diff --git a/sdk_container/src/third_party/coreos-overlay/sys-auth/sssd/Manifest b/sdk_container/src/third_party/coreos-overlay/sys-auth/sssd/Manifest index 8cb22a3997..ea7605714c 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-auth/sssd/Manifest +++ b/sdk_container/src/third_party/coreos-overlay/sys-auth/sssd/Manifest @@ -1 +1 @@ -DIST sssd-1.16.3.tar.gz 6217114 BLAKE2B eefaf8de466d0d76e9a4b60aefef6eb63c17a55b9a1f2e07e973a61d71cbe5432e92357656a1eb353d45bbc2fa92290cef45898d0b315d4a4c4074652ff25a23 SHA512 6165923f652f624bbe3ddc625ae682c4867eb7a20652d0cf74bbb8dda2307c917d3189ede26fd21a4fb5fd5926149271a65fa09f3affe928029ed99e6422b728 +DIST sssd-2.3.1.tar.gz 7186526 BLAKE2B 6d630fe75b9b426ef54adbe1704fde8e01fc34df7861028c07ce2985db8a151ce743d633061386fea6460fe8eabb89242b816d4bac87975bb9b7b2064ad1d547 SHA512 6aeb52d5222c5992d581296996749327bcaf276e4eb4413a6a32ea6529343432cfe413006aca4245c19b38b515be1c4c2ef88a157c617d889274179253355bc6 diff --git a/sdk_container/src/third_party/coreos-overlay/sys-auth/sssd/files/sssd-2.3.1-test_ca-Look-for-libsofthsm2.so-in-usr-libdir-sofths.patch b/sdk_container/src/third_party/coreos-overlay/sys-auth/sssd/files/sssd-2.3.1-test_ca-Look-for-libsofthsm2.so-in-usr-libdir-sofths.patch new file mode 100644 index 0000000000..b84df9a91c --- /dev/null +++ b/sdk_container/src/third_party/coreos-overlay/sys-auth/sssd/files/sssd-2.3.1-test_ca-Look-for-libsofthsm2.so-in-usr-libdir-sofths.patch @@ -0,0 +1,32 @@ +From fc79d035ccc4c1a5da26bbd780aeb7e0a0afebf5 Mon Sep 17 00:00:00 2001 +From: Matt Turner +Date: Fri, 14 Aug 2020 13:36:30 -0700 +Subject: [PATCH] test_ca: Look for libsofthsm2.so in /usr/${libdir}/softhsm + too + +Signed-off-by: Matt Turner +--- + src/external/test_ca.m4 | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +diff --git a/src/external/test_ca.m4 b/src/external/test_ca.m4 +index 4d45a5a16..d318789bc 100644 +--- a/src/external/test_ca.m4 ++++ b/src/external/test_ca.m4 +@@ -33,9 +33,10 @@ AC_DEFUN([AM_CHECK_TEST_CA], + AM_CONDITIONAL([BUILD_TEST_CA], [test -x "$OPENSSL" -a -x "$SSH_KEYGEN" -a -x "$CERTUTIL" -a -x "$PK12UTIL"]) + else + +- for p in /usr/lib64/pkcs11/libsofthsm2.so /usr/lib/pkcs11/libsofthsm2.so /usr/lib/x86_64-linux-gnu/softhsm/libsofthsm2.so; do +- if test -f "${p}"; then +- SOFTHSM2_PATH="${p}" ++ for p in /usr/lib{64,}/{softhsm,pkcs11} /usr/lib/x86_64-linux-gnu/softhsm; do ++ f="${p}/libsofthsm2.so" ++ if test -f "${f}"; then ++ SOFTHSM2_PATH="${f}" + break; + fi + done +-- +2.26.2 + diff --git a/sdk_container/src/third_party/coreos-overlay/sys-auth/sssd/files/sssd-curl-macros.patch b/sdk_container/src/third_party/coreos-overlay/sys-auth/sssd/files/sssd-curl-macros.patch deleted file mode 100644 index 91e71e8378..0000000000 --- a/sdk_container/src/third_party/coreos-overlay/sys-auth/sssd/files/sssd-curl-macros.patch +++ /dev/null @@ -1,34 +0,0 @@ -From d3cdf9cbfbace4874c6e5c96f1e5ef5b342c813e Mon Sep 17 00:00:00 2001 -From: Mikle Kolyada -Date: Sun, 16 Dec 2018 20:42:39 +0300 -Subject: [PATCH] tev_curl.c: remove case duplication - -CURLE_SSL_CACERT and CURLE_PEER_FAILED_VERIFICATION macros are provided -by net-misc/curl-7.62.0 and older ---- - tev_curl.c | 3 --- - 1 file changed, 3 deletions(-) - -diff --git a/tev_curl.c b/tev_curl.c -index 6a7a580..ce6fdba 100644 ---- a/src/util/tev_curl.c -+++ b/src/util/tev_curl.c -@@ -97,7 +97,6 @@ static errno_t curl_code2errno(CURLcode crv) - return ETIMEDOUT; - case CURLE_SSL_ISSUER_ERROR: - case CURLE_SSL_CACERT_BADFILE: -- case CURLE_SSL_CACERT: - case CURLE_SSL_CERTPROBLEM: - return ERR_INVALID_CERT; - -@@ -110,8 +109,6 @@ static errno_t curl_code2errno(CURLcode crv) - case CURLE_SSL_ENGINE_NOTFOUND: - case CURLE_SSL_CONNECT_ERROR: - return ERR_SSL_FAILURE; -- case CURLE_PEER_FAILED_VERIFICATION: -- return ERR_UNABLE_TO_VERIFY_PEER; - case CURLE_COULDNT_RESOLVE_HOST: - return ERR_UNABLE_TO_RESOLVE_HOST; - default: --- -2.19.2 \ No newline at end of file diff --git a/sdk_container/src/third_party/coreos-overlay/sys-auth/sssd/files/sssd-fix-CVE-2019-3811.patch b/sdk_container/src/third_party/coreos-overlay/sys-auth/sssd/files/sssd-fix-CVE-2019-3811.patch deleted file mode 100644 index 87db45fd24..0000000000 --- a/sdk_container/src/third_party/coreos-overlay/sys-auth/sssd/files/sssd-fix-CVE-2019-3811.patch +++ /dev/null @@ -1,96 +0,0 @@ -From 28792523a01a7d21bcc8931794164f253e691a68 Mon Sep 17 00:00:00 2001 -From: Tomas Halman -Date: Mon, 3 Dec 2018 14:11:31 +0100 -Subject: [PATCH] nss: sssd returns '/' for emtpy home directories - -For empty home directory in passwd file sssd returns "/". Sssd -should respect system behaviour and return the same as nsswitch -"files" module - return empty string. - -Resolves: -https://pagure.io/SSSD/sssd/issue/3901 - -Reviewed-by: Simo Sorce -Reviewed-by: Jakub Hrozek -(cherry picked from commit 90f32399b4100ce39cf665649fde82d215e5eb49) ---- - src/confdb/confdb.c | 9 +++++++++ - src/man/include/ad_modified_defaults.xml | 19 +++++++++++++++++++ - src/responder/nss/nss_protocol_pwent.c | 2 +- - src/tests/intg/test_files_provider.py | 2 +- - 4 files changed, 30 insertions(+), 2 deletions(-) - -diff --git a/src/confdb/confdb.c b/src/confdb/confdb.c -index a3eb9c66d9..17bb4f8274 100644 ---- a/src/confdb/confdb.c -+++ b/src/confdb/confdb.c -@@ -1301,6 +1301,15 @@ static int confdb_get_domain_internal(struct confdb_ctx *cdb, - ret = ENOMEM; - goto done; - } -+ } else { -+ if (strcasecmp(domain->provider, "ad") == 0) { -+ /* ad provider default */ -+ domain->fallback_homedir = talloc_strdup(domain, "/home/%d/%u"); -+ if (!domain->fallback_homedir) { -+ ret = ENOMEM; -+ goto done; -+ } -+ } - } - - tmp = ldb_msg_find_attr_as_string(res->msgs[0], -diff --git a/src/man/include/ad_modified_defaults.xml b/src/man/include/ad_modified_defaults.xml -index 818a2bf787..425b7e8ee0 100644 ---- a/src/man/include/ad_modified_defaults.xml -+++ b/src/man/include/ad_modified_defaults.xml -@@ -76,4 +76,23 @@ - - - -+ -+ NSS configuration -+ -+ -+ -+ fallback_homedir = /home/%d/%u -+ -+ -+ The AD provider automatically sets -+ "fallback_homedir = /home/%d/%u" to provide personal -+ home directories for users without the homeDirectory -+ attribute. If your AD Domain is properly -+ populated with Posix attributes, and you want to avoid -+ this fallback behavior, you can explicitly -+ set "fallback_homedir = %o". -+ -+ -+ -+ - -diff --git a/src/responder/nss/nss_protocol_pwent.c b/src/responder/nss/nss_protocol_pwent.c -index af9e74fc86..86fa4ec465 100644 ---- a/src/responder/nss/nss_protocol_pwent.c -+++ b/src/responder/nss/nss_protocol_pwent.c -@@ -118,7 +118,7 @@ nss_get_homedir(TALLOC_CTX *mem_ctx, - - homedir = nss_get_homedir_override(mem_ctx, msg, nss_ctx, domain, &hd_ctx); - if (homedir == NULL) { -- return "/"; -+ return ""; - } - - return homedir; -diff --git a/src/tests/intg/test_files_provider.py b/src/tests/intg/test_files_provider.py -index ead1cc4c34..4761f1bd15 100644 ---- a/src/tests/intg/test_files_provider.py -+++ b/src/tests/intg/test_files_provider.py -@@ -678,7 +678,7 @@ def test_user_no_dir(setup_pw_with_canary, files_domain_only): - Test that resolving a user without a homedir defined works and returns - a fallback value - """ -- check_user(incomplete_user_setup(setup_pw_with_canary, 'dir', '/')) -+ check_user(incomplete_user_setup(setup_pw_with_canary, 'dir', '')) - - - def test_user_no_gecos(setup_pw_with_canary, files_domain_only): diff --git a/sdk_container/src/third_party/coreos-overlay/sys-auth/sssd/files/sssd.service b/sdk_container/src/third_party/coreos-overlay/sys-auth/sssd/files/sssd.service index a6afb4682c..1821089a60 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-auth/sssd/files/sssd.service +++ b/sdk_container/src/third_party/coreos-overlay/sys-auth/sssd/files/sssd.service @@ -1,10 +1,15 @@ [Unit] Description=System Security Services Daemon -After=nscd.service +# SSSD will not be started until syslog is +After=syslog.target [Service] -ExecStart=/usr/sbin/sssd -i +ExecStart=/usr/sbin/sssd -D -f +# These two should be used with traditional UNIX forking daemons +# consult systemd.service(5) for more details +Type=forking PIDFile=/run/sssd.pid [Install] WantedBy=multi-user.target + diff --git a/sdk_container/src/third_party/coreos-overlay/sys-auth/sssd/files/tmpfiles.d/sssd.conf b/sdk_container/src/third_party/coreos-overlay/sys-auth/sssd/files/tmpfiles.d/sssd.conf deleted file mode 100644 index f8074a4332..0000000000 --- a/sdk_container/src/third_party/coreos-overlay/sys-auth/sssd/files/tmpfiles.d/sssd.conf +++ /dev/null @@ -1,13 +0,0 @@ -d /etc/sssd 0700 root root - - -C /etc/sssd/sssd.conf 0600 root root - /usr/share/sssd/sssd-example.conf -d /var/lib/sss - root root - - -d /var/lib/sss/deskprofile 0755 root root - - -d /var/lib/sss/db 0700 root root - - -d /var/lib/sss/gpo_cache 0755 root root - - -d /var/lib/sss/keytabs 0700 root root - - -d /var/lib/sss/mc 0700 root root - - -d /var/lib/sss/pipes - root root - - -d /var/lib/sss/pipes/private 0700 root root - - -d /var/lib/sss/pubconf 0700 root root - - -d /var/lib/sss/pubconf/krb5.include.d 0700 root root - - -d /var/lib/sss/secrets 0755 root root - - diff --git a/sdk_container/src/third_party/coreos-overlay/sys-auth/sssd/metadata.xml b/sdk_container/src/third_party/coreos-overlay/sys-auth/sssd/metadata.xml index 5b5f4a6f7a..5b808c16ef 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-auth/sssd/metadata.xml +++ b/sdk_container/src/third_party/coreos-overlay/sys-auth/sssd/metadata.xml @@ -1,21 +1,29 @@ + + base-system@gentoo.org + Gentoo Base System + alexxy@gentoo.org Alexey Shvetsov Build and use the cifsidmap plugin + Build helper to let net-fs/autofs use sssd provided information Install sssd's Kerberos plugin + Build man pages with dev-libs/libxslt + Build man pages with dev-libs/libxslt Add support for netlink protocol via dev-libs/libnl Add support for the nfsv4 idmapd plugin provided by net-libs/libnfsidmap - Build man pages with dev-libs/libxslt - Build helper to let net-fs/autofs use sssd provided information + Add Privileged Attribute Certificate Support for Kerberos Build helper to let net-misc/openssh use sssd provided information Build helper to let app-admin/sudo use sssd provided information + Depend on dev-util/valgrind for test suite - cpe:/a:fedorahosted:sssd + cpe:/a:fedoraproject:sssd + SSSD/sssd diff --git a/sdk_container/src/third_party/coreos-overlay/sys-auth/sssd/sssd-1.16.3-r3.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-auth/sssd/sssd-1.16.3-r3.ebuild deleted file mode 100644 index 089931addb..0000000000 --- a/sdk_container/src/third_party/coreos-overlay/sys-auth/sssd/sssd-1.16.3-r3.ebuild +++ /dev/null @@ -1,233 +0,0 @@ -# Flatcar modifications: -# - changed files/sssd.service -# - added files/tmpfiles.d/sssd.conf -# - other ebuild modifications marked below -# -# Copyright 1999-2020 Gentoo Authors -# Distributed under the terms of the GNU General Public License v2 - -EAPI=7 - -inherit autotools flag-o-matic linux-info multilib-minimal pam systemd toolchain-funcs - -DESCRIPTION="System Security Services Daemon provides access to identity and authentication" -HOMEPAGE="https://pagure.io/SSSD/sssd" -SRC_URI="http://releases.pagure.org/SSSD/${PN}/${P}.tar.gz" -# Flatcar: stabilize arm64 -KEYWORDS="amd64 ~arm arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sparc x86" - -LICENSE="GPL-3" -SLOT="0" -IUSE="acl autofs +locator +netlink nfsv4 nls +manpages samba selinux sudo ssh test" -RESTRICT="!test? ( test )" - -# Flatcar: don't force gssapi for >=net-dns/bind-tools-9.9 -COMMON_DEP=" - >=sys-libs/pam-0-r1[${MULTILIB_USEDEP}] - >=dev-libs/popt-1.16 - dev-libs/glib:2 - >=dev-libs/ding-libs-0.2 - >=sys-libs/talloc-2.0.7 - >=sys-libs/tdb-1.2.9 - >=sys-libs/tevent-0.9.16 - >=sys-libs/ldb-1.1.17-r1:= - >=net-nds/openldap-2.4.30[sasl] - net-libs/http-parser - >=dev-libs/libpcre-8.30 - >=app-crypt/mit-krb5-1.10.3 - dev-libs/jansson - net-misc/curl - locator? ( - >=app-crypt/mit-krb5-1.12.2[${MULTILIB_USEDEP}] - >=net-dns/c-ares-1.10.0-r1[${MULTILIB_USEDEP}] - ) - >=sys-apps/keyutils-1.5:= - >=net-dns/c-ares-1.7.4 - >=dev-libs/nss-3.12.9 - selinux? ( - >=sys-libs/libselinux-2.1.9 - >=sys-libs/libsemanage-2.1 - ) - >=net-dns/bind-tools-9.9 - >=dev-libs/cyrus-sasl-2.1.25-r3[kerberos] - >=sys-apps/dbus-1.6 - acl? ( net-fs/cifs-utils[acl] ) - nfsv4? ( || ( >=net-fs/nfs-utils-2.3.1-r2 net-libs/libnfsidmap ) ) - nls? ( >=sys-devel/gettext-0.18 ) - virtual/libintl - netlink? ( dev-libs/libnl:3 ) - samba? ( >=net-fs/samba-4.5 ) - " - -RDEPEND="${COMMON_DEP} - >=sys-libs/glibc-2.17[nscd] - selinux? ( >=sec-policy/selinux-sssd-2.20120725-r9 ) - " -DEPEND="${COMMON_DEP} - test? ( dev-libs/check ) - manpages? ( - >=dev-libs/libxslt-1.1.26 - app-text/docbook-xml-dtd:4.4 - )" - -CONFIG_CHECK="~KEYS" - -MULTILIB_WRAPPED_HEADERS=( - /usr/include/ipa_hbac.h - /usr/include/sss_idmap.h - /usr/include/sss_nss_idmap.h - /usr/include/wbclient_sssd.h - # --with-ifp - /usr/include/sss_sifp.h - /usr/include/sss_sifp_dbus.h - # from 1.15.3 - /usr/include/sss_certmap.h -) - -pkg_setup() { - linux-info_pkg_setup -} - -src_prepare() { - sed -i 's:#!/sbin/runscript:#!/sbin/openrc-run:' \ - "${S}"/src/sysv/gentoo/sssd.in || die "sed sssd.in" - - eapply "${FILESDIR}"/${PN}-curl-macros.patch - eapply "${FILESDIR}"/${PN}-fix-CVE-2019-3811.patch - - default - eautoreconf - multilib_copy_sources -} - -src_configure() { - local native_dbus_cflags=$($(tc-getPKG_CONFIG) --cflags dbus-1) - - multilib-minimal_src_configure -} - -multilib_src_configure() { - # Flatcar: delete, use systemd and not sysv - - #Work around linker dependency problem. - append-ldflags "-Wl,--allow-shlib-undefined" - - myconf+=( - --localstatedir="${EPREFIX}"/var - --enable-nsslibdir="${EPREFIX}"/$(get_libdir) - --with-plugin-path="${EPREFIX}"/usr/$(get_libdir)/sssd - --enable-pammoddir="${EPREFIX}"/$(getpam_mod_dir) - --with-ldb-lib-dir="${EPREFIX}"/usr/$(get_libdir)/samba/ldb - --with-os=gentoo - --with-nscd - --with-unicode-lib="glib2" - --disable-rpath - # Flatcar: make nss lookups succeed when not running - --enable-sss-default-nss-plugin - # Flatcar: prevent cross-compilation error - # when autotools does not want to compile and run the test - $(use_with samba smb-idmap-interface-version=6) - # - --sbindir=/usr/sbin - --without-kcm - $(use_with samba libwbclient) - --with-secrets - $(multilib_native_use_with samba) - $(multilib_native_use_enable acl cifs-idmap-plugin) - $(multilib_native_use_with selinux) - $(multilib_native_use_with selinux semanage) - $(use_enable locator krb5-locator-plugin) - $(multilib_native_use_with nfsv4 nfsv4-idmapd-plugin) - $(use_enable nls ) - $(multilib_native_use_with netlink libnl) - $(multilib_native_use_with manpages) - $(multilib_native_use_with sudo) - $(multilib_native_use_with autofs) - $(multilib_native_use_with ssh) - --with-crypto="nss" - --with-initscript="sysv" - --without-python2-bindings - --without-python3-bindings - # Flatcar: delete, fix krb5-config detection - ) - - if ! multilib_is_native_abi; then - # work-around all the libraries that are used for CLI and server - myconf+=( - {POPT,TALLOC,TDB,TEVENT,LDB}_{CFLAGS,LIBS}=' ' - # ldb headers are fine since native needs it - # ldb lib fails... but it does not seem to bother - {DHASH,COLLECTION,INI_CONFIG_V{0,1,1_1}}_{CFLAGS,LIBS}=' ' - {PCRE,CARES,SYSTEMD_LOGIN,SASL,GLIB2,DBUS,CRYPTO}_{CFLAGS,LIBS}=' ' - - # use native include path for dbus (needed for build) - DBUS_CFLAGS="${native_dbus_cflags}" - - # non-pkgconfig checks - ac_cv_lib_ldap_ldap_search=yes - --without-secrets - --without-libwbclient - --without-kcm - --with-crypto="" - ) - - use locator || myconf+=( - KRB5_CONFIG=/bin/true - ) - fi - - econf "${myconf[@]}" -} - -multilib_src_compile() { - if multilib_is_native_abi; then - default - else - emake libnss_sss.la pam_sss.la - use locator && emake sssd_krb5_locator_plugin.la - fi -} - -multilib_src_install() { - if multilib_is_native_abi; then - # Flatcar: add sysconfdir - emake -j1 DESTDIR="${D}" sysconfdir="/usr/share" "${_at_args[@]}" install - else - # easier than playing with automake... - dopammod .libs/pam_sss.so - - into / - dolib.so .libs/libnss_sss.so* - - if use locator; then - exeinto /usr/$(get_libdir)/krb5/plugins/libkrb5 - doexe .libs/sssd_krb5_locator_plugin.so - fi - fi -} - -multilib_src_install_all() { - einstalldocs - find "${ED}" -type f -name '*.la' -delete || die - - # Flatcar: store on /usr - insinto /usr/share/sssd - doins "${S}"/src/examples/sssd-example.conf - - # Flatcar: delete, remove /var files taken care of by tmpfiles - - systemd_dounit "${FILESDIR}/${PN}.service" - # Flatcar: add tmpfile directive and remove /etc/rc.d - systemd_dotmpfilesd "${FILESDIR}/tmpfiles.d/sssd.conf" - rm -rf "${D}/etc/rc.d" -} - -multilib_src_test() { - default -} - -pkg_postinst() { - elog "You must set up sssd.conf (default installed into /etc/sssd)" - elog "and (optionally) configuration in /etc/pam.d in order to use SSSD" - elog "features. Please see howto in https://docs.pagure.org/SSSD.sssd/design_pages/index.html#implemented-in-1-16-x" -} diff --git a/sdk_container/src/third_party/coreos-overlay/sys-auth/sssd/sssd-2.3.1-r2.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-auth/sssd/sssd-2.3.1-r2.ebuild new file mode 100644 index 0000000000..c5c20e6794 --- /dev/null +++ b/sdk_container/src/third_party/coreos-overlay/sys-auth/sssd/sssd-2.3.1-r2.ebuild @@ -0,0 +1,291 @@ +# Copyright 1999-2020 Gentoo Authors +# Distributed under the terms of the GNU General Public License v2 + +EAPI=7 + +PYTHON_COMPAT=( python3_7 ) + +inherit autotools flag-o-matic linux-info multilib-minimal python-single-r1 pam systemd toolchain-funcs + +DESCRIPTION="System Security Services Daemon provides access to identity and authentication" +HOMEPAGE="https://github.com/SSSD/sssd" +SRC_URI="https://github.com/SSSD/sssd/releases/download/${PN}-${PV//./_}/${P}.tar.gz" +KEYWORDS="amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sparc x86" + +LICENSE="GPL-3" +SLOT="0" +IUSE="acl doc +locator +netlink nfsv4 nls +man pac python samba selinux sudo systemd test valgrind" +RESTRICT="!test? ( test )" + +REQUIRED_USE="pac? ( samba ) + python? ( ${PYTHON_REQUIRED_USE} )" + +DEPEND=" + >=app-crypt/mit-krb5-1.10.3 + app-crypt/p11-kit + >=dev-libs/ding-libs-0.2 + dev-libs/glib:2 + >=dev-libs/cyrus-sasl-2.1.25-r3[kerberos] + >=dev-libs/libpcre-8.30:= + >=dev-libs/popt-1.16 + >=dev-libs/openssl-1.0.2:0= + >=net-dns/bind-tools-9.9[gssapi] + >=net-dns/c-ares-1.7.4 + >=net-nds/openldap-2.4.30[sasl] + >=sys-apps/dbus-1.6 + >=sys-apps/keyutils-1.5:= + >=sys-libs/pam-0-r1[${MULTILIB_USEDEP}] + >=sys-libs/talloc-2.0.7 + >=sys-libs/tdb-1.2.9 + >=sys-libs/tevent-0.9.16 + >=sys-libs/ldb-1.1.17-r1:= + virtual/libintl + locator? ( + >=app-crypt/mit-krb5-1.12.2[${MULTILIB_USEDEP}] + >=net-dns/c-ares-1.10.0-r1[${MULTILIB_USEDEP}] + ) + acl? ( net-fs/cifs-utils[acl] ) + netlink? ( dev-libs/libnl:3 ) + nfsv4? ( || ( >=net-fs/nfs-utils-2.3.1-r2 net-libs/libnfsidmap ) ) + nls? ( >=sys-devel/gettext-0.18 ) + pac? ( + app-crypt/mit-krb5[${MULTILIB_USEDEP}] + net-fs/samba + ) + python? ( ${PYTHON_DEPS} ) + samba? ( >=net-fs/samba-4.10.2[winbind] ) + selinux? ( + >=sys-libs/libselinux-2.1.9 + >=sys-libs/libsemanage-2.1 + ) + systemd? ( + dev-libs/jansson:0= + net-libs/http-parser:0= + net-misc/curl:0= + ) + " + +RDEPEND="${DEPEND} + >=sys-libs/glibc-2.17[nscd] + selinux? ( >=sec-policy/selinux-sssd-2.20120725-r9 ) + " +BDEPEND="${DEPEND} + >=sys-devel/autoconf-2.69-r5 + doc? ( app-doc/doxygen ) + test? ( + dev-libs/check + dev-libs/softhsm:2 + dev-util/cmocka + net-libs/gnutls[pkcs11,tools] + sys-libs/libfaketime + sys-libs/nss_wrapper + sys-libs/pam_wrapper + sys-libs/uid_wrapper + valgrind? ( dev-util/valgrind ) + ) + man? ( + app-text/docbook-xml-dtd:4.4 + >=dev-libs/libxslt-1.1.26 + nls? ( app-text/po4a ) + )" + +CONFIG_CHECK="~KEYS" + +MULTILIB_WRAPPED_HEADERS=( + /usr/include/ipa_hbac.h + /usr/include/sss_idmap.h + /usr/include/sss_nss_idmap.h + # --with-ifp + /usr/include/sss_sifp.h + /usr/include/sss_sifp_dbus.h + # from 1.15.3 + /usr/include/sss_certmap.h +) + +PATCHES=( + "${FILESDIR}"/${P}-test_ca-Look-for-libsofthsm2.so-in-usr-libdir-sofths.patch +) + +pkg_setup() { + linux-info_pkg_setup +} + +src_prepare() { + sed -i 's:/var/run:/run:' \ + "${S}"/src/examples/logrotate || die + + default + eautoreconf + multilib_copy_sources + if use python && multilib_is_native_abi; then + python_setup + fi +} + +src_configure() { + local native_dbus_cflags=$($(tc-getPKG_CONFIG) --cflags dbus-1) + + multilib-minimal_src_configure +} + +multilib_src_configure() { + local myconf=() + + myconf+=( + --localstatedir="${EPREFIX}"/var + --runstatedir="${EPREFIX}"/run + --with-pid-path="${EPREFIX}"/run + --with-plugin-path="${EPREFIX}"/usr/$(get_libdir)/sssd + --enable-pammoddir="${EPREFIX}"/$(getpam_mod_dir) + --with-ldb-lib-dir="${EPREFIX}"/usr/$(get_libdir)/samba/ldb + --with-db-path="${EPREFIX}"/var/lib/sss/db + --with-gpo-cache-path="${EPREFIX}"/var/lib/sss/gpo_cache + --with-pubconf-path="${EPREFIX}"/var/lib/sss/pubconf + --with-pipe-path="${EPREFIX}"/var/lib/sss/pipes + --with-mcache-path="${EPREFIX}"/var/lib/sss/mc + --with-secrets-db-path="${EPREFIX}"/var/lib/sss/secrets + --with-log-path="${EPREFIX}"/var/log/sssd + --with-os=gentoo + --with-nscd="${EPREFIX}"/usr/sbin/nscd + --with-unicode-lib="glib2" + --disable-rpath + --sbindir=/usr/sbin + --with-crypto="libcrypto" + --enable-local-provider + $(multilib_native_use_with systemd kcm) + $(multilib_native_use_with systemd secrets) + $(use_with samba) + --with-smb-idmap-interface-version=6 + $(multilib_native_use_enable acl cifs-idmap-plugin) + $(multilib_native_use_with selinux) + $(multilib_native_use_with selinux semanage) + $(use_enable locator krb5-locator-plugin) + $(use_enable pac pac-responder) + $(multilib_native_use_with nfsv4 nfsv4-idmapd-plugin) + $(use_enable nls) + $(multilib_native_use_with netlink libnl) + $(multilib_native_use_with man manpages) + $(multilib_native_use_with sudo) + $(multilib_native_with autofs) + $(multilib_native_with ssh) + $(use_enable valgrind) + --without-python2-bindings + $(multilib_native_use_with python python3-bindings) + ) + + # Annoyingly configure requires that you pick systemd XOR sysv + if use systemd; then + myconf+=( + --with-initscript="systemd" + --with-systemdunitdir=$(systemd_get_systemunitdir) + ) + else + myconf+=(--with-initscript="sysv") + fi + + if ! multilib_is_native_abi; then + # work-around all the libraries that are used for CLI and server + myconf+=( + {POPT,TALLOC,TDB,TEVENT,LDB}_{CFLAGS,LIBS}=' ' + # ldb headers are fine since native needs it + # ldb lib fails... but it does not seem to bother + {DHASH,COLLECTION,INI_CONFIG_V{0,1,1_1,1_3}}_{CFLAGS,LIBS}=' ' + {PCRE,CARES,SYSTEMD_LOGIN,SASL,GLIB2,DBUS,CRYPTO,P11_KIT}_{CFLAGS,LIBS}=' ' + {NDR_NBT,SMBCLIENT,NDR_KRB5PAC}_{CFLAGS,LIBS}=' ' + + # use native include path for dbus (needed for build) + DBUS_CFLAGS="${native_dbus_cflags}" + + # non-pkgconfig checks + ac_cv_lib_ldap_ldap_search=yes + --without-secrets + --without-kcm + ) + fi + + econf "${myconf[@]}" +} + +multilib_src_compile() { + if multilib_is_native_abi; then + default + use doc && emake docs + if use man || use nls; then + emake update-po + fi + else + emake libnss_sss.la pam_sss.la + use locator && emake sssd_krb5_locator_plugin.la + use pac && emake sssd_pac_plugin.la + fi +} + +multilib_src_install() { + if multilib_is_native_abi; then + emake -j1 DESTDIR="${D}" "${_at_args[@]}" install + if use python; then + python_optimize + python_fix_shebang "${ED}" + fi + + else + # easier than playing with automake... + dopammod .libs/pam_sss.so + + into / + dolib.so .libs/libnss_sss.so* + + if use locator; then + exeinto /usr/$(get_libdir)/krb5/plugins/libkrb5 + doexe .libs/sssd_krb5_locator_plugin.so + fi + + if use pac; then + exeinto /usr/$(get_libdir)/krb5/plugins/authdata + doexe .libs/sssd_pac_plugin.so + fi + fi +} + +multilib_src_install_all() { + einstalldocs + find "${ED}" -type f -name '*.la' -delete || die + + insinto /etc/sssd + insopts -m600 + doins "${S}"/src/examples/sssd-example.conf + + insinto /etc/logrotate.d + insopts -m644 + newins "${S}"/src/examples/logrotate sssd + + newconfd "${FILESDIR}"/sssd.conf sssd + + keepdir /var/lib/sss/db + keepdir /var/lib/sss/deskprofile + keepdir /var/lib/sss/gpo_cache + keepdir /var/lib/sss/keytabs + keepdir /var/lib/sss/mc + keepdir /var/lib/sss/pipes/private + keepdir /var/lib/sss/pubconf/krb5.include.d + keepdir /var/lib/sss/secrets + keepdir /var/log/sssd + + # strip empty dirs + if ! use doc ; then + rm -r "${ED}"/usr/share/doc/"${PF}"/doc || die + rm -r "${ED}"/usr/share/doc/"${PF}"/{hbac,idmap,nss_idmap,sss_simpleifp}_doc || die + fi + + rm -r "${ED}"/run || die +} + +multilib_src_test() { + multilib_is_native_abi && emake check +} + +pkg_postinst() { + elog "You must set up sssd.conf (default installed into /etc/sssd)" + elog "and (optionally) configuration in /etc/pam.d in order to use SSSD" + elog "features. Please see howto in https://sssd.io/docs/design_pages/smartcard_authentication_require.html" +}