diff --git a/.gitignore b/.gitignore
index a2be41e..2d38ac2 100644
--- a/.gitignore
+++ b/.gitignore
@@ -5,3 +5,8 @@
 /freeipa-2.0.0.tar.gz
 /freeipa-2.0.1.tar.gz
 /freeipa-2.1.0.tar.gz
+/freeipa-2.1.2.tar.gz
+/freeipa-2.1.2-2.1.3.patch.gz
+/freeipa-2.1.3-systemd.patch.gz
+/freeipa-2.1.3.tar.gz
+/freeipa-2.1.3-wait_for_socket.patch.gz
diff --git a/freeipa.spec b/freeipa.spec
index c893f83..3a0cae3 100644
--- a/freeipa.spec
+++ b/freeipa.spec
@@ -13,22 +13,24 @@ distutils.sysconfig import get_python_lib; print(get_python_lib(1))")}
 %global gettext_domain ipa
 
 Name:           freeipa
-Version:        2.1.0
-Release:        1%{?dist}
+Version:        2.1.3
+Release:        4%{?dist}
 Summary:        The Identity, Policy and Audit system
 
 Group:          System Environment/Base
 License:        GPLv3+
 URL:            http://www.freeipa.org/
-Source0:        http://www.freeipa.org/downloads/src/freeipa-%{version}.tar.gz
+Source0:        freeipa-%{version}.tar.gz
+Patch0:         freeipa-2.1.3-systemd.patch.gz
+Patch1:         freeipa-2.1.3-wait_for_socket.patch.gz
 BuildRoot:      %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 
-
 %if ! %{ONLY_CLIENT}
 BuildRequires:  389-ds-base-devel >= 1.2.9
 BuildRequires:  svrcore-devel
 BuildRequires:  /usr/share/selinux/devel/Makefile
 BuildRequires:  policycoreutils >= %{POLICYCOREUTILSVER}
+BuildRequires:  systemd-units
 %endif
 BuildRequires:  nspr-devel
 BuildRequires:  nss-devel
@@ -37,8 +39,8 @@ BuildRequires:  openldap-devel
 BuildRequires:  krb5-devel
 BuildRequires:  krb5-workstation
 BuildRequires:  libuuid-devel
-BuildRequires:  libcurl-devel >= 7.21.3-9
-BuildRequires:  xmlrpc-c-devel >= 1.25.4
+BuildRequires:  libcurl-devel >= 7.21.7-2
+BuildRequires:  xmlrpc-c-devel >= 1.27.4
 BuildRequires:  popt-devel
 BuildRequires:  autoconf
 BuildRequires:  automake
@@ -71,12 +73,12 @@ Group: System Environment/Base
 Requires: %{name}-python = %{version}-%{release}
 Requires: %{name}-client = %{version}-%{release}
 Requires: %{name}-admintools = %{version}-%{release}
-Requires(post): %{name}-server-selinux = %{version}-%{release}
-Requires(pre): 389-ds-base >= 1.2.9.6-1
+Requires: %{name}-server-selinux = %{version}-%{release}
+Requires(pre): 389-ds-base >= 1.2.10-0.4.a4
 Requires: openldap-clients
 Requires: nss
 Requires: nss-tools
-Requires: krb5-server
+Requires: krb5-server >= 1.9.1-15
 Requires: krb5-server-ldap
 Requires: krb5-pkinit-openssl
 Requires: cyrus-sasl-gssapi%{?_isa}
@@ -89,15 +91,29 @@ Requires: python-ldap
 Requires: python-krbV
 Requires: acl
 Requires: python-pyasn1 >= 0.0.9a
-Requires: selinux-policy >= 3.9.16-18
+Requires: systemd-units >= 36-3
+Requires(pre): systemd-units
+Requires(post): systemd-units
+Requires: selinux-policy >= 3.10.0-31
 Requires(post): selinux-policy-base
 Requires: slapi-nis >= 0.21
-Requires: pki-ca >= 9.0.11
-Requires: pki-silent >= 9.0.11
+Requires: pki-ca >= 9.0.15
+Requires: pki-silent >= 9.0.15
+# Only tomcat6 greater than this version provides proper systemd support
+Requires: tomcat6 >= 6.0.32-17
 Requires: dogtag-pki-common-theme
 Requires: dogtag-pki-ca-theme
-Requires(preun):  python initscripts chkconfig
-Requires(postun): python initscripts chkconfig
+%if 0%{?rhel}
+Requires: subscription-manager
+%endif
+Requires(preun): python systemd-units
+Requires(postun): python systemd-units
+
+# We have a soft-requires on bind. It is an optional part of
+# IPA but if it is configured we need a way to require versions
+# that work for us.
+Conflicts: bind-dyndb-ldap < 1.0.0-0.1.b1
+Conflicts: bind < 9.8.1-1
 
 Obsoletes: ipa-server >= 1.0
 
@@ -113,7 +129,8 @@ this package).
 %package server-selinux
 Summary: SELinux rules for freeipa-server daemons
 Group: System Environment/Base
-Requires: %{name}-server = %{version}-%{release}
+Requires(post): %{name}-server = %{version}-%{release}
+Requires(postun): %{name}-server = %{version}-%{release}
 Requires(pre): policycoreutils >= %{POLICYCOREUTILSVER}
 
 Obsoletes: ipa-server-selinux >= 1.0
@@ -138,9 +155,9 @@ Requires: krb5-workstation
 Requires: authconfig
 Requires: pam_krb5
 Requires: wget
-Requires: libcurl >= 7.21.3-9
-Requires: xmlrpc-c >= 1.25.4
-Requires: sssd >= 1.5.1
+Requires:  libcurl >= 7.21.7-2
+Requires:  xmlrpc-c >= 1.27.4
+Requires: sssd >= 1.6.2
 Requires: certmonger >= 0.26
 Requires: nss-tools
 Requires: bind-utils
@@ -177,9 +194,7 @@ IPA administrators.
 %package python
 Summary: Python libraries used by IPA
 Group: System Environment/Libraries
-%if 0%{?fedora} >= 12 || 0%{?rhel} >= 6
 Requires: python-kerberos >= 1.1-3
-%endif
 Requires: authconfig
 Requires: gnupg
 Requires: iproute
@@ -201,10 +216,15 @@ package.
 
 %prep
 %setup -n freeipa-%{version} -q
+%patch0 -p1
+%patch1 -p1
 
 %build
 export CFLAGS="$CFLAGS %{optflags}"
 export CPPFLAGS="$CPPFLAGS %{optflags}"
+export SUPPORTED_PLATFORM=fedora16
+# Force re-generate of platform support
+rm -f ipapython/services.py
 make version-update
 cd ipa-client; ../autogen.sh --prefix=%{_usr} --sysconfdir=%{_sysconfdir} --localstatedir=%{_localstatedir} --libdir=%{_libdir} --mandir=%{_mandir}; cd ..
 %if ! %{ONLY_CLIENT}
@@ -224,6 +244,9 @@ make IPA_VERSION_IS_GIT_SNAPSHOT=no %{?_smp_mflags} client
 %install
 rm -rf %{buildroot}
 %if ! %{ONLY_CLIENT}
+export SUPPORTED_PLATFORM=fedora16
+# Force re-generate of platform support
+rm -f ipapython/services.py
 make install DESTDIR=%{buildroot}
 cd selinux
 make install DESTDIR=%{buildroot}
@@ -264,8 +287,14 @@ ln -s ../../../..%{_sysconfdir}/ipa/html/ipa_error.css \
 # So we can own our Apache configuration
 mkdir -p %{buildroot}%{_sysconfdir}/httpd/conf.d/
 /bin/touch %{buildroot}%{_sysconfdir}/httpd/conf.d/ipa.conf
+/bin/touch %{buildroot}%{_sysconfdir}/httpd/conf.d/ipa-pki-proxy.conf
 /bin/touch %{buildroot}%{_sysconfdir}/httpd/conf.d/ipa-rewrite.conf
-install -m755 ipa.init %{buildroot}%{_initrddir}/ipa
+# Default to systemd initscripts for F16 and above
+mkdir -p %{buildroot}%{_unitdir}
+for i in ipa.service ipa_kpasswd.service ; do
+    install -m 644 init/systemd/$i %{buildroot}%{_unitdir}/$i
+done
+rm -f %{buildroot}%{_initrddir}/ipa_kpasswd
 %endif
 
 mkdir -p %{buildroot}%{_sysconfdir}/ipa/
@@ -284,10 +313,8 @@ rm -rf %{buildroot}
 
 %if ! %{ONLY_CLIENT}
 %post server
-if [ $1 = 1 ]; then
-    /sbin/chkconfig --add ipa
-    /sbin/chkconfig --add ipa_kpasswd
-fi
+# Use systemd scheme, update systemd as service units have changed
+    /bin/systemctl --system daemon-reload 2>&1 || :
 if [ $1 -gt 1 ] ; then
     /usr/sbin/ipa-upgradeconfig || :
     /usr/sbin/ipa-ldap-updater --upgrade >/dev/null 2>&1 || :
@@ -295,18 +322,19 @@ fi
 
 %preun server
 if [ $1 = 0 ]; then
-    /sbin/chkconfig --del ipa
-    /sbin/chkconfig --del ipa_kpasswd
-    /sbin/service ipa stop >/dev/null 2>&1 || :
+# Use systemd scheme
+    /bin/systemctl --quiet stop ipa.service || :
+    /bin/systemctl --quiet disable ipa.service || :
 fi
 
 %postun server
 if [ "$1" -ge "1" ]; then
-    /sbin/service ipa condrestart >/dev/null 2>&1 || :
+# Use systemd scheme
+    /bin/systemctl --quiet is-active ipa.service >/dev/null && \
+    /bin/systemctl try-restart ipa.service >/dev/null 2>&1 || :
 fi
 
 %pre server-selinux
-# Save the content state so we can restore it when/if this package is removed
 if [ -s /etc/selinux/config ]; then
        . %{_sysconfdir}/selinux/config
        FILE_CONTEXT=%{_sysconfdir}/selinux/targeted/contexts/files/file_contexts
@@ -316,7 +344,6 @@ if [ -s /etc/selinux/config ]; then
 fi
 
 %post server-selinux
-# Insert our provide SELinux policy
 semodule -s targeted -i /usr/share/selinux/targeted/ipa_kpasswd.pp /usr/share/selinux/targeted/ipa_httpd.pp /usr/share/selinux/targeted/ipa_dogtag.pp
 . %{_sysconfdir}/selinux/config
 FILE_CONTEXT=%{_sysconfdir}/selinux/targeted/contexts/files/file_contexts
@@ -327,7 +354,6 @@ if [ $? == 0  -a "${SELINUXTYPE}" == targeted -a -f ${FILE_CONTEXT}.%{name} ]; t
 fi
 
 %preun server-selinux
-# On the last uninstallation prepare to restore state
 if [ $1 = 0 ]; then
 if [ -s /etc/selinux/config ]; then
        . %{_sysconfdir}/selinux/config
@@ -339,7 +365,6 @@ fi
 fi
 
 %postun server-selinux
-# On the last uninstallation remove our SELinux policy and restore the state
 if [ $1 = 0 ]; then
 semodule -s targeted -r ipa_kpasswd ipa_httpd ipa_dogtag
 . %{_sysconfdir}/selinux/config
@@ -369,14 +394,15 @@ fi
 %{_sbindir}/ipa-ldap-updater
 %{_sbindir}/ipa-compat-manage
 %{_sbindir}/ipa-nis-manage
-%{_sbindir}/ipa-host-net-manage
+%{_sbindir}/ipa-managed-entries
 %{_sbindir}/ipa_kpasswd
 %{_sbindir}/ipactl
 %{_sbindir}/ipa-upgradeconfig
 %{_sbindir}/ipa-compliance
 %{_sysconfdir}/cron.d/ipa-compliance
-%attr(755,root,root) %{_initrddir}/ipa
-%attr(755,root,root) %{_initrddir}/ipa_kpasswd
+# Use systemd scheme
+%attr(644,root,root) %{_unitdir}/ipa.service
+%attr(644,root,root) %{_unitdir}/ipa_kpasswd.service
 %dir %{python_sitelib}/ipaserver
 %{python_sitelib}/ipaserver/*
 %dir %{_usr}/share/ipa
@@ -416,8 +442,10 @@ fi
 %config(noreplace) %{_sysconfdir}/ipa/html/hbac-deny-remove.html
 %ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/httpd/conf.d/ipa-rewrite.conf
 %ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/httpd/conf.d/ipa.conf
+%ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/httpd/conf.d/ipa-pki-proxy.conf
 %{_usr}/share/ipa/ipa.conf
 %{_usr}/share/ipa/ipa-rewrite.conf
+%{_usr}/share/ipa/ipa-pki-proxy.conf
 %dir %{_usr}/share/ipa/updates/
 %{_usr}/share/ipa/updates/*
 %attr(755,root,root) %{plugin_dir}/libipa_pwd_extop.so
@@ -443,7 +471,7 @@ fi
 %{_mandir}/man1/ipa-ca-install.1.gz
 %{_mandir}/man1/ipa-compat-manage.1.gz
 %{_mandir}/man1/ipa-nis-manage.1.gz
-%{_mandir}/man1/ipa-host-net-manage.1.gz
+%{_mandir}/man1/ipa-managed-entries.1.gz
 %{_mandir}/man1/ipa-ldap-updater.1.gz
 %{_mandir}/man8/ipa_kpasswd.8.gz
 %{_mandir}/man8/ipactl.8.gz
@@ -491,18 +519,34 @@ fi
 %defattr(-,root,root,-)
 %doc COPYING README Contributors.txt
 %dir %{python_sitelib}/ipapython
+%dir %{python_sitelib}/ipapython/platform
 %{python_sitelib}/ipapython/*.py*
+%{python_sitelib}/ipapython/platform/*.py*
 %dir %{python_sitelib}/ipalib
 %{python_sitelib}/ipalib/*
 %{python_sitearch}/default_encoding_utf8.so
-%if 0%{?fedora} >= 12 || 0%{?rhel} >= 6
 %{python_sitelib}/ipapython-*.egg-info
 %{python_sitelib}/freeipa-*.egg-info
 %{python_sitearch}/python_default_encoding-*.egg-info
-%endif
 %ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/ipa/default.conf
 
 %changelog
+* Wed Oct 19 2011 Alexander Bokovoy <abokovoy@redhat.com> - 2.1.3-4
+- clean up spec 
+- Depend on sssd >= 1.6.2 for better user experience
+
+* Tue Oct 18 2011 Alexander Bokovoy <abokovoy@redhat.com> - 2.1.3-3
+- Fix Fedora package changelog after merging systemd changes
+
+* Tue Oct 18 2011 Alexander Bokovoy <abokovoy@redhat.com> - 2.1.3-2
+- Fix postin scriplet for F-15/F-16
+
+* Tue Oct 18 2011 Alexander Bokovoy <abokovoy@redhat.com> - 2.1.3-1
+- 2.1.3
+
+* Mon Oct 17 2011 Alexander Bokovoy <abokovoy@redhat.com> - 2.1.2-1
+- Default to systemd for Fedora 16 and onwards
+
 * Thu Aug 16 2011 Rob Crittenden <rcritten@redhat.com> - 2.1.0-1
 - Update to upstream 2.1.0
 
diff --git a/sources b/sources
index 2f82bc9..65d1a20 100644
--- a/sources
+++ b/sources
@@ -1 +1,3 @@
-2272a05e8d09a009a999e4fef25588a6  freeipa-2.1.0.tar.gz
+8475a0768b90171f58b4be76d09d6820  freeipa-2.1.3.tar.gz
+558f5ccb5610cf66db1eeb969420cac2  freeipa-2.1.3-systemd.patch.gz
+eee14c5b2640d9b1d6f694befc62e85f  freeipa-2.1.3-wait_for_socket.patch.gz