summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorChristopher Byrne <salah.coronya@gmail.com>2023-09-06 10:29:13 +0200
committerDavid Seifert <soap@gentoo.org>2023-09-06 10:29:13 +0200
commit1e446ceef146a87ec68f2629ea69674a8393dc43 (patch)
tree1fd883ebd0549a1064ab4c3eb5f864f8529ce010 /sys-auth/sssd
parentsys-boot/gnu-efi: pass OBJCOPY to build system (diff)
downloadgentoo-1e446ceef146a87ec68f2629ea69674a8393dc43.tar.gz
gentoo-1e446ceef146a87ec68f2629ea69674a8393dc43.tar.bz2
gentoo-1e446ceef146a87ec68f2629ea69674a8393dc43.zip
sys-auth/sssd: add 2.9.1
Closes: https://bugs.gentoo.org/499578 Closes: https://bugs.gentoo.org/542324 Closes: https://bugs.gentoo.org/592402 Closes: https://bugs.gentoo.org/640760 Closes: https://bugs.gentoo.org/752978 Closes: https://bugs.gentoo.org/878177 Closes: https://bugs.gentoo.org/880097 Closes: https://bugs.gentoo.org/904280 Closes: https://bugs.gentoo.org/906292 Closes: https://github.com/gentoo/gentoo/pull/32466 Signed-off-by: Christopher Byrne <salah.coronya@gmail.com> Signed-off-by: David Seifert <soap@gentoo.org>
Diffstat (limited to 'sys-auth/sssd')
-rw-r--r--sys-auth/sssd/Manifest1
-rw-r--r--sys-auth/sssd/files/sssd-2.8.2-krb5_pw_locked.patch12
-rw-r--r--sys-auth/sssd/files/sssd-2.9.1-BUILD-Accept-krb5-1.21-for-building-the-PAC-plugin.patch31
-rw-r--r--sys-auth/sssd/files/sssd-2.9.1-certmap-fix-partial-string-comparison.patch87
-rw-r--r--sys-auth/sssd/files/sssd-2.9.1-conditional-python-install.patch19
-rw-r--r--sys-auth/sssd/files/sssd-2.9.1-sssct-allow-cert-show-and-cert-eval-rule-as-non-root.patch39
-rw-r--r--sys-auth/sssd/metadata.xml10
-rw-r--r--sys-auth/sssd/sssd-2.9.1.ebuild330
8 files changed, 529 insertions, 0 deletions
diff --git a/sys-auth/sssd/Manifest b/sys-auth/sssd/Manifest
index ae3ce6acb21c..e2f173e39988 100644
--- a/sys-auth/sssd/Manifest
+++ b/sys-auth/sssd/Manifest
@@ -1 +1,2 @@
DIST sssd-2.6.0.tar.gz 7440969 BLAKE2B 6b05fcea09ef10a5b2f373dc6a66032edc4c4f46f65f42fdc9ffb5b676025095e16de4a86b3088351c22746e062829d1d68fa7e960cccb7c5a77d960e6d38e2a SHA512 0b9e169424cbadfa6132a3e5e9789facf82f04cce94cb5344b8ff49370ae8817c2cb16cf21caddf6a7cd42e661d5ff5bf97843d79681683aacff0053ff93f64b
+DIST sssd-2.9.1.tar.gz 7943540 BLAKE2B 9113b63d54beb40ba85c5b5c75068197317b3b8088119cf6557c6b4aed113d2d67f0bc64fc68fb34f4dbef54cccdb8b32ef44112115930751fdec5ec92e0a09b SHA512 eb7345dcfbbd51f005f67ee5032364d369d24589111ded60701e2dbe09563f0b862d343f231dd2e9d548acd8c560a036c8b88a0601f9aa048a7202da8202cd9b
diff --git a/sys-auth/sssd/files/sssd-2.8.2-krb5_pw_locked.patch b/sys-auth/sssd/files/sssd-2.8.2-krb5_pw_locked.patch
new file mode 100644
index 000000000000..a8bd397cd063
--- /dev/null
+++ b/sys-auth/sssd/files/sssd-2.8.2-krb5_pw_locked.patch
@@ -0,0 +1,12 @@
+diff --git a/src/providers/krb5/krb5_auth.c b/src/providers/krb5/krb5_auth.c
+index a1c0b36..207c010 100644
+--- a/src/providers/krb5/krb5_auth.c
++++ b/src/providers/krb5/krb5_auth.c
+@@ -1037,6 +1037,7 @@ static void krb5_auth_done(struct tevent_req *subreq)
+ case ERR_ACCOUNT_LOCKED:
+ state->pam_status = PAM_PERM_DENIED;
+ state->dp_err = DP_ERR_OK;
++ state->pd->account_locked = true;
+ ret = EOK;
+ goto done;
+
diff --git a/sys-auth/sssd/files/sssd-2.9.1-BUILD-Accept-krb5-1.21-for-building-the-PAC-plugin.patch b/sys-auth/sssd/files/sssd-2.9.1-BUILD-Accept-krb5-1.21-for-building-the-PAC-plugin.patch
new file mode 100644
index 000000000000..c849fe76b446
--- /dev/null
+++ b/sys-auth/sssd/files/sssd-2.9.1-BUILD-Accept-krb5-1.21-for-building-the-PAC-plugin.patch
@@ -0,0 +1,31 @@
+From 74d0f4538deb766592079b1abca0d949d6dea105 Mon Sep 17 00:00:00 2001
+From: Alexey Tikhonov <atikhono@redhat.com>
+Date: Thu, 15 Jun 2023 12:05:03 +0200
+Subject: [PATCH 1/1] BUILD: Accept krb5 1.21 for building the PAC plugin
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Reviewed-by: Alejandro López <allopez@redhat.com>
+Reviewed-by: Sumit Bose <sbose@redhat.com>
+---
+ src/external/pac_responder.m4 | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/src/external/pac_responder.m4 b/src/external/pac_responder.m4
+index 3cbe3c9cfba03b59e26a8c5c2d73446eead2acea..90727185b574411bddd928f8d87efdc87076eba4 100644
+--- a/src/external/pac_responder.m4
++++ b/src/external/pac_responder.m4
+@@ -22,7 +22,8 @@ then
+ Kerberos\ 5\ release\ 1.17* | \
+ Kerberos\ 5\ release\ 1.18* | \
+ Kerberos\ 5\ release\ 1.19* | \
+- Kerberos\ 5\ release\ 1.20*)
++ Kerberos\ 5\ release\ 1.20* | \
++ Kerberos\ 5\ release\ 1.21*)
+ krb5_version_ok=yes
+ AC_MSG_RESULT([yes])
+ ;;
+--
+2.41.0
+
diff --git a/sys-auth/sssd/files/sssd-2.9.1-certmap-fix-partial-string-comparison.patch b/sys-auth/sssd/files/sssd-2.9.1-certmap-fix-partial-string-comparison.patch
new file mode 100644
index 000000000000..258940bab38e
--- /dev/null
+++ b/sys-auth/sssd/files/sssd-2.9.1-certmap-fix-partial-string-comparison.patch
@@ -0,0 +1,87 @@
+From 11afa7a6ef7e15f1e98c7145ad5c80bbdfc520e2 Mon Sep 17 00:00:00 2001
+From: Sumit Bose <sbose@redhat.com>
+Date: Tue, 4 Jul 2023 19:06:27 +0200
+Subject: [PATCH 3/3] certmap: fix partial string comparison
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+If the formatting option of the certificate digest/hash function
+contained and additional specifier separated with a '_' the comparison
+of the provided digest name and the available ones was incomplete, the
+last character was ignored and the comparison was successful if even if
+there was only a partial match.
+
+Resolves: https://github.com/SSSD/sssd/issues/6802
+
+Reviewed-by: Alejandro López <allopez@redhat.com>
+Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
+(cherry picked from commit 0817ca3b366f51510705ab77d7900c0b65b7d2fc)
+---
+ src/lib/certmap/sss_certmap_ldap_mapping.c | 9 ++++++++-
+ src/tests/cmocka/test_certmap.c | 22 ++++++++++++++++++++++
+ 2 files changed, 30 insertions(+), 1 deletion(-)
+
+diff --git a/src/lib/certmap/sss_certmap_ldap_mapping.c b/src/lib/certmap/sss_certmap_ldap_mapping.c
+index 2f16837a1..354b0310b 100644
+--- a/src/lib/certmap/sss_certmap_ldap_mapping.c
++++ b/src/lib/certmap/sss_certmap_ldap_mapping.c
+@@ -228,14 +228,21 @@ int check_digest_conversion(const char *inp, const char **digest_list,
+ bool colon = false;
+ bool reverse = false;
+ char *c;
++ size_t len = 0;
+
+ sep = strchr(inp, '_');
++ if (sep != NULL) {
++ len = sep - inp;
++ }
+
+ for (d = 0; digest_list[d] != NULL; d++) {
+ if (sep == NULL) {
+ cmp = strcasecmp(digest_list[d], inp);
+ } else {
+- cmp = strncasecmp(digest_list[d], inp, (sep - inp -1));
++ if (strlen(digest_list[d]) != len) {
++ continue;
++ }
++ cmp = strncasecmp(digest_list[d], inp, len);
+ }
+
+ if (cmp == 0) {
+diff --git a/src/tests/cmocka/test_certmap.c b/src/tests/cmocka/test_certmap.c
+index da312beaf..a15984d60 100644
+--- a/src/tests/cmocka/test_certmap.c
++++ b/src/tests/cmocka/test_certmap.c
+@@ -2183,6 +2183,28 @@ static void test_sss_certmap_ldapu1_cert(void **state)
+ assert_non_null(ctx);
+ assert_null(ctx->prio_list);
+
++ /* cert!sha */
++ ret = sss_certmap_add_rule(ctx, 91,
++ "KRB5:<ISSUER>.*",
++ "LDAP:rule91={cert!sha}", NULL);
++ assert_int_equal(ret, EINVAL);
++
++ ret = sss_certmap_add_rule(ctx, 91,
++ "KRB5:<ISSUER>.*",
++ "LDAPU1:rule91={cert!sha}", NULL);
++ assert_int_equal(ret, EINVAL);
++
++ /* cert!sha_u */
++ ret = sss_certmap_add_rule(ctx, 90,
++ "KRB5:<ISSUER>.*",
++ "LDAP:rule90={cert!sha_u}", NULL);
++ assert_int_equal(ret, EINVAL);
++
++ ret = sss_certmap_add_rule(ctx, 99,
++ "KRB5:<ISSUER>.*",
++ "LDAPU1:rule90={cert!sha_u}", NULL);
++ assert_int_equal(ret, EINVAL);
++
+ /* cert!sha555 */
+ ret = sss_certmap_add_rule(ctx, 89,
+ "KRB5:<ISSUER>.*",
+--
+2.38.1
+
diff --git a/sys-auth/sssd/files/sssd-2.9.1-conditional-python-install.patch b/sys-auth/sssd/files/sssd-2.9.1-conditional-python-install.patch
new file mode 100644
index 000000000000..de46b96c82f9
--- /dev/null
+++ b/sys-auth/sssd/files/sssd-2.9.1-conditional-python-install.patch
@@ -0,0 +1,19 @@
+diff --git a/src/tools/analyzer/Makefile.am b/src/tools/analyzer/Makefile.am
+index b40043d04..dce6b9d36 100644
+--- a/src/tools/analyzer/Makefile.am
++++ b/src/tools/analyzer/Makefile.am
+@@ -5,7 +5,9 @@ dist_sss_analyze_python_SCRIPTS = \
+ $(NULL)
+
+ pkgpythondir = $(python3dir)/sssd
++modulesdir = $(pkgpythondir)/modules
+
++if BUILD_PYTHON_BINDINGS
+ dist_pkgpython_DATA = \
+ __init__.py \
+ source_files.py \
+@@ -20,3 +22,4 @@ dist_modules_DATA = \
+ modules/__init__.py \
+ modules/request.py \
+ $(NULL)
++endif
diff --git a/sys-auth/sssd/files/sssd-2.9.1-sssct-allow-cert-show-and-cert-eval-rule-as-non-root.patch b/sys-auth/sssd/files/sssd-2.9.1-sssct-allow-cert-show-and-cert-eval-rule-as-non-root.patch
new file mode 100644
index 000000000000..3a724363382b
--- /dev/null
+++ b/sys-auth/sssd/files/sssd-2.9.1-sssct-allow-cert-show-and-cert-eval-rule-as-non-root.patch
@@ -0,0 +1,39 @@
+From 15d7d34b20219e2fd45c43881088f5d542e9603e Mon Sep 17 00:00:00 2001
+From: Sumit Bose <sbose@redhat.com>
+Date: Tue, 4 Jul 2023 18:56:35 +0200
+Subject: [PATCH 2/3] sssct: allow cert-show and cert-eval-rule as non-root
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The cert-show and cert-eval-rule sub-commands do not need root access and
+do not require SSSD to be configured on the host.
+
+Resolves: https://github.com/SSSD/sssd/issues/6802
+
+Reviewed-by: Alejandro López <allopez@redhat.com>
+Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
+(cherry picked from commit 8466f0e4d0c6cd2b98d2789970847b9adc01d7d4)
+---
+ src/tools/sssctl/sssctl.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/tools/sssctl/sssctl.c b/src/tools/sssctl/sssctl.c
+index 855260aed..04c41aa9a 100644
+--- a/src/tools/sssctl/sssctl.c
++++ b/src/tools/sssctl/sssctl.c
+@@ -340,9 +340,9 @@ int main(int argc, const char **argv)
+ SSS_TOOL_COMMAND_FLAGS("config-check", "Perform static analysis of SSSD configuration", 0, sssctl_config_check, SSS_TOOL_FLAG_SKIP_CMD_INIT),
+ #endif
+ SSS_TOOL_DELIMITER("Certificate related tools:"),
+- SSS_TOOL_COMMAND("cert-show", "Print information about the certificate", 0, sssctl_cert_show),
++ SSS_TOOL_COMMAND_FLAGS("cert-show", "Print information about the certificate", 0, sssctl_cert_show, SSS_TOOL_FLAG_SKIP_CMD_INIT|SSS_TOOL_FLAG_SKIP_ROOT_CHECK),
+ SSS_TOOL_COMMAND("cert-map", "Show users mapped to the certificate", 0, sssctl_cert_map),
+- SSS_TOOL_COMMAND("cert-eval-rule", "Check mapping and matching rule with a certificate", 0, sssctl_cert_eval_rule),
++ SSS_TOOL_COMMAND_FLAGS("cert-eval-rule", "Check mapping and matching rule with a certificate", 0, sssctl_cert_eval_rule, SSS_TOOL_FLAG_SKIP_CMD_INIT|SSS_TOOL_FLAG_SKIP_ROOT_CHECK),
+ #ifdef BUILD_PASSKEY
+ SSS_TOOL_DELIMITER("Passkey related tools:"),
+ SSS_TOOL_COMMAND_FLAGS("passkey-register", "Perform passkey registration", 0, sssctl_passkey_register, SSS_TOOL_FLAG_SKIP_CMD_INIT|SSS_TOOL_FLAG_SKIP_ROOT_CHECK),
+--
+2.38.1
+
diff --git a/sys-auth/sssd/metadata.xml b/sys-auth/sssd/metadata.xml
index 36a8e6c631a2..628b459ea0a0 100644
--- a/sys-auth/sssd/metadata.xml
+++ b/sys-auth/sssd/metadata.xml
@@ -5,12 +5,22 @@
<email>base-system@gentoo.org</email>
<name>Gentoo Base System</name>
</maintainer>
+ <maintainer type="person" proxied="yes">
+ <email>salah.coronya@gmail.com</email>
+ <name>Christopher Byrne</name>
+ </maintainer>
+ <maintainer type="project" proxied="proxy">
+ <email>proxy-maint@gentoo.org</email>
+ <name>Proxy Maintainers</name>
+ </maintainer>
<use>
<flag name="acl"> Build and use the cifsidmap plugin</flag>
<flag name="locator">Install sssd's Kerberos plugin</flag>
<flag name="netlink">Add support for netlink protocol via <pkg>dev-libs/libnl</pkg></flag>
<flag name="nfsv4">Add support for the nfsv4 idmapd plugin provided by <pkg>net-fs/nfs-utils</pkg></flag>
<flag name="pac">Add Privileged Attribute Certificate Support for Kerberos</flag>
+ <flag name="samba">Add Privileged Attribute Certificate Support for Kerberos</flag>
+ <flag name="subid">Support subordinate uid and gid ranges in FreeIPA</flag>
<flag name="sudo">Build helper to let <pkg>app-admin/sudo</pkg> use sssd provided information</flag>
<flag name="systemtap">Enable SystemTAP/DTrace tracing</flag>
</use>
diff --git a/sys-auth/sssd/sssd-2.9.1.ebuild b/sys-auth/sssd/sssd-2.9.1.ebuild
new file mode 100644
index 000000000000..bebb882e63fa
--- /dev/null
+++ b/sys-auth/sssd/sssd-2.9.1.ebuild
@@ -0,0 +1,330 @@
+# Copyright 1999-2023 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+
+PLOCALES="ca de es fr ja ko pt_BR ru sv tr uk"
+PLOCALES_BIN="${PLOCALES} bg cs eu fi hu id it ka nb nl pl pt tg zh_TW zh_CN"
+PLOCALE_BACKUP="sv"
+PYTHON_COMPAT=( python3_{10..12} )
+
+inherit autotools linux-info multilib-minimal optfeature plocale \
+ python-single-r1 pam systemd toolchain-funcs
+
+DESCRIPTION="System Security Services Daemon provides access to identity and authentication"
+HOMEPAGE="https://github.com/SSSD/sssd"
+if [[ ${PV} != 9999 ]]; then
+ SRC_URI="https://github.com/SSSD/sssd/releases/download/${PV}/${P}.tar.gz"
+else
+ inherit git-r3
+ EGIT_REPO_URI="https://github.com/SSSD/sssd.git"
+ EGIT_BRANCH="master"
+fi
+
+LICENSE="GPL-3"
+SLOT="0"
+KEYWORDS="~amd64 ~arm ~arm64 ~hppa ~m68k ~mips ~ppc ~ppc64 ~riscv ~sparc ~x86"
+IUSE="acl doc +netlink nfsv4 nls +man python samba selinux subid sudo systemd systemtap test"
+REQUIRED_USE="
+ python? ( ${PYTHON_REQUIRED_USE} )
+ test? ( sudo )"
+RESTRICT="!test? ( test )"
+
+DEPEND="
+ >=app-crypt/mit-krb5-1.19.1[${MULTILIB_USEDEP}]
+ app-crypt/p11-kit
+ >=dev-libs/ding-libs-0.2
+ >=dev-libs/cyrus-sasl-2.1.25-r3[kerberos]
+ dev-libs/jansson:=
+ dev-libs/libpcre2:=
+ dev-libs/libunistring:=
+ >=dev-libs/popt-1.16
+ >=dev-libs/openssl-1.0.2:=
+ >=net-dns/bind-tools-9.9[gssapi]
+ >=net-dns/c-ares-1.10.0-r1:=[${MULTILIB_USEDEP}]
+ >=net-nds/openldap-2.4.30:=[sasl,experimental]
+ >=sys-apps/dbus-1.6
+ >=sys-apps/keyutils-1.5:=
+ >=sys-libs/pam-0-r1[${MULTILIB_USEDEP}]
+ >=sys-libs/talloc-2.0.7
+ >=sys-libs/tdb-1.2.9
+ >=sys-libs/tevent-0.9.16
+ >=sys-libs/ldb-1.1.17-r1:=
+ virtual/libintl
+ acl? ( net-fs/cifs-utils[acl] )
+ netlink? ( dev-libs/libnl:3 )
+ nfsv4? ( >=net-fs/nfs-utils-2.3.1-r2 )
+ nls? ( >=sys-devel/gettext-0.18 )
+ python? (
+ ${PYTHON_DEPS}
+ systemd? (
+ $(python_gen_cond_dep '
+ dev-python/python-systemd[${PYTHON_USEDEP}]
+ ')
+ )
+ )
+ samba? ( >=net-fs/samba-4.10.2[winbind] )
+ selinux? (
+ >=sys-libs/libselinux-2.1.9
+ >=sys-libs/libsemanage-2.1
+ )
+ subid? ( >=sys-apps/shadow-4.9 )
+ systemd? (
+ sys-apps/systemd:=
+ sys-apps/util-linux
+ )
+ systemtap? ( dev-util/systemtap )"
+RDEPEND="${DEPEND}
+ selinux? ( >=sec-policy/selinux-sssd-2.20120725-r9 )"
+BDEPEND="
+ virtual/pkgconfig
+ ${PYTHON_DEPS}
+ doc? ( app-doc/doxygen )
+ man? (
+ app-text/docbook-xml-dtd:4.4
+ >=dev-libs/libxslt-1.1.26
+ nls? ( app-text/po4a )
+ )
+ nls? ( sys-devel/gettext )
+ test? (
+ dev-libs/check
+ dev-libs/softhsm:2
+ dev-util/cmocka
+ net-libs/gnutls[pkcs11,tools]
+ sys-libs/libfaketime
+ sys-libs/nss_wrapper
+ sys-libs/pam_wrapper
+ sys-libs/uid_wrapper
+ )
+"
+
+CONFIG_CHECK="~KEYS"
+
+PATCHES=(
+ "${FILESDIR}/${PN}-2.8.2-krb5_pw_locked.patch"
+ "${FILESDIR}/${PN}-2.9.1-BUILD-Accept-krb5-1.21-for-building-the-PAC-plugin.patch"
+ "${FILESDIR}/${PN}-2.9.1-certmap-fix-partial-string-comparison.patch"
+ "${FILESDIR}/${PN}-2.9.1-sssct-allow-cert-show-and-cert-eval-rule-as-non-root.patch"
+ "${FILESDIR}/${PN}-2.9.1-conditional-python-install.patch"
+)
+
+MULTILIB_WRAPPED_HEADERS=(
+ /usr/include/ipa_hbac.h
+ /usr/include/sss_idmap.h
+ /usr/include/sss_nss_idmap.h
+ # --with-ifp
+ /usr/include/sss_sifp.h
+ /usr/include/sss_sifp_dbus.h
+ # from 1.15.3
+ /usr/include/sss_certmap.h
+)
+
+pkg_setup() {
+ linux-info_pkg_setup
+ python-single-r1_pkg_setup
+}
+
+src_prepare() {
+ default
+
+ plocale_get_locales > src/man/po/LINGUAS || die
+
+ sed -i \
+ -e "/_langs]/ s/ .*//" \
+ src/man/po/po4a.cfg \
+ || die
+ enable_locale() {
+ local locale=${1}
+
+ sed -i \
+ -e "/_langs]/ s/$/ ${locale}/" \
+ src/man/po/po4a.cfg \
+ || die
+ }
+
+ plocale_for_each_locale enable_locale
+
+ PLOCALES="${PLOCALES_BIN}"
+ plocale_get_locales > po/LINGUAS || die
+
+ sed -i \
+ -e 's:/var/run:/run:' \
+ src/examples/logrotate \
+ || die
+
+ # disable flaky test, see https://github.com/SSSD/sssd/issues/5631
+ sed -i \
+ -e '/^\s*pam-srv-tests[ \\]*$/d' \
+ Makefile.am \
+ || die
+
+ eautoreconf
+
+ multilib_copy_sources
+}
+
+src_configure() {
+ local native_dbus_cflags=$($(tc-getPKG_CONFIG) --cflags dbus-1 || die)
+
+ multilib-minimal_src_configure
+}
+
+multilib_src_configure() {
+ local myconf=()
+
+ myconf+=(
+ --libexecdir="${EPREFIX}"/usr/libexec
+ --localstatedir="${EPREFIX}"/var
+ --runstatedir="${EPREFIX}"/run
+ --sbindir="${EPREFIX}"/usr/sbin
+ --with-pid-path="${EPREFIX}"/run
+ --with-plugin-path="${EPREFIX}"/usr/$(get_libdir)/sssd
+ --enable-pammoddir="${EPREFIX}"/$(getpam_mod_dir)
+ --with-ldb-lib-dir="${EPREFIX}"/usr/$(get_libdir)/samba/ldb
+ --with-db-path="${EPREFIX}"/var/lib/sss/db
+ --with-gpo-cache-path="${EPREFIX}"/var/lib/sss/gpo_cache
+ --with-pubconf-path="${EPREFIX}"/var/lib/sss/pubconf
+ --with-pipe-path="${EPREFIX}"/var/lib/sss/pipes
+ --with-mcache-path="${EPREFIX}"/var/lib/sss/mc
+ --with-secrets-db-path="${EPREFIX}"/var/lib/sss/secrets
+ --with-log-path="${EPREFIX}"/var/log/sssd
+ --with-kcm
+ --enable-kcm-renewal
+ --with-os=gentoo
+ --disable-rpath
+ --disable-static
+ # Valgrind is only used for tests
+ --disable-valgrind
+ $(use_with samba)
+ --with-smb-idmap-interface-version=6
+ $(multilib_native_use_enable acl cifs-idmap-plugin)
+ $(multilib_native_use_with selinux)
+ $(multilib_native_use_with selinux semanage)
+ --enable-krb5-locator-plugin
+ $(use_enable samba pac-responder)
+ $(multilib_native_use_with nfsv4 nfsv4-idmapd-plugin)
+ $(use_enable nls)
+ $(multilib_native_use_with netlink libnl)
+ $(multilib_native_use_with man manpages)
+ $(multilib_native_use_with sudo)
+ $(multilib_native_with autofs)
+ $(multilib_native_with ssh)
+ --without-oidc-child
+ --without-passkey
+ $(use_with subid)
+ $(use_enable systemtap)
+ --without-python2-bindings
+ $(multilib_native_use_with python python3-bindings)
+ # Annoyingly configure requires that you pick systemd XOR sysv
+ --with-initscript=$(usex systemd systemd sysv)
+ )
+
+ use systemd && myconf+=(
+ --with-systemdunitdir=$(systemd_get_systemunitdir)
+ )
+
+ if ! multilib_is_native_abi; then
+ # work-around all the libraries that are used for CLI and server
+ myconf+=(
+ {POPT,TALLOC,TDB,TEVENT,LDB}_{CFLAGS,LIBS}=' '
+ # ldb headers are fine since native needs it
+ # ldb lib fails... but it does not seem to bother
+ {DHASH,UNISTRING,INI_CONFIG_V{0,1,1_1,1_3}}_{CFLAGS,LIBS}=' '
+ {PCRE,CARES,SYSTEMD_LOGIN,SASL,DBUS,CRYPTO,P11_KIT}_{CFLAGS,LIBS}=' '
+ {NDR_NBT,SAMBA_UTIL,SMBCLIENT,NDR_KRB5PAC,JANSSON}_{CFLAGS,LIBS}=' '
+
+ # use native include path for dbus (needed for build)
+ DBUS_CFLAGS="${native_dbus_cflags}"
+
+ # non-pkgconfig checks
+ ac_cv_lib_ldap_ldap_search=yes
+ --without-kcm
+ --without-manpages
+ )
+ fi
+
+ econf "${myconf[@]}"
+}
+
+multilib_src_compile() {
+ if multilib_is_native_abi; then
+ default
+ use doc && emake docs
+ else
+ emake libnss_sss.la pam_sss.la pam_sss_gss.la
+ emake sssd_krb5_locator_plugin.la
+ use samba && emake sssd_pac_plugin.la
+ fi
+}
+
+multilib_src_test() {
+ if multilib_is_native_abi; then
+ local -x CK_TIMEOUT_MULTIPLIER=10
+ emake check VERBOSE=yes
+ fi
+}
+
+multilib_src_install() {
+ if multilib_is_native_abi; then
+ emake -j1 DESTDIR="${D}" install
+ if use python; then
+ python_fix_shebang "${ED}"
+ python_optimize
+ fi
+ else
+ # easier than playing with automake...
+ dopammod .libs/pam_sss.so
+ dopammod .libs/pam_sss_gss.so
+
+ into /
+ dolib.so .libs/libnss_sss.so*
+
+ exeinto /usr/$(get_libdir)/krb5/plugins/libkrb5
+ doexe .libs/sssd_krb5_locator_plugin.so
+
+ if use samba; then
+ exeinto /usr/$(get_libdir)/krb5/plugins/authdata
+ doexe .libs/sssd_pac_plugin.so
+ fi
+ fi
+}
+
+multilib_src_install_all() {
+ einstalldocs
+
+ insinto /etc/sssd
+ insopts -m600
+ doins src/examples/sssd-example.conf
+
+ insinto /etc/logrotate.d
+ insopts -m644
+ newins src/examples/logrotate sssd
+
+ newconfd "${FILESDIR}"/sssd.conf sssd
+
+ keepdir /var/lib/sss/db
+ keepdir /var/lib/sss/deskprofile
+ keepdir /var/lib/sss/gpo_cache
+ keepdir /var/lib/sss/keytabs
+ keepdir /var/lib/sss/mc
+ keepdir /var/lib/sss/pipes/private
+ keepdir /var/lib/sss/pubconf/krb5.include.d
+ keepdir /var/lib/sss/secrets
+ keepdir /var/log/sssd
+
+ # strip empty dirs
+ if ! use doc; then
+ rm -r "${ED}"/usr/share/doc/"${PF}"/doc || die
+ rm -r "${ED}"/usr/share/doc/"${PF}"/{hbac,idmap,nss_idmap}_doc || die
+ fi
+
+ rm -r "${ED}"/run || die
+ find "${ED}" -type f -name '*.la' -delete || die
+}
+
+pkg_postinst() {
+ elog "You must set up sssd.conf (default installed into /etc/sssd)"
+ elog "and (optionally) configuration in /etc/pam.d in order to use SSSD"
+ elog "features."
+ optfeature "Kerberos keytab renew (see krb5_renew_interval)" app-crypt/adcli
+}