diff --git a/freeipa-2.1.4-selinux-web-migration-policy.patch b/freeipa-2.1.4-selinux-web-migration-policy.patch
new file mode 100644
index 0000000..4795631
--- /dev/null
+++ b/freeipa-2.1.4-selinux-web-migration-policy.patch
@@ -0,0 +1,35 @@
+From d214ba7547fdda279fa3fd38129a600979d6213b Mon Sep 17 00:00:00 2001
+From: Alexander Bokovoy
+Date: Wed, 21 Dec 2011 14:44:06 +0200
+Subject: [PATCH] Re-enable web password migration on Fedora 16 after SE Linux
+ policy restrictions
+
+Web password migration tool uses connection to the LDAPI socket.
+Enable access to the ns-slapd socket.
+---
+ selinux/ipa_httpd/ipa_httpd.te | 2 ++
+ 1 files changed, 2 insertions(+), 0 deletions(-)
+
+diff --git a/selinux/ipa_httpd/ipa_httpd.te b/selinux/ipa_httpd/ipa_httpd.te
+index 65b161fe58cbe64c476fc6abb17b68d741d5d321..64525ba99ad2c455941a937d77ea5cc1af6c68d0 100644
+--- a/selinux/ipa_httpd/ipa_httpd.te
++++ b/selinux/ipa_httpd/ipa_httpd.te
+@@ -7,6 +7,7 @@ require {
+ type var_run_t;
+ type krb5kdc_t;
+ type cert_t;
++ type dirsrv_t;
+ class sock_file write;
+ class unix_stream_socket connectto;
+ class file write;
+@@ -15,6 +16,7 @@ require {
+ # Let Apache, bind and the KDC talk to DS over ldapi
+ allow httpd_t var_run_t:sock_file write;
+ allow httpd_t initrc_t:unix_stream_socket connectto;
++allow httpd_t dirsrv_t:unix_stream_socket connectto;
+ allow krb5kdc_t var_run_t:sock_file write;
+ allow krb5kdc_t initrc_t:unix_stream_socket connectto;
+ allow named_t var_run_t:sock_file write;
+--
+1.7.8
+
diff --git a/freeipa-2.1.4-slapi-plugins-use-thread-safe-ldap-library.patch b/freeipa-2.1.4-slapi-plugins-use-thread-safe-ldap-library.patch
new file mode 100644
index 0000000..2e51e09
--- /dev/null
+++ b/freeipa-2.1.4-slapi-plugins-use-thread-safe-ldap-library.patch
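Review bot: In the patch added as freeipa-2.1.4-selinux-web-migration-policy.patch, the new `allow httpd_t dirsrv_t:unix_stream_socket connectto;` is granted to the whole `httpd_t` domain, so anything Apache runs in that domain can reach the directory server's LDAPI socket, not only the password-migration page. The older `allow httpd_t initrc_t:unix_stream_socket connectto;` stays beside it; if ns-slapd now always runs as `dirsrv_t`, that rule presumably no longer serves the LDAPI path and is broader than needed, so it should be dropped or annotated, e.g. `# initrc_t: only for directory server builds that run unconfined`. The `krb5kdc_t` and `named_t` rules in the same block still name only `initrc_t`, although the comment above says they use the same socket; worth confirming they are not denied under the tightened policy too. The rest of ipa_httpd.te lies outside the two hunks shown.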
@@ -0,0 +1,39 @@
+>From e744b07fe589d36257590f31adf7a5dae3a51f55 Mon Sep 17 00:00:00 2001
+From: Simo Sorce
+Date: Tue, 20 Dec 2011 12:39:34 -0500
+Subject: [PATCH] slapi-plugins: use thread-safe ldap library
+
+---
+ daemons/configure.ac | 2 +-
+ freeipa.spec.in | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/daemons/configure.ac b/daemons/configure.ac
+index d15a5c70c000a9d83f9ccb6d05851f1400ae4627..9ff858a6b360b011be95ff9aac729a0e837356c2 100644
+--- a/daemons/configure.ac
++++ b/daemons/configure.ac
+@@ -174,7 +174,7 @@ if test "$with_ldap" = "yes"; then
+ if test "$with_ldap_lber" = "yes" ; then
+ OPENLDAP_LIBS="${OPENLDAP_LIBS} -llber"
+ fi
+- OPENLDAP_LIBS="${OPENLDAP_LIBS} -lldap"
++ OPENLDAP_LIBS="${OPENLDAP_LIBS} -lldap_r"
+ else
+ AC_MSG_ERROR([OpenLDAP not found])
+ fi
+diff --git a/freeipa.spec.in b/freeipa.spec.in
+index 3305fda55a30523d0b86a0fb79ee74f60a544b92..36b68795eec02d11176c2369b50ec6c732925ad1 100644
+--- a/freeipa.spec.in
++++ b/freeipa.spec.in
+@@ -24,7 +24,7 @@ Source0: freeipa-%{version}.tar.gz
+ BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
+
+ %if ! %{ONLY_CLIENT}
+-BuildRequires: 389-ds-base-devel >= 1.2.9
++BuildRequires: 389-ds-base-devel >= 1.2.10-0.6.a6
+ BuildRequires: svrcore-devel
+ BuildRequires: /usr/share/selinux/devel/Makefile
+ BuildRequires: policycoreutils >= %{POLICYCOREUTILSVER}
+--
+1.7.7.4
+
diff --git a/freeipa.spec b/freeipa.spec
index 77ab0ce..ef68ab0 100644
--- a/freeipa.spec
+++ b/freeipa.spec
@@ -14,7 +14,7 @@ distutils.sysconfig import get_python_lib; print(get_python_lib(1))")} Name: freeipa Version: 2.1.4 -Release: 2%{?dist} +Release: 3%{?dist} Summary: The Identity, Policy and Audit system Group: System Environment/Base
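Review bot: In the patch added as freeipa-2.1.4-slapi-plugins-use-thread-safe-ldap-library.patch, `-lldap_r` is hard-coded in daemons/configure.ac with no visible probe for that library; the test that sets `with_ldap` is outside the hunk and may still check plain libldap, in which case a host without libldap_r passes configure and fails at link time. A check such as `AC_CHECK_LIB([ldap_r], [ldap_initialize], [:], [AC_MSG_ERROR([libldap_r not found])])` ahead of the assignment would fail early. The patch message has no body; a line recording why the plugins need the re-entrant library would help when this is rebased.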
@@ -24,10 +24,12 @@ Source0: freeipa-%{version}.tar.gz Source1: freeipa-systemd-upgrade Patch0: freeipa-2.1.4-connection-failure-recovery.patch Patch1: freeipa-2.1.4-fix-pylint-f16.patch +Patch2: freeipa-2.1.4-slapi-plugins-use-thread-safe-ldap-library.patch +Patch3: freeipa-2.1.4-selinux-web-migration-policy.patch BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) %if ! %{ONLY_CLIENT} -BuildRequires: 389-ds-base-devel >= 1.2.9 +BuildRequires: 389-ds-base-devel >= 1.2.10-0.6.a6 BuildRequires: svrcore-devel BuildRequires: /usr/share/selinux/devel/Makefile BuildRequires: policycoreutils >= %{POLICYCOREUTILSVER}
@@ -220,6 +222,8 @@ package. cp %{SOURCE1} init/systemd/ %patch0 -p1 %patch1 -p1 +%patch2 -p1 +%patch3 -p1 %build export CFLAGS="$CFLAGS %{optflags}"
@@ -541,6 +545,10 @@ fi %ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/ipa/default.conf %changelog +* Wed Dec 21 2011 Alexander Bokovoy - 2.1.4-3 +- Allow Web-based migration to work with tightened SE Linux policy (#769440) +- Rebuild slapi plugins against re-enterant version of libldap + * Sun Dec 11 2011 Alexander Bokovoy - 2.1.4-2 - Allow longer dirsrv startup with systemd: - IPAdmin class will wait until dirsrv instance is available up to 10 seconds
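Review bot: In the `@@ -24,10 +24,12 @@` hunk only the build-time dependency moves to `389-ds-base-devel >= 1.2.10-0.6.a6`; no matching runtime requirement is visible here. If the server subpackage's `Requires:` on 389-ds-base (outside the hunk) still admits an older release, plugins linked against libldap_r could be loaded into a directory server built against the other libldap, putting both libraries in one process, which is presumably what the rebuild is meant to avoid. Consider bumping it in the same release, e.g. `Requires: 389-ds-base >= 1.2.10-0.6.a6`.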