[gentoo-commits] repo/gentoo:master commit in: sys-auth/sssd/, sys-auth/sssd/files/

["David Seifert" <soap@gentoo.org>]

commit:     1e446ceef146a87ec68f2629ea69674a8393dc43
Author:     Christopher Byrne <salah.coronya <AT> gmail <DOT> com>
AuthorDate: Wed Sep  6 08:29:13 2023 +0000
Commit:     David Seifert <soap <AT> gentoo <DOT> org>
CommitDate: Wed Sep  6 08:29:13 2023 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=1e446cee

sys-auth/sssd: add 2.9.1

Closes: https://bugs.gentoo.org/499578
Closes: https://bugs.gentoo.org/542324
Closes: https://bugs.gentoo.org/592402
Closes: https://bugs.gentoo.org/640760
Closes: https://bugs.gentoo.org/752978
Closes: https://bugs.gentoo.org/878177
Closes: https://bugs.gentoo.org/880097
Closes: https://bugs.gentoo.org/904280
Closes: https://bugs.gentoo.org/906292
Closes: https://github.com/gentoo/gentoo/pull/32466
Signed-off-by: Christopher Byrne <salah.coronya <AT> gmail.com>
Signed-off-by: David Seifert <soap <AT> gentoo.org>

 sys-auth/sssd/Manifest                             |   1 +
 .../sssd/files/sssd-2.8.2-krb5_pw_locked.patch     |  12 +
 ...ept-krb5-1.21-for-building-the-PAC-plugin.patch |  31 ++
 ...9.1-certmap-fix-partial-string-comparison.patch |  87 ++++++
 .../sssd-2.9.1-conditional-python-install.patch    |  19 ++
 ...-cert-show-and-cert-eval-rule-as-non-root.patch |  39 +++
 sys-auth/sssd/metadata.xml                         |  10 +
 sys-auth/sssd/sssd-2.9.1.ebuild                    | 330 +++++++++++++++++++++
 8 files changed, 529 insertions(+)

diff --git a/sys-auth/sssd/Manifest b/sys-auth/sssd/Manifest
index ae3ce6acb21c..e2f173e39988 100644
--- a/sys-auth/sssd/Manifest
+++ b/sys-auth/sssd/Manifest
@@ -1 +1,2 @@
 DIST sssd-2.6.0.tar.gz 7440969 BLAKE2B 6b05fcea09ef10a5b2f373dc6a66032edc4c4f46f65f42fdc9ffb5b676025095e16de4a86b3088351c22746e062829d1d68fa7e960cccb7c5a77d960e6d38e2a SHA512 0b9e169424cbadfa6132a3e5e9789facf82f04cce94cb5344b8ff49370ae8817c2cb16cf21caddf6a7cd42e661d5ff5bf97843d79681683aacff0053ff93f64b
+DIST sssd-2.9.1.tar.gz 7943540 BLAKE2B 9113b63d54beb40ba85c5b5c75068197317b3b8088119cf6557c6b4aed113d2d67f0bc64fc68fb34f4dbef54cccdb8b32ef44112115930751fdec5ec92e0a09b SHA512 eb7345dcfbbd51f005f67ee5032364d369d24589111ded60701e2dbe09563f0b862d343f231dd2e9d548acd8c560a036c8b88a0601f9aa048a7202da8202cd9b

diff --git a/sys-auth/sssd/files/sssd-2.8.2-krb5_pw_locked.patch b/sys-auth/sssd/files/sssd-2.8.2-krb5_pw_locked.patch
new file mode 100644
index 000000000000..a8bd397cd063
--- /dev/null
+++ b/sys-auth/sssd/files/sssd-2.8.2-krb5_pw_locked.patch
@@ -0,0 +1,12 @@
+diff --git a/src/providers/krb5/krb5_auth.c b/src/providers/krb5/krb5_auth.c
+index a1c0b36..207c010 100644
+--- a/src/providers/krb5/krb5_auth.c
++++ b/src/providers/krb5/krb5_auth.c
+@@ -1037,6 +1037,7 @@ static void krb5_auth_done(struct tevent_req *subreq)
+     case ERR_ACCOUNT_LOCKED:
+         state->pam_status = PAM_PERM_DENIED;
+         state->dp_err = DP_ERR_OK;
++        state->pd->account_locked = true;
+         ret = EOK;
+         goto done;
+

diff --git a/sys-auth/sssd/files/sssd-2.9.1-BUILD-Accept-krb5-1.21-for-building-the-PAC-plugin.patch b/sys-auth/sssd/files/sssd-2.9.1-BUILD-Accept-krb5-1.21-for-building-the-PAC-plugin.patch
new file mode 100644
index 000000000000..c849fe76b446
--- /dev/null
+++ b/sys-auth/sssd/files/sssd-2.9.1-BUILD-Accept-krb5-1.21-for-building-the-PAC-plugin.patch
@@ -0,0 +1,31 @@
+From 74d0f4538deb766592079b1abca0d949d6dea105 Mon Sep 17 00:00:00 2001
+From: Alexey Tikhonov <atikhono@redhat.com>
+Date: Thu, 15 Jun 2023 12:05:03 +0200
+Subject: [PATCH 1/1] BUILD: Accept krb5 1.21 for building the PAC plugin
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Reviewed-by: Alejandro López <allopez@redhat.com>
+Reviewed-by: Sumit Bose <sbose@redhat.com>
+---
+ src/external/pac_responder.m4 | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/src/external/pac_responder.m4 b/src/external/pac_responder.m4
+index 3cbe3c9cfba03b59e26a8c5c2d73446eead2acea..90727185b574411bddd928f8d87efdc87076eba4 100644
+--- a/src/external/pac_responder.m4
++++ b/src/external/pac_responder.m4
+@@ -22,7 +22,8 @@ then
+         Kerberos\ 5\ release\ 1.17* | \
+         Kerberos\ 5\ release\ 1.18* | \
+         Kerberos\ 5\ release\ 1.19* | \
+-        Kerberos\ 5\ release\ 1.20*)
++        Kerberos\ 5\ release\ 1.20* | \
++        Kerberos\ 5\ release\ 1.21*)
+             krb5_version_ok=yes
+             AC_MSG_RESULT([yes])
+             ;;
+-- 
+2.41.0
+

diff --git a/sys-auth/sssd/files/sssd-2.9.1-certmap-fix-partial-string-comparison.patch b/sys-auth/sssd/files/sssd-2.9.1-certmap-fix-partial-string-comparison.patch
new file mode 100644
index 000000000000..258940bab38e
--- /dev/null
+++ b/sys-auth/sssd/files/sssd-2.9.1-certmap-fix-partial-string-comparison.patch
@@ -0,0 +1,87 @@
+From 11afa7a6ef7e15f1e98c7145ad5c80bbdfc520e2 Mon Sep 17 00:00:00 2001
+From: Sumit Bose <sbose@redhat.com>
+Date: Tue, 4 Jul 2023 19:06:27 +0200
+Subject: [PATCH 3/3] certmap: fix partial string comparison
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+If the formatting option of the certificate digest/hash function
+contained and additional specifier separated with a '_' the comparison
+of the provided digest name and the available ones was incomplete, the
+last character was ignored and the comparison was successful if even if
+there was only a partial match.
+
+Resolves: https://github.com/SSSD/sssd/issues/6802
+
+Reviewed-by: Alejandro López <allopez@redhat.com>
+Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
+(cherry picked from commit 0817ca3b366f51510705ab77d7900c0b65b7d2fc)
+---
+ src/lib/certmap/sss_certmap_ldap_mapping.c |  9 ++++++++-
+ src/tests/cmocka/test_certmap.c            | 22 ++++++++++++++++++++++
+ 2 files changed, 30 insertions(+), 1 deletion(-)
+
+diff --git a/src/lib/certmap/sss_certmap_ldap_mapping.c b/src/lib/certmap/sss_certmap_ldap_mapping.c
+index 2f16837a1..354b0310b 100644
+--- a/src/lib/certmap/sss_certmap_ldap_mapping.c
++++ b/src/lib/certmap/sss_certmap_ldap_mapping.c
+@@ -228,14 +228,21 @@ int check_digest_conversion(const char *inp, const char **digest_list,
+     bool colon = false;
+     bool reverse = false;
+     char *c;
++    size_t len = 0;
+ 
+     sep = strchr(inp, '_');
++    if (sep != NULL) {
++        len = sep - inp;
++    }
+ 
+     for (d = 0; digest_list[d] != NULL; d++) {
+         if (sep == NULL) {
+             cmp = strcasecmp(digest_list[d], inp);
+         } else {
+-            cmp = strncasecmp(digest_list[d], inp, (sep - inp -1));
++            if (strlen(digest_list[d]) != len) {
++                continue;
++            }
++            cmp = strncasecmp(digest_list[d], inp, len);
+         }
+ 
+         if (cmp == 0) {
+diff --git a/src/tests/cmocka/test_certmap.c b/src/tests/cmocka/test_certmap.c
+index da312beaf..a15984d60 100644
+--- a/src/tests/cmocka/test_certmap.c
++++ b/src/tests/cmocka/test_certmap.c
+@@ -2183,6 +2183,28 @@ static void test_sss_certmap_ldapu1_cert(void **state)
+     assert_non_null(ctx);
+     assert_null(ctx->prio_list);
+ 
++    /* cert!sha */
++    ret = sss_certmap_add_rule(ctx, 91,
++                            "KRB5:<ISSUER>.*",
++                            "LDAP:rule91={cert!sha}", NULL);
++    assert_int_equal(ret, EINVAL);
++
++    ret = sss_certmap_add_rule(ctx, 91,
++                            "KRB5:<ISSUER>.*",
++                            "LDAPU1:rule91={cert!sha}", NULL);
++    assert_int_equal(ret, EINVAL);
++
++    /* cert!sha_u */
++    ret = sss_certmap_add_rule(ctx, 90,
++                            "KRB5:<ISSUER>.*",
++                            "LDAP:rule90={cert!sha_u}", NULL);
++    assert_int_equal(ret, EINVAL);
++
++    ret = sss_certmap_add_rule(ctx, 99,
++                            "KRB5:<ISSUER>.*",
++                            "LDAPU1:rule90={cert!sha_u}", NULL);
++    assert_int_equal(ret, EINVAL);
++
+     /* cert!sha555 */
+     ret = sss_certmap_add_rule(ctx, 89,
+                             "KRB5:<ISSUER>.*",
+-- 
+2.38.1
+

diff --git a/sys-auth/sssd/files/sssd-2.9.1-conditional-python-install.patch b/sys-auth/sssd/files/sssd-2.9.1-conditional-python-install.patch
new file mode 100644
index 000000000000..de46b96c82f9
--- /dev/null
+++ b/sys-auth/sssd/files/sssd-2.9.1-conditional-python-install.patch
@@ -0,0 +1,19 @@
+diff --git a/src/tools/analyzer/Makefile.am b/src/tools/analyzer/Makefile.am
+index b40043d04..dce6b9d36 100644
+--- a/src/tools/analyzer/Makefile.am
++++ b/src/tools/analyzer/Makefile.am
+@@ -5,7 +5,9 @@ dist_sss_analyze_python_SCRIPTS = \
+     $(NULL)
+ 
+ pkgpythondir = $(python3dir)/sssd
++modulesdir = $(pkgpythondir)/modules
+ 
++if BUILD_PYTHON_BINDINGS
+ dist_pkgpython_DATA = \
+     __init__.py \
+     source_files.py \
+@@ -20,3 +22,4 @@ dist_modules_DATA = \
+     modules/__init__.py \
+     modules/request.py \
+     $(NULL)
++endif

diff --git a/sys-auth/sssd/files/sssd-2.9.1-sssct-allow-cert-show-and-cert-eval-rule-as-non-root.patch b/sys-auth/sssd/files/sssd-2.9.1-sssct-allow-cert-show-and-cert-eval-rule-as-non-root.patch
new file mode 100644
index 000000000000..3a724363382b
--- /dev/null
+++ b/sys-auth/sssd/files/sssd-2.9.1-sssct-allow-cert-show-and-cert-eval-rule-as-non-root.patch
@@ -0,0 +1,39 @@
+From 15d7d34b20219e2fd45c43881088f5d542e9603e Mon Sep 17 00:00:00 2001
+From: Sumit Bose <sbose@redhat.com>
+Date: Tue, 4 Jul 2023 18:56:35 +0200
+Subject: [PATCH 2/3] sssct: allow cert-show and cert-eval-rule as non-root
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The cert-show and cert-eval-rule sub-commands do not need root access and
+do not require SSSD to be configured on the host.
+
+Resolves: https://github.com/SSSD/sssd/issues/6802
+
+Reviewed-by: Alejandro López <allopez@redhat.com>
+Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
+(cherry picked from commit 8466f0e4d0c6cd2b98d2789970847b9adc01d7d4)
+---
+ src/tools/sssctl/sssctl.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/tools/sssctl/sssctl.c b/src/tools/sssctl/sssctl.c
+index 855260aed..04c41aa9a 100644
+--- a/src/tools/sssctl/sssctl.c
++++ b/src/tools/sssctl/sssctl.c
+@@ -340,9 +340,9 @@ int main(int argc, const char **argv)
+         SSS_TOOL_COMMAND_FLAGS("config-check", "Perform static analysis of SSSD configuration", 0, sssctl_config_check, SSS_TOOL_FLAG_SKIP_CMD_INIT),
+ #endif
+         SSS_TOOL_DELIMITER("Certificate related tools:"),
+-        SSS_TOOL_COMMAND("cert-show", "Print information about the certificate", 0, sssctl_cert_show),
++        SSS_TOOL_COMMAND_FLAGS("cert-show", "Print information about the certificate", 0, sssctl_cert_show, SSS_TOOL_FLAG_SKIP_CMD_INIT|SSS_TOOL_FLAG_SKIP_ROOT_CHECK),
+         SSS_TOOL_COMMAND("cert-map", "Show users mapped to the certificate", 0, sssctl_cert_map),
+-        SSS_TOOL_COMMAND("cert-eval-rule", "Check mapping and matching rule with a certificate", 0, sssctl_cert_eval_rule),
++        SSS_TOOL_COMMAND_FLAGS("cert-eval-rule", "Check mapping and matching rule with a certificate", 0, sssctl_cert_eval_rule, SSS_TOOL_FLAG_SKIP_CMD_INIT|SSS_TOOL_FLAG_SKIP_ROOT_CHECK),
+ #ifdef BUILD_PASSKEY
+         SSS_TOOL_DELIMITER("Passkey related tools:"),
+         SSS_TOOL_COMMAND_FLAGS("passkey-register", "Perform passkey registration", 0, sssctl_passkey_register, SSS_TOOL_FLAG_SKIP_CMD_INIT|SSS_TOOL_FLAG_SKIP_ROOT_CHECK),
+-- 
+2.38.1
+

diff --git a/sys-auth/sssd/metadata.xml b/sys-auth/sssd/metadata.xml
index 36a8e6c631a2..628b459ea0a0 100644
--- a/sys-auth/sssd/metadata.xml
+++ b/sys-auth/sssd/metadata.xml
@@ -5,12 +5,22 @@
 		<email>base-system@gentoo.org</email>
 		<name>Gentoo Base System</name>
 	</maintainer>
+	<maintainer type="person" proxied="yes">
+		<email>salah.coronya@gmail.com</email>
+		<name>Christopher Byrne</name>
+	</maintainer>
+	<maintainer type="project" proxied="proxy">
+		<email>proxy-maint@gentoo.org</email>
+		<name>Proxy Maintainers</name>
+	</maintainer>
 	<use>
 		<flag name="acl"> Build and use the cifsidmap plugin</flag>
 		<flag name="locator">Install sssd's Kerberos plugin</flag>
 		<flag name="netlink">Add support for netlink protocol via <pkg>dev-libs/libnl</pkg></flag>
 		<flag name="nfsv4">Add support for the nfsv4 idmapd plugin provided by <pkg>net-fs/nfs-utils</pkg></flag>
 		<flag name="pac">Add Privileged Attribute Certificate Support for Kerberos</flag>
+		<flag name="samba">Add Privileged Attribute Certificate Support for Kerberos</flag>
+		<flag name="subid">Support subordinate uid and gid ranges in FreeIPA</flag>
 		<flag name="sudo">Build helper to let <pkg>app-admin/sudo</pkg> use sssd provided information</flag>
 		<flag name="systemtap">Enable SystemTAP/DTrace tracing</flag>
 	</use>

diff --git a/sys-auth/sssd/sssd-2.9.1.ebuild b/sys-auth/sssd/sssd-2.9.1.ebuild
new file mode 100644
index 000000000000..bebb882e63fa
--- /dev/null
+++ b/sys-auth/sssd/sssd-2.9.1.ebuild
@@ -0,0 +1,330 @@
+# Copyright 1999-2023 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+
+PLOCALES="ca de es fr ja ko pt_BR ru sv tr uk"
+PLOCALES_BIN="${PLOCALES} bg cs eu fi hu id it ka nb nl pl pt tg zh_TW zh_CN"
+PLOCALE_BACKUP="sv"
+PYTHON_COMPAT=( python3_{10..12} )
+
+inherit autotools linux-info multilib-minimal optfeature plocale \
+	python-single-r1 pam systemd toolchain-funcs
+
+DESCRIPTION="System Security Services Daemon provides access to identity and authentication"
+HOMEPAGE="https://github.com/SSSD/sssd"
+if [[ ${PV} != 9999 ]]; then
+	SRC_URI="https://github.com/SSSD/sssd/releases/download/${PV}/${P}.tar.gz"
+else
+	inherit git-r3
+	EGIT_REPO_URI="https://github.com/SSSD/sssd.git"
+	EGIT_BRANCH="master"
+fi
+
+LICENSE="GPL-3"
+SLOT="0"
+KEYWORDS="~amd64 ~arm ~arm64 ~hppa ~m68k ~mips ~ppc ~ppc64 ~riscv ~sparc ~x86"
+IUSE="acl doc +netlink nfsv4 nls +man python samba selinux subid sudo systemd systemtap test"
+REQUIRED_USE="
+	python? ( ${PYTHON_REQUIRED_USE} )
+	test? ( sudo )"
+RESTRICT="!test? ( test )"
+
+DEPEND="
+	>=app-crypt/mit-krb5-1.19.1[${MULTILIB_USEDEP}]
+	app-crypt/p11-kit
+	>=dev-libs/ding-libs-0.2
+	>=dev-libs/cyrus-sasl-2.1.25-r3[kerberos]
+	dev-libs/jansson:=
+	dev-libs/libpcre2:=
+	dev-libs/libunistring:=
+	>=dev-libs/popt-1.16
+	>=dev-libs/openssl-1.0.2:=
+	>=net-dns/bind-tools-9.9[gssapi]
+	>=net-dns/c-ares-1.10.0-r1:=[${MULTILIB_USEDEP}]
+	>=net-nds/openldap-2.4.30:=[sasl,experimental]
+	>=sys-apps/dbus-1.6
+	>=sys-apps/keyutils-1.5:=
+	>=sys-libs/pam-0-r1[${MULTILIB_USEDEP}]
+	>=sys-libs/talloc-2.0.7
+	>=sys-libs/tdb-1.2.9
+	>=sys-libs/tevent-0.9.16
+	>=sys-libs/ldb-1.1.17-r1:=
+	virtual/libintl
+	acl? ( net-fs/cifs-utils[acl] )
+	netlink? ( dev-libs/libnl:3 )
+	nfsv4? ( >=net-fs/nfs-utils-2.3.1-r2 )
+	nls? ( >=sys-devel/gettext-0.18 )
+	python? (
+		${PYTHON_DEPS}
+		systemd? (
+			$(python_gen_cond_dep '
+				dev-python/python-systemd[${PYTHON_USEDEP}]
+			')
+		)
+	)
+	samba? ( >=net-fs/samba-4.10.2[winbind] )
+	selinux? (
+		>=sys-libs/libselinux-2.1.9
+		>=sys-libs/libsemanage-2.1
+	)
+	subid? ( >=sys-apps/shadow-4.9 )
+	systemd? (
+		sys-apps/systemd:=
+		sys-apps/util-linux
+	)
+	systemtap? ( dev-util/systemtap )"
+RDEPEND="${DEPEND}
+	selinux? ( >=sec-policy/selinux-sssd-2.20120725-r9 )"
+BDEPEND="
+	virtual/pkgconfig
+	${PYTHON_DEPS}
+	doc? ( app-doc/doxygen )
+	man? (
+		app-text/docbook-xml-dtd:4.4
+		>=dev-libs/libxslt-1.1.26
+		nls? ( app-text/po4a )
+	)
+	nls? ( sys-devel/gettext )
+	test? (
+		dev-libs/check
+		dev-libs/softhsm:2
+		dev-util/cmocka
+		net-libs/gnutls[pkcs11,tools]
+		sys-libs/libfaketime
+		sys-libs/nss_wrapper
+		sys-libs/pam_wrapper
+		sys-libs/uid_wrapper
+	)
+"
+
+CONFIG_CHECK="~KEYS"
+
+PATCHES=(
+	"${FILESDIR}/${PN}-2.8.2-krb5_pw_locked.patch"
+	"${FILESDIR}/${PN}-2.9.1-BUILD-Accept-krb5-1.21-for-building-the-PAC-plugin.patch"
+	"${FILESDIR}/${PN}-2.9.1-certmap-fix-partial-string-comparison.patch"
+	"${FILESDIR}/${PN}-2.9.1-sssct-allow-cert-show-and-cert-eval-rule-as-non-root.patch"
+	"${FILESDIR}/${PN}-2.9.1-conditional-python-install.patch"
+)
+
+MULTILIB_WRAPPED_HEADERS=(
+	/usr/include/ipa_hbac.h
+	/usr/include/sss_idmap.h
+	/usr/include/sss_nss_idmap.h
+	# --with-ifp
+	/usr/include/sss_sifp.h
+	/usr/include/sss_sifp_dbus.h
+	# from 1.15.3
+	/usr/include/sss_certmap.h
+)
+
+pkg_setup() {
+	linux-info_pkg_setup
+	python-single-r1_pkg_setup
+}
+
+src_prepare() {
+	default
+
+	plocale_get_locales > src/man/po/LINGUAS || die
+
+	sed -i \
+		-e "/_langs]/ s/ .*//" \
+		src/man/po/po4a.cfg \
+		|| die
+	enable_locale() {
+		local locale=${1}
+
+		sed -i \
+			-e "/_langs]/ s/$/ ${locale}/" \
+			src/man/po/po4a.cfg \
+			|| die
+	}
+
+	plocale_for_each_locale enable_locale
+
+	PLOCALES="${PLOCALES_BIN}"
+	plocale_get_locales > po/LINGUAS || die
+
+	sed -i \
+		-e 's:/var/run:/run:' \
+		src/examples/logrotate \
+		|| die
+
+	# disable flaky test, see https://github.com/SSSD/sssd/issues/5631
+	sed -i \
+		-e '/^\s*pam-srv-tests[ \\]*$/d' \
+		Makefile.am \
+		|| die
+
+	eautoreconf
+
+	multilib_copy_sources
+}
+
+src_configure() {
+	local native_dbus_cflags=$($(tc-getPKG_CONFIG) --cflags dbus-1 || die)
+
+	multilib-minimal_src_configure
+}
+
+multilib_src_configure() {
+	local myconf=()
+
+	myconf+=(
+		--libexecdir="${EPREFIX}"/usr/libexec
+		--localstatedir="${EPREFIX}"/var
+		--runstatedir="${EPREFIX}"/run
+		--sbindir="${EPREFIX}"/usr/sbin
+		--with-pid-path="${EPREFIX}"/run
+		--with-plugin-path="${EPREFIX}"/usr/$(get_libdir)/sssd
+		--enable-pammoddir="${EPREFIX}"/$(getpam_mod_dir)
+		--with-ldb-lib-dir="${EPREFIX}"/usr/$(get_libdir)/samba/ldb
+		--with-db-path="${EPREFIX}"/var/lib/sss/db
+		--with-gpo-cache-path="${EPREFIX}"/var/lib/sss/gpo_cache
+		--with-pubconf-path="${EPREFIX}"/var/lib/sss/pubconf
+		--with-pipe-path="${EPREFIX}"/var/lib/sss/pipes
+		--with-mcache-path="${EPREFIX}"/var/lib/sss/mc
+		--with-secrets-db-path="${EPREFIX}"/var/lib/sss/secrets
+		--with-log-path="${EPREFIX}"/var/log/sssd
+		--with-kcm
+		--enable-kcm-renewal
+		--with-os=gentoo
+		--disable-rpath
+		--disable-static
+		# Valgrind is only used for tests
+		--disable-valgrind
+		$(use_with samba)
+		--with-smb-idmap-interface-version=6
+		$(multilib_native_use_enable acl cifs-idmap-plugin)
+		$(multilib_native_use_with selinux)
+		$(multilib_native_use_with selinux semanage)
+		--enable-krb5-locator-plugin
+		$(use_enable samba pac-responder)
+		$(multilib_native_use_with nfsv4 nfsv4-idmapd-plugin)
+		$(use_enable nls)
+		$(multilib_native_use_with netlink libnl)
+		$(multilib_native_use_with man manpages)
+		$(multilib_native_use_with sudo)
+		$(multilib_native_with autofs)
+		$(multilib_native_with ssh)
+		--without-oidc-child
+		--without-passkey
+		$(use_with subid)
+		$(use_enable systemtap)
+		--without-python2-bindings
+		$(multilib_native_use_with python python3-bindings)
+		# Annoyingly configure requires that you pick systemd XOR sysv
+		--with-initscript=$(usex systemd systemd sysv)
+	)
+
+	use systemd && myconf+=(
+		--with-systemdunitdir=$(systemd_get_systemunitdir)
+	)
+
+	if ! multilib_is_native_abi; then
+		# work-around all the libraries that are used for CLI and server
+		myconf+=(
+			{POPT,TALLOC,TDB,TEVENT,LDB}_{CFLAGS,LIBS}=' '
+			# ldb headers are fine since native needs it
+			# ldb lib fails... but it does not seem to bother
+			{DHASH,UNISTRING,INI_CONFIG_V{0,1,1_1,1_3}}_{CFLAGS,LIBS}=' '
+			{PCRE,CARES,SYSTEMD_LOGIN,SASL,DBUS,CRYPTO,P11_KIT}_{CFLAGS,LIBS}=' '
+			{NDR_NBT,SAMBA_UTIL,SMBCLIENT,NDR_KRB5PAC,JANSSON}_{CFLAGS,LIBS}=' '
+
+			# use native include path for dbus (needed for build)
+			DBUS_CFLAGS="${native_dbus_cflags}"
+
+			# non-pkgconfig checks
+			ac_cv_lib_ldap_ldap_search=yes
+			--without-kcm
+			--without-manpages
+		)
+	fi
+
+	econf "${myconf[@]}"
+}
+
+multilib_src_compile() {
+	if multilib_is_native_abi; then
+		default
+		use doc && emake docs
+	else
+		emake libnss_sss.la pam_sss.la pam_sss_gss.la
+		emake sssd_krb5_locator_plugin.la
+		use samba && emake sssd_pac_plugin.la
+	fi
+}
+
+multilib_src_test() {
+	if multilib_is_native_abi; then
+		local -x CK_TIMEOUT_MULTIPLIER=10
+		emake check VERBOSE=yes
+	fi
+}
+
+multilib_src_install() {
+	if multilib_is_native_abi; then
+		emake -j1 DESTDIR="${D}" install
+		if use python; then
+			python_fix_shebang "${ED}"
+			python_optimize
+		fi
+	else
+		# easier than playing with automake...
+		dopammod .libs/pam_sss.so
+		dopammod .libs/pam_sss_gss.so
+
+		into /
+		dolib.so .libs/libnss_sss.so*
+
+		exeinto /usr/$(get_libdir)/krb5/plugins/libkrb5
+		doexe .libs/sssd_krb5_locator_plugin.so
+
+		if use samba; then
+			exeinto /usr/$(get_libdir)/krb5/plugins/authdata
+			doexe .libs/sssd_pac_plugin.so
+		fi
+	fi
+}
+
+multilib_src_install_all() {
+	einstalldocs
+
+	insinto /etc/sssd
+	insopts -m600
+	doins src/examples/sssd-example.conf
+
+	insinto /etc/logrotate.d
+	insopts -m644
+	newins src/examples/logrotate sssd
+
+	newconfd "${FILESDIR}"/sssd.conf sssd
+
+	keepdir /var/lib/sss/db
+	keepdir /var/lib/sss/deskprofile
+	keepdir /var/lib/sss/gpo_cache
+	keepdir /var/lib/sss/keytabs
+	keepdir /var/lib/sss/mc
+	keepdir /var/lib/sss/pipes/private
+	keepdir /var/lib/sss/pubconf/krb5.include.d
+	keepdir /var/lib/sss/secrets
+	keepdir /var/log/sssd
+
+	# strip empty dirs
+	if ! use doc; then
+		rm -r "${ED}"/usr/share/doc/"${PF}"/doc || die
+		rm -r "${ED}"/usr/share/doc/"${PF}"/{hbac,idmap,nss_idmap}_doc || die
+	fi
+
+	rm -r "${ED}"/run || die
+	find "${ED}" -type f -name '*.la' -delete || die
+}
+
+pkg_postinst() {
+	elog "You must set up sssd.conf (default installed into /etc/sssd)"
+	elog "and (optionally) configuration in /etc/pam.d in order to use SSSD"
+	elog "features."
+	optfeature "Kerberos keytab renew (see krb5_renew_interval)" app-crypt/adcli
+}