diff --git a/openldap.spec b/openldap.spec
index 1df7b97..2401847 100644
--- a/openldap.spec
+++ b/openldap.spec
@@ -361,12 +361,6 @@ install -d -m755 $RPM_BUILD_ROOT%{_sysconfdir}/openldap/schema/redhat
 install -m644 %SOURCE6 \
     $RPM_BUILD_ROOT%{_sysconfdir}/openldap/schema/redhat/
 
-# Move doc files out of _sysconfdir
-mv $RPM_BUILD_ROOT%{_sysconfdir}/openldap/schema/README README.schema
-mv $RPM_BUILD_ROOT%{_sysconfdir}/openldap/DB_CONFIG.example DB_CONFIG.example
-chmod 0644 DB_CONFIG.example
-chmod 0644 openldap-%{version}/servers/slapd/back-sql/rdbms_depend/timesten/*.sh
-
 # Move slapd and slurpd out of _libdir
 mv $RPM_BUILD_ROOT/%{_libdir}/slapd $RPM_BUILD_ROOT/%{_sbindir}/
 rm -f $RPM_BUILD_ROOT/%{_sbindir}/slap{acl,add,auth,cat,dn,index,passwd,test,schema}
@@ -377,9 +371,18 @@ for X in acl add auth cat dn index passwd test schema; do ln -s slapd $RPM_BUILD
 chmod 755 $RPM_BUILD_ROOT/%{_libdir}/lib*.so*
 chmod 644 $RPM_BUILD_ROOT/%{_libdir}/lib*.*a
 
-# Add files and dirs which would be created by %post scriptlet
-touch $RPM_BUILD_ROOT/%{_sysconfdir}/openldap/slapd.conf.bak
+# slapd.conf(5) is obsoleted since 2.3, see slapd-config(5)
+# new configuration will be generated in %post
+mkdir -p $RPM_BUILD_ROOT/%{_datadir}/openldap-servers
 mkdir $RPM_BUILD_ROOT/%{_sysconfdir}/openldap/slapd.d
+mv $RPM_BUILD_ROOT/%{_sysconfdir}/openldap/slapd.conf $RPM_BUILD_ROOT/%{_datadir}/openldap-servers/slapd.conf.obsolete
+chmod 0644 $RPM_BUILD_ROOT/%{_datadir}/openldap-servers/slapd.conf.obsolete
+
+# Move doc files out of _sysconfdir
+mv $RPM_BUILD_ROOT%{_sysconfdir}/openldap/schema/README README.schema
+mv $RPM_BUILD_ROOT%{_sysconfdir}/openldap/DB_CONFIG.example $RPM_BUILD_ROOT/%{_datadir}/openldap-servers/DB_CONFIG.example
+chmod 0644 openldap-%{version}/servers/slapd/back-sql/rdbms_depend/timesten/*.sh
+chmod 0644 $RPM_BUILD_ROOT/%{_datadir}/openldap-servers/DB_CONFIG.example
 
 # Remove files which we don't want packaged.
 rm -f $RPM_BUILD_ROOT/%{_libdir}/*.la
@@ -511,8 +514,15 @@ chmod 640 slapd.pem
 popd
 fi
 
-if [ -f %{_sysconfdir}/openldap/slapd.conf ]; then
-    # if there is no slapd.conf, we probably already have new configuration in place
+if [ `find %{_sysconfdir}/openldap/slapd.d -maxdepth 0 -empty | wc -l` = "1" ]; then
+    # configuration in slapd.d not available
+
+    [ ! -f %{_sysconfdir}/openldap/slapd.conf ]
+    fresh_install=$?
+
+    [ $fresh_install -eq 0 ] && \
+        cp %{_datadir}/openldap-servers/slapd.conf.obsolete %{_sysconfdir}/openldap/slapd.conf
+
     mv %{_sysconfdir}/openldap/slapd.conf %{_sysconfdir}/openldap/slapd.conf.bak
     mkdir -p %{_sysconfdir}/openldap/slapd.d/
     lines=`egrep -n '^(database|backend)' %{_sysconfdir}/openldap/slapd.conf.bak | cut -d: -f1 | head -n 1`
@@ -532,6 +542,8 @@ EOF
     chmod -R u+rwX %{_sysconfdir}/openldap/slapd.d
     rm -f %{_sysconfdir}/openldap/slapd.conf
 	rm -f %{_sharedstatedir}/ldap/__db* %{_sharedstatedir}/ldap/alock
+
+    [ $fresh_install -eq 0 ] && rm -f %{_sysconfdir}/openldap/slapd.conf.bak
 fi
 
 
@@ -588,14 +600,12 @@ fi
 %doc openldap-%{version}/contrib/slapd-modules/smbk5pwd/README.smbk5pwd
 %doc openldap-%{version}/doc/guide/admin/*.html
 %doc openldap-%{version}/doc/guide/admin/*.png
-%attr(0644,root,root) %doc DB_CONFIG.example
 %doc README.schema
 %ghost %config(noreplace) %{_sysconfdir}/pki/tls/certs/slapd.pem
 %attr(0755,root,root) %{_sysconfdir}/rc.d/init.d/slapd
-%attr(0640,root,ldap) %config(noreplace,missingok) %{_sysconfdir}/openldap/slapd.conf
-%attr(0640,root,ldap) %ghost %{_sysconfdir}/openldap/slapd.conf.bak
-%attr(0640,ldap,ldap) %ghost %{_sysconfdir}/openldap/slapd.d
+%attr(0750,ldap,ldap) %dir %config(noreplace) %{_sysconfdir}/openldap/slapd.d
 %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/sysconfig/ldap
+%attr(0755,root,root) %dir %config(noreplace) %{_sysconfdir}/openldap/schema
 %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/openldap/schema/*.schema*
 %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/openldap/schema/*.ldif
 %attr(0755,root,root) %dir %{_sysconfdir}/openldap/schema/redhat
@@ -609,6 +619,11 @@ fi
 %attr(0755,root,root) %{_libdir}/libslapd_db-*.*.so
 %attr(0755,root,root) %dir %{_libdir}/openldap
 %attr(0755,root,root) %{_libdir}/openldap/[^b]*
+%attr(0755,root,root) %dir %{_datadir}/openldap-servers
+%attr(0644,root,root) %{_datadir}/openldap-servers/*
+# obsolete configuration
+%attr(0640,ldap,ldap) %ghost %config(noreplace,missingok) %{_sysconfdir}/openldap/slapd.conf
+%attr(0640,ldap,ldap) %ghost %config(noreplace,missingok) %{_sysconfdir}/openldap/slapd.conf.bak
 
 %files servers-sql
 %defattr(-,root,root)
@@ -639,6 +654,7 @@ fi
 * Tue Jul 20 2010 Jan Vcelak <jvcelak@redhat.com> - 2.4.21-10
 - CVE-2010-0211 openldap: modrdn processing uninitialized pointer free (#605448)
 - CVE-2010-0212 openldap: modrdn processing IA5StringNormalize NULL pointer dereference (#605452)
+- obsolete configuration file moved to /usr/share/openldap-servers (#612602)
 
 * Thu Jul 01 2010 Jan Zeleny <jzeleny@redhat.com> - 2.4.21-9
 - another shot at previous fix