summaryrefslogtreecommitdiff
path: root/sys-auth
diff options
context:
space:
mode:
authorV3n3RiX <venerix@koprulu.sector>2023-09-06 10:25:44 +0100
committerV3n3RiX <venerix@koprulu.sector>2023-09-06 10:25:44 +0100
commit64b277f858d171900cba8a53e675ef8c3ff893fc (patch)
tree7a19533ece87b58d4bbcc04d91701aaf888b0d99 /sys-auth
parentededf7351b15c0df4d166af8fc7928bd1a0b2c8e (diff)
gentoo auto-resync : 06:09:2023 - 10:25:44
Diffstat (limited to 'sys-auth')
-rw-r--r--sys-auth/Manifest.gzbin9260 -> 9264 bytes
-rw-r--r--sys-auth/sssd/Manifest9
-rw-r--r--sys-auth/sssd/files/sssd-2.8.2-krb5_pw_locked.patch12
-rw-r--r--sys-auth/sssd/files/sssd-2.9.1-BUILD-Accept-krb5-1.21-for-building-the-PAC-plugin.patch31
-rw-r--r--sys-auth/sssd/files/sssd-2.9.1-certmap-fix-partial-string-comparison.patch87
-rw-r--r--sys-auth/sssd/files/sssd-2.9.1-conditional-python-install.patch19
-rw-r--r--sys-auth/sssd/files/sssd-2.9.1-sssct-allow-cert-show-and-cert-eval-rule-as-non-root.patch39
-rw-r--r--sys-auth/sssd/metadata.xml10
-rw-r--r--sys-auth/sssd/sssd-2.9.1.ebuild330
9 files changed, 536 insertions, 1 deletions
diff --git a/sys-auth/Manifest.gz b/sys-auth/Manifest.gz
index bdf0512f6a6e..38031f43f2d8 100644
--- a/sys-auth/Manifest.gz
+++ b/sys-auth/Manifest.gz
Binary files differ
diff --git a/sys-auth/sssd/Manifest b/sys-auth/sssd/Manifest
index a8253201d472..4856953cbae4 100644
--- a/sys-auth/sssd/Manifest
+++ b/sys-auth/sssd/Manifest
@@ -1,5 +1,12 @@
AUX sssd-2.6.0-conditional-python-install.patch 418 BLAKE2B 47f3653982c551bc99d547daa998422a94fac132b3c6ce5a9db9ae64ef3d7426b3ded0426d969ad7eef27b942985404d413cc415332b0bd83acdf7f2c9adbad2 SHA512 12ba5a0adb8bc9227216e7f3ebe5805917d155b9064d13becdfb40555d416892c7d101f208bde75a87f4b70862f3dcdc242ee3f1593ebd452fcefba6c5b47a1c
+AUX sssd-2.8.2-krb5_pw_locked.patch 453 BLAKE2B 7aed1dd32f0743381b704444ac36dcffa76535d58cd39d307d370290b9b5ad634ef9b90f4d076c7b91b41113792b0d24cf04b63bcd1e1220aa3e790f9c9a23c0 SHA512 e3c210032d6f65ebffa14aa7c398ca929b7bb17d9aa9ef30c2a1522311bc0bf278214d008d7dbac47e8565245b35e00f7143f5c7d0d24f99d64a92486ec50e45
+AUX sssd-2.9.1-BUILD-Accept-krb5-1.21-for-building-the-PAC-plugin.patch 1104 BLAKE2B ef4f781ed437183147bc9fb657d830e510fbde21b92a0edc577ae407ac6384e5a5b936bc4b065ad6c7676180b0d3e84c9e0df3894744a10bd282874d04f88f05 SHA512 8f0d4bb5ed403c122d392cf98c7a37d9ecd8eb63b7dc190d5349747ff656c5618b42c0b0b64db1c6a51847e80cf007e96f1ce2d295407c32848861aab2bb1103
+AUX sssd-2.9.1-certmap-fix-partial-string-comparison.patch 3182 BLAKE2B 1e4a41d82fcf7654d5f8ec6f1c41e47b28f05faefd3e14cf5861c198d1efbae8b87ec0e3a5a9eef037b7a69ad59b8291e8238a81d18a1fda14afcbd49f06471e SHA512 ed2ba0f0cdc2aea524f73d1aa73ae14a7c535b12e511c29042c23c34a801b004ed19609c351ea587254fa9c18e1ad527fb77cc997b8e7d82704da17c503c87a9
+AUX sssd-2.9.1-conditional-python-install.patch 533 BLAKE2B ce076e4e00bd1b3e8a18427fde385b6a65fbbc65f28a542f575d3b77b8e7d277ebc829a7d43fdbced51475b69553de4fd6e564d52d06c6a83edcae7fa8a2a53a SHA512 4348577c16ab96717e0b92dcae00e955e76e9be6c58a6f6c4435f2315c8393336396e7a0ccdd05f50b97233a956ef674fd64589780500159748ac47c65edb623
+AUX sssd-2.9.1-sssct-allow-cert-show-and-cert-eval-rule-as-non-root.patch 2137 BLAKE2B 58207d28ab800ae880aa7df1ac90055a9750bef31dcdef2a1152c0108797f82419aa3d26b6ab645e52449cff507f946e750ed261cf767b7181217dd979160bec SHA512 ca2794f7484b1b845184acbcb68dfa09dc582e0f6bd9a15b6c9929027414eb6a7fac7b77ba83585c12924dc9c70c3875e43dd6a71d4f83bc7aabef2506685f54
AUX sssd.conf 124 BLAKE2B b6f9c016a014510f97b036d23d5f50e1e13085220fe82b0e6ef7a3ceeb114e59af935f39e66e4ad60a46f43983930e5d381b16b0ed31ba4349abe38c4b509367 SHA512 f16908c44b213edbf6b0c6e8d49df92e8c06fc623279037074fe51e49b8aca7dc18f5ed83f71909fc8209df80dfc150583edb1687f88e61588bdf9d1fbf6ed5a
DIST sssd-2.6.0.tar.gz 7440969 BLAKE2B 6b05fcea09ef10a5b2f373dc6a66032edc4c4f46f65f42fdc9ffb5b676025095e16de4a86b3088351c22746e062829d1d68fa7e960cccb7c5a77d960e6d38e2a SHA512 0b9e169424cbadfa6132a3e5e9789facf82f04cce94cb5344b8ff49370ae8817c2cb16cf21caddf6a7cd42e661d5ff5bf97843d79681683aacff0053ff93f64b
+DIST sssd-2.9.1.tar.gz 7943540 BLAKE2B 9113b63d54beb40ba85c5b5c75068197317b3b8088119cf6557c6b4aed113d2d67f0bc64fc68fb34f4dbef54cccdb8b32ef44112115930751fdec5ec92e0a09b SHA512 eb7345dcfbbd51f005f67ee5032364d369d24589111ded60701e2dbe09563f0b862d343f231dd2e9d548acd8c560a036c8b88a0601f9aa048a7202da8202cd9b
EBUILD sssd-2.6.0-r2.ebuild 7490 BLAKE2B 0ea58c35d8d257197510b7be61b960729d00ce48388d22ae47e9ab625cd80adb89dcc3b24ba8a75e38866e2c3b7548b995d5ec8f9e9fb2fd143a104cacc50c66 SHA512 5c78c5a8d3fdc6be8c8d80a8809263c839f008ce0befc40673d7519cc50c425967ef80a33ba27be116964085246a6d33382e0a917a64147044d6a08d9f894d38
-MISC metadata.xml 984 BLAKE2B 504d2c1331e380de9fb6a566bffad9be3e6ee92a00d74c387764b059be68d26482be30e2b8da6e24e509c2aabcd101916f379f9bff3b5915273d8e726b3f3e98 SHA512 1e1bf2afd3faff736673ae73971254a77e3c2051b1413347fbda0d5ab12999c1b88a7d0f1fa92e328029dc78aa2e743b3e9c5aed110a2ffc6350a5cd24c93fa2
+EBUILD sssd-2.9.1.ebuild 8471 BLAKE2B 82be5ed9f0eb38ca24a34545c4bcede05dc8a51608f5fedc46d30bafdb381122693cb1540d56d5ea8820d1c7185133608d340eb709cb3cc31fbbd9851f2f0d19 SHA512 efd7997e4e1faf119ba6d40a9e2e1a555bf72fb6416a3c6ccd4175842ebdc5bbf9101c55cdf552b17ccea02d0b4c669da4d4ae2fa5119f3c1780d8cb88e08ce4
+MISC metadata.xml 1412 BLAKE2B e5a565890defc1f33790851bb52a750107ca9348660f47ec735784140f51c13203acce4cda53355b858669822cbb50683615224f893570f443e84f4aa8f84057 SHA512 26c210ab796fd63e5bcd2f8563002f5f48796cd0241631e56fcc5c9aba0afc94334665768f1c89b25ef28830c88bfd9cf24dff5e9df16efe330b377348f9a314
diff --git a/sys-auth/sssd/files/sssd-2.8.2-krb5_pw_locked.patch b/sys-auth/sssd/files/sssd-2.8.2-krb5_pw_locked.patch
new file mode 100644
index 000000000000..a8bd397cd063
--- /dev/null
+++ b/sys-auth/sssd/files/sssd-2.8.2-krb5_pw_locked.patch
@@ -0,0 +1,12 @@
+diff --git a/src/providers/krb5/krb5_auth.c b/src/providers/krb5/krb5_auth.c
+index a1c0b36..207c010 100644
+--- a/src/providers/krb5/krb5_auth.c
++++ b/src/providers/krb5/krb5_auth.c
+@@ -1037,6 +1037,7 @@ static void krb5_auth_done(struct tevent_req *subreq)
+ case ERR_ACCOUNT_LOCKED:
+ state->pam_status = PAM_PERM_DENIED;
+ state->dp_err = DP_ERR_OK;
++ state->pd->account_locked = true;
+ ret = EOK;
+ goto done;
+
diff --git a/sys-auth/sssd/files/sssd-2.9.1-BUILD-Accept-krb5-1.21-for-building-the-PAC-plugin.patch b/sys-auth/sssd/files/sssd-2.9.1-BUILD-Accept-krb5-1.21-for-building-the-PAC-plugin.patch
new file mode 100644
index 000000000000..c849fe76b446
--- /dev/null
+++ b/sys-auth/sssd/files/sssd-2.9.1-BUILD-Accept-krb5-1.21-for-building-the-PAC-plugin.patch
@@ -0,0 +1,31 @@
+From 74d0f4538deb766592079b1abca0d949d6dea105 Mon Sep 17 00:00:00 2001
+From: Alexey Tikhonov <atikhono@redhat.com>
+Date: Thu, 15 Jun 2023 12:05:03 +0200
+Subject: [PATCH 1/1] BUILD: Accept krb5 1.21 for building the PAC plugin
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Reviewed-by: Alejandro López <allopez@redhat.com>
+Reviewed-by: Sumit Bose <sbose@redhat.com>
+---
+ src/external/pac_responder.m4 | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/src/external/pac_responder.m4 b/src/external/pac_responder.m4
+index 3cbe3c9cfba03b59e26a8c5c2d73446eead2acea..90727185b574411bddd928f8d87efdc87076eba4 100644
+--- a/src/external/pac_responder.m4
++++ b/src/external/pac_responder.m4
+@@ -22,7 +22,8 @@ then
+ Kerberos\ 5\ release\ 1.17* | \
+ Kerberos\ 5\ release\ 1.18* | \
+ Kerberos\ 5\ release\ 1.19* | \
+- Kerberos\ 5\ release\ 1.20*)
++ Kerberos\ 5\ release\ 1.20* | \
++ Kerberos\ 5\ release\ 1.21*)
+ krb5_version_ok=yes
+ AC_MSG_RESULT([yes])
+ ;;
+--
+2.41.0
+
diff --git a/sys-auth/sssd/files/sssd-2.9.1-certmap-fix-partial-string-comparison.patch b/sys-auth/sssd/files/sssd-2.9.1-certmap-fix-partial-string-comparison.patch
new file mode 100644
index 000000000000..258940bab38e
--- /dev/null
+++ b/sys-auth/sssd/files/sssd-2.9.1-certmap-fix-partial-string-comparison.patch
@@ -0,0 +1,87 @@
+From 11afa7a6ef7e15f1e98c7145ad5c80bbdfc520e2 Mon Sep 17 00:00:00 2001
+From: Sumit Bose <sbose@redhat.com>
+Date: Tue, 4 Jul 2023 19:06:27 +0200
+Subject: [PATCH 3/3] certmap: fix partial string comparison
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+If the formatting option of the certificate digest/hash function
+contained and additional specifier separated with a '_' the comparison
+of the provided digest name and the available ones was incomplete, the
+last character was ignored and the comparison was successful if even if
+there was only a partial match.
+
+Resolves: https://github.com/SSSD/sssd/issues/6802
+
+Reviewed-by: Alejandro López <allopez@redhat.com>
+Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
+(cherry picked from commit 0817ca3b366f51510705ab77d7900c0b65b7d2fc)
+---
+ src/lib/certmap/sss_certmap_ldap_mapping.c | 9 ++++++++-
+ src/tests/cmocka/test_certmap.c | 22 ++++++++++++++++++++++
+ 2 files changed, 30 insertions(+), 1 deletion(-)
+
+diff --git a/src/lib/certmap/sss_certmap_ldap_mapping.c b/src/lib/certmap/sss_certmap_ldap_mapping.c
+index 2f16837a1..354b0310b 100644
+--- a/src/lib/certmap/sss_certmap_ldap_mapping.c
++++ b/src/lib/certmap/sss_certmap_ldap_mapping.c
+@@ -228,14 +228,21 @@ int check_digest_conversion(const char *inp, const char **digest_list,
+ bool colon = false;
+ bool reverse = false;
+ char *c;
++ size_t len = 0;
+
+ sep = strchr(inp, '_');
++ if (sep != NULL) {
++ len = sep - inp;
++ }
+
+ for (d = 0; digest_list[d] != NULL; d++) {
+ if (sep == NULL) {
+ cmp = strcasecmp(digest_list[d], inp);
+ } else {
+- cmp = strncasecmp(digest_list[d], inp, (sep - inp -1));
++ if (strlen(digest_list[d]) != len) {
++ continue;
++ }
++ cmp = strncasecmp(digest_list[d], inp, len);
+ }
+
+ if (cmp == 0) {
+diff --git a/src/tests/cmocka/test_certmap.c b/src/tests/cmocka/test_certmap.c
+index da312beaf..a15984d60 100644
+--- a/src/tests/cmocka/test_certmap.c
++++ b/src/tests/cmocka/test_certmap.c
+@@ -2183,6 +2183,28 @@ static void test_sss_certmap_ldapu1_cert(void **state)
+ assert_non_null(ctx);
+ assert_null(ctx->prio_list);
+
++ /* cert!sha */
++ ret = sss_certmap_add_rule(ctx, 91,
++ "KRB5:<ISSUER>.*",
++ "LDAP:rule91={cert!sha}", NULL);
++ assert_int_equal(ret, EINVAL);
++
++ ret = sss_certmap_add_rule(ctx, 91,
++ "KRB5:<ISSUER>.*",
++ "LDAPU1:rule91={cert!sha}", NULL);
++ assert_int_equal(ret, EINVAL);
++
++ /* cert!sha_u */
++ ret = sss_certmap_add_rule(ctx, 90,
++ "KRB5:<ISSUER>.*",
++ "LDAP:rule90={cert!sha_u}", NULL);
++ assert_int_equal(ret, EINVAL);
++
++ ret = sss_certmap_add_rule(ctx, 99,
++ "KRB5:<ISSUER>.*",
++ "LDAPU1:rule90={cert!sha_u}", NULL);
++ assert_int_equal(ret, EINVAL);
++
+ /* cert!sha555 */
+ ret = sss_certmap_add_rule(ctx, 89,
+ "KRB5:<ISSUER>.*",
+--
+2.38.1
+
diff --git a/sys-auth/sssd/files/sssd-2.9.1-conditional-python-install.patch b/sys-auth/sssd/files/sssd-2.9.1-conditional-python-install.patch
new file mode 100644
index 000000000000..de46b96c82f9
--- /dev/null
+++ b/sys-auth/sssd/files/sssd-2.9.1-conditional-python-install.patch
@@ -0,0 +1,19 @@
+diff --git a/src/tools/analyzer/Makefile.am b/src/tools/analyzer/Makefile.am
+index b40043d04..dce6b9d36 100644
+--- a/src/tools/analyzer/Makefile.am
++++ b/src/tools/analyzer/Makefile.am
+@@ -5,7 +5,9 @@ dist_sss_analyze_python_SCRIPTS = \
+ $(NULL)
+
+ pkgpythondir = $(python3dir)/sssd
++modulesdir = $(pkgpythondir)/modules
+
++if BUILD_PYTHON_BINDINGS
+ dist_pkgpython_DATA = \
+ __init__.py \
+ source_files.py \
+@@ -20,3 +22,4 @@ dist_modules_DATA = \
+ modules/__init__.py \
+ modules/request.py \
+ $(NULL)
++endif
diff --git a/sys-auth/sssd/files/sssd-2.9.1-sssct-allow-cert-show-and-cert-eval-rule-as-non-root.patch b/sys-auth/sssd/files/sssd-2.9.1-sssct-allow-cert-show-and-cert-eval-rule-as-non-root.patch
new file mode 100644
index 000000000000..3a724363382b
--- /dev/null
+++ b/sys-auth/sssd/files/sssd-2.9.1-sssct-allow-cert-show-and-cert-eval-rule-as-non-root.patch
@@ -0,0 +1,39 @@
+From 15d7d34b20219e2fd45c43881088f5d542e9603e Mon Sep 17 00:00:00 2001
+From: Sumit Bose <sbose@redhat.com>
+Date: Tue, 4 Jul 2023 18:56:35 +0200
+Subject: [PATCH 2/3] sssct: allow cert-show and cert-eval-rule as non-root
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The cert-show and cert-eval-rule sub-commands do not need root access and
+do not require SSSD to be configured on the host.
+
+Resolves: https://github.com/SSSD/sssd/issues/6802
+
+Reviewed-by: Alejandro López <allopez@redhat.com>
+Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
+(cherry picked from commit 8466f0e4d0c6cd2b98d2789970847b9adc01d7d4)
+---
+ src/tools/sssctl/sssctl.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/tools/sssctl/sssctl.c b/src/tools/sssctl/sssctl.c
+index 855260aed..04c41aa9a 100644
+--- a/src/tools/sssctl/sssctl.c
++++ b/src/tools/sssctl/sssctl.c
+@@ -340,9 +340,9 @@ int main(int argc, const char **argv)
+ SSS_TOOL_COMMAND_FLAGS("config-check", "Perform static analysis of SSSD configuration", 0, sssctl_config_check, SSS_TOOL_FLAG_SKIP_CMD_INIT),
+ #endif
+ SSS_TOOL_DELIMITER("Certificate related tools:"),
+- SSS_TOOL_COMMAND("cert-show", "Print information about the certificate", 0, sssctl_cert_show),
++ SSS_TOOL_COMMAND_FLAGS("cert-show", "Print information about the certificate", 0, sssctl_cert_show, SSS_TOOL_FLAG_SKIP_CMD_INIT|SSS_TOOL_FLAG_SKIP_ROOT_CHECK),
+ SSS_TOOL_COMMAND("cert-map", "Show users mapped to the certificate", 0, sssctl_cert_map),
+- SSS_TOOL_COMMAND("cert-eval-rule", "Check mapping and matching rule with a certificate", 0, sssctl_cert_eval_rule),
++ SSS_TOOL_COMMAND_FLAGS("cert-eval-rule", "Check mapping and matching rule with a certificate", 0, sssctl_cert_eval_rule, SSS_TOOL_FLAG_SKIP_CMD_INIT|SSS_TOOL_FLAG_SKIP_ROOT_CHECK),
+ #ifdef BUILD_PASSKEY
+ SSS_TOOL_DELIMITER("Passkey related tools:"),
+ SSS_TOOL_COMMAND_FLAGS("passkey-register", "Perform passkey registration", 0, sssctl_passkey_register, SSS_TOOL_FLAG_SKIP_CMD_INIT|SSS_TOOL_FLAG_SKIP_ROOT_CHECK),
+--
+2.38.1
+
diff --git a/sys-auth/sssd/metadata.xml b/sys-auth/sssd/metadata.xml
index 36a8e6c631a2..628b459ea0a0 100644
--- a/sys-auth/sssd/metadata.xml
+++ b/sys-auth/sssd/metadata.xml
@@ -5,12 +5,22 @@
<email>base-system@gentoo.org</email>
<name>Gentoo Base System</name>
</maintainer>
+ <maintainer type="person" proxied="yes">
+ <email>salah.coronya@gmail.com</email>
+ <name>Christopher Byrne</name>
+ </maintainer>
+ <maintainer type="project" proxied="proxy">
+ <email>proxy-maint@gentoo.org</email>
+ <name>Proxy Maintainers</name>
+ </maintainer>
<use>
<flag name="acl"> Build and use the cifsidmap plugin</flag>
<flag name="locator">Install sssd's Kerberos plugin</flag>
<flag name="netlink">Add support for netlink protocol via <pkg>dev-libs/libnl</pkg></flag>
<flag name="nfsv4">Add support for the nfsv4 idmapd plugin provided by <pkg>net-fs/nfs-utils</pkg></flag>
<flag name="pac">Add Privileged Attribute Certificate Support for Kerberos</flag>
+ <flag name="samba">Add Privileged Attribute Certificate Support for Kerberos</flag>
+ <flag name="subid">Support subordinate uid and gid ranges in FreeIPA</flag>
<flag name="sudo">Build helper to let <pkg>app-admin/sudo</pkg> use sssd provided information</flag>
<flag name="systemtap">Enable SystemTAP/DTrace tracing</flag>
</use>
diff --git a/sys-auth/sssd/sssd-2.9.1.ebuild b/sys-auth/sssd/sssd-2.9.1.ebuild
new file mode 100644
index 000000000000..bebb882e63fa
--- /dev/null
+++ b/sys-auth/sssd/sssd-2.9.1.ebuild
@@ -0,0 +1,330 @@
+# Copyright 1999-2023 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+
+PLOCALES="ca de es fr ja ko pt_BR ru sv tr uk"
+PLOCALES_BIN="${PLOCALES} bg cs eu fi hu id it ka nb nl pl pt tg zh_TW zh_CN"
+PLOCALE_BACKUP="sv"
+PYTHON_COMPAT=( python3_{10..12} )
+
+inherit autotools linux-info multilib-minimal optfeature plocale \
+ python-single-r1 pam systemd toolchain-funcs
+
+DESCRIPTION="System Security Services Daemon provides access to identity and authentication"
+HOMEPAGE="https://github.com/SSSD/sssd"
+if [[ ${PV} != 9999 ]]; then
+ SRC_URI="https://github.com/SSSD/sssd/releases/download/${PV}/${P}.tar.gz"
+else
+ inherit git-r3
+ EGIT_REPO_URI="https://github.com/SSSD/sssd.git"
+ EGIT_BRANCH="master"
+fi
+
+LICENSE="GPL-3"
+SLOT="0"
+KEYWORDS="~amd64 ~arm ~arm64 ~hppa ~m68k ~mips ~ppc ~ppc64 ~riscv ~sparc ~x86"
+IUSE="acl doc +netlink nfsv4 nls +man python samba selinux subid sudo systemd systemtap test"
+REQUIRED_USE="
+ python? ( ${PYTHON_REQUIRED_USE} )
+ test? ( sudo )"
+RESTRICT="!test? ( test )"
+
+DEPEND="
+ >=app-crypt/mit-krb5-1.19.1[${MULTILIB_USEDEP}]
+ app-crypt/p11-kit
+ >=dev-libs/ding-libs-0.2
+ >=dev-libs/cyrus-sasl-2.1.25-r3[kerberos]
+ dev-libs/jansson:=
+ dev-libs/libpcre2:=
+ dev-libs/libunistring:=
+ >=dev-libs/popt-1.16
+ >=dev-libs/openssl-1.0.2:=
+ >=net-dns/bind-tools-9.9[gssapi]
+ >=net-dns/c-ares-1.10.0-r1:=[${MULTILIB_USEDEP}]
+ >=net-nds/openldap-2.4.30:=[sasl,experimental]
+ >=sys-apps/dbus-1.6
+ >=sys-apps/keyutils-1.5:=
+ >=sys-libs/pam-0-r1[${MULTILIB_USEDEP}]
+ >=sys-libs/talloc-2.0.7
+ >=sys-libs/tdb-1.2.9
+ >=sys-libs/tevent-0.9.16
+ >=sys-libs/ldb-1.1.17-r1:=
+ virtual/libintl
+ acl? ( net-fs/cifs-utils[acl] )
+ netlink? ( dev-libs/libnl:3 )
+ nfsv4? ( >=net-fs/nfs-utils-2.3.1-r2 )
+ nls? ( >=sys-devel/gettext-0.18 )
+ python? (
+ ${PYTHON_DEPS}
+ systemd? (
+ $(python_gen_cond_dep '
+ dev-python/python-systemd[${PYTHON_USEDEP}]
+ ')
+ )
+ )
+ samba? ( >=net-fs/samba-4.10.2[winbind] )
+ selinux? (
+ >=sys-libs/libselinux-2.1.9
+ >=sys-libs/libsemanage-2.1
+ )
+ subid? ( >=sys-apps/shadow-4.9 )
+ systemd? (
+ sys-apps/systemd:=
+ sys-apps/util-linux
+ )
+ systemtap? ( dev-util/systemtap )"
+RDEPEND="${DEPEND}
+ selinux? ( >=sec-policy/selinux-sssd-2.20120725-r9 )"
+BDEPEND="
+ virtual/pkgconfig
+ ${PYTHON_DEPS}
+ doc? ( app-doc/doxygen )
+ man? (
+ app-text/docbook-xml-dtd:4.4
+ >=dev-libs/libxslt-1.1.26
+ nls? ( app-text/po4a )
+ )
+ nls? ( sys-devel/gettext )
+ test? (
+ dev-libs/check
+ dev-libs/softhsm:2
+ dev-util/cmocka
+ net-libs/gnutls[pkcs11,tools]
+ sys-libs/libfaketime
+ sys-libs/nss_wrapper
+ sys-libs/pam_wrapper
+ sys-libs/uid_wrapper
+ )
+"
+
+CONFIG_CHECK="~KEYS"
+
+PATCHES=(
+ "${FILESDIR}/${PN}-2.8.2-krb5_pw_locked.patch"
+ "${FILESDIR}/${PN}-2.9.1-BUILD-Accept-krb5-1.21-for-building-the-PAC-plugin.patch"
+ "${FILESDIR}/${PN}-2.9.1-certmap-fix-partial-string-comparison.patch"
+ "${FILESDIR}/${PN}-2.9.1-sssct-allow-cert-show-and-cert-eval-rule-as-non-root.patch"
+ "${FILESDIR}/${PN}-2.9.1-conditional-python-install.patch"
+)
+
+MULTILIB_WRAPPED_HEADERS=(
+ /usr/include/ipa_hbac.h
+ /usr/include/sss_idmap.h
+ /usr/include/sss_nss_idmap.h
+ # --with-ifp
+ /usr/include/sss_sifp.h
+ /usr/include/sss_sifp_dbus.h
+ # from 1.15.3
+ /usr/include/sss_certmap.h
+)
+
+pkg_setup() {
+ linux-info_pkg_setup
+ python-single-r1_pkg_setup
+}
+
+src_prepare() {
+ default
+
+ plocale_get_locales > src/man/po/LINGUAS || die
+
+ sed -i \
+ -e "/_langs]/ s/ .*//" \
+ src/man/po/po4a.cfg \
+ || die
+ enable_locale() {
+ local locale=${1}
+
+ sed -i \
+ -e "/_langs]/ s/$/ ${locale}/" \
+ src/man/po/po4a.cfg \
+ || die
+ }
+
+ plocale_for_each_locale enable_locale
+
+ PLOCALES="${PLOCALES_BIN}"
+ plocale_get_locales > po/LINGUAS || die
+
+ sed -i \
+ -e 's:/var/run:/run:' \
+ src/examples/logrotate \
+ || die
+
+ # disable flaky test, see https://github.com/SSSD/sssd/issues/5631
+ sed -i \
+ -e '/^\s*pam-srv-tests[ \\]*$/d' \
+ Makefile.am \
+ || die
+
+ eautoreconf
+
+ multilib_copy_sources
+}
+
+src_configure() {
+ local native_dbus_cflags=$($(tc-getPKG_CONFIG) --cflags dbus-1 || die)
+
+ multilib-minimal_src_configure
+}
+
+multilib_src_configure() {
+ local myconf=()
+
+ myconf+=(
+ --libexecdir="${EPREFIX}"/usr/libexec
+ --localstatedir="${EPREFIX}"/var
+ --runstatedir="${EPREFIX}"/run
+ --sbindir="${EPREFIX}"/usr/sbin
+ --with-pid-path="${EPREFIX}"/run
+ --with-plugin-path="${EPREFIX}"/usr/$(get_libdir)/sssd
+ --enable-pammoddir="${EPREFIX}"/$(getpam_mod_dir)
+ --with-ldb-lib-dir="${EPREFIX}"/usr/$(get_libdir)/samba/ldb
+ --with-db-path="${EPREFIX}"/var/lib/sss/db
+ --with-gpo-cache-path="${EPREFIX}"/var/lib/sss/gpo_cache
+ --with-pubconf-path="${EPREFIX}"/var/lib/sss/pubconf
+ --with-pipe-path="${EPREFIX}"/var/lib/sss/pipes
+ --with-mcache-path="${EPREFIX}"/var/lib/sss/mc
+ --with-secrets-db-path="${EPREFIX}"/var/lib/sss/secrets
+ --with-log-path="${EPREFIX}"/var/log/sssd
+ --with-kcm
+ --enable-kcm-renewal
+ --with-os=gentoo
+ --disable-rpath
+ --disable-static
+ # Valgrind is only used for tests
+ --disable-valgrind
+ $(use_with samba)
+ --with-smb-idmap-interface-version=6
+ $(multilib_native_use_enable acl cifs-idmap-plugin)
+ $(multilib_native_use_with selinux)
+ $(multilib_native_use_with selinux semanage)
+ --enable-krb5-locator-plugin
+ $(use_enable samba pac-responder)
+ $(multilib_native_use_with nfsv4 nfsv4-idmapd-plugin)
+ $(use_enable nls)
+ $(multilib_native_use_with netlink libnl)
+ $(multilib_native_use_with man manpages)
+ $(multilib_native_use_with sudo)
+ $(multilib_native_with autofs)
+ $(multilib_native_with ssh)
+ --without-oidc-child
+ --without-passkey
+ $(use_with subid)
+ $(use_enable systemtap)
+ --without-python2-bindings
+ $(multilib_native_use_with python python3-bindings)
+ # Annoyingly configure requires that you pick systemd XOR sysv
+ --with-initscript=$(usex systemd systemd sysv)
+ )
+
+ use systemd && myconf+=(
+ --with-systemdunitdir=$(systemd_get_systemunitdir)
+ )
+
+ if ! multilib_is_native_abi; then
+ # work-around all the libraries that are used for CLI and server
+ myconf+=(
+ {POPT,TALLOC,TDB,TEVENT,LDB}_{CFLAGS,LIBS}=' '
+ # ldb headers are fine since native needs it
+ # ldb lib fails... but it does not seem to bother
+ {DHASH,UNISTRING,INI_CONFIG_V{0,1,1_1,1_3}}_{CFLAGS,LIBS}=' '
+ {PCRE,CARES,SYSTEMD_LOGIN,SASL,DBUS,CRYPTO,P11_KIT}_{CFLAGS,LIBS}=' '
+ {NDR_NBT,SAMBA_UTIL,SMBCLIENT,NDR_KRB5PAC,JANSSON}_{CFLAGS,LIBS}=' '
+
+ # use native include path for dbus (needed for build)
+ DBUS_CFLAGS="${native_dbus_cflags}"
+
+ # non-pkgconfig checks
+ ac_cv_lib_ldap_ldap_search=yes
+ --without-kcm
+ --without-manpages
+ )
+ fi
+
+ econf "${myconf[@]}"
+}
+
+multilib_src_compile() {
+ if multilib_is_native_abi; then
+ default
+ use doc && emake docs
+ else
+ emake libnss_sss.la pam_sss.la pam_sss_gss.la
+ emake sssd_krb5_locator_plugin.la
+ use samba && emake sssd_pac_plugin.la
+ fi
+}
+
+multilib_src_test() {
+ if multilib_is_native_abi; then
+ local -x CK_TIMEOUT_MULTIPLIER=10
+ emake check VERBOSE=yes
+ fi
+}
+
+multilib_src_install() {
+ if multilib_is_native_abi; then
+ emake -j1 DESTDIR="${D}" install
+ if use python; then
+ python_fix_shebang "${ED}"
+ python_optimize
+ fi
+ else
+ # easier than playing with automake...
+ dopammod .libs/pam_sss.so
+ dopammod .libs/pam_sss_gss.so
+
+ into /
+ dolib.so .libs/libnss_sss.so*
+
+ exeinto /usr/$(get_libdir)/krb5/plugins/libkrb5
+ doexe .libs/sssd_krb5_locator_plugin.so
+
+ if use samba; then
+ exeinto /usr/$(get_libdir)/krb5/plugins/authdata
+ doexe .libs/sssd_pac_plugin.so
+ fi
+ fi
+}
+
+multilib_src_install_all() {
+ einstalldocs
+
+ insinto /etc/sssd
+ insopts -m600
+ doins src/examples/sssd-example.conf
+
+ insinto /etc/logrotate.d
+ insopts -m644
+ newins src/examples/logrotate sssd
+
+ newconfd "${FILESDIR}"/sssd.conf sssd
+
+ keepdir /var/lib/sss/db
+ keepdir /var/lib/sss/deskprofile
+ keepdir /var/lib/sss/gpo_cache
+ keepdir /var/lib/sss/keytabs
+ keepdir /var/lib/sss/mc
+ keepdir /var/lib/sss/pipes/private
+ keepdir /var/lib/sss/pubconf/krb5.include.d
+ keepdir /var/lib/sss/secrets
+ keepdir /var/log/sssd
+
+ # strip empty dirs
+ if ! use doc; then
+ rm -r "${ED}"/usr/share/doc/"${PF}"/doc || die
+ rm -r "${ED}"/usr/share/doc/"${PF}"/{hbac,idmap,nss_idmap}_doc || die
+ fi
+
+ rm -r "${ED}"/run || die
+ find "${ED}" -type f -name '*.la' -delete || die
+}
+
+pkg_postinst() {
+ elog "You must set up sssd.conf (default installed into /etc/sssd)"
+ elog "and (optionally) configuration in /etc/pam.d in order to use SSSD"
+ elog "features."
+ optfeature "Kerberos keytab renew (see krb5_renew_interval)" app-crypt/adcli
+}