diff --git a/.gitignore b/.gitignore
index 3d258dd..b832b7b 100644
--- a/.gitignore
+++ b/.gitignore
@@ -92,3 +92,5 @@
 /freeipa-4.8.7.tar.gz.asc
 /freeipa-4.8.9.tar.gz
 /freeipa-4.8.9.tar.gz.asc
+/freeipa-4.8.10.tar.gz
+/freeipa-4.8.10.tar.gz.asc
diff --git a/freeipa.spec b/freeipa.spec
index de3f736..5429d6f 100644
--- a/freeipa.spec
+++ b/freeipa.spec
@@ -53,7 +53,7 @@
 %endif
 
 # Include SELinux subpackage
-%if 0%{?fedora} >= 30 || 0%{?rhel} > 8
+%if 0%{?fedora} >= 30 || 0%{?rhel}
 %global with_selinux 1
 %global selinuxtype targeted
 %global modulename ipa
@@ -62,7 +62,7 @@
 %if 0%{?rhel}
 %global package_name ipa
 %global alt_name freeipa
-%global krb5_version 1.16.1
+%global krb5_version 1.18
 # 0.7.16: https://github.com/drkjam/netaddr/issues/71
 %global python_netaddr_version 0.7.16
 # Require 4.7.0 which brings Python 3 bindings
@@ -89,14 +89,19 @@
 # Require 4.12 which has DsRGetForestTrustInformation access rights fixes
 %global samba_version 2:4.12
 
-%global selinux_policy_version 3.14.5-40
+# SELinux context for dirsrv unit file, BZ 1820298
+%if 0%{?fedora} >= 32
+%global selinux_policy_version 3.14.5-39
+%else
+%global selinux_policy_version 3.14.4-52
+%endif
 %global slapi_nis_version 0.56.5
 # fix for segfault in python3-ldap, https://pagure.io/freeipa/issue/7324
 %global python_ldap_version 3.1.0-1
 
-# Fix for create suffix
-# https://pagure.io/389-ds-base/issue/49984
-%global ds_version 1.4.1.1
+# 1.4.3 moved nsslapd-db-locks to cn=bdb sub-entry
+# https://pagure.io/freeipa/issue/8515
+%global ds_version 1.4.3
 
 # Fix for TLS 1.3 PHA, RHBZ#1775146
 %if 0%{?fedora} >= 31
@@ -120,9 +125,9 @@
 %global krb5_kdb_version 7.0
 %endif
 
-# 10.7.3 supports LWCA key replication using AES
-# https://pagure.io/freeipa/issue/8020
-%global pki_version 10.7.3-1
+# PKIConnection has been modified to always validate certs.
+# https://pagure.io/freeipa/issue/8379
+%global pki_version 10.9.0-0.4
 # https://pagure.io/certmonger/issue/90
 %global certmonger_version 0.79.7-1
 
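Review bot: The relaxed guard `%if 0%{?fedora} >= 30 || 0%{?rhel}` in the first freeipa.spec hunk now builds the SELinux subpackage on every RHEL release rather than only RHEL > 8, but no comment records why the `> 8` was dropped and the `# Include SELinux subpackage` line above it reads as if nothing changed. I would extend that comment to `# Include SELinux subpackage (RHEL 8 as well; selinux_policy_version below picks the 3.14.4 branch there)` — assuming that is the intent, since `%{?fedora}` is unset on RHEL and the new `%else` branch of the selinux_policy_version block in the third hunk (3.14.4-52) is what such a build will require. That same `%else` branch also applies to Fedora 30 and 31, which the `BZ 1820298` comment does not mention.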
@@ -147,7 +152,7 @@
 
 # Work-around fact that RPM SPEC parser does not accept
 # "Version: @VERSION@" in freeipa.spec.in used for Autoconf string replacement
-%define IPA_VERSION 4.8.9
+%define IPA_VERSION 4.8.10
 %define AT_SIGN @
 # redefine IPA_VERSION only if its value matches the Autoconf placeholder
 %if "%{IPA_VERSION}" == "%{AT_SIGN}VERSION%{AT_SIGN}"
@@ -156,14 +161,13 @@
 
 Name: %{package_name}
 Version: %{IPA_VERSION}
-Release: 2%{?dist}
+Release: 1%{?dist}
 Summary: The Identity, Policy and Audit system
 
 License: GPLv3+
 URL: http://www.freeipa.org/
 Source0: https://releases.pagure.org/freeipa/freeipa-%{version}.tar.gz
 Source1: https://releases.pagure.org/freeipa/freeipa-%{version}.tar.gz.asc
-Patch0001: freeipa-4.8.9-support-older-installations.patch
 
 # For the timestamp trick in patch application
 BuildRequires: diffstat
@@ -202,14 +206,20 @@ BuildRequires: libtevent-devel
 BuildRequires: libuuid-devel
 BuildRequires: libsss_idmap-devel
 BuildRequires: libsss_certmap-devel
-BuildRequires: libsss_nss_idmap-devel >= %{sssd_version}
+BuildRequires: libsss_nss_idmap-devel >= %{sssd_version}
 BuildRequires: nodejs(abi)
-BuildRequires: python-rjsmin
+# use old dependency on RHEL 8 for now
+%if 0%{?fedora} >= 31 || 0%{?rhel} > 8
+BuildRequires: python3-rjsmin
+%else
+BuildRequires: uglify-js
+%endif
 BuildRequires: libverto-devel
 BuildRequires: libunistring-devel
 # 0.13.0: https://bugzilla.redhat.com/show_bug.cgi?id=1584773
 # 0.13.0-2: fix for missing dependency on python-six
 BuildRequires: python3-lesscpy >= 0.13.0-2
+
 # ONLY_CLIENT
 %endif
 
@@ -224,6 +234,7 @@ BuildRequires: python3-netaddr >= %{python_netaddr_version}
 BuildRequires: python3-pyasn1
 BuildRequires: python3-pyasn1-modules
 BuildRequires: python3-six
+BuildRequires: python3-psutil
 
 #
 # Build dependencies for wheel packaging and PyPI upload
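Review bot: The comment `# use old dependency on RHEL 8 for now` above the new `%if 0%{?fedora} >= 31 || 0%{?rhel} > 8` in the BuildRequires hunk describes only the RHEL case, while the `%else` branch (`uglify-js`) is also what a Fedora < 31 build would select; `# python3-rjsmin on Fedora >= 31 and RHEL > 8; uglify-js elsewhere (RHEL 8 for now)` would match the condition as written. The `libsss_nss_idmap-devel` change two lines above it appears to be whitespace-only (old and new text are identical once indentation is lost in this rendering) and needs no further attention.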
@@ -245,10 +256,12 @@ BuildRequires: python3-wheel
 # Build dependencies for lint and fastcheck
 #
 %if 0%{?with_lint}
+BuildRequires: git
 BuildRequires: jsl
+BuildRequires: nss-tools
 BuildRequires: rpmlint
 BuildRequires: softhsm
-
+BuildRequires: keyutils
 BuildRequires: python3-augeas
 BuildRequires: python3-cffi
 BuildRequires: python3-cryptography >= 1.6
@@ -289,6 +302,7 @@ BuildRequires: python3-sss
 BuildRequires: python3-sss-murmur
 BuildRequires: python3-sssdconfig >= %{sssd_version}
 BuildRequires: python3-systemd
+BuildRequires: python3-yaml
 BuildRequires: python3-yubico
 # with_lint
 %endif
@@ -419,6 +433,7 @@ Requires: python3-lxml
 Requires: python3-pki >= %{pki_version}
 Requires: python3-pyasn1 >= 0.3.2-2
 Requires: python3-sssdconfig >= %{sssd_version}
+Requires: python3-psutil
 Requires: rpm-libs
 # Indirect dependency: use newer urllib3 with TLS 1.3 PHA support
 %if 0%{?rhel}
@@ -443,7 +458,6 @@ BuildArch: noarch
 Requires: %{name}-client-common = %{version}-%{release}
 Requires: httpd >= %{httpd_version}
 Requires: systemd-units >= 38
-Requires: custodia >= 0.3.1
 Provides: %{alt_name}-server-common = %{version}
 Conflicts: %{alt_name}-server-common
 
@@ -588,7 +602,6 @@ Requires: cifs-utils
 This package provides command-line tools to deploy Samba domain member on
 the machine enrolled into a FreeIPA environment
 
-%if ! %{ONLY_CLIENT}
 %package client-epn
 Summary: Tools to configure Expiring Password Notification in IPA
 Group: System Environment/Base
@@ -601,7 +614,6 @@ Requires: %{name}-client = %{version}-%{release}
 %description client-epn
 This package provides a service to collect and send expiring password
 notifications via email (SMTP).
-%endif
 
 %package -n python3-ipaclient
 Summary: Python libraries used by IPA client
@@ -776,6 +788,7 @@ This package contains tests that verify IPA functionality under Python 3.
 %package selinux
 Summary: FreeIPA SELinux policy
 BuildArch: noarch
+Requires: %{name}-server = %{version}-%{release}
 Requires: selinux-policy-%{selinuxtype}
 Requires(post): selinux-policy-%{selinuxtype}
 %{?selinux_requires}
@@ -816,8 +829,7 @@ done
 
 export PATH=/usr/bin:/usr/sbin:$PATH
 export PYTHON=%{__python3}
-aclocal --force
-autoconf --force
+autoreconf -ivf
 %configure --with-vendor-suffix=-%{release} \
 %{enable_server_option} \
 %{with_ipatests_option} \
@@ -915,18 +927,6 @@ mkdir -p %{buildroot}%{_sysconfdir}/cron.d
 # ONLY_CLIENT
 %endif
 
-%if %{ONLY_CLIENT}
-# Remove ipa-epn parts as we don't have ipa-epn systemd integration generated
-# for client-only build
-rm %{buildroot}/%{_sbindir}/ipa-epn
-rm %{buildroot}/%{_mandir}/man1/ipa-epn.1*
-rm %{buildroot}/%{_mandir}/man5/epn.conf.5*
-rm %{buildroot}/%{_unitdir}/ipa-epn.service
-rm %{buildroot}/%{_unitdir}/ipa-epn.timer
-rm %{buildroot}/%{_sysconfdir}/ipa/epn.conf
-rm %{buildroot}/%{_sysconfdir}/ipa/epn/expire_msg.template
-%endif
-
 %if ! %{ONLY_CLIENT}
 
 %post server
@@ -1037,6 +1037,9 @@ if [ $1 -eq 0 ]; then
 /bin/systemctl reload-or-try-restart oddjobd
 fi
 
+# ONLY_CLIENT
+%endif
+
 %preun client-epn
 %systemd_preun ipa-epn.service
 %systemd_preun ipa-epn.timer
@@ -1049,10 +1052,6 @@ fi
 %systemd_post ipa-epn.service
 %systemd_post ipa-epn.timer
 
-# ONLY_CLIENT
-%endif
-
-
 %post client
 if [ $1 -gt 1 ] ; then
 # Has the client been configured?
@@ -1076,14 +1075,10 @@ if [ $1 -gt 1 ] ; then
 
 fi
 %{__python3} -c 'from ipaclient.install.client import configure_krb5_snippet; configure_krb5_snippet()' >>/var/log/ipaupgrade.log 2>&1
-fi
-
-if [ $restore -ge 2 ]; then
-%{__python3} -c 'from ipaclient.install.client import update_ipa_nssdb; update_ipa_nssdb()' >>/var/log/ipaupgrade.log 2>&1
-fi
-
-if [ $restore -ge 2 ]; then
-sed -E --in-place=.orig 's/^(HostKeyAlgorithms ssh-rsa,ssh-dss)$/# disabled by ipa-client update\n# \1/' /etc/ssh/ssh_config
+SSH_CLIENT_SYSTEM_CONF="/etc/ssh/ssh_config"
+if [ -f "$SSH_CLIENT_SYSTEM_CONF" ]; then
+sed -E --in-place=.orig 's/^(HostKeyAlgorithms ssh-rsa,ssh-dss)$/# disabled by ipa-client update\n# \1/' "$SSH_CLIENT_SYSTEM_CONF"
+fi
 fi
 fi
 
@@ -1110,7 +1105,7 @@ fi
 
 %endif
 
-%triggerin client -- openssh-server
+%triggerin client -- openssh-server < 8.2
 # Has the client been configured?
 restore=0
 test -f '/var/lib/ipa-client/sysrestore/sysrestore.index' && restore=$(wc -l '/var/lib/ipa-client/sysrestore/sysrestore.index' | awk '{print $1}')
@@ -1145,6 +1140,25 @@ if [ -f '/etc/ssh/sshd_config' -a $restore -ge 2 ]; then
 fi
 fi
 
+%triggerin client -- openssh-server >= 8.2
+# Has the client been configured?
+restore=0
+test -f '/var/lib/ipa-client/sysrestore/sysrestore.index' && restore=$(wc -l '/var/lib/ipa-client/sysrestore/sysrestore.index' | awk '{print $1}')
+
+if [ -f '/etc/ssh/sshd_config' -a $restore -ge 2 ]; then
+# If the snippet already exists, skip
+if [ ! -f '/etc/ssh/sshd_config.d/04-ipa.conf' ]; then
+# Take the values from /etc/ssh/sshd_config and put them in 04-ipa.conf
+grep -E '^(PubkeyAuthentication|KerberosAuthentication|GSSAPIAuthentication|UsePAM|ChallengeResponseAuthentication|AuthorizedKeysCommand|AuthorizedKeysCommandUser)' /etc/ssh/sshd_config 2>/dev/null > /etc/ssh/sshd_config.d/04-ipa.conf
+# Remove the values from sshd_conf
+sed -ri '
+/^(PubkeyAuthentication|KerberosAuthentication|GSSAPIAuthentication|UsePAM|ChallengeResponseAuthentication|AuthorizedKeysCommand|AuthorizedKeysCommandUser)[ \t]/ d
+' /etc/ssh/sshd_config
+
+/bin/systemctl condrestart sshd.service 2>&1 || :
+fi
+fi
+
 %if ! %{ONLY_CLIENT}
 
 
@@ -1209,7 +1223,6 @@ fi
 %attr(755,root,root) %{plugin_dir}/libipa_uuid.so
 %attr(755,root,root) %{plugin_dir}/libipa_modrdn.so
 %attr(755,root,root) %{plugin_dir}/libipa_lockout.so
-%attr(755,root,root) %{plugin_dir}/libipa_cldap.so
 %attr(755,root,root) %{plugin_dir}/libipa_dns.so
 %attr(755,root,root) %{plugin_dir}/libipa_range_check.so
 %attr(755,root,root) %{plugin_dir}/libipa_otp_counter.so
@@ -1266,6 +1279,7 @@ fi
 %{_usr}/share/ipa/kdcproxy.wsgi
 %{_usr}/share/ipa/ipaca*.ini
 %{_usr}/share/ipa/*.ldif
+%exclude %{_datadir}/ipa/ipa-cldap-conf.ldif
 %{_usr}/share/ipa/*.uldif
 %{_usr}/share/ipa/*.template
 %dir %{_usr}/share/ipa/advise
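Review bot: In the new `%triggerin client -- openssh-server >= 8.2` scriptlet the `sed -ri` deletes the authentication directives from /etc/ssh/sshd_config unconditionally, even when the preceding `grep ... > /etc/ssh/sshd_config.d/04-ipa.conf` redirection failed (for instance if /etc/ssh/sshd_config.d does not exist), so a failed copy silently drops PubkeyAuthentication, AuthorizedKeysCommand and the rest from the live config, and the trigger then restarts sshd without validating the result. The two steps should be tied together and the restart gated on `sshd -t`, as sketched below; grep also exits non-zero when nothing matched, but then there is nothing to move and skipping the sed is harmless. Note as well that the grep pattern matches bare keyword prefixes while the sed requires a following space or tab, so a `Keyword=value` line would be copied into the snippet but not removed from sshd_config. The new trigger is fully contained in this hunk; the two `fi` context lines at its top close the `< 8.2` trigger that starts outside it.
```rpmspec
    # If the snippet already exists, skip
    if [ ! -f '/etc/ssh/sshd_config.d/04-ipa.conf' ]; then
        # Take the values from /etc/ssh/sshd_config and put them in 04-ipa.conf;
        # only strip them from sshd_config once the snippet was actually written
        if [ -d '/etc/ssh/sshd_config.d' ] && \
           grep -E '^(PubkeyAuthentication|KerberosAuthentication|GSSAPIAuthentication|UsePAM|ChallengeResponseAuthentication|AuthorizedKeysCommand|AuthorizedKeysCommandUser)' /etc/ssh/sshd_config 2>/dev/null > /etc/ssh/sshd_config.d/04-ipa.conf; then
            # … unchanged: sed -ri removal of the same directives from /etc/ssh/sshd_config …
            # Restart only if the resulting configuration still parses
            if /usr/sbin/sshd -t 2>/dev/null; then
                /bin/systemctl condrestart sshd.service 2>&1 || :
            fi
        fi
    fi
```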
@@ -1357,6 +1371,8 @@ fi
 %{_sbindir}/ipa-adtrust-install
 %{_usr}/share/ipa/smb.conf.empty
 %attr(755,root,root) %{_libdir}/samba/pdb/ipasam.so
+%attr(755,root,root) %{plugin_dir}/libipa_cldap.so
+%{_datadir}/ipa/ipa-cldap-conf.ldif
 %{_mandir}/man1/ipa-adtrust-install.1*
 %ghost %{_libdir}/krb5/plugins/libkrb5/winbind_krb5_locator.so
 %{_sysconfdir}/dbus-1/system.d/oddjob-ipa-trust.conf
@@ -1393,7 +1409,6 @@ fi
 %{_sbindir}/ipa-client-samba
 %{_mandir}/man1/ipa-client-samba.1*
 
-%if ! %{ONLY_CLIENT}
 %files client-epn
 %doc README.md Contributors.txt
 %dir %{_sysconfdir}/ipa/epn
@@ -1404,8 +1419,7 @@ fi
 %attr(644,root,root) %{_unitdir}/ipa-epn.service
 %attr(644,root,root) %{_unitdir}/ipa-epn.timer
 %attr(600,root,root) %config(noreplace) %{_sysconfdir}/ipa/epn.conf
-%attr(644,root,root) %{_sysconfdir}/ipa/epn/expire_msg.template
-%endif
+%attr(644,root,root) %config(noreplace) %{_sysconfdir}/ipa/epn/expire_msg.template
 
 %files -n python3-ipaclient
 %doc README.md Contributors.txt
diff --git a/sources b/sources
index 18db8f2..f373cc2 100644
--- a/sources
+++ b/sources
@@ -1,2 +1,2 @@
-SHA512 (freeipa-4.8.9.tar.gz) = 5db9056b63316023e2d94db1400e14d90b1915e129a01a3518d2487ef4461af1b6fa596da1a44ff36ffa6130d03c0f9d9c04d97ac73164d3bd24ebf06afa7451
-SHA512 (freeipa-4.8.9.tar.gz.asc) = dcd4ec94394fe44b3737d7b39a36a5057a152352a290dd78c7f64fc48dfe06a6cc613c6f75f9d1b2b32289b873ee81533096355b8f194425506f4a9b1cf3e879
+SHA512 (freeipa-4.8.10.tar.gz) = a14608cd2f8b50f1404df4761f1f72f1c250ea54257e8f072f488c1684a5f01dba060c67d17e11ab1237f65e041d9fca0eb4d0b9d1804cedb33a957c9ecfd954
+SHA512 (freeipa-4.8.10.tar.gz.asc) = 7d188fd8ce742e4900c8b359e23406efda955578930d7d800fca96f03b461162bd2799e3915db7968c325c9c24712cfc108064e93dc3d6dd97b77968390e0e04