diff --git a/.gitignore b/.gitignore
index f7374d7..e26dc56 100644
--- a/.gitignore
+++ b/.gitignore
@@ -11,3 +11,4 @@
 /freeipa-2.1.3.tar.gz
 /freeipa-2.1.3-wait_for_socket.patch.gz
 /freeipa-2.1.4.tar.gz
+/freeipa-2.1.90.pre1.tar.gz
diff --git a/freeipa-2.1.4-connection-failure-recovery.patch b/freeipa-2.1.4-connection-failure-recovery.patch
deleted file mode 100644
index 98c7d95..0000000
--- a/freeipa-2.1.4-connection-failure-recovery.patch
+++ /dev/null
@@ -1,95 +0,0 @@
-From 859d28ce9d4b0f356122b576eab397ed7a066745 Mon Sep 17 00:00:00 2001
-From: Martin Kosek <mkosek@redhat.com>
-Date: Thu, 8 Dec 2011 14:52:49 +0100
-Subject: [PATCH 4/6] Add connection failure recovery to IPAdmin
-
-Recover from connection failures in IPAdmin LDAP bind functions and
-rather try reconnect in scope of a given timeout instead of giving
-up after the first failed connection.
-
-The recovery fixes ipa-ldap-updater on F-16 which always failed
-because of a missing dirsrv socket.
-
-https://fedorahosted.org/freeipa/ticket/2175
----
- ipaserver/ipaldap.py |   35 +++++++++++++++++++++++++++++------
- 1 files changed, 29 insertions(+), 6 deletions(-)
-
-diff --git a/ipaserver/ipaldap.py b/ipaserver/ipaldap.py
-index 74cfbfda911facbf6f3bddf5972b3f035a9cfde0..1820e690b10c820efcd3217801bde6b685bbf20b 100644
---- a/ipaserver/ipaldap.py
-+++ b/ipaserver/ipaldap.py
-@@ -30,14 +30,17 @@ import cStringIO
- import time
- import struct
- import ldap.sasl
-+import ldapurl
- from ldap.controls import LDAPControl,DecodeControlTuples,EncodeControlTuples
- from ldap.ldapobject import SimpleLDAPObject
- from ipaserver import ipautil
-+from ipaserver.install import installutils
- from ipalib import errors
- from ipapython.ipautil import format_netloc
- 
- # Global variable to define SASL auth
- SASL_AUTH = ldap.sasl.sasl({},'GSSAPI')
-+DEFAULT_TIMEOUT = 10
- 
- class Entry:
-     """
-@@ -330,6 +333,26 @@ class IPAdmin(SimpleLDAPObject):
-         except ldap.LDAPError, e:
-             raise errors.DatabaseError(desc=desc,info=info)
- 
-+    def __wait_for_connection(self, timeout):
-+        lurl = ldapurl.LDAPUrl(self._uri)
-+        if lurl.urlscheme == 'ldapi':
-+            installutils.wait_for_open_socket(lurl.hostport, timeout)
-+        else:
-+            (host,port) = lurl.hostport.split(':')
-+            installutils.wait_for_open_ports(host, int(port), timeout)
-+
-+    def __bind_with_wait(self, bind_func, timeout, *args, **kwargs):
-+        try:
-+            bind_func(*args, **kwargs)
-+        except (ldap.CONNECT_ERROR, ldap.SERVER_DOWN), e:
-+            if not timeout:
-+                raise e
-+            try:
-+                self.__wait_for_connection(timeout)
-+            except:
-+                raise e
-+            bind_func(*args, **kwargs)
-+
-     def toLDAPURL(self):
-         return "ldap://%s/" % format_netloc(self.host, self.port)
- 
-@@ -346,19 +369,19 @@ class IPAdmin(SimpleLDAPObject):
-         except ldap.LDAPError, e:
-             self.__handle_errors(e, **{})
- 
--    def do_simple_bind(self, binddn="cn=directory manager", bindpw=""):
-+    def do_simple_bind(self, binddn="cn=directory manager", bindpw="", timeout=DEFAULT_TIMEOUT):
-         self.binddn = binddn
-         self.bindpwd = bindpw
--        self.simple_bind_s(binddn, bindpw)
-+        self.__bind_with_wait(self.simple_bind_s, timeout, binddn, bindpw)
-         self.__lateinit()
- 
--    def do_sasl_gssapi_bind(self):
--        self.sasl_interactive_bind_s('', SASL_AUTH)
-+    def do_sasl_gssapi_bind(self, timeout=DEFAULT_TIMEOUT):
-+        self.__bind_with_wait(self.sasl_interactive_bind_s, timeout, '', SASL_AUTH)
-         self.__lateinit()
- 
--    def do_external_bind(self, user_name=None):
-+    def do_external_bind(self, user_name=None, timeout=DEFAULT_TIMEOUT):
-         auth_tokens = ldap.sasl.external(user_name)
--        self.sasl_interactive_bind_s("", auth_tokens)
-+        self.__bind_with_wait(self.sasl_interactive_bind_s, timeout, '', auth_tokens)
-         self.__lateinit()
- 
-     def getEntry(self,*args):
--- 
-1.7.7.4
-
diff --git a/freeipa-2.1.4-fix-pylint-f16.patch b/freeipa-2.1.4-fix-pylint-f16.patch
deleted file mode 100644
index 06d24c6..0000000
--- a/freeipa-2.1.4-fix-pylint-f16.patch
+++ /dev/null
@@ -1,88 +0,0 @@
-From d27b23d4315d24e62d83ddf0012b347ffad36e9c Mon Sep 17 00:00:00 2001
-From: Rob Crittenden <rcritten@redhat.com>
-Date: Thu, 8 Dec 2011 16:11:22 -0500
-Subject: [PATCH 6/6] Fix some pylint issues found in F-16
-
-* Using default_attributes rather than what would be defined in output
-  is the preferred mechanism for determining what attributes to
-  retrieve.
-
-* Replace some add_s() calls with addEntry()
----
- doc/examples/examples.py         |    9 +++++++--
- ipaserver/install/krbinstance.py |    4 ++--
- ipaserver/install/service.py     |    2 +-
- 3 files changed, 10 insertions(+), 5 deletions(-)
-
-diff --git a/doc/examples/examples.py b/doc/examples/examples.py
-index a969c898bcf8a6829b83898bd2d68400ae939ff3..7053e589a1a058d7742b51cbceaf683971555621 100644
---- a/doc/examples/examples.py
-+++ b/doc/examples/examples.py
-@@ -314,6 +314,11 @@ class exuser(Object):
-         ),
-     )
- 
-+    # You may not want to return all attributes in the entry by default.
-+    # Use default_attributes to limit the list of returned values. The
-+    # caller can set all to True to return all attributes.
-+    default_attributes = ['uid', 'givenname', 'sn']
-+
- # register the object, uncomment this line if you want to try it out
- #api.register(exuser)
- 
-@@ -352,7 +357,7 @@ class exuser_show(Method):
-         if options.get('all', False):
-             attrs_list = ['*']
-         else:
--            attrs_list = [p.name for p in self.output_params()]
-+            attrs_list = self.obj.default_attributes
- 
-         (dn, entry_attrs) = ldap.get_entry(dn, attrs_list)
-         entry_attrs['dn'] = dn
-@@ -398,7 +403,7 @@ class exuser_find(Method):
-         if options.get('all', False):
-             attrs_list = ['*']
-         else:
--            attrs_list = [p.name for p in self.output_params()]
-+            attrs_list = self.obj.default_attributes
- 
-         # perform the search
-         (entries, truncated) = ldap.find_entries(
-diff --git a/ipaserver/install/krbinstance.py b/ipaserver/install/krbinstance.py
-index ce70c231dfb7e7b6b59c0496721cced0d09f1604..df6fc5a6ea6fbc4d9c207122dbb3c1ce1f5b4f50 100644
---- a/ipaserver/install/krbinstance.py
-+++ b/ipaserver/install/krbinstance.py
-@@ -284,7 +284,7 @@ class KrbInstance(service.Service):
-         entry.setValues("nsSaslMapFilterTemplate", '(krbPrincipalName=\\1@\\2)')
- 
-         try:
--            self.admin_conn.add_s(entry)
-+            self.admin_conn.addEntry(entry)
-         except ldap.ALREADY_EXISTS:
-             logging.critical("failed to add Full Principal Sasl mapping")
-             raise e
-@@ -297,7 +297,7 @@ class KrbInstance(service.Service):
-         entry.setValues("nsSaslMapFilterTemplate", '(krbPrincipalName=&@%s)' % self.realm)
- 
-         try:
--            self.admin_conn.add_s(entry)
-+            self.admin_conn.addEntry(entry)
-         except ldap.ALREADY_EXISTS:
-             logging.critical("failed to add Name Only Sasl mapping")
-             raise e
-diff --git a/ipaserver/install/service.py b/ipaserver/install/service.py
-index 2fd15d8f8010114914549871fc5d0a228561fe1c..9fcc095b64f1abc121f1960d7c7ec15dbe53821f 100644
---- a/ipaserver/install/service.py
-+++ b/ipaserver/install/service.py
-@@ -287,7 +287,7 @@ class Service(object):
-                         "enabledService", "startOrder " + str(order))
- 
-         try:
--            conn.add_s(entry)
-+            conn.addEntry(entry)
-         except ldap.ALREADY_EXISTS, e:
-             logging.critical("failed to add %s Service startup entry" % name)
-             raise e
--- 
-1.7.7.4
-
diff --git a/freeipa-2.1.4-logging.patch b/freeipa-2.1.4-logging.patch
deleted file mode 100644
index f9f7fb3..0000000
--- a/freeipa-2.1.4-logging.patch
+++ /dev/null
@@ -1,138 +0,0 @@
-From 402867038f8664e88e2d9ca42f2c77a46a0be7ae Mon Sep 17 00:00:00 2001
-From: Martin Kosek <mkosek@redhat.com>
-Date: Mon, 2 Jan 2012 16:49:59 +0100
-Subject: [PATCH 1/3] Make sure that install tools log
-
-When any log message is emitted before IPA install tools logging is
-configured, it may break and leave install tools log empty. This
-happens for example when
-
-ipa-server-install --ip-address=$IP_ADDRESS
-
-is run.
-
-This patch makes sure that logging is right in these cases.
-
-https://fedorahosted.org/freeipa/ticket/2214
----
- install/tools/ipa-ca-install      |    1 +
- install/tools/ipa-dns-install     |    1 +
- install/tools/ipa-replica-install |    1 +
- install/tools/ipa-server-install  |    2 +
- ipaserver/install/installutils.py |   43 +++++++++++++++++++++++++++++++++++++
- 5 files changed, 48 insertions(+), 0 deletions(-)
-
-diff --git a/install/tools/ipa-ca-install b/install/tools/ipa-ca-install
-index 445b0621419b7aa5b4616e154d9f8193a5d517fb..c813659f34f4471132b83fd4159b69b76f5ce487 100755
---- a/install/tools/ipa-ca-install
-+++ b/install/tools/ipa-ca-install
-@@ -70,6 +70,7 @@ def get_dirman_password():
-     return installutils.read_password("Directory Manager (existing master)", confirm=False, validate=False)
- 
- def main():
-+    installutils.bootstrap_logging()
-     safe_options, options, filename = parse_options()
-     installutils.standard_logging_setup("/var/log/ipareplica-ca-install.log", options.debug)
-     logging.debug('%s was invoked with argument "%s" and options: %s' % (sys.argv[0], filename, safe_options))
-diff --git a/install/tools/ipa-dns-install b/install/tools/ipa-dns-install
-index d81b6a2e804a815d5bece8426a286e3190f6dee3..25c1bb0cac251d098e3744afd7b7eeab32a3fe6b 100755
---- a/install/tools/ipa-dns-install
-+++ b/install/tools/ipa-dns-install
-@@ -82,6 +82,7 @@ def parse_options():
-     return safe_options, options
- 
- def main():
-+    bootstrap_logging()
-     safe_options, options = parse_options()
- 
-     if os.getegid() != 0:
-diff --git a/install/tools/ipa-replica-install b/install/tools/ipa-replica-install
-index dbc736764f38489df15900c4540a381764d0c261..7310d286292f571ef25b57b29d2a213f4bd855a1 100755
---- a/install/tools/ipa-replica-install
-+++ b/install/tools/ipa-replica-install
-@@ -286,6 +286,7 @@ def check_bind():
-         sys.exit(1)
- 
- def main():
-+    installutils.bootstrap_logging()
-     safe_options, options, filename = parse_options()
-     installutils.standard_logging_setup("/var/log/ipareplica-install.log", options.debug)
-     logging.debug('%s was invoked with argument "%s" and options: %s' % (sys.argv[0], filename, safe_options))
-diff --git a/install/tools/ipa-server-install b/install/tools/ipa-server-install
-index 8f156e8dde7fbc4cfde00a0f6a2fc8e23403cc73..755f2772780010c62fdc642125107843bef61668 100755
---- a/install/tools/ipa-server-install
-+++ b/install/tools/ipa-server-install
-@@ -562,6 +562,8 @@ def main():
-     global installation_cleanup
-     ds = None
- 
-+    bootstrap_logging()
-+
-     safe_options, options = parse_options()
- 
-     if os.getegid() != 0:
-diff --git a/ipaserver/install/installutils.py b/ipaserver/install/installutils.py
-index 0a36c354e1d2f901bfdef51c151d035ba8ee64ca..d0f611c611847d02f3d264d669a2e90689f5a87b 100644
---- a/ipaserver/install/installutils.py
-+++ b/ipaserver/install/installutils.py
-@@ -314,7 +314,47 @@ def port_available(port):
- 
-     return rv
- 
-+class BufferingHandler(logging.Handler):
-+    log_queue = []
-+
-+    def __init__(self):
-+        logging.Handler.__init__(self)
-+        self.level = logging.DEBUG
-+
-+    def emit(self, record):
-+        self.log_queue.append(record)
-+
-+    def flush(self):
-+        pass
-+
-+def bootstrap_logging():
-+    """
-+    Bootstrap logging and create special handler which will buffer any log
-+    emitted before standard_logging_setup is called. These will be later
-+    processed when the logging is set up.
-+    """
-+    root_logger = logging.getLogger()
-+    root_logger.setLevel(logging.DEBUG)
-+    root_logger.addHandler(BufferingHandler())
-+
- def standard_logging_setup(log_filename, debug=False, filemode='w'):
-+    """
-+    Set up logging. bootstrap_logging() should be called earlier if there
-+    is a chance that a log is emitted before this setup.
-+    """
-+    root_logger = logging.getLogger()
-+    log_queue = []
-+
-+    if root_logger.handlers:
-+        # Remove any handlers that may have been set and which may cause
-+        # problems with logging in install utils
-+        handler_list = list(logging.getLogger().handlers)
-+
-+        for handler in handler_list:
-+            if isinstance(handler, BufferingHandler):
-+                log_queue.extend(handler.log_queue)
-+            root_logger.removeHandler(handler)
-+
-     old_umask = os.umask(077)
-     # Always log everything (i.e., DEBUG) to the log
-     # file.
-@@ -335,6 +375,9 @@ def standard_logging_setup(log_filename, debug=False, filemode='w'):
-     console.setFormatter(formatter)
-     logging.getLogger('').addHandler(console)
- 
-+    for log_record in log_queue:
-+        root_logger.handle(log_record)
-+
- def get_password(prompt):
-     if os.isatty(sys.stdin.fileno()):
-         return getpass.getpass(prompt)
--- 
-1.7.7.5
-
diff --git a/freeipa-2.1.4-replica-install-services.patch b/freeipa-2.1.4-replica-install-services.patch
deleted file mode 100644
index a00895a..0000000
--- a/freeipa-2.1.4-replica-install-services.patch
+++ /dev/null
@@ -1,72 +0,0 @@
-From a018ba4013ad18eb75bdfd50887ef12ad2d77972 Mon Sep 17 00:00:00 2001
-From: Martin Kosek <mkosek@redhat.com>
-Date: Wed, 11 Jan 2012 10:07:03 +0100
-Subject: [PATCH 3/3] Prevent service restart failures in ipa-replica-install
-
-Call restart() methods of appropriate services instead of calling
-the system service restart command directly as service() method
-has a capability to wait until the service is fully up. Without
-this patch ipa-replica-install crashed on F-16 because krb5kdc
-service was started before dirsrv service was fully up.
-
-https://fedorahosted.org/freeipa/ticket/2139
----
- install/tools/ipa-replica-install |   21 ++++++++++++++++-----
- 1 files changed, 16 insertions(+), 5 deletions(-)
-
-diff --git a/install/tools/ipa-replica-install b/install/tools/ipa-replica-install
-index 7310d286292f571ef25b57b29d2a213f4bd855a1..9c637202917fc67da68cea61ebc1b41169bbf2db 100755
---- a/install/tools/ipa-replica-install
-+++ b/install/tools/ipa-replica-install
-@@ -155,6 +155,8 @@ def install_krb(config, setup_pkinit=False):
-                        ldappwd_filename, kpasswd_filename,
-                        setup_pkinit, pkcs12_info)
- 
-+    return krb
-+
- def install_ca_cert(config):
-     cafile = config.dir + "/ca.crt"
-     if not ipautil.file_exists(cafile):
-@@ -188,6 +190,8 @@ def install_http(config, auto_redirect):
-             print "error copying files: " + str(e)
-             sys.exit(1)
- 
-+    return http
-+
- def install_bind(config, options):
-     api.Backend.ldap2.connect(bind_dn="cn=Directory Manager",
-                               bind_pw=config.dirman_password)
-@@ -442,8 +446,8 @@ def main():
-         cs.add_simple_service('dogtagldap/%s@%s' % (config.host_name, config.realm_name))
-         cs.add_cert_to_service()
- 
--    install_krb(config, setup_pkinit=options.setup_pkinit)
--    install_http(config, auto_redirect=options.ui_redirect)
-+    krb = install_krb(config, setup_pkinit=options.setup_pkinit)
-+    http = install_http(config, auto_redirect=options.ui_redirect)
-     if CA:
-         CA.import_ra_cert(dir + "/ra.p12")
-         CA.fix_ra_perms()
-@@ -457,9 +461,16 @@ def main():
-     service.print_msg("Applying LDAP updates")
-     ds.apply_updates()
- 
--    ipaservices.knownservices.dirsrv.restart()
--    ipaservices.knownservices.krb5kdc.restart()
--    ipaservices.knownservices.httpd.restart()
-+    # Restart ds and krb after configurations have been changed
-+    service.print_msg("Restarting the directory server")
-+    ds.restart()
-+
-+    service.print_msg("Restarting the KDC")
-+    krb.restart()
-+
-+    # Restart httpd to pick up the new IPA configuration
-+    service.print_msg("Restarting the web server")
-+    http.restart()
- 
-     if options.setup_dns:
-         install_bind(config, options)
--- 
-1.7.7.5
-
diff --git a/freeipa-2.1.4-replication-addentry.patch b/freeipa-2.1.4-replication-addentry.patch
deleted file mode 100644
index 1b89234..0000000
--- a/freeipa-2.1.4-replication-addentry.patch
+++ /dev/null
@@ -1,93 +0,0 @@
-From e14b13000890ff13cb9c062e6a32e1e127587bc7 Mon Sep 17 00:00:00 2001
-From: Martin Kosek <mkosek@redhat.com>
-Date: Wed, 11 Jan 2012 10:06:39 +0100
-Subject: [PATCH 2/3] Fix LDAP add calls in replication module
-
-Replace conn.add_s(entry) with conn.addEntry(entry) to avoid
-function calls with an invalid number of parameters.
-
-https://fedorahosted.org/freeipa/ticket/2139
----
- ipaserver/install/replication.py |   22 +++++++++++-----------
- 1 files changed, 11 insertions(+), 11 deletions(-)
-
-diff --git a/ipaserver/install/replication.py b/ipaserver/install/replication.py
-index a6bd7af37bb7c6761841d68ff733276045a7ddab..8f0f226dbacc0ee3b84357c059c91936af034fed 100644
---- a/ipaserver/install/replication.py
-+++ b/ipaserver/install/replication.py
-@@ -225,8 +225,8 @@ class ReplicationManager(object):
-         ent.setValues("sn", "replication manager pseudo user")
- 
-         try:
--            conn.add_s(ent)
--        except ldap.ALREADY_EXISTS:
-+            conn.addEntry(ent)
-+        except errors.DuplicateEntry:
-             conn.modify_s(dn, [(ldap.MOD_REPLACE, "userpassword", pw)])
-             pass
- 
-@@ -275,7 +275,7 @@ class ReplicationManager(object):
-         entry.setValues('nsds5replicabinddn', [replica_binddn])
-         entry.setValues('nsds5replicalegacyconsumer', "off")
- 
--        conn.add_s(entry)
-+        conn.addEntry(entry)
- 
-     def setup_changelog(self, conn):
-         dn = "cn=changelog5, cn=config"
-@@ -285,8 +285,8 @@ class ReplicationManager(object):
-         entry.setValues('cn', "changelog5")
-         entry.setValues('nsslapd-changelogdir', dirpath)
-         try:
--            conn.add_s(entry)
--        except ldap.ALREADY_EXISTS:
-+            conn.addEntry(entry)
-+        except errors.DuplicateEntry:
-             return
- 
-     def setup_chaining_backend(self, conn):
-@@ -308,11 +308,11 @@ class ReplicationManager(object):
-                 entry.setValues('nsmultiplexorbinddn', self.repl_man_dn)
-                 entry.setValues('nsmultiplexorcredentials', self.repl_man_passwd)
- 
--                self.conn.add_s(entry)
-+                self.conn.addEntry(entry)
-                 done = True
--            except ldap.ALREADY_EXISTS:
-+            except errors.DuplicateEntry:
-                 benum += 1
--            except ldap.LDAPError, e:
-+            except errors.ExecutionError, e:
-                 print "Could not add backend entry " + dn, e
-                 raise
- 
-@@ -376,7 +376,7 @@ class ReplicationManager(object):
-         entry.setValues("objectclass", ["account", "simplesecurityobject"])
-         entry.setValues("uid", "passsync")
-         entry.setValues("userPassword", password)
--        conn.add_s(entry)
-+        conn.addEntry(entry)
- 
-         # Add it to the list of users allowed to bypass password policy
-         extop_dn = "cn=ipa_pwd_extop,cn=plugins,cn=config"
-@@ -470,7 +470,7 @@ class ReplicationManager(object):
-         if iswinsync:
-             self.setup_winsync_agmt(entry, win_subtree)
- 
--        a_conn.add_s(entry)
-+        a_conn.addEntry(entry)
- 
-         entry = a_conn.waitForEntry(entry)
- 
-@@ -746,7 +746,7 @@ class ReplicationManager(object):
-         entry.setValues("ipaConfigString", "winsync:%s" % self.hostname)
- 
-         try:
--            self.conn.add_s(entry)
-+            self.conn.addEntry(entry)
-         except Exception, e:
-             logging.info("Failed to create public entry for winsync replica")
- 
--- 
-1.7.7.5
-
diff --git a/freeipa-2.1.4-selinux-web-migration-policy.patch b/freeipa-2.1.4-selinux-web-migration-policy.patch
deleted file mode 100644
index 4795631..0000000
--- a/freeipa-2.1.4-selinux-web-migration-policy.patch
+++ /dev/null
@@ -1,35 +0,0 @@
-From d214ba7547fdda279fa3fd38129a600979d6213b Mon Sep 17 00:00:00 2001
-From: Alexander Bokovoy <abokovoy@redhat.com>
-Date: Wed, 21 Dec 2011 14:44:06 +0200
-Subject: [PATCH] Re-enable web password migration on Fedora 16 after SE Linux
- policy restrictions
-
-Web password migration tool uses connection to the LDAPI socket.
-Enable access to the ns-slapd socket.
----
- selinux/ipa_httpd/ipa_httpd.te |    2 ++
- 1 files changed, 2 insertions(+), 0 deletions(-)
-
-diff --git a/selinux/ipa_httpd/ipa_httpd.te b/selinux/ipa_httpd/ipa_httpd.te
-index 65b161fe58cbe64c476fc6abb17b68d741d5d321..64525ba99ad2c455941a937d77ea5cc1af6c68d0 100644
---- a/selinux/ipa_httpd/ipa_httpd.te
-+++ b/selinux/ipa_httpd/ipa_httpd.te
-@@ -7,6 +7,7 @@ require {
-         type var_run_t;
-         type krb5kdc_t;
-         type cert_t;
-+        type dirsrv_t;
-         class sock_file write;
-         class unix_stream_socket connectto;
-         class file write;
-@@ -15,6 +16,7 @@ require {
- # Let Apache, bind and the KDC talk to DS over ldapi
- allow httpd_t var_run_t:sock_file write;
- allow httpd_t initrc_t:unix_stream_socket connectto;
-+allow httpd_t dirsrv_t:unix_stream_socket connectto;
- allow krb5kdc_t var_run_t:sock_file write;
- allow krb5kdc_t initrc_t:unix_stream_socket connectto;
- allow named_t var_run_t:sock_file write;
--- 
-1.7.8
-
diff --git a/freeipa-2.1.4-slapi-plugins-use-thread-safe-ldap-library.patch b/freeipa-2.1.4-slapi-plugins-use-thread-safe-ldap-library.patch
deleted file mode 100644
index 2e51e09..0000000
--- a/freeipa-2.1.4-slapi-plugins-use-thread-safe-ldap-library.patch
+++ /dev/null
@@ -1,39 +0,0 @@
->From e744b07fe589d36257590f31adf7a5dae3a51f55 Mon Sep 17 00:00:00 2001
-From: Simo Sorce <ssorce@redhat.com>
-Date: Tue, 20 Dec 2011 12:39:34 -0500
-Subject: [PATCH] slapi-plugins: use thread-safe ldap library
-
----
- daemons/configure.ac |    2 +-
- freeipa.spec.in      |    2 +-
- 2 files changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/daemons/configure.ac b/daemons/configure.ac
-index d15a5c70c000a9d83f9ccb6d05851f1400ae4627..9ff858a6b360b011be95ff9aac729a0e837356c2 100644
---- a/daemons/configure.ac
-+++ b/daemons/configure.ac
-@@ -174,7 +174,7 @@ if test "$with_ldap" = "yes"; then
-   if test "$with_ldap_lber" = "yes" ; then
-     OPENLDAP_LIBS="${OPENLDAP_LIBS} -llber"
-   fi
--  OPENLDAP_LIBS="${OPENLDAP_LIBS} -lldap"
-+  OPENLDAP_LIBS="${OPENLDAP_LIBS} -lldap_r"
- else
-   AC_MSG_ERROR([OpenLDAP not found])
- fi
-diff --git a/freeipa.spec.in b/freeipa.spec.in
-index 3305fda55a30523d0b86a0fb79ee74f60a544b92..36b68795eec02d11176c2369b50ec6c732925ad1 100644
---- a/freeipa.spec.in
-+++ b/freeipa.spec.in
-@@ -24,7 +24,7 @@ Source0:        freeipa-%{version}.tar.gz
- BuildRoot:      %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
- 
- %if ! %{ONLY_CLIENT}
--BuildRequires:  389-ds-base-devel >= 1.2.9
-+BuildRequires:  389-ds-base-devel >= 1.2.10-0.6.a6
- BuildRequires:  svrcore-devel
- BuildRequires:  /usr/share/selinux/devel/Makefile
- BuildRequires:  policycoreutils >= %{POLICYCOREUTILSVER}
--- 
-1.7.7.4
-
diff --git a/freeipa.spec b/freeipa.spec
index 0fb8cbb..6d23c3b 100644
--- a/freeipa.spec
+++ b/freeipa.spec
@@ -11,27 +11,21 @@ distutils.sysconfig import get_python_lib; print(get_python_lib(1))")}
 %endif
 %global POLICYCOREUTILSVER 1.33.12-1
 %global gettext_domain ipa
+%global VERSION 2.1.90.pre1
 
 Name:           freeipa
-Version:        2.1.4
-Release:        5%{?dist}
+Version:        2.1.90
+Release:        0.1%{?dist}
 Summary:        The Identity, Policy and Audit system
 
 Group:          System Environment/Base
 License:        GPLv3+
 URL:            http://www.freeipa.org/
-Source0:        freeipa-%{version}.tar.gz
-Patch0:         freeipa-2.1.4-connection-failure-recovery.patch
-Patch1:         freeipa-2.1.4-fix-pylint-f16.patch
-Patch2:         freeipa-2.1.4-slapi-plugins-use-thread-safe-ldap-library.patch
-Patch3:         freeipa-2.1.4-selinux-web-migration-policy.patch
-Patch4:         freeipa-2.1.4-logging.patch
-Patch5:         freeipa-2.1.4-replication-addentry.patch
-Patch6:         freeipa-2.1.4-replica-install-services.patch
+Source0:        freeipa-%{VERSION}.tar.gz
 Patch7:         freeipa-2.1.4-inifiles-support.patch
 Patch8:         freeipa-2.1.4-python-ldap-2.4.6-support.patch
 Patch9:         freeipa-2.1.4-upgrade-systemd.patch
-BuildRoot:      %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
+BuildRoot:      %{_tmppath}/%{name}-%{VERSION}-%{release}-root-%(%{__id_u} -n)
 
 %if ! %{ONLY_CLIENT}
 BuildRequires:  389-ds-base-devel >= 1.2.10-0.6.a6
@@ -86,7 +80,7 @@ Requires(pre): 389-ds-base >= 1.2.10-0.8.a7
 Requires: openldap-clients
 Requires: nss
 Requires: nss-tools
-Requires: krb5-server >= 1.9.1-15
+Requires: krb5-server >= 1.10-2
 Requires: krb5-server-ldap
 Requires: krb5-pkinit-openssl
 Requires: cyrus-sasl-gssapi%{?_isa}
@@ -102,9 +96,9 @@ Requires: python-pyasn1 >= 0.0.9a
 Requires: systemd-units >= 36-3
 Requires(pre): systemd-units
 Requires(post): systemd-units
-Requires: selinux-policy >= 3.10.0-31
+Requires: selinux-policy >= 3.10.0-82
 Requires(post): selinux-policy-base
-Requires: slapi-nis >= 0.21
+Requires: slapi-nis >= 0.36
 Requires: pki-ca >= 9.0.17
 Requires: pki-silent >= 9.0.17
 # Only tomcat6 greater than this version provides proper systemd support
@@ -163,8 +157,8 @@ Requires: krb5-workstation
 Requires: authconfig
 Requires: pam_krb5
 Requires: wget
-Requires:  libcurl >= 7.21.7-2
-Requires:  xmlrpc-c >= 1.27.4
+Requires: libcurl >= 7.21.7-2
+Requires: xmlrpc-c >= 1.27.4
 Requires: sssd >= 1.6.2
 Requires: certmonger >= 0.26
 Requires: nss-tools
@@ -223,14 +217,7 @@ package.
 
 
 %prep
-%setup -n freeipa-%{version} -q
-%patch0 -p1
-%patch1 -p1
-%patch2 -p1
-%patch3 -p1
-%patch4 -p1
-%patch5 -p1
-%patch6 -p1
+%setup -n freeipa-%{VERSION} -q
 %patch7 -p1
 %patch8 -p1
 %patch9 -p1
@@ -283,6 +270,7 @@ rm %{buildroot}/%{plugin_dir}/libipa_repl_version.la
 rm %{buildroot}/%{plugin_dir}/libipa_uuid.la
 rm %{buildroot}/%{plugin_dir}/libipa_modrdn.la
 rm %{buildroot}/%{plugin_dir}/libipa_lockout.la
+rm %{buildroot}/%{_libdir}/krb5/plugins/kdb/ipadb.la
 
 # Some user-modifiable HTML files are provided. Move these to /etc
 # and link back.
@@ -295,8 +283,6 @@ ln -s ../../../..%{_sysconfdir}/ipa/html/unauthorized.html \
     %{buildroot}%{_usr}/share/ipa/html/unauthorized.html
 ln -s ../../../..%{_sysconfdir}/ipa/html/browserconfig.html \
     %{buildroot}%{_usr}/share/ipa/html/browserconfig.html
-ln -s ../../../..%{_sysconfdir}/ipa/html/hbac-deny-remove.html \
-    %{buildroot}%{_usr}/share/ipa/html/hbac-deny-remove.html
 ln -s ../../../..%{_sysconfdir}/ipa/html/ipa_error.css \
     %{buildroot}%{_usr}/share/ipa/html/ipa_error.css
 
@@ -305,18 +291,24 @@ mkdir -p %{buildroot}%{_sysconfdir}/httpd/conf.d/
 /bin/touch %{buildroot}%{_sysconfdir}/httpd/conf.d/ipa.conf
 /bin/touch %{buildroot}%{_sysconfdir}/httpd/conf.d/ipa-pki-proxy.conf
 /bin/touch %{buildroot}%{_sysconfdir}/httpd/conf.d/ipa-rewrite.conf
+mkdir -p %{buildroot}%{_usr}/share/ipa/html/
+/bin/touch %{buildroot}%{_usr}/share/ipa/html/ca.crt
+/bin/touch %{buildroot}%{_usr}/share/ipa/html/configure.jar
+/bin/touch %{buildroot}%{_usr}/share/ipa/html/krb.con
+/bin/touch %{buildroot}%{_usr}/share/ipa/html/krb5.ini
+/bin/touch %{buildroot}%{_usr}/share/ipa/html/krbrealm.con
+/bin/touch %{buildroot}%{_usr}/share/ipa/html/preferences.html
+mkdir -p %{buildroot}%{_initrddir}
 # Default to systemd initscripts for F16 and above
 mkdir -p %{buildroot}%{_unitdir}
-for i in ipa.service ipa_kpasswd.service ; do
-    install -m 644 init/systemd/$i %{buildroot}%{_unitdir}/$i
-done
+install -m 644 init/systemd/ipa.service %{buildroot}%{_unitdir}/ipa.service
 mkdir -p %{buildroot}%{_libexecdir}
 install -m 755 init/systemd/freeipa-systemd-upgrade %{buildroot}%{_libexecdir}/freeipa-systemd-upgrade
-rm -f %{buildroot}%{_initrddir}/ipa_kpasswd
 %endif
 
 mkdir -p %{buildroot}%{_sysconfdir}/ipa/
 /bin/touch %{buildroot}%{_sysconfdir}/ipa/default.conf
+/bin/touch %{buildroot}%{_sysconfdir}/ipa/ca.crt
 mkdir -p %{buildroot}/%{_localstatedir}/lib/ipa-client/sysrestore
 
 %if ! %{ONLY_CLIENT}
@@ -341,9 +333,13 @@ if [ $1 -gt 1 ] ; then
     # after it has been migrated to systemd setup
     /usr/libexec/freeipa-systemd-upgrade || :
     /usr/sbin/ipa-upgradeconfig || :
-    /usr/sbin/ipa-ldap-updater --upgrade >/dev/null 2>&1 || :
 fi
 
+%posttrans server
+# This must be run in posttrans so that updates from previous
+# execution that may no longer be shipped are not applied.
+/usr/sbin/ipa-ldap-updater --upgrade >/dev/null 2>&1 || :
+
 %preun server
 if [ $1 = 0 ]; then
 # Use systemd scheme
@@ -368,7 +364,7 @@ if [ -s /etc/selinux/config ]; then
 fi
 
 %post server-selinux
-semodule -s targeted -i /usr/share/selinux/targeted/ipa_kpasswd.pp /usr/share/selinux/targeted/ipa_httpd.pp /usr/share/selinux/targeted/ipa_dogtag.pp
+semodule -s targeted -i /usr/share/selinux/targeted/ipa_httpd.pp /usr/share/selinux/targeted/ipa_dogtag.pp
 . %{_sysconfdir}/selinux/config
 FILE_CONTEXT=%{_sysconfdir}/selinux/targeted/contexts/files/file_contexts
 selinuxenabled
@@ -390,7 +386,7 @@ fi
 
 %postun server-selinux
 if [ $1 = 0 ]; then
-semodule -s targeted -r ipa_kpasswd ipa_httpd ipa_dogtag
+semodule -s targeted -r ipa_httpd ipa_dogtag
 . %{_sysconfdir}/selinux/config
 FILE_CONTEXT=%{_sysconfdir}/selinux/targeted/contexts/files/file_contexts
 selinuxenabled
@@ -419,14 +415,12 @@ fi
 %{_sbindir}/ipa-compat-manage
 %{_sbindir}/ipa-nis-manage
 %{_sbindir}/ipa-managed-entries
-%{_sbindir}/ipa_kpasswd
 %{_sbindir}/ipactl
 %{_sbindir}/ipa-upgradeconfig
 %{_sbindir}/ipa-compliance
 %{_sysconfdir}/cron.d/ipa-compliance
 # Use systemd scheme
 %attr(644,root,root) %{_unitdir}/ipa.service
-%attr(644,root,root) %{_unitdir}/ipa_kpasswd.service
 %{_libexecdir}/freeipa-systemd-upgrade
 %dir %{python_sitelib}/ipaserver
 %{python_sitelib}/ipaserver/*
@@ -439,7 +433,6 @@ fi
 %{_usr}/share/ipa/html/ssbrowser.html
 %{_usr}/share/ipa/html/browserconfig.html
 %{_usr}/share/ipa/html/unauthorized.html
-%{_usr}/share/ipa/html/hbac-deny-remove.html
 %{_usr}/share/ipa/html/ipa_error.css
 %dir %{_usr}/share/ipa/migration
 %{_usr}/share/ipa/migration/error.html
@@ -449,8 +442,6 @@ fi
 %{_usr}/share/ipa/migration/migration.py*
 %dir %{_usr}/share/ipa/ui
 %{_usr}/share/ipa/ui/index.html
-%{_usr}/share/ipa/ui/*.png
-%{_usr}/share/ipa/ui/*.gif
 %{_usr}/share/ipa/ui/*.ico
 %{_usr}/share/ipa/ui/*.css
 %{_usr}/share/ipa/ui/*.js
@@ -458,19 +449,28 @@ fi
 %{_usr}/share/ipa/ui/*.svg
 %{_usr}/share/ipa/ui/*.ttf
 %{_usr}/share/ipa/ui/*.woff
+%config(noreplace) %{_usr}/share/ipa/ui/extension.js
+%dir %{_usr}/share/ipa/ui/images
+%{_usr}/share/ipa/ui/images/*.png
+%{_usr}/share/ipa/ui/images/*.gif
 %dir %{_sysconfdir}/ipa
 %dir %{_sysconfdir}/ipa/html
 %config(noreplace) %{_sysconfdir}/ipa/html/ssbrowser.html
 %config(noreplace) %{_sysconfdir}/ipa/html/ipa_error.css
 %config(noreplace) %{_sysconfdir}/ipa/html/unauthorized.html
 %config(noreplace) %{_sysconfdir}/ipa/html/browserconfig.html
-%config(noreplace) %{_sysconfdir}/ipa/html/hbac-deny-remove.html
 %ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/httpd/conf.d/ipa-rewrite.conf
 %ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/httpd/conf.d/ipa.conf
 %ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/httpd/conf.d/ipa-pki-proxy.conf
 %{_usr}/share/ipa/ipa.conf
 %{_usr}/share/ipa/ipa-rewrite.conf
 %{_usr}/share/ipa/ipa-pki-proxy.conf
+%ghost %attr(0644,root,apache) %config(noreplace) %{_usr}/share/ipa/html/ca.crt
+%ghost %attr(0644,root,apache) %{_usr}/share/ipa/html/configure.jar
+%ghost %attr(0644,root,apache) %{_usr}/share/ipa/html/krb.con
+%ghost %attr(0644,root,apache) %{_usr}/share/ipa/html/krb5.ini
+%ghost %attr(0644,root,apache) %{_usr}/share/ipa/html/krbrealm.con
+%ghost %attr(0644,root,apache) %{_usr}/share/ipa/html/preferences.html
 %dir %{_usr}/share/ipa/updates/
 %{_usr}/share/ipa/updates/*
 %attr(755,root,root) %{plugin_dir}/libipa_pwd_extop.so
@@ -484,7 +484,7 @@ fi
 %attr(700,root,root) %dir %{_localstatedir}/lib/ipa/sysrestore
 %dir %{_localstatedir}/cache/ipa
 %attr(700,apache,apache) %dir %{_localstatedir}/cache/ipa/sessions
-%attr(700,root,root) %dir %{_localstatedir}/cache/ipa/kpasswd
+%attr(755,root,root) %{_libdir}/krb5/plugins/kdb/ipadb.so
 %{_mandir}/man1/ipa-replica-conncheck.1.gz
 %{_mandir}/man1/ipa-replica-install.1.gz
 %{_mandir}/man1/ipa-replica-manage.1.gz
@@ -498,14 +498,13 @@ fi
 %{_mandir}/man1/ipa-nis-manage.1.gz
 %{_mandir}/man1/ipa-managed-entries.1.gz
 %{_mandir}/man1/ipa-ldap-updater.1.gz
-%{_mandir}/man8/ipa_kpasswd.8.gz
 %{_mandir}/man8/ipactl.8.gz
+%{_mandir}/man8/ipa-upgradeconfig.8.gz
 %{_mandir}/man1/ipa-compliance.1.gz
 
 %files server-selinux
 %defattr(-,root,root,-)
 %doc COPYING README Contributors.txt
-%{_usr}/share/selinux/targeted/ipa_kpasswd.pp
 %{_usr}/share/selinux/targeted/ipa_httpd.pp
 %{_usr}/share/selinux/targeted/ipa_dogtag.pp
 %endif
@@ -554,8 +553,12 @@ fi
 %{python_sitelib}/freeipa-*.egg-info
 %{python_sitearch}/python_default_encoding-*.egg-info
 %ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/ipa/default.conf
+%ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/ipa/ca.crt
 
 %changelog
+* Mon Feb 06 2012 Rob Crittenden <rcritten@redhat.com> - 2.1.90-0.1
+- Update to upstream 2.2.0 alpha 1 (2.1.90.pre1)
+
 * Wed Feb 01 2012 Alexander Bokovoy <abokovoy@redhat.com> - 2.1.4-5
 - Force to use 389-ds 1.2.10-0.8.a7 or above
 - Improve upgrade script to handle systemd 389-ds change
diff --git a/sources b/sources
index 983450e..664d51b 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-213047f62f3dfa5d6088fe916356c298  freeipa-2.1.4.tar.gz
+c0d9c3bbc2ba603d14f97098fe11057d  freeipa-2.1.90.pre1.tar.gz