diff --git a/.gitignore b/.gitignore
index 9085f0f..546f23c 100644
--- a/.gitignore
+++ b/.gitignore
@@ -88,3 +88,5 @@
 /freeipa-4.8.5.tar.gz.asc
 /freeipa-4.8.6.tar.gz
 /freeipa-4.8.6.tar.gz.asc
+/freeipa-4.8.7.tar.gz
+/freeipa-4.8.7.tar.gz.asc
diff --git a/freeipa.spec b/freeipa.spec
index 65b74fb..d6dbfa5 100644
--- a/freeipa.spec
+++ b/freeipa.spec
@@ -90,9 +90,9 @@
 # Require 4.7.0 which brings Python 3 bindings
 # Require 4.12 which has DsRGetForestTrustInformation access rights fixes
 %global samba_version 2:4.12
-# SELinux context for /etc/named directory, RHBZ#1759495
-%global selinux_policy_version 3.14.3-52
-%global slapi_nis_version 0.56.4
+
+%global selinux_policy_version 3.14.5-40
+%global slapi_nis_version 0.56.5
 
 # krb5 can only provide one KDB at a time
 %if 0%{?fedora} >= 32
@@ -149,7 +149,7 @@
 
 # Work-around fact that RPM SPEC parser does not accept
 # "Version: @VERSION@" in freeipa.spec.in used for Autoconf string replacement
-%define IPA_VERSION 4.8.6
+%define IPA_VERSION 4.8.7
 %define AT_SIGN @
 # redefine IPA_VERSION only if its value matches the Autoconf placeholder
 %if "%{IPA_VERSION}" == "%{AT_SIGN}VERSION%{AT_SIGN}"
@@ -158,7 +158,7 @@
 
 Name:           %{package_name}
 Version:        %{IPA_VERSION}
-Release:        2%{?dist}
+Release:        1%{?dist}
 Summary:        The Identity, Policy and Audit system
 
 License:        GPLv3+
@@ -175,7 +175,7 @@ BuildRequires:  openldap-devel
 # will cause the build to fail due to unsatisfied dependencies.
 # DAL version change may cause code crash or memory leaks, it is better to fail early.
 BuildRequires:  krb5-kdb-version = %{krb5_kdb_version}
-BuildRequires:  krb5-devel >= %{krb5_version}
+BuildRequires:  krb5-kdb-devel-version = %{krb5_kdb_version}
 # 1.27.4: xmlrpc_curl_xportparms.gssapi_delegation
 BuildRequires:  xmlrpc-c-devel >= 1.27.4
 BuildRequires:  popt-devel
@@ -193,7 +193,6 @@ BuildRequires:  systemd
 # systemd-tmpfiles which is executed from make install requires apache user
 BuildRequires:  httpd
 BuildRequires:  nspr-devel
-BuildRequires:  nss-devel >= %{nss_version}
 BuildRequires:  openssl-devel
 BuildRequires:  libini_config-devel
 BuildRequires:  cyrus-sasl-devel
@@ -206,8 +205,8 @@ BuildRequires:  libuuid-devel
 BuildRequires:  libsss_idmap-devel
 BuildRequires:  libsss_certmap-devel
 BuildRequires:  libsss_nss_idmap-devel >=  %{sssd_version}
-BuildRequires:  nodejs
-BuildRequires:  uglify-js
+BuildRequires:  nodejs(abi)
+BuildRequires:  python-rjsmin
 BuildRequires:  libverto-devel
 BuildRequires:  libunistring-devel
 # 0.13.0: https://bugzilla.redhat.com/show_bug.cgi?id=1584773
@@ -332,11 +331,11 @@ Requires: python3-ipaserver = %{version}-%{release}
 Requires: python3-ldap >= %{python_ldap_version}
 Requires: 389-ds-base >= %{ds_version}
 Requires: openldap-clients > 2.4.35-4
-Requires: nss >= %{nss_version}
 Requires: nss-tools >= %{nss_version}
 Requires(post): krb5-server >= %{krb5_version}
 Requires(post): krb5-server >= %{krb5_base_version}
 Requires: krb5-kdb-version = %{krb5_kdb_version}
+
 Requires: krb5-pkinit-openssl >= %{krb5_version}
 Requires: cyrus-sasl-gssapi%{?_isa}
 Requires: chrony
@@ -465,11 +464,11 @@ If you are installing an IPA server, you need to install this package.
 Summary: IPA integrated DNS server with support for automatic DNSSEC signing
 BuildArch: noarch
 Requires: %{name}-server = %{version}-%{release}
-Requires: bind-dyndb-ldap >= 11.0-2
-Requires: bind >= 9.11.0-6.P2
-Requires: bind-utils >= 9.11.0-6.P2
-Requires: bind-pkcs11 >= 9.11.0-6.P2
-Requires: bind-pkcs11-utils >= 9.11.0-6.P2
+Requires: bind-dyndb-ldap >= 11.3-1
+Requires: bind >= 9.11.19
+Requires: bind-utils >= 9.11.19
+Requires: bind-pkcs11 >= 9.11.19
+Requires: bind-pkcs11-utils >= 9.11.19
 Requires: opendnssec >= 2.1.6-3
 %{?systemd_requires}
 
@@ -591,6 +590,17 @@ Requires: cifs-utils
 This package provides command-line tools to deploy Samba domain member
 on the machine enrolled into a FreeIPA environment
 
+%if ! %{ONLY_CLIENT}
+%package client-epn
+Summary: Tools to configure Expiring Password Notification in IPA
+Group: System Environment/Base
+Requires: %{name}-client = %{version}-%{release}
+
+%description client-epn
+This package provides a service to collect and send expiring password
+notifications via email (SMTP).
+%endif
+
 %package -n python3-ipaclient
 Summary: Python libraries used by IPA client
 BuildArch: noarch
@@ -739,7 +749,7 @@ Requires: ldns-utils
 Requires: python3-coverage
 Requires: python3-cryptography >= 1.6
 Requires: python3-polib
-Requires: python3-pytest >= 2.6
+Requires: python3-pytest >= 3.9.1
 Requires: python3-pytest-multihost >= 0.5
 Requires: python3-pytest-sourceorder
 Requires: python3-sssdconfig >= %{sssd_version}
@@ -903,6 +913,13 @@ mkdir -p %{buildroot}%{_sysconfdir}/cron.d
 # ONLY_CLIENT
 %endif
 
+%if %{ONLY_CLIENT}
+# Remove ipa-epn parts as we don't have ipa-epn systemd integration generated
+# for client-only build
+rm %{buildroot}/%{_sbindir}/ipa-epn
+rm %{buildroot}/%{_mandir}/man1/ipa-epn.1*
+rm %{buildroot}/%{_mandir}/man5/epn.conf.5*
+%endif
 
 %if ! %{ONLY_CLIENT}
 
@@ -1149,6 +1166,7 @@ fi
 %{_libexecdir}/ipa/ipa-pki-retrieve-key
 %{_libexecdir}/ipa/ipa-pki-wait-running
 %{_libexecdir}/ipa/ipa-otpd
+%{_libexecdir}/ipa/ipa-print-pac
 %dir %{_libexecdir}/ipa/custodia
 %attr(755,root,root) %{_libexecdir}/ipa/custodia/ipa-custodia-dmldap
 %attr(755,root,root) %{_libexecdir}/ipa/custodia/ipa-custodia-pki-tomcat
@@ -1232,7 +1250,6 @@ fi
 %{_usr}/share/ipa/*.ldif
 %{_usr}/share/ipa/*.uldif
 %{_usr}/share/ipa/*.template
-%{_usr}/share/ipa/bind.ipa-ext.conf
 %dir %{_usr}/share/ipa/advise
 %dir %{_usr}/share/ipa/advise/legacy
 %{_usr}/share/ipa/advise/legacy/*.template
@@ -1278,6 +1295,7 @@ fi
 %ghost %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/ipa/kdcproxy/ipa-kdc-proxy.conf
 %ghost %attr(0644,root,root) %config(noreplace) %{_usr}/share/ipa/html/ca.crt
 %ghost %attr(0640,root,named) %config(noreplace) %{_sysconfdir}/named/ipa-ext.conf
+%ghost %attr(0640,root,named) %config(noreplace) %{_sysconfdir}/named/ipa-options-ext.conf
 %ghost %attr(0644,root,root) %{_usr}/share/ipa/html/krb.con
 %ghost %attr(0644,root,root) %{_usr}/share/ipa/html/krb5.ini
 %ghost %attr(0644,root,root) %{_usr}/share/ipa/html/krbrealm.con
@@ -1357,6 +1375,18 @@ fi
 %{_sbindir}/ipa-client-samba
 %{_mandir}/man1/ipa-client-samba.1*
 
+%if ! %{ONLY_CLIENT}
+%files client-epn
+%doc README.md Contributors.txt
+%license COPYING
+%{_sbindir}/ipa-epn
+%{_mandir}/man1/ipa-epn.1*
+%{_mandir}/man5/epn.conf.5*
+%attr(644,root,root) %{_unitdir}/ipa-epn.service
+%attr(644,root,root) %{_unitdir}/ipa-epn.timer
+%attr(644,root,root) %{_sysconfdir}/ipa/epn/expire_msg.template
+%endif
+
 %files -n python3-ipaclient
 %doc README.md Contributors.txt
 %license COPYING
@@ -1431,7 +1461,6 @@ fi
 %{python3_sitelib}/ipapython-*.egg-info
 %{python3_sitelib}/ipalib-*.egg-info
 %{python3_sitelib}/ipaplatform-*.egg-info
-%{python3_sitelib}/ipaplatform-*-nspkg.pth
 
 
 %if 0%{?with_ipatests}
@@ -1465,6 +1494,9 @@ fi
 %endif
 
 %changelog
+* Wed Jun 10 2020 Alexander Bokovoy <abokovoy@redhat.com> - 4.8.7-1
+- Upstream release FreeIPA 4.8.7
+
 * Tue May 26 2020 Miro Hrončok <mhroncok@redhat.com> - 4.8.6-2
 - Rebuilt for Python 3.9
 
diff --git a/sources b/sources
index 8d1a2b2..dcff7ae 100644
--- a/sources
+++ b/sources
@@ -1,2 +1,2 @@
-SHA512 (freeipa-4.8.6.tar.gz) = 36b2b4c2f6eb91f48017493710333a4ab3f022afe36ee66eb672bae8c6fcd826024e60930aa12713edff9e68ecb3d3eda190058df7488ccdf26212330b39ed09
-SHA512 (freeipa-4.8.6.tar.gz.asc) = d51d894e7693668f8fb4476c5d61e23e32412f3b9d048958f4b9f3f6e030945cc5d126d8b844d0d43b7ace17cbb27211db713e5b5df378c49a983eb471a65c11
+SHA512 (freeipa-4.8.7.tar.gz) = 8bcf0cea184c7c364606327a4fac8943d43c4981b2632e20d7979189d5c02099a34b75aeb7122176f7438698aefae4efd3ac6ebba12b720b24d3823638171b05
+SHA512 (freeipa-4.8.7.tar.gz.asc) = 7d3e10fbfaa28413dbfeb0614ae49c9a93251fe464a4d4bc495df03511a12adbb66f998e671fb7c2675c2c69d1d000848f7d4dd91b86235554f4da6118805494