diff --git a/sdk_container/src/third_party/portage-stable/sys-auth/sssd/Manifest b/sdk_container/src/third_party/portage-stable/sys-auth/sssd/Manifest
index ad117012ec..18fefe6b85 100644
--- a/sdk_container/src/third_party/portage-stable/sys-auth/sssd/Manifest
+++ b/sdk_container/src/third_party/portage-stable/sys-auth/sssd/Manifest
@@ -1,5 +1,7 @@
 DIST sssd-2.12.0.tar.gz 9739617 BLAKE2B d5629a24ee6db3e0a7a205a387acb01d0cc102b6bfc1131a208ea03c609941dd5ccfefd790ca1dc10f6e57d698828ff38364be9c8f6a7f7aeaec4b8a07346494 SHA512 3bd90a88a43019b00d3f0a674ef4d2473bf6895e749a54bec8ac1661e7d289083e0cbd64846dacc8bdd4b2447f171dddb2d0ba108962dbd862bce86c2247b038
 DIST sssd-2.12.0.tar.gz.asc 833 BLAKE2B ffb95b672fd5b63f6147b4c4e85ee04c260eb2fa01c90ed52e04bb5c8e1bba76fead5dca1343a1d8c53d69d36c1145378c18f01fe86896f52dd64a1ed7c1d973 SHA512 b4a7696969f2c0a034ef01eaa50282556e3c07c0be53088d9ce5cb3f24e2dc5428fe8ad2f2f6aca7903a16e2d39591f32b04ca76b16662d24ae64cea15658684
+DIST sssd-2.13.0.tar.gz 9127914 BLAKE2B d180c53dfaf74137b3208ecba1e8b58ae6fa8bf5fd122ceb362ab382bd34904871857dbbc8f7b1fef858c9220772495d1262c7348c11beae432985c368900334 SHA512 3d900d7a5538114b888c57a5f5a555f6200cf077881c02b4d9b9af33d590bfd71fa296513e38343ad7d96447f5fe2ed69562ccd9a80bb3eed0dec890461da777
+DIST sssd-2.13.0.tar.gz.asc 833 BLAKE2B 08f13c3634ffb2ef30f8cf8ca3302e2c98bc8f9894141886f17762c3744e8efaeb9ee9d4e51d3c20afc00e0210c73b22b0a822f698313762bfe54bbfc8e8e23c SHA512 c12839860d444f223ee0a55d135cb49725287463f7aa12e6f854fd3565f2ce750b1526a8275e5399b64aa1ef59f0668b3a5ec745b786cc9265c58f77fa059464
 DIST sssd-2.9.7.tar.gz 9161891 BLAKE2B 1658f3a6447c58665fccf144292deda759a72e1dbe0913e49f510fa8342e0fa09569319a40293a63c360c17ede0e8051c93b81e488549ed8e3bbeff37ce86389 SHA512 ba2bcab28491971e420b8bb8769574e88af4059cad5cec5320668cabf31c11314fce6dcab45b097d7b0876dfebe1cad22a0104c0856c80cdc07c21b19a95a3f2
 DIST sssd-2.9.7.tar.gz.asc 833 BLAKE2B 2d0b2417a38b99b6014e20abcc121e7eb1b6028c9e8292ca998099ae6eaa6e47cb3c1ab42864ffcc2f1566c20c27c9d65d7b5a801403aff23ca952fda6ecfdb2 SHA512 74117dca7a5cf62400358769757485bb304e200e29fef9613c92e8d30770b0fe54d5c95b4053ac32005f665a6cef247c639a2b14df132a7e82a8b92d527dbba3
 DIST sssd-2.9.8.tar.gz 9330244 BLAKE2B f5f88287b4bf7936e56e44c9ba7eba728c8546663304f9c6881d5bb427ff5f3dfb635536110f198439b41b481a7b9a2980138acd0d90d7334d439559425d9170 SHA512 9b10cb5e343d32402a437dab3304c16596e9eb7b51a452ca3e2b3fea4aa8dc879abe06a57ccc716bece8024847211abf5affa83e1d2ca2cac101132133a6619a
diff --git a/sdk_container/src/third_party/portage-stable/sys-auth/sssd/files/sssd-2.9.8-r1-pam_fix_out-of-bounds_read_in_pam_passkey_child_read_data.patch b/sdk_container/src/third_party/portage-stable/sys-auth/sssd/files/sssd-2.9.8-r1-pam_fix_out-of-bounds_read_in_pam_passkey_child_read_data.patch
new file mode 100644
index 0000000000..a0c98e1be9
--- /dev/null
+++ b/sdk_container/src/third_party/portage-stable/sys-auth/sssd/files/sssd-2.9.8-r1-pam_fix_out-of-bounds_read_in_pam_passkey_child_read_data.patch
@@ -0,0 +1,117 @@
+From 73e53fbe95435569ee8620f651f8936b519098ae Mon Sep 17 00:00:00 2001
+From: Xu Raoqing <609179072@qq.com>
+Date: Tue, 21 Apr 2026 16:49:05 +0800
+Subject: [PATCH 1/2] pam: fix out-of-bounds read in
+ pam_passkey_child_read_data
+
+The pam_passkey_child_read_data() function failed to properly handle
+raw bytes received from a pipe. The data was treated as a NUL-terminated
+C string without explicit termination, resulting in an out-of-bounds read
+when processed by snprintf() with %s format.
+
+Fix by using memcpy instead of snprintf and explicitly NUL-terminating
+the buffer. Add checks for buf_len == 0 or buf == NULL to avoid undefined
+behavior. Check the return value of sss_authtok_set_passkey_reply and
+propagate errors properly.
+
+Fixes: CVE-2026-6245
+
+:relnote: Security fix for CVE-2026-6245: out-of-bounds read in PAM passkey responder
+
+Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
+Reviewed-by: Iker Pedrosa <ipedrosa@redhat.com>
+Reviewed-by: Sumit Bose <sbose@redhat.com>
+(cherry picked from commit 550b08cabe4dd5508c7ea74f634869374204d63f)
+---
+ src/responder/pam/pamsrv_passkey.c | 18 ++++++++++++++----
+ 1 file changed, 14 insertions(+), 4 deletions(-)
+
+diff --git a/src/responder/pam/pamsrv_passkey.c b/src/responder/pam/pamsrv_passkey.c
+index ab8da72eee0..d1446868440 100644
+--- a/src/responder/pam/pamsrv_passkey.c
++++ b/src/responder/pam/pamsrv_passkey.c
+@@ -814,16 +814,26 @@ static void pam_passkey_child_read_data(struct tevent_req *subreq)
+         return;
+     }
+ 
+-    str = malloc(sizeof(char) * buf_len);
+-    if (str == NULL) {
++    if (buf_len == 0 || buf == NULL) {
++        tevent_req_error(req, EINVAL);
+         return;
+     }
+ 
+-    snprintf(str, buf_len, "%s", buf);
++    str = malloc(buf_len + 1);
++    if (str == NULL) {
++        tevent_req_error(req, ENOMEM);
++        return;
++    }
+ 
+-    sss_authtok_set_passkey_reply(state->pd->authtok, str, 0);
++    memcpy(str, buf, buf_len);
++    str[buf_len] = '\0';
+ 
++    ret = sss_authtok_set_passkey_reply(state->pd->authtok, str, 0);
+     free(str);
++    if (ret != EOK) {
++        tevent_req_error(req, ret);
++        return;
++    }
+ 
+     tevent_req_done(req);
+     return;
+
+From 50436ace215bf46ccbfcb070fd3565a19ea223bc Mon Sep 17 00:00:00 2001
+From: Alexey Tikhonov <atikhono@redhat.com>
+Date: Wed, 22 Apr 2026 13:03:48 +0200
+Subject: [PATCH 2/2] PAM/PASSKEY: avoid unnecessary memcpy
+
+`sss_authtok_set_passkey_reply()` -> `sss_authtok_set_string()` handles
+non NULL-terminated buffer correctly.
+
+Reviewed-by: Iker Pedrosa <ipedrosa@redhat.com>
+Reviewed-by: Sumit Bose <sbose@redhat.com>
+(cherry picked from commit 3b0b16e96728b3d2f8ddd8c0ee67b92ec210d44f)
+---
+ src/responder/pam/pamsrv_passkey.c | 16 +++-------------
+ 1 file changed, 3 insertions(+), 13 deletions(-)
+
+diff --git a/src/responder/pam/pamsrv_passkey.c b/src/responder/pam/pamsrv_passkey.c
+index d1446868440..57f37110c8d 100644
+--- a/src/responder/pam/pamsrv_passkey.c
++++ b/src/responder/pam/pamsrv_passkey.c
+@@ -801,7 +801,6 @@ static void pam_passkey_child_read_data(struct tevent_req *subreq)
+ {
+     uint8_t *buf;
+     ssize_t buf_len;
+-    char *str;
+     struct tevent_req *req = tevent_req_callback_data(subreq,
+                                                       struct tevent_req);
+     struct pam_passkey_auth_send_state *state = tevent_req_data(req, struct pam_passkey_auth_send_state);
+@@ -814,22 +813,13 @@ static void pam_passkey_child_read_data(struct tevent_req *subreq)
+         return;
+     }
+ 
+-    if (buf_len == 0 || buf == NULL) {
++    if (buf_len <= 0 || buf == NULL) {
+         tevent_req_error(req, EINVAL);
+         return;
+     }
+ 
+-    str = malloc(buf_len + 1);
+-    if (str == NULL) {
+-        tevent_req_error(req, ENOMEM);
+-        return;
+-    }
+-
+-    memcpy(str, buf, buf_len);
+-    str[buf_len] = '\0';
+-
+-    ret = sss_authtok_set_passkey_reply(state->pd->authtok, str, 0);
+-    free(str);
++    ret = sss_authtok_set_passkey_reply(state->pd->authtok,
++                                        (const char*)buf, (size_t)buf_len);
+     if (ret != EOK) {
+         tevent_req_error(req, ret);
+         return;
diff --git a/sdk_container/src/third_party/portage-stable/sys-auth/sssd/metadata.xml b/sdk_container/src/third_party/portage-stable/sys-auth/sssd/metadata.xml
index a0489f6627..e0d916e966 100644
--- a/sdk_container/src/third_party/portage-stable/sys-auth/sssd/metadata.xml
+++ b/sdk_container/src/third_party/portage-stable/sys-auth/sssd/metadata.xml
@@ -17,6 +17,7 @@
 		<flag name="acl"> Build and use the cifsidmap plugin</flag>
 		<flag name="netlink">Add support for netlink protocol via <pkg>dev-libs/libnl</pkg></flag>
 		<flag name="nfsv4">Add support for the nfsv4 idmapd plugin provided by <pkg>net-fs/nfs-utils</pkg></flag>
+		<flag name="openid">Add support for login via OpenID Connect, such as Keycloak</flag>
 		<flag name="passkey">Add support for FIDO2 passkeys"</flag>
 		<flag name="samba">Add Privileged Attribute Certificate Support for Kerberos</flag>
 		<flag name="systemtap">Enable SystemTap/DTrace tracing</flag>
diff --git a/sdk_container/src/third_party/portage-stable/sys-auth/sssd/sssd-2.12.0-r1.ebuild b/sdk_container/src/third_party/portage-stable/sys-auth/sssd/sssd-2.12.0-r2.ebuild
similarity index 94%
rename from sdk_container/src/third_party/portage-stable/sys-auth/sssd/sssd-2.12.0-r1.ebuild
rename to sdk_container/src/third_party/portage-stable/sys-auth/sssd/sssd-2.12.0-r2.ebuild
index 99212ff16b..817ce3a2b7 100644
--- a/sdk_container/src/third_party/portage-stable/sys-auth/sssd/sssd-2.12.0-r1.ebuild
+++ b/sdk_container/src/third_party/portage-stable/sys-auth/sssd/sssd-2.12.0-r2.ebuild
@@ -10,7 +10,7 @@ PLOCALES_BIN="${PLOCALES} bg cs eu fi hu id it ka nb nl pl pt tg zh_TW zh_CN"
 PLOCALE_BACKUP="sv"
 PYTHON_COMPAT=( python3_{11..14} )
 
-inherit autotools linux-info multilib-minimal optfeature plocale \
+inherit autotools fcaps linux-info multilib-minimal optfeature plocale \
 	python-single-r1 pam systemd tmpfiles udev toolchain-funcs verify-sig
 
 DESCRIPTION="System Security Services Daemon provides access to identity and authentication"
@@ -18,7 +18,7 @@ HOMEPAGE="https://github.com/SSSD/sssd"
 if [[ ${PV} != 9999 ]]; then
 	SRC_URI="https://github.com/SSSD/sssd/releases/download/${PV}/${P}.tar.gz
 		https://github.com/SSSD/sssd/releases/download/${PV}/${P}.tar.gz.asc"
-	KEYWORDS="~amd64 ~arm ~arm64 ~hppa ~m68k ~mips ~ppc ~ppc64 ~riscv ~sparc ~x86"
+	KEYWORDS="amd64 ~arm ~arm64 ~hppa ~m68k ~mips ~ppc ~ppc64 ~riscv ~sparc x86"
 else
 	inherit git-r3
 	EGIT_REPO_URI="https://github.com/SSSD/sssd.git"
@@ -128,6 +128,16 @@ MULTILIB_WRAPPED_HEADERS=(
 	/usr/include/sss_certmap.h
 )
 
+# mimic upstream's setcap here, they're liable to get lost
+# https://github.com/SSSD/sssd/blob/a6d0f0cf484aeeead535b7138d1334b309c61a4e/Makefile.am#L5567
+FILECAPS=(
+	cap_dac_read_search=p "usr/libexec/sssd/ldap_child"
+	--
+	cap_dac_read_search,cap_setuid,cap_setgid=p "usr/libexec/sssd/krb5_child"
+	--
+	cap_dac_read_search=p "usr/libexec/sssd/sssd_pam"
+)
+
 pkg_setup() {
 	linux-info_pkg_setup
 	python-single-r1_pkg_setup
@@ -241,6 +251,7 @@ multilib_src_configure() {
 
 	use systemd && myconf+=(
 		--with-systemdunitdir=$(systemd_get_systemunitdir)
+		--with-syslog=$(usex systemd journald syslog)
 	)
 
 	if ! multilib_is_native_abi; then
@@ -345,6 +356,7 @@ multilib_src_install_all() {
 }
 
 pkg_postinst() {
+	fcaps_pkg_postinst
 	udev_reload
 	tmpfiles_process sssd-tmpfiles.conf
 	echo
diff --git a/sdk_container/src/third_party/portage-stable/sys-auth/sssd/sssd-2.12.0.ebuild b/sdk_container/src/third_party/portage-stable/sys-auth/sssd/sssd-2.13.0.ebuild
similarity index 86%
rename from sdk_container/src/third_party/portage-stable/sys-auth/sssd/sssd-2.12.0.ebuild
rename to sdk_container/src/third_party/portage-stable/sys-auth/sssd/sssd-2.13.0.ebuild
index 9cd07b712e..59e81b318c 100644
--- a/sdk_container/src/third_party/portage-stable/sys-auth/sssd/sssd-2.12.0.ebuild
+++ b/sdk_container/src/third_party/portage-stable/sys-auth/sssd/sssd-2.13.0.ebuild
@@ -3,14 +3,12 @@
 
 EAPI=8
 
-# Ukrainian translation causes compile failure, so skip it for now
-#PLOCALES="ca de es fr ja ko pt_BR ru sv tr uk"
 PLOCALES="ca de es fr ja ko pt_BR ru sv tr"
 PLOCALES_BIN="${PLOCALES} bg cs eu fi hu id it ka nb nl pl pt tg zh_TW zh_CN"
 PLOCALE_BACKUP="sv"
 PYTHON_COMPAT=( python3_{11..14} )
 
-inherit autotools linux-info multilib-minimal optfeature plocale \
+inherit autotools fcaps linux-info multilib-minimal optfeature plocale \
 	python-single-r1 pam systemd tmpfiles udev toolchain-funcs verify-sig
 
 DESCRIPTION="System Security Services Daemon provides access to identity and authentication"
@@ -18,7 +16,7 @@ HOMEPAGE="https://github.com/SSSD/sssd"
 if [[ ${PV} != 9999 ]]; then
 	SRC_URI="https://github.com/SSSD/sssd/releases/download/${PV}/${P}.tar.gz
 		https://github.com/SSSD/sssd/releases/download/${PV}/${P}.tar.gz.asc"
-	KEYWORDS="~amd64 ~arm ~arm64 ~hppa ~m68k ~mips ~ppc ~ppc64 ~riscv ~sparc ~x86"
+	KEYWORDS="amd64 ~arm ~arm64 ~ppc64 ~sparc x86"
 else
 	inherit git-r3
 	EGIT_REPO_URI="https://github.com/SSSD/sssd.git"
@@ -27,7 +25,7 @@ fi
 
 LICENSE="GPL-3"
 SLOT="0"
-IUSE="doc +netlink nfsv4 nls passkey python samba selinux systemd systemtap test"
+IUSE="doc +netlink nfsv4 nls openid passkey python samba selinux systemd systemtap test"
 REQUIRED_USE="python? ( ${PYTHON_REQUIRED_USE} )"
 RESTRICT="!test? ( test )"
 
@@ -57,6 +55,10 @@ DEPEND="
 	netlink? ( dev-libs/libnl:3 )
 	nfsv4? ( >=net-fs/nfs-utils-2.3.1-r2 )
 	nls? ( >=sys-devel/gettext-0.18 )
+	openid? (
+		dev-libs/jose
+		net-misc/curl
+	)
 	passkey? ( dev-libs/libfido2:= )
 	python? (
 		${PYTHON_DEPS}
@@ -79,7 +81,6 @@ DEPEND="
 RDEPEND="${DEPEND}
 	acct-user/sssd
 	acct-group/sssd
-	passkey? ( sys-apps/pcsc-lite[policykit] )
 	selinux? ( >=sec-policy/selinux-sssd-2.20120725-r9 )"
 DEPEND+="
 	sys-apps/shadow"
@@ -93,6 +94,7 @@ BDEPEND="
 	nls? (	app-text/po4a
 		sys-devel/gettext )
 	test? (
+		app-alternatives/bc
 		dev-libs/check
 		dev-libs/softhsm:2
 		dev-util/cmocka
@@ -128,41 +130,19 @@ MULTILIB_WRAPPED_HEADERS=(
 	/usr/include/sss_certmap.h
 )
 
-sssd_migrate_files() {
-	if has_version "<=sys-auth/sssd-2.9.9999"
-	then
-		einfo "Checking if sssd is running"
-		if [ -f /run/sssd.pid ]
-		then
-			elog "Please stop sssd after installing before"
-			elog "performing the migration process"
-		fi
-		einfo "Checking if /var/lib/sss ownership"
-		if [ -d /var/lib/sss ] && [ $(stat -c "%U:%G" /var/lib/sss) != "sssd:sssd" ]
-		then
-			elog "After installing, please execute"
-			elog "chown -R sssd:sssd /var/lib/sss"
-		fi
-		einfo "Checking if /var/log/sssd ownership"
-		if [ -d /var/log/sssd ] && [ $(stat -c "%U:%G" /var/log/sssd) != "sssd:sssd" ]
-		then
-			elog "After installing, please execute"
-			elog "chown -R sssd:sssd /var/log/sssd"
-		fi
-		einfo "Checking if /etc/sssd ownership"
-		if ! use systemd && [ -d /etc/sssd ] && [ $(stat -c "%U:%G" /etc/sssd) != "root:sssd" ]
-		then
-			elog "After installing, please execute"
-			elog "chown -R root:sssd /etc/sssd"
-		fi
-	fi
-}
+# mimic upstream's setcap here, they're liable to get lost
+# https://github.com/SSSD/sssd/blob/a6d0f0cf484aeeead535b7138d1334b309c61a4e/Makefile.am#L5567
+FILECAPS=(
+	cap_dac_read_search=p "usr/libexec/sssd/ldap_child"
+	--
+	cap_dac_read_search,cap_setuid,cap_setgid=p "usr/libexec/sssd/krb5_child"
+	--
+	cap_dac_read_search=p "usr/libexec/sssd/sssd_pam"
+)
 
 pkg_setup() {
 	linux-info_pkg_setup
 	python-single-r1_pkg_setup
-
-	sssd_migrate_files
 }
 
 src_prepare() {
@@ -258,7 +238,7 @@ multilib_src_configure() {
 		--with-sudo
 		$(multilib_native_with autofs)
 		$(multilib_native_with ssh)
-		--without-oidc-child
+		$(use_with openid oidc-child)
 		$(multilib_native_with passkey)
 		--with-subid
 		$(use_enable systemtap)
@@ -273,6 +253,7 @@ multilib_src_configure() {
 
 	use systemd && myconf+=(
 		--with-systemdunitdir=$(systemd_get_systemunitdir)
+		--with-syslog=$(usex systemd journald syslog)
 	)
 
 	if ! multilib_is_native_abi; then
@@ -377,6 +358,8 @@ multilib_src_install_all() {
 }
 
 pkg_postinst() {
+	fcaps_pkg_postinst
+	udev_reload
 	tmpfiles_process sssd-tmpfiles.conf
 	echo
 	elog "You must set up sssd.conf (default installed into /etc/sssd)"
@@ -390,3 +373,7 @@ pkg_postinst() {
 		ewarn "sssctl analyze will not work because the python USE flag is disabled."
 	fi
 }
+
+pkg_postrm() {
+	udev_reload
+}
diff --git a/sdk_container/src/third_party/portage-stable/sys-auth/sssd/sssd-2.9.8-r1.ebuild b/sdk_container/src/third_party/portage-stable/sys-auth/sssd/sssd-2.9.8-r1.ebuild
new file mode 100644
index 0000000000..8f8e6a6c42
--- /dev/null
+++ b/sdk_container/src/third_party/portage-stable/sys-auth/sssd/sssd-2.9.8-r1.ebuild
@@ -0,0 +1,345 @@
+# Copyright 1999-2026 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+
+PLOCALES="ca de es fr ja ko pt_BR ru sv tr uk"
+PLOCALES_BIN="${PLOCALES} bg cs eu fi hu id it ka nb nl pl pt tg zh_TW zh_CN"
+PLOCALE_BACKUP="sv"
+PYTHON_COMPAT=( python3_{11..14} )
+
+inherit autotools linux-info multilib-minimal optfeature plocale \
+	python-single-r1 pam systemd toolchain-funcs verify-sig
+
+DESCRIPTION="System Security Services Daemon provides access to identity and authentication"
+HOMEPAGE="https://github.com/SSSD/sssd"
+if [[ ${PV} != 9999 ]]; then
+	SRC_URI="https://github.com/SSSD/sssd/releases/download/${PV}/${P}.tar.gz
+		https://github.com/SSSD/sssd/releases/download/${PV}/${P}.tar.gz.asc"
+	KEYWORDS="amd64 ~arm ~arm64 ~hppa ~m68k ~mips ~ppc ~ppc64 ~riscv ~sparc x86"
+else
+	inherit git-r3
+	EGIT_REPO_URI="https://github.com/SSSD/sssd.git"
+	EGIT_BRANCH="master"
+fi
+
+LICENSE="GPL-3"
+SLOT="0"
+IUSE="acl doc +netlink nfsv4 nls passkey python samba selinux systemd systemtap test"
+REQUIRED_USE="python? ( ${PYTHON_REQUIRED_USE} )"
+RESTRICT="!test? ( test )"
+
+DEPEND="
+	>=app-crypt/mit-krb5-1.19.1[${MULTILIB_USEDEP}]
+	app-crypt/p11-kit
+	>=dev-libs/ding-libs-0.2
+	>=dev-libs/cyrus-sasl-2.1.25-r3[kerberos]
+	dev-libs/jansson:=
+	dev-libs/libpcre2:=
+	dev-libs/libunistring:=[${MULTILIB_USEDEP}]
+	>=dev-libs/popt-1.16
+	>=dev-libs/openssl-1.0.2:=
+	>=net-dns/bind-9.9[gssapi]
+	>=net-dns/c-ares-1.10.0-r1:=[${MULTILIB_USEDEP}]
+	>=net-nds/openldap-2.4.30:=[sasl,experimental]
+	>=sys-apps/dbus-1.6
+	>=sys-apps/keyutils-1.5:=
+	>=sys-libs/pam-0-r1[${MULTILIB_USEDEP}]
+	>=sys-libs/talloc-2.0.7
+	>=sys-libs/tdb-1.2.9
+	>=sys-libs/tevent-0.9.16
+	virtual/ldb:=
+	virtual/libintl
+	acl? ( net-fs/cifs-utils[acl] )
+	netlink? ( dev-libs/libnl:3 )
+	nfsv4? ( >=net-fs/nfs-utils-2.3.1-r2 )
+	nls? ( >=sys-devel/gettext-0.18 )
+	passkey? ( dev-libs/libfido2:= )
+	python? (
+		${PYTHON_DEPS}
+		systemd? (
+			$(python_gen_cond_dep '
+				dev-python/python-systemd[${PYTHON_USEDEP}]
+			')
+		)
+	)
+	samba? ( >=net-fs/samba-4.10.2[winbind] )
+	selinux? (
+		>=sys-libs/libselinux-2.1.9
+		>=sys-libs/libsemanage-2.1
+	)
+	systemd? (
+		sys-apps/systemd:=
+		sys-apps/util-linux
+	)
+	systemtap? ( dev-debug/systemtap )"
+RDEPEND="${DEPEND}
+	selinux? ( >=sec-policy/selinux-sssd-2.20120725-r9 )"
+DEPEND+="
+	sys-apps/shadow"
+BDEPEND="
+	virtual/pkgconfig
+	app-text/docbook-xml-dtd:4.4
+	>=dev-libs/libxslt-1.1.26
+	${PYTHON_DEPS}
+	doc? ( app-text/doxygen )
+	nls? ( sys-devel/gettext
+	       app-text/po4a )
+	test? (
+		dev-libs/check
+		dev-libs/softhsm:2
+		dev-util/cmocka
+		net-libs/gnutls[pkcs11,tools]
+		sys-libs/libfaketime
+		sys-libs/nss_wrapper
+		sys-libs/pam_wrapper
+		sys-libs/uid_wrapper
+	)
+	verify-sig? ( sec-keys/openpgp-keys-sssd )
+"
+
+VERIFY_SIG_OPENPGP_KEY_PATH=/usr/share/openpgp-keys/sssd.asc
+
+CONFIG_CHECK="~KEYS"
+
+PATCHES=(
+	"${FILESDIR}/${PN}-2.8.2-krb5_pw_locked.patch"
+	"${FILESDIR}/${PN}-2.9.6-conditional-python-install.patch"
+	"${FILESDIR}/${PN}-2.9.7-kerberos-1-22.patch"
+	"${FILESDIR}/${PN}-2.9.8-r1-pam_fix_out-of-bounds_read_in_pam_passkey_child_read_data.patch"
+)
+
+MULTILIB_WRAPPED_HEADERS=(
+	/usr/include/ipa_hbac.h
+	/usr/include/sss_idmap.h
+	/usr/include/sss_nss_idmap.h
+	# --with-ifp
+	/usr/include/sss_sifp.h
+	/usr/include/sss_sifp_dbus.h
+	# from 1.15.3
+	/usr/include/sss_certmap.h
+)
+
+pkg_setup() {
+	linux-info_pkg_setup
+	python-single-r1_pkg_setup
+}
+
+src_prepare() {
+	default
+
+	plocale_get_locales > src/man/po/LINGUAS || die
+
+	sed -i \
+		-e "/_langs]/ s/ .*//" \
+		src/man/po/po4a.cfg \
+		|| die
+	enable_locale() {
+		local locale=${1}
+
+		sed -i \
+			-e "/_langs]/ s/$/ ${locale}/" \
+			src/man/po/po4a.cfg \
+			|| die
+	}
+
+	plocale_for_each_locale enable_locale
+
+	PLOCALES="${PLOCALES_BIN}"
+	plocale_get_locales > po/LINGUAS || die
+
+	sed -i \
+		-e 's:/var/run:/run:' \
+		src/examples/logrotate \
+		|| die
+
+	# disable flaky test, see https://github.com/SSSD/sssd/issues/5631
+	sed -i \
+		-e '/^\s*pam-srv-tests[ \\]*$/d' \
+		Makefile.am \
+		|| die
+
+	eautoreconf
+
+	multilib_copy_sources
+}
+
+src_configure() {
+	local native_dbus_cflags=$($(tc-getPKG_CONFIG) --cflags dbus-1 || die)
+
+	# Workaround for bug #938302
+	if use systemtap && has_version "dev-debug/systemtap[-dtrace-symlink(+)]" ; then
+		export DTRACE="${BROOT}"/usr/bin/stap-dtrace
+	fi
+
+	multilib-minimal_src_configure
+}
+
+multilib_src_configure() {
+	local myconf=()
+
+	myconf+=(
+		--libexecdir="${EPREFIX}"/usr/libexec
+		--localstatedir="${EPREFIX}"/var
+		--runstatedir="${EPREFIX}"/run
+		--sbindir="${EPREFIX}"/usr/sbin
+		--with-pid-path="${EPREFIX}"/run
+		--with-plugin-path="${EPREFIX}"/usr/$(get_libdir)/sssd
+		--enable-pammoddir="${EPREFIX}$(getpam_mod_dir)"
+		--with-ldb-lib-dir="${EPREFIX}"/usr/$(get_libdir)/samba/ldb
+		--with-db-path="${EPREFIX}"/var/lib/sss/db
+		--with-gpo-cache-path="${EPREFIX}"/var/lib/sss/gpo_cache
+		--with-pubconf-path="${EPREFIX}"/var/lib/sss/pubconf
+		--with-pipe-path="${EPREFIX}"/var/lib/sss/pipes
+		--with-mcache-path="${EPREFIX}"/var/lib/sss/mc
+		--with-secrets-db-path="${EPREFIX}"/var/lib/sss/secrets
+		--with-log-path="${EPREFIX}"/var/log/sssd
+		--with-kcm
+		--enable-kcm-renewal
+		--with-os=gentoo
+		--disable-rpath
+		--disable-static
+		# Valgrind is only used for tests
+		--disable-valgrind
+		$(use_with samba)
+		--with-smb-idmap-interface-version=6
+		$(multilib_native_use_enable acl cifs-idmap-plugin)
+		$(multilib_native_use_with selinux)
+		$(multilib_native_use_with selinux semanage)
+		--enable-krb5-locator-plugin
+		$(use_enable samba pac-responder)
+		$(multilib_native_use_with nfsv4 nfsv4-idmapd-plugin)
+		$(use_enable nls)
+		$(multilib_native_use_with netlink libnl)
+		--with-manpages
+		--with-sudo
+		$(multilib_native_with autofs)
+		$(multilib_native_with ssh)
+		--without-oidc-child
+		$(multilib_native_with passkey)
+		--with-subid
+		$(use_enable systemtap)
+		--without-python2-bindings
+		$(multilib_native_use_with python python3-bindings)
+		# Annoyingly configure requires that you pick systemd XOR sysv
+		--with-initscript=$(usex systemd systemd sysv)
+		KRB5_CONFIG="${ESYSROOT}"/usr/bin/krb5-config
+		# Needed for Samba 4.21
+		CPPFLAGS="${CPPFLAGS} -I${ESYSROOT}/usr/include/samba-4.0"
+	)
+
+	use systemd && myconf+=(
+		--with-systemdunitdir=$(systemd_get_systemunitdir)
+	)
+
+	if ! multilib_is_native_abi; then
+		# work-around all the libraries that are used for CLI and server
+		myconf+=(
+			{POPT,TALLOC,TDB,TEVENT,LDB}_{CFLAGS,LIBS}=' '
+			# ldb headers are fine since native needs it
+			# ldb lib fails... but it does not seem to bother
+			{DHASH,UNISTRING,INI_CONFIG_V{0,1,1_1,1_3}}_{CFLAGS,LIBS}=' '
+			{PCRE,CARES,SYSTEMD_LOGIN,SASL,DBUS,CRYPTO,P11_KIT}_{CFLAGS,LIBS}=' '
+			{NDR_NBT,SAMBA_UTIL,SMBCLIENT,NDR_KRB5PAC,JANSSON}_{CFLAGS,LIBS}=' '
+
+			# use native include path for dbus (needed for build)
+			DBUS_CFLAGS="${native_dbus_cflags}"
+
+			# non-pkgconfig checks
+			ac_cv_lib_ldap_ldap_search=yes
+			--without-kcm
+			--without-manpages
+		)
+	fi
+
+	econf "${myconf[@]}"
+}
+
+multilib_src_compile() {
+	if multilib_is_native_abi; then
+		default
+		use doc && emake docs
+	else
+		emake libnss_sss.la pam_sss.la pam_sss_gss.la
+		emake sssd_krb5_locator_plugin.la
+		use samba && emake sssd_pac_plugin.la
+	fi
+}
+
+multilib_src_test() {
+	if multilib_is_native_abi; then
+		local -x CK_TIMEOUT_MULTIPLIER=10
+		emake check VERBOSE=yes
+	fi
+}
+
+multilib_src_install() {
+	if multilib_is_native_abi; then
+		emake -j1 DESTDIR="${D}" install
+		if use python; then
+			python_fix_shebang "${ED}"
+			python_optimize
+		fi
+	else
+		# easier than playing with automake...
+		dopammod .libs/pam_sss.so
+		dopammod .libs/pam_sss_gss.so
+
+		into /
+		dolib.so .libs/libnss_sss.so*
+
+		exeinto /usr/$(get_libdir)/krb5/plugins/libkrb5
+		doexe .libs/sssd_krb5_locator_plugin.so
+
+		if use samba; then
+			exeinto /usr/$(get_libdir)/krb5/plugins/authdata
+			doexe .libs/sssd_pac_plugin.so
+		fi
+	fi
+}
+
+multilib_src_install_all() {
+	einstalldocs
+
+	insinto /etc/sssd
+	insopts -m600
+	doins src/examples/sssd-example.conf
+
+	insinto /etc/logrotate.d
+	insopts -m644
+	newins src/examples/logrotate sssd
+
+	newconfd "${FILESDIR}"/sssd.conf sssd
+
+	keepdir /var/lib/sss/db
+	keepdir /var/lib/sss/deskprofile
+	keepdir /var/lib/sss/gpo_cache
+	keepdir /var/lib/sss/keytabs
+	keepdir /var/lib/sss/mc
+	keepdir /var/lib/sss/pipes/private
+	keepdir /var/lib/sss/pubconf/krb5.include.d
+	keepdir /var/lib/sss/secrets
+	keepdir /var/log/sssd
+
+	# strip empty dirs
+	if ! use doc; then
+		rm -r "${ED}"/usr/share/doc/"${PF}"/doc || die
+		rm -r "${ED}"/usr/share/doc/"${PF}"/{hbac,idmap,nss_idmap}_doc || die
+	fi
+
+	rm -r "${ED}"/run || die
+	find "${ED}" -type f -name '*.la' -delete || die
+}
+
+pkg_postinst() {
+	elog "You must set up sssd.conf (default installed into /etc/sssd)"
+	elog "and (optionally) configuration in /etc/pam.d in order to use SSSD"
+	elog "features."
+	echo
+	optfeature "Kerberos keytab renew (see krb5_renew_interval)" app-crypt/adcli
+
+	if ! use python; then
+		echo
+		ewarn "sssctl analyze will not work because the python USE flag is disabled."
+	fi
+}