diff --git a/0001-revert-minssf-defaults.patch b/0001-revert-minssf-defaults.patch
new file mode 100644
index 0000000..777c13e
--- /dev/null
+++ b/0001-revert-minssf-defaults.patch
@@ -0,0 +1,136 @@
+From 8177734d3b6c141c251c74ee29d223a7d414ab13 Mon Sep 17 00:00:00 2001
+From: Alexander Bokovoy
+Date: Wed, 1 May 2019 21:25:31 +0300
+Subject: [PATCH] Revert "Require a minimum SASL security factor of 56"
+
+This reverts commit 350954589774499d99bf87cb5631c664bb0707c4.
+---
+ install/share/Makefile.am | 1 -
+ install/share/min-ssf.ldif | 14 --------------
+ ipalib/constants.py | 3 ---
+ ipapython/ipaldap.py | 17 ++---------------
+ ipaserver/install/dsinstance.py | 5 -----
+ 5 files changed, 2 insertions(+), 38 deletions(-)
+ delete mode 100644 install/share/min-ssf.ldif
+
+diff --git a/install/share/Makefile.am b/install/share/Makefile.am
+index be83bdf75..8d039d95c 100644
+--- a/install/share/Makefile.am
++++ b/install/share/Makefile.am
+@@ -94,7 +94,6 @@ dist_app_DATA = \
+ ipa-kdc-proxy.conf.template \
+ ipa-pki-proxy.conf.template \
+ ipa-rewrite.conf.template \
+- min-ssf.ldif \
+ ipaca_default.ini \
+ ipaca_customize.ini \
+ ipaca_softhsm2.ini \
+diff --git a/install/share/min-ssf.ldif b/install/share/min-ssf.ldif
+deleted file mode 100644
+index 1c2566f84..000000000
+--- a/install/share/min-ssf.ldif
++++ /dev/null
+@@ -1,14 +0,0 @@
+-# config
+-# pretend SSF for LDAPI connections
+-# nsslapd-localssf must be equal to or greater than nsslapd-minssf
+-dn: cn=config
+-changetype: modify
+-replace: nsslapd-localssf
+-nsslapd-localssf: 256
+-
+-# minimum security strength factor for SASL and TLS
+-# 56 is considered weak, but some old clients announce wrong SSF.
+-dn: cn=config
+-changetype: modify
+-replace: nsslapd-minssf
+-nsslapd-minssf: 56
+diff --git a/ipalib/constants.py b/ipalib/constants.py
+index bcf6f3373..c22dd26ae 100644
+--- a/ipalib/constants.py
++++ b/ipalib/constants.py
+@@ -311,9 +311,6 @@ TLS_VERSIONS = [
+ ]
+ TLS_VERSION_MINIMAL = "tls1.0"
+
+-# minimum SASL secure strength factor for LDAP connections
+-# 56 provides backwards compatibility with old libraries.
+-LDAP_SSF_MIN_THRESHOLD = 56
+
+ # Use cache path
+ USER_CACHE_PATH = (
+diff --git a/ipapython/ipaldap.py b/ipapython/ipaldap.py
+index d9d67be1d..9ff443fe4 100644
+--- a/ipapython/ipaldap.py
++++ b/ipapython/ipaldap.py
+@@ -43,9 +43,7 @@ import six
+
+ # pylint: disable=ipa-forbidden-import
+ from ipalib import errors, x509, _
+-from ipalib.constants import (
+- LDAP_GENERALIZED_TIME_FORMAT, LDAP_SSF_MIN_THRESHOLD
+-)
++from ipalib.constants import LDAP_GENERALIZED_TIME_FORMAT
+ # pylint: enable=ipa-forbidden-import
+ from ipaplatform.paths import paths
+ from ipapython.ipautil import format_netloc, CIDict
+@@ -105,8 +103,7 @@ def realm_to_ldapi_uri(realm_name):
+ return 'ldapi://' + ldapurl.ldapUrlEscape(socketname)
+
+
+-def ldap_initialize(uri, cacertfile=None,
+- ssf_min_threshold=LDAP_SSF_MIN_THRESHOLD):
++def ldap_initialize(uri, cacertfile=None):
+ """Wrapper around ldap.initialize()
+
+ The function undoes global and local ldap.conf settings that may cause
+@@ -117,10 +114,6 @@ def ldap_initialize(uri, cacertfile=None,
+ locations, also known as system-wide trust store.
+ * Cert validation is enforced.
+ * SSLv2 and SSLv3 are disabled.
+- * Require a minimum SASL security factor of 56. That level ensures
+- data integrity and confidentiality. Although at least AES128 is
+- enforced pretty much everywhere, 56 is required for backwards
+- compatibility with systems that announce wrong SSF.
+ """
+ conn = ldap.initialize(uri)
+
+@@ -128,12 +121,6 @@ def ldap_initialize(uri, cacertfile=None,
+ conn.set_option(ldap.OPT_X_SASL_NOCANON, ldap.OPT_ON)
+
+ if not uri.startswith('ldapi://'):
+- # require a minimum SSF for TCP connections, but don't lower SSF_MIN
+- # if the current value is already larger.
+- cur_min_ssf = conn.get_option(ldap.OPT_X_SASL_SSF_MIN)
+- if cur_min_ssf < ssf_min_threshold:
+- conn.set_option(ldap.OPT_X_SASL_SSF_MIN, ssf_min_threshold)
+-
+ if cacertfile:
+ if not os.path.isfile(cacertfile):
+ raise IOError(errno.ENOENT, cacertfile)
+diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py
+index 8240e3043..9f05db1db 100644
+--- a/ipaserver/install/dsinstance.py
++++ b/ipaserver/install/dsinstance.py
+@@ -324,8 +324,6 @@ class DsInstance(service.Service):
+ else:
+ self.step("importing CA certificates from LDAP",
+ self.__import_ca_certs)
+- # set min SSF after DS is configured for TLS
+- self.step("require minimal SSF", self.__min_ssf)
+ self.step("restarting directory server", self.__restart_instance)
+
+ self.start_creation()
+@@ -1243,9 +1241,6 @@ class DsInstance(service.Service):
+ dm_password=self.dm_password
+ )
+
+- def __min_ssf(self):
+- self._ldap_mod("min-ssf.ldif")
+-
+ def __add_sudo_binduser(self):
+ self._ldap_mod("sudobind.ldif", self.sub_dict)
+
+--
+2.21.0
+
diff --git a/freeipa.spec b/freeipa.spec
index 190e9b4..20eef8b 100644
--- a/freeipa.spec
+++ b/freeipa.spec
@@ -135,13 +135,14 @@ Name: %{package_name}
 Version: %{IPA_VERSION}
-Release: 1%{?dist}
+Release: 2%{?dist}
 Summary: The Identity, Policy and Audit system
 License: GPLv3+
 URL: http://www.freeipa.org/
 Source0: https://releases.pagure.org/freeipa/freeipa-%{version}.tar.gz
 Source1: https://releases.pagure.org/freeipa/freeipa-%{version}.tar.gz.asc
+Patch0001: 0001-revert-minssf-defaults.patch
 # For the timestamp trick in patch application
 BuildRequires: diffstat
@@ -1306,6 +1307,10 @@ fi
 %changelog
+* Wed May 1 2019 Alexander Bokovoy - 4.7.90.pre1-2
+- Revert MINSSF defaults because realmd cannot join FreeIPA right now
+  as it uses anonymous LDAP connection for the discovery and validation
+
 * Mon Apr 29 2019 Alexander Bokovoy - 4.7.90.pre1-1
 - First release candidate for FreeIPA 4.8.0
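Review bot: The revert drops both enforcement points at once — the server floor in the deleted `install/share/min-ssf.ldif` (`nsslapd-minssf: 56`, applied by the removed `DsInstance.__min_ssf` step) and the client floor in `ldap_initialize` (the removed `OPT_X_SASL_SSF_MIN` check) — so after this patch a SASL bind over TCP could presumably negotiate an SSF of 0, i.e. no integrity or confidentiality layer, unless TLS is required by something outside this diff. The changelog gives the motivation as realmd's anonymous discovery connection; if that discovery only needs the rootDSE, 389-ds's `nsslapd-minssf-exclude-rootdse` setting would exempt that query while keeping the floor for authenticated traffic, which would be a narrower fix than removing the floor everywhere (confirm against what realmd actually queries before relying on it). Nothing in the patch header or the spec records that this is a temporary downgrade; the spec should carry a marker next to the patch declaration such as `# TODO: drop once realmd handles min SSF; tracked in <ISSUE-ID placeholder>` so the hardening is not lost silently. The reverted LDIF comment itself called 56 weak, which is worth keeping in mind when the floor is reinstated.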
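Review bot: `Patch0001` is declared in this hunk but nothing visible applies it; the `%prep` section lies outside the diff. If the spec uses `%autosetup`/`%autopatch`, or the custom loop suggested by the "timestamp trick in patch application" comment picks up every `Patch*` tag, the declaration alone is sufficient, otherwise an explicit `%patch -P 1 -p1` is needed or the revert never reaches the build while the changelog still claims it. Worth a quick check, since a silently unapplied patch here would leave the packaged behaviour different from what the release notes describe.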