diff --git a/pkgs/servers/ldap/389/default.nix b/pkgs/servers/ldap/389/default.nix
index 4387542e5af0..e445184b9561 100644
--- a/pkgs/servers/ldap/389/default.nix
+++ b/pkgs/servers/ldap/389/default.nix
@@ -1,32 +1,107 @@
-{ lib, stdenv, fetchurl, fetchpatch, autoreconfHook, pkg-config, doxygen, perl, pam, nspr, nss, openldap
-, db, cyrus_sasl, svrcore, icu, net-snmp, libkrb5, pcre, perlPackages, libevent, openssl, python3
+{ stdenv
+, autoreconfHook
+, fetchFromGitHub
+, lib
+
+, bzip2
+, cmocka
+, cracklib
+, cyrus_sasl
+, db
+, doxygen
+, icu
+, libevent
+, libkrb5
+, lm_sensors
+, net-snmp
+, nspr
+, nss
+, openldap
+, openssl
+, pcre
+, perl
+, perlPackages
+, pkg-config
+, python3
+, svrcore
+, zlib
+
+, enablePamPassthru ? true
+, pam
+
+, enableCockpit ? true
+, rsync
+
+, enableDna ? true
+, enableLdapi ? true
+, enableAutobind ? false
+, enableAutoDnSuffix ? false
+, enableBitwise ? true
+, enableAcctPolicy ? true
+, enablePosixWinsync ? true
 }:
 
 stdenv.mkDerivation rec {
   pname = "389-ds-base";
-  version = "1.3.9.1";
+  version = "2.0.5";
 
-  src = fetchurl {
-    url = "https://releases.pagure.org/${pname}/${pname}-${version}.tar.bz2";
-    sha256 = "141iv1phgk1lw74sfjj3v7wy6qs0q56lvclwv2p0hqn1wg8ic4q6";
+  src = fetchFromGitHub {
+    owner = "389ds";
+    repo = pname;
+    rev = "${pname}-${version}";
+    sha256 = "sha256-H0G8py4sB+2CSZKyCIb2TCIXOpnPx7udWUEK4Tg5TD8=";
   };
 
   nativeBuildInputs = [ autoreconfHook pkg-config doxygen ];
-  buildInputs = [
-    perl pam nspr nss openldap db cyrus_sasl svrcore icu
-    net-snmp libkrb5 pcre libevent openssl python3
-  ] ++ (with perlPackages; [ MozillaLdap NetAddrIP DBFile ]);
 
-  patches = [
-    (fetchpatch {
-      name = "389-ds-nss.patch";
-      url = "https://aur.archlinux.org/cgit/aur.git/plain/nss.patch?h=389-ds-base&id=b80ed52cc65ff9b1d72f8ebc54dbd462b12f6be9";
-      sha256 = "07z7jl9z4gzhk3k6qyfn558xl76js8041llyr5n99h20ckkbwagk";
-    })
-  ];
+  buildInputs = [
+    bzip2
+    cracklib
+    cyrus_sasl
+    db
+    icu
+    libevent
+    libkrb5
+    lm_sensors
+    net-snmp
+    nspr
+    nss
+    openldap
+    openssl
+    pcre
+    perl
+    python3
+    svrcore
+    zlib
+
+    # tests
+    cmocka
+    libevent
+
+    # lib389
+    (python3.withPackages (ps: with ps; [
+      setuptools
+      ldap
+      six
+      pyasn1
+      pyasn1-modules
+      dateutil
+      argcomplete
+      libselinux
+    ]))
+
+    # logconv.pl
+    perlPackages.DBFile
+    perlPackages.ArchiveTar
+  ]
+  ++ lib.optional enableCockpit rsync
+  ++ lib.optional enablePamPassthru pam;
+
   postPatch = ''
     substituteInPlace Makefile.am \
       --replace 's,@perlpath\@,$(perldir),g' 's,@perlpath\@,$(perldir) $(PERLPATH),g'
+
+    patchShebangs ./buildnum.py ./ldap/servers/slapd/mkDBErrStrs.py
   '';
 
   preConfigure = ''
@@ -38,21 +113,37 @@ stdenv.mkDerivation rec {
     export PERLPATH
   '';
 
-  configureFlags = [
-    "--sysconfdir=/etc"
-    "--localstatedir=/var"
-    "--with-openldap"
-    "--with-db"
-    "--with-db-inc=${db.dev}/include"
-    "--with-db-lib=${db.out}/lib"
-    "--with-sasl=${cyrus_sasl.dev}"
-    "--with-netsnmp=yes"
-    "--with-netsnmp-inc=${lib.getDev net-snmp}/include"
-    "--with-netsnmp-lib=${lib.getLib net-snmp}/lib"
-  ];
+  configureFlags =
+    let
+      mkEnable = cond: name: if cond then "--enable-${name}" else "--disable-${name}";
+    in
+    [
+      "--enable-cmocka"
+      "--localstatedir=/var"
+      "--sysconfdir=/etc"
+      "--with-db-inc=${db.dev}/include"
+      "--with-db-lib=${db.out}/lib"
+      "--with-db=yes"
+      "--with-netsnmp-inc=${lib.getDev net-snmp}/include"
+      "--with-netsnmp-lib=${lib.getLib net-snmp}/lib"
+      "--with-netsnmp=yes"
+      "--with-openldap"
+
+      "${mkEnable enableCockpit "cockpit"}"
+      "${mkEnable enablePamPassthru "pam-passthru"}"
+      "${mkEnable enableDna "dna"}"
+      "${mkEnable enableLdapi "ldapi"}"
+      "${mkEnable enableAutobind "autobind"}"
+      "${mkEnable enableAutoDnSuffix "auto-dn-suffix"}"
+      "${mkEnable enableBitwise "bitwise"}"
+      "${mkEnable enableAcctPolicy "acctpolicy"}"
+      "${mkEnable enablePosixWinsync "posix-winsync"}"
+    ];
 
   enableParallelBuilding = true;
 
+  doCheck = true;
+
   installFlags = [
     "sysconfdir=${placeholder "out"}/etc"
     "localstatedir=${placeholder "TMPDIR"}"
@@ -65,8 +156,5 @@ stdenv.mkDerivation rec {
     description = "Enterprise-class Open Source LDAP server for Linux";
     license = licenses.gpl3Plus;
     platforms = platforms.linux;
-    knownVulnerabilities = [
-      "CVE-2021-3514" # https://nvd.nist.gov/vuln/detail/CVE-2021-3514
-    ];
   };
 }