diff --git a/.gitignore b/.gitignore
index b9b914a..8772936 100644
--- a/.gitignore
+++ b/.gitignore
@@ -120,3 +120,5 @@
 /freeipa-4.9.9.tar.gz.asc
 /freeipa-4.9.10.tar.gz
 /freeipa-4.9.10.tar.gz.asc
+/freeipa-4.10.0.tar.gz
+/freeipa-4.10.0.tar.gz.asc
diff --git a/0001-Only-calculate-LDAP-password-grace-when-the-password.patch b/0001-Only-calculate-LDAP-password-grace-when-the-password.patch
new file mode 100644
index 0000000..5e5d9d7
--- /dev/null
+++ b/0001-Only-calculate-LDAP-password-grace-when-the-password.patch
@@ -0,0 +1,56 @@
+From 22d1392a8a0d2887c389dcd78be06104cff88d30 Mon Sep 17 00:00:00 2001
+From: Rob Crittenden
+Date: Wed, 29 Jun 2022 13:25:55 +0000
+Subject: [PATCH] Only calculate LDAP password grace when the password is
+ expired
+
+The user's pwd expiration was retrieved but inadvertently was never
+compared to current time. So any LDAP bind, including from the
+IPA API, counted against the grace period. There is no need to go
+through the graceperiod code for non-expired passwords.
+
+https://pagure.io/freeipa/issue/1539
+
+Signed-off-by: Rob Crittenden
+Reviewed-By: Florence Blanc-Renaud
+---
+ .../ipa-graceperiod/ipa_graceperiod.c | 12 +++++++++---
+ 1 file changed, 9 insertions(+), 3 deletions(-)
+
+diff --git a/daemons/ipa-slapi-plugins/ipa-graceperiod/ipa_graceperiod.c b/daemons/ipa-slapi-plugins/ipa-graceperiod/ipa_graceperiod.c
+index 0860b5c20..a3f57cb4b 100644
+--- a/daemons/ipa-slapi-plugins/ipa-graceperiod/ipa_graceperiod.c
++++ b/daemons/ipa-slapi-plugins/ipa-graceperiod/ipa_graceperiod.c
+@@ -359,7 +359,8 @@ static int ipagraceperiod_preop(Slapi_PBlock *pb)
+ Slapi_ValueSet *values = NULL;
+ long grace_limit = 0;
+ int grace_user_time;
+- char *pwd_expiration = NULL;
++ char *tmpstr = NULL;
++ time_t pwd_expiration;
+ int pwresponse_requested = 0;
+ Slapi_PBlock *pbtm = NULL;
+ Slapi_Mods *smods = NULL;
+@@ -414,12 +415,17 @@ static int ipagraceperiod_preop(Slapi_PBlock *pb)
+ }
+ slapi_value_free(&objectclass);
+
+- pwd_expiration = slapi_entry_attr_get_charptr(target_entry, "krbPasswordExpiration");
+- if (pwd_expiration == NULL) {
++ tmpstr = slapi_entry_attr_get_charptr(target_entry, "krbPasswordExpiration");
++ if (tmpstr == NULL) {
+ /* No expiration means nothing to do */
+ LOG_TRACE("No krbPasswordExpiration for %s, nothing to do\n", dn);
+ goto done;
+ }
++ pwd_expiration = ipapwd_gentime_to_time_t(tmpstr);
++ if (pwd_expiration > time(NULL)) {
++ /* Not expired, nothing to see here */
++ goto done;
++ }
+
+ ldrc = ipagraceperiod_getpolicy(target_entry, &policy_entry,
+ &values, &actual_type_name,
+--
+2.31.1
+
diff --git a/freeipa.spec b/freeipa.spec
index dbcc77d..6a39d68 100644
--- a/freeipa.spec
+++ b/freeipa.spec
@@ -175,7 +175,7 @@
 # Work-around fact that RPM SPEC parser does not accept
 # "Version: @VERSION@" in freeipa.spec.in used for Autoconf string replacement
-%define IPA_VERSION 4.9.10
+%define IPA_VERSION 4.10.0
 # Release candidate version -- uncomment with one percent for RC versions
 #%%global rc_version %%nil
 %define AT_SIGN @
@@ -188,7 +188,7 @@
 Name: %{package_name}
 Version: %{IPA_VERSION}
-Release: 1%{?rc_version:.%rc_version}%{?dist}.1
+Release: 1%{?rc_version:.%rc_version}%{?dist}
 Summary: The Identity, Policy and Audit system
 License: GPLv3+
@@ -205,6 +205,8 @@ Source1: https://releases.pagure.org/freeipa/freeipa-%{version}%{?rc_vers
 # product-name.png
 # RHEL spec file only: END: Change branding to IPA and Identity Management
+Patch0001: 0001-Only-calculate-LDAP-password-grace-when-the-password.patch
+
 # RHEL spec file only: START
 %if %{NON_DEVELOPER_BUILD}
 %if 0%{?rhel} >= 8
@@ -1716,6 +1718,9 @@ fi
 %endif
 %changelog
+* Thu Jun 30 2022 Rob Crittenden - 4.10.0-1
+- Upstream release FreeIPA 4.10.0
+
 * Thu Jun 16 2022 Python Maint - 4.9.10-1.1
 - Rebuilt for Python 3.11
diff --git a/sources b/sources
index f0cfe18..74575ae 100644
--- a/sources
+++ b/sources
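Review bot: `tmpstr` is never released in the second hunk of the ipa_graceperiod.c change carried by 0001-Only-calculate-LDAP-password-grace-when-the-password.patch: `slapi_entry_attr_get_charptr()` hands back an allocated copy, and none of the patch's 9 added lines frees it, so ipagraceperiod_preop leaks the string on every bind that gets this far, including the new early `goto done`. Freeing it as soon as it has been converted, with `slapi_ch_free_string(&tmpstr);` directly after the `ipapwd_gentime_to_time_t(tmpstr)` line, covers both exits. What the helper returns for a malformed krbPasswordExpiration is not visible here; if it is 0 or -1 the entry falls through as expired and consumes grace logins, which deserves a one-line comment above the comparison once confirmed. The function starts and ends outside both hunks, so the `done:` cleanup could only be judged from the diffstat.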
@@ -1,2 +1,2 @@
-SHA512 (freeipa-4.9.10.tar.gz) = d2da42dc70684aecd4fc3685c71f58ad5fcd4a0a096deaa2af0a720f9cac566b3976f688c8c119bdcd39e94c9b114b9b7de67a562455c37c55686f64651c73a4
-SHA512 (freeipa-4.9.10.tar.gz.asc) = 23732343fce7ba4bf958b178c68259f1f8419f28a02f27fa0b3950354f5b62fb2c7ec74aec688fc0d759592d4bab037b658ce3e29b1ffb062ae2189b4be0af62
+SHA512 (freeipa-4.10.0.tar.gz) = e2e2e07263a5ae35149a7f320f41efa51c36d07d050c19c047350f764d8d2ba67c01f0d317c18e54d8d7ee0c750d15d14c5d49eafea650d94d6b833ff8aa6edc
+SHA512 (freeipa-4.10.0.tar.gz.asc) = e53de8b9dd9d4c84aab6b7c604142389a53c42f42774a912c58d46bc84fa0556bf565434d786395a5730d9d1c15fb01739b305aeba163559ae7edbe827b73112