commit: 1e446ceef146a87ec68f2629ea69674a8393dc43 Author: Christopher Byrne <salah.coronya <AT> gmail <DOT> com> AuthorDate: Wed Sep 6 08:29:13 2023 +0000 Commit: David Seifert <soap <AT> gentoo <DOT> org> CommitDate: Wed Sep 6 08:29:13 2023 +0000 URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=1e446cee
sys-auth/sssd: add 2.9.1 Closes: https://bugs.gentoo.org/499578 Closes: https://bugs.gentoo.org/542324 Closes: https://bugs.gentoo.org/592402 Closes: https://bugs.gentoo.org/640760 Closes: https://bugs.gentoo.org/752978 Closes: https://bugs.gentoo.org/878177 Closes: https://bugs.gentoo.org/880097 Closes: https://bugs.gentoo.org/904280 Closes: https://bugs.gentoo.org/906292 Closes: https://github.com/gentoo/gentoo/pull/32466 Signed-off-by: Christopher Byrne <salah.coronya <AT> gmail.com> Signed-off-by: David Seifert <soap <AT> gentoo.org> sys-auth/sssd/Manifest | 1 + .../sssd/files/sssd-2.8.2-krb5_pw_locked.patch | 12 + ...ept-krb5-1.21-for-building-the-PAC-plugin.patch | 31 ++ ...9.1-certmap-fix-partial-string-comparison.patch | 87 ++++++ .../sssd-2.9.1-conditional-python-install.patch | 19 ++ ...-cert-show-and-cert-eval-rule-as-non-root.patch | 39 +++ sys-auth/sssd/metadata.xml | 10 + sys-auth/sssd/sssd-2.9.1.ebuild | 330 +++++++++++++++++++++ 8 files changed, 529 insertions(+) diff --git a/sys-auth/sssd/Manifest b/sys-auth/sssd/Manifest index ae3ce6acb21c..e2f173e39988 100644 --- a/sys-auth/sssd/Manifest +++ b/sys-auth/sssd/Manifest @@ -1 +1,2 @@ DIST sssd-2.6.0.tar.gz 7440969 BLAKE2B 6b05fcea09ef10a5b2f373dc6a66032edc4c4f46f65f42fdc9ffb5b676025095e16de4a86b3088351c22746e062829d1d68fa7e960cccb7c5a77d960e6d38e2a SHA512 0b9e169424cbadfa6132a3e5e9789facf82f04cce94cb5344b8ff49370ae8817c2cb16cf21caddf6a7cd42e661d5ff5bf97843d79681683aacff0053ff93f64b +DIST sssd-2.9.1.tar.gz 7943540 BLAKE2B 9113b63d54beb40ba85c5b5c75068197317b3b8088119cf6557c6b4aed113d2d67f0bc64fc68fb34f4dbef54cccdb8b32ef44112115930751fdec5ec92e0a09b SHA512 eb7345dcfbbd51f005f67ee5032364d369d24589111ded60701e2dbe09563f0b862d343f231dd2e9d548acd8c560a036c8b88a0601f9aa048a7202da8202cd9b diff --git a/sys-auth/sssd/files/sssd-2.8.2-krb5_pw_locked.patch b/sys-auth/sssd/files/sssd-2.8.2-krb5_pw_locked.patch new file mode 100644 index 000000000000..a8bd397cd063 --- /dev/null +++ b/sys-auth/sssd/files/sssd-2.8.2-krb5_pw_locked.patch @@ -0,0 +1,12 @@ +diff --git a/src/providers/krb5/krb5_auth.c b/src/providers/krb5/krb5_auth.c +index a1c0b36..207c010 100644 +--- a/src/providers/krb5/krb5_auth.c ++++ b/src/providers/krb5/krb5_auth.c +@@ -1037,6 +1037,7 @@ static void krb5_auth_done(struct tevent_req *subreq) + case ERR_ACCOUNT_LOCKED: + state->pam_status = PAM_PERM_DENIED; + state->dp_err = DP_ERR_OK; ++ state->pd->account_locked = true; + ret = EOK; + goto done; + diff --git a/sys-auth/sssd/files/sssd-2.9.1-BUILD-Accept-krb5-1.21-for-building-the-PAC-plugin.patch b/sys-auth/sssd/files/sssd-2.9.1-BUILD-Accept-krb5-1.21-for-building-the-PAC-plugin.patch new file mode 100644 index 000000000000..c849fe76b446 --- /dev/null +++ b/sys-auth/sssd/files/sssd-2.9.1-BUILD-Accept-krb5-1.21-for-building-the-PAC-plugin.patch @@ -0,0 +1,31 @@ +From 74d0f4538deb766592079b1abca0d949d6dea105 Mon Sep 17 00:00:00 2001 +From: Alexey Tikhonov <[email protected]> +Date: Thu, 15 Jun 2023 12:05:03 +0200 +Subject: [PATCH 1/1] BUILD: Accept krb5 1.21 for building the PAC plugin +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Reviewed-by: Alejandro López <[email protected]> +Reviewed-by: Sumit Bose <[email protected]> +--- + src/external/pac_responder.m4 | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/src/external/pac_responder.m4 b/src/external/pac_responder.m4 +index 3cbe3c9cfba03b59e26a8c5c2d73446eead2acea..90727185b574411bddd928f8d87efdc87076eba4 100644 +--- a/src/external/pac_responder.m4 ++++ b/src/external/pac_responder.m4 +@@ -22,7 +22,8 @@ then + Kerberos\ 5\ release\ 1.17* | \ + Kerberos\ 5\ release\ 1.18* | \ + Kerberos\ 5\ release\ 1.19* | \ +- Kerberos\ 5\ release\ 1.20*) ++ Kerberos\ 5\ release\ 1.20* | \ ++ Kerberos\ 5\ release\ 1.21*) + krb5_version_ok=yes + AC_MSG_RESULT([yes]) + ;; +-- +2.41.0 + diff --git a/sys-auth/sssd/files/sssd-2.9.1-certmap-fix-partial-string-comparison.patch b/sys-auth/sssd/files/sssd-2.9.1-certmap-fix-partial-string-comparison.patch new file mode 100644 index 000000000000..258940bab38e --- /dev/null +++ b/sys-auth/sssd/files/sssd-2.9.1-certmap-fix-partial-string-comparison.patch @@ -0,0 +1,87 @@ +From 11afa7a6ef7e15f1e98c7145ad5c80bbdfc520e2 Mon Sep 17 00:00:00 2001 +From: Sumit Bose <[email protected]> +Date: Tue, 4 Jul 2023 19:06:27 +0200 +Subject: [PATCH 3/3] certmap: fix partial string comparison +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +If the formatting option of the certificate digest/hash function +contained and additional specifier separated with a '_' the comparison +of the provided digest name and the available ones was incomplete, the +last character was ignored and the comparison was successful if even if +there was only a partial match. + +Resolves: https://github.com/SSSD/sssd/issues/6802 + +Reviewed-by: Alejandro López <[email protected]> +Reviewed-by: Alexey Tikhonov <[email protected]> +(cherry picked from commit 0817ca3b366f51510705ab77d7900c0b65b7d2fc) +--- + src/lib/certmap/sss_certmap_ldap_mapping.c | 9 ++++++++- + src/tests/cmocka/test_certmap.c | 22 ++++++++++++++++++++++ + 2 files changed, 30 insertions(+), 1 deletion(-) + +diff --git a/src/lib/certmap/sss_certmap_ldap_mapping.c b/src/lib/certmap/sss_certmap_ldap_mapping.c +index 2f16837a1..354b0310b 100644 +--- a/src/lib/certmap/sss_certmap_ldap_mapping.c ++++ b/src/lib/certmap/sss_certmap_ldap_mapping.c +@@ -228,14 +228,21 @@ int check_digest_conversion(const char *inp, const char **digest_list, + bool colon = false; + bool reverse = false; + char *c; ++ size_t len = 0; + + sep = strchr(inp, '_'); ++ if (sep != NULL) { ++ len = sep - inp; ++ } + + for (d = 0; digest_list[d] != NULL; d++) { + if (sep == NULL) { + cmp = strcasecmp(digest_list[d], inp); + } else { +- cmp = strncasecmp(digest_list[d], inp, (sep - inp -1)); ++ if (strlen(digest_list[d]) != len) { ++ continue; ++ } ++ cmp = strncasecmp(digest_list[d], inp, len); + } + + if (cmp == 0) { +diff --git a/src/tests/cmocka/test_certmap.c b/src/tests/cmocka/test_certmap.c +index da312beaf..a15984d60 100644 +--- a/src/tests/cmocka/test_certmap.c ++++ b/src/tests/cmocka/test_certmap.c +@@ -2183,6 +2183,28 @@ static void test_sss_certmap_ldapu1_cert(void **state) + assert_non_null(ctx); + assert_null(ctx->prio_list); + ++ /* cert!sha */ ++ ret = sss_certmap_add_rule(ctx, 91, ++ "KRB5:<ISSUER>.*", ++ "LDAP:rule91={cert!sha}", NULL); ++ assert_int_equal(ret, EINVAL); ++ ++ ret = sss_certmap_add_rule(ctx, 91, ++ "KRB5:<ISSUER>.*", ++ "LDAPU1:rule91={cert!sha}", NULL); ++ assert_int_equal(ret, EINVAL); ++ ++ /* cert!sha_u */ ++ ret = sss_certmap_add_rule(ctx, 90, ++ "KRB5:<ISSUER>.*", ++ "LDAP:rule90={cert!sha_u}", NULL); ++ assert_int_equal(ret, EINVAL); ++ ++ ret = sss_certmap_add_rule(ctx, 99, ++ "KRB5:<ISSUER>.*", ++ "LDAPU1:rule90={cert!sha_u}", NULL); ++ assert_int_equal(ret, EINVAL); ++ + /* cert!sha555 */ + ret = sss_certmap_add_rule(ctx, 89, + "KRB5:<ISSUER>.*", +-- +2.38.1 + diff --git a/sys-auth/sssd/files/sssd-2.9.1-conditional-python-install.patch b/sys-auth/sssd/files/sssd-2.9.1-conditional-python-install.patch new file mode 100644 index 000000000000..de46b96c82f9 --- /dev/null +++ b/sys-auth/sssd/files/sssd-2.9.1-conditional-python-install.patch @@ -0,0 +1,19 @@ +diff --git a/src/tools/analyzer/Makefile.am b/src/tools/analyzer/Makefile.am +index b40043d04..dce6b9d36 100644 +--- a/src/tools/analyzer/Makefile.am ++++ b/src/tools/analyzer/Makefile.am +@@ -5,7 +5,9 @@ dist_sss_analyze_python_SCRIPTS = \ + $(NULL) + + pkgpythondir = $(python3dir)/sssd ++modulesdir = $(pkgpythondir)/modules + ++if BUILD_PYTHON_BINDINGS + dist_pkgpython_DATA = \ + __init__.py \ + source_files.py \ +@@ -20,3 +22,4 @@ dist_modules_DATA = \ + modules/__init__.py \ + modules/request.py \ + $(NULL) ++endif diff --git a/sys-auth/sssd/files/sssd-2.9.1-sssct-allow-cert-show-and-cert-eval-rule-as-non-root.patch b/sys-auth/sssd/files/sssd-2.9.1-sssct-allow-cert-show-and-cert-eval-rule-as-non-root.patch new file mode 100644 index 000000000000..3a724363382b --- /dev/null +++ b/sys-auth/sssd/files/sssd-2.9.1-sssct-allow-cert-show-and-cert-eval-rule-as-non-root.patch @@ -0,0 +1,39 @@ +From 15d7d34b20219e2fd45c43881088f5d542e9603e Mon Sep 17 00:00:00 2001 +From: Sumit Bose <[email protected]> +Date: Tue, 4 Jul 2023 18:56:35 +0200 +Subject: [PATCH 2/3] sssct: allow cert-show and cert-eval-rule as non-root +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +The cert-show and cert-eval-rule sub-commands do not need root access and +do not require SSSD to be configured on the host. + +Resolves: https://github.com/SSSD/sssd/issues/6802 + +Reviewed-by: Alejandro López <[email protected]> +Reviewed-by: Alexey Tikhonov <[email protected]> +(cherry picked from commit 8466f0e4d0c6cd2b98d2789970847b9adc01d7d4) +--- + src/tools/sssctl/sssctl.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/src/tools/sssctl/sssctl.c b/src/tools/sssctl/sssctl.c +index 855260aed..04c41aa9a 100644 +--- a/src/tools/sssctl/sssctl.c ++++ b/src/tools/sssctl/sssctl.c +@@ -340,9 +340,9 @@ int main(int argc, const char **argv) + SSS_TOOL_COMMAND_FLAGS("config-check", "Perform static analysis of SSSD configuration", 0, sssctl_config_check, SSS_TOOL_FLAG_SKIP_CMD_INIT), + #endif + SSS_TOOL_DELIMITER("Certificate related tools:"), +- SSS_TOOL_COMMAND("cert-show", "Print information about the certificate", 0, sssctl_cert_show), ++ SSS_TOOL_COMMAND_FLAGS("cert-show", "Print information about the certificate", 0, sssctl_cert_show, SSS_TOOL_FLAG_SKIP_CMD_INIT|SSS_TOOL_FLAG_SKIP_ROOT_CHECK), + SSS_TOOL_COMMAND("cert-map", "Show users mapped to the certificate", 0, sssctl_cert_map), +- SSS_TOOL_COMMAND("cert-eval-rule", "Check mapping and matching rule with a certificate", 0, sssctl_cert_eval_rule), ++ SSS_TOOL_COMMAND_FLAGS("cert-eval-rule", "Check mapping and matching rule with a certificate", 0, sssctl_cert_eval_rule, SSS_TOOL_FLAG_SKIP_CMD_INIT|SSS_TOOL_FLAG_SKIP_ROOT_CHECK), + #ifdef BUILD_PASSKEY + SSS_TOOL_DELIMITER("Passkey related tools:"), + SSS_TOOL_COMMAND_FLAGS("passkey-register", "Perform passkey registration", 0, sssctl_passkey_register, SSS_TOOL_FLAG_SKIP_CMD_INIT|SSS_TOOL_FLAG_SKIP_ROOT_CHECK), +-- +2.38.1 + diff --git a/sys-auth/sssd/metadata.xml b/sys-auth/sssd/metadata.xml index 36a8e6c631a2..628b459ea0a0 100644 --- a/sys-auth/sssd/metadata.xml +++ b/sys-auth/sssd/metadata.xml @@ -5,12 +5,22 @@ <email>[email protected]</email> <name>Gentoo Base System</name> </maintainer> + <maintainer type="person" proxied="yes"> + <email>[email protected]</email> + <name>Christopher Byrne</name> + </maintainer> + <maintainer type="project" proxied="proxy"> + <email>[email protected]</email> + <name>Proxy Maintainers</name> + </maintainer> <use> <flag name="acl"> Build and use the cifsidmap plugin</flag> <flag name="locator">Install sssd's Kerberos plugin</flag> <flag name="netlink">Add support for netlink protocol via <pkg>dev-libs/libnl</pkg></flag> <flag name="nfsv4">Add support for the nfsv4 idmapd plugin provided by <pkg>net-fs/nfs-utils</pkg></flag> <flag name="pac">Add Privileged Attribute Certificate Support for Kerberos</flag> + <flag name="samba">Add Privileged Attribute Certificate Support for Kerberos</flag> + <flag name="subid">Support subordinate uid and gid ranges in FreeIPA</flag> <flag name="sudo">Build helper to let <pkg>app-admin/sudo</pkg> use sssd provided information</flag> <flag name="systemtap">Enable SystemTAP/DTrace tracing</flag> </use> diff --git a/sys-auth/sssd/sssd-2.9.1.ebuild b/sys-auth/sssd/sssd-2.9.1.ebuild new file mode 100644 index 000000000000..bebb882e63fa --- /dev/null +++ b/sys-auth/sssd/sssd-2.9.1.ebuild @@ -0,0 +1,330 @@ +# Copyright 1999-2023 Gentoo Authors +# Distributed under the terms of the GNU General Public License v2 + +EAPI=8 + +PLOCALES="ca de es fr ja ko pt_BR ru sv tr uk" +PLOCALES_BIN="${PLOCALES} bg cs eu fi hu id it ka nb nl pl pt tg zh_TW zh_CN" +PLOCALE_BACKUP="sv" +PYTHON_COMPAT=( python3_{10..12} ) + +inherit autotools linux-info multilib-minimal optfeature plocale \ + python-single-r1 pam systemd toolchain-funcs + +DESCRIPTION="System Security Services Daemon provides access to identity and authentication" +HOMEPAGE="https://github.com/SSSD/sssd"; +if [[ ${PV} != 9999 ]]; then + SRC_URI="https://github.com/SSSD/sssd/releases/download/${PV}/${P}.tar.gz"; +else + inherit git-r3 + EGIT_REPO_URI="https://github.com/SSSD/sssd.git"; + EGIT_BRANCH="master" +fi + +LICENSE="GPL-3" +SLOT="0" +KEYWORDS="~amd64 ~arm ~arm64 ~hppa ~m68k ~mips ~ppc ~ppc64 ~riscv ~sparc ~x86" +IUSE="acl doc +netlink nfsv4 nls +man python samba selinux subid sudo systemd systemtap test" +REQUIRED_USE=" + python? ( ${PYTHON_REQUIRED_USE} ) + test? ( sudo )" +RESTRICT="!test? ( test )" + +DEPEND=" + >=app-crypt/mit-krb5-1.19.1[${MULTILIB_USEDEP}] + app-crypt/p11-kit + >=dev-libs/ding-libs-0.2 + >=dev-libs/cyrus-sasl-2.1.25-r3[kerberos] + dev-libs/jansson:= + dev-libs/libpcre2:= + dev-libs/libunistring:= + >=dev-libs/popt-1.16 + >=dev-libs/openssl-1.0.2:= + >=net-dns/bind-tools-9.9[gssapi] + >=net-dns/c-ares-1.10.0-r1:=[${MULTILIB_USEDEP}] + >=net-nds/openldap-2.4.30:=[sasl,experimental] + >=sys-apps/dbus-1.6 + >=sys-apps/keyutils-1.5:= + >=sys-libs/pam-0-r1[${MULTILIB_USEDEP}] + >=sys-libs/talloc-2.0.7 + >=sys-libs/tdb-1.2.9 + >=sys-libs/tevent-0.9.16 + >=sys-libs/ldb-1.1.17-r1:= + virtual/libintl + acl? ( net-fs/cifs-utils[acl] ) + netlink? ( dev-libs/libnl:3 ) + nfsv4? ( >=net-fs/nfs-utils-2.3.1-r2 ) + nls? ( >=sys-devel/gettext-0.18 ) + python? ( + ${PYTHON_DEPS} + systemd? ( + $(python_gen_cond_dep ' + dev-python/python-systemd[${PYTHON_USEDEP}] + ') + ) + ) + samba? ( >=net-fs/samba-4.10.2[winbind] ) + selinux? ( + >=sys-libs/libselinux-2.1.9 + >=sys-libs/libsemanage-2.1 + ) + subid? ( >=sys-apps/shadow-4.9 ) + systemd? ( + sys-apps/systemd:= + sys-apps/util-linux + ) + systemtap? ( dev-util/systemtap )" +RDEPEND="${DEPEND} + selinux? ( >=sec-policy/selinux-sssd-2.20120725-r9 )" +BDEPEND=" + virtual/pkgconfig + ${PYTHON_DEPS} + doc? ( app-doc/doxygen ) + man? ( + app-text/docbook-xml-dtd:4.4 + >=dev-libs/libxslt-1.1.26 + nls? ( app-text/po4a ) + ) + nls? ( sys-devel/gettext ) + test? ( + dev-libs/check + dev-libs/softhsm:2 + dev-util/cmocka + net-libs/gnutls[pkcs11,tools] + sys-libs/libfaketime + sys-libs/nss_wrapper + sys-libs/pam_wrapper + sys-libs/uid_wrapper + ) +" + +CONFIG_CHECK="~KEYS" + +PATCHES=( + "${FILESDIR}/${PN}-2.8.2-krb5_pw_locked.patch" + "${FILESDIR}/${PN}-2.9.1-BUILD-Accept-krb5-1.21-for-building-the-PAC-plugin.patch" + "${FILESDIR}/${PN}-2.9.1-certmap-fix-partial-string-comparison.patch" + "${FILESDIR}/${PN}-2.9.1-sssct-allow-cert-show-and-cert-eval-rule-as-non-root.patch" + "${FILESDIR}/${PN}-2.9.1-conditional-python-install.patch" +) + +MULTILIB_WRAPPED_HEADERS=( + /usr/include/ipa_hbac.h + /usr/include/sss_idmap.h + /usr/include/sss_nss_idmap.h + # --with-ifp + /usr/include/sss_sifp.h + /usr/include/sss_sifp_dbus.h + # from 1.15.3 + /usr/include/sss_certmap.h +) + +pkg_setup() { + linux-info_pkg_setup + python-single-r1_pkg_setup +} + +src_prepare() { + default + + plocale_get_locales > src/man/po/LINGUAS || die + + sed -i \ + -e "/_langs]/ s/ .*//" \ + src/man/po/po4a.cfg \ + || die + enable_locale() { + local locale=${1} + + sed -i \ + -e "/_langs]/ s/$/ ${locale}/" \ + src/man/po/po4a.cfg \ + || die + } + + plocale_for_each_locale enable_locale + + PLOCALES="${PLOCALES_BIN}" + plocale_get_locales > po/LINGUAS || die + + sed -i \ + -e 's:/var/run:/run:' \ + src/examples/logrotate \ + || die + + # disable flaky test, see https://github.com/SSSD/sssd/issues/5631 + sed -i \ + -e '/^\s*pam-srv-tests[ \\]*$/d' \ + Makefile.am \ + || die + + eautoreconf + + multilib_copy_sources +} + +src_configure() { + local native_dbus_cflags=$($(tc-getPKG_CONFIG) --cflags dbus-1 || die) + + multilib-minimal_src_configure +} + +multilib_src_configure() { + local myconf=() + + myconf+=( + --libexecdir="${EPREFIX}"/usr/libexec + --localstatedir="${EPREFIX}"/var + --runstatedir="${EPREFIX}"/run + --sbindir="${EPREFIX}"/usr/sbin + --with-pid-path="${EPREFIX}"/run + --with-plugin-path="${EPREFIX}"/usr/$(get_libdir)/sssd + --enable-pammoddir="${EPREFIX}"/$(getpam_mod_dir) + --with-ldb-lib-dir="${EPREFIX}"/usr/$(get_libdir)/samba/ldb + --with-db-path="${EPREFIX}"/var/lib/sss/db + --with-gpo-cache-path="${EPREFIX}"/var/lib/sss/gpo_cache + --with-pubconf-path="${EPREFIX}"/var/lib/sss/pubconf + --with-pipe-path="${EPREFIX}"/var/lib/sss/pipes + --with-mcache-path="${EPREFIX}"/var/lib/sss/mc + --with-secrets-db-path="${EPREFIX}"/var/lib/sss/secrets + --with-log-path="${EPREFIX}"/var/log/sssd + --with-kcm + --enable-kcm-renewal + --with-os=gentoo + --disable-rpath + --disable-static + # Valgrind is only used for tests + --disable-valgrind + $(use_with samba) + --with-smb-idmap-interface-version=6 + $(multilib_native_use_enable acl cifs-idmap-plugin) + $(multilib_native_use_with selinux) + $(multilib_native_use_with selinux semanage) + --enable-krb5-locator-plugin + $(use_enable samba pac-responder) + $(multilib_native_use_with nfsv4 nfsv4-idmapd-plugin) + $(use_enable nls) + $(multilib_native_use_with netlink libnl) + $(multilib_native_use_with man manpages) + $(multilib_native_use_with sudo) + $(multilib_native_with autofs) + $(multilib_native_with ssh) + --without-oidc-child + --without-passkey + $(use_with subid) + $(use_enable systemtap) + --without-python2-bindings + $(multilib_native_use_with python python3-bindings) + # Annoyingly configure requires that you pick systemd XOR sysv + --with-initscript=$(usex systemd systemd sysv) + ) + + use systemd && myconf+=( + --with-systemdunitdir=$(systemd_get_systemunitdir) + ) + + if ! multilib_is_native_abi; then + # work-around all the libraries that are used for CLI and server + myconf+=( + {POPT,TALLOC,TDB,TEVENT,LDB}_{CFLAGS,LIBS}=' ' + # ldb headers are fine since native needs it + # ldb lib fails... but it does not seem to bother + {DHASH,UNISTRING,INI_CONFIG_V{0,1,1_1,1_3}}_{CFLAGS,LIBS}=' ' + {PCRE,CARES,SYSTEMD_LOGIN,SASL,DBUS,CRYPTO,P11_KIT}_{CFLAGS,LIBS}=' ' + {NDR_NBT,SAMBA_UTIL,SMBCLIENT,NDR_KRB5PAC,JANSSON}_{CFLAGS,LIBS}=' ' + + # use native include path for dbus (needed for build) + DBUS_CFLAGS="${native_dbus_cflags}" + + # non-pkgconfig checks + ac_cv_lib_ldap_ldap_search=yes + --without-kcm + --without-manpages + ) + fi + + econf "${myconf[@]}" +} + +multilib_src_compile() { + if multilib_is_native_abi; then + default + use doc && emake docs + else + emake libnss_sss.la pam_sss.la pam_sss_gss.la + emake sssd_krb5_locator_plugin.la + use samba && emake sssd_pac_plugin.la + fi +} + +multilib_src_test() { + if multilib_is_native_abi; then + local -x CK_TIMEOUT_MULTIPLIER=10 + emake check VERBOSE=yes + fi +} + +multilib_src_install() { + if multilib_is_native_abi; then + emake -j1 DESTDIR="${D}" install + if use python; then + python_fix_shebang "${ED}" + python_optimize + fi + else + # easier than playing with automake... + dopammod .libs/pam_sss.so + dopammod .libs/pam_sss_gss.so + + into / + dolib.so .libs/libnss_sss.so* + + exeinto /usr/$(get_libdir)/krb5/plugins/libkrb5 + doexe .libs/sssd_krb5_locator_plugin.so + + if use samba; then + exeinto /usr/$(get_libdir)/krb5/plugins/authdata + doexe .libs/sssd_pac_plugin.so + fi + fi +} + +multilib_src_install_all() { + einstalldocs + + insinto /etc/sssd + insopts -m600 + doins src/examples/sssd-example.conf + + insinto /etc/logrotate.d + insopts -m644 + newins src/examples/logrotate sssd + + newconfd "${FILESDIR}"/sssd.conf sssd + + keepdir /var/lib/sss/db + keepdir /var/lib/sss/deskprofile + keepdir /var/lib/sss/gpo_cache + keepdir /var/lib/sss/keytabs + keepdir /var/lib/sss/mc + keepdir /var/lib/sss/pipes/private + keepdir /var/lib/sss/pubconf/krb5.include.d + keepdir /var/lib/sss/secrets + keepdir /var/log/sssd + + # strip empty dirs + if ! use doc; then + rm -r "${ED}"/usr/share/doc/"${PF}"/doc || die + rm -r "${ED}"/usr/share/doc/"${PF}"/{hbac,idmap,nss_idmap}_doc || die + fi + + rm -r "${ED}"/run || die + find "${ED}" -type f -name '*.la' -delete || die +} + +pkg_postinst() { + elog "You must set up sssd.conf (default installed into /etc/sssd)" + elog "and (optionally) configuration in /etc/pam.d in order to use SSSD" + elog "features." + optfeature "Kerberos keytab renew (see krb5_renew_interval)" app-crypt/adcli +}
