gentoo auto-resync : 06:09:2023 - 10:25:44

author: V3n3RiX <venerix@koprulu.sector> 2023-09-06 10:25:44 +0100
committer: V3n3RiX <venerix@koprulu.sector> 2023-09-06 10:25:44 +0100
commit: 64b277f858d171900cba8a53e675ef8c3ff893fc (patch)
tree: 7a19533ece87b58d4bbcc04d91701aaf888b0d99 /sys-auth
parent: ededf7351b15c0df4d166af8fc7928bd1a0b2c8e (diff)
9 files changed, 536 insertions, 1 deletions
diff --git a/sys-auth/Manifest.gz b/sys-auth/Manifest.gz
index bdf0512f6a6e..38031f43f2d8 100644
--- a/sys-auth/Manifest.gz
+++ b/sys-auth/Manifest.gz
diff --git a/sys-auth/sssd/Manifest b/sys-auth/sssd/Manifest
index a8253201d472..4856953cbae4 100644
--- a/sys-auth/sssd/Manifest
+++ b/sys-auth/sssd/Manifest
@@ -1,5 +1,12 @@
 AUX sssd-2.6.0-conditional-python-install.patch 418 BLAKE2B 47f3653982c551bc99d547daa998422a94fac132b3c6ce5a9db9ae64ef3d7426b3ded0426d969ad7eef27b942985404d413cc415332b0bd83acdf7f2c9adbad2 SHA512 12ba5a0adb8bc9227216e7f3ebe5805917d155b9064d13becdfb40555d416892c7d101f208bde75a87f4b70862f3dcdc242ee3f1593ebd452fcefba6c5b47a1c
+AUX sssd-2.8.2-krb5_pw_locked.patch 453 BLAKE2B 7aed1dd32f0743381b704444ac36dcffa76535d58cd39d307d370290b9b5ad634ef9b90f4d076c7b91b41113792b0d24cf04b63bcd1e1220aa3e790f9c9a23c0 SHA512 e3c210032d6f65ebffa14aa7c398ca929b7bb17d9aa9ef30c2a1522311bc0bf278214d008d7dbac47e8565245b35e00f7143f5c7d0d24f99d64a92486ec50e45
+AUX sssd-2.9.1-BUILD-Accept-krb5-1.21-for-building-the-PAC-plugin.patch 1104 BLAKE2B ef4f781ed437183147bc9fb657d830e510fbde21b92a0edc577ae407ac6384e5a5b936bc4b065ad6c7676180b0d3e84c9e0df3894744a10bd282874d04f88f05 SHA512 8f0d4bb5ed403c122d392cf98c7a37d9ecd8eb63b7dc190d5349747ff656c5618b42c0b0b64db1c6a51847e80cf007e96f1ce2d295407c32848861aab2bb1103
+AUX sssd-2.9.1-certmap-fix-partial-string-comparison.patch 3182 BLAKE2B 1e4a41d82fcf7654d5f8ec6f1c41e47b28f05faefd3e14cf5861c198d1efbae8b87ec0e3a5a9eef037b7a69ad59b8291e8238a81d18a1fda14afcbd49f06471e SHA512 ed2ba0f0cdc2aea524f73d1aa73ae14a7c535b12e511c29042c23c34a801b004ed19609c351ea587254fa9c18e1ad527fb77cc997b8e7d82704da17c503c87a9
+AUX sssd-2.9.1-conditional-python-install.patch 533 BLAKE2B ce076e4e00bd1b3e8a18427fde385b6a65fbbc65f28a542f575d3b77b8e7d277ebc829a7d43fdbced51475b69553de4fd6e564d52d06c6a83edcae7fa8a2a53a SHA512 4348577c16ab96717e0b92dcae00e955e76e9be6c58a6f6c4435f2315c8393336396e7a0ccdd05f50b97233a956ef674fd64589780500159748ac47c65edb623
+AUX sssd-2.9.1-sssct-allow-cert-show-and-cert-eval-rule-as-non-root.patch 2137 BLAKE2B 58207d28ab800ae880aa7df1ac90055a9750bef31dcdef2a1152c0108797f82419aa3d26b6ab645e52449cff507f946e750ed261cf767b7181217dd979160bec SHA512 ca2794f7484b1b845184acbcb68dfa09dc582e0f6bd9a15b6c9929027414eb6a7fac7b77ba83585c12924dc9c70c3875e43dd6a71d4f83bc7aabef2506685f54
 AUX sssd.conf 124 BLAKE2B b6f9c016a014510f97b036d23d5f50e1e13085220fe82b0e6ef7a3ceeb114e59af935f39e66e4ad60a46f43983930e5d381b16b0ed31ba4349abe38c4b509367 SHA512 f16908c44b213edbf6b0c6e8d49df92e8c06fc623279037074fe51e49b8aca7dc18f5ed83f71909fc8209df80dfc150583edb1687f88e61588bdf9d1fbf6ed5a
 DIST sssd-2.6.0.tar.gz 7440969 BLAKE2B 6b05fcea09ef10a5b2f373dc6a66032edc4c4f46f65f42fdc9ffb5b676025095e16de4a86b3088351c22746e062829d1d68fa7e960cccb7c5a77d960e6d38e2a SHA512 0b9e169424cbadfa6132a3e5e9789facf82f04cce94cb5344b8ff49370ae8817c2cb16cf21caddf6a7cd42e661d5ff5bf97843d79681683aacff0053ff93f64b
+DIST sssd-2.9.1.tar.gz 7943540 BLAKE2B 9113b63d54beb40ba85c5b5c75068197317b3b8088119cf6557c6b4aed113d2d67f0bc64fc68fb34f4dbef54cccdb8b32ef44112115930751fdec5ec92e0a09b SHA512 eb7345dcfbbd51f005f67ee5032364d369d24589111ded60701e2dbe09563f0b862d343f231dd2e9d548acd8c560a036c8b88a0601f9aa048a7202da8202cd9b
 EBUILD sssd-2.6.0-r2.ebuild 7490 BLAKE2B 0ea58c35d8d257197510b7be61b960729d00ce48388d22ae47e9ab625cd80adb89dcc3b24ba8a75e38866e2c3b7548b995d5ec8f9e9fb2fd143a104cacc50c66 SHA512 5c78c5a8d3fdc6be8c8d80a8809263c839f008ce0befc40673d7519cc50c425967ef80a33ba27be116964085246a6d33382e0a917a64147044d6a08d9f894d38
-MISC metadata.xml 984 BLAKE2B 504d2c1331e380de9fb6a566bffad9be3e6ee92a00d74c387764b059be68d26482be30e2b8da6e24e509c2aabcd101916f379f9bff3b5915273d8e726b3f3e98 SHA512 1e1bf2afd3faff736673ae73971254a77e3c2051b1413347fbda0d5ab12999c1b88a7d0f1fa92e328029dc78aa2e743b3e9c5aed110a2ffc6350a5cd24c93fa2
+EBUILD sssd-2.9.1.ebuild 8471 BLAKE2B 82be5ed9f0eb38ca24a34545c4bcede05dc8a51608f5fedc46d30bafdb381122693cb1540d56d5ea8820d1c7185133608d340eb709cb3cc31fbbd9851f2f0d19 SHA512 efd7997e4e1faf119ba6d40a9e2e1a555bf72fb6416a3c6ccd4175842ebdc5bbf9101c55cdf552b17ccea02d0b4c669da4d4ae2fa5119f3c1780d8cb88e08ce4
+MISC metadata.xml 1412 BLAKE2B e5a565890defc1f33790851bb52a750107ca9348660f47ec735784140f51c13203acce4cda53355b858669822cbb50683615224f893570f443e84f4aa8f84057 SHA512 26c210ab796fd63e5bcd2f8563002f5f48796cd0241631e56fcc5c9aba0afc94334665768f1c89b25ef28830c88bfd9cf24dff5e9df16efe330b377348f9a314
diff --git a/sys-auth/sssd/files/sssd-2.8.2-krb5_pw_locked.patch b/sys-auth/sssd/files/sssd-2.8.2-krb5_pw_locked.patch
new file mode 100644
index 000000000000..a8bd397cd063
--- /dev/null
+++ b/sys-auth/sssd/files/sssd-2.8.2-krb5_pw_locked.patch
@@ -0,0 +1,12 @@
+diff --git a/src/providers/krb5/krb5_auth.c b/src/providers/krb5/krb5_auth.c
+index a1c0b36..207c010 100644
+--- a/src/providers/krb5/krb5_auth.c
++++ b/src/providers/krb5/krb5_auth.c
+@@ -1037,6 +1037,7 @@ static void krb5_auth_done(struct tevent_req *subreq)
+     case ERR_ACCOUNT_LOCKED:
+         state->pam_status = PAM_PERM_DENIED;
+         state->dp_err = DP_ERR_OK;
++        state->pd->account_locked = true;
+         ret = EOK;
+         goto done;
+
diff --git a/sys-auth/sssd/files/sssd-2.9.1-BUILD-Accept-krb5-1.21-for-building-the-PAC-plugin.patch b/sys-auth/sssd/files/sssd-2.9.1-BUILD-Accept-krb5-1.21-for-building-the-PAC-plugin.patch
new file mode 100644
index 000000000000..c849fe76b446
--- /dev/null
+++ b/sys-auth/sssd/files/sssd-2.9.1-BUILD-Accept-krb5-1.21-for-building-the-PAC-plugin.patch
@@ -0,0 +1,31 @@
+From 74d0f4538deb766592079b1abca0d949d6dea105 Mon Sep 17 00:00:00 2001
+From: Alexey Tikhonov <atikhono@redhat.com>
+Date: Thu, 15 Jun 2023 12:05:03 +0200
+Subject: [PATCH 1/1] BUILD: Accept krb5 1.21 for building the PAC plugin
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Reviewed-by: Alejandro López <allopez@redhat.com>
+Reviewed-by: Sumit Bose <sbose@redhat.com>
+---
+ src/external/pac_responder.m4 | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/src/external/pac_responder.m4 b/src/external/pac_responder.m4
+index 3cbe3c9cfba03b59e26a8c5c2d73446eead2acea..90727185b574411bddd928f8d87efdc87076eba4 100644
+--- a/src/external/pac_responder.m4
++++ b/src/external/pac_responder.m4
+@@ -22,7 +22,8 @@ then
+         Kerberos\ 5\ release\ 1.17* | \
+         Kerberos\ 5\ release\ 1.18* | \
+         Kerberos\ 5\ release\ 1.19* | \
+-        Kerberos\ 5\ release\ 1.20*)
++        Kerberos\ 5\ release\ 1.20* | \
++        Kerberos\ 5\ release\ 1.21*)
+             krb5_version_ok=yes
+             AC_MSG_RESULT([yes])
+             ;;
+-- 
+2.41.0
+
diff --git a/sys-auth/sssd/files/sssd-2.9.1-certmap-fix-partial-string-comparison.patch b/sys-auth/sssd/files/sssd-2.9.1-certmap-fix-partial-string-comparison.patch
new file mode 100644
index 000000000000..258940bab38e
--- /dev/null
+++ b/sys-auth/sssd/files/sssd-2.9.1-certmap-fix-partial-string-comparison.patch
@@ -0,0 +1,87 @@
+From 11afa7a6ef7e15f1e98c7145ad5c80bbdfc520e2 Mon Sep 17 00:00:00 2001
+From: Sumit Bose <sbose@redhat.com>
+Date: Tue, 4 Jul 2023 19:06:27 +0200
+Subject: [PATCH 3/3] certmap: fix partial string comparison
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+If the formatting option of the certificate digest/hash function
+contained and additional specifier separated with a '_' the comparison
+of the provided digest name and the available ones was incomplete, the
+last character was ignored and the comparison was successful if even if
+there was only a partial match.
+
+Resolves: https://github.com/SSSD/sssd/issues/6802
+
+Reviewed-by: Alejandro López <allopez@redhat.com>
+Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
+(cherry picked from commit 0817ca3b366f51510705ab77d7900c0b65b7d2fc)
+---
+ src/lib/certmap/sss_certmap_ldap_mapping.c |  9 ++++++++-
+ src/tests/cmocka/test_certmap.c            | 22 ++++++++++++++++++++++
+ 2 files changed, 30 insertions(+), 1 deletion(-)
+
+diff --git a/src/lib/certmap/sss_certmap_ldap_mapping.c b/src/lib/certmap/sss_certmap_ldap_mapping.c
+index 2f16837a1..354b0310b 100644
+--- a/src/lib/certmap/sss_certmap_ldap_mapping.c
++++ b/src/lib/certmap/sss_certmap_ldap_mapping.c
+@@ -228,14 +228,21 @@ int check_digest_conversion(const char *inp, const char **digest_list,
+     bool colon = false;
+     bool reverse = false;
+     char *c;
++    size_t len = 0;
+ 
+     sep = strchr(inp, '_');
++    if (sep != NULL) {
++        len = sep - inp;
++    }
+ 
+     for (d = 0; digest_list[d] != NULL; d++) {
+         if (sep == NULL) {
+             cmp = strcasecmp(digest_list[d], inp);
+         } else {
+-            cmp = strncasecmp(digest_list[d], inp, (sep - inp -1));
++            if (strlen(digest_list[d]) != len) {
++                continue;
++            }
++            cmp = strncasecmp(digest_list[d], inp, len);
+         }
+ 
+         if (cmp == 0) {
+diff --git a/src/tests/cmocka/test_certmap.c b/src/tests/cmocka/test_certmap.c
+index da312beaf..a15984d60 100644
+--- a/src/tests/cmocka/test_certmap.c
++++ b/src/tests/cmocka/test_certmap.c
+@@ -2183,6 +2183,28 @@ static void test_sss_certmap_ldapu1_cert(void **state)
+     assert_non_null(ctx);
+     assert_null(ctx->prio_list);
+ 
++    /* cert!sha */
++    ret = sss_certmap_add_rule(ctx, 91,
++                            "KRB5:<ISSUER>.*",
++                            "LDAP:rule91={cert!sha}", NULL);
++    assert_int_equal(ret, EINVAL);
++
++    ret = sss_certmap_add_rule(ctx, 91,
++                            "KRB5:<ISSUER>.*",
++                            "LDAPU1:rule91={cert!sha}", NULL);
++    assert_int_equal(ret, EINVAL);
++
++    /* cert!sha_u */
++    ret = sss_certmap_add_rule(ctx, 90,
++                            "KRB5:<ISSUER>.*",
++                            "LDAP:rule90={cert!sha_u}", NULL);
++    assert_int_equal(ret, EINVAL);
++
++    ret = sss_certmap_add_rule(ctx, 99,
++                            "KRB5:<ISSUER>.*",
++                            "LDAPU1:rule90={cert!sha_u}", NULL);
++    assert_int_equal(ret, EINVAL);
++
+     /* cert!sha555 */
+     ret = sss_certmap_add_rule(ctx, 89,
+                             "KRB5:<ISSUER>.*",
+-- 
+2.38.1
+
diff --git a/sys-auth/sssd/files/sssd-2.9.1-conditional-python-install.patch b/sys-auth/sssd/files/sssd-2.9.1-conditional-python-install.patch
new file mode 100644
index 000000000000..de46b96c82f9
--- /dev/null
+++ b/sys-auth/sssd/files/sssd-2.9.1-conditional-python-install.patch
@@ -0,0 +1,19 @@
+diff --git a/src/tools/analyzer/Makefile.am b/src/tools/analyzer/Makefile.am
+index b40043d04..dce6b9d36 100644
+--- a/src/tools/analyzer/Makefile.am
++++ b/src/tools/analyzer/Makefile.am
+@@ -5,7 +5,9 @@ dist_sss_analyze_python_SCRIPTS = \
+     $(NULL)
+ 
+ pkgpythondir = $(python3dir)/sssd
++modulesdir = $(pkgpythondir)/modules
+ 
++if BUILD_PYTHON_BINDINGS
+ dist_pkgpython_DATA = \
+     __init__.py \
+     source_files.py \
+@@ -20,3 +22,4 @@ dist_modules_DATA = \
+     modules/__init__.py \
+     modules/request.py \
+     $(NULL)
++endif
diff --git a/sys-auth/sssd/files/sssd-2.9.1-sssct-allow-cert-show-and-cert-eval-rule-as-non-root.patch b/sys-auth/sssd/files/sssd-2.9.1-sssct-allow-cert-show-and-cert-eval-rule-as-non-root.patch
new file mode 100644
index 000000000000..3a724363382b
--- /dev/null
+++ b/sys-auth/sssd/files/sssd-2.9.1-sssct-allow-cert-show-and-cert-eval-rule-as-non-root.patch
@@ -0,0 +1,39 @@
+From 15d7d34b20219e2fd45c43881088f5d542e9603e Mon Sep 17 00:00:00 2001
+From: Sumit Bose <sbose@redhat.com>
+Date: Tue, 4 Jul 2023 18:56:35 +0200
+Subject: [PATCH 2/3] sssct: allow cert-show and cert-eval-rule as non-root
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The cert-show and cert-eval-rule sub-commands do not need root access and
+do not require SSSD to be configured on the host.
+
+Resolves: https://github.com/SSSD/sssd/issues/6802
+
+Reviewed-by: Alejandro López <allopez@redhat.com>
+Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
+(cherry picked from commit 8466f0e4d0c6cd2b98d2789970847b9adc01d7d4)
+---
+ src/tools/sssctl/sssctl.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/tools/sssctl/sssctl.c b/src/tools/sssctl/sssctl.c
+index 855260aed..04c41aa9a 100644
+--- a/src/tools/sssctl/sssctl.c
++++ b/src/tools/sssctl/sssctl.c
+@@ -340,9 +340,9 @@ int main(int argc, const char **argv)
+         SSS_TOOL_COMMAND_FLAGS("config-check", "Perform static analysis of SSSD configuration", 0, sssctl_config_check, SSS_TOOL_FLAG_SKIP_CMD_INIT),
+ #endif
+         SSS_TOOL_DELIMITER("Certificate related tools:"),
+-        SSS_TOOL_COMMAND("cert-show", "Print information about the certificate", 0, sssctl_cert_show),
++        SSS_TOOL_COMMAND_FLAGS("cert-show", "Print information about the certificate", 0, sssctl_cert_show, SSS_TOOL_FLAG_SKIP_CMD_INIT|SSS_TOOL_FLAG_SKIP_ROOT_CHECK),
+         SSS_TOOL_COMMAND("cert-map", "Show users mapped to the certificate", 0, sssctl_cert_map),
+-        SSS_TOOL_COMMAND("cert-eval-rule", "Check mapping and matching rule with a certificate", 0, sssctl_cert_eval_rule),
++        SSS_TOOL_COMMAND_FLAGS("cert-eval-rule", "Check mapping and matching rule with a certificate", 0, sssctl_cert_eval_rule, SSS_TOOL_FLAG_SKIP_CMD_INIT|SSS_TOOL_FLAG_SKIP_ROOT_CHECK),
+ #ifdef BUILD_PASSKEY
+         SSS_TOOL_DELIMITER("Passkey related tools:"),
+         SSS_TOOL_COMMAND_FLAGS("passkey-register", "Perform passkey registration", 0, sssctl_passkey_register, SSS_TOOL_FLAG_SKIP_CMD_INIT|SSS_TOOL_FLAG_SKIP_ROOT_CHECK),
+-- 
+2.38.1
+
diff --git a/sys-auth/sssd/metadata.xml b/sys-auth/sssd/metadata.xml
index 36a8e6c631a2..628b459ea0a0 100644
--- a/sys-auth/sssd/metadata.xml
+++ b/sys-auth/sssd/metadata.xml
@@ -5,12 +5,22 @@
 		<email>base-system@gentoo.org</email>
 		<name>Gentoo Base System</name>
 	</maintainer>
+	<maintainer type="person" proxied="yes">
+		<email>salah.coronya@gmail.com</email>
+		<name>Christopher Byrne</name>
+	</maintainer>
+	<maintainer type="project" proxied="proxy">
+		<email>proxy-maint@gentoo.org</email>
+		<name>Proxy Maintainers</name>
+	</maintainer>
 	<use>
 		<flag name="acl"> Build and use the cifsidmap plugin</flag>
 		<flag name="locator">Install sssd's Kerberos plugin</flag>
 		<flag name="netlink">Add support for netlink protocol via <pkg>dev-libs/libnl</pkg></flag>
 		<flag name="nfsv4">Add support for the nfsv4 idmapd plugin provided by <pkg>net-fs/nfs-utils</pkg></flag>
 		<flag name="pac">Add Privileged Attribute Certificate Support for Kerberos</flag>
+		<flag name="samba">Add Privileged Attribute Certificate Support for Kerberos</flag>
+		<flag name="subid">Support subordinate uid and gid ranges in FreeIPA</flag>
 		<flag name="sudo">Build helper to let <pkg>app-admin/sudo</pkg> use sssd provided information</flag>
 		<flag name="systemtap">Enable SystemTAP/DTrace tracing</flag>
 	</use>
diff --git a/sys-auth/sssd/sssd-2.9.1.ebuild b/sys-auth/sssd/sssd-2.9.1.ebuild
new file mode 100644
index 000000000000..bebb882e63fa
--- /dev/null
+++ b/sys-auth/sssd/sssd-2.9.1.ebuild
@@ -0,0 +1,330 @@
+# Copyright 1999-2023 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+
+PLOCALES="ca de es fr ja ko pt_BR ru sv tr uk"
+PLOCALES_BIN="${PLOCALES} bg cs eu fi hu id it ka nb nl pl pt tg zh_TW zh_CN"
+PLOCALE_BACKUP="sv"
+PYTHON_COMPAT=( python3_{10..12} )
+
+inherit autotools linux-info multilib-minimal optfeature plocale \
+	python-single-r1 pam systemd toolchain-funcs
+
+DESCRIPTION="System Security Services Daemon provides access to identity and authentication"
+HOMEPAGE="https://github.com/SSSD/sssd"
+if [[ ${PV} != 9999 ]]; then
+	SRC_URI="https://github.com/SSSD/sssd/releases/download/${PV}/${P}.tar.gz"
+else
+	inherit git-r3
+	EGIT_REPO_URI="https://github.com/SSSD/sssd.git"
+	EGIT_BRANCH="master"
+fi
+
+LICENSE="GPL-3"
+SLOT="0"
+KEYWORDS="~amd64 ~arm ~arm64 ~hppa ~m68k ~mips ~ppc ~ppc64 ~riscv ~sparc ~x86"
+IUSE="acl doc +netlink nfsv4 nls +man python samba selinux subid sudo systemd systemtap test"
+REQUIRED_USE="
+	python? ( ${PYTHON_REQUIRED_USE} )
+	test? ( sudo )"
+RESTRICT="!test? ( test )"
+
+DEPEND="
+	>=app-crypt/mit-krb5-1.19.1[${MULTILIB_USEDEP}]
+	app-crypt/p11-kit
+	>=dev-libs/ding-libs-0.2
+	>=dev-libs/cyrus-sasl-2.1.25-r3[kerberos]
+	dev-libs/jansson:=
+	dev-libs/libpcre2:=
+	dev-libs/libunistring:=
+	>=dev-libs/popt-1.16
+	>=dev-libs/openssl-1.0.2:=
+	>=net-dns/bind-tools-9.9[gssapi]
+	>=net-dns/c-ares-1.10.0-r1:=[${MULTILIB_USEDEP}]
+	>=net-nds/openldap-2.4.30:=[sasl,experimental]
+	>=sys-apps/dbus-1.6
+	>=sys-apps/keyutils-1.5:=
+	>=sys-libs/pam-0-r1[${MULTILIB_USEDEP}]
+	>=sys-libs/talloc-2.0.7
+	>=sys-libs/tdb-1.2.9
+	>=sys-libs/tevent-0.9.16
+	>=sys-libs/ldb-1.1.17-r1:=
+	virtual/libintl
+	acl? ( net-fs/cifs-utils[acl] )
+	netlink? ( dev-libs/libnl:3 )
+	nfsv4? ( >=net-fs/nfs-utils-2.3.1-r2 )
+	nls? ( >=sys-devel/gettext-0.18 )
+	python? (
+		${PYTHON_DEPS}
+		systemd? (
+			$(python_gen_cond_dep '
+				dev-python/python-systemd[${PYTHON_USEDEP}]
+			')
+		)
+	)
+	samba? ( >=net-fs/samba-4.10.2[winbind] )
+	selinux? (
+		>=sys-libs/libselinux-2.1.9
+		>=sys-libs/libsemanage-2.1
+	)
+	subid? ( >=sys-apps/shadow-4.9 )
+	systemd? (
+		sys-apps/systemd:=
+		sys-apps/util-linux
+	)
+	systemtap? ( dev-util/systemtap )"
+RDEPEND="${DEPEND}
+	selinux? ( >=sec-policy/selinux-sssd-2.20120725-r9 )"
+BDEPEND="
+	virtual/pkgconfig
+	${PYTHON_DEPS}
+	doc? ( app-doc/doxygen )
+	man? (
+		app-text/docbook-xml-dtd:4.4
+		>=dev-libs/libxslt-1.1.26
+		nls? ( app-text/po4a )
+	)
+	nls? ( sys-devel/gettext )
+	test? (
+		dev-libs/check
+		dev-libs/softhsm:2
+		dev-util/cmocka
+		net-libs/gnutls[pkcs11,tools]
+		sys-libs/libfaketime
+		sys-libs/nss_wrapper
+		sys-libs/pam_wrapper
+		sys-libs/uid_wrapper
+	)
+"
+
+CONFIG_CHECK="~KEYS"
+
+PATCHES=(
+	"${FILESDIR}/${PN}-2.8.2-krb5_pw_locked.patch"
+	"${FILESDIR}/${PN}-2.9.1-BUILD-Accept-krb5-1.21-for-building-the-PAC-plugin.patch"
+	"${FILESDIR}/${PN}-2.9.1-certmap-fix-partial-string-comparison.patch"
+	"${FILESDIR}/${PN}-2.9.1-sssct-allow-cert-show-and-cert-eval-rule-as-non-root.patch"
+	"${FILESDIR}/${PN}-2.9.1-conditional-python-install.patch"
+)
+
+MULTILIB_WRAPPED_HEADERS=(
+	/usr/include/ipa_hbac.h
+	/usr/include/sss_idmap.h
+	/usr/include/sss_nss_idmap.h
+	# --with-ifp
+	/usr/include/sss_sifp.h
+	/usr/include/sss_sifp_dbus.h
+	# from 1.15.3
+	/usr/include/sss_certmap.h
+)
+
+pkg_setup() {
+	linux-info_pkg_setup
+	python-single-r1_pkg_setup
+}
+
+src_prepare() {
+	default
+
+	plocale_get_locales > src/man/po/LINGUAS || die
+
+	sed -i \
+		-e "/_langs]/ s/ .*//" \
+		src/man/po/po4a.cfg \
+		|| die
+	enable_locale() {
+		local locale=${1}
+
+		sed -i \
+			-e "/_langs]/ s/$/ ${locale}/" \
+			src/man/po/po4a.cfg \
+			|| die
+	}
+
+	plocale_for_each_locale enable_locale
+
+	PLOCALES="${PLOCALES_BIN}"
+	plocale_get_locales > po/LINGUAS || die
+
+	sed -i \
+		-e 's:/var/run:/run:' \
+		src/examples/logrotate \
+		|| die
+
+	# disable flaky test, see https://github.com/SSSD/sssd/issues/5631
+	sed -i \
+		-e '/^\s*pam-srv-tests[ \\]*$/d' \
+		Makefile.am \
+		|| die
+
+	eautoreconf
+
+	multilib_copy_sources
+}
+
+src_configure() {
+	local native_dbus_cflags=$($(tc-getPKG_CONFIG) --cflags dbus-1 || die)
+
+	multilib-minimal_src_configure
+}
+
+multilib_src_configure() {
+	local myconf=()
+
+	myconf+=(
+		--libexecdir="${EPREFIX}"/usr/libexec
+		--localstatedir="${EPREFIX}"/var
+		--runstatedir="${EPREFIX}"/run
+		--sbindir="${EPREFIX}"/usr/sbin
+		--with-pid-path="${EPREFIX}"/run
+		--with-plugin-path="${EPREFIX}"/usr/$(get_libdir)/sssd
+		--enable-pammoddir="${EPREFIX}"/$(getpam_mod_dir)
+		--with-ldb-lib-dir="${EPREFIX}"/usr/$(get_libdir)/samba/ldb
+		--with-db-path="${EPREFIX}"/var/lib/sss/db
+		--with-gpo-cache-path="${EPREFIX}"/var/lib/sss/gpo_cache
+		--with-pubconf-path="${EPREFIX}"/var/lib/sss/pubconf
+		--with-pipe-path="${EPREFIX}"/var/lib/sss/pipes
+		--with-mcache-path="${EPREFIX}"/var/lib/sss/mc
+		--with-secrets-db-path="${EPREFIX}"/var/lib/sss/secrets
+		--with-log-path="${EPREFIX}"/var/log/sssd
+		--with-kcm
+		--enable-kcm-renewal
+		--with-os=gentoo
+		--disable-rpath
+		--disable-static
+		# Valgrind is only used for tests
+		--disable-valgrind
+		$(use_with samba)
+		--with-smb-idmap-interface-version=6
+		$(multilib_native_use_enable acl cifs-idmap-plugin)
+		$(multilib_native_use_with selinux)
+		$(multilib_native_use_with selinux semanage)
+		--enable-krb5-locator-plugin
+		$(use_enable samba pac-responder)
+		$(multilib_native_use_with nfsv4 nfsv4-idmapd-plugin)
+		$(use_enable nls)
+		$(multilib_native_use_with netlink libnl)
+		$(multilib_native_use_with man manpages)
+		$(multilib_native_use_with sudo)
+		$(multilib_native_with autofs)
+		$(multilib_native_with ssh)
+		--without-oidc-child
+		--without-passkey
+		$(use_with subid)
+		$(use_enable systemtap)
+		--without-python2-bindings
+		$(multilib_native_use_with python python3-bindings)
+		# Annoyingly configure requires that you pick systemd XOR sysv
+		--with-initscript=$(usex systemd systemd sysv)
+	)
+
+	use systemd && myconf+=(
+		--with-systemdunitdir=$(systemd_get_systemunitdir)
+	)
+
+	if ! multilib_is_native_abi; then
+		# work-around all the libraries that are used for CLI and server
+		myconf+=(
+			{POPT,TALLOC,TDB,TEVENT,LDB}_{CFLAGS,LIBS}=' '
+			# ldb headers are fine since native needs it
+			# ldb lib fails... but it does not seem to bother
+			{DHASH,UNISTRING,INI_CONFIG_V{0,1,1_1,1_3}}_{CFLAGS,LIBS}=' '
+			{PCRE,CARES,SYSTEMD_LOGIN,SASL,DBUS,CRYPTO,P11_KIT}_{CFLAGS,LIBS}=' '
+			{NDR_NBT,SAMBA_UTIL,SMBCLIENT,NDR_KRB5PAC,JANSSON}_{CFLAGS,LIBS}=' '
+
+			# use native include path for dbus (needed for build)
+			DBUS_CFLAGS="${native_dbus_cflags}"
+
+			# non-pkgconfig checks
+			ac_cv_lib_ldap_ldap_search=yes
+			--without-kcm
+			--without-manpages
+		)
+	fi
+
+	econf "${myconf[@]}"
+}
+
+multilib_src_compile() {
+	if multilib_is_native_abi; then
+		default
+		use doc && emake docs
+	else
+		emake libnss_sss.la pam_sss.la pam_sss_gss.la
+		emake sssd_krb5_locator_plugin.la
+		use samba && emake sssd_pac_plugin.la
+	fi
+}
+
+multilib_src_test() {
+	if multilib_is_native_abi; then
+		local -x CK_TIMEOUT_MULTIPLIER=10
+		emake check VERBOSE=yes
+	fi
+}
+
+multilib_src_install() {
+	if multilib_is_native_abi; then
+		emake -j1 DESTDIR="${D}" install
+		if use python; then
+			python_fix_shebang "${ED}"
+			python_optimize
+		fi
+	else
+		# easier than playing with automake...
+		dopammod .libs/pam_sss.so
+		dopammod .libs/pam_sss_gss.so
+
+		into /
+		dolib.so .libs/libnss_sss.so*
+
+		exeinto /usr/$(get_libdir)/krb5/plugins/libkrb5
+		doexe .libs/sssd_krb5_locator_plugin.so
+
+		if use samba; then
+			exeinto /usr/$(get_libdir)/krb5/plugins/authdata
+			doexe .libs/sssd_pac_plugin.so
+		fi
+	fi
+}
+
+multilib_src_install_all() {
+	einstalldocs
+
+	insinto /etc/sssd
+	insopts -m600
+	doins src/examples/sssd-example.conf
+
+	insinto /etc/logrotate.d
+	insopts -m644
+	newins src/examples/logrotate sssd
+
+	newconfd "${FILESDIR}"/sssd.conf sssd
+
+	keepdir /var/lib/sss/db
+	keepdir /var/lib/sss/deskprofile
+	keepdir /var/lib/sss/gpo_cache
+	keepdir /var/lib/sss/keytabs
+	keepdir /var/lib/sss/mc
+	keepdir /var/lib/sss/pipes/private
+	keepdir /var/lib/sss/pubconf/krb5.include.d
+	keepdir /var/lib/sss/secrets
+	keepdir /var/log/sssd
+
+	# strip empty dirs
+	if ! use doc; then
+		rm -r "${ED}"/usr/share/doc/"${PF}"/doc || die
+		rm -r "${ED}"/usr/share/doc/"${PF}"/{hbac,idmap,nss_idmap}_doc || die
+	fi
+
+	rm -r "${ED}"/run || die
+	find "${ED}" -type f -name '*.la' -delete || die
+}
+
+pkg_postinst() {
+	elog "You must set up sssd.conf (default installed into /etc/sssd)"
+	elog "and (optionally) configuration in /etc/pam.d in order to use SSSD"
+	elog "features."
+	optfeature "Kerberos keytab renew (see krb5_renew_interval)" app-crypt/adcli
+}
author	V3n3RiX <venerix@koprulu.sector>	2023-09-06 10:25:44 +0100
committer	V3n3RiX <venerix@koprulu.sector>	2023-09-06 10:25:44 +0100
commit	64b277f858d171900cba8a53e675ef8c3ff893fc (patch)
tree	7a19533ece87b58d4bbcc04d91701aaf888b0d99 /sys-auth
parent	ededf7351b15c0df4d166af8fc7928bd1a0b2c8e (diff)