diff --git a/0017-sysdb_sudo-Enable-LDAP-time-format-compatibility.patch b/0017-sysdb_sudo-Enable-LDAP-time-format-compatibility.patch
new file mode 100644
index 0000000..e373bee
--- /dev/null
+++ b/0017-sysdb_sudo-Enable-LDAP-time-format-compatibility.patch
@@ -0,0 +1,52 @@
+From 58a67cd38b8be9bef45ce70588763d851840dd65 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Pawe=C5=82=20Po=C5=82awski?= <ppolawsk@redhat.com>
+Date: Tue, 3 Dec 2019 04:13:53 +0100
+Subject: [PATCH] sysdb_sudo: Enable LDAP time format compatibility
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+LDAP specification allows to ommit seconds and minutes
+in time border definition. In that case they defaults to zeros.
+Current sssd.sudo implementation requires precision up to
+seconds in time definition. This commit allows to lower
+the precision up to hours.
+
+Resolves:
+https://pagure.io/SSSD/sssd/issue/4118
+
+Reviewed-by: Pavel Březina <pbrezina@redhat.com>
+---
+ src/db/sysdb_sudo.c | 16 ++++++++++++++++
+ 1 file changed, 16 insertions(+)
+
+diff --git a/src/db/sysdb_sudo.c b/src/db/sysdb_sudo.c
+index 59d6824c0..18088b017 100644
+--- a/src/db/sysdb_sudo.c
++++ b/src/db/sysdb_sudo.c
+@@ -55,6 +55,22 @@ static errno_t sysdb_sudo_convert_time(const char *str, time_t *unix_time)
+                              "%Y%m%d%H%M%S.0%z",
+                              "%Y%m%d%H%M%S,0Z",
+                              "%Y%m%d%H%M%S,0%z",
++                             /* LDAP specification says that minutes and seconds
++                                might be omitted and in that case these are meant
++                                to be treated as zeros [1].
++                             */
++                             "%Y%m%d%H%MZ",    /* Discard seconds */
++                             "%Y%m%d%H%M%z",
++                             "%Y%m%d%H%M.0Z",
++                             "%Y%m%d%H%M.0%z",
++                             "%Y%m%d%H%M,0Z",
++                             "%Y%m%d%H%M,0%z",
++                             "%Y%m%d%HZ",    /* Discard minutes and seconds*/
++                             "%Y%m%d%H%z",
++                             "%Y%m%d%H.0Z",
++                             "%Y%m%d%H.0%z",
++                             "%Y%m%d%H,0Z",
++                             "%Y%m%d%H,0%z",
+                              NULL};
+ 
+     for (format = formats; *format != NULL; format++) {
+-- 
+2.20.1
+
diff --git a/sssd.spec b/sssd.spec
index 5f5b670..f3d80c1 100644
--- a/sssd.spec
+++ b/sssd.spec
@@ -36,7 +36,7 @@
 
 Name: sssd
 Version: 2.2.3
-Release: 11%{?dist}
+Release: 12%{?dist}
 Summary: System Security Services Daemon
 License: GPLv3+
 URL: https://pagure.io/SSSD/sssd/
@@ -59,6 +59,7 @@ Patch0013: 0013-ad-add-ad_use_ldaps.patch
 Patch0014: 0014-ldap-add-new-option-ldap_sasl_maxssf.patch
 Patch0015: 0015-ad-set-min-and-max-ssf-for-ldaps.patch
 Patch0016: 0016-BE_REFRESH-Do-not-try-to-refresh-domains-from-other-.patch
+Patch0017: 0017-sysdb_sudo-Enable-LDAP-time-format-compatibility.patch
 
 ### Downstream only patches ###
 Patch0502: 0502-SYSTEMD-Use-capabilities.patch
@@ -1088,6 +1089,10 @@ fi
                                 %{_libdir}/%{name}/modules/libwbclient.so
 
 %changelog
+* Wed Feb 26 2020 Michal Židek <mzidek@redhat.com> - 2.2.3-11
+- Resolves: upstream#4118 - sssd requires timed sudoers ldap entries to be
+  specified up to the seconds
+
 * Wed Feb 26 2020 Michal Židek <mzidek@redhat.com> - 2.2.3-11
 - Add sssd-dbus package as a dependency of sssd-tools