf failed.\n"); -+ return ENOMEM; -+ } -+ -+ ret = sysdb_attrs_add_string(attrs, SYSDB_NETGROUP_TRIPLE, dummy); -+ talloc_zfree(dummy); -+ if (ret != EOK) { -+ DEBUG(SSSDBG_CRIT_FAILURE, "sysdb_attrs_add_string failed.\n"); -+ return ret; -+ } -+ -+ return EOK; -+} -+ -+static errno_t store_netgr(struct sysdb_test_ctx *test_ctx, -+ const char *name, -+ struct sysdb_netgroup_ctx *netgrent) -+{ -+ struct sysdb_attrs *attrs; -+ errno_t ret; -+ -+ attrs = sysdb_new_attrs(test_ctx); -+ if (attrs == NULL) { -+ return ENOMEM; -+ } -+ -+ ret = netgr_triple_to_attrs(attrs, netgrent); -+ if (ret != EOK) { -+ DEBUG(SSSDBG_OP_FAILURE, "sysdb_add_netgroup failed.\n"); -+ return ret; -+ } -+ -+ ret = sysdb_add_netgroup(test_ctx->domain, name, NULL, attrs, NULL, -+ 0, 0); -+ talloc_zfree(attrs); -+ if (ret != EOK) { -+ DEBUG(SSSDBG_OP_FAILURE, "sysdb_add_netgroup failed.\n"); -+ return ret; -+ } -+ -+ return EOK; -+} 
-+ -+static bool sysdb_netgr_ctx_cmp(struct sysdb_netgroup_ctx *a, -+ struct sysdb_netgroup_ctx *b) -+{ -+ return a->type == b->type && -+ strcmp(a->value.triple.username, b->value.triple.username) == 0 && -+ strcmp(a->value.triple.hostname, b->value.triple.hostname) == 0 && -+ strcmp(a->value.triple.domainname, b->value.triple.domainname) == 0; -+} -+ -+START_TEST (test_sysdb_netgr_to_entries) -+{ -+ errno_t ret; -+ bool bret; -+ struct sysdb_test_ctx *test_ctx; -+ struct sysdb_netgroup_ctx simple_netgroup = { -+ .type = SYSDB_NETGROUP_TRIPLE_VAL, -+ .value.triple.hostname = discard_const("host"), -+ .value.triple.username = discard_const("user"), -+ .value.triple.domainname = discard_const("domain"), -+ }; -+ struct sysdb_netgroup_ctx ws_netgroup = { -+ .type = SYSDB_NETGROUP_TRIPLE_VAL, -+ .value.triple.hostname = discard_const(" host "), -+ .value.triple.username = discard_const(" user "), -+ .value.triple.domainname = discard_const(" domain "), -+ }; -+ struct ldb_result *res; -+ struct sysdb_netgroup_ctx **entries; -+ size_t netgroup_count; -+ -+ ret = setup_sysdb_tests(&test_ctx); -+ fail_if(ret != EOK, "Could not set up the test"); -+ -+ ret = store_netgr(test_ctx, "simple_netgroup", &simple_netgroup); -+ fail_if(ret != EOK, "Could not store the netgr"); -+ -+ ret = sysdb_getnetgr(test_ctx, test_ctx->domain, "simple_netgroup", &res); -+ fail_unless(ret == EOK, "sysdb_getnetgr error [%d][%s]", -+ ret, strerror(ret)); -+ fail_unless(res->count == 1, "Received [%d] responses", -+ res->count); -+ ret = sysdb_netgr_to_entries(test_ctx, res, &entries, &netgroup_count); -+ fail_unless(ret == EOK, "sysdb_netgr_to_entries error [%d][%s]", -+ ret, strerror(ret)); -+ fail_unless(netgroup_count == 1, "Received [%d] triples", netgroup_count); -+ bret = sysdb_netgr_ctx_cmp(entries[0], &simple_netgroup); -+ fail_unless(bret == true, "Netgroup triples do not match"); -+ -+ ret = store_netgr(test_ctx, "ws_netgroup", &ws_netgroup); -+ fail_if(ret != EOK, "Could not store the 
netgr"); -+ -+ ret = sysdb_getnetgr(test_ctx, test_ctx->domain, "ws_netgroup", &res); -+ fail_unless(ret == EOK, "sysdb_getnetgr error [%d][%s]", -+ ret, strerror(ret)); -+ fail_unless(res->count == 1, "Received [%d] responses", -+ res->count); -+ ret = sysdb_netgr_to_entries(test_ctx, res, &entries, &netgroup_count); -+ fail_unless(ret == EOK, "sysdb_netgr_to_entries error [%d][%s]", -+ ret, strerror(ret)); -+ fail_unless(netgroup_count == 1, "Received [%d] triples", netgroup_count); -+ bret = sysdb_netgr_ctx_cmp(entries[0], &simple_netgroup); -+ fail_unless(bret == true, "Netgroup triples do not match"); -+} -+END_TEST -+ - START_TEST(test_odd_characters) - { - errno_t ret; -@@ -4404,6 +4523,8 @@ START_TEST(test_odd_characters) - const char *received_group; - static const char *user_attrs[] = SYSDB_PW_ATTRS; - static const char *netgr_attrs[] = SYSDB_NETGR_ATTRS; -+ struct sysdb_netgroup_ctx **entries; -+ size_t netgroup_count; - - /* Setup */ - ret = setup_sysdb_tests(&test_ctx); -@@ -4546,9 +4667,13 @@ START_TEST(test_odd_characters) - ret, strerror(ret)); - fail_unless(res->count == 1, "Received [%d] responses", - res->count); -- talloc_zfree(res); - -- /* ===== Arbitrary Entries ===== */ -+ /* Parse */ -+ ret = sysdb_netgr_to_entries(test_ctx, res, &entries, &netgroup_count); -+ fail_unless(ret == EOK, "sysdb_netgr_to_entries error [%d][%s]", -+ ret, strerror(ret)); -+ -+ talloc_zfree(res); - - talloc_free(test_ctx); - } -@@ -7418,6 +7543,9 @@ Suite *create_sysdb_suite(void) - - tcase_add_test(tc_sysdb, test_netgroup_base_dn); - -+ /* Test splitting the netgroup triple */ -+ tcase_add_test(tc_sysdb, test_sysdb_netgr_to_entries); -+ - /* ===== SERVICE TESTS ===== */ - - /* Create a new service */ --- -2.9.5 - diff --git a/0057-FILES-The-files-provider-should-not-enumerate.patch b/0057-FILES-The-files-provider-should-not-enumerate.patch deleted file mode 100644 index a728cde..0000000 --- a/0057-FILES-The-files-provider-should-not-enumerate.patch +++ /dev/null 
@@ -1,57 +0,0 @@ -From 7b3794fbe5e4f0888d4faeba12e6c5268f8cca42 Mon Sep 17 00:00:00 2001 -From: Jakub Hrozek -Date: Tue, 9 Oct 2018 12:12:44 +0200 -Subject: [PATCH 73/83] FILES: The files provider should not enumerate -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Resolves: -https://pagure.io/SSSD/sssd/issue/3849 - -For reason I cannot explain now, the files provider always enumerates. -There is commit a60e6ec which implements this, but it's clearly wrong, -because then the plain getent passwd output contains duplicates from -nss_files and nss_sss: - -$ getent passwd | sort -adm:x:3:4:adm:/var/adm:/sbin/nologin -adm:x:3:4:adm:/var/adm:/sbin/nologin -bin:x:1:1:bin:/bin:/sbin/nologin -bin:x:1:1:bin:/bin:/sbin/nologin -certuser:x:10329:10330::/home/certuser:/bin/bash -certuser:x:10329:10330::/home/certuser:/bin/bash -chrony:x:997:994::/var/lib/chrony:/sbin/nologin -chrony:x:997:994::/var/lib/chrony:/sbin/nologin -daemon:x:2:2:daemon:/sbin:/sbin/nologin -daemon:x:2:2:daemon:/sbin:/sbin/nologin - -Reviewed-by: Michal Židek ---- - src/confdb/confdb.c | 5 +---- - 1 files changed, 1 insertions(+), 4 deletions(-) - -diff --git a/src/confdb/confdb.c b/src/confdb/confdb.c -index 2f3d900..fdc6122 100644 ---- a/src/confdb/confdb.c -+++ b/src/confdb/confdb.c -@@ -875,7 +875,6 @@ static int confdb_get_domain_internal(struct confdb_ctx *cdb, - char *default_domain; - bool fqnames_default = false; - int memcache_timeout; -- bool enum_default; - - tmp_ctx = talloc_new(mem_ctx); - if (!tmp_ctx) return ENOMEM; -@@ -1009,10 +1008,8 @@ static int confdb_get_domain_internal(struct confdb_ctx *cdb, - "Interpreting as true\n", domain->name); - domain->enumerate = true; - } else { /* assume the new format */ -- enum_default = is_files_provider(domain); -- - ret = get_entry_as_bool(res->msgs[0], &domain->enumerate, -- CONFDB_DOMAIN_ENUMERATE, enum_default); -+ CONFDB_DOMAIN_ENUMERATE, 0); - if(ret != EOK) { - DEBUG(SSSDBG_FATAL_FAILURE, - 
"Invalid value for %s\n", CONFDB_DOMAIN_ENUMERATE);
diff --git a/0058-p11_child-add-OCSP-check-ot-the-OpenSSL-version.patch b/0058-p11_child-add-OCSP-check-ot-the-OpenSSL-version.patch
deleted file mode 100644
index 3efdcff..0000000
--- a/0058-p11_child-add-OCSP-check-ot-the-OpenSSL-version.patch
+++ /dev/null
@@ -1,489 +0,0 @@ -From 91c608d0eb48435b5b5d2f3631a4bb2a40b8d519 Mon Sep 17 00:00:00 2001 -From: Sumit Bose -Date: Wed, 10 Oct 2018 15:37:16 +0200 -Subject: [PATCH 74/83] p11_child: add OCSP check ot the OpenSSL version - -Related to https://pagure.io/SSSD/sssd/issue/3489 - -Reviewed-by: Jakub Hrozek ---- - src/man/sssd.conf.5.xml | 26 ++- - src/p11_child/p11_child_openssl.c | 346 ++++++++++++++++++++++++++++++++++++++ - src/tests/cmocka/test_utils.c | 3 + - src/util/util.c | 2 + - 4 files changed, 370 insertions(+), 7 deletions(-) - -diff --git a/src/man/sssd.conf.5.xml b/src/man/sssd.conf.5.xml -index c8d53f0..5e3ae48 100644 ---- a/src/man/sssd.conf.5.xml -+++ b/src/man/sssd.conf.5.xml -@@ -479,8 +479,8 @@ - be replaced with the URL of the OCSP - default responder e.g. - http://example.com:80/ocsp. -- This option must be used together -- with -+ (NSS Version) This option must be -+ used together with - ocsp_default_responder_signing_cert. - - -@@ -489,17 +489,29 @@ - - ocsp_default_responder_signing_cert=NAME - -- The nickname of the cert to trust -- (expected) to sign the OCSP responses. -- The certificate with the given nickname -- must be available in the systems NSS -- database. -+ (NSS Version) The nickname of the -+ cert to trust (expected) to sign the -+ OCSP responses. The certificate with -+ the given nickname must be available in -+ the systems NSS database. - This option must be used together - with ocsp_default_responder. -+ (OpenSSL version) This option is -+ currently ignored. All needed -+ certificates must be available in the -+ PEM file given by -+ pam_cert_db_path. - - - - -+ -+ This man page was generated for the NSS version. -+ -+ -+ This man page was generated for the OpenSSL -+ version. -+ - - Unknown options are reported but ignored. 
- -diff --git a/src/p11_child/p11_child_openssl.c b/src/p11_child/p11_child_openssl.c -index 000e1c9..d66a2f8 100644 ---- a/src/p11_child/p11_child_openssl.c -+++ b/src/p11_child/p11_child_openssl.c -@@ -28,6 +28,7 @@ - #include - #include - #include -+#include - #include - #include - -@@ -42,8 +43,344 @@ struct p11_ctx { - X509_STORE *x509_store; - const char *ca_db; - bool wait_for_card; -+ struct cert_verify_opts *cert_verify_opts; - }; - -+static OCSP_RESPONSE *query_responder(BIO *cbio, const char *host, -+ const char *path, -+ OCSP_REQUEST *req, int req_timeout) -+{ -+ int fd; -+ int rv; -+ OCSP_REQ_CTX *ctx = NULL; -+ OCSP_RESPONSE *rsp = NULL; -+ fd_set confds; -+ struct timeval tv; -+ -+ if (req_timeout != -1) { -+ BIO_set_nbio(cbio, 1); -+ } -+ -+ rv = BIO_do_connect(cbio); -+ -+ if ((rv <= 0) && ((req_timeout == -1) || !BIO_should_retry(cbio))) { -+ DEBUG(SSSDBG_OP_FAILURE, "Error connecting BIO\n"); -+ return NULL; -+ } -+ -+ if (BIO_get_fd(cbio, &fd) < 0) { -+ DEBUG(SSSDBG_OP_FAILURE, "Can't get connection fd\n"); -+ goto err; -+ } -+ -+ if (req_timeout != -1 && rv <= 0) { -+ FD_ZERO(&confds); -+ FD_SET(fd, &confds); -+ tv.tv_usec = 0; -+ tv.tv_sec = req_timeout; -+ rv = select(fd + 1, NULL, (void *)&confds, NULL, &tv); -+ if (rv == 0) { -+ DEBUG(SSSDBG_OP_FAILURE, "Timeout on connect\n"); -+ return NULL; -+ } -+ } -+ -+ ctx = OCSP_sendreq_new(cbio, path, NULL, -1); -+ if (ctx == NULL) { -+ return NULL; -+ } -+ -+ if (OCSP_REQ_CTX_add1_header(ctx, "Host", host) == 0) { -+ goto err; -+ } -+ -+ if (!OCSP_REQ_CTX_set1_req(ctx, req)) { -+ goto err; -+ } -+ -+ for (;;) { -+ rv = OCSP_sendreq_nbio(&rsp, ctx); -+ if (rv != -1) -+ break; -+ if (req_timeout == -1) -+ continue; -+ FD_ZERO(&confds); -+ FD_SET(fd, &confds); -+ tv.tv_usec = 0; -+ tv.tv_sec = req_timeout; -+ if (BIO_should_read(cbio)) { -+ rv = select(fd + 1, (void *)&confds, NULL, NULL, &tv); -+ } else if (BIO_should_write(cbio)) { -+ rv = select(fd + 1, NULL, (void *)&confds, NULL, &tv); -+ } else 
{ -+ DEBUG(SSSDBG_OP_FAILURE, "Unexpected retry condition\n"); -+ goto err; -+ } -+ if (rv == 0) { -+ DEBUG(SSSDBG_OP_FAILURE, "Timeout on request\n"); -+ break; -+ } -+ if (rv == -1) { -+ DEBUG(SSSDBG_OP_FAILURE, "Select error\n"); -+ break; -+ } -+ -+ } -+ err: -+ OCSP_REQ_CTX_free(ctx); -+ -+ return rsp; -+} -+ -+#if OPENSSL_VERSION_NUMBER < 0x10100000L -+#define TLS_client_method SSLv23_client_method -+#define X509_STORE_get0_objects(store) (store->objs) -+#define X509_OBJECT_get_type(object) (object->type) -+#define X509_OBJECT_get0_X509(object) (object->data.x509) -+#endif -+ -+OCSP_RESPONSE *process_responder(OCSP_REQUEST *req, -+ const char *host, const char *path, -+ const char *port, int use_ssl, -+ int req_timeout) -+{ -+ BIO *cbio = NULL; -+ SSL_CTX *ctx = NULL; -+ OCSP_RESPONSE *resp = NULL; -+ -+ cbio = BIO_new_connect(host); -+ if (cbio == NULL) { -+ DEBUG(SSSDBG_OP_FAILURE, "Error creating connect BIO\n"); -+ goto end; -+ } -+ if (port != NULL) -+ BIO_set_conn_port(cbio, port); -+ if (use_ssl == 1) { -+ BIO *sbio; -+ ctx = SSL_CTX_new(TLS_client_method()); -+ if (ctx == NULL) { -+ DEBUG(SSSDBG_OP_FAILURE, "Error creating SSL context.\n"); -+ goto end; -+ } -+ SSL_CTX_set_mode(ctx, SSL_MODE_AUTO_RETRY); -+ sbio = BIO_new_ssl(ctx, 1); -+ cbio = BIO_push(sbio, cbio); -+ } -+ -+ resp = query_responder(cbio, host, path, req, req_timeout); -+ if (resp == NULL) { -+ DEBUG(SSSDBG_OP_FAILURE, "Error querying OCSP responder\n"); -+ } -+ -+ end: -+ BIO_free_all(cbio); -+ SSL_CTX_free(ctx); -+ return resp; -+} -+ -+static errno_t do_ocsp(struct p11_ctx *p11_ctx, X509 *cert) -+{ -+ OCSP_REQUEST *ocsp_req = NULL; -+ OCSP_RESPONSE *ocsp_resp = NULL; -+ OCSP_BASICRESP *ocsp_basic = NULL; -+ OCSP_CERTID *cid = NULL; -+ STACK_OF(OPENSSL_STRING) *ocsp_urls = NULL; -+ char *url_str; -+ X509 *issuer = NULL; -+ int req_timeout = -1; -+ int status; -+ int ret = EIO; -+ int reason; -+ ASN1_GENERALIZEDTIME *revtime; -+ ASN1_GENERALIZEDTIME *thisupd; -+ ASN1_GENERALIZEDTIME 
*nextupd; -+ long grace_time = (5 * 60); /* Allow 5 minutes time difference when -+ * checking the validity of the OCSP response */ -+ char *host = NULL; -+ char *path = NULL; -+ char *port = NULL; -+ int use_ssl; -+ X509_NAME *issuer_name = NULL; -+ X509_OBJECT *x509_obj; -+ STACK_OF(X509_OBJECT) *store_objects; -+ -+ ocsp_urls = X509_get1_ocsp(cert); -+ if (ocsp_urls == NULL -+ && p11_ctx->cert_verify_opts->ocsp_default_responder == NULL) { -+ DEBUG(SSSDBG_CRIT_FAILURE, -+ "No OCSP URL in certificate and no default responder defined, " -+ "skipping OCSP check.\n"); -+ return EOK; -+ } -+ -+ if (p11_ctx->cert_verify_opts->ocsp_default_responder != NULL) { -+ url_str = p11_ctx->cert_verify_opts->ocsp_default_responder; -+ } else { -+ if (sk_OPENSSL_STRING_num(ocsp_urls) > 1) { -+ DEBUG(SSSDBG_CONF_SETTINGS, -+ "Found more than 1 OCSP URLs, just using the first.\n"); -+ } -+ -+ url_str = sk_OPENSSL_STRING_value(ocsp_urls, 0); -+ } -+ -+ DEBUG(SSSDBG_TRACE_ALL, "Using OCSP URL [%s].\n", url_str); -+ -+ ret = OCSP_parse_url(url_str, &host, &port, &path, &use_ssl); -+ if (ret != 1) { -+ DEBUG(SSSDBG_OP_FAILURE, "OCSP_parse_url failed to parse [%s].\n", -+ url_str); -+ ret = EIO; -+ goto done; -+ } -+ -+ issuer_name = X509_get_issuer_name(cert); -+ if (issuer_name == NULL) { -+ DEBUG(SSSDBG_CRIT_FAILURE, "Certificate has no issuer, " -+ "cannot run OCSP check.\n"); -+ ret = EINVAL; -+ goto done; -+ } -+ -+ store_objects = X509_STORE_get0_objects(p11_ctx->x509_store); -+ if (store_objects == NULL) { -+ DEBUG(SSSDBG_CRIT_FAILURE, -+ "No objects found in certificate store, OCSP failed.\n"); -+ ret = EINVAL; -+ goto done; -+ } -+ -+ x509_obj = X509_OBJECT_retrieve_by_subject(store_objects, X509_LU_X509, -+ issuer_name); -+ if (x509_obj == NULL || X509_OBJECT_get_type(x509_obj) != X509_LU_X509) { -+ DEBUG(SSSDBG_CRIT_FAILURE, "Issuer not found.\n"); -+ ret = EIO; -+ goto done; -+ } -+ -+ issuer = X509_OBJECT_get0_X509(x509_obj); -+ -+ ocsp_req = OCSP_REQUEST_new(); -+ if 
(ocsp_req == NULL) { -+ DEBUG(SSSDBG_OP_FAILURE, "OCSP_REQUEST_new failed.\n"); -+ ret = ENOMEM; -+ goto done; -+ } -+ -+ cid = OCSP_cert_to_id(EVP_sha1(), cert, issuer); -+ if (cid == NULL) { -+ DEBUG(SSSDBG_OP_FAILURE, "OCSP_cert_to_id failed.\n"); -+ ret = EIO; -+ goto done; -+ } -+ -+ if (OCSP_request_add0_id(ocsp_req, cid) == NULL) { -+ DEBUG(SSSDBG_OP_FAILURE, "OCSP_request_add0_id failed.\n"); -+ ret = EIO; -+ goto done; -+ } -+ -+ OCSP_request_add1_nonce(ocsp_req, NULL, -1); -+ -+ ocsp_resp = process_responder(ocsp_req, host, path, port, use_ssl, -+ req_timeout); -+ if (ocsp_resp == NULL) { -+ DEBUG(SSSDBG_OP_FAILURE, "process_responder failed.\n"); -+ ret = EIO; -+ goto done; -+ } -+ -+ status = OCSP_response_status(ocsp_resp); -+ if (status != OCSP_RESPONSE_STATUS_SUCCESSFUL) { -+ DEBUG(SSSDBG_CRIT_FAILURE, "OCSP response error: [%d][%s].\n", -+ status, OCSP_response_status_str(status)); -+ ret = EIO; -+ goto done; -+ } -+ -+ ocsp_basic = OCSP_response_get1_basic(ocsp_resp); -+ if (ocsp_resp == NULL) { -+ DEBUG(SSSDBG_OP_FAILURE, "OCSP_response_get1_basic failed.\n"); -+ ret = EIO; -+ goto done; -+ } -+ -+ switch (OCSP_check_nonce(ocsp_req, ocsp_basic)) { -+ case -1: -+ DEBUG(SSSDBG_CRIT_FAILURE, "No nonce in OCSP response. This might " -+ "indicate a replay attack or an OCSP responder which does not " -+ "support nonces. 
Accepting response.\n"); -+ break; -+ case 0: -+ DEBUG(SSSDBG_CRIT_FAILURE, "Nonce in OCSP response does not match the " -+ "one used in the request.\n"); -+ ret = EIO; -+ goto done; -+ break; -+ case 1: -+ DEBUG(SSSDBG_TRACE_ALL, "Nonce in OCSP response is the same as the one " -+ "used in the request.\n"); -+ break; -+ case 2: -+ case 3: -+ DEBUG(SSSDBG_CRIT_FAILURE, "Missing nonce in OCSP request, this should" -+ "never happen.\n"); -+ ret = EIO; -+ goto done; -+ break; -+ default: -+ DEBUG(SSSDBG_CRIT_FAILURE, "Unexpected result of OCSP_check_nonce.\n"); -+ } -+ -+ status = OCSP_basic_verify(ocsp_basic, NULL, p11_ctx->x509_store, 0); -+ if (status != 1) { -+ DEBUG(SSSDBG_CRIT_FAILURE, "OCSP_base_verify failed to verify OCSP " -+ "response.\n"); -+ ret = EIO; -+ goto done; -+ } -+ -+ ret = OCSP_resp_find_status(ocsp_basic, cid, &status, &reason, -+ &revtime, &thisupd, &nextupd); -+ if (ret != 1) { -+ DEBUG(SSSDBG_CRIT_FAILURE, "OCSP response does not contain status of " -+ "our certificate.\n"); -+ ret = EIO; -+ goto done; -+ } -+ -+ if (status != V_OCSP_CERTSTATUS_GOOD) { -+ DEBUG(SSSDBG_CRIT_FAILURE, "OCSP check failed with [%d][%s].\n", -+ status, OCSP_cert_status_str(status)); -+ if (status == V_OCSP_CERTSTATUS_REVOKED) { -+ DEBUG(SSSDBG_CRIT_FAILURE, "Certificate is revoked [%d][%s].\n", -+ reason, OCSP_crl_reason_str(reason)); -+ } -+ ret = EIO; -+ goto done; -+ } -+ -+ if (OCSP_check_validity(thisupd, nextupd, grace_time, -1) != 1) { -+ DEBUG(SSSDBG_CRIT_FAILURE, "OCSP response is not valid anymore.\n"); -+ ret = EIO; -+ goto done; -+ } -+ -+ DEBUG(SSSDBG_TRACE_ALL, "OCSP check was successful.\n"); -+ ret = EOK; -+ -+done: -+ OCSP_BASICRESP_free(ocsp_basic); -+ OCSP_RESPONSE_free(ocsp_resp); -+ OCSP_REQUEST_free(ocsp_req); -+ -+ OPENSSL_free(host); -+ OPENSSL_free(port); -+ OPENSSL_free(path); -+ X509_email_free(ocsp_urls); -+ -+ return ret; -+} - - static char *get_pkcs11_uri(TALLOC_CTX *mem_ctx, CK_INFO *module_info, - CK_SLOT_INFO *slot_info, 
CK_SLOT_ID slot_id, -@@ -191,6 +528,7 @@ errno_t init_verification(struct p11_ctx *p11_ctx, - } - - p11_ctx->x509_store = store; -+ p11_ctx->cert_verify_opts = cert_verify_opts; - talloc_set_destructor(p11_ctx, talloc_free_x509_store); - - ret = EOK; -@@ -262,6 +600,14 @@ bool do_verification(struct p11_ctx *p11_ctx, X509 *cert) - goto done; - } - -+ if (p11_ctx->cert_verify_opts->do_ocsp) { -+ ret = do_ocsp(p11_ctx, cert); -+ if (ret != EOK) { -+ DEBUG(SSSDBG_OP_FAILURE, "do_ocsp failed.\n"); -+ goto done; -+ } -+ } -+ - res = true; - - done: -diff --git a/src/tests/cmocka/test_utils.c b/src/tests/cmocka/test_utils.c -index 1a8699a..c86e526 100644 ---- a/src/tests/cmocka/test_utils.c -+++ b/src/tests/cmocka/test_utils.c -@@ -1612,6 +1612,8 @@ static void test_parse_cert_verify_opts(void **state) - &cv_opts); - assert_int_equal(ret, EINVAL); - -+/* Only NSS requires that both are set */ -+#ifdef HAVE_NSS - ret = parse_cert_verify_opts(global_talloc_context, - "ocsp_default_responder=abc", &cv_opts); - assert_int_equal(ret, EINVAL); -@@ -1620,6 +1622,7 @@ static void test_parse_cert_verify_opts(void **state) - "ocsp_default_responder_signing_cert=def", - &cv_opts); - assert_int_equal(ret, EINVAL); -+#endif - - ret = parse_cert_verify_opts(global_talloc_context, - "ocsp_default_responder=abc," -diff --git a/src/util/util.c b/src/util/util.c -index 53dd9a1..7f475fa 100644 ---- a/src/util/util.c -+++ b/src/util/util.c -@@ -1123,6 +1123,7 @@ errno_t parse_cert_verify_opts(TALLOC_CTX *mem_ctx, const char *verify_opts, - } - } - -+#ifdef HAVE_NSS - if ((cert_verify_opts->ocsp_default_responder == NULL - && cert_verify_opts->ocsp_default_responder_signing_cert != NULL) - || (cert_verify_opts->ocsp_default_responder != NULL -@@ -1135,6 +1136,7 @@ errno_t parse_cert_verify_opts(TALLOC_CTX *mem_ctx, const char *verify_opts, - ret = EINVAL; - goto done; - } -+#endif - - ret = EOK; - --- -2.9.5 - 
diff --git a/0059-p11_child-add-crl_file-option-for-the-OpenSSL-build.patch b/0059-p11_child-add-crl_file-option-for-the-OpenSSL-build.patch
deleted file mode 100644
index 4349a33..0000000
--- a/0059-p11_child-add-crl_file-option-for-the-OpenSSL-build.patch
+++ /dev/null
@@ -1,279 +0,0 @@ -From 3c096c9ad6dad911d035cfdd802b5dda4710fc68 Mon Sep 17 00:00:00 2001 -From: Sumit Bose -Date: Thu, 11 Oct 2018 17:35:24 +0200 -Subject: [PATCH 75/83] p11_child: add crl_file option for the OpenSSL build - -In the NSS build a Certificate Revocation List (CRL) can just be added -to the NSS database. For OpenSSL a separate file is needed. - -Related to https://pagure.io/SSSD/sssd/issue/3489 - -Reviewed-by: Jakub Hrozek ---- - src/man/sssd.conf.5.xml | 24 ++++++++++++++++++++++++ - src/p11_child/p11_child_common.c | 12 ++++++------ - src/p11_child/p11_child_openssl.c | 26 +++++++++++++++++++++++++- - src/tests/cmocka/test_utils.c | 16 ++++++++++++++++ - src/util/util.c | 13 +++++++++++++ - src/util/util.h | 1 + - 6 files changed, 85 insertions(+), 7 deletions(-) - -diff --git a/src/man/sssd.conf.5.xml b/src/man/sssd.conf.5.xml -index 5e3ae48..bea25c6 100644 ---- a/src/man/sssd.conf.5.xml -+++ b/src/man/sssd.conf.5.xml -@@ -503,6 +503,30 @@ - pam_cert_db_path. - - -+ -+ crl_file=/PATH/TO/CRL/FILE -+ -+ (NSS Version) This option is -+ ignored, please see -+ -+ crlutil -+ 1 -+ -+ how to import a Certificate Revocation -+ List (CRL) into a NSS database. -+ -+ (OpenSSL Version) Use the -+ Certificate Revocation List (CRL) from -+ the given file during the verification -+ of the certificate. The CRL must be -+ given in PEM format, see -+ -+ crl -+ 1ssl -+ -+ for details. 
-+ -+ - - - -diff --git a/src/p11_child/p11_child_common.c b/src/p11_child/p11_child_common.c -index 097e7fa..b992aeb 100644 ---- a/src/p11_child/p11_child_common.c -+++ b/src/p11_child/p11_child_common.c -@@ -48,7 +48,7 @@ static const char *op_mode_str(enum op_mode mode) - return "pre-auth"; - break; - case OP_VERIFIY: -- return "verifiy"; -+ return "verify"; - break; - default: - return "unknown"; -@@ -219,7 +219,7 @@ int main(int argc, const char *argv[]) - case 'a': - if (mode != OP_NONE) { - fprintf(stderr, -- "\n--verifiy, --auth and --pre are mutually " \ -+ "\n--verify, --auth and --pre are mutually " \ - "exclusive and should be only used once.\n\n"); - poptPrintUsage(pc, stderr, 0); - _exit(-1); -@@ -229,7 +229,7 @@ int main(int argc, const char *argv[]) - case 'p': - if (mode != OP_NONE) { - fprintf(stderr, -- "\n--verifiy, --auth and --pre are mutually " \ -+ "\n--verify, --auth and --pre are mutually " \ - "exclusive and should be only used once.\n\n"); - poptPrintUsage(pc, stderr, 0); - _exit(-1); -@@ -239,7 +239,7 @@ int main(int argc, const char *argv[]) - case 'v': - if (mode != OP_NONE) { - fprintf(stderr, -- "\n--verifiy, --auth and --pre are mutually " \ -+ "\n--verify, --auth and --pre are mutually " \ - "exclusive and should be only used once.\n\n"); - poptPrintUsage(pc, stderr, 0); - _exit(-1); -@@ -283,7 +283,7 @@ int main(int argc, const char *argv[]) - - if (mode == OP_NONE) { - fprintf(stderr, "\nMissing operation mode, either " \ -- "--verifiy, --auth or --pre must be specified.\n\n"); -+ "--verify, --auth or --pre must be specified.\n\n"); - poptPrintUsage(pc, stderr, 0); - _exit(-1); - } else if (mode == OP_AUTH && pin_mode == PIN_NONE) { -@@ -350,7 +350,7 @@ int main(int argc, const char *argv[]) - - ret = parse_cert_verify_opts(main_ctx, verify_opts, &cert_verify_opts); - if (ret != EOK) { -- DEBUG(SSSDBG_FATAL_FAILURE, "Failed to parse verifiy option.\n"); -+ DEBUG(SSSDBG_FATAL_FAILURE, "Failed to parse verify option.\n"); - goto 
fail; - } - -diff --git a/src/p11_child/p11_child_openssl.c b/src/p11_child/p11_child_openssl.c -index d66a2f8..9defdfc 100644 ---- a/src/p11_child/p11_child_openssl.c -+++ b/src/p11_child/p11_child_openssl.c -@@ -501,6 +501,7 @@ errno_t init_verification(struct p11_ctx *p11_ctx, - X509_STORE *store = NULL; - unsigned long err; - X509_LOOKUP *lookup = NULL; -+ X509_VERIFY_PARAM *verify_param = NULL; - - store = X509_STORE_new(); - if (store == NULL) { -@@ -527,6 +528,30 @@ errno_t init_verification(struct p11_ctx *p11_ctx, - goto done; - } - -+ if (cert_verify_opts->crl_file != NULL) { -+ verify_param = X509_VERIFY_PARAM_new(); -+ if (verify_param == NULL) { -+ DEBUG(SSSDBG_OP_FAILURE, "X509_VERIFY_PARAM_new failed.\n"); -+ ret = ENOMEM; -+ goto done; -+ } -+ -+ X509_VERIFY_PARAM_set_flags(verify_param, (X509_V_FLAG_CRL_CHECK -+ | X509_V_FLAG_CRL_CHECK_ALL)); -+ -+ X509_STORE_set1_param(store, verify_param); -+ -+ ret = X509_load_crl_file(lookup, cert_verify_opts->crl_file, -+ X509_FILETYPE_PEM); -+ if (ret == 0) { -+ err = ERR_get_error(); -+ DEBUG(SSSDBG_OP_FAILURE, "X509_load_crl_file failed [%lu][%s].\n", -+ err, ERR_error_string(err, NULL)); -+ ret = EIO; -+ goto done; -+ } -+ } -+ - p11_ctx->x509_store = store; - p11_ctx->cert_verify_opts = cert_verify_opts; - talloc_set_destructor(p11_ctx, talloc_free_x509_store); -@@ -536,7 +561,6 @@ errno_t init_verification(struct p11_ctx *p11_ctx, - done: - if (ret != EOK) { - X509_STORE_free(store); -- X509_LOOKUP_free(lookup); - } - - return ret; -diff --git a/src/tests/cmocka/test_utils.c b/src/tests/cmocka/test_utils.c -index c86e526..cf1c2ae 100644 ---- a/src/tests/cmocka/test_utils.c -+++ b/src/tests/cmocka/test_utils.c -@@ -1567,6 +1567,7 @@ static void test_parse_cert_verify_opts(void **state) - assert_true(cv_opts->do_ocsp); - assert_null(cv_opts->ocsp_default_responder); - assert_null(cv_opts->ocsp_default_responder_signing_cert); -+ assert_null(cv_opts->crl_file); - talloc_free(cv_opts); - - ret = 
parse_cert_verify_opts(global_talloc_context, "wedfkwefjk", &cv_opts); -@@ -1575,6 +1576,7 @@ static void test_parse_cert_verify_opts(void **state) - assert_true(cv_opts->do_ocsp); - assert_null(cv_opts->ocsp_default_responder); - assert_null(cv_opts->ocsp_default_responder_signing_cert); -+ assert_null(cv_opts->crl_file); - talloc_free(cv_opts); - - ret = parse_cert_verify_opts(global_talloc_context, "no_ocsp", &cv_opts); -@@ -1583,6 +1585,7 @@ static void test_parse_cert_verify_opts(void **state) - assert_false(cv_opts->do_ocsp); - assert_null(cv_opts->ocsp_default_responder); - assert_null(cv_opts->ocsp_default_responder_signing_cert); -+ assert_null(cv_opts->crl_file); - talloc_free(cv_opts); - - ret = parse_cert_verify_opts(global_talloc_context, "no_verification", -@@ -1592,6 +1595,7 @@ static void test_parse_cert_verify_opts(void **state) - assert_true(cv_opts->do_ocsp); - assert_null(cv_opts->ocsp_default_responder); - assert_null(cv_opts->ocsp_default_responder_signing_cert); -+ assert_null(cv_opts->crl_file); - talloc_free(cv_opts); - - ret = parse_cert_verify_opts(global_talloc_context, -@@ -1601,6 +1605,7 @@ static void test_parse_cert_verify_opts(void **state) - assert_false(cv_opts->do_ocsp); - assert_null(cv_opts->ocsp_default_responder); - assert_null(cv_opts->ocsp_default_responder_signing_cert); -+ assert_null(cv_opts->crl_file); - talloc_free(cv_opts); - - ret = parse_cert_verify_opts(global_talloc_context, -@@ -1633,6 +1638,17 @@ static void test_parse_cert_verify_opts(void **state) - assert_true(cv_opts->do_ocsp); - assert_string_equal(cv_opts->ocsp_default_responder, "abc"); - assert_string_equal(cv_opts->ocsp_default_responder_signing_cert, "def"); -+ assert_null(cv_opts->crl_file); -+ talloc_free(cv_opts); -+ -+ ret = parse_cert_verify_opts(global_talloc_context, "crl_file=hij", -+ &cv_opts); -+ assert_int_equal(ret, EOK); -+ assert_true(cv_opts->do_verification); -+ assert_true(cv_opts->do_ocsp); -+ 
assert_null(cv_opts->ocsp_default_responder); -+ assert_null(cv_opts->ocsp_default_responder_signing_cert); -+ assert_string_equal(cv_opts->crl_file, "hij"); - talloc_free(cv_opts); - } - -diff --git a/src/util/util.c b/src/util/util.c -index 7f475fa..cbe6a28 100644 ---- a/src/util/util.c -+++ b/src/util/util.c -@@ -1024,6 +1024,7 @@ static struct cert_verify_opts *init_cert_verify_opts(TALLOC_CTX *mem_ctx) - cert_verify_opts->do_verification = true; - cert_verify_opts->ocsp_default_responder = NULL; - cert_verify_opts->ocsp_default_responder_signing_cert = NULL; -+ cert_verify_opts->crl_file = NULL; - - return cert_verify_opts; - } -@@ -1035,6 +1036,8 @@ static struct cert_verify_opts *init_cert_verify_opts(TALLOC_CTX *mem_ctx) - "ocsp_default_responder_signing_cert=" - #define OCSP_DEFAUL_RESPONDER_SIGNING_CERT_LEN \ - (sizeof(OCSP_DEFAUL_RESPONDER_SIGNING_CERT) - 1) -+#define CRL_FILE "crl_file=" -+#define CRL_FILE_LEN (sizeof(CRL_FILE) -1) - - errno_t parse_cert_verify_opts(TALLOC_CTX *mem_ctx, const char *verify_opts, - struct cert_verify_opts **_cert_verify_opts) -@@ -1116,6 +1119,16 @@ errno_t parse_cert_verify_opts(TALLOC_CTX *mem_ctx, const char *verify_opts, - DEBUG(SSSDBG_TRACE_ALL, - "Using OCSP default responder signing cert nickname [%s]\n", - cert_verify_opts->ocsp_default_responder_signing_cert); -+ } else if (strncasecmp(opts[c], CRL_FILE, CRL_FILE_LEN) == 0) { -+ cert_verify_opts->crl_file = talloc_strdup(cert_verify_opts, -+ &opts[c][CRL_FILE_LEN]); -+ if (cert_verify_opts->crl_file == NULL -+ || *cert_verify_opts->crl_file == '\0') { -+ DEBUG(SSSDBG_CRIT_FAILURE, -+ "Failed to parse crl_file option [%s].\n", opts[c]); -+ ret = EINVAL; -+ goto done; -+ } - } else { - DEBUG(SSSDBG_CRIT_FAILURE, - "Unsupported certificate verification option [%s], " \ -diff --git a/src/util/util.h b/src/util/util.h -index e3e9100..7e9b3d6 100644 ---- a/src/util/util.h -+++ b/src/util/util.h -@@ -371,6 +371,7 @@ struct cert_verify_opts { - bool do_verification; - 
char *ocsp_default_responder; - char *ocsp_default_responder_signing_cert; -+ char *crl_file; - }; - - errno_t parse_cert_verify_opts(TALLOC_CTX *mem_ctx, const char *verify_opts, --- -2.9.5 - diff --git a/0060-p11-Fix-two-instances-of-Wmaybe-uninitialized-in-p11.patch b/0060-p11-Fix-two-instances-of-Wmaybe-uninitialized-in-p11.patch deleted file mode 100644 index c882c52..0000000 --- a/0060-p11-Fix-two-instances-of-Wmaybe-uninitialized-in-p11.patch +++ /dev/null @@ -1,37 +0,0 @@ -From 7794caec36e7142423491d90aaade7e49b9df1c1 Mon Sep 17 00:00:00 2001 -From: Jakub Hrozek -Date: Fri, 12 Oct 2018 09:32:11 +0200 -Subject: [PATCH 76/83] p11: Fix two instances of -Wmaybe-uninitialized in - p11_child_openssl.c - -If uri_str was passed to the p11_child and parsing the URI failed, then -modules would be uninitialized, but freed in the done handler with -p11_kit_modules_finalize_and_release() - -Also, another warning is suppressed by setting the 's' variable to zero. -While it cannot happen that the variable will be uninitialized, we -should help the compiler by setting a value explicitly. - -Reviewed-by: Sumit Bose ---- - src/p11_child/p11_child_openssl.c | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/src/p11_child/p11_child_openssl.c b/src/p11_child/p11_child_openssl.c -index 9defdfc..adfe272 100644 ---- a/src/p11_child/p11_child_openssl.c -+++ b/src/p11_child/p11_child_openssl.c -@@ -1036,8 +1036,8 @@ errno_t do_card(TALLOC_CTX *mem_ctx, struct p11_ctx *p11_ctx, - { - int ret; - size_t c; -- size_t s; -- CK_FUNCTION_LIST **modules; -+ size_t s = 0; -+ CK_FUNCTION_LIST **modules = NULL; - CK_FUNCTION_LIST *module = NULL; - char *mod_name; - char *mod_file_name; --- -2.9.5 - diff --git a/0061-sudo-use-correct-sbus-interface.patch b/0061-sudo-use-correct-sbus-interface.patch deleted file mode 100644 index 0bb5b1b..0000000 --- a/0061-sudo-use-correct-sbus-interface.patch +++ /dev/null 
@@ -1,31 +0,0 @@
-From 250e82252b53991e2902b292cfa6029ab28a10fb Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Pavel=20B=C5=99ezina?=
-Date: Mon, 15 Oct 2018 12:46:35 +0200
-Subject: [PATCH 77/83] sudo: use correct sbus interface
-
-Internal dbus interfaces were renamed to shorter names in sbus2.
-
-Resolves:
-https://pagure.io/SSSD/sssd/issue/3854
-
-Reviewed-by: Jakub Hrozek
----
- src/responder/sudo/sudosrv_dp.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/src/responder/sudo/sudosrv_dp.c b/src/responder/sudo/sudosrv_dp.c
-index 2c6b26e..78dd296 100644
---- a/src/responder/sudo/sudosrv_dp.c
-+++ b/src/responder/sudo/sudosrv_dp.c
-@@ -66,7 +66,7 @@ sss_dp_get_sudoers_msg(TALLOC_CTX *mem_ctx,
- 
- msg = dbus_message_new_method_call(bus_name,
- SSS_BUS_PATH,
-- "org.freedesktop.sssd.dataprovider",
-+ "sssd.dataprovider",
- "sudoHandler");
- if (msg == NULL) {
- DEBUG(SSSDBG_CRIT_FAILURE, "Out of memory?!\n");
---
-2.9.5
-
diff --git a/0062-sudo-fix-error-handling-in-sudosrv_refresh_rules_don.patch b/0062-sudo-fix-error-handling-in-sudosrv_refresh_rules_don.patch
deleted file mode 100644
index 36e49eb..0000000
--- a/0062-sudo-fix-error-handling-in-sudosrv_refresh_rules_don.patch
+++ /dev/null
@@ -1,40 +0,0 @@
-From 8fbaf224193b9ca8b82a290bd52265c2f9b40315 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Pavel=20B=C5=99ezina?=
-Date: Mon, 15 Oct 2018 13:01:34 +0200
-Subject: [PATCH 78/83] sudo: fix error handling in sudosrv_refresh_rules_done
-
-If sbus returns non-zero code then the output variables are not set and
-therefore we access uninitialized memory.
-
-Resolves:
-https://pagure.io/SSSD/sssd/issue/3854
-
-Reviewed-by: Jakub Hrozek
----
- src/responder/sudo/sudosrv_get_sudorules.c | 7 ++++++-
- 1 file changed, 6 insertions(+), 1 deletion(-)
-
-diff --git a/src/responder/sudo/sudosrv_get_sudorules.c b/src/responder/sudo/sudosrv_get_sudorules.c
-index 14bd824..76faef0 100644
---- a/src/responder/sudo/sudosrv_get_sudorules.c
-+++ b/src/responder/sudo/sudosrv_get_sudorules.c
-@@ -576,10 +576,15 @@ static void sudosrv_refresh_rules_done(struct tevent_req *subreq)
- ret = sss_dp_get_sudoers_recv(state, subreq, &err_maj, &err_min, &err_msg);
- talloc_zfree(subreq);
- if (ret != EOK) {
-+ DEBUG(SSSDBG_CRIT_FAILURE, "Unable to refresh rules [%d]: %s\n",
-+ ret, sss_strerror(ret));
-+ goto done;
-+ } else if (err_maj != 0 || err_min != 0) {
- DEBUG(SSSDBG_CRIT_FAILURE,
- "Unable to get information from Data Provider, "
- "Error: %u, %u, %s\n",
-- (unsigned int)err_maj, (unsigned int)err_min, err_msg);
-+ (unsigned int)err_maj, (unsigned int)err_min,
-+ (err_msg == NULL ? "(null)" : err_msg));
- goto done;
- }
- 
---
-2.9.5
-
diff --git a/0063-sbus-remove-leftovers-from-previous-implementation.patch b/0063-sbus-remove-leftovers-from-previous-implementation.patch
deleted file mode 100644
index ff24669..0000000
--- a/0063-sbus-remove-leftovers-from-previous-implementation.patch
+++ /dev/null
@@ -1,64 +0,0 @@
-From c74b430ba95d99b245b6347328024e4b4815b35e Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Pavel=20B=C5=99ezina?=
-Date: Mon, 15 Oct 2018 12:48:41 +0200
-Subject: [PATCH 79/83] sbus: remove leftovers from previous implementation
-
-Reviewed-by: Jakub Hrozek
----
- src/providers/data_provider/dp_iface.h | 8 +--
- src/providers/data_provider_be.c | 2 +-
- 5 files changed, 5 insertions(+), 26 deletions(-)
-
-diff --git a/src/providers/data_provider/dp_iface.h b/src/providers/data_provider/dp_iface.h
-index 0b0855d..d1382cd 100644
---- a/src/providers/data_provider/dp_iface.h
-+++ b/src/providers/data_provider/dp_iface.h
-@@ -141,21 +141,21 @@ dp_get_account_domain_recv(TALLOC_CTX *mem_ctx,
- uint32_t *_error,
- const char **_err_msg);
- 
--/* org.freedesktop.sssd.DataProvider.Client */
-+/* sssd.DataProvider.Client */
- errno_t
- dp_client_register(TALLOC_CTX *mem_ctx,
- struct sbus_request *sbus_req,
- struct data_provider *provider,
- const char *name);
- 
--/* org.freedesktop.sssd.DataProvider.Backend */
-+/* sssd.DataProvider.Backend */
- errno_t dp_backend_is_online(TALLOC_CTX *mem_ctx,
- struct sbus_request *sbus_req,
- struct be_ctx *be_ctx,
- const char *domname,
- bool *_is_online);
- 
--/* org.freedesktop.sssd.DataProvider.Failover */
-+/* sssd.DataProvider.Failover */
- errno_t
- dp_failover_list_services(TALLOC_CTX *mem_ctx,
- struct sbus_request *sbus_req,
-@@ -177,7 +177,7 @@ dp_failover_list_servers(TALLOC_CTX *mem_ctx,
- const char *service_name,
- const char ***_servers);
- 
--/* org.freedesktop.sssd.DataProvider.AccessControl */
-+/* sssd.DataProvider.AccessControl */
- struct tevent_req *
- dp_access_control_refresh_rules_send(TALLOC_CTX *mem_ctx,
- struct tevent_context *ev,
-diff --git a/src/providers/data_provider_be.c b/src/providers/data_provider_be.c
-index 6d2477e..7043e7a 100644
---- a/src/providers/data_provider_be.c
-+++ b/src/providers/data_provider_be.c
-@@ -48,7 +48,7 @@
- #include "resolv/async_resolv.h"
- #include 
"sss_iface/sss_iface_async.h"
- 
--/* org.freedesktop.sssd.service */
-+/* sssd.service */
- static errno_t
- data_provider_res_init(TALLOC_CTX *mem_ctx,
- struct sbus_request *sbus_req,
-2.9.5
-
diff --git a/0064-CONFIGURE-Add-minimal-required-version-for-p11-kit.patch b/0064-CONFIGURE-Add-minimal-required-version-for-p11-kit.patch
deleted file mode 100644
index 249aa9c..0000000
--- a/0064-CONFIGURE-Add-minimal-required-version-for-p11-kit.patch
+++ /dev/null
@@ -1,44 +0,0 @@
-From 05ba237af582c1ca3780e5fe06ab3320494efe52 Mon Sep 17 00:00:00 2001
-From: Lukas Slebodnik
-Date: Sat, 13 Oct 2018 16:22:13 +0000
-Subject: [PATCH 80/83] CONFIGURE: Add minimal required version for p11-kit
-
-There are few functions which were added in upstream p11-kit 0.23.3.
-And there are compilation failures with older versions.
-
-src/p11_child/p11_child_openssl.c: In function 'get_pkcs11_uri':
-src/p11_child/p11_child_openssl.c:87:12: error: implicit declaration of function 'p11_kit_uri_get_slot_info' [-Werror=implicit-function-declaration]
- memcpy(p11_kit_uri_get_slot_info(uri), slot_info, sizeof(CK_SLOT_INFO));
- ^
-
-src/p11_child/p11_child_openssl.c:88:5: error: implicit declaration of function 'p11_kit_uri_set_slot_id' [-Werror=implicit-function-declaration]
- p11_kit_uri_set_slot_id(uri, slot_id);
- ^
-
-src/p11_child/p11_child_openssl.c: In function 'do_card':
-src/p11_child/p11_child_openssl.c:767:35: error: implicit declaration of function 'p11_kit_uri_get_slot_id' [-Werror=implicit-function-declaration]
- uri_slot_id = p11_kit_uri_get_slot_id(uri);
- ^
-src/p11_child/p11_child_openssl.c:770:32: error: implicit declaration of function 'p11_kit_uri_match_slot_info' [-Werror=implicit-function-declaration]
- || p11_kit_uri_match_slot_info(uri, &info) != 1) {
- ^
-Merges: https://pagure.io/SSSD/sssd/pull-request/3852
-
-Reviewed-by: Sumit Bose
----
- src/external/p11-kit.m4 | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/src/external/p11-kit.m4 b/src/external/p11-kit.m4
-index a959f43..eb0474f 100644
---- a/src/external/p11-kit.m4
-+++ b/src/external/p11-kit.m4
-@@ -1,4 +1,4 @@
- AC_SUBST(P11_KIT_CFLAGS)
- AC_SUBST(P11_KIT_LIBS)
- 
--PKG_CHECK_MODULES([P11_KIT], [p11-kit-1])
-+PKG_CHECK_MODULES([P11_KIT], [p11-kit-1 >= 0.23.3])
---
-2.9.5
-
diff --git a/0065-SBUS-Silence-warning-maybe-uninitialized.patch b/0065-SBUS-Silence-warning-maybe-uninitialized.patch
deleted file mode 100644
index 0d99b4f..0000000
--- a/0065-SBUS-Silence-warning-maybe-uninitialized.patch
+++ /dev/null
@@ -1,46 +0,0 @@
-From d143319bce8fc778df93fe7cd7ef4d03b7a3fc92 Mon Sep 17 00:00:00 2001
-From: Lukas Slebodnik
-Date: Sat, 13 Oct 2018 16:24:56 +0000
-Subject: [PATCH 81/83] SBUS: Silence warning maybe-uninitialized
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-It should not happen because function sbus_interface_find_property
-should return NULL for access different than SBUS_PROPERTY_READABLE
-or SBUS_PROPERTY_WRITABLE. And thus we would return ERR_SBUS_UNKNOWN_PROPERTY
-from the function sbus_request_property.
-
-src/sbus/interface/sbus_properties.c: In function 'sbus_request_property.isra.0':
-src/sbus/interface/sbus_properties.c:360:14:
- error: 'type' may be used uninitialized in this function
- [-Werror=maybe-uninitialized]
- sbus_req = sbus_request_create(mem_ctx, conn, type, destination,
- ~~~~~~~~~^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
- interface_name, property_name, path);
- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-cc1: all warnings being treated as errors
-
-Merges: https://pagure.io/SSSD/sssd/pull-request/3851
-
-Reviewed-by: Pavel Březina
----
- src/sbus/interface/sbus_properties.c | 2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/src/sbus/interface/sbus_properties.c b/src/sbus/interface/sbus_properties.c
-index bd15807..906e6db 100644
---- a/src/sbus/interface/sbus_properties.c
-+++ b/src/sbus/interface/sbus_properties.c
-@@ -355,6 +355,8 @@ sbus_request_property(TALLOC_CTX *mem_ctx,
- case SBUS_PROPERTY_WRITABLE:
- type = SBUS_REQUEST_PROPERTY_SET;
- break;
-+ default:
-+ return EINVAL;
- }
- 
- sbus_req = sbus_request_create(mem_ctx, conn, type, destination,
---
-2.9.5
-
diff --git a/0066-files-add-session-recording-flag.patch b/0066-files-add-session-recording-flag.patch
deleted file mode 100644
index 9f3cd3a..0000000
--- a/0066-files-add-session-recording-flag.patch
+++ /dev/null
@@ -1,136 +0,0 @@
-From 46c483c09b85cecf8d1cc72618da993d8948c894 Mon Sep 17 00:00:00 2001
-From: Sumit Bose
-Date: Mon, 15 Oct 2018 20:05:09 +0200
-Subject: [PATCH 82/83] files: add session recording flag
-
-If session recording is configured for a group the NSS ans PAM
-responder rely on a attribute in the cache set by the backend to
-determine is session recording is configured for the user or not. This
-flag is typically set during the initgroups request.
-
-Since the files provider does not have a dedicated initgroups request
-the attribute must be set otherwise. This patch sets is for all users
-after the files are reloaded.
-
-Related to https://pagure.io/SSSD/sssd/issue/3855
-
-Reviewed-by: Jakub Hrozek
----
- src/providers/data_provider/dp_iface.h | 3 ++
- src/providers/data_provider/dp_target_id.c | 62 ++++++++++++++++++++++++++++++
- src/providers/files/files_ops.c | 7 ++++
- 3 files changed, 72 insertions(+)
-
-diff --git a/src/providers/data_provider/dp_iface.h b/src/providers/data_provider/dp_iface.h
-index d1382cd..8635ae0 100644
---- a/src/providers/data_provider/dp_iface.h
-+++ b/src/providers/data_provider/dp_iface.h
-@@ -188,4 +188,7 @@ errno_t
- dp_access_control_refresh_rules_recv(TALLOC_CTX *mem_ctx,
- struct tevent_req *req);
- 
-+
-+errno_t
-+dp_add_sr_attribute(struct be_ctx *be_ctx);
- #endif /* DP_IFACE_H_ */
-diff --git a/src/providers/data_provider/dp_target_id.c b/src/providers/data_provider/dp_target_id.c
-index 265788b..748d886 100644
---- a/src/providers/data_provider/dp_target_id.c
-+++ b/src/providers/data_provider/dp_target_id.c
-@@ -328,6 +328,68 @@ done:
- talloc_free(tmp_ctx);
- }
- 
-+errno_t dp_add_sr_attribute(struct be_ctx *be_ctx)
-+{
-+ int ret;
-+ struct dp_initgr_ctx *dp_initgr_ctx = NULL;
-+ TALLOC_CTX *tmp_ctx = NULL;
-+ struct dp_id_data *data;
-+ size_t msgs_count;
-+ struct ldb_message **msgs = NULL;
-+ const char *attrs[] = {SYSDB_NAME, NULL};
-+ size_t c;
-+
-+ tmp_ctx = talloc_new(NULL);
-+ if (tmp_ctx == NULL) {
-+ DEBUG(SSSDBG_OP_FAILURE, "talloc_new failed.\n");
-+ return ENOMEM;
-+ }
-+
-+ ret = sysdb_search_users(tmp_ctx, be_ctx->domain, "("SYSDB_NAME "=*)", attrs,
-+ &msgs_count, &msgs);
-+ if (ret != EOK) {
-+ DEBUG(SSSDBG_OP_FAILURE, "sysdb_search_users failed.\n");
-+ goto done;
-+ }
-+
-+ data = talloc_zero(tmp_ctx, struct dp_id_data);
-+ if (data == NULL) {
-+ ret = ENOMEM;
-+ goto done;
-+ }
-+
-+ data->entry_type = BE_REQ_INITGROUPS;
-+ data->filter_type = BE_FILTER_NAME;
-+ data->filter_value = NULL;
-+ data->extra_value = NULL;
-+ data->domain = be_ctx->domain->name;
-+
-+ for (c = 0; c < msgs_count; c++) {
-+ data->filter_value = ldb_msg_find_attr_as_string(msgs[c], SYSDB_NAME,
-+ NULL);
-+ if (data->filter_value == NULL) {
-+ DEBUG(SSSDBG_CRIT_FAILURE,
-+ "Cache object [%s] does not have a name, skipping.\n",
-+ ldb_dn_get_linearized(msgs[c]->dn));
-+ continue;
-+ }
-+
-+ talloc_free(dp_initgr_ctx);
-+ ret = dp_create_initgroups_ctx(tmp_ctx, be_ctx, data, &dp_initgr_ctx);
-+ if (ret != EOK) {
-+ DEBUG(SSSDBG_OP_FAILURE, "dp_create_initgroups_ctx failed.\n");
-+ goto done;
-+ }
-+
-+ dp_req_initgr_pp_sr_overlay(be_ctx->provider, dp_initgr_ctx);
-+ }
-+
-+done:
-+ talloc_free(tmp_ctx);
-+
-+ return ret;
-+}
-+
- static errno_t set_initgroups_expire_attribute(struct sss_domain_info *domain,
- const char *name)
- {
-diff --git a/src/providers/files/files_ops.c b/src/providers/files/files_ops.c
-index f5a4029..74f77b5 100644
---- a/src/providers/files/files_ops.c
-+++ b/src/providers/files/files_ops.c
-@@ -26,6 +26,7 @@
- #include "db/sysdb.h"
- #include "util/inotify.h"
- #include "util/util.h"
-+#include "providers/data_provider/dp_iface.h"
- 
- /* When changing this constant, make sure to also adjust the files integration
- * test for reallocation branch
-@@ -771,6 +772,12 @@ static errno_t sf_enum_files(struct files_id_ctx *id_ctx,
- }
- }
- 
-+ ret = dp_add_sr_attribute(id_ctx->be);
-+ if (ret != EOK) {
-+ DEBUG(SSSDBG_CRIT_FAILURE,
-+ "Failed to add session 
recording attribute, ignored.\n");
-+ }
-+
- ret = sysdb_transaction_commit(id_ctx->domain->sysdb);
- if (ret != EOK) {
- goto done;
---
-2.9.5
-
diff --git a/0067-UTIL-Suppress-Coverity-warning.patch b/0067-UTIL-Suppress-Coverity-warning.patch
deleted file mode 100644
index 56da74e..0000000
--- a/0067-UTIL-Suppress-Coverity-warning.patch
+++ /dev/null
@@ -1,43 +0,0 @@
-From fc29c3eb9750c5e7def4e1ab6eb18f4f5024f567 Mon Sep 17 00:00:00 2001
-From: Jakub Hrozek
-Date: Tue, 16 Oct 2018 10:42:43 +0200
-Subject: [PATCH 83/83] UTIL: Suppress Coverity warning
-
-We recently added this code:
- if (domain_name != NULL
- && is_files_provider(find_domain_by_name(dom,
- domain_name,
- false)))
-
-find_domain_by_name returns NULL if the domain_name can't be found. This
-of course makes mostly sense for trusted domains that can appear and
-disappear. And is_files_provider() didn't handle the situation where the
-domain pointer was NULL and would directly dereference it.
-
-This commit just adds a NULL check for the domain pointer so that
-is_files_provider() returns 'false' if the domain pointer was NULL.
-
-Another alternative might be to check the return value of
-find_domain_by_name(), but I don't think it's worth the trouble.
-
-Reviewed-by: Sumit Bose
----
- src/util/domain_info_utils.c | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-
-diff --git a/src/util/domain_info_utils.c b/src/util/domain_info_utils.c
-index 8bef6c9..ffb8cdf 100644
---- a/src/util/domain_info_utils.c
-+++ b/src/util/domain_info_utils.c
-@@ -931,6 +931,7 @@ bool sss_domain_info_get_output_fqnames(struct sss_domain_info *domain)
- 
- bool is_files_provider(struct sss_domain_info *domain)
- {
-- return domain->provider != NULL &&
-+ return domain != NULL &&
-+ domain->provider != NULL &&
- strcasecmp(domain->provider, "files") == 0;
- }
---
-2.9.5
-
diff --git a/0068-UTIL-move-and-rename-sysdb_error_to_errno-to-utils.patch b/0068-UTIL-move-and-rename-sysdb_error_to_errno-to-utils.patch
deleted file mode 100644
index 46f690c..0000000
--- a/0068-UTIL-move-and-rename-sysdb_error_to_errno-to-utils.patch
+++ /dev/null
@@ -1,360 +0,0 @@ -From f62f3b290cb5393bf9c4a9c2c424fd5c5185fe44 Mon Sep 17 00:00:00 2001 -From: Tomas Halman -Date: Wed, 3 Oct 2018 11:44:13 +0200 -Subject: [PATCH 1/5] UTIL: move and rename sysdb_error_to_errno to utils -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -The function sysdb_error_to_errno() is used by multiple component, -so we want to move it to shared place. Function is renamed to -sss_ldb_error_to_errno() and moved to util/util_errors.c. - -Old name is still #defined in sysdb.h and points to new -name. - -Also few places where ldb error code was handled manually -has been updated to use sss_ldb_error_to_errno. - -Resolves: -https://pagure.io/SSSD/sssd/issue/3802 - -Reviewed-by: Jakub Hrozek -Reviewed-by: Michal Židek ---- - src/confdb/confdb.c | 6 ++--- - src/confdb/confdb_setup.c | 6 ++--- - src/db/sysdb.c | 25 --------------------- - src/db/sysdb.h | 6 ++--- - .../common/cache_req/cache_req_sr_overlay.c | 4 ++-- - src/responder/ifp/ifp_cache.c | 2 +- - src/tools/sss_override.c | 6 ++--- - src/util/secrets/secrets.c | 26 +++++++--------------- - src/util/util_errors.c | 25 +++++++++++++++++++++ - src/util/util_errors.h | 3 +++ - 10 files changed, 51 insertions(+), 58 deletions(-) - -diff --git a/src/confdb/confdb.c b/src/confdb/confdb.c -index fdc6122..b0d886c 100644 ---- a/src/confdb/confdb.c -+++ b/src/confdb/confdb.c -@@ -842,7 +842,7 @@ static int confdb_get_domain_section(TALLOC_CTX *mem_ctx, - ret = ldb_search(cdb->ldb, tmp_ctx, &res, dn, - LDB_SCOPE_BASE, NULL, NULL); - if (ret != LDB_SUCCESS) { -- ret = sysdb_error_to_errno(ret); -+ ret = sss_ldb_error_to_errno(ret); - goto done; - } - -@@ -2076,7 +2076,7 @@ static int confdb_merge_parent_domain(const char *name, - - ret = ldb_modify(cdb->ldb, replace_msg); - if (ret != LDB_SUCCESS) { -- ret = sysdb_error_to_errno(ret); -+ ret = sss_ldb_error_to_errno(ret); - DEBUG(SSSDBG_OP_FAILURE, - "Inheriting options from parent domain failed [%d]: 
%s\n", - ret, sss_strerror(ret)); -@@ -2131,7 +2131,7 @@ static int confdb_merge_parent_domain(const char *name, - */ - ret = sss_ldb_modify_permissive(cdb->ldb, app_msg); - if (ret != LDB_SUCCESS) { -- ret = sysdb_error_to_errno(ret); -+ ret = sss_ldb_error_to_errno(ret); - DEBUG(SSSDBG_OP_FAILURE, - "Adding app-specific options failed [%d]: %s\n", - ret, sss_strerror(ret)); -diff --git a/src/confdb/confdb_setup.c b/src/confdb/confdb_setup.c -index 5e35589..c2b7f9f 100644 ---- a/src/confdb/confdb_setup.c -+++ b/src/confdb/confdb_setup.c -@@ -96,7 +96,7 @@ static int confdb_purge(struct confdb_ctx *cdb) - ret = ldb_search(cdb->ldb, tmp_ctx, &res, dn, - LDB_SCOPE_SUBTREE, attrs, NULL); - if (ret != LDB_SUCCESS) { -- ret = sysdb_error_to_errno(ret); -+ ret = sss_ldb_error_to_errno(ret); - goto done; - } - -@@ -104,7 +104,7 @@ static int confdb_purge(struct confdb_ctx *cdb) - /* Delete this DN */ - ret = ldb_delete(cdb->ldb, res->msgs[i]->dn); - if (ret != LDB_SUCCESS) { -- ret = sysdb_error_to_errno(ret); -+ ret = sss_ldb_error_to_errno(ret); - goto done; - } - } -@@ -313,7 +313,7 @@ static int confdb_init_db(const char *config_file, const char *config_dir, - DEBUG(SSSDBG_FATAL_FAILURE, - "Failed to start a transaction for " - "updating the configuration\n"); -- ret = sysdb_error_to_errno(ret); -+ ret = sss_ldb_error_to_errno(ret); - goto done; - } - in_transaction = true; -diff --git a/src/db/sysdb.c b/src/db/sysdb.c -index 06d7f27..51acb86 100644 ---- a/src/db/sysdb.c -+++ b/src/db/sysdb.c -@@ -871,31 +871,6 @@ char *sysdb_group_strdn(TALLOC_CTX *mem_ctx, - return build_dom_dn_str_escape(mem_ctx, SYSDB_TMPL_GROUP, domain, name); - } - --/* TODO: make a more complete and precise mapping */ --int sysdb_error_to_errno(int ldberr) --{ -- switch (ldberr) { -- case LDB_SUCCESS: -- return EOK; -- case LDB_ERR_OPERATIONS_ERROR: -- return EIO; -- case LDB_ERR_NO_SUCH_OBJECT: -- return ENOENT; -- case LDB_ERR_BUSY: -- return EBUSY; -- case LDB_ERR_ATTRIBUTE_OR_VALUE_EXISTS: 
-- case LDB_ERR_ENTRY_ALREADY_EXISTS: -- return EEXIST; -- case LDB_ERR_INVALID_ATTRIBUTE_SYNTAX: -- return EINVAL; -- default: -- DEBUG(SSSDBG_CRIT_FAILURE, -- "LDB returned unexpected error: [%s]\n", -- ldb_strerror(ldberr)); -- return EFAULT; -- } --} -- - /* =Transactions========================================================== */ - - int sysdb_transaction_start(struct sysdb_ctx *sysdb) -diff --git a/src/db/sysdb.h b/src/db/sysdb.h -index 2187947..f6e3160 100644 ---- a/src/db/sysdb.h -+++ b/src/db/sysdb.h -@@ -454,9 +454,6 @@ errno_t sysdb_get_highest_usn(TALLOC_CTX *mem_ctx, - size_t num_attrs, - char **_usn); - --/* convert an ldb error into an errno error */ --int sysdb_error_to_errno(int ldberr); -- - /* DNs related helper functions */ - errno_t sysdb_get_rdn(struct sysdb_ctx *sysdb, TALLOC_CTX *mem_ctx, - const char *dn, char **_name, char **_val); -@@ -1434,4 +1431,7 @@ errno_t sysdb_handle_original_uuid(const char *orig_name, - struct sysdb_attrs *dest_attrs, - const char *dest_name); - -+/* define old name for backward compatibility */ -+#define sysdb_error_to_errno(ldberr) sss_ldb_error_to_errno(ldberr) -+ - #endif /* __SYS_DB_H__ */ -diff --git a/src/responder/common/cache_req/cache_req_sr_overlay.c b/src/responder/common/cache_req/cache_req_sr_overlay.c -index 60da26f..b06a80a 100644 ---- a/src/responder/common/cache_req/cache_req_sr_overlay.c -+++ b/src/responder/common/cache_req/cache_req_sr_overlay.c -@@ -192,7 +192,7 @@ static errno_t cache_req_sr_overlay_match_users( - } - lret = ldb_msg_add_string(msg, SYSDB_SESSION_RECORDING, enabled_str); - if (lret != LDB_SUCCESS) { -- ret = sysdb_error_to_errno(lret); -+ ret = sss_ldb_error_to_errno(lret); - CACHE_REQ_DEBUG(SSSDBG_CRIT_FAILURE, cr, - "Failed adding %s attribute: %s\n", - SYSDB_SESSION_RECORDING, sss_strerror(ret)); -@@ -279,7 +279,7 @@ static void cache_req_sr_overlay_match_all_step_done( - } - lret = ldb_msg_add_string(msg, SYSDB_SESSION_RECORDING, enabled_copy); - if (lret != 
LDB_SUCCESS) { -- ret = sysdb_error_to_errno(lret); -+ ret = sss_ldb_error_to_errno(lret); - CACHE_REQ_DEBUG(SSSDBG_CRIT_FAILURE, state->cr, - "Failed adding %s attribute: %s\n", - SYSDB_SESSION_RECORDING, sss_strerror(ret)); -diff --git a/src/responder/ifp/ifp_cache.c b/src/responder/ifp/ifp_cache.c -index 083f274..27681d0 100644 ---- a/src/responder/ifp/ifp_cache.c -+++ b/src/responder/ifp/ifp_cache.c -@@ -119,7 +119,7 @@ ifp_cache_get_cached_objects(TALLOC_CTX *mem_ctx, - SYSDB_IFP_CACHED); - if (ldb_ret != LDB_SUCCESS) { - DEBUG(SSSDBG_CRIT_FAILURE, "Unable to search the cache\n"); -- ret = sysdb_error_to_errno(ldb_ret); -+ ret = sss_ldb_error_to_errno(ldb_ret); - goto done; - } - -diff --git a/src/tools/sss_override.c b/src/tools/sss_override.c -index 21fe62d..a12aa27 100644 ---- a/src/tools/sss_override.c -+++ b/src/tools/sss_override.c -@@ -936,7 +936,7 @@ static errno_t override_object_del(struct sss_domain_info *domain, - ret = ldb_msg_add_empty(msg, SYSDB_OVERRIDE_DN, LDB_FLAG_MOD_DELETE, NULL); - if (ret != LDB_SUCCESS) { - DEBUG(SSSDBG_OP_FAILURE, "ldb_msg_add_empty() failed\n"); -- ret = sysdb_error_to_errno(ret); -+ ret = sss_ldb_error_to_errno(ret); - goto done; - } - -@@ -945,7 +945,7 @@ static errno_t override_object_del(struct sss_domain_info *domain, - DEBUG(SSSDBG_OP_FAILURE, - "ldb_modify() failed: [%s](%d)[%s]\n", - ldb_strerror(ret), ret, ldb_errstring(ldb)); -- ret = sysdb_error_to_errno(ret); -+ ret = sss_ldb_error_to_errno(ret); - goto done; - } - -@@ -1025,7 +1025,7 @@ static errno_t append_name(struct sss_domain_info *domain, - - ret = ldb_msg_add_string(override, ORIGNAME, fqname); - if (ret != LDB_SUCCESS) { -- ret = sysdb_error_to_errno(ret); -+ ret = sss_ldb_error_to_errno(ret); - DEBUG(SSSDBG_CRIT_FAILURE, "Unable to add attribute to msg\n"); - goto done; - } -diff --git a/src/util/secrets/secrets.c b/src/util/secrets/secrets.c -index ca3e657..6a317a0 100644 ---- a/src/util/secrets/secrets.c -+++ b/src/util/secrets/secrets.c -@@ 
-417,17 +417,16 @@ static int local_db_create(struct sss_sec_req *req) - } - - ret = ldb_add(req->sctx->ldb, msg); -- if (ret != EOK) { -+ if (ret != LDB_SUCCESS) { - if (ret == LDB_ERR_ENTRY_ALREADY_EXISTS) { - DEBUG(SSSDBG_OP_FAILURE, - "Secret %s already exists\n", ldb_dn_get_linearized(msg->dn)); -- ret = EEXIST; - } else { - DEBUG(SSSDBG_CRIT_FAILURE, - "Failed to add secret [%s]: [%d]: %s\n", - ldb_dn_get_linearized(msg->dn), ret, ldb_strerror(ret)); -- ret = EIO; - } -+ ret = sss_ldb_error_to_errno (ret); - goto done; - } - -@@ -1109,17 +1108,16 @@ errno_t sss_sec_put(struct sss_sec_req *req, - } - - ret = ldb_add(req->sctx->ldb, msg); -- if (ret != EOK) { -+ if (ret != LDB_SUCCESS) { - if (ret == LDB_ERR_ENTRY_ALREADY_EXISTS) { - DEBUG(SSSDBG_OP_FAILURE, - "Secret %s already exists\n", ldb_dn_get_linearized(msg->dn)); -- ret = EEXIST; - } else { - DEBUG(SSSDBG_CRIT_FAILURE, - "Failed to add secret [%s]: [%d]: %s\n", - ldb_dn_get_linearized(msg->dn), ret, ldb_strerror(ret)); -- ret = EIO; - } -+ ret = sss_ldb_error_to_errno (ret); - goto done; - } - -@@ -1210,13 +1208,13 @@ errno_t sss_sec_update(struct sss_sec_req *req, - ret = ldb_modify(req->sctx->ldb, msg); - if (ret == LDB_ERR_NO_SUCH_OBJECT) { - DEBUG(SSSDBG_MINOR_FAILURE, "No such object to modify\n"); -- ret = ENOENT; -+ ret = sss_ldb_error_to_errno (ret); - goto done; - } else if (ret != LDB_SUCCESS) { - DEBUG(SSSDBG_MINOR_FAILURE, - "ldb_modify failed: [%s](%d)[%s]\n", - ldb_strerror(ret), ret, ldb_errstring(req->sctx->ldb)); -- ret = EIO; -+ ret = sss_ldb_error_to_errno (ret); - goto done; - } - -@@ -1282,20 +1280,12 @@ errno_t sss_sec_delete(struct sss_sec_req *req) - /* fall through */ - } - -- switch (ret) { -- case LDB_SUCCESS: -- ret = EOK; -- break; -- case LDB_ERR_NO_SUCH_OBJECT: -- ret = ENOENT; -- break; -- default: -+ if (ret != LDB_SUCCESS && ret != LDB_ERR_NO_SUCH_OBJECT) { - DEBUG(SSSDBG_CRIT_FAILURE, - "LDB returned unexpected error: [%s]\n", - ldb_strerror(ret)); -- ret = EFAULT; -- 
break; - } -+ ret = sss_ldb_error_to_errno (ret); - - done: - talloc_free(tmp_ctx); -diff --git a/src/util/util_errors.c b/src/util/util_errors.c -index 5f8a2a2..d3f5e89 100644 ---- a/src/util/util_errors.c -+++ b/src/util/util_errors.c -@@ -19,6 +19,7 @@ - */ - - #include "util/util.h" -+#include - - struct err_string { - const char *msg; -@@ -146,3 +147,27 @@ const char *sss_strerror(errno_t error) - return strerror(error); - } - -+/* TODO: make a more complete and precise mapping */ -+errno_t sss_ldb_error_to_errno(int ldberr) -+{ -+ switch (ldberr) { -+ case LDB_SUCCESS: -+ return EOK; -+ case LDB_ERR_OPERATIONS_ERROR: -+ return EIO; -+ case LDB_ERR_NO_SUCH_OBJECT: -+ return ENOENT; -+ case LDB_ERR_BUSY: -+ return EBUSY; -+ case LDB_ERR_ATTRIBUTE_OR_VALUE_EXISTS: -+ case LDB_ERR_ENTRY_ALREADY_EXISTS: -+ return EEXIST; -+ case LDB_ERR_INVALID_ATTRIBUTE_SYNTAX: -+ return EINVAL; -+ default: -+ DEBUG(SSSDBG_CRIT_FAILURE, -+ "LDB returned unexpected error: [%i]\n", -+ ldberr); -+ return EFAULT; -+ } -+} -diff --git a/src/util/util_errors.h b/src/util/util_errors.h -index c6731d4..a799bba 100644 ---- a/src/util/util_errors.h -+++ b/src/util/util_errors.h -@@ -178,4 +178,7 @@ enum sssd_errors { - */ - const char *sss_strerror(errno_t error); - -+/* return ldb error converted to an errno */ -+errno_t sss_ldb_error_to_errno(int ldberr); -+ - #endif /* __SSSD_UTIL_ERRORS_H__ */ --- -2.9.5 - diff --git a/0069-PYSSS-Re-add-the-pysss.getgrouplist-interface.patch b/0069-PYSSS-Re-add-the-pysss.getgrouplist-interface.patch deleted file mode 100644 index d030d1e..0000000 --- a/0069-PYSSS-Re-add-the-pysss.getgrouplist-interface.patch +++ /dev/null 
@@ -1,121 +0,0 @@
-From f0603645f5ea5f707875807b4f815400f4b79e41 Mon Sep 17 00:00:00 2001
-From: Jakub Hrozek
-Date: Wed, 24 Oct 2018 09:41:44 +0200
-Subject: [PATCH 5/5] PYSSS: Re-add the pysss.getgrouplist() interface
-
-Related:
-https://pagure.io/SSSD/sssd/issue/3493
-
-Commit 0e211b8ba30c3adcdeef21ca1339b194cbfffb04 was supposed to remove
-only the parts of the pysss API that relate to the local domain. But it
-removed also the getgrouplist() method by accident. This method is very
-important to IPA, so we need to add it back.
-
-Reviewed-by: Alexander Bokovoy
---
- src/python/pysss.c | 83 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
- 1 file changed, 83 insertions(+)
-
-diff --git a/src/python/pysss.c b/src/python/pysss.c
-index e92653a..78b8de0 100644
---- a/src/python/pysss.c
-+++ b/src/python/pysss.c
-@@ -215,12 +215,95 @@ static PyTypeObject pysss_password_type = {
- .tp_doc = sss_py_const_p(char, "SSS password obfuscation"),
- };
- 
-+/*
-+ * Get list of groups user belongs to
-+ */
-+PyDoc_STRVAR(py_sss_getgrouplist__doc__,
-+ "Get list of groups user belongs to.\n\n"
-+ "NOTE: The interface uses the system NSS calls and is not limited to "
-+ "users served by the SSSD!\n"
-+ ":param username: name of user to get list for\n");
-+
-+static PyObject *py_sss_getgrouplist(PyObject *self, PyObject *args)
-+{
-+ char *username = NULL;
-+ gid_t *groups = NULL;
-+ struct passwd *pw;
-+ struct group *gr;
-+ int ngroups;
-+ int ret;
-+ Py_ssize_t i, idx;
-+ PyObject *groups_tuple;
-+
-+ if(!PyArg_ParseTuple(args, discard_const_p(char, "s"), &username)) {
-+ goto fail;
-+ }
-+
-+ pw = getpwnam(username);
-+ if (pw == NULL) {
-+ goto fail;
-+ }
-+
-+ ngroups = 32;
-+ groups = malloc(sizeof(gid_t) * ngroups);
-+ if (groups == NULL) {
-+ goto fail;
-+ }
-+
-+ do {
-+ ret = getgrouplist(username, pw->pw_gid, groups, &ngroups);
-+ if (ret < ngroups) {
-+ gid_t *tmp_groups = realloc(groups, ngroups * sizeof(gid_t));
-+ if (tmp_groups == NULL) {
-+ goto fail;
-+ }
-+ groups = tmp_groups;
-+ }
-+ } while (ret != ngroups);
-+
-+ groups_tuple = PyTuple_New((Py_ssize_t) ngroups);
-+ if (groups_tuple == NULL) {
-+ goto fail;
-+ }
-+
-+ /* Populate a tuple with names of groups
-+ * In unlikely case of group not being able to resolve, skip it
-+ * We also need to resize resulting tuple to avoid empty elements there */
-+ idx = 0;
-+ for (i = 0; i < ngroups; i++) {
-+ gr = getgrgid(groups[i]);
-+ if (gr) {
-+ PyTuple_SetItem(groups_tuple, idx,
-+#ifdef IS_PY3K
-+ PyUnicode_FromString(gr->gr_name)
-+#else
-+ PyString_FromString(gr->gr_name)
-+#endif
-+ );
-+ idx++;
-+ }
-+ }
-+ free(groups);
-+ groups = NULL;
-+
-+ if (i != idx) {
-+ _PyTuple_Resize(&groups_tuple, idx);
-+ }
-+
-+ return groups_tuple;
-+
-+fail:
-+ free(groups);
-+ return NULL;
-+}
-+
- /* ==================== the sss module initialization =======================*/
- 
- /*
- * Module methods
- */
- static PyMethodDef module_methods[] = {
-+ {"getgrouplist", py_sss_getgrouplist, METH_VARARGS, py_sss_getgrouplist__doc__},
- {NULL, NULL, 0, NULL} /* Sentinel */
- };
- 
---
-2.9.5
-
diff --git a/sources b/sources
index 6c7baa1..339e4a8 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-SHA512 (sssd-2.0.0.tar.gz) = affeb0799d8a4fcbcb4b2ed7925b397ae6ba0e2982c5603e98636b765d3820a3b29ac58b0771e5cc00c752512f091ae4fd271d441544147a0570d3c14b535701
+SHA512 (sssd-2.1.0.tar.gz) = 12a7e5b89d462350af3c43e15b24a437dd985ac4a2e419d5e52cc0d05c6eacb9319d39b23681595ef860120cd1ae6e5fb265054afeddcb05d3d5f5de5d6ffa63
diff --git a/sssd.spec b/sssd.spec
index c00ac1c..1ef5621 100644
--- a/sssd.spec
+++ b/sssd.spec
@@ -35,99 +35,19 @@ %endif Name: sssd
-Version: 2.0.0
-Release: 9%{?dist}
+Version: 2.1.0
+Release: 1%{?dist}
 Summary: System Security Services Daemon
 License: GPLv3+
 URL: https://pagure.io/SSSD/sssd/
 Source0: https://releases.pagure.org/SSSD/sssd/%{name}-%{version}.tar.gz
 ### Patches ###
-Patch0001: 0001-BUILD-Fix-issue-with-installation-of-libsss_secrets.patch
-Patch0002: 0002-BUILD-Add-missing-deps-to-libsss_sbus-.so.patch
-Patch0003: 0003-BUILD-Reduce-compilation-of-unnecessary-files.patch
-Patch0004: 0004-KCM-Don-t-error-out-if-creating-a-new-ID-as-the-firs.patch
-Patch0005: 0005-sbus-register-filter-on-new-connection.patch
-Patch0006: 0006-sbus-fix-typo.patch
-Patch0007: 0007-sbus-check-for-null-message-in-sbus_message_bound.patch
-Patch0008: 0008-sbus-replace-sbus_message_bound_ref-with-sbus_messag.patch
-Patch0009: 0009-sbus-add-unit-tests-for-public-sbus_message-module.patch
-Patch0010: 0010-SELINUX-Always-add-SELinux-user-to-the-semanage-data.patch
-Patch0011: 0011-intg-flush-the-SSSD-caches-to-sync-with-files.patch
-Patch0012: 0012-sbus-dectect-python-binary-for-sbus_generate.sh.patch
-Patch0013: 0013-sudo-respect-case-sensitivity-in-sudo-responder.patch
-Patch0014: 0014-GPO-Add-gpo_implicit_deny-option.patch
-Patch0015: 0015-Skip-local-domain-if-not-supported.patch
-Patch0016: 0016-sysdb-extract-sysdb_ldb_msg_attr_to_certmap_info-cal.patch
-Patch0017: 0017-sysdb_ldb_msg_attr_to_certmap_info-set-SSS_CERTMAP_M.patch
-Patch0018: 0018-sysdb-add-attr_map-attribute-to-sysdb_ldb_msg_attr_t.patch
-Patch0019: 0019-confdb-add-confdb_certmap_to_sysdb.patch
-Patch0020: 0020-AD-LDAP-read-certificate-mapping-rules-from-config-f.patch
-Patch0021: 0021-sysdb-sysdb_certmap_add-handle-domains-more-flexible.patch
-Patch0022: 0022-confdb-add-special-handling-for-rules-for-the-files-.patch
-Patch0023: 0023-files-add-support-for-Smartcard-authentication.patch
-Patch0024: 0024-responder-make-sure-SSS_DP_CERT-is-passed-to-files-p.patch
-Patch0025: 
0025-PAM-add-certificate-matching-rules-from-all-domains.patch
-Patch0026: 0026-doc-add-certificate-mapping-section-to-man-page.patch
-Patch0027: 0027-intg-user-default-locale.patch
-Patch0028: 0028-PAM-use-better-PAM-error-code-for-failed-Smartcard-a.patch
-Patch0029: 0029-test_ca-test-library-only-for-readable.patch
-Patch0030: 0030-test_ca-set-a-password-PIN-to-nss-databases.patch
-Patch0031: 0031-getsockopt_wrapper-add-support-for-PAM-clients.patch
-Patch0032: 0032-intg-add-Smartcard-authentication-tests.patch
-Patch0033: 0033-proxy-access-provider-directly-not-through-be_ctx.patch
-Patch0034: 0034-dp-set-be_ctx-provider-as-part-of-dp_init-request.patch
-Patch0035: 0035-sbus-read-destination-after-sender-is-set.patch
-Patch0036: 0036-sbus-do-not-try-to-remove-signal-listeners-when-disc.patch
-Patch0037: 0037-sbus-free-watch_fd-fdevent-explicitly.patch
-Patch0038: 0038-doc-remove-local-provider-reference-from-manpages.patch
-Patch0039: 0039-confdb-log-an-error-when-domain-is-misconfigured.patch
-Patch0040: 0040-be-use-be_is_offline-for-the-main-domain-when-asking.patch
-Patch0041: 0041-p11-handle-multiple-certs-during-auth-with-OpenSSL.patch
-Patch0042: 0042-doc-Add-nsswitch.conf-note-to-manpage.patch
-Patch0043: 0043-MAN-Fix-typo-in-ad_gpo_implicit_deny-default-value.patch
-Patch0044: 0044-p11_child-add-wait_for_card-option.patch
-Patch0045: 0045-PAM-add-p11_wait_for_card_timeout-option.patch
-Patch0046: 0046-pam_sss-make-flags-public.patch
-Patch0047: 0047-pam_sss-add-try_cert_auth-option.patch
-Patch0048: 0048-pam_sss-add-option-require_cert_auth.patch
-Patch0049: 0049-intg-require-SC-tests.patch
-Patch0050: 0050-p11_child-show-PKCS-11-URI-in-debug-output.patch
-Patch0051: 0051-p11_child-add-PKCS-11-uri-to-restrict-selection.patch
-Patch0052: 0052-PAM-add-p11_uri-option.patch
-Patch0053: 0053-tests-add-PKCS-11-URI-tests.patch
-Patch0054: 0054-test_config-Test-for-invalid-characker-in-domain.patch
-Patch0055: 
0055-PAM-return-short-name-for-files-provider-users.patch
-Patch0056: 0056-TESTS-Add-a-test-for-whitespace-trimming-in-netgroup.patch
-Patch0057: 0057-FILES-The-files-provider-should-not-enumerate.patch
-Patch0058: 0058-p11_child-add-OCSP-check-ot-the-OpenSSL-version.patch
-Patch0059: 0059-p11_child-add-crl_file-option-for-the-OpenSSL-build.patch
-Patch0060: 0060-p11-Fix-two-instances-of-Wmaybe-uninitialized-in-p11.patch
-Patch0061: 0061-sudo-use-correct-sbus-interface.patch
-Patch0062: 0062-sudo-fix-error-handling-in-sudosrv_refresh_rules_don.patch
-Patch0063: 0063-sbus-remove-leftovers-from-previous-implementation.patch
-Patch0064: 0064-CONFIGURE-Add-minimal-required-version-for-p11-kit.patch
-Patch0065: 0065-SBUS-Silence-warning-maybe-uninitialized.patch
-Patch0066: 0066-files-add-session-recording-flag.patch
-Patch0067: 0067-UTIL-Suppress-Coverity-warning.patch
-Patch0068: 0068-UTIL-move-and-rename-sysdb_error_to_errno-to-utils.patch
-Patch0069: 0069-PYSSS-Re-add-the-pysss.getgrouplist-interface.patch
-
-# not in sequence, backported to fix build with newer krb5
-Patch0400: 0001-tests-fix-mocking-krb5_creds-in-test_copy_ccache.patch
-Patch0401: 0001-BUILD-Accept-krb5-1.17-for-building-the-PAC-plugin.patch
-# not in sequence, backports to fix RHBZ #1676946
-Patch0402: 0001-sbus-avoid-using-invalid-stack-point-in-SBUS_INTERFA.patch
-Patch0403: 0002-sbus-improve-documentation-of-SBUS_INTERFACE.patch
-Patch0404: 0003-sbus-interface-fixed-interface-copy-helpers.patch
+# Patch0001:
 ### Downstream only patches ###
 Patch0502: 0502-SYSTEMD-Use-capabilities.patch
-# https://github.com/SSSD/sssd/pull/715
-# https://bugzilla.redhat.com/show_bug.cgi?id=1654537
-Patch1000: 0001-sbus-use-120-second-default-timeout.patch
-
 ### Dependencies ###
 Requires: sssd-common = %{version}-%{release}
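Review bot: The out-of-sequence backports Patch0400–Patch0404 and the downstream Patch1000 (the sbus 120-second default timeout, with the pull-request and bug links on the removed comment lines) are dropped together with the upstream series, but nothing in the hunk records that those fixes are contained in the 2.1.0 tarball, so the next rebase has nothing to check against. A comment under `### Patches ###` naming what supersedes them would close that gap, e.g. `# Patch0400-0404 and Patch1000 are included in upstream 2.1.0 (see <UPSTREAM-COMMIT-OR-RELNOTE placeholder>)`. The added `+# Patch0001:` is an empty, commented-out tag; either drop it or turn it into a real note such as `# no upstream patches carried at this release`.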
@@ -193,6 +113,7 @@ BuildRequires: selinux-policy-targeted
 BuildRequires: libcmocka-devel >= 1.0.0
 BuildRequires: uid_wrapper
 BuildRequires: nss_wrapper
+BuildRequires: pam_wrapper
 BuildRequires: libnl3-devel
 BuildRequires: systemd-devel
 BuildRequires: systemd
@@ -811,12 +732,12 @@ done
 %dir %{sssdstatedir}
 %dir %{_localstatedir}/cache/krb5rcache
 %attr(700,root,root) %dir %{dbpath}
-%attr(755,root,root) %dir %{mcpath}
+%attr(775,root,root) %dir %{mcpath}
 %attr(700,root,root) %dir %{secdbpath}
 %attr(751,root,root) %dir %{deskprofilepath}
-%ghost %attr(0644,root,root) %verify(not md5 size mtime) %{mcpath}/passwd
-%ghost %attr(0644,root,root) %verify(not md5 size mtime) %{mcpath}/group
-%ghost %attr(0644,root,root) %verify(not md5 size mtime) %{mcpath}/initgroups
+%ghost %attr(0664,root,root) %verify(not md5 size mtime) %{mcpath}/passwd
+%ghost %attr(0664,root,root) %verify(not md5 size mtime) %{mcpath}/group
+%ghost %attr(0664,root,root) %verify(not md5 size mtime) %{mcpath}/initgroups
 %attr(755,root,root) %dir %{pipepath}
 %attr(700,root,root) %dir %{pipepath}/private
 %attr(755,root,root) %dir %{pubconfpath}
@@ -1147,6 +1068,10 @@ fi
 %{_libdir}/%{name}/modules/libwbclient.so
 %changelog
+* Wed Mar 27 2019 Michal Židek - 2.1.0-1
+- Update to latest released upstream version
+- https://docs.pagure.org/SSSD.sssd/users/relnotes/notes_2_1_0.html
+
 * Wed Feb 13 2019 Sinny Kumari - 2.0.0-9
 - Resolves: rhbz#1667444
 - sssd: make python3-sssdconfig as suggest
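Review bot: In the `@@ -811` hunk the `%{mcpath}` directory goes from 755 to 775 and the ghost `passwd`/`group`/`initgroups` caches from 0644 to 0664 with no comment saying who needs group write; these are the memory-cache files the NSS client maps into every process that resolves names, so write access to them is influence over name-service answers system-wide. With `root,root` in `%attr` the package-level widening is limited to the root group, but if the service re-owns the directory to an unprivileged group at runtime (not visible in this diff) the write bit is effectively delegated to that group, and that should be stated rather than implied. A comment above the `%dir %{mcpath}` line such as `# group-writable: the mmap cache is maintained by the service's group, not only root (see 2.1.0 release notes)` and one line in the new 2.1.0-1 changelog entry naming the permission change would make the hardening posture auditable. The `@@ -1147` changelog hunk continues past the end of the visible diff.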