diff --git a/0014-ITS-8714-Send-out-EXTENDED-operation-message-from-back-sock.patch b/0014-ITS-8714-Send-out-EXTENDED-operation-message-from-back-sock.patch
new file mode 100644
index 0000000..ceea7ad
--- /dev/null
+++ b/0014-ITS-8714-Send-out-EXTENDED-operation-message-from-back-sock.patch
@@ -0,0 +1,241 @@
+diff --git a/doc/man/man5/slapd-sock.5 b/doc/man/man5/slapd-sock.5
+index 1ac4f7fdd..903155fa4 100644
+--- a/doc/man/man5/slapd-sock.5
++++ b/doc/man/man5/slapd-sock.5
+@@ -49,7 +49,7 @@ be sent and from which replies are received.
+ 
+ When used as an overlay, these additional directives are defined:
+ .TP
+-.B sockops	[ bind | unbind | search | compare | modify | modrdn | add | delete ]*
++.B sockops	[ bind | unbind | search | compare | modify | modrdn | add | delete | extended ]*
+ Specify which request types to send to the external program. The default is
+ empty (no requests are sent).
+ .TP
+@@ -115,6 +115,17 @@ dn: <DN>
+ .PP
+ .RS
+ .nf
++EXTENDED
++msgid: <message id>
++<repeat { "suffix:" <database suffix DN> }>
++oid: <OID>
++value: <base64-value>
++<blank line>
++.fi
++.RE
++.PP
++.RS
++.nf
+ MODIFY
+ msgid: <message id>
+ <repeat { "suffix:" <database suffix DN> }>
+@@ -213,6 +224,11 @@ msgid: <message id>
+ .fi
+ .RE
+ 
++.SH KNOWN LIMITATIONS
++The 
++.B sock 
++backend does not process extended operation results from an external program.
++
+ .SH ACCESS CONTROL
+ The
+ .B sock
+@@ -292,6 +308,11 @@ access to the
+ pseudo_attribute of the searchBase;
+ .B search (=s)
+ access to the attributes and values used in the filter is not checked.
++.LP
++The
++.B extended
++operation does not require any access special rights.
++The external program has to implement any sort of access control.
+ 
+ .SH EXAMPLE
+ There is an example script in the slapd/back\-sock/ directory
+diff --git a/servers/slapd/back-sock/Makefile.in b/servers/slapd/back-sock/Makefile.in
+index 3e527e545..efb916246 100644
+--- a/servers/slapd/back-sock/Makefile.in
++++ b/servers/slapd/back-sock/Makefile.in
+@@ -18,9 +18,9 @@
+ ## in OpenLDAP Software.
+ 
+ SRCS	= init.c config.c opensock.c search.c bind.c unbind.c add.c \
+-		delete.c modify.c modrdn.c compare.c result.c
++		delete.c modify.c modrdn.c compare.c result.c extended.c
+ OBJS	= init.lo config.lo opensock.lo search.lo bind.lo unbind.lo add.lo \
+-		delete.lo modify.lo modrdn.lo compare.lo result.lo
++		delete.lo modify.lo modrdn.lo compare.lo result.lo extended.lo
+ 
+ LDAP_INCDIR= ../../../include       
+ LDAP_LIBDIR= ../../../libraries
+diff --git a/servers/slapd/back-sock/config.c b/servers/slapd/back-sock/config.c
+index dc3f1365c..2dcf68bf6 100644
+--- a/servers/slapd/back-sock/config.c
++++ b/servers/slapd/back-sock/config.c
+@@ -106,6 +106,7 @@ static ConfigOCs osocs[] = {
+ #define SOCK_OP_MODRDN	0x020
+ #define SOCK_OP_ADD		0x040
+ #define SOCK_OP_DELETE	0x080
++#define SOCK_OP_EXTENDED	0x100
+ 
+ #define SOCK_REP_RESULT	0x001
+ #define SOCK_REP_SEARCH	0x002
+@@ -127,6 +128,7 @@ static slap_verbmasks ov_ops[] = {
+ 	{ BER_BVC("modrdn"), SOCK_OP_MODRDN },
+ 	{ BER_BVC("add"), SOCK_OP_ADD },
+ 	{ BER_BVC("delete"), SOCK_OP_DELETE },
++	{ BER_BVC("extended"), SOCK_OP_EXTENDED },
+ 	{ BER_BVNULL, 0 }
+ };
+ 
+@@ -249,7 +251,9 @@ static BI_op_bind *sockfuncs[] = {
+ 	sock_back_modify,
+ 	sock_back_modrdn,
+ 	sock_back_add,
+-	sock_back_delete
++	sock_back_delete,
++	0,                    /* abandon not supported */
++	sock_back_extended
+ };
+ 
+ static const int sockopflags[] = {
+@@ -260,7 +264,9 @@ static const int sockopflags[] = {
+ 	SOCK_OP_MODIFY,
+ 	SOCK_OP_MODRDN,
+ 	SOCK_OP_ADD,
+-	SOCK_OP_DELETE
++	SOCK_OP_DELETE,
++	0,                    /* abandon not supported */
++	SOCK_OP_EXTENDED
+ };
+ 
+ static int sock_over_op(
+@@ -283,6 +289,7 @@ static int sock_over_op(
+ 	case LDAP_REQ_MODRDN:	which = op_modrdn; break;
+ 	case LDAP_REQ_ADD:	which = op_add; break;
+ 	case LDAP_REQ_DELETE:	which = op_delete; break;
++	case LDAP_REQ_EXTENDED:	which = op_extended; break;
+ 	default:
+ 		return SLAP_CB_CONTINUE;
+ 	}
+@@ -365,6 +372,7 @@ sock_over_setup()
+ 	sockover.on_bi.bi_op_modrdn = sock_over_op;
+ 	sockover.on_bi.bi_op_add = sock_over_op;
+ 	sockover.on_bi.bi_op_delete = sock_over_op;
++	sockover.on_bi.bi_extended = sock_over_op;
+ 	sockover.on_response = sock_over_response;
+ 
+ 	sockover.on_bi.bi_cf_ocs = osocs;
+diff --git a/servers/slapd/back-sock/extended.c b/servers/slapd/back-sock/extended.c
+new file mode 100644
+index 000000000..dfe56b32b
+--- /dev/null
++++ b/servers/slapd/back-sock/extended.c
+@@ -0,0 +1,80 @@
++/* extended.c - sock backend extended routines */
++/* $OpenLDAP$ */
++/* This work is part of OpenLDAP Software <http://www.openldap.org/>.
++ *
++ * Copyright 2000-2017 The OpenLDAP Foundation.
++ * All rights reserved.
++ *
++ * Redistribution and use in source and binary forms, with or without
++ * modification, are permitted only as authorized by the OpenLDAP
++ * Public License.
++ *
++ * A copy of this license is available in the file LICENSE in the
++ * top-level directory of the distribution or, alternatively, at
++ * <http://www.OpenLDAP.org/license.html>.
++ */
++
++#include "portable.h"
++
++#include <stdio.h>
++#include <ac/string.h>
++
++#include "slap.h"
++#include "back-sock.h"
++
++#include "lutil.h"
++
++int
++sock_back_extended( Operation *op, SlapReply *rs )
++{
++	int			rc;
++	struct	sockinfo	*si = (struct sockinfo *) op->o_bd->be_private;
++	FILE		*fp;
++	struct berval b64;
++
++	Debug( LDAP_DEBUG_ARGS, "==> sock_back_extended(%s)\n",
++		op->ore_reqoid.bv_val, op->o_req_dn.bv_val, 0 );
++
++	if ( (fp = opensock( si->si_sockpath )) == NULL ) {
++		send_ldap_error( op, rs, LDAP_OTHER,
++			"could not open socket" );
++		return( -1 );
++	}
++
++	/* write out the request to the extended process */
++	fprintf( fp, "EXTENDED\n" );
++	fprintf( fp, "msgid: %ld\n", (long) op->o_msgid );
++	sock_print_conn( fp, op->o_conn, si );
++	sock_print_suffixes( fp, op->o_bd );
++	fprintf( fp, "oid: %s\n", op->ore_reqoid.bv_val );
++
++  if (op->ore_reqdata) {
++
++		b64.bv_len = LUTIL_BASE64_ENCODE_LEN( op->ore_reqdata->bv_len ) + 1;
++		b64.bv_val = ber_memalloc( b64.bv_len + 1 );
++
++		if( b64.bv_val == NULL ) {
++			return LUTIL_PASSWD_ERR;
++		}
++
++		rc = lutil_b64_ntop(
++			(unsigned char *) op->ore_reqdata->bv_val, op->ore_reqdata->bv_len,
++			b64.bv_val, b64.bv_len );
++
++		b64.bv_len = rc;
++		assert( strlen(b64.bv_val) == b64.bv_len );
++
++		fprintf( fp, "value: %s\n", b64.bv_val );
++
++		ber_memfree( b64.bv_val );
++
++	}
++
++	fprintf( fp, "\n" );
++
++	/* read in the results and send them along */
++	rc = sock_read_and_send_results( op, rs, fp );
++	fclose( fp );
++
++	return( rc );
++}
+diff --git a/servers/slapd/back-sock/init.c b/servers/slapd/back-sock/init.c
+index dcfe61a44..92e68782f 100644
+--- a/servers/slapd/back-sock/init.c
++++ b/servers/slapd/back-sock/init.c
+@@ -53,7 +53,7 @@ sock_back_initialize(
+ 	bi->bi_op_delete = sock_back_delete;
+ 	bi->bi_op_abandon = 0;
+ 
+-	bi->bi_extended = 0;
++	bi->bi_extended = sock_back_extended;
+ 
+ 	bi->bi_chk_referrals = 0;
+ 
+diff --git a/servers/slapd/back-sock/proto-sock.h b/servers/slapd/back-sock/proto-sock.h
+index fa02ab896..8b3b5f3ef 100644
+--- a/servers/slapd/back-sock/proto-sock.h
++++ b/servers/slapd/back-sock/proto-sock.h
+@@ -40,6 +40,8 @@ extern BI_op_modrdn	sock_back_modrdn;
+ extern BI_op_add	sock_back_add;
+ extern BI_op_delete	sock_back_delete;
+ 
++extern BI_op_extended	sock_back_extended;
++
+ extern int sock_back_init_cf( BackendInfo *bi );
+ 
+ LDAP_END_DECL
diff --git a/openldap2.changes b/openldap2.changes
index 14496ba..e6be3c6 100644
--- a/openldap2.changes
+++ b/openldap2.changes
@@ -1,3 +1,14 @@
+-------------------------------------------------------------------
+Wed Sep  6 07:58:06 UTC 2017 - michael@stroeder.com
+
+- updated 0014-ITS-8714-Send-out-EXTENDED-operation-message-from-back-sock.patch
+
+-------------------------------------------------------------------
+Fri Aug 18 17:00:54 UTC 2017 - michael@stroeder.com
+
+- Added OpenLDAP new feature implementing OpenLDAP ITS#8714
+  0014-ITS-8714-Send-out-EXTENDED-operation-message-from-back-sock.patch
+
 -------------------------------------------------------------------
 Thu Jul 20 14:19:47 UTC 2017 - michael@stroeder.com
 
diff --git a/openldap2.spec b/openldap2.spec
index 0f9c263..0349fc1 100644
--- a/openldap2.spec
+++ b/openldap2.spec
@@ -58,6 +58,7 @@ Patch8:         0008-In-monitor-backend-do-not-return-Connection0-entries.patch
 Patch9:         0009-Fix-ldap-host-lookup-ipv6.patch
 Patch11:        0011-openldap-re24-its7796.patch
 Patch13:        0013-ITS-8692-let-back-sock-generate-increment-line.patch
+Patch14:        0014-ITS-8714-Send-out-EXTENDED-operation-message-from-back-sock.patch
 Source200:      %{name_ppolicy_check_module}-%{version_ppolicy_check_module}.tar.gz
 Source201:      %{name_ppolicy_check_module}.Makefile
 Source202:      %{name_ppolicy_check_module}.conf
@@ -251,6 +252,7 @@ gzip -k %{S:203}
 %patch9 -p1
 %patch11 -p1
 %patch13 -p1
+%patch14 -p1
 cp %{SOURCE5} .
 
 # Move ppolicy check module and its Makefile into openldap-2.4/contrib/slapd-modules/