diff --git a/.cyrus-sasl.metadata b/.cyrus-sasl.metadata
new file mode 100644
index 0000000..9777141
--- /dev/null
+++ b/.cyrus-sasl.metadata
@@ -0,0 +1 @@
+b77ef8bd7e31923bdc7632a4c9a40cc79ec12681 SOURCES/cyrus-sasl-2.1.26-nodlcompatorsrp.tar.gz
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..8716f4f
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+SOURCES/cyrus-sasl-2.1.26-nodlcompatorsrp.tar.gz
diff --git a/SOURCES/cyrus-sasl-2.1.20-saslauthd.conf-path.patch b/SOURCES/cyrus-sasl-2.1.20-saslauthd.conf-path.patch
new file mode 100644
index 0000000..8e025d2
--- /dev/null
+++ b/SOURCES/cyrus-sasl-2.1.20-saslauthd.conf-path.patch
@@ -0,0 +1,38 @@
+diff -up cyrus-sasl-2.1.25/saslauthd/saslauthd.8.path cyrus-sasl-2.1.25/saslauthd/saslauthd.8
+--- cyrus-sasl-2.1.25/saslauthd/saslauthd.8.path	2012-02-08 17:02:25.143783451 +0100
++++ cyrus-sasl-2.1.25/saslauthd/saslauthd.8	2012-02-08 17:04:31.775795190 +0100
+@@ -177,7 +177,7 @@ NNOOTTEESS
+      anyway.)
+ 
+ FFIILLEESS
+-     /var/run/saslauthd/mux  The default communications socket.
++     /run/saslauthd/mux  The default communications socket.
+ 
+      /usr/local/etc/saslauthd.conf
+                              The default configuration file for ldap support.
+diff -up cyrus-sasl-2.1.25/saslauthd/saslauthd.mdoc.path cyrus-sasl-2.1.25/saslauthd/saslauthd.mdoc
+--- cyrus-sasl-2.1.25/saslauthd/saslauthd.mdoc.path	2009-12-03 20:07:03.000000000 +0100
++++ cyrus-sasl-2.1.25/saslauthd/saslauthd.mdoc	2012-02-08 17:01:39.400986561 +0100
+@@ -216,7 +216,7 @@ instead.
+ .Em (All platforms that support OpenLDAP 2.0 or higher)
+ .Pp
+ Authenticate against an ldap server.  The ldap configuration parameters are
+-read from /usr/local/etc/saslauthd.conf.  The location of this file can be
++read from /etc/saslauthd.conf.  The location of this file can be
+ changed with the -O parameter. See the LDAP_SASLAUTHD file included with the
+ distribution for the list of available parameters.
+ .It Li sia
+@@ -246,10 +246,10 @@ these ticket files can cause serious per
+ servers. (Kerberos
+ was never intended to be used in this manner, anyway.)
+ .Sh FILES
+-.Bl -tag -width "/var/run/saslauthd/mux"
+-.It Pa /var/run/saslauthd/mux
++.Bl -tag -width "/run/saslauthd/mux"
++.It Pa /run/saslauthd/mux
+ The default communications socket.
+-.It Pa /usr/local/etc/saslauthd.conf
++.It Pa /etc/saslauthd.conf
+ The default configuration file for ldap support.
+ .El
+ .Sh SEE ALSO
diff --git a/SOURCES/cyrus-sasl-2.1.21-sizes.patch b/SOURCES/cyrus-sasl-2.1.21-sizes.patch
new file mode 100644
index 0000000..45f1800
--- /dev/null
+++ b/SOURCES/cyrus-sasl-2.1.21-sizes.patch
@@ -0,0 +1,249 @@
+Prefer types in <inttypes.h> to our own, because it removes file content
+conflicts between 32- and 64-bit architectures.  RFEd as #2829.
+
+--- cyrus-sasl-2.1.21/configure.in	2006-05-16 07:37:52.000000000 -0400
++++ cyrus-sasl-2.1.21/configure.in	2006-05-16 07:37:52.000000000 -0400
+@@ -1083,6 +1083,10 @@
+ AC_HEADER_DIRENT
+ AC_HEADER_SYS_WAIT
+ AC_CHECK_HEADERS(des.h dlfcn.h fcntl.h limits.h malloc.h paths.h strings.h sys/file.h sys/time.h syslog.h unistd.h inttypes.h sys/uio.h sys/param.h sysexits.h stdarg.h varargs.h)
++AC_CHECK_TYPES([long long, int8_t, uint8_t, int16_t, uint16_t, int32_t, uint32_t, int64_t, uint64_t],,,[
++#ifdef HAVE_INTTYPES_H
++#include <inttypes.h>
++#endif])
+ 
+ IPv6_CHECK_SS_FAMILY()
+ IPv6_CHECK_SA_LEN()
+diff -up cyrus-sasl-2.1.26/configure.sizes cyrus-sasl-2.1.26/configure
+--- cyrus-sasl-2.1.26/configure.sizes	2013-11-13 16:40:44.492792539 +0100
++++ cyrus-sasl-2.1.26/configure	2013-11-13 16:40:47.489777836 +0100
+@@ -18166,6 +18166,124 @@ fi
+ 
+ done
+ 
++ac_fn_c_check_type "$LINENO" "long long" "ac_cv_type_long_long" "
++#ifdef HAVE_INTTYPES_H
++#include <inttypes.h>
++#endif
++"
++if test "x$ac_cv_type_long_long" = xyes; then :
++
++cat >>confdefs.h <<_ACEOF
++#define HAVE_LONG_LONG 1
++_ACEOF
++
++
++fi
++ac_fn_c_check_type "$LINENO" "int8_t" "ac_cv_type_int8_t" "
++#ifdef HAVE_INTTYPES_H
++#include <inttypes.h>
++#endif
++"
++if test "x$ac_cv_type_int8_t" = xyes; then :
++
++cat >>confdefs.h <<_ACEOF
++#define HAVE_INT8_T 1
++_ACEOF
++
++
++fi
++ac_fn_c_check_type "$LINENO" "uint8_t" "ac_cv_type_uint8_t" "
++#ifdef HAVE_INTTYPES_H
++#include <inttypes.h>
++#endif
++"
++if test "x$ac_cv_type_uint8_t" = xyes; then :
++
++cat >>confdefs.h <<_ACEOF
++#define HAVE_UINT8_T 1
++_ACEOF
++
++
++fi
++ac_fn_c_check_type "$LINENO" "int16_t" "ac_cv_type_int16_t" "
++#ifdef HAVE_INTTYPES_H
++#include <inttypes.h>
++#endif
++"
++if test "x$ac_cv_type_int16_t" = xyes; then :
++
++cat >>confdefs.h <<_ACEOF
++#define HAVE_INT16_T 1
++_ACEOF
++
++
++fi
++ac_fn_c_check_type "$LINENO" "uint16_t" "ac_cv_type_uint16_t" "
++#ifdef HAVE_INTTYPES_H
++#include <inttypes.h>
++#endif
++"
++if test "x$ac_cv_type_uint16_t" = xyes; then :
++
++cat >>confdefs.h <<_ACEOF
++#define HAVE_UINT16_T 1
++_ACEOF
++
++
++fi
++ac_fn_c_check_type "$LINENO" "int32_t" "ac_cv_type_int32_t" "
++#ifdef HAVE_INTTYPES_H
++#include <inttypes.h>
++#endif
++"
++if test "x$ac_cv_type_int32_t" = xyes; then :
++
++cat >>confdefs.h <<_ACEOF
++#define HAVE_INT32_T 1
++_ACEOF
++
++
++fi
++ac_fn_c_check_type "$LINENO" "uint32_t" "ac_cv_type_uint32_t" "
++#ifdef HAVE_INTTYPES_H
++#include <inttypes.h>
++#endif
++"
++if test "x$ac_cv_type_uint32_t" = xyes; then :
++
++cat >>confdefs.h <<_ACEOF
++#define HAVE_UINT32_T 1
++_ACEOF
++
++
++fi
++ac_fn_c_check_type "$LINENO" "int64_t" "ac_cv_type_int64_t" "
++#ifdef HAVE_INTTYPES_H
++#include <inttypes.h>
++#endif
++"
++if test "x$ac_cv_type_int64_t" = xyes; then :
++
++cat >>confdefs.h <<_ACEOF
++#define HAVE_INT64_T 1
++_ACEOF
++
++
++fi
++ac_fn_c_check_type "$LINENO" "uint64_t" "ac_cv_type_uint64_t" "
++#ifdef HAVE_INTTYPES_H
++#include <inttypes.h>
++#endif
++"
++if test "x$ac_cv_type_uint64_t" = xyes; then :
++
++cat >>confdefs.h <<_ACEOF
++#define HAVE_UINT64_T 1
++_ACEOF
++
++
++fi
++
+ 
+ 
+ { $as_echo "$as_me:$LINENO: checking whether you have ss_family in struct sockaddr_storage" >&5
+diff -up cyrus-sasl-2.1.26/include/makemd5.c.sizes cyrus-sasl-2.1.26/include/makemd5.c
+--- cyrus-sasl-2.1.26/include/makemd5.c.sizes	2012-01-28 00:31:36.000000000 +0100
++++ cyrus-sasl-2.1.26/include/makemd5.c	2013-11-13 16:22:24.195981512 +0100
+@@ -82,12 +82,19 @@
+  */
+ 
+ 
++#ifdef HAVE_CONFIG_H
++#include "../config.h"
++#endif
+ 
+ #include <stdio.h>
+ #include <string.h>
+ #include <stdlib.h>
+ #include <ctype.h>
+ 
++#ifdef HAVE_INTTYPES_H
++#include <inttypes.h>
++#endif
++
+ 
+ static void
+ my_strupr(char *s)
+@@ -122,6 +129,18 @@
+ static void
+ try_signed(FILE *f, int len)
+ {
++#ifdef HAVE_INT8_T
++    BITSIZE(int8_t);
++#endif
++#ifdef HAVE_INT16_T
++    BITSIZE(int16_t);
++#endif
++#ifdef HAVE_INT32_T
++    BITSIZE(int32_t);
++#endif
++#ifdef HAVE_INT64_T
++    BITSIZE(int64_t);
++#endif
+     BITSIZE(signed char);
+     BITSIZE(short);
+     BITSIZE(int);
+@@ -135,6 +154,18 @@
+ static void
+ try_unsigned(FILE *f, int len)
+ {
++#ifdef HAVE_UINT8_T
++    BITSIZE(uint8_t);
++#endif
++#ifdef HAVE_UINT16_T
++    BITSIZE(uint16_t);
++#endif
++#ifdef HAVE_UINT32_T
++    BITSIZE(uint32_t);
++#endif
++#ifdef HAVE_UINT64_T
++    BITSIZE(uint64_t);
++#endif
+     BITSIZE(unsigned char);
+     BITSIZE(unsigned short);
+     BITSIZE(unsigned int);
+@@ -165,6 +196,11 @@
+ 	  "/* POINTER defines a generic pointer type */\n"
+ 	  "typedef unsigned char *POINTER;\n"
+ 	  "\n"
++#ifdef HAVE_INTTYPES_H
++	  "/* We try to define integer types for our use */\n"
++	  "#include <inttypes.h>\n"
++	  "\n"
++#endif
+ 	  );
+   return 1;
+ }
+@@ -212,31 +248,15 @@
+ 
+   print_pre(f);
+ 
+-#ifndef HAVE_INT8_T
+     try_signed (f, 8);
+-#endif /* HAVE_INT8_T */
+-#ifndef HAVE_INT16_T
+     try_signed (f, 16);
+-#endif /* HAVE_INT16_T */
+-#ifndef HAVE_INT32_T
+     try_signed (f, 32);
+-#endif /* HAVE_INT32_T */
+-#ifndef HAVE_INT64_T
+     try_signed (f, 64);
+-#endif /* HAVE_INT64_T */
+ 
+-#ifndef HAVE_U_INT8_T
+     try_unsigned (f, 8);
+-#endif /* HAVE_INT8_T */
+-#ifndef HAVE_U_INT16_T
+     try_unsigned (f, 16);
+-#endif /* HAVE_U_INT16_T */
+-#ifndef HAVE_U_INT32_T
+     try_unsigned (f, 32);
+-#endif /* HAVE_U_INT32_T */
+-#ifndef HAVE_U_INT64_T
+     try_unsigned (f, 64);
+-#endif /* HAVE_U_INT64_T */
+ 
+     print_post(f);
+   
diff --git a/SOURCES/cyrus-sasl-2.1.22-kerberos4.patch b/SOURCES/cyrus-sasl-2.1.22-kerberos4.patch
new file mode 100644
index 0000000..09e23d7
--- /dev/null
+++ b/SOURCES/cyrus-sasl-2.1.22-kerberos4.patch
@@ -0,0 +1,26 @@
+diff -up cyrus-sasl-2.1.22/config/kerberos_v4.m4.krb4 cyrus-sasl-2.1.22/config/kerberos_v4.m4
+--- cyrus-sasl-2.1.22/config/kerberos_v4.m4.krb4	2005-05-07 06:14:55.000000000 +0200
++++ cyrus-sasl-2.1.22/config/kerberos_v4.m4	2008-08-14 23:41:26.000000000 +0200
+@@ -102,7 +102,6 @@ AC_DEFUN([SASL_KERBEROS_V4_CHK], [
+        if test -n "${cyrus_krbinclude}"; then
+          CPPFLAGS="$CPPFLAGS -I${cyrus_krbinclude}"
+        fi
+-       LDFLAGS="$LDFLAGS -L$krb4/lib"
+     fi
+ 
+     if test "$with_des" != no; then
+diff -up cyrus-sasl-2.1.22/plugins/kerberos4.c.krb4 cyrus-sasl-2.1.22/plugins/kerberos4.c
+--- cyrus-sasl-2.1.22/plugins/kerberos4.c.krb4	2005-01-10 08:08:53.000000000 +0100
++++ cyrus-sasl-2.1.22/plugins/kerberos4.c	2008-08-14 23:36:33.000000000 +0200
+@@ -49,11 +49,7 @@
+ #include <krb.h>
+ 
+ #ifdef WITH_DES
+-# ifdef WITH_SSL_DES
+-#  include <openssl/des.h>
+-# else
+ #  include <des.h>
+-# endif /* WITH_SSL_DES */
+ #endif /* WITH_DES */
+ 
+ #ifdef WIN32
diff --git a/SOURCES/cyrus-sasl-2.1.22-ldap-timeout.patch b/SOURCES/cyrus-sasl-2.1.22-ldap-timeout.patch
new file mode 100644
index 0000000..82c6c82
--- /dev/null
+++ b/SOURCES/cyrus-sasl-2.1.22-ldap-timeout.patch
@@ -0,0 +1,25 @@
+commit c9447e1c3ffba88783e5d9396b832be82d3c78fc
+Author: Kazuo Ito <ito.kazuo@oss.ntt.co.jp>
+Date:   Wed Dec 10 12:03:29 2008 +0900
+
+    support for LDAP_OPT_TIMEOUT
+    
+    OpenLDAP since 2.4 implements support for this option in ldap_result(),
+    among other things.
+
+diff --git a/saslauthd/lak.c b/saslauthd/lak.c
+index 803d51f..8714265 100644
+--- a/saslauthd/lak.c
++++ b/saslauthd/lak.c
+@@ -833,6 +833,11 @@ static int lak_connect(
+ 		syslog(LOG_WARNING|LOG_AUTH, "Unable to set LDAP_OPT_NETWORK_TIMEOUT %d.%d.", lak->conf->timeout.tv_sec, lak->conf->timeout.tv_usec);
+ 	}
+ 
++	rc = ldap_set_option(lak->ld, LDAP_OPT_TIMEOUT, &(lak->conf->timeout));
++	if (rc != LDAP_OPT_SUCCESS) {
++		syslog(LOG_WARNING|LOG_AUTH, "Unable to set LDAP_OPT_TIMEOUT %d.%d.", lak->conf->timeout.tv_sec, lak->conf->timeout.tv_usec);
++	}
++
+ 	rc = ldap_set_option(lak->ld, LDAP_OPT_TIMELIMIT, &(lak->conf->time_limit));
+ 	if (rc != LDAP_OPT_SUCCESS) {
+ 		syslog(LOG_WARNING|LOG_AUTH, "Unable to set LDAP_OPT_TIMELIMIT %d.", lak->conf->time_limit);
diff --git a/SOURCES/cyrus-sasl-2.1.23-man.patch b/SOURCES/cyrus-sasl-2.1.23-man.patch
new file mode 100644
index 0000000..21c63cd
--- /dev/null
+++ b/SOURCES/cyrus-sasl-2.1.23-man.patch
@@ -0,0 +1,24 @@
+diff -up cyrus-sasl-2.1.26/saslauthd/testsaslauthd.8.man cyrus-sasl-2.1.26/saslauthd/testsaslauthd.8
+--- cyrus-sasl-2.1.26/saslauthd/testsaslauthd.8.man	2013-09-03 15:25:26.818042047 +0200
++++ cyrus-sasl-2.1.26/saslauthd/testsaslauthd.8	2013-09-03 15:25:26.818042047 +0200
+@@ -0,0 +1,20 @@
++.\"                                      Hey, EMACS: -*- nroff -*-
++.TH TESTSASLAUTHD 8 "14 October 2006"
++.SH NAME
++testsaslauthd \- test utility for the SASL authentication server
++.SH SYNOPSIS
++.B testsaslauthd
++.RI "[ " \(hyr " " realm " ] [ " \(hys " " servicename " ] [ " \(hyf " " socket " " path " ] [ " \(hyR " " repeatnum " ]"
++.SH DESCRIPTION
++This manual page documents briefly the
++.B testsaslauthd
++command.
++.PP
++.SH SEE ALSO
++.BR saslauthd (8).
++.br
++.SH AUTHOR
++testsaslauthd was written by Carnegie Mellon University.
++.PP
++This manual page was written by Roberto C. Sanchez <roberto@connexer.com>,
++for the Debian project (but may be used by others).
diff --git a/SOURCES/cyrus-sasl-2.1.25-no_rpath.patch b/SOURCES/cyrus-sasl-2.1.25-no_rpath.patch
new file mode 100644
index 0000000..33ed15d
--- /dev/null
+++ b/SOURCES/cyrus-sasl-2.1.25-no_rpath.patch
@@ -0,0 +1,20 @@
+diff -up cyrus-sasl-2.1.25/cmulocal/cyrus.m4.no_rpath cyrus-sasl-2.1.25/cmulocal/cyrus.m4
+--- cyrus-sasl-2.1.25/cmulocal/cyrus.m4.no_rpath	2010-01-22 16:12:01.000000000 +0100
++++ cyrus-sasl-2.1.25/cmulocal/cyrus.m4	2012-12-06 14:59:47.956102057 +0100
+@@ -32,14 +32,5 @@ AC_DEFUN([CMU_ADD_LIBPATH_TO], [
+ dnl runpath initialization
+ AC_DEFUN([CMU_GUESS_RUNPATH_SWITCH], [
+    # CMU GUESS RUNPATH SWITCH
+-  AC_CACHE_CHECK(for runpath switch, andrew_cv_runpath_switch, [
+-    # first, try -R
+-    SAVE_LDFLAGS="${LDFLAGS}"
+-    LDFLAGS="-R /usr/lib"
+-    AC_TRY_LINK([],[],[andrew_cv_runpath_switch="-R"], [
+-  	LDFLAGS="-Wl,-rpath,/usr/lib"
+-    AC_TRY_LINK([],[],[andrew_cv_runpath_switch="-Wl,-rpath,"],
+-    [andrew_cv_runpath_switch="none"])
+-    ])
+-  LDFLAGS="${SAVE_LDFLAGS}"
+-  ])])
++    andrew_runpath_switch="none"
++  ])
diff --git a/SOURCES/cyrus-sasl-2.1.26-error-message-when-config-has-typo.patch b/SOURCES/cyrus-sasl-2.1.26-error-message-when-config-has-typo.patch
new file mode 100644
index 0000000..939c4c9
--- /dev/null
+++ b/SOURCES/cyrus-sasl-2.1.26-error-message-when-config-has-typo.patch
@@ -0,0 +1,46 @@
+diff --git a/include/sasl.h b/include/sasl.h
+index 8b8a63f..6ae153f 100755
+--- a/include/sasl.h
++++ b/include/sasl.h
+@@ -179,6 +179,7 @@
+ 				       because of some constrains/policy violation */
+ 
+ #define SASL_BADBINDING -32  /* channel binding failure */
++#define SASL_CONFIGERR -33  /* error when parsing configuration file */
+ 
+ /* max size of a sasl mechanism name */
+ #define SASL_MECHNAMEMAX 20
+diff --git a/lib/common.c b/lib/common.c
+index 672fe2f..de0adfd 100644
+--- a/lib/common.c
++++ b/lib/common.c
+@@ -1362,6 +1362,7 @@ const char *sasl_errstring(int saslerr,
+     case SASL_CONSTRAINT_VIOLAT: return "sasl_setpass can't store a property because "
+ 			        "of a constraint violation";
+     case SASL_BADBINDING: return "channel binding failure";
++    case SASL_CONFIGERR:  return "error when parsing configuration file";
+ 
+     default:   return "undefined error!";
+     }
+diff --git a/lib/config.c b/lib/config.c
+index 7cae302..fde3757 100644
+--- a/lib/config.c
++++ b/lib/config.c
+@@ -91,7 +91,7 @@ int sasl_config_init(const char *filename)
+ 	}
+ 	if (*p != ':') {
+ 	    fclose(infile);
+-	    return SASL_FAIL;
++	    return SASL_CONFIGERR;
+ 	}
+ 	*p++ = '\0';
+ 
+@@ -99,7 +99,7 @@ int sasl_config_init(const char *filename)
+ 	
+ 	if (!*p) {
+ 	    fclose(infile);
+-	    return SASL_FAIL;
++	    return SASL_CONFIGERR;
+ 	}
+ 
+ 	/* Now strip trailing spaces, if any */
diff --git a/SOURCES/cyrus-sasl-2.1.26-gss-spnego.patch b/SOURCES/cyrus-sasl-2.1.26-gss-spnego.patch
new file mode 100644
index 0000000..69ab893
--- /dev/null
+++ b/SOURCES/cyrus-sasl-2.1.26-gss-spnego.patch
@@ -0,0 +1,139 @@
+From 67ca66685e11acc0f69d5ff8013107d4b172e67f Mon Sep 17 00:00:00 2001
+From: Simo Sorce <simo@redhat.com>
+Date: Thu, 16 Feb 2017 15:25:56 -0500
+Subject: [PATCH] Fix GSS-SPNEGO mechanism's incompatible behavior
+
+The GSS-SPNEGO mechanism has been designed and introduced by Microsoft for use
+by Active Directory clients. It allows to negotiate an underlying
+Security Mechanism like Krb5 or NTLMSSP.
+However, the implementaion in cyrus-sasl is broken and never correctly
+interoperated with Microsoft servers or clients. This patch fixes the
+compatibility issue which is caused by incorrectly trying to negotiate
+SSF layers explicitly instead of using the flags negotiated by GSSAPI
+as required by Microsoft's implementation.
+
+Signed-off-by: Simo Sorce <simo@redhat.com>
+---
+ plugins/gssapi.c | 70 +++++++++++++++++++++++++++++++++++++++++++++++++++-----
+ 1 file changed, 64 insertions(+), 6 deletions(-)
+
+diff --git a/plugins/gssapi.c b/plugins/gssapi.c
+index bfc278d..010c236 100644
+--- a/plugins/gssapi.c
++++ b/plugins/gssapi.c
+@@ -648,10 +648,62 @@ static void gssapi_common_mech_free(void *global_context __attribute__((unused))
+ #endif
+ }
+ 
++/* The GSS-SPNEGO mechanism does not do SSF negotiation, instead it uses the
++ * flags negotiated by GSSAPI to determine If confidentiality or integrity are
++ * used. These flags are stored in text->qop transalated as layers by the
++ * caller */
++static int gssapi_spnego_ssf(context_t *text, const sasl_utils_t *utils,
++                             sasl_security_properties_t *props,
++                             sasl_out_params_t *oparams)
++{
++    OM_uint32 maj_stat = 0, min_stat = 0;
++    OM_uint32 max_input;
++
++    if (text->qop & LAYER_CONFIDENTIALITY) {
++        oparams->encode = &gssapi_privacy_encode;
++        oparams->decode = &gssapi_decode;
++        oparams->mech_ssf = K5_MAX_SSF;
++    } else if (text->qop & LAYER_INTEGRITY) {
++        oparams->encode = &gssapi_integrity_encode;
++        oparams->decode = &gssapi_decode;
++        oparams->mech_ssf = 1;
++    } else {
++        oparams->encode = NULL;
++        oparams->decode = NULL;
++        oparams->mech_ssf = 0;
++    }
++
++    if (oparams->mech_ssf) {
++        maj_stat = gss_wrap_size_limit(&min_stat,
++                                       text->gss_ctx,
++                                       1,
++                                       GSS_C_QOP_DEFAULT,
++                                       (OM_uint32)oparams->maxoutbuf,
++                                       &max_input);
++
++	if (max_input > oparams->maxoutbuf) {
++	    /* Heimdal appears to get this wrong */
++	    oparams->maxoutbuf -= (max_input - oparams->maxoutbuf);
++	} else {
++	    /* This code is actually correct */
++	    oparams->maxoutbuf = max_input;
++	}
++    }
++
++    text->state = SASL_GSSAPI_STATE_AUTHENTICATED;
++
++    /* used by layers */
++    _plug_decode_init(&text->decode_context, text->utils,
++		      (props->maxbufsize > 0xFFFFFF) ? 0xFFFFFF :
++                      props->maxbufsize);
++
++    return SASL_OK;
++}
++
+ /*****************************  Server Section  *****************************/
+ 
+ static int 
+-gssapi_server_mech_new(void *glob_context __attribute__((unused)), 
++gssapi_server_mech_new(void *glob_context,
+ 		       sasl_server_params_t *params,
+ 		       const char *challenge __attribute__((unused)), 
+ 		       unsigned challen __attribute__((unused)),
+@@ -673,6 +725,7 @@ gssapi_server_mech_new(void *glob_context __attribute__((unused)),
+     text->state = SASL_GSSAPI_STATE_AUTHNEG;
+     
+     text->http_mode = (params->flags & SASL_NEED_HTTP);
++    text->mech_type = (gss_OID) glob_context;
+ 
+     *conn_context = text;
+     
+@@ -686,7 +739,7 @@ gssapi_server_mech_authneg(context_t *text,
+ 			   unsigned clientinlen,
+ 			   const char **serverout,
+ 			   unsigned *serveroutlen,
+-			   sasl_out_params_t *oparams __attribute__((unused)))
++			   sasl_out_params_t *oparams)
+ {
+     gss_buffer_t input_token, output_token;
+     gss_buffer_desc real_input_token, real_output_token;
+@@ -965,8 +1018,9 @@ gssapi_server_mech_authneg(context_t *text,
+ 	/* HTTP doesn't do any ssf negotiation */
+ 	text->state = SASL_GSSAPI_STATE_AUTHENTICATED;
+ 	ret = SASL_OK;
+-    }
+-    else {
++    } else if (text->mech_type && text->mech_type == &gss_spnego_oid) {
++        ret = gssapi_spnego_ssf(text, params->utils, &params->props, oparams);
++    } else {
+ 	/* Switch to ssf negotiation */
+ 	text->state = SASL_GSSAPI_STATE_SSFCAP;
+ 	ret = SASL_CONTINUE;
+@@ -1391,7 +1445,7 @@ static sasl_server_plug_t gssapi_server_plugins[] =
+ 	| SASL_FEAT_ALLOWS_PROXY
+ 	| SASL_FEAT_DONTUSE_USERPASSWD
+ 	| SASL_FEAT_SUPPORTS_HTTP,	/* features */
+-	NULL,				/* glob_context */
++	&gss_spnego_oid,		/* glob_context */
+ 	&gssapi_server_mech_new,	/* mech_new */
+ 	&gssapi_server_mech_step,	/* mech_step */
+ 	&gssapi_common_mech_dispose,	/* mech_dispose */
+@@ -1769,7 +1823,11 @@ static int gssapi_client_mech_step(void *conn_context,
+ 		text->state = SASL_GSSAPI_STATE_AUTHENTICATED;
+ 		oparams->doneflag = 1;
+ 		return SASL_OK;
+-	    }
++	    } else if (text->mech_type && text->mech_type == &gss_spnego_oid) {
++		oparams->doneflag = 1;
++                return gssapi_spnego_ssf(text, params->utils, &params->props,
++                                         oparams);
++            }
+ 
+ 	    /* Switch to ssf negotiation */
+ 	    text->state = SASL_GSSAPI_STATE_SSFCAP;
+
diff --git a/SOURCES/cyrus-sasl-2.1.26-gss-ssf.patch b/SOURCES/cyrus-sasl-2.1.26-gss-ssf.patch
new file mode 100644
index 0000000..72e18b7
--- /dev/null
+++ b/SOURCES/cyrus-sasl-2.1.26-gss-ssf.patch
@@ -0,0 +1,549 @@
+From 862b60c249c8a51095315062b22c0702a6500d80 Mon Sep 17 00:00:00 2001
+From: Simo Sorce <simo@redhat.com>
+Date: Tue, 11 Apr 2017 18:31:46 -0400
+Subject: [PATCH 1/3] Drop unused parameter from gssapi_spnego_ssf()
+
+Signed-off-by: Simo Sorce <simo@redhat.com>
+---
+ plugins/gssapi.c | 7 +++----
+ 1 file changed, 3 insertions(+), 4 deletions(-)
+
+diff --git a/plugins/gssapi.c b/plugins/gssapi.c
+index 010c236d..3050962e 100644
+--- a/plugins/gssapi.c
++++ b/plugins/gssapi.c
+@@ -652,7 +652,7 @@ static void gssapi_common_mech_free(void *global_context __attribute__((unused))
+  * flags negotiated by GSSAPI to determine If confidentiality or integrity are
+  * used. These flags are stored in text->qop transalated as layers by the
+  * caller */
+-static int gssapi_spnego_ssf(context_t *text, const sasl_utils_t *utils,
++static int gssapi_spnego_ssf(context_t *text,
+                              sasl_security_properties_t *props,
+                              sasl_out_params_t *oparams)
+ {
+@@ -1019,7 +1019,7 @@ gssapi_server_mech_authneg(context_t *text,
+ 	text->state = SASL_GSSAPI_STATE_AUTHENTICATED;
+ 	ret = SASL_OK;
+     } else if (text->mech_type && text->mech_type == &gss_spnego_oid) {
+-        ret = gssapi_spnego_ssf(text, params->utils, &params->props, oparams);
++        ret = gssapi_spnego_ssf(text, &params->props, oparams);
+     } else {
+ 	/* Switch to ssf negotiation */
+ 	text->state = SASL_GSSAPI_STATE_SSFCAP;
+@@ -1825,8 +1825,7 @@ static int gssapi_client_mech_step(void *conn_context,
+ 		return SASL_OK;
+ 	    } else if (text->mech_type && text->mech_type == &gss_spnego_oid) {
+ 		oparams->doneflag = 1;
+-                return gssapi_spnego_ssf(text, params->utils, &params->props,
+-                                         oparams);
++                return gssapi_spnego_ssf(text, &params->props, oparams);
+             }
+ 
+ 	    /* Switch to ssf negotiation */
+
+From 72181257d77bda09afa7d0d640d322c4472f4833 Mon Sep 17 00:00:00 2001
+From: Simo Sorce <simo@redhat.com>
+Date: Mon, 10 Apr 2017 18:35:10 -0400
+Subject: [PATCH 2/3] Check return error from gss_wrap_size_limit()
+
+The return error of this function is ignored and potentially
+uninitialized values returned by this function are used.
+
+Fix this by moving the function into a proper helper as it is used in an
+identical way in 3 different places.
+
+Signed-off-by: Simo Sorce <simo@redhat.com>
+---
+ plugins/gssapi.c | 104 +++++++++++++++++++++++++++----------------------------
+ 1 file changed, 51 insertions(+), 53 deletions(-)
+
+diff --git a/plugins/gssapi.c b/plugins/gssapi.c
+index 3050962e..348debe0 100644
+--- a/plugins/gssapi.c
++++ b/plugins/gssapi.c
+@@ -648,6 +648,32 @@ static void gssapi_common_mech_free(void *global_context __attribute__((unused))
+ #endif
+ }
+ 
++static int gssapi_wrap_sizes(context_t *text, sasl_out_params_t *oparams)
++{
++    OM_uint32 maj_stat = 0, min_stat = 0;
++    OM_uint32 max_input = 0;
++
++    maj_stat = gss_wrap_size_limit(&min_stat,
++                                   text->gss_ctx,
++                                   1,
++                                   GSS_C_QOP_DEFAULT,
++                                   (OM_uint32)oparams->maxoutbuf,
++                                   &max_input);
++   if (maj_stat != GSS_S_COMPLETE) {
++       return SASL_FAIL;
++   }
++
++    if (max_input > oparams->maxoutbuf) {
++        /* Heimdal appears to get this wrong */
++        oparams->maxoutbuf -= (max_input - oparams->maxoutbuf);
++    } else {
++        /* This code is actually correct */
++        oparams->maxoutbuf = max_input;
++    }
++
++    return SASL_OK;
++}
++
+ /* The GSS-SPNEGO mechanism does not do SSF negotiation, instead it uses the
+  * flags negotiated by GSSAPI to determine If confidentiality or integrity are
+  * used. These flags are stored in text->qop transalated as layers by the
+@@ -656,8 +682,7 @@ static int gssapi_spnego_ssf(context_t *text,
+                              sasl_security_properties_t *props,
+                              sasl_out_params_t *oparams)
+ {
+-    OM_uint32 maj_stat = 0, min_stat = 0;
+-    OM_uint32 max_input;
++    int ret;
+ 
+     if (text->qop & LAYER_CONFIDENTIALITY) {
+         oparams->encode = &gssapi_privacy_encode;
+@@ -674,20 +699,10 @@ static int gssapi_spnego_ssf(context_t *text,
+     }
+ 
+     if (oparams->mech_ssf) {
+-        maj_stat = gss_wrap_size_limit(&min_stat,
+-                                       text->gss_ctx,
+-                                       1,
+-                                       GSS_C_QOP_DEFAULT,
+-                                       (OM_uint32)oparams->maxoutbuf,
+-                                       &max_input);
+-
+-	if (max_input > oparams->maxoutbuf) {
+-	    /* Heimdal appears to get this wrong */
+-	    oparams->maxoutbuf -= (max_input - oparams->maxoutbuf);
+-	} else {
+-	    /* This code is actually correct */
+-	    oparams->maxoutbuf = max_input;
+-	}
++        ret = gssapi_wrap_sizes(text, oparams);
++        if (ret != SASL_OK) {
++            return ret;
++        }
+     }
+ 
+     text->state = SASL_GSSAPI_STATE_AUTHENTICATED;
+@@ -1208,7 +1223,6 @@ gssapi_server_mech_ssfreq(context_t *text,
+     gss_buffer_t input_token, output_token;
+     gss_buffer_desc real_input_token, real_output_token;
+     OM_uint32 maj_stat = 0, min_stat = 0;
+-    OM_uint32 max_input;
+     int layerchoice;
+ 	
+     input_token = &real_input_token;
+@@ -1297,27 +1311,20 @@ gssapi_server_mech_ssfreq(context_t *text,
+ 	(((unsigned char *) output_token->value)[2] << 8) |
+ 	(((unsigned char *) output_token->value)[3] << 0);
+ 
+-    if (oparams->mech_ssf) {
+-	maj_stat = gss_wrap_size_limit( &min_stat,
+-					text->gss_ctx,
+-					1,
+-					GSS_C_QOP_DEFAULT,
+-					(OM_uint32) oparams->maxoutbuf,
+-					&max_input);
+-
+-	if(max_input > oparams->maxoutbuf) {
+-	    /* Heimdal appears to get this wrong */
+-	    oparams->maxoutbuf -= (max_input - oparams->maxoutbuf);
+-	} else {
+-	    /* This code is actually correct */
+-	    oparams->maxoutbuf = max_input;
+-	}    
+-    }
+-	
+     GSS_LOCK_MUTEX_CTX(params->utils, text);
+     gss_release_buffer(&min_stat, output_token);
+     GSS_UNLOCK_MUTEX_CTX(params->utils, text);
+ 
++    if (oparams->mech_ssf) {
++        int ret;
++
++        ret = gssapi_wrap_sizes(text, oparams);
++        if (ret != SASL_OK) {
++	    sasl_gss_free_context_contents(text);
++            return ret;
++        }
++    }
++
+     text->state = SASL_GSSAPI_STATE_AUTHENTICATED;
+ 
+     /* used by layers */
+@@ -1569,7 +1576,6 @@ static int gssapi_client_mech_step(void *conn_context,
+     gss_buffer_t input_token, output_token;
+     gss_buffer_desc real_input_token, real_output_token;
+     OM_uint32 maj_stat = 0, min_stat = 0;
+-    OM_uint32 max_input;
+     gss_buffer_desc name_token;
+     int ret;
+     OM_uint32 req_flags = 0, out_req_flags = 0;
+@@ -1952,27 +1958,19 @@ static int gssapi_client_mech_step(void *conn_context,
+             (((unsigned char *) output_token->value)[2] << 8) |
+             (((unsigned char *) output_token->value)[3] << 0);
+ 
+-	if (oparams->mech_ssf) {
+-            maj_stat = gss_wrap_size_limit( &min_stat,
+-                                            text->gss_ctx,
+-                                            1,
+-                                            GSS_C_QOP_DEFAULT,
+-                                            (OM_uint32) oparams->maxoutbuf,
+-                                            &max_input);
+-
+-	    if (max_input > oparams->maxoutbuf) {
+-		/* Heimdal appears to get this wrong */
+-		oparams->maxoutbuf -= (max_input - oparams->maxoutbuf);
+-	    } else {
+-		/* This code is actually correct */
+-		oparams->maxoutbuf = max_input;
+-	    }
+-	}
+-	
+ 	GSS_LOCK_MUTEX_CTX(params->utils, text);
+ 	gss_release_buffer(&min_stat, output_token);
+ 	GSS_UNLOCK_MUTEX_CTX(params->utils, text);
+-	
++
++	if (oparams->mech_ssf) {
++            int ret;
++
++            ret = gssapi_wrap_sizes(text, oparams);
++            if (ret != SASL_OK) {
++	        sasl_gss_free_context_contents(text);
++                return ret;
++            }
++	}
+ 	/* oparams->user is always set, due to canon_user requirements.
+ 	 * Make sure the client actually requested it though, by checking
+ 	 * if our context was set.
+
+From ff9f9caeb6db6d7513128fff9321f9bd445f58b7 Mon Sep 17 00:00:00 2001
+From: Simo Sorce <simo@redhat.com>
+Date: Mon, 10 Apr 2017 19:54:19 -0400
+Subject: [PATCH 3/3] Add support for retrieving the mech_ssf
+
+In the latest MIT Kerberos implementation it is possible to extract
+the calculated SSF wich is based on the encryption type that has been
+used to establish the GSSAPI security context.
+
+Use this method if available or fall back to the old "DES" value.
+
+Signed-off-by: Simo Sorce <simo@redhat.com>
+---
+ cmulocal/sasl2.m4      |  20 +++++++++++
+ plugins/gssapi.c | 102 +++++++++++++++++++++++++++++++++++++++++++++++++------
+ 2 files changed, 111 insertions(+), 11 deletions(-)
+
+diff --git a/cmulocal/sasl2.m4 b/cmulocal/sasl2.m4
+index 66b291b0..686c4bc7 100644
+--- a/cmulocal/sasl2.m4
++++ b/cmulocal/sasl2.m4
+@@ -290,6 +290,26 @@ if test "$gssapi" != no; then
+ 
+   cmu_save_LIBS="$LIBS"
+   LIBS="$LIBS $GSSAPIBASE_LIBS"
++  AC_CHECK_FUNCS(gss_inquire_sec_context_by_oid)
++  if test "$ac_cv_func_gss_inquire_sec_context_by_oid" = no ; then
++    if test "$ac_cv_header_gssapi_gssapi_ext_h" = "yes"; then
++      AC_CHECK_DECL(gss_inquire_sec_context_by_oid,
++                    [AC_DEFINE(HAVE_GSS_INQUIRE_SEC_CONTEXT_BY_OID,1,
++                               [Define if your GSSAPI implementation defines gss_inquire_sec_context_by_oid])],,
++                    [
++                    AC_INCLUDES_DEFAULT
++                    #include <gssapi/gssapi_ext.h>
++                    ])
++    fi
++  fi
++  if test "$ac_cv_header_gssapi_gssapi_ext_h" = "yes"; then
++    AC_EGREP_HEADER(GSS_C_SEC_CONTEXT_SASL_SSF, gssapi/gssapi_ext.h,
++                    [AC_DEFINE(HAVE_GSS_C_SEC_CONTEXT_SASL_SSF,,
++                               [Define if your GSSAPI implementation defines GSS_C_SEC_CONTEXT_SASL_SSF])])
++  fi
++  cmu_save_LIBS="$LIBS"
++  LIBS="$LIBS $GSSAPIBASE_LIBS"
++
+   AC_MSG_CHECKING([for SPNEGO support in GSSAPI libraries])
+   AC_TRY_RUN([
+ #ifdef HAVE_GSSAPI_H
+diff --git a/plugins/gssapi.c b/plugins/gssapi.c
+index 348debe0..5f554ce3 100644
+--- a/plugins/gssapi.c
++++ b/plugins/gssapi.c
+@@ -51,6 +51,9 @@
+ #endif
+ 
+ #include <gssapi/gssapi_krb5.h>
++#ifdef HAVE_GSSAPI_GSSAPI_EXT_H
++#include <gssapi/gssapi_ext.h>
++#endif
+ 
+ #ifdef WIN32
+ #  include <winsock2.h>
+@@ -98,18 +103,25 @@ extern gss_OID gss_nt_service_name;
+ /* Check if CyberSafe flag is defined */
+ #ifdef CSF_GSS_C_DES3_FLAG
+ #define K5_MAX_SSF	112
++#define K5_MIN_SSF	112
+ #endif
+ 
+ /* Heimdal and MIT use the following */
+ #ifdef GSS_KRB5_CONF_C_QOP_DES3_KD
+ #define K5_MAX_SSF	112
++#define K5_MIN_SSF	112
+ #endif
+ 
+ #endif
+ 
+ #ifndef K5_MAX_SSF
++/* All modern Kerberos implementations support AES */
++#define K5_MAX_SSF	256
++#endif
++
+ /* All Kerberos implementations support DES */
+-#define K5_MAX_SSF	56
++#ifndef K5_MIN_SSF
++#define K5_MIN_SSF      56
+ #endif
+ 
+ /* GSSAPI SASL Mechanism by Leif Johansson <leifj@matematik.su.se>
+@@ -674,6 +686,47 @@ static int gssapi_wrap_sizes(context_t *text, sasl_out_params_t *oparams)
+     return SASL_OK;
+ }
+ 
++#if !defined(HAVE_GSS_C_SEC_CONTEXT_SASL_SSF)
++gss_OID_desc gss_sasl_ssf = {
++    11, (void *)"\x2a\x86\x48\x86\xf7\x12\x01\x02\x02\x05\x0f"
++};
++gss_OID GSS_C_SEC_CONTEXT_SASL_SSF = &gss_sasl_ssf;
++#endif
++
++static int gssapi_get_ssf(context_t *text, sasl_ssf_t *mech_ssf)
++{
++#ifdef HAVE_GSS_INQUIRE_SEC_CONTEXT_BY_OID
++    OM_uint32 maj_stat = 0, min_stat = 0;
++    gss_buffer_set_t bufset = GSS_C_NO_BUFFER_SET;
++    gss_OID ssf_oid = GSS_C_SEC_CONTEXT_SASL_SSF;
++    uint32_t ssf;
++
++    maj_stat = gss_inquire_sec_context_by_oid(&min_stat, text->gss_ctx,
++                                              ssf_oid, &bufset);
++    switch (maj_stat) {
++    case GSS_S_UNAVAILABLE:
++        /* Not supported by the library, fallback to default */
++        goto fallback;
++    case GSS_S_COMPLETE:
++        if ((bufset->count != 1) || (bufset->elements[0].length != 4)) {
++            /* Malformed bufset, fail */
++            (void)gss_release_buffer_set(&min_stat, &bufset);
++            return SASL_FAIL;
++        }
++        memcpy(&ssf, bufset->elements[0].value, 4);
++        (void)gss_release_buffer_set(&min_stat, &bufset);
++        *mech_ssf = ntohl(ssf);
++        return SASL_OK;
++    default:
++        return SASL_FAIL;
++    }
++
++fallback:
++#endif
++    *mech_ssf = K5_MIN_SSF;
++    return SASL_OK;
++}
++
+ /* The GSS-SPNEGO mechanism does not do SSF negotiation, instead it uses the
+  * flags negotiated by GSSAPI to determine If confidentiality or integrity are
+  * used. These flags are stored in text->qop transalated as layers by the
+@@ -687,7 +740,10 @@ static int gssapi_spnego_ssf(context_t *text,
+     if (text->qop & LAYER_CONFIDENTIALITY) {
+         oparams->encode = &gssapi_privacy_encode;
+         oparams->decode = &gssapi_decode;
+-        oparams->mech_ssf = K5_MAX_SSF;
++        ret = gssapi_get_ssf(text, &oparams->mech_ssf);
++        if (ret != SASL_OK) {
++            return ret;
++        }
+     } else if (text->qop & LAYER_INTEGRITY) {
+         oparams->encode = &gssapi_integrity_encode;
+         oparams->decode = &gssapi_decode;
+@@ -1089,6 +1145,7 @@ gssapi_server_mech_ssfcap(context_t *text,
+     gss_buffer_desc real_input_token, real_output_token;
+     OM_uint32 maj_stat = 0, min_stat = 0;
+     unsigned char sasldata[4];
++    sasl_ssf_t mech_ssf;
+     int ret;
+ 
+     input_token = &real_input_token;
+@@ -1149,9 +1206,14 @@ gssapi_server_mech_ssfcap(context_t *text,
+ 	params->props.maxbufsize) {
+ 	sasldata[0] |= LAYER_INTEGRITY;
+     }
++    ret = gssapi_get_ssf(text, &mech_ssf);
++    if (ret != SASL_OK) {
++	sasl_gss_free_context_contents(text);
++        return ret;
++    }
+     if ((text->qop & LAYER_CONFIDENTIALITY) &&
+-	text->requiressf <= K5_MAX_SSF &&
+-	text->limitssf >= K5_MAX_SSF &&
++	text->requiressf <= mech_ssf &&
++	text->limitssf >= mech_ssf &&
+ 	params->props.maxbufsize) {
+ 	sasldata[0] |= LAYER_CONFIDENTIALITY;
+     }
+@@ -1271,10 +1333,18 @@ gssapi_server_mech_ssfreq(context_t *text,
+ 	} else if (/* For compatibility with broken clients setting both bits */
+ 		   (layerchoice & (LAYER_CONFIDENTIALITY | LAYER_INTEGRITY)) &&
+ 	       (text->qop & LAYER_CONFIDENTIALITY)) { /* privacy */
++        int ret;
+ 	oparams->encode = &gssapi_privacy_encode;
+ 	oparams->decode = &gssapi_decode;
+-	/* FIX ME: Need to extract the proper value here */
+-	oparams->mech_ssf = K5_MAX_SSF;
++
++	ret = gssapi_get_ssf(text, &oparams->mech_ssf);
++        if (ret != SASL_OK) {
++	    GSS_LOCK_MUTEX_CTX(params->utils, text);
++	    gss_release_buffer(&min_stat, output_token);
++	    GSS_UNLOCK_MUTEX_CTX(params->utils, text);
++	    sasl_gss_free_context_contents(text);
++	    return ret;
++	}
+     } else {
+ 	/* not a supported encryption layer */
+ 	SETERROR(text->utils,
+@@ -1845,6 +1915,8 @@ static int gssapi_client_mech_step(void *conn_context,
+ 	unsigned int alen, external = params->external_ssf;
+ 	sasl_ssf_t need, allowed;
+ 	char serverhas, mychoice;
++	sasl_ssf_t mech_ssf;
++	int ret;
+ 	
+ 	real_input_token.value = (void *) serverin;
+ 	real_input_token.length = serverinlen;
+@@ -1879,8 +1951,17 @@ static int gssapi_client_mech_step(void *conn_context,
+ 	    return SASL_FAIL;
+ 	}
+ 
++	ret = gssapi_get_ssf(text, &mech_ssf);
++	if (ret != SASL_OK) {
++	    GSS_LOCK_MUTEX_CTX(params->utils, text);
++	    gss_release_buffer(&min_stat, output_token);
++	    GSS_UNLOCK_MUTEX_CTX(params->utils, text);
++	    sasl_gss_free_context_contents(text);
++	    return SASL_FAIL;
++	}
++
+ 	/* taken from kerberos.c */
+-	if (secprops->min_ssf > (K5_MAX_SSF + external)) {
++	if (secprops->min_ssf > (mech_ssf + external)) {
+ 	    return SASL_TOOWEAK;
+ 	} else if (secprops->min_ssf > secprops->max_ssf) {
+ 	    return SASL_BADPARAM;
+@@ -1904,8 +1985,8 @@ static int gssapi_client_mech_step(void *conn_context,
+ 	
+ 	/* use the strongest layer available */
+ 	if ((text->qop & LAYER_CONFIDENTIALITY) &&
+-	    allowed >= K5_MAX_SSF &&
+-	    need <= K5_MAX_SSF &&
++	    allowed >= mech_ssf &&
++	    need <= mech_ssf &&
+ 	    (serverhas & LAYER_CONFIDENTIALITY)) {
+ 	    
+ 	    const char *ad_compat;
+@@ -1913,8 +1994,7 @@ static int gssapi_client_mech_step(void *conn_context,
+ 	    /* encryption */
+ 	    oparams->encode = &gssapi_privacy_encode;
+ 	    oparams->decode = &gssapi_decode;
+-	    /* FIX ME: Need to extract the proper value here */
+-	    oparams->mech_ssf = K5_MAX_SSF;
++	    oparams->mech_ssf = mech_ssf;
+ 	    mychoice = LAYER_CONFIDENTIALITY;
+ 
+ 	    if (serverhas & LAYER_INTEGRITY) {
+
+
+
+diff -U3 cyrus-sasl-2.1.26.old/config.h.in cyrus-sasl-2.1.26/config.h.in
+--- cyrus-sasl-2.1.26.old/config.h.in   2012-11-06 20:20:59.000000000 +0100
++++ cyrus-sasl-2.1.26/config.h.in       2017-09-21 10:33:36.225258244 +0200
+@@ -132,6 +135,9 @@
+ /* Define if your GSSAPI implementation defines GSS_C_NT_USER_NAME */
+ #undef HAVE_GSS_C_NT_USER_NAME
+ 
++/* Define if your GSSAPI implementation defines GSS_C_SEC_CONTEXT_SASL_SSF */
++#undef HAVE_GSS_C_SEC_CONTEXT_SASL_SSF
++
+ /* Define to 1 if you have the `gss_decapsulate_token' function. */
+ #undef HAVE_GSS_DECAPSULATE_TOKEN
+ 
+@@ -141,6 +147,10 @@
+ /* Define to 1 if you have the `gss_get_name_attribute' function. */
+ #undef HAVE_GSS_GET_NAME_ATTRIBUTE
+ 
++/* Define if your GSSAPI implementation defines gss_inquire_sec_context_by_oid
++   */
++#undef HAVE_GSS_INQUIRE_SEC_CONTEXT_BY_OID
++
+ /* Define to 1 if you have the `gss_oid_equal' function. */
+ #undef HAVE_GSS_OID_EQUAL
+ 
+diff -U3 cyrus-sasl-2.1.26.old/configure cyrus-sasl-2.1.26/configure
+--- cyrus-sasl-2.1.26.old/configure     2017-09-21 10:11:30.557021831 +0200
++++ cyrus-sasl-2.1.26/configure 2017-09-21 10:33:40.389277838 +0200
+@@ -13984,6 +13984,50 @@
+ 
+   LIBS="$cmu_save_LIBS"
+ 
++  cmu_save_LIBS="$LIBS"
++  LIBS="$LIBS $GSSAPIBASE_LIBS"
++  for ac_func in gss_inquire_sec_context_by_oid
++do :
++  ac_fn_c_check_func "$LINENO" "gss_inquire_sec_context_by_oid" "ac_cv_func_gss_inquire_sec_context_by_oid"
++if test "x$ac_cv_func_gss_inquire_sec_context_by_oid" = xyes; then :
++  cat >>confdefs.h <<_ACEOF
++#define HAVE_GSS_INQUIRE_SEC_CONTEXT_BY_OID 1
++_ACEOF
++
++fi
++done
++
++  if test "$ac_cv_func_gss_inquire_sec_context_by_oid" = no ; then
++    if test "$ac_cv_header_gssapi_gssapi_ext_h" = "yes"; then
++      ac_fn_c_check_decl "$LINENO" "gss_inquire_sec_context_by_oid" "ac_cv_have_decl_gss_inquire_sec_context_by_oid" "
++                    $ac_includes_default
++                    #include <gssapi/gssapi_ext.h>
++
++"
++if test "x$ac_cv_have_decl_gss_inquire_sec_context_by_oid" = xyes; then :
++
++$as_echo "#define HAVE_GSS_INQUIRE_SEC_CONTEXT_BY_OID 1" >>confdefs.h
++
++fi
++
++    fi
++  fi
++  if test "$ac_cv_header_gssapi_gssapi_ext_h" = "yes"; then
++    cat confdefs.h - <<_ACEOF >conftest.$ac_ext
++/* end confdefs.h.  */
++#include <gssapi/gssapi_ext.h>
++
++_ACEOF
++if (eval "$ac_cpp conftest.$ac_ext") 2>&5 |
++  $EGREP "GSS_C_SEC_CONTEXT_SASL_SSF" >/dev/null 2>&1; then :
++
++$as_echo "#define HAVE_GSS_C_SEC_CONTEXT_SASL_SSF /**/" >>confdefs.h
++
++fi
++rm -f conftest*
++
++  fi
++
+   cmu_save_LIBS="$LIBS"
+   LIBS="$LIBS $GSSAPIBASE_LIBS"
+   { $as_echo "$as_me:$LINENO: checking for SPNEGO support in GSSAPI libraries" >&5
diff --git a/SOURCES/cyrus-sasl-2.1.26-gssapi-non-encrypt.patch b/SOURCES/cyrus-sasl-2.1.26-gssapi-non-encrypt.patch
new file mode 100644
index 0000000..b066258
--- /dev/null
+++ b/SOURCES/cyrus-sasl-2.1.26-gssapi-non-encrypt.patch
@@ -0,0 +1,28 @@
+diff -up cyrus-sasl-2.1.26/plugins/gssapi.c.gssapi_non_encrypt cyrus-sasl-2.1.26/plugins/gssapi.c
+--- cyrus-sasl-2.1.26/plugins/gssapi.c.gssapi_non_encrypt	2015-05-19 14:57:57.091212254 +0200
++++ cyrus-sasl-2.1.26/plugins/gssapi.c	2015-05-19 15:01:41.681011361 +0200
+@@ -1159,19 +1159,18 @@ gssapi_server_mech_ssfreq(context_t *tex
+     }
+ 
+     layerchoice = (int)(((char *)(output_token->value))[0]);
+-    if (layerchoice == LAYER_NONE &&
+-	(text->qop & LAYER_NONE)) { /* no encryption */
++	if (!(layerchoice & (LAYER_INTEGRITY | LAYER_CONFIDENTIALITY)) &&
++	     (text->qop & LAYER_NONE)) { /* no encryption */
+ 	oparams->encode = NULL;
+ 	oparams->decode = NULL;
+ 	oparams->mech_ssf = 0;
+-    } else if (layerchoice == LAYER_INTEGRITY &&
++	} else if ((layerchoice & LAYER_INTEGRITY) &&
+ 	       (text->qop & LAYER_INTEGRITY)) { /* integrity */
+ 	oparams->encode = &gssapi_integrity_encode;
+ 	oparams->decode = &gssapi_decode;
+ 	oparams->mech_ssf = 1;
+-    } else if ((layerchoice == LAYER_CONFIDENTIALITY ||
+-		/* For compatibility with broken clients setting both bits */
+-		layerchoice == (LAYER_CONFIDENTIALITY|LAYER_INTEGRITY)) &&
++	} else if (/* For compatibility with broken clients setting both bits */
++		   (layerchoice & (LAYER_CONFIDENTIALITY | LAYER_INTEGRITY)) &&
+ 	       (text->qop & LAYER_CONFIDENTIALITY)) { /* privacy */
+ 	oparams->encode = &gssapi_privacy_encode;
+ 	oparams->decode = &gssapi_decode;
diff --git a/SOURCES/cyrus-sasl-2.1.26-gssapi-use-per-connection-mutex.patch b/SOURCES/cyrus-sasl-2.1.26-gssapi-use-per-connection-mutex.patch
new file mode 100644
index 0000000..1b3278b
--- /dev/null
+++ b/SOURCES/cyrus-sasl-2.1.26-gssapi-use-per-connection-mutex.patch
@@ -0,0 +1,710 @@
+From 70a144cc53d09b56aa088fa1f6d433acea31afa7 Mon Sep 17 00:00:00 2001
+From: Alexander Bokovoy <abokovoy@redhat.com>
+Date: Tue, 15 Sep 2015 12:21:22 +0300
+Subject: [PATCH] gssapi: use per-connection mutex where possible
+
+If the same application uses SASL GSSAPI for both client and server operations,
+it may be possible to deadlock in plugins/gssapi.c due to use of a
+global mutex by both client and server code. Multiple outstanding connections should
+be possible, thus introduce per-context locking and use it where it
+makes sense. Note that there are still multiple places where context is
+not available and where a global lock should be in use.
+
+Fixes https://bugzilla.redhat.com/show_bug.cgi?id=1263017
+---
+ plugins/gssapi.c | 225 +++++++++++++++++++++++++++++++------------------------
+ 1 file changed, 126 insertions(+), 99 deletions(-)
+
+diff --git a/plugins/gssapi.c b/plugins/gssapi.c
+index 2fd1b3b..f5d3354 100644
+--- a/plugins/gssapi.c
++++ b/plugins/gssapi.c
+@@ -126,20 +126,29 @@ extern gss_OID gss_nt_service_name;
+  */
+ 
+ #ifdef GSS_USE_MUTEXES
+-#define GSS_LOCK_MUTEX(utils)  \
+-    if(((sasl_utils_t *)(utils))->mutex_lock(gss_mutex) != 0) { \
++#define GSS_LOCK_MUTEX_EXT(utils, mutex)  \
++    if(((sasl_utils_t *)(utils))->mutex_lock(mutex) != 0) { \
+        return SASL_FAIL; \
+     }
+ 
+-#define GSS_UNLOCK_MUTEX(utils) \
+-    if(((sasl_utils_t *)(utils))->mutex_unlock(gss_mutex) != 0) { \
++#define GSS_UNLOCK_MUTEX_EXT(utils, mutex) \
++    if(((sasl_utils_t *)(utils))->mutex_unlock(mutex) != 0) { \
+         return SASL_FAIL; \
+     }
+ 
++#define GSS_LOCK_MUTEX(utils) GSS_LOCK_MUTEX_EXT(utils, gss_mutex)
++#define GSS_UNLOCK_MUTEX(utils) GSS_UNLOCK_MUTEX_EXT(utils, gss_mutex)
++
++#define GSS_LOCK_MUTEX_CTX(utils, ctx) GSS_LOCK_MUTEX_EXT(utils, (ctx)->ctx_mutex)
++#define GSS_UNLOCK_MUTEX_CTX(utils, ctx) GSS_UNLOCK_MUTEX_EXT(utils, (ctx)->ctx_mutex)
++
++
+ static void *gss_mutex = NULL;
+ #else
+ #define GSS_LOCK_MUTEX(utils)
+ #define GSS_UNLOCK_MUTEX(utils)
++#define GSS_LOCK_MUTEX_CTX(utils, ctx)
++#define GSS_UNLOCK_MUTEX_CTX(utils, ctx)
+ #endif
+ 
+ typedef struct context {
+@@ -176,6 +185,7 @@ typedef struct context {
+     
+     char *authid; /* hold the authid between steps - server */
+     const char *user;   /* hold the userid between steps - client */
++    void *ctx_mutex; /* A per-context mutex */
+ } context_t;
+ 
+ enum {
+@@ -355,7 +365,7 @@ sasl_gss_encode(void *context, const struct iovec *invec, unsigned numiov,
+     output_token->value = NULL;
+     output_token->length = 0;
+     
+-    GSS_LOCK_MUTEX(text->utils);
++    GSS_LOCK_MUTEX_CTX(text->utils, text);
+     maj_stat = gss_wrap (&min_stat,
+ 			 text->gss_ctx,
+ 			 privacy,
+@@ -363,14 +373,14 @@ sasl_gss_encode(void *context, const struct iovec *invec, unsigned numiov,
+ 			 input_token,
+ 			 NULL,
+ 			 output_token);
+-    GSS_UNLOCK_MUTEX(text->utils);
++    GSS_UNLOCK_MUTEX_CTX(text->utils, text);
+     
+     if (GSS_ERROR(maj_stat)) {
+ 	sasl_gss_seterror(text->utils, maj_stat, min_stat);
+ 	if (output_token->value) {
+-	    GSS_LOCK_MUTEX(text->utils);
++	    GSS_LOCK_MUTEX_CTX(text->utils, text);
+ 	    gss_release_buffer(&min_stat, output_token);
+-	    GSS_UNLOCK_MUTEX(text->utils);
++	    GSS_UNLOCK_MUTEX_CTX(text->utils, text);
+ 	}
+ 	return SASL_FAIL;
+     }
+@@ -384,9 +394,9 @@ sasl_gss_encode(void *context, const struct iovec *invec, unsigned numiov,
+ 			      output_token->length + 4);
+ 	
+ 	if (ret != SASL_OK) {
+-	    GSS_LOCK_MUTEX(text->utils);
++	    GSS_LOCK_MUTEX_CTX(text->utils, text);
+ 	    gss_release_buffer(&min_stat, output_token);
+-	    GSS_UNLOCK_MUTEX(text->utils);
++	    GSS_UNLOCK_MUTEX_CTX(text->utils, text);
+ 	    return ret;
+ 	}
+ 
+@@ -407,9 +417,9 @@ sasl_gss_encode(void *context, const struct iovec *invec, unsigned numiov,
+     *output = text->encode_buf;
+     
+     if (output_token->value) {
+-	GSS_LOCK_MUTEX(text->utils);
++	GSS_LOCK_MUTEX_CTX(text->utils, text);
+ 	gss_release_buffer(&min_stat, output_token);
+-	GSS_UNLOCK_MUTEX(text->utils);
++	GSS_UNLOCK_MUTEX_CTX(text->utils, text);
+     }
+ 
+     return SASL_OK;
+@@ -455,21 +465,21 @@ gssapi_decode_packet(void *context,
+     output_token->value = NULL;
+     output_token->length = 0;
+     
+-    GSS_LOCK_MUTEX(text->utils);
++    GSS_LOCK_MUTEX_CTX(text->utils, text);
+     maj_stat = gss_unwrap (&min_stat,
+ 			   text->gss_ctx,
+ 			   input_token,
+ 			   output_token,
+ 			   NULL,
+ 			   NULL);
+-    GSS_UNLOCK_MUTEX(text->utils);
++    GSS_UNLOCK_MUTEX_CTX(text->utils, text);
+     
+     if (GSS_ERROR(maj_stat)) {
+ 	sasl_gss_seterror(text->utils,maj_stat,min_stat);
+ 	if (output_token->value) {
+-	    GSS_LOCK_MUTEX(text->utils);
++	    GSS_LOCK_MUTEX_CTX(text->utils, text);
+ 	    gss_release_buffer(&min_stat, output_token);
+-	    GSS_UNLOCK_MUTEX(text->utils);
++	    GSS_UNLOCK_MUTEX_CTX(text->utils, text);
+ 	}
+ 	return SASL_FAIL;
+     }
+@@ -484,17 +494,17 @@ gssapi_decode_packet(void *context,
+ 				     &text->decode_once_buf_len,
+ 				     *outputlen);
+ 	    if (result != SASL_OK) {
+-		GSS_LOCK_MUTEX(text->utils);
++		GSS_LOCK_MUTEX_CTX(text->utils, text);
+ 		gss_release_buffer(&min_stat, output_token);
+-		GSS_UNLOCK_MUTEX(text->utils);
++		GSS_UNLOCK_MUTEX_CTX(text->utils, text);
+ 		return result;
+ 	    }
+ 	    *output = text->decode_once_buf;
+ 	    memcpy(*output, output_token->value, *outputlen);
+ 	}
+-	GSS_LOCK_MUTEX(text->utils);
++	GSS_LOCK_MUTEX_CTX(text->utils, text);
+ 	gss_release_buffer(&min_stat, output_token);
+-	GSS_UNLOCK_MUTEX(text->utils);
++	GSS_UNLOCK_MUTEX_CTX(text->utils, text);
+     }
+     
+     return SASL_OK;
+@@ -525,7 +535,14 @@ static context_t *sasl_gss_new_context(const sasl_utils_t *utils)
+     
+     memset(ret,0,sizeof(context_t));
+     ret->utils = utils;
+-    
++#ifdef GSS_USE_MUTEXES
++    ret->ctx_mutex = utils->mutex_alloc();
++    if (!ret->ctx_mutex) {
++           utils->free(ret);
++           return NULL;
++    }
++#endif
++
+     return ret;
+ }
+ 
+@@ -535,7 +552,11 @@ static int sasl_gss_free_context_contents(context_t *text)
+     
+     if (!text) return SASL_OK;
+     
+-    GSS_LOCK_MUTEX(text->utils);
++#ifdef GSS_USE_MUTEXES
++    if (text->ctx_mutex) {
++        GSS_LOCK_MUTEX_CTX(text->utils, text);
++    }
++#endif
+ 
+     if (text->gss_ctx != GSS_C_NO_CONTEXT) {
+ 	maj_stat = gss_delete_sec_context(&min_stat,&text->gss_ctx,
+@@ -563,8 +584,6 @@ static int sasl_gss_free_context_contents(context_t *text)
+ 	text->client_creds = GSS_C_NO_CREDENTIAL;
+     }
+ 
+-    GSS_UNLOCK_MUTEX(text->utils);
+-    
+     if (text->out_buf) {
+ 	text->utils->free(text->out_buf);
+ 	text->out_buf = NULL;
+@@ -598,6 +617,14 @@ static int sasl_gss_free_context_contents(context_t *text)
+ 	text->authid = NULL;
+     }
+ 
++#ifdef GSS_USE_MUTEXES
++    if (text->ctx_mutex) {
++        GSS_UNLOCK_MUTEX_CTX(text->utils, text);
++        text->utils->mutex_free(text->ctx_mutex);
++        text->ctx_mutex = NULL;
++    }
++#endif
++
+     return SASL_OK;
+ 
+ }
+@@ -692,12 +719,12 @@ gssapi_server_mech_authneg(context_t *text,
+ 	}
+ 	sprintf(name_token.value,"%s@%s", params->service, params->serverFQDN);
+ 
+-	GSS_LOCK_MUTEX(params->utils);
++	GSS_LOCK_MUTEX_CTX(params->utils, text);
+ 	maj_stat = gss_import_name (&min_stat,
+ 				    &name_token,
+ 				    GSS_C_NT_HOSTBASED_SERVICE,
+ 				    &text->server_name);
+-	GSS_UNLOCK_MUTEX(params->utils);
++	GSS_UNLOCK_MUTEX_CTX(params->utils, text);
+ 
+ 	params->utils->free(name_token.value);
+ 	name_token.value = NULL;
+@@ -709,15 +736,15 @@ gssapi_server_mech_authneg(context_t *text,
+ 	}
+ 
+ 	if ( text->server_creds != GSS_C_NO_CREDENTIAL) {
+-	    GSS_LOCK_MUTEX(params->utils);
++	    GSS_LOCK_MUTEX_CTX(params->utils, text);
+ 	    maj_stat = gss_release_cred(&min_stat, &text->server_creds);
+-	    GSS_UNLOCK_MUTEX(params->utils);
++	    GSS_UNLOCK_MUTEX_CTX(params->utils, text);
+ 	    text->server_creds = GSS_C_NO_CREDENTIAL;
+ 	}
+ 
+ 	/* If caller didn't provide creds already */
+ 	if ( server_creds == GSS_C_NO_CREDENTIAL) {
+-	    GSS_LOCK_MUTEX(params->utils);
++	    GSS_LOCK_MUTEX_CTX(params->utils, text);
+ 	    maj_stat = gss_acquire_cred(&min_stat, 
+ 					text->server_name,
+ 					GSS_C_INDEFINITE, 
+@@ -726,7 +753,7 @@ gssapi_server_mech_authneg(context_t *text,
+ 					&text->server_creds, 
+ 					NULL, 
+ 					NULL);
+-	    GSS_UNLOCK_MUTEX(params->utils);
++	    GSS_UNLOCK_MUTEX_CTX(params->utils, text);
+ 
+ 	    if (GSS_ERROR(maj_stat)) {
+ 		sasl_gss_seterror(text->utils, maj_stat, min_stat);
+@@ -743,7 +770,7 @@ gssapi_server_mech_authneg(context_t *text,
+     }
+ 
+ 
+-    GSS_LOCK_MUTEX(params->utils);
++    GSS_LOCK_MUTEX_CTX(params->utils, text);
+     maj_stat =
+ 	gss_accept_sec_context(&min_stat,
+ 			       &(text->gss_ctx),
+@@ -756,15 +783,15 @@ gssapi_server_mech_authneg(context_t *text,
+ 			       &out_flags,
+ 			       NULL,	/* context validity period */
+ 			       &(text->client_creds));
+-    GSS_UNLOCK_MUTEX(params->utils);
++    GSS_UNLOCK_MUTEX_CTX(params->utils, text);
+ 
+     if (GSS_ERROR(maj_stat)) {
+ 	sasl_gss_log(text->utils, maj_stat, min_stat);
+ 	text->utils->seterror(text->utils->conn, SASL_NOLOG, "GSSAPI Failure: gss_accept_sec_context");
+ 	if (output_token->value) {
+-	    GSS_LOCK_MUTEX(params->utils);
++	    GSS_LOCK_MUTEX_CTX(params->utils, text);
+ 	    gss_release_buffer(&min_stat, output_token);
+-	    GSS_UNLOCK_MUTEX(params->utils);
++	    GSS_UNLOCK_MUTEX_CTX(params->utils, text);
+ 	}
+ 	sasl_gss_free_context_contents(text);
+ 	return SASL_BADAUTH;
+@@ -778,18 +805,18 @@ gssapi_server_mech_authneg(context_t *text,
+ 	    ret = _plug_buf_alloc(text->utils, &(text->out_buf),
+ 				  &(text->out_buf_len), *serveroutlen);
+ 	    if(ret != SASL_OK) {
+-		GSS_LOCK_MUTEX(params->utils);
++		GSS_LOCK_MUTEX_CTX(params->utils, text);
+ 		gss_release_buffer(&min_stat, output_token);
+-		GSS_UNLOCK_MUTEX(params->utils);
++		GSS_UNLOCK_MUTEX_CTX(params->utils, text);
+ 		return ret;
+ 	    }
+ 	    memcpy(text->out_buf, output_token->value, *serveroutlen);
+ 	    *serverout = text->out_buf;
+ 	}
+ 
+-	GSS_LOCK_MUTEX(params->utils);
++	GSS_LOCK_MUTEX_CTX(params->utils, text);
+ 	gss_release_buffer(&min_stat, output_token);
+-	GSS_UNLOCK_MUTEX(params->utils);
++	GSS_UNLOCK_MUTEX_CTX(params->utils, text);
+     } else {
+ 	/* No output token, send an empty string */
+ 	*serverout = GSSAPI_BLANK_STRING;
+@@ -832,12 +859,12 @@ gssapi_server_mech_authneg(context_t *text,
+ 	    /* continue with authentication */
+ 	}
+ 
+-    GSS_LOCK_MUTEX(params->utils);
++    GSS_LOCK_MUTEX_CTX(params->utils, text);
+     maj_stat = gss_canonicalize_name(&min_stat,
+ 				     text->client_name,
+ 				     mech_type,
+ 				     &client_name_MN);
+-    GSS_UNLOCK_MUTEX(params->utils);
++    GSS_UNLOCK_MUTEX_CTX(params->utils, text);
+ 
+     if (GSS_ERROR(maj_stat)) {
+ 	SETERROR(text->utils, "GSSAPI Failure: gss_canonicalize_name");
+@@ -848,12 +875,12 @@ gssapi_server_mech_authneg(context_t *text,
+     name_token.value = NULL;
+     name_without_realm.value = NULL;
+ 
+-    GSS_LOCK_MUTEX(params->utils);
++    GSS_LOCK_MUTEX_CTX(params->utils, text);
+     maj_stat = gss_display_name (&min_stat,
+ 				 client_name_MN,
+ 				 &name_token,
+ 				 NULL);
+-    GSS_UNLOCK_MUTEX(params->utils);
++    GSS_UNLOCK_MUTEX_CTX(params->utils, text);
+ 
+     if (GSS_ERROR(maj_stat)) {
+ 	SETERROR(text->utils, "GSSAPI Failure: gss_display_name");
+@@ -883,7 +910,7 @@ gssapi_server_mech_authneg(context_t *text,
+ 
+ 	name_without_realm.length = strlen( (char *) name_without_realm.value );
+ 
+-	GSS_LOCK_MUTEX(params->utils);
++	GSS_LOCK_MUTEX_CTX(params->utils, text);
+ 	maj_stat = gss_import_name (&min_stat,
+ 				    &name_without_realm,
+ 	    /* Solaris 8/9 gss_import_name doesn't accept GSS_C_NULL_OID here,
+@@ -894,7 +921,7 @@ gssapi_server_mech_authneg(context_t *text,
+ 				    GSS_C_NULL_OID,
+ #endif
+ 				    &without);
+-	GSS_UNLOCK_MUTEX(params->utils);
++	GSS_UNLOCK_MUTEX_CTX(params->utils, text);
+ 
+ 	if (GSS_ERROR(maj_stat)) {
+ 	    SETERROR(text->utils, "GSSAPI Failure: gss_import_name");
+@@ -903,12 +930,12 @@ gssapi_server_mech_authneg(context_t *text,
+ 	    goto cleanup;
+ 	}
+ 
+-	GSS_LOCK_MUTEX(params->utils);
++	GSS_LOCK_MUTEX_CTX(params->utils, text);
+ 	maj_stat = gss_compare_name(&min_stat,
+ 				    client_name_MN,
+ 				    without,
+ 				    &equal);
+-	GSS_UNLOCK_MUTEX(params->utils);
++	GSS_UNLOCK_MUTEX_CTX(params->utils, text);
+ 
+ 	if (GSS_ERROR(maj_stat)) {
+ 	    SETERROR(text->utils, "GSSAPI Failure: gss_compare_name");
+@@ -1053,7 +1080,7 @@ gssapi_server_mech_ssfcap(context_t *text,
+     real_input_token.value = (void *)sasldata;
+     real_input_token.length = 4;
+ 
+-    GSS_LOCK_MUTEX(params->utils);
++    GSS_LOCK_MUTEX_CTX(params->utils, text);
+     maj_stat = gss_wrap(&min_stat,
+ 			text->gss_ctx,
+ 			0, /* Just integrity checking here */
+@@ -1061,14 +1088,14 @@ gssapi_server_mech_ssfcap(context_t *text,
+ 			input_token,
+ 			NULL,
+ 			output_token);
+-    GSS_UNLOCK_MUTEX(params->utils);
++    GSS_UNLOCK_MUTEX_CTX(params->utils, text);
+ 
+     if (GSS_ERROR(maj_stat)) {
+ 	sasl_gss_seterror(text->utils, maj_stat, min_stat);
+ 	if (output_token->value) {
+-	    GSS_LOCK_MUTEX(params->utils);
++	    GSS_LOCK_MUTEX_CTX(params->utils, text);
+ 	    gss_release_buffer(&min_stat, output_token);
+-	    GSS_UNLOCK_MUTEX(params->utils);
++	    GSS_UNLOCK_MUTEX_CTX(params->utils, text);
+ 	}
+ 	sasl_gss_free_context_contents(text);
+ 	return SASL_FAIL;
+@@ -1082,18 +1109,18 @@ gssapi_server_mech_ssfcap(context_t *text,
+ 	    ret = _plug_buf_alloc(text->utils, &(text->out_buf),
+ 				  &(text->out_buf_len), *serveroutlen);
+ 	    if(ret != SASL_OK) {
+-		GSS_LOCK_MUTEX(params->utils);
++		GSS_LOCK_MUTEX_CTX(params->utils, text);
+ 		gss_release_buffer(&min_stat, output_token);
+-		GSS_UNLOCK_MUTEX(params->utils);
++		GSS_UNLOCK_MUTEX_CTX(params->utils, text);
+ 		return ret;
+ 	    }
+ 	    memcpy(text->out_buf, output_token->value, *serveroutlen);
+ 	    *serverout = text->out_buf;
+ 	}
+ 
+-	GSS_LOCK_MUTEX(params->utils);
++	GSS_LOCK_MUTEX_CTX(params->utils, text);
+ 	gss_release_buffer(&min_stat, output_token);
+-	GSS_UNLOCK_MUTEX(params->utils);
++	GSS_UNLOCK_MUTEX_CTX(params->utils, text);
+     }
+ 
+     /* Wait for ssf request and authid */
+@@ -1124,14 +1151,14 @@ gssapi_server_mech_ssfreq(context_t *text,
+     real_input_token.value = (void *)clientin;
+     real_input_token.length = clientinlen;
+ 
+-    GSS_LOCK_MUTEX(params->utils);
++    GSS_LOCK_MUTEX_CTX(params->utils, text);
+     maj_stat = gss_unwrap(&min_stat,
+ 			  text->gss_ctx,
+ 			  input_token,
+ 			  output_token,
+ 			  NULL,
+ 			  NULL);
+-    GSS_UNLOCK_MUTEX(params->utils);
++    GSS_UNLOCK_MUTEX_CTX(params->utils, text);
+ 
+     if (GSS_ERROR(maj_stat)) {
+ 	sasl_gss_seterror(text->utils, maj_stat, min_stat);
+@@ -1142,9 +1169,9 @@ gssapi_server_mech_ssfreq(context_t *text,
+     if (output_token->length < 4) {
+ 	SETERROR(text->utils,
+ 		 "token too short");
+-	GSS_LOCK_MUTEX(params->utils);
++	GSS_LOCK_MUTEX_CTX(params->utils, text);
+ 	gss_release_buffer(&min_stat, output_token);
+-	GSS_UNLOCK_MUTEX(params->utils);
++	GSS_UNLOCK_MUTEX_CTX(params->utils, text);
+ 	sasl_gss_free_context_contents(text);
+ 	return SASL_FAIL;
+     }
+@@ -1175,9 +1202,9 @@ gssapi_server_mech_ssfreq(context_t *text,
+ 	/* Mark that we attempted negotiation */
+ 	oparams->mech_ssf = 2;
+ 	if (output_token->value) {
+-	    GSS_LOCK_MUTEX(params->utils);
++	    GSS_LOCK_MUTEX_CTX(params->utils, text);
+ 	    gss_release_buffer(&min_stat, output_token);
+-	    GSS_UNLOCK_MUTEX(params->utils);
++	    GSS_UNLOCK_MUTEX_CTX(params->utils, text);
+ 	}
+ 	sasl_gss_free_context_contents(text);
+ 	return SASL_FAIL;
+@@ -1221,9 +1248,9 @@ gssapi_server_mech_ssfreq(context_t *text,
+ 	}    
+     }
+ 	
+-    GSS_LOCK_MUTEX(params->utils);
++    GSS_LOCK_MUTEX_CTX(params->utils, text);
+     gss_release_buffer(&min_stat, output_token);
+-    GSS_UNLOCK_MUTEX(params->utils);
++    GSS_UNLOCK_MUTEX_CTX(params->utils, text);
+ 
+     text->state = SASL_GSSAPI_STATE_AUTHENTICATED;
+ 
+@@ -1547,12 +1574,12 @@ static int gssapi_client_mech_step(void *conn_context,
+ 	    
+ 	    sprintf(name_token.value,"%s@%s", params->service, params->serverFQDN);
+ 	    
+-	    GSS_LOCK_MUTEX(params->utils);
++	    GSS_LOCK_MUTEX_CTX(params->utils, text);
+ 	    maj_stat = gss_import_name (&min_stat,
+ 					&name_token,
+ 					GSS_C_NT_HOSTBASED_SERVICE,
+ 					&text->server_name);
+-	    GSS_UNLOCK_MUTEX(params->utils);
++	    GSS_UNLOCK_MUTEX_CTX(params->utils, text);
+ 	    
+ 	    params->utils->free(name_token.value);
+ 	    name_token.value = NULL;
+@@ -1576,9 +1603,9 @@ static int gssapi_client_mech_step(void *conn_context,
+ 	     * and no input from the server.  However, thanks to Imap,
+ 	     * which discards our first output, this happens all the time.
+ 	     * Throw away the context and try again. */
+-	    GSS_LOCK_MUTEX(params->utils);
++	    GSS_LOCK_MUTEX_CTX(params->utils, text);
+ 	    maj_stat = gss_delete_sec_context (&min_stat,&text->gss_ctx,GSS_C_NO_BUFFER);
+-	    GSS_UNLOCK_MUTEX(params->utils);
++	    GSS_UNLOCK_MUTEX_CTX(params->utils, text);
+ 	    text->gss_ctx = GSS_C_NO_CONTEXT;
+ 	}
+ 
+@@ -1600,7 +1627,7 @@ static int gssapi_client_mech_step(void *conn_context,
+ 	    req_flags = req_flags |  GSS_C_DELEG_FLAG;
+ 	}
+ 
+-	GSS_LOCK_MUTEX(params->utils);
++	GSS_LOCK_MUTEX_CTX(params->utils, text);
+ 	maj_stat = gss_init_sec_context(&min_stat,
+ 					client_creds, /* GSS_C_NO_CREDENTIAL */
+ 					&text->gss_ctx,
+@@ -1614,14 +1641,14 @@ static int gssapi_client_mech_step(void *conn_context,
+ 					output_token,
+ 					&out_req_flags,
+ 					NULL);
+-	GSS_UNLOCK_MUTEX(params->utils);
++	GSS_UNLOCK_MUTEX_CTX(params->utils, text);
+ 	
+ 	if (GSS_ERROR(maj_stat)) {
+ 	    sasl_gss_seterror(text->utils, maj_stat, min_stat);
+ 	    if (output_token->value) {
+-		GSS_LOCK_MUTEX(params->utils);
++		GSS_LOCK_MUTEX_CTX(params->utils, text);
+ 		gss_release_buffer(&min_stat, output_token);
+-		GSS_UNLOCK_MUTEX(params->utils);
++		GSS_UNLOCK_MUTEX_CTX(params->utils, text);
+ 	    }
+ 	    sasl_gss_free_context_contents(text);
+ 	    return SASL_FAIL;
+@@ -1652,22 +1679,22 @@ static int gssapi_client_mech_step(void *conn_context,
+ 		ret = _plug_buf_alloc(text->utils, &(text->out_buf),
+ 				      &(text->out_buf_len), *clientoutlen);
+ 		if(ret != SASL_OK) {
+-		    GSS_LOCK_MUTEX(params->utils);
++		    GSS_LOCK_MUTEX_CTX(params->utils, text);
+ 		    gss_release_buffer(&min_stat, output_token);
+-		    GSS_UNLOCK_MUTEX(params->utils);
++		    GSS_UNLOCK_MUTEX_CTX(params->utils, text);
+ 		    return ret;
+ 		}
+ 		memcpy(text->out_buf, output_token->value, *clientoutlen);
+ 		*clientout = text->out_buf;
+ 	    }
+ 	    
+-	    GSS_LOCK_MUTEX(params->utils);
++	    GSS_LOCK_MUTEX_CTX(params->utils, text);
+ 	    gss_release_buffer(&min_stat, output_token);
+-	    GSS_UNLOCK_MUTEX(params->utils);
++	    GSS_UNLOCK_MUTEX_CTX(params->utils, text);
+ 	}
+ 	
+ 	if (maj_stat == GSS_S_COMPLETE) {
+-	    GSS_LOCK_MUTEX(params->utils);
++	    GSS_LOCK_MUTEX_CTX(params->utils, text);
+ 	    maj_stat = gss_inquire_context(&min_stat,
+ 					   text->gss_ctx,
+ 					   &text->client_name,
+@@ -1678,7 +1705,7 @@ static int gssapi_client_mech_step(void *conn_context,
+ 					   NULL,       /* flags */
+ 					   NULL,       /* local init */
+ 					   NULL);      /* open */
+-	    GSS_UNLOCK_MUTEX(params->utils);
++	    GSS_UNLOCK_MUTEX_CTX(params->utils, text);
+ 	    
+ 	    if (GSS_ERROR(maj_stat)) {
+ 		sasl_gss_seterror(text->utils, maj_stat, min_stat);
+@@ -1687,18 +1714,18 @@ static int gssapi_client_mech_step(void *conn_context,
+ 	    }
+ 	    
+ 	    name_token.length = 0;
+-	    GSS_LOCK_MUTEX(params->utils);
++	    GSS_LOCK_MUTEX_CTX(params->utils, text);
+ 	    maj_stat = gss_display_name(&min_stat,
+ 					text->client_name,
+ 					&name_token,
+ 					NULL);
+-	    GSS_UNLOCK_MUTEX(params->utils);
++	    GSS_UNLOCK_MUTEX_CTX(params->utils, text);
+ 	    
+ 	    if (GSS_ERROR(maj_stat)) {
+ 		if (name_token.value) {
+-		    GSS_LOCK_MUTEX(params->utils);
++		    GSS_LOCK_MUTEX_CTX(params->utils, text);
+ 		    gss_release_buffer(&min_stat, &name_token);
+-		    GSS_UNLOCK_MUTEX(params->utils);
++		    GSS_UNLOCK_MUTEX_CTX(params->utils, text);
+ 		}
+ 		SETERROR(text->utils, "GSSAPI Failure");
+ 		sasl_gss_free_context_contents(text);
+@@ -1719,9 +1746,9 @@ static int gssapi_client_mech_step(void *conn_context,
+ 					 SASL_CU_AUTHID | SASL_CU_AUTHZID,
+ 					 oparams);
+ 	    }
+-	    GSS_LOCK_MUTEX(params->utils);
++	    GSS_LOCK_MUTEX_CTX(params->utils, text);
+ 	    gss_release_buffer(&min_stat, &name_token);
+-	    GSS_UNLOCK_MUTEX(params->utils);
++	    GSS_UNLOCK_MUTEX_CTX(params->utils, text);
+ 	    
+ 	    if (ret != SASL_OK) return ret;
+ 	    
+@@ -1747,32 +1774,32 @@ static int gssapi_client_mech_step(void *conn_context,
+ 	real_input_token.value = (void *) serverin;
+ 	real_input_token.length = serverinlen;
+ 	
+-	GSS_LOCK_MUTEX(params->utils);
++	GSS_LOCK_MUTEX_CTX(params->utils, text);
+ 	maj_stat = gss_unwrap(&min_stat,
+ 			      text->gss_ctx,
+ 			      input_token,
+ 			      output_token,
+ 			      NULL,
+ 			      NULL);
+-	GSS_UNLOCK_MUTEX(params->utils);
++	GSS_UNLOCK_MUTEX_CTX(params->utils, text);
+ 	
+ 	if (GSS_ERROR(maj_stat)) {
+ 	    sasl_gss_seterror(text->utils, maj_stat, min_stat);
+-	    sasl_gss_free_context_contents(text);
+ 	    if (output_token->value) {
+-		GSS_LOCK_MUTEX(params->utils);
++		GSS_LOCK_MUTEX_CTX(params->utils, text);
+ 		gss_release_buffer(&min_stat, output_token);
+-		GSS_UNLOCK_MUTEX(params->utils);
++		GSS_UNLOCK_MUTEX_CTX(params->utils, text);
+ 	    }
++	    sasl_gss_free_context_contents(text);
+ 	    return SASL_FAIL;
+ 	}
+ 	
+ 	if (output_token->length != 4) {
+ 	    SETERROR(text->utils,
+ 		     (output_token->length < 4) ? "token too short" : "token too long");
+-	    GSS_LOCK_MUTEX(params->utils);
++	    GSS_LOCK_MUTEX_CTX(params->utils, text);
+ 	    gss_release_buffer(&min_stat, output_token);
+-	    GSS_UNLOCK_MUTEX(params->utils);
++	    GSS_UNLOCK_MUTEX_CTX(params->utils, text);
+ 	    sasl_gss_free_context_contents(text);
+ 	    return SASL_FAIL;
+ 	}
+@@ -1873,9 +1900,9 @@ static int gssapi_client_mech_step(void *conn_context,
+ 	    }
+ 	}
+ 	
+-	GSS_LOCK_MUTEX(params->utils);
++	GSS_LOCK_MUTEX_CTX(params->utils, text);
+ 	gss_release_buffer(&min_stat, output_token);
+-	GSS_UNLOCK_MUTEX(params->utils);
++	GSS_UNLOCK_MUTEX_CTX(params->utils, text);
+ 	
+ 	/* oparams->user is always set, due to canon_user requirements.
+ 	 * Make sure the client actually requested it though, by checking
+@@ -1921,7 +1948,7 @@ static int gssapi_client_mech_step(void *conn_context,
+ 	}
+ 	((unsigned char *)input_token->value)[0] = mychoice;
+ 	
+-	GSS_LOCK_MUTEX(params->utils);
++	GSS_LOCK_MUTEX_CTX(params->utils, text);
+ 	maj_stat = gss_wrap (&min_stat,
+ 			     text->gss_ctx,
+ 			     0, /* Just integrity checking here */
+@@ -1929,7 +1956,7 @@ static int gssapi_client_mech_step(void *conn_context,
+ 			     input_token,
+ 			     NULL,
+ 			     output_token);
+-	GSS_UNLOCK_MUTEX(params->utils);
++	GSS_UNLOCK_MUTEX_CTX(params->utils, text);
+ 	
+ 	params->utils->free(input_token->value);
+ 	input_token->value = NULL;
+@@ -1937,9 +1964,9 @@ static int gssapi_client_mech_step(void *conn_context,
+ 	if (GSS_ERROR(maj_stat)) {
+ 	    sasl_gss_seterror(text->utils, maj_stat, min_stat);
+ 	    if (output_token->value) {
+-		GSS_LOCK_MUTEX(params->utils);
++		GSS_LOCK_MUTEX_CTX(params->utils, text);
+ 		gss_release_buffer(&min_stat, output_token);
+-		GSS_UNLOCK_MUTEX(params->utils);
++		GSS_UNLOCK_MUTEX_CTX(params->utils, text);
+ 	    }
+ 	    sasl_gss_free_context_contents(text);
+ 	    return SASL_FAIL;
+@@ -1955,18 +1982,18 @@ static int gssapi_client_mech_step(void *conn_context,
+ 				      &(text->out_buf_len),
+ 				      *clientoutlen);
+ 		if (ret != SASL_OK) {
+-		    GSS_LOCK_MUTEX(params->utils);
++		    GSS_LOCK_MUTEX_CTX(params->utils, text);
+ 		    gss_release_buffer(&min_stat, output_token);
+-		    GSS_UNLOCK_MUTEX(params->utils);
++		    GSS_UNLOCK_MUTEX_CTX(params->utils, text);
+ 		    return ret;
+ 		}
+ 		memcpy(text->out_buf, output_token->value, *clientoutlen);
+ 		*clientout = text->out_buf;
+ 	    }
+ 	    
+-	    GSS_LOCK_MUTEX(params->utils);
++	    GSS_LOCK_MUTEX_CTX(params->utils, text);
+ 	    gss_release_buffer(&min_stat, output_token);
+-	    GSS_UNLOCK_MUTEX(params->utils);
++	    GSS_UNLOCK_MUTEX_CTX(params->utils, text);
+ 
+ 	}
+ 	
+-- 
+2.4.3
+
+
diff --git a/SOURCES/cyrus-sasl-2.1.26-handle-single-character-mechanisms.patch b/SOURCES/cyrus-sasl-2.1.26-handle-single-character-mechanisms.patch
new file mode 100644
index 0000000..6931d4d
--- /dev/null
+++ b/SOURCES/cyrus-sasl-2.1.26-handle-single-character-mechanisms.patch
@@ -0,0 +1,29 @@
+From 7739268e775e6ed91509727b014cc1d367ad386d Mon Sep 17 00:00:00 2001
+From: Alexey Melnikov <alexey.melnikov@isode.com>
+Date: Sun, 30 Mar 2014 15:13:34 +0100
+Subject: When processing a list of mechanism names, we shouldn't allow a short
+ prefix match the whole mechanism name
+
+"A", "AN", etc where matching "ANONYMOUS". This patch fixes that.
+
+As reported by plautrba@redhat.com
+
+diff --git a/lib/common.c b/lib/common.c
+index e0f59eb..672fe2f 100644
+--- a/lib/common.c
++++ b/lib/common.c
+@@ -2428,6 +2428,11 @@ int _sasl_is_equal_mech(const char *req_mech,
+         *plus = 0;
+     }
+ 
++    if (n < strlen(plug_mech)) {
++	/* Don't allow arbitrary prefix match */
++	return 0;
++    }
++
+     return (strncasecmp(req_mech, plug_mech, n) == 0);
+ }
+ 
+-- 
+cgit v0.10.2
+
diff --git a/SOURCES/cyrus-sasl-2.1.26-keytab.patch b/SOURCES/cyrus-sasl-2.1.26-keytab.patch
new file mode 100644
index 0000000..390b517
--- /dev/null
+++ b/SOURCES/cyrus-sasl-2.1.26-keytab.patch
@@ -0,0 +1,36 @@
+diff --git a/cmulocal/sasl2.m4 b/cmulocal/sasl2.m4
+index 3c2841a..b086b8f 100644
+--- a/cmulocal/sasl2.m4
++++ b/cmulocal/sasl2.m4
+@@ -269,6 +269,18 @@ if test "$gssapi" != no; then
+   cmu_save_LIBS="$LIBS"
+   LIBS="$LIBS $GSSAPIBASE_LIBS"
+   AC_CHECK_FUNCS(gsskrb5_register_acceptor_identity)
++  if test "$ac_cv_func_gsskrb5_register_acceptor_identity" = no ; then
++    AC_CHECK_HEADERS(gssapi/gssapi_krb5.h)
++    if test "$ac_cv_header_gssapi_gssapi_krb5_h" = "yes"; then
++      AC_CHECK_DECL(gsskrb5_register_acceptor_identity,
++                    [AC_DEFINE(HAVE_GSSKRB5_REGISTER_ACCEPTOR_IDENTITY,1,
++                               [Define if your GSSAPI implementation defines gsskrb5_register_acceptor_identity])],,
++                    [
++                    AC_INCLUDES_DEFAULT
++                    #include <gssapi/gssapi_krb5.h>
++                    ])
++    fi
++  fi
+   AC_CHECK_FUNCS(gss_decapsulate_token)
+   AC_CHECK_FUNCS(gss_encapsulate_token)
+   AC_CHECK_FUNCS(gss_oid_equal)
+diff --git a/plugins/gssapi.c b/plugins/gssapi.c
+index 6be9d23..e6fcf46 100644
+--- a/plugins/gssapi.c
++++ b/plugins/gssapi.c
+@@ -51,6 +51,8 @@
+ #include <gssapi/gssapi.h>
+ #endif
+ 
++#include <gssapi/gssapi_krb5.h>
++
+ #ifdef WIN32
+ #  include <winsock2.h>
+ 
diff --git a/SOURCES/cyrus-sasl-2.1.26-make-client-thread-sage.patch b/SOURCES/cyrus-sasl-2.1.26-make-client-thread-sage.patch
new file mode 100644
index 0000000..9deee8b
--- /dev/null
+++ b/SOURCES/cyrus-sasl-2.1.26-make-client-thread-sage.patch
@@ -0,0 +1,66 @@
+From 3d48a475054911856b736ca2720b82f529dd68cf Mon Sep 17 00:00:00 2001
+From: Noriko Hosoi <nhosoi@redhat.com>
+Date: Wed, 1 Oct 2014 14:20:27 -0700
+Subject: [PATCH] Bug 1147659 - cyrus-sasl client library (client.c) is not
+ thread safe
+
+Description: client_dispose (lib/clinet.c) which closes a connection
+of a sasl client frees mech_list if the head of the list differs
+from the head of the global cmechlist->mech_list.  But there was a
+possibility that the list appears in the middle of the global mech
+list.  By freeing the mech, it crashed a multi-threaded sasl client.
+
+This patch checks each mech if it is in the global mech list or not.
+Only if it is not, the mech is freed.
+---
+ lib/client.c | 27 +++++++++++++++++++++++++++
+ 1 file changed, 27 insertions(+)
+
+diff --git a/lib/client.c b/lib/client.c
+index 31fe346..3f76483 100644
+--- a/lib/client.c
++++ b/lib/client.c
+@@ -324,6 +324,26 @@ int sasl_client_init(const sasl_callback_t *callbacks)
+   return ret;
+ }
+ 
++/*
++ * If mech is in cmechlist->mech_list, return 1
++ * Otherwise, return 0
++ */
++static int mech_is_in_cmechlist(cmechanism_t *mech)
++{
++  cmechanism_t *m = cmechlist->mech_list;
++  if (NULL == mech) {
++    return 0;
++  }
++  
++  while (m && mech) {
++    if (m == mech) {
++      return 1;
++    }
++    m = m->next;
++  }
++  return 0;
++}
++
+ static void client_dispose(sasl_conn_t *pconn)
+ {
+   sasl_client_conn_t *c_conn=(sasl_client_conn_t *) pconn;
+@@ -352,6 +372,13 @@ static void client_dispose(sasl_conn_t *pconn)
+       while (m) {
+ 	  prevm = m;
+ 	  m = m->next;
++	  if (mech_is_in_cmechlist(prevm)) {
++	    /*
++	     * If prevm exists in the global mech_list cmechlist->mech_list,
++	     * we should not free it as well as the rest of the list.
++	     */
++	    break;
++	  }
+ 	  sasl_FREE(prevm);    
+       }
+   }
+-- 
+1.9.3
+
diff --git a/SOURCES/cyrus-sasl-2.1.26-md5global.patch b/SOURCES/cyrus-sasl-2.1.26-md5global.patch
new file mode 100644
index 0000000..744962f
--- /dev/null
+++ b/SOURCES/cyrus-sasl-2.1.26-md5global.patch
@@ -0,0 +1,385 @@
+diff -up cyrus-sasl-2.1.26/include/Makefile.am.md5global.h cyrus-sasl-2.1.26/include/Makefile.am
+--- cyrus-sasl-2.1.26/include/Makefile.am.md5global.h	2012-01-28 00:31:36.000000000 +0100
++++ cyrus-sasl-2.1.26/include/Makefile.am	2013-09-03 13:12:17.623999149 +0200
+@@ -47,16 +47,7 @@ noinst_HEADERS = gai.h exits.h
+ saslincludedir = $(includedir)/sasl
+ saslinclude_HEADERS = hmac-md5.h md5.h md5global.h sasl.h saslplug.h saslutil.h prop.h
+ 
+-noinst_PROGRAMS = makemd5
+-
+-makemd5_SOURCES = makemd5.c
+-
+-md5global.h: makemd5
+-	-rm -f md5global.h
+-	./makemd5 md5global.h
+-
+ EXTRA_DIST = NTMakefile
+-DISTCLEANFILES = md5global.h
+ 
+ if MACOSX
+ framedir = /Library/Frameworks/SASL2.framework
+diff -up cyrus-sasl-2.1.26/include/Makefile.in.md5global.h cyrus-sasl-2.1.26/include/Makefile.in
+--- cyrus-sasl-2.1.26/include/Makefile.in.md5global.h	2013-09-03 13:09:27.860999892 +0200
++++ cyrus-sasl-2.1.26/include/Makefile.in	2013-09-03 13:12:21.726000002 +0200
+@@ -1,4 +1,4 @@
+-# Makefile.in generated by automake 1.11 from Makefile.am.
++# Makefile.in generated by automake 1.11.1 from Makefile.am.
+ # @configure_input@
+ 
+ # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
+@@ -60,7 +60,6 @@
+ ################################################################
+ 
+ 
+-
+ VPATH = @srcdir@
+ pkgdatadir = $(datadir)/@PACKAGE@
+ pkgincludedir = $(includedir)/@PACKAGE@
+@@ -81,48 +80,19 @@ POST_UNINSTALL = :
+ build_triplet = @build@
+ host_triplet = @host@
+ target_triplet = @target@
+-noinst_PROGRAMS = makemd5$(EXEEXT)
+ subdir = include
+ DIST_COMMON = $(noinst_HEADERS) $(saslinclude_HEADERS) \
+ 	$(srcdir)/Makefile.am $(srcdir)/Makefile.in
+ ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
+-am__aclocal_m4_deps = $(top_srcdir)/config/kerberos_v4.m4 \
+-	$(top_srcdir)/config/libtool.m4 $(top_srcdir)/config/plain.m4 \
+-	$(top_srcdir)/config/sasldb.m4 \
+-	$(top_srcdir)/cmulocal/berkdb.m4 \
+-	$(top_srcdir)/cmulocal/bsd_sockets.m4 \
+-	$(top_srcdir)/cmulocal/c-attribute.m4 \
+-	$(top_srcdir)/cmulocal/common.m4 \
+-	$(top_srcdir)/cmulocal/cyrus.m4 \
+-	$(top_srcdir)/cmulocal/init_automake.m4 \
+-	$(top_srcdir)/cmulocal/ipv6.m4 \
+-	$(top_srcdir)/cmulocal/openldap.m4 \
+-	$(top_srcdir)/cmulocal/openssl.m4 \
+-	$(top_srcdir)/cmulocal/sasl2.m4 $(top_srcdir)/configure.in
++am__aclocal_m4_deps = $(top_srcdir)/configure.in
+ am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
+ 	$(ACLOCAL_M4)
+ mkinstalldirs = $(SHELL) $(top_srcdir)/config/mkinstalldirs
+ CONFIG_HEADER = $(top_builddir)/config.h
+ CONFIG_CLEAN_FILES =
+ CONFIG_CLEAN_VPATH_FILES =
+-PROGRAMS = $(noinst_PROGRAMS)
+-am_makemd5_OBJECTS = makemd5.$(OBJEXT)
+-makemd5_OBJECTS = $(am_makemd5_OBJECTS)
+-makemd5_LDADD = $(LDADD)
+-DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir)
+-depcomp = $(SHELL) $(top_srcdir)/config/depcomp
+-am__depfiles_maybe = depfiles
+-am__mv = mv -f
+-COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
+-	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+-LTCOMPILE = $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+-	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
+-	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+-CCLD = $(CC)
+-LINK = $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link \
+-	$(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) $(LDFLAGS) -o $@
+-SOURCES = $(makemd5_SOURCES)
+-DIST_SOURCES = $(makemd5_SOURCES)
++SOURCES =
++DIST_SOURCES =
+ am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
+ am__vpath_adj = case $$p in \
+     $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
+@@ -153,6 +123,7 @@ CTAGS = ctags
+ DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+ ACLOCAL = @ACLOCAL@
+ AMTAR = @AMTAR@
++AR = @AR@
+ AUTOCONF = @AUTOCONF@
+ AUTOHEADER = @AUTOHEADER@
+ AUTOMAKE = @AUTOMAKE@
+@@ -160,7 +131,6 @@ AWK = @AWK@
+ CC = @CC@
+ CCDEPMODE = @CCDEPMODE@
+ CFLAGS = @CFLAGS@
+-CMU_LIB_SUBDIR = @CMU_LIB_SUBDIR@
+ CPP = @CPP@
+ CPPFLAGS = @CPPFLAGS@
+ CYGPATH_W = @CYGPATH_W@
+@@ -168,17 +138,18 @@ DEFS = @DEFS@
+ DEPDIR = @DEPDIR@
+ DIRS = @DIRS@
+ DMALLOC_LIBS = @DMALLOC_LIBS@
++DSYMUTIL = @DSYMUTIL@
++DUMPBIN = @DUMPBIN@
+ ECHO_C = @ECHO_C@
+ ECHO_N = @ECHO_N@
+ ECHO_T = @ECHO_T@
+ EGREP = @EGREP@
+ EXEEXT = @EXEEXT@
++FGREP = @FGREP@
+ GETADDRINFOOBJS = @GETADDRINFOOBJS@
+ GETNAMEINFOOBJS = @GETNAMEINFOOBJS@
+ GETSUBOPT = @GETSUBOPT@
+ GREP = @GREP@
+-GSSAPIBASE_LIBS = @GSSAPIBASE_LIBS@
+-GSSAPI_LIBS = @GSSAPI_LIBS@
+ INSTALL = @INSTALL@
+ INSTALL_DATA = @INSTALL_DATA@
+ INSTALL_PROGRAM = @INSTALL_PROGRAM@
+@@ -190,19 +161,18 @@ JAVADOC = @JAVADOC@
+ JAVAH = @JAVAH@
+ JAVAROOT = @JAVAROOT@
+ JAVA_INCLUDES = @JAVA_INCLUDES@
++LD = @LD@
+ LDFLAGS = @LDFLAGS@
+ LIBOBJS = @LIBOBJS@
+ LIBS = @LIBS@
+ LIBTOOL = @LIBTOOL@
+-LIB_CRYPT = @LIB_CRYPT@
+-LIB_DES = @LIB_DES@
+ LIB_DOOR = @LIB_DOOR@
+ LIB_LDAP = @LIB_LDAP@
+ LIB_MYSQL = @LIB_MYSQL@
+ LIB_PGSQL = @LIB_PGSQL@
+-LIB_SOCKET = @LIB_SOCKET@
+ LIB_SQLITE = @LIB_SQLITE@
+ LIB_SQLITE3 = @LIB_SQLITE3@
++LIPO = @LIPO@
+ LN_S = @LN_S@
+ LTGETADDRINFOOBJS = @LTGETADDRINFOOBJS@
+ LTGETNAMEINFOOBJS = @LTGETNAMEINFOOBJS@
+@@ -211,8 +181,12 @@ LTSNPRINTFOBJS = @LTSNPRINTFOBJS@
+ MAKEINFO = @MAKEINFO@
+ MKDIR_P = @MKDIR_P@
+ NM = @NM@
++NMEDIT = @NMEDIT@
+ NTLM_LIBS = @NTLM_LIBS@
++OBJDUMP = @OBJDUMP@
+ OBJEXT = @OBJEXT@
++OTOOL = @OTOOL@
++OTOOL64 = @OTOOL64@
+ OTP_LIBS = @OTP_LIBS@
+ PACKAGE = @PACKAGE@
+ PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
+@@ -222,19 +196,11 @@ PACKAGE_TARNAME = @PACKAGE_TARNAME@
+ PACKAGE_VERSION = @PACKAGE_VERSION@
+ PASSDSS_LIBS = @PASSDSS_LIBS@
+ PATH_SEPARATOR = @PATH_SEPARATOR@
+-PLAIN_LIBS = @PLAIN_LIBS@
+ PURECOV = @PURECOV@
+ PURIFY = @PURIFY@
+ PWCHECKMETH = @PWCHECKMETH@
+ RANLIB = @RANLIB@
+-SASL_DB_BACKEND = @SASL_DB_BACKEND@
+-SASL_DB_BACKEND_STATIC = @SASL_DB_BACKEND_STATIC@
+-SASL_DB_INC = @SASL_DB_INC@
+-SASL_DB_LIB = @SASL_DB_LIB@
+-SASL_DB_MANS = @SASL_DB_MANS@
+-SASL_DB_UTILS = @SASL_DB_UTILS@
+ SASL_DL_LIB = @SASL_DL_LIB@
+-SASL_KRB_LIB = @SASL_KRB_LIB@
+ SASL_MECHS = @SASL_MECHS@
+ SASL_STATIC_LIBS = @SASL_STATIC_LIBS@
+ SASL_STATIC_OBJS = @SASL_STATIC_OBJS@
+@@ -242,6 +208,7 @@ SASL_STATIC_SRCS = @SASL_STATIC_SRCS@
+ SASL_UTIL_HEADERS_EXTRA = @SASL_UTIL_HEADERS_EXTRA@
+ SASL_UTIL_LIBS_EXTRA = @SASL_UTIL_LIBS_EXTRA@
+ SCRAM_LIBS = @SCRAM_LIBS@
++SED = @SED@
+ SET_MAKE = @SET_MAKE@
+ SFIO_INC_FLAGS = @SFIO_INC_FLAGS@
+ SFIO_LIB_FLAGS = @SFIO_LIB_FLAGS@
+@@ -256,6 +223,7 @@ abs_srcdir = @abs_srcdir@
+ abs_top_builddir = @abs_top_builddir@
+ abs_top_srcdir = @abs_top_srcdir@
+ ac_ct_CC = @ac_ct_CC@
++ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
+ am__include = @am__include@
+ am__leading_dot = @am__leading_dot@
+ am__quote = @am__quote@
+@@ -287,6 +255,7 @@ libdir = @libdir@
+ libexecdir = @libexecdir@
+ localedir = @localedir@
+ localstatedir = @localstatedir@
++lt_ECHO = @lt_ECHO@
+ mandir = @mandir@
+ mkdir_p = @mkdir_p@
+ oldincludedir = @oldincludedir@
+@@ -311,16 +280,13 @@ top_srcdir = @top_srcdir@
+ noinst_HEADERS = gai.h exits.h
+ saslincludedir = $(includedir)/sasl
+ saslinclude_HEADERS = hmac-md5.h md5.h md5global.h sasl.h saslplug.h saslutil.h prop.h
+-makemd5_SOURCES = makemd5.c
+ EXTRA_DIST = NTMakefile
+-DISTCLEANFILES = md5global.h
+ @MACOSX_TRUE@framedir = /Library/Frameworks/SASL2.framework
+ @MACOSX_TRUE@frameheaderdir = $(framedir)/Versions/A/Headers
+ @MACOSX_TRUE@frameheader_DATA = $(saslinclude_HEADERS)
+ all: all-am
+ 
+ .SUFFIXES:
+-.SUFFIXES: .c .lo .o .obj
+ $(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
+ 	@for dep in $?; do \
+ 	  case '$(am__configure_deps)' in \
+@@ -352,47 +318,6 @@ $(ACLOCAL_M4):  $(am__aclocal_m4_deps)
+ 	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+ $(am__aclocal_m4_deps):
+ 
+-clean-noinstPROGRAMS:
+-	@list='$(noinst_PROGRAMS)'; test -n "$$list" || exit 0; \
+-	echo " rm -f" $$list; \
+-	rm -f $$list || exit $$?; \
+-	test -n "$(EXEEXT)" || exit 0; \
+-	list=`for p in $$list; do echo "$$p"; done | sed 's/$(EXEEXT)$$//'`; \
+-	echo " rm -f" $$list; \
+-	rm -f $$list
+-makemd5$(EXEEXT): $(makemd5_OBJECTS) $(makemd5_DEPENDENCIES) 
+-	@rm -f makemd5$(EXEEXT)
+-	$(LINK) $(makemd5_OBJECTS) $(makemd5_LDADD) $(LIBS)
+-
+-mostlyclean-compile:
+-	-rm -f *.$(OBJEXT)
+-
+-distclean-compile:
+-	-rm -f *.tab.c
+-
+-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/makemd5.Po@am__quote@
+-
+-.c.o:
+-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+-@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+-
+-.c.obj:
+-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+-@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+-
+-.c.lo:
+-@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+-@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+-
+ mostlyclean-libtool:
+ 	-rm -f *.lo
+ 
+@@ -523,7 +448,7 @@ distdir: $(DISTFILES)
+ 	done
+ check-am: all-am
+ check: check-am
+-all-am: Makefile $(PROGRAMS) $(DATA) $(HEADERS)
++all-am: Makefile $(DATA) $(HEADERS)
+ installdirs:
+ 	for dir in "$(DESTDIR)$(frameheaderdir)" "$(DESTDIR)$(saslincludedir)"; do \
+ 	  test -z "$$dir" || $(MKDIR_P) "$$dir"; \
+@@ -549,21 +474,17 @@ clean-generic:
+ distclean-generic:
+ 	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+ 	-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
+-	-test -z "$(DISTCLEANFILES)" || rm -f $(DISTCLEANFILES)
+ 
+ maintainer-clean-generic:
+ 	@echo "This command is intended for maintainers to use"
+ 	@echo "it deletes files that may require special tools to rebuild."
+ clean: clean-am
+ 
+-clean-am: clean-generic clean-libtool clean-noinstPROGRAMS \
+-	mostlyclean-am
++clean-am: clean-generic clean-libtool mostlyclean-am
+ 
+ distclean: distclean-am
+-	-rm -rf ./$(DEPDIR)
+ 	-rm -f Makefile
+-distclean-am: clean-am distclean-compile distclean-generic \
+-	distclean-tags
++distclean-am: clean-am distclean-generic distclean-tags
+ 
+ dvi: dvi-am
+ 
+@@ -606,14 +527,12 @@ install-ps-am:
+ installcheck-am:
+ 
+ maintainer-clean: maintainer-clean-am
+-	-rm -rf ./$(DEPDIR)
+ 	-rm -f Makefile
+ maintainer-clean-am: distclean-am maintainer-clean-generic
+ 
+ mostlyclean: mostlyclean-am
+ 
+-mostlyclean-am: mostlyclean-compile mostlyclean-generic \
+-	mostlyclean-libtool
++mostlyclean-am: mostlyclean-generic mostlyclean-libtool
+ 
+ pdf: pdf-am
+ 
+@@ -628,26 +547,21 @@ uninstall-am: uninstall-frameheaderDATA 
+ .MAKE: install-am install-strip
+ 
+ .PHONY: CTAGS GTAGS all all-am check check-am clean clean-generic \
+-	clean-libtool clean-noinstPROGRAMS ctags distclean \
+-	distclean-compile distclean-generic distclean-libtool \
+-	distclean-tags distdir dvi dvi-am html html-am info info-am \
+-	install install-am install-data install-data-am install-dvi \
+-	install-dvi-am install-exec install-exec-am \
+-	install-frameheaderDATA install-html install-html-am \
+-	install-info install-info-am install-man install-pdf \
+-	install-pdf-am install-ps install-ps-am \
++	clean-libtool ctags distclean distclean-generic \
++	distclean-libtool distclean-tags distdir dvi dvi-am html \
++	html-am info info-am install install-am install-data \
++	install-data-am install-dvi install-dvi-am install-exec \
++	install-exec-am install-frameheaderDATA install-html \
++	install-html-am install-info install-info-am install-man \
++	install-pdf install-pdf-am install-ps install-ps-am \
+ 	install-saslincludeHEADERS install-strip installcheck \
+ 	installcheck-am installdirs maintainer-clean \
+-	maintainer-clean-generic mostlyclean mostlyclean-compile \
+-	mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \
+-	tags uninstall uninstall-am uninstall-frameheaderDATA \
++	maintainer-clean-generic mostlyclean mostlyclean-generic \
++	mostlyclean-libtool pdf pdf-am ps ps-am tags uninstall \
++	uninstall-am uninstall-frameheaderDATA \
+ 	uninstall-saslincludeHEADERS
+ 
+ 
+-md5global.h: makemd5
+-	-rm -f md5global.h
+-	./makemd5 md5global.h
+-
+ # Tell versions [3.59,3.63) of GNU make to not export all variables.
+ # Otherwise a system limit (for SysV at least) may be exceeded.
+ .NOEXPORT:
+diff -up cyrus-sasl-2.1.26/include/md5global.h.md5global.h cyrus-sasl-2.1.26/include/md5global.h
+--- cyrus-sasl-2.1.26/include/md5global.h.md5global.h	2012-10-15 20:17:34.000000000 +0200
++++ cyrus-sasl-2.1.26/include/md5global.h	2013-09-03 13:09:19.562000004 +0200
+@@ -15,14 +15,17 @@ The following makes PROTOTYPES default t
+ /* POINTER defines a generic pointer type */
+ typedef unsigned char *POINTER;
+ 
+-typedef signed char INT1;		/*  8 bits */
+-typedef short INT2;			/* 16 bits */
+-typedef int INT4;			/* 32 bits */
+-/* There is no 64 bit type */
+-typedef unsigned char UINT1;		/*  8 bits */
+-typedef unsigned short UINT2;		/* 16 bits */
+-typedef unsigned int UINT4;		/* 32 bits */
+-/* There is no 64 bit type */
++/* We try to define integer types for our use */
++#include <inttypes.h>
++
++typedef int8_t INT1;			/*  8 bits */
++typedef int16_t INT2;			/* 16 bits */
++typedef int32_t INT4;			/* 32 bits */
++typedef int64_t INT8;			/* 64 bits */
++typedef uint8_t UINT1;			/*  8 bits */
++typedef uint16_t UINT2;			/* 16 bits */
++typedef uint32_t UINT4;			/* 32 bits */
++typedef uint64_t UINT8;			/* 64 bits */
+ 
+ /* PROTO_LIST is defined depending on how PROTOTYPES is defined above.
+ If using PROTOTYPES, then PROTO_LIST returns the list, otherwise it
diff --git a/SOURCES/cyrus-sasl-2.1.26-null-crypt.patch b/SOURCES/cyrus-sasl-2.1.26-null-crypt.patch
new file mode 100644
index 0000000..ce9b5e2
--- /dev/null
+++ b/SOURCES/cyrus-sasl-2.1.26-null-crypt.patch
@@ -0,0 +1,86 @@
+diff -up cyrus-sasl-2.1.26/pwcheck/pwcheck_getpwnam.c.null-crypt cyrus-sasl-2.1.26/pwcheck/pwcheck_getpwnam.c
+--- cyrus-sasl-2.1.26/pwcheck/pwcheck_getpwnam.c.null-crypt	2012-01-28 00:31:36.000000000 +0100
++++ cyrus-sasl-2.1.26/pwcheck/pwcheck_getpwnam.c	2012-12-20 17:00:14.614580310 +0100
+@@ -31,7 +31,7 @@ char *pwcheck(userid, password)
+ char *userid;
+ char *password;
+ {
+-    char* r;
++    char* r, *cryptbuf;
+     struct passwd *pwd;
+ 
+     pwd = getpwnam(userid);
+@@ -41,11 +41,13 @@ char *password;
+     else if (pwd->pw_passwd[0] == '*') {
+ 	r = "Account disabled";
+     }
+-    else if (strcmp(pwd->pw_passwd, crypt(password, pwd->pw_passwd)) != 0) {
+-	r = "Incorrect password";
+-    }
+     else {
+-	r = "OK";
++	cryptbuf = crypt(password, pwd->pw_passwd);
++	if((cryptbuf == NULL) || (strcmp(pwd->pw_passwd, cryptbuf) != 0)) {
++	   r = "Incorrect password";
++	} else {
++	   r = "OK";
++	}
+     }
+ 
+     endpwent();
+diff -up cyrus-sasl-2.1.26/saslauthd/auth_getpwent.c.null-crypt cyrus-sasl-2.1.26/saslauthd/auth_getpwent.c
+--- cyrus-sasl-2.1.26/saslauthd/auth_getpwent.c.null-crypt	2012-10-12 16:05:48.000000000 +0200
++++ cyrus-sasl-2.1.26/saslauthd/auth_getpwent.c	2012-12-20 17:03:17.940793653 +0100
+@@ -78,6 +78,7 @@ auth_getpwent (
+     /* VARIABLES */
+     struct passwd *pw;			/* pointer to passwd file entry */
+     int errnum;
++    char *cryptbuf;
+     /* END VARIABLES */
+   
+     errno = 0;
+@@ -105,7 +106,8 @@ auth_getpwent (
+ 	}
+     }
+ 
+-    if (strcmp(pw->pw_passwd, (const char *)crypt(password, pw->pw_passwd))) {
++    cryptbuf = crypt(password, pw->pw_passwd);
++    if ((cryptbuf == NULL) || strcmp(pw->pw_passwd, cryptbuf)) {
+ 	if (flags & VERBOSE) {
+ 	    syslog(LOG_DEBUG, "DEBUG: auth_getpwent: %s: invalid password", login);
+ 	}
+diff -up cyrus-sasl-2.1.26/saslauthd/auth_shadow.c.null-crypt cyrus-sasl-2.1.26/saslauthd/auth_shadow.c
+--- cyrus-sasl-2.1.26/saslauthd/auth_shadow.c.null-crypt	2012-12-20 17:00:14.000000000 +0100
++++ cyrus-sasl-2.1.26/saslauthd/auth_shadow.c	2012-12-20 17:16:44.190360006 +0100
+@@ -214,8 +214,8 @@ auth_shadow (
+ 	RETURN("NO Insufficient permission to access NIS authentication database (saslauthd)");
+     }
+ 
+-    cpw = strdup((const char *)crypt(password, sp->sp_pwdp));
+-    if (strcmp(sp->sp_pwdp, cpw)) {
++    cpw = crypt(password, sp->sp_pwdp);
++    if ((cpw == NULL) || strcmp(sp->sp_pwdp, cpw)) {
+ 	if (flags & VERBOSE) {
+ 	    /*
+ 	     * This _should_ reveal the SHADOW_PW_LOCKED prefix to an
+@@ -225,10 +225,8 @@ auth_shadow (
+ 	    syslog(LOG_DEBUG, "DEBUG: auth_shadow: pw mismatch: '%s' != '%s'",
+ 		   sp->sp_pwdp, cpw);
+ 	}
+-	free(cpw);
+ 	RETURN("NO Incorrect password");
+     }
+-    free(cpw);
+ 
+     /*
+      * The following fields will be set to -1 if:
+@@ -290,7 +288,8 @@ auth_shadow (
+ 	RETURN("NO Invalid username");
+     }
+   
+-    if (strcmp(upw->upw_passwd, crypt(password, upw->upw_passwd)) != 0) {
++    cpw = crypt(password, upw->upw_passwd);
++    if ((cpw == NULL) || strcmp(upw->upw_passwd, cpw) != 0) {
+ 	if (flags & VERBOSE) {
+ 	    syslog(LOG_DEBUG, "auth_shadow: pw mismatch: %s != %s",
+ 		   password, upw->upw_passwd);
diff --git a/SOURCES/cyrus-sasl-2.1.26-obsolete-macro.patch b/SOURCES/cyrus-sasl-2.1.26-obsolete-macro.patch
new file mode 100644
index 0000000..a836d8f
--- /dev/null
+++ b/SOURCES/cyrus-sasl-2.1.26-obsolete-macro.patch
@@ -0,0 +1,13 @@
+diff --git a/configure.in b/configure.in
+index e70c99a..60f366c 100644
+--- a/configure.in
++++ b/configure.in
+@@ -1416,7 +1416,7 @@ inline static unsigned int sleep(unsigned int seconds) {
+ #endif /* CONFIG_H */
+ ])
+ 
+-AM_CONFIG_HEADER(config.h)
++AC_CONFIG_HEADERS(config.h)
+ 
+ AC_OUTPUT(Makefile
+ libsasl2.pc
diff --git a/SOURCES/cyrus-sasl-2.1.26-ppc.patch b/SOURCES/cyrus-sasl-2.1.26-ppc.patch
new file mode 100644
index 0000000..0ebba70
--- /dev/null
+++ b/SOURCES/cyrus-sasl-2.1.26-ppc.patch
@@ -0,0 +1,24 @@
+diff -up cyrus-sasl-2.1.26/config/ltconfig.ppc cyrus-sasl-2.1.26/config/ltconfig
+--- cyrus-sasl-2.1.26/config/ltconfig.ppc	2012-10-12 16:05:48.000000000 +0200
++++ cyrus-sasl-2.1.26/config/ltconfig	2013-06-04 15:38:53.695401296 +0200
+@@ -2040,7 +2040,7 @@ linux-gnu*)
+   else
+     # Only the GNU ld.so supports shared libraries on MkLinux.
+     case "$host_cpu" in
+-    powerpc*) dynamic_linker=no ;;
++#    powerpc*) dynamic_linker=no ;;
+     *) dynamic_linker='Linux ld.so' ;;
+     esac
+   fi
+diff -up cyrus-sasl-2.1.26/saslauthd/config/ltconfig.ppc cyrus-sasl-2.1.26/saslauthd/config/ltconfig
+--- cyrus-sasl-2.1.26/saslauthd/config/ltconfig.ppc	2013-06-04 15:39:49.849463707 +0200
++++ cyrus-sasl-2.1.26/saslauthd/config/ltconfig	2013-06-04 15:39:12.826741036 +0200
+@@ -2040,7 +2040,7 @@ linux-gnu*)
+   else
+     # Only the GNU ld.so supports shared libraries on MkLinux.
+     case "$host_cpu" in
+-    powerpc*) dynamic_linker=no ;;
++    #powerpc*) dynamic_linker=no ;;
+     *) dynamic_linker='Linux ld.so' ;;
+     esac
+   fi
diff --git a/SOURCES/cyrus-sasl-2.1.26-prefer-SCRAM-SHA-1-over-PLAIN.patch b/SOURCES/cyrus-sasl-2.1.26-prefer-SCRAM-SHA-1-over-PLAIN.patch
new file mode 100644
index 0000000..af88e81
--- /dev/null
+++ b/SOURCES/cyrus-sasl-2.1.26-prefer-SCRAM-SHA-1-over-PLAIN.patch
@@ -0,0 +1,51 @@
+commit 26dcfb2d7176b78e70757aa5d01951a28ca217c7
+Author: Alexey Melnikov <alexey.melnikov@isode.com>
+Date:   Fri Jul 5 16:37:59 2013 +0100
+
+    Treat SCRAM-SHA-1/DIGEST-MD5 as more secure than PLAIN when selecting the best client side SASL mechanism
+    
+    Both SCRAM-SHA-1 & DIGEST-MD5 are lacking SASL_SEC_PASS_CREDENTIALS security
+    flag, which prevented them from being chosen over PLAIN when PLAIN is selected
+    as the best mechanism first. For example the problem can be observed when
+    the server advertises "PLAIN DIGEST-MD5 SCRAM-SHA-1" (PLAIN just has to be
+    returned before SCRAM/DIGEST.)
+    
+    Cyrus SASL bug # 3793
+
+diff --git a/lib/client.c b/lib/client.c
+index 62dfb0b..31fe346 100644
+--- a/lib/client.c
++++ b/lib/client.c
+@@ -658,6 +658,20 @@ _sasl_cbinding_disp(sasl_client_params_t *cparams,
+     return SASL_OK;
+ }
+ 
++static int
++_sasl_are_current_security_flags_worse_then_best(unsigned best_security_flags,
++						 unsigned current_security_flags)
++{
++    /* We don't qualify SASL_SEC_PASS_CREDENTIALS as "secure" flag */
++    best_security_flags &= ~SASL_SEC_PASS_CREDENTIALS;
++
++    if ((current_security_flags ^ best_security_flags) & best_security_flags) {
++	return 1;
++    } else {
++	return 0;
++    }
++}
++
+ /* select a mechanism for a connection
+  *  mechlist      -- mechanisms server has available (punctuation ignored)
+  *  secret        -- optional secret from previous session
+@@ -823,8 +837,9 @@ int sasl_client_start(sasl_conn_t *conn,
+ 	     */
+ 
+ 	    if (bestm &&
+-		((m->m.plug->security_flags ^ bestm->m.plug->security_flags) &
+-		 bestm->m.plug->security_flags)) {
++		_sasl_are_current_security_flags_worse_then_best(
++		    bestm->m.plug->security_flags,
++		    m->m.plug->security_flags)) {
+ 		break;
+ 	    }
+ 
diff --git a/SOURCES/cyrus-sasl-2.1.26-release-server_creds.patch b/SOURCES/cyrus-sasl-2.1.26-release-server_creds.patch
new file mode 100644
index 0000000..a84bf9f
--- /dev/null
+++ b/SOURCES/cyrus-sasl-2.1.26-release-server_creds.patch
@@ -0,0 +1,16 @@
+diff -up cyrus-sasl-2.1.26/plugins/gssapi.c.release-server_creds cyrus-sasl-2.1.26/plugins/gssapi.c
+--- cyrus-sasl-2.1.26/plugins/gssapi.c.release-server_creds	2012-12-20 17:17:37.000000000 +0100
++++ cyrus-sasl-2.1.26/plugins/gssapi.c	2012-12-20 17:42:11.498138999 +0100
+@@ -945,6 +945,12 @@ gssapi_server_mech_authneg(context_t *te
+ 	ret = SASL_CONTINUE;
+     }
+ 
++    /* Release server creds which are no longer needed */
++     if ( text->server_creds != GSS_C_NO_CREDENTIAL) {
++        maj_stat = gss_release_cred(&min_stat, &text->server_creds);
++        text->server_creds = GSS_C_NO_CREDENTIAL;
++     }
++
+   cleanup:
+     if (client_name_MN) {
+ 	GSS_LOCK_MUTEX(params->utils);
diff --git a/SOURCES/cyrus-sasl-2.1.26-relro.patch b/SOURCES/cyrus-sasl-2.1.26-relro.patch
new file mode 100644
index 0000000..f8b6027
--- /dev/null
+++ b/SOURCES/cyrus-sasl-2.1.26-relro.patch
@@ -0,0 +1,70 @@
+diff -up cyrus-sasl-2.1.26/lib/Makefile.am.relro cyrus-sasl-2.1.26/lib/Makefile.am
+--- cyrus-sasl-2.1.26/lib/Makefile.am.relro	2012-10-12 16:05:48.000000000 +0200
++++ cyrus-sasl-2.1.26/lib/Makefile.am	2013-02-11 14:18:01.749053772 +0100
+@@ -64,7 +64,7 @@ LIB_DOOR= @LIB_DOOR@
+ lib_LTLIBRARIES = libsasl2.la
+ 
+ libsasl2_la_SOURCES = $(common_sources) $(common_headers)
+-libsasl2_la_LDFLAGS = -version-info $(sasl_version)
++libsasl2_la_LDFLAGS = -Wl,-z,relro -version-info $(sasl_version)
+ libsasl2_la_DEPENDENCIES = $(LTLIBOBJS)
+ libsasl2_la_LIBADD = $(LTLIBOBJS) $(SASL_DL_LIB) $(LIB_SOCKET) $(LIB_DOOR)
+ 
+diff -up cyrus-sasl-2.1.26/lib/Makefile.in.relro cyrus-sasl-2.1.26/lib/Makefile.in
+--- cyrus-sasl-2.1.26/lib/Makefile.in.relro	2013-11-13 16:55:09.606555125 +0100
++++ cyrus-sasl-2.1.26/lib/Makefile.in	2013-11-13 16:56:43.331096795 +0100
+@@ -330,7 +330,7 @@ common_headers = saslint.h
+ common_sources = auxprop.c canonusr.c checkpw.c client.c common.c config.c external.c md5.c saslutil.c server.c seterror.c dlopen.c ../plugins/plugin_common.c
+ lib_LTLIBRARIES = libsasl2.la
+ libsasl2_la_SOURCES = $(common_sources) $(common_headers)
+-libsasl2_la_LDFLAGS = -version-info $(sasl_version)
++libsasl2_la_LDFLAGS = -Wl,-z,relro -version-info $(sasl_version)
+ libsasl2_la_DEPENDENCIES = $(LTLIBOBJS)
+ libsasl2_la_LIBADD = $(LTLIBOBJS) $(SASL_DL_LIB) $(LIB_SOCKET) $(LIB_DOOR)
+ @MACOSX_TRUE@framedir = /Library/Frameworks/SASL2.framework
+diff -up cyrus-sasl-2.1.26/plugins/Makefile.am.relro cyrus-sasl-2.1.26/plugins/Makefile.am
+--- cyrus-sasl-2.1.26/plugins/Makefile.am.relro	2012-10-12 16:05:48.000000000 +0200
++++ cyrus-sasl-2.1.26/plugins/Makefile.am	2013-02-11 14:18:01.749053772 +0100
+@@ -50,7 +50,7 @@
+ plugin_version = 3:0:0
+ 
+ INCLUDES=-I$(top_srcdir)/include -I$(top_srcdir)/lib -I$(top_srcdir)/sasldb -I$(top_builddir)/include
+-AM_LDFLAGS = -module -export-dynamic -rpath $(plugindir) -version-info $(plugin_version)
++AM_LDFLAGS = -Wl,-z,relro -module -export-dynamic -rpath $(plugindir) -version-info $(plugin_version)
+ 
+ COMPAT_OBJS = @LTGETADDRINFOOBJS@ @LTGETNAMEINFOOBJS@ @LTSNPRINTFOBJS@
+ 
+diff -up cyrus-sasl-2.1.26/plugins/Makefile.in.relro cyrus-sasl-2.1.26/plugins/Makefile.in
+--- cyrus-sasl-2.1.26/plugins/Makefile.in.relro	2013-11-13 16:57:08.430974081 +0100
++++ cyrus-sasl-2.1.26/plugins/Makefile.in	2013-11-13 16:57:58.911727846 +0100
+@@ -364,7 +364,7 @@ top_srcdir = @top_srcdir@
+ # CURRENT:REVISION:AGE
+ plugin_version = 3:0:0
+ INCLUDES = -I$(top_srcdir)/include -I$(top_srcdir)/lib -I$(top_srcdir)/sasldb -I$(top_builddir)/include
+-AM_LDFLAGS = -module -export-dynamic -rpath $(plugindir) -version-info $(plugin_version)
++AM_LDFLAGS = -Wl,-z,relro -module -export-dynamic -rpath $(plugindir) -version-info $(plugin_version)
+ COMPAT_OBJS = @LTGETADDRINFOOBJS@ @LTGETNAMEINFOOBJS@ @LTSNPRINTFOBJS@
+ EXTRA_DIST = makeinit.sh NTMakefile
+ noinst_SCRIPTS = makeinit.sh
+diff -up cyrus-sasl-2.1.26/saslauthd/Makefile.am.relro cyrus-sasl-2.1.26/saslauthd/Makefile.am
+--- cyrus-sasl-2.1.26/saslauthd/Makefile.am.relro	2013-02-11 14:18:36.910900647 +0100
++++ cyrus-sasl-2.1.26/saslauthd/Makefile.am	2013-02-11 14:20:17.336463915 +0100
+@@ -17,6 +17,7 @@ saslauthd_DEPENDENCIES = saslauthd-main.
+ saslauthd_LDADD	= @SASL_KRB_LIB@ \
+ 		  @GSSAPIBASE_LIBS@ @GSSAPI_LIBS@ @LIB_CRYPT@ @LIB_SIA@ \
+ 		  @LIB_SOCKET@ @SASL_DB_LIB@ @LIB_PAM@ @LDAP_LIBS@ @LTLIBOBJS@
++saslauthd_LDFLAGS = -pie -Wl,-z,now
+ 
+ testsaslauthd_SOURCES = testsaslauthd.c utils.c
+ testsaslauthd_LDADD = @LIB_SOCKET@
+diff -up cyrus-sasl-2.1.26/saslauthd/Makefile.in.relro cyrus-sasl-2.1.26/saslauthd/Makefile.in
+--- cyrus-sasl-2.1.26/saslauthd/Makefile.in.relro	2013-11-13 16:58:13.085659148 +0100
++++ cyrus-sasl-2.1.26/saslauthd/Makefile.in	2013-11-13 16:58:49.679481841 +0100
+@@ -234,6 +234,7 @@ saslauthd_DEPENDENCIES = saslauthd-main.
+ saslauthd_LDADD = @SASL_KRB_LIB@ \
+ 		  @GSSAPIBASE_LIBS@ @GSSAPI_LIBS@ @LIB_CRYPT@ @LIB_SIA@ \
+ 		  @LIB_SOCKET@ @SASL_DB_LIB@ @LIB_PAM@ @LDAP_LIBS@ @LTLIBOBJS@
++saslauthd_LDFLAGS = -pie -Wl,-z,now
+ 
+ testsaslauthd_SOURCES = testsaslauthd.c utils.c
+ testsaslauthd_LDADD = @LIB_SOCKET@
diff --git a/SOURCES/cyrus-sasl-2.1.26-revert-gssapi-flags.patch b/SOURCES/cyrus-sasl-2.1.26-revert-gssapi-flags.patch
new file mode 100644
index 0000000..1a1d259
--- /dev/null
+++ b/SOURCES/cyrus-sasl-2.1.26-revert-gssapi-flags.patch
@@ -0,0 +1,16 @@
+--- cyrus-sasl2.orig/plugins/gssapi.c
++++ cyrus-sasl2/plugins/gssapi.c
+@@ -1583,10 +1583,10 @@ static int gssapi_client_mech_step(void
+ 	}
+ 
+ 	/* Setup req_flags properly */
+-	req_flags = GSS_C_INTEG_FLAG;
++	req_flags = GSS_C_MUTUAL_FLAG | GSS_C_SEQUENCE_FLAG;
+ 	if (params->props.max_ssf > params->external_ssf) {
+ 	    /* We are requesting a security layer */
+-	    req_flags |= GSS_C_MUTUAL_FLAG | GSS_C_SEQUENCE_FLAG;
++	    req_flags |= GSS_C_INTEG_FLAG;
+ 	    /* Any SSF bigger than 1 is confidentiality. */
+ 	    /* Let's check if the client of the API requires confidentiality,
+ 	       and it wasn't already provided by an external layer */
+
diff --git a/SOURCES/cyrus-sasl-2.1.26-saslauthd-user.patch b/SOURCES/cyrus-sasl-2.1.26-saslauthd-user.patch
new file mode 100644
index 0000000..cace375
--- /dev/null
+++ b/SOURCES/cyrus-sasl-2.1.26-saslauthd-user.patch
@@ -0,0 +1,33 @@
+diff --git a/saslauthd/saslauthd.mdoc b/saslauthd/saslauthd.mdoc
+index 37c6f6e..5b635ab 100644
+--- a/saslauthd/saslauthd.mdoc
++++ b/saslauthd/saslauthd.mdoc
+@@ -44,7 +44,27 @@ multi-user mode. When running against a protected authentication
+ database (e.g. the
+ .Li shadow
+ mechanism),
+-it must be run as the superuser.
++it must be run as the superuser. Otherwise it is recommended to run
++daemon unprivileged as saslauth:saslauth. You can do so by following
++these steps:
++.Bl -enum -compact
++.It
++create directory
++.Pa /etc/systemd/system/saslauthd.service.d/
++.It
++create file
++.Pa /etc/systemd/system/saslauthd.service.d/user.conf
++with content
++.Bd -literal
++[Service]
++User=saslauth
++Group=saslauth
++
++.Ed
++.It
++Reload systemd service file: run
++.Dq systemctl daemon-reload
++.El
+ .Ss Options
+ Options named by lower\-case letters configure the server itself.
+ Upper\-case options control the behavior of specific authentication
diff --git a/SOURCES/cyrus-sasl-2.1.26-size_t.patch b/SOURCES/cyrus-sasl-2.1.26-size_t.patch
new file mode 100644
index 0000000..cde8238
--- /dev/null
+++ b/SOURCES/cyrus-sasl-2.1.26-size_t.patch
@@ -0,0 +1,12 @@
+diff -up cyrus-sasl-2.1.26/include/sasl.h.size_t cyrus-sasl-2.1.26/include/sasl.h
+--- cyrus-sasl-2.1.26/include/sasl.h.size_t	2012-10-12 09:05:48.000000000 -0500
++++ cyrus-sasl-2.1.26/include/sasl.h	2013-01-31 13:21:04.007739327 -0600
+@@ -223,6 +223,8 @@ extern "C" {
+  * they must be called before all other SASL functions:
+  */
+ 
++#include <sys/types.h>
++
+ /* memory allocation functions which may optionally be replaced:
+  */
+ typedef void *sasl_malloc_t(size_t);
diff --git a/SOURCES/cyrus-sasl-2.1.26-sql.patch b/SOURCES/cyrus-sasl-2.1.26-sql.patch
new file mode 100644
index 0000000..b7f3db4
--- /dev/null
+++ b/SOURCES/cyrus-sasl-2.1.26-sql.patch
@@ -0,0 +1,2296 @@
+diff -up ./configure.in.sql ./configure.in
+--- ./configure.in.sql	2013-11-14 13:19:19.231000002 +0100
++++ ./configure.in	2013-11-14 14:10:44.728997789 +0100
+@@ -729,7 +729,18 @@ LIB_MYSQL=""
+ 
+ case "$with_mysql" in
+     no) true;;
+-    notfound) AC_WARN([MySQL Library not found]); true;;
++    notfound) 
++     save_LDFLAGS=$LDFLAGS
++     LIB_MYSQL=`mysql_config --libs`
++     LIB_MYSQL="-lmysqlclient"
++     LDFLAGS="$LDFLAGS $LIB_MYSQL"
++     # CPPFLAGS="${CPPFLAGS} `mysql_config --include`"
++     AC_CHECK_LIB(mysqlclient, mysql_select_db,
++           AC_DEFINE(HAVE_MYSQL, [], [Do we have mysql support?]),
++           [AC_WARN([MySQL library mysqlclient does not work])
++            with_mysql=no])
++     LDFLAGS=$save_LDFLAGS
++     ;;
+     *)
+      if test -d ${with_mysql}/lib/mysql; then
+ 	CMU_ADD_LIBPATH_TO(${with_mysql}/lib/mysql, LIB_MYSQL)
+@@ -750,6 +761,8 @@ case "$with_mysql" in
+          CPPFLAGS="${CPPFLAGS} -I${with_mysql}/mysql/include"
+      elif test -d ${with_mysql}/include; then
+          CPPFLAGS="${CPPFLAGS} -I${with_mysql}/include"
++     elif test -d ${prefix}/include/mysql; then
++         CPPFLAGS="${CPPFLAGS} -I${prefix}/include/mysql"
+      else
+          CPPFLAGS="${CPPFLAGS} -I${with_mysql}"
+      fi
+@@ -793,7 +806,17 @@ LIB_PGSQL=""
+ 
+ case "$with_pgsql" in
+     no) true;;
+-    notfound) AC_WARN([PostgreSQL Library not found]); true;;
++    notfound)
++     LIB_PGSQL="-lpq"
++     # CPPFLAGS="${CPPFLAGS} -I`pg_config --includedir`"
++     save_LDFLAGS=$LDFLAGS
++     LDFLAGS="$LDFLAGS $LIB_PGSQL"
++     AC_CHECK_LIB(pq, PQsetdbLogin, AC_DEFINE(HAVE_PGSQL,[],
++         [Do we have Postgres support?]),
++         [AC_WARN([PostgreSQL Library pq does not work])
++          with_pgsql=no])
++     LDFLAGS=$save_LDFLAGS
++     ;;
+     *)
+      if test -d ${with_pgsql}/lib/pgsql; then
+ 	CMU_ADD_LIBPATH_TO(${with_pgsql}/lib/pgsql, LIB_PGSQL)
+@@ -814,6 +837,8 @@ case "$with_pgsql" in
+          CPPFLAGS="${CPPFLAGS} -I${with_pgsql}/pgsql/include"
+      elif test -d ${with_pgsql}/include; then
+          CPPFLAGS="${CPPFLAGS} -I${with_pgsql}/include"
++     elif test -d ${prefix}/include; then
++         CPPFLAGS="${CPPFLAGS} -I${prefix}/include"
+      else
+          CPPFLAGS="${CPPFLAGS} -I${with_pgsql}"
+      fi
+diff -up ./configure.sql ./configure
+--- ./configure.sql	2013-11-14 13:19:19.177000002 +0100
++++ ./configure	2013-11-14 14:10:50.848000001 +0100
+@@ -4340,116 +4340,8 @@ $as_echo "$ac_cv___attribute__" >&6; }
+ 
+ 
+    # CMU GUESS RUNPATH SWITCH
+-  { $as_echo "$as_me:$LINENO: checking for runpath switch" >&5
+-$as_echo_n "checking for runpath switch... " >&6; }
+-if test "${andrew_cv_runpath_switch+set}" = set; then
+-  $as_echo_n "(cached) " >&6
+-else
+-
+-    # first, try -R
+-    SAVE_LDFLAGS="${LDFLAGS}"
+-    LDFLAGS="-R /usr/lib"
+-    cat >conftest.$ac_ext <<_ACEOF
+-/* confdefs.h.  */
+-_ACEOF
+-cat confdefs.h >>conftest.$ac_ext
+-cat >>conftest.$ac_ext <<_ACEOF
+-/* end confdefs.h.  */
+-
+-int
+-main ()
+-{
+-
+-  ;
+-  return 0;
+-}
+-_ACEOF
+-rm -f conftest.$ac_objext conftest$ac_exeext
+-if { (ac_try="$ac_link"
+-case "(($ac_try" in
+-  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+-  *) ac_try_echo=$ac_try;;
+-esac
+-eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
+-$as_echo "$ac_try_echo") >&5
+-  (eval "$ac_link") 2>conftest.er1
+-  ac_status=$?
+-  grep -v '^ *+' conftest.er1 >conftest.err
+-  rm -f conftest.er1
+-  cat conftest.err >&5
+-  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
+-  (exit $ac_status); } && {
+-	 test -z "$ac_c_werror_flag" ||
+-	 test ! -s conftest.err
+-       } && test -s conftest$ac_exeext && {
+-	 test "$cross_compiling" = yes ||
+-	 $as_test_x conftest$ac_exeext
+-       }; then
+-  andrew_cv_runpath_switch="-R"
+-else
+-  $as_echo "$as_me: failed program was:" >&5
+-sed 's/^/| /' conftest.$ac_ext >&5
+-
+-
+-  	LDFLAGS="-Wl,-rpath,/usr/lib"
+-    cat >conftest.$ac_ext <<_ACEOF
+-/* confdefs.h.  */
+-_ACEOF
+-cat confdefs.h >>conftest.$ac_ext
+-cat >>conftest.$ac_ext <<_ACEOF
+-/* end confdefs.h.  */
+-
+-int
+-main ()
+-{
+-
+-  ;
+-  return 0;
+-}
+-_ACEOF
+-rm -f conftest.$ac_objext conftest$ac_exeext
+-if { (ac_try="$ac_link"
+-case "(($ac_try" in
+-  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+-  *) ac_try_echo=$ac_try;;
+-esac
+-eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
+-$as_echo "$ac_try_echo") >&5
+-  (eval "$ac_link") 2>conftest.er1
+-  ac_status=$?
+-  grep -v '^ *+' conftest.er1 >conftest.err
+-  rm -f conftest.er1
+-  cat conftest.err >&5
+-  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
+-  (exit $ac_status); } && {
+-	 test -z "$ac_c_werror_flag" ||
+-	 test ! -s conftest.err
+-       } && test -s conftest$ac_exeext && {
+-	 test "$cross_compiling" = yes ||
+-	 $as_test_x conftest$ac_exeext
+-       }; then
+-  andrew_cv_runpath_switch="-Wl,-rpath,"
+-else
+-  $as_echo "$as_me: failed program was:" >&5
+-sed 's/^/| /' conftest.$ac_ext >&5
+-
+-	andrew_cv_runpath_switch="none"
+-fi
+-
+-rm -rf conftest.dSYM
+-rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
+-      conftest$ac_exeext conftest.$ac_ext
+-
+-fi
+-
+-rm -rf conftest.dSYM
+-rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
+-      conftest$ac_exeext conftest.$ac_ext
+-  LDFLAGS="${SAVE_LDFLAGS}"
++    andrew_runpath_switch="none"
+ 
+-fi
+-{ $as_echo "$as_me:$LINENO: result: $andrew_cv_runpath_switch" >&5
+-$as_echo "$andrew_cv_runpath_switch" >&6; }
+ 
+ 
+ # Check whether --with-staticsasl was given.
+@@ -4784,7 +4676,7 @@ test x"$silent" = xyes && libtool_flags=
+ case "$lt_target" in
+ *-*-irix6*)
+   # Find out which ABI we are using.
+-  echo '#line 4787 "configure"' > conftest.$ac_ext
++  echo '#line 4679 "configure"' > conftest.$ac_ext
+   if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
+   (eval $ac_compile) 2>&5
+   ac_status=$?
+@@ -11239,7 +11131,6 @@ $as_echo "$cyrus_krbinclude" >&6; }
+        if test -n "${cyrus_krbinclude}"; then
+          CPPFLAGS="$CPPFLAGS -I${cyrus_krbinclude}"
+        fi
+-       LDFLAGS="$LDFLAGS -L$krb4/lib"
+     fi
+ 
+     if test "$with_des" != no; then
+@@ -13467,69 +13358,43 @@ _ACEOF
+ fi
+ done
+ 
++  if test "$ac_cv_func_gsskrb5_register_acceptor_identity" = no ; then
+ 
+-for ac_func in gss_decapsulate_token
++for ac_header in gssapi/gssapi_krb5.h
+ do
+-as_ac_var=`$as_echo "ac_cv_func_$ac_func" | $as_tr_sh`
+-{ $as_echo "$as_me:$LINENO: checking for $ac_func" >&5
+-$as_echo_n "checking for $ac_func... " >&6; }
+-if { as_var=$as_ac_var; eval "test \"\${$as_var+set}\" = set"; }; then
++as_ac_Header=`$as_echo "ac_cv_header_$ac_header" | $as_tr_sh`
++if { as_var=$as_ac_Header; eval "test \"\${$as_var+set}\" = set"; }; then
++  { $as_echo "$as_me:$LINENO: checking for $ac_header" >&5
++$as_echo_n "checking for $ac_header... " >&6; }
++if { as_var=$as_ac_Header; eval "test \"\${$as_var+set}\" = set"; }; then
+   $as_echo_n "(cached) " >&6
++fi
++ac_res=`eval 'as_val=${'$as_ac_Header'}
++		 $as_echo "$as_val"'`
++	       { $as_echo "$as_me:$LINENO: result: $ac_res" >&5
++$as_echo "$ac_res" >&6; }
+ else
+-  cat >conftest.$ac_ext <<_ACEOF
++  # Is the header compilable?
++{ $as_echo "$as_me:$LINENO: checking $ac_header usability" >&5
++$as_echo_n "checking $ac_header usability... " >&6; }
++cat >conftest.$ac_ext <<_ACEOF
+ /* confdefs.h.  */
+ _ACEOF
+ cat confdefs.h >>conftest.$ac_ext
+ cat >>conftest.$ac_ext <<_ACEOF
+ /* end confdefs.h.  */
+-/* Define $ac_func to an innocuous variant, in case <limits.h> declares $ac_func.
+-   For example, HP-UX 11i <limits.h> declares gettimeofday.  */
+-#define $ac_func innocuous_$ac_func
+-
+-/* System header to define __stub macros and hopefully few prototypes,
+-    which can conflict with char $ac_func (); below.
+-    Prefer <limits.h> to <assert.h> if __STDC__ is defined, since
+-    <limits.h> exists even on freestanding compilers.  */
+-
+-#ifdef __STDC__
+-# include <limits.h>
+-#else
+-# include <assert.h>
+-#endif
+-
+-#undef $ac_func
+-
+-/* Override any GCC internal prototype to avoid an error.
+-   Use char because int might match the return type of a GCC
+-   builtin and then its argument prototype would still apply.  */
+-#ifdef __cplusplus
+-extern "C"
+-#endif
+-char $ac_func ();
+-/* The GNU C library defines this for functions which it implements
+-    to always fail with ENOSYS.  Some functions are actually named
+-    something starting with __ and the normal name is an alias.  */
+-#if defined __stub_$ac_func || defined __stub___$ac_func
+-choke me
+-#endif
+-
+-int
+-main ()
+-{
+-return $ac_func ();
+-  ;
+-  return 0;
+-}
++$ac_includes_default
++#include <$ac_header>
+ _ACEOF
+-rm -f conftest.$ac_objext conftest$ac_exeext
+-if { (ac_try="$ac_link"
++rm -f conftest.$ac_objext
++if { (ac_try="$ac_compile"
+ case "(($ac_try" in
+   *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+   *) ac_try_echo=$ac_try;;
+ esac
+ eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
+ $as_echo "$ac_try_echo") >&5
+-  (eval "$ac_link") 2>conftest.er1
++  (eval "$ac_compile") 2>conftest.er1
+   ac_status=$?
+   grep -v '^ *+' conftest.er1 >conftest.err
+   rm -f conftest.er1
+@@ -13538,139 +13403,178 @@ $as_echo "$ac_try_echo") >&5
+   (exit $ac_status); } && {
+ 	 test -z "$ac_c_werror_flag" ||
+ 	 test ! -s conftest.err
+-       } && test -s conftest$ac_exeext && {
+-	 test "$cross_compiling" = yes ||
+-	 $as_test_x conftest$ac_exeext
+-       }; then
+-  eval "$as_ac_var=yes"
++       } && test -s conftest.$ac_objext; then
++  ac_header_compiler=yes
+ else
+   $as_echo "$as_me: failed program was:" >&5
+ sed 's/^/| /' conftest.$ac_ext >&5
+ 
+-	eval "$as_ac_var=no"
+-fi
+-
+-rm -rf conftest.dSYM
+-rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
+-      conftest$ac_exeext conftest.$ac_ext
+-fi
+-ac_res=`eval 'as_val=${'$as_ac_var'}
+-		 $as_echo "$as_val"'`
+-	       { $as_echo "$as_me:$LINENO: result: $ac_res" >&5
+-$as_echo "$ac_res" >&6; }
+-as_val=`eval 'as_val=${'$as_ac_var'}
+-		 $as_echo "$as_val"'`
+-   if test "x$as_val" = x""yes; then
+-  cat >>confdefs.h <<_ACEOF
+-#define `$as_echo "HAVE_$ac_func" | $as_tr_cpp` 1
+-_ACEOF
+-
++	ac_header_compiler=no
+ fi
+-done
+ 
++rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
++{ $as_echo "$as_me:$LINENO: result: $ac_header_compiler" >&5
++$as_echo "$ac_header_compiler" >&6; }
+ 
+-for ac_func in gss_encapsulate_token
+-do
+-as_ac_var=`$as_echo "ac_cv_func_$ac_func" | $as_tr_sh`
+-{ $as_echo "$as_me:$LINENO: checking for $ac_func" >&5
+-$as_echo_n "checking for $ac_func... " >&6; }
+-if { as_var=$as_ac_var; eval "test \"\${$as_var+set}\" = set"; }; then
+-  $as_echo_n "(cached) " >&6
+-else
+-  cat >conftest.$ac_ext <<_ACEOF
++# Is the header present?
++{ $as_echo "$as_me:$LINENO: checking $ac_header presence" >&5
++$as_echo_n "checking $ac_header presence... " >&6; }
++cat >conftest.$ac_ext <<_ACEOF
+ /* confdefs.h.  */
+ _ACEOF
+ cat confdefs.h >>conftest.$ac_ext
+ cat >>conftest.$ac_ext <<_ACEOF
+ /* end confdefs.h.  */
+-/* Define $ac_func to an innocuous variant, in case <limits.h> declares $ac_func.
+-   For example, HP-UX 11i <limits.h> declares gettimeofday.  */
+-#define $ac_func innocuous_$ac_func
+-
+-/* System header to define __stub macros and hopefully few prototypes,
+-    which can conflict with char $ac_func (); below.
+-    Prefer <limits.h> to <assert.h> if __STDC__ is defined, since
+-    <limits.h> exists even on freestanding compilers.  */
+-
+-#ifdef __STDC__
+-# include <limits.h>
+-#else
+-# include <assert.h>
+-#endif
+-
+-#undef $ac_func
+-
+-/* Override any GCC internal prototype to avoid an error.
+-   Use char because int might match the return type of a GCC
+-   builtin and then its argument prototype would still apply.  */
+-#ifdef __cplusplus
+-extern "C"
+-#endif
+-char $ac_func ();
+-/* The GNU C library defines this for functions which it implements
+-    to always fail with ENOSYS.  Some functions are actually named
+-    something starting with __ and the normal name is an alias.  */
+-#if defined __stub_$ac_func || defined __stub___$ac_func
+-choke me
+-#endif
+-
+-int
+-main ()
+-{
+-return $ac_func ();
+-  ;
+-  return 0;
+-}
++#include <$ac_header>
+ _ACEOF
+-rm -f conftest.$ac_objext conftest$ac_exeext
+-if { (ac_try="$ac_link"
++if { (ac_try="$ac_cpp conftest.$ac_ext"
+ case "(($ac_try" in
+   *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+   *) ac_try_echo=$ac_try;;
+ esac
+ eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
+ $as_echo "$ac_try_echo") >&5
+-  (eval "$ac_link") 2>conftest.er1
++  (eval "$ac_cpp conftest.$ac_ext") 2>conftest.er1
+   ac_status=$?
+   grep -v '^ *+' conftest.er1 >conftest.err
+   rm -f conftest.er1
+   cat conftest.err >&5
+   $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
+-  (exit $ac_status); } && {
+-	 test -z "$ac_c_werror_flag" ||
++  (exit $ac_status); } >/dev/null && {
++	 test -z "$ac_c_preproc_warn_flag$ac_c_werror_flag" ||
+ 	 test ! -s conftest.err
+-       } && test -s conftest$ac_exeext && {
+-	 test "$cross_compiling" = yes ||
+-	 $as_test_x conftest$ac_exeext
+        }; then
+-  eval "$as_ac_var=yes"
++  ac_header_preproc=yes
+ else
+   $as_echo "$as_me: failed program was:" >&5
+ sed 's/^/| /' conftest.$ac_ext >&5
+ 
+-	eval "$as_ac_var=no"
++  ac_header_preproc=no
+ fi
+ 
+-rm -rf conftest.dSYM
+-rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
+-      conftest$ac_exeext conftest.$ac_ext
++rm -f conftest.err conftest.$ac_ext
++{ $as_echo "$as_me:$LINENO: result: $ac_header_preproc" >&5
++$as_echo "$ac_header_preproc" >&6; }
++
++# So?  What about this header?
++case $ac_header_compiler:$ac_header_preproc:$ac_c_preproc_warn_flag in
++  yes:no: )
++    { $as_echo "$as_me:$LINENO: WARNING: $ac_header: accepted by the compiler, rejected by the preprocessor!" >&5
++$as_echo "$as_me: WARNING: $ac_header: accepted by the compiler, rejected by the preprocessor!" >&2;}
++    { $as_echo "$as_me:$LINENO: WARNING: $ac_header: proceeding with the compiler's result" >&5
++$as_echo "$as_me: WARNING: $ac_header: proceeding with the compiler's result" >&2;}
++    ac_header_preproc=yes
++    ;;
++  no:yes:* )
++    { $as_echo "$as_me:$LINENO: WARNING: $ac_header: present but cannot be compiled" >&5
++$as_echo "$as_me: WARNING: $ac_header: present but cannot be compiled" >&2;}
++    { $as_echo "$as_me:$LINENO: WARNING: $ac_header:     check for missing prerequisite headers?" >&5
++$as_echo "$as_me: WARNING: $ac_header:     check for missing prerequisite headers?" >&2;}
++    { $as_echo "$as_me:$LINENO: WARNING: $ac_header: see the Autoconf documentation" >&5
++$as_echo "$as_me: WARNING: $ac_header: see the Autoconf documentation" >&2;}
++    { $as_echo "$as_me:$LINENO: WARNING: $ac_header:     section \"Present But Cannot Be Compiled\"" >&5
++$as_echo "$as_me: WARNING: $ac_header:     section \"Present But Cannot Be Compiled\"" >&2;}
++    { $as_echo "$as_me:$LINENO: WARNING: $ac_header: proceeding with the preprocessor's result" >&5
++$as_echo "$as_me: WARNING: $ac_header: proceeding with the preprocessor's result" >&2;}
++    { $as_echo "$as_me:$LINENO: WARNING: $ac_header: in the future, the compiler will take precedence" >&5
++$as_echo "$as_me: WARNING: $ac_header: in the future, the compiler will take precedence" >&2;}
++
++    ;;
++esac
++{ $as_echo "$as_me:$LINENO: checking for $ac_header" >&5
++$as_echo_n "checking for $ac_header... " >&6; }
++if { as_var=$as_ac_Header; eval "test \"\${$as_var+set}\" = set"; }; then
++  $as_echo_n "(cached) " >&6
++else
++  eval "$as_ac_Header=\$ac_header_preproc"
+ fi
+-ac_res=`eval 'as_val=${'$as_ac_var'}
++ac_res=`eval 'as_val=${'$as_ac_Header'}
+ 		 $as_echo "$as_val"'`
+ 	       { $as_echo "$as_me:$LINENO: result: $ac_res" >&5
+ $as_echo "$ac_res" >&6; }
+-as_val=`eval 'as_val=${'$as_ac_var'}
++
++fi
++as_val=`eval 'as_val=${'$as_ac_Header'}
+ 		 $as_echo "$as_val"'`
+    if test "x$as_val" = x""yes; then
+   cat >>confdefs.h <<_ACEOF
+-#define `$as_echo "HAVE_$ac_func" | $as_tr_cpp` 1
++#define `$as_echo "HAVE_$ac_header" | $as_tr_cpp` 1
+ _ACEOF
+ 
+ fi
++
+ done
+ 
++    if test "$ac_cv_header_gssapi_gssapi_krb5_h" = "yes"; then
++      { $as_echo "$as_me:$LINENO: checking whether gsskrb5_register_acceptor_identity is declared" >&5
++$as_echo_n "checking whether gsskrb5_register_acceptor_identity is declared... " >&6; }
++if test "${ac_cv_have_decl_gsskrb5_register_acceptor_identity+set}" = set; then
++  $as_echo_n "(cached) " >&6
++else
++  cat >conftest.$ac_ext <<_ACEOF
++/* confdefs.h.  */
++_ACEOF
++cat confdefs.h >>conftest.$ac_ext
++cat >>conftest.$ac_ext <<_ACEOF
++/* end confdefs.h.  */
++
++                    $ac_includes_default
++                    #include <gssapi/gssapi_krb5.h>
+ 
+-for ac_func in gss_oid_equal
++
++int
++main ()
++{
++#ifndef gsskrb5_register_acceptor_identity
++  (void) gsskrb5_register_acceptor_identity;
++#endif
++
++  ;
++  return 0;
++}
++_ACEOF
++rm -f conftest.$ac_objext
++if { (ac_try="$ac_compile"
++case "(($ac_try" in
++  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
++  *) ac_try_echo=$ac_try;;
++esac
++eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
++$as_echo "$ac_try_echo") >&5
++  (eval "$ac_compile") 2>conftest.er1
++  ac_status=$?
++  grep -v '^ *+' conftest.er1 >conftest.err
++  rm -f conftest.er1
++  cat conftest.err >&5
++  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
++  (exit $ac_status); } && {
++	 test -z "$ac_c_werror_flag" ||
++	 test ! -s conftest.err
++       } && test -s conftest.$ac_objext; then
++  ac_cv_have_decl_gsskrb5_register_acceptor_identity=yes
++else
++  $as_echo "$as_me: failed program was:" >&5
++sed 's/^/| /' conftest.$ac_ext >&5
++
++	ac_cv_have_decl_gsskrb5_register_acceptor_identity=no
++fi
++
++rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
++fi
++{ $as_echo "$as_me:$LINENO: result: $ac_cv_have_decl_gsskrb5_register_acceptor_identity" >&5
++$as_echo "$ac_cv_have_decl_gsskrb5_register_acceptor_identity" >&6; }
++if test "x$ac_cv_have_decl_gsskrb5_register_acceptor_identity" = x""yes; then
++
++cat >>confdefs.h <<\_ACEOF
++#define HAVE_GSSKRB5_REGISTER_ACCEPTOR_IDENTITY 1
++_ACEOF
++
++fi
++
++    fi
++  fi
++
++for ac_func in gss_decapsulate_token
+ do
+ as_ac_var=`$as_echo "ac_cv_func_$ac_func" | $as_tr_sh`
+ { $as_echo "$as_me:$LINENO: checking for $ac_func" >&5
+@@ -13770,12 +13674,8 @@ _ACEOF
+ fi
+ done
+ 
+-  LIBS="$cmu_save_LIBS"
+-
+-  cmu_save_LIBS="$LIBS"
+-  LIBS="$LIBS $GSSAPIBASE_LIBS"
+ 
+-for ac_func in gss_get_name_attribute
++for ac_func in gss_encapsulate_token
+ do
+ as_ac_var=`$as_echo "ac_cv_func_$ac_func" | $as_tr_sh`
+ { $as_echo "$as_me:$LINENO: checking for $ac_func" >&5
+@@ -13875,20 +13775,14 @@ _ACEOF
+ fi
+ done
+ 
+-  LIBS="$cmu_save_LIBS"
+ 
+-  cmu_save_LIBS="$LIBS"
+-  LIBS="$LIBS $GSSAPIBASE_LIBS"
+-  { $as_echo "$as_me:$LINENO: checking for SPNEGO support in GSSAPI libraries" >&5
+-$as_echo_n "checking for SPNEGO support in GSSAPI libraries... " >&6; }
+-  if test "$cross_compiling" = yes; then
+-  { { $as_echo "$as_me:$LINENO: error: in \`$ac_pwd':" >&5
+-$as_echo "$as_me: error: in \`$ac_pwd':" >&2;}
+-{ { $as_echo "$as_me:$LINENO: error: cannot run test program while cross compiling
+-See \`config.log' for more details." >&5
+-$as_echo "$as_me: error: cannot run test program while cross compiling
+-See \`config.log' for more details." >&2;}
+-   { (exit 1); exit 1; }; }; }
++for ac_func in gss_oid_equal
++do
++as_ac_var=`$as_echo "ac_cv_func_$ac_func" | $as_tr_sh`
++{ $as_echo "$as_me:$LINENO: checking for $ac_func" >&5
++$as_echo_n "checking for $ac_func... " >&6; }
++if { as_var=$as_ac_var; eval "test \"\${$as_var+set}\" = set"; }; then
++  $as_echo_n "(cached) " >&6
+ else
+   cat >conftest.$ac_ext <<_ACEOF
+ /* confdefs.h.  */
+@@ -13896,30 +13790,46 @@ _ACEOF
+ cat confdefs.h >>conftest.$ac_ext
+ cat >>conftest.$ac_ext <<_ACEOF
+ /* end confdefs.h.  */
++/* Define $ac_func to an innocuous variant, in case <limits.h> declares $ac_func.
++   For example, HP-UX 11i <limits.h> declares gettimeofday.  */
++#define $ac_func innocuous_$ac_func
+ 
+-#ifdef HAVE_GSSAPI_H
+-#include <gssapi.h>
++/* System header to define __stub macros and hopefully few prototypes,
++    which can conflict with char $ac_func (); below.
++    Prefer <limits.h> to <assert.h> if __STDC__ is defined, since
++    <limits.h> exists even on freestanding compilers.  */
++
++#ifdef __STDC__
++# include <limits.h>
+ #else
+-#include <gssapi/gssapi.h>
++# include <assert.h>
+ #endif
+ 
+-int main(void)
+-{
+-    gss_OID_desc spnego_oid = { 6, (void *) "\x2b\x06\x01\x05\x05\x02" };
+-    gss_OID_set mech_set;
+-    OM_uint32 min_stat;
+-    int have_spnego = 0;
++#undef $ac_func
+ 
+-    if (gss_indicate_mechs(&min_stat, &mech_set) == GSS_S_COMPLETE) {
+-	gss_test_oid_set_member(&min_stat, &spnego_oid, mech_set, &have_spnego);
+-	gss_release_oid_set(&min_stat, &mech_set);
+-    }
++/* Override any GCC internal prototype to avoid an error.
++   Use char because int might match the return type of a GCC
++   builtin and then its argument prototype would still apply.  */
++#ifdef __cplusplus
++extern "C"
++#endif
++char $ac_func ();
++/* The GNU C library defines this for functions which it implements
++    to always fail with ENOSYS.  Some functions are actually named
++    something starting with __ and the normal name is an alias.  */
++#if defined __stub_$ac_func || defined __stub___$ac_func
++choke me
++#endif
+ 
+-    return (!have_spnego);  // 0 = success, 1 = failure
++int
++main ()
++{
++return $ac_func ();
++  ;
++  return 0;
+ }
+-
+ _ACEOF
+-rm -f conftest$ac_exeext
++rm -f conftest.$ac_objext conftest$ac_exeext
+ if { (ac_try="$ac_link"
+ case "(($ac_try" in
+   *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+@@ -13927,63 +13837,259 @@ case "(($ac_try" in
+ esac
+ eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
+ $as_echo "$ac_try_echo") >&5
+-  (eval "$ac_link") 2>&5
+-  ac_status=$?
+-  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
+-  (exit $ac_status); } && { ac_try='./conftest$ac_exeext'
+-  { (case "(($ac_try" in
+-  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+-  *) ac_try_echo=$ac_try;;
+-esac
+-eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
+-$as_echo "$ac_try_echo") >&5
+-  (eval "$ac_try") 2>&5
++  (eval "$ac_link") 2>conftest.er1
+   ac_status=$?
++  grep -v '^ *+' conftest.er1 >conftest.err
++  rm -f conftest.er1
++  cat conftest.err >&5
+   $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
+-  (exit $ac_status); }; }; then
+-
+-cat >>confdefs.h <<\_ACEOF
+-#define HAVE_GSS_SPNEGO /**/
+-_ACEOF
+-
+-	{ $as_echo "$as_me:$LINENO: result: yes" >&5
+-$as_echo "yes" >&6; }
++  (exit $ac_status); } && {
++	 test -z "$ac_c_werror_flag" ||
++	 test ! -s conftest.err
++       } && test -s conftest$ac_exeext && {
++	 test "$cross_compiling" = yes ||
++	 $as_test_x conftest$ac_exeext
++       }; then
++  eval "$as_ac_var=yes"
+ else
+-  $as_echo "$as_me: program exited with status $ac_status" >&5
+-$as_echo "$as_me: failed program was:" >&5
++  $as_echo "$as_me: failed program was:" >&5
+ sed 's/^/| /' conftest.$ac_ext >&5
+ 
+-( exit $ac_status )
+-{ $as_echo "$as_me:$LINENO: result: no" >&5
+-$as_echo "no" >&6; }
++	eval "$as_ac_var=no"
+ fi
++
+ rm -rf conftest.dSYM
+-rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext conftest.$ac_objext conftest.$ac_ext
++rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
++      conftest$ac_exeext conftest.$ac_ext
+ fi
++ac_res=`eval 'as_val=${'$as_ac_var'}
++		 $as_echo "$as_val"'`
++	       { $as_echo "$as_me:$LINENO: result: $ac_res" >&5
++$as_echo "$ac_res" >&6; }
++as_val=`eval 'as_val=${'$as_ac_var'}
++		 $as_echo "$as_val"'`
++   if test "x$as_val" = x""yes; then
++  cat >>confdefs.h <<_ACEOF
++#define `$as_echo "HAVE_$ac_func" | $as_tr_cpp` 1
++_ACEOF
+ 
+-
+-  LIBS="$cmu_save_LIBS"
+-
+-else
+-  { $as_echo "$as_me:$LINENO: result: disabled" >&5
+-$as_echo "disabled" >&6; }
+ fi
++done
+ 
++  LIBS="$cmu_save_LIBS"
+ 
++  cmu_save_LIBS="$LIBS"
++  LIBS="$LIBS $GSSAPIBASE_LIBS"
+ 
+-
+-if test "$gssapi" != "no"; then
+-
+-cat >>confdefs.h <<\_ACEOF
+-#define STATIC_GSSAPIV2 /**/
+-_ACEOF
+-
+-  mutex_default="no"
+-  if test "$gss_impl" = "mit"; then
+-     mutex_default="yes"
+-  fi
+-  { $as_echo "$as_me:$LINENO: checking to use mutexes aroung GSS calls" >&5
+-$as_echo_n "checking to use mutexes aroung GSS calls... " >&6; }
++for ac_func in gss_get_name_attribute
++do
++as_ac_var=`$as_echo "ac_cv_func_$ac_func" | $as_tr_sh`
++{ $as_echo "$as_me:$LINENO: checking for $ac_func" >&5
++$as_echo_n "checking for $ac_func... " >&6; }
++if { as_var=$as_ac_var; eval "test \"\${$as_var+set}\" = set"; }; then
++  $as_echo_n "(cached) " >&6
++else
++  cat >conftest.$ac_ext <<_ACEOF
++/* confdefs.h.  */
++_ACEOF
++cat confdefs.h >>conftest.$ac_ext
++cat >>conftest.$ac_ext <<_ACEOF
++/* end confdefs.h.  */
++/* Define $ac_func to an innocuous variant, in case <limits.h> declares $ac_func.
++   For example, HP-UX 11i <limits.h> declares gettimeofday.  */
++#define $ac_func innocuous_$ac_func
++
++/* System header to define __stub macros and hopefully few prototypes,
++    which can conflict with char $ac_func (); below.
++    Prefer <limits.h> to <assert.h> if __STDC__ is defined, since
++    <limits.h> exists even on freestanding compilers.  */
++
++#ifdef __STDC__
++# include <limits.h>
++#else
++# include <assert.h>
++#endif
++
++#undef $ac_func
++
++/* Override any GCC internal prototype to avoid an error.
++   Use char because int might match the return type of a GCC
++   builtin and then its argument prototype would still apply.  */
++#ifdef __cplusplus
++extern "C"
++#endif
++char $ac_func ();
++/* The GNU C library defines this for functions which it implements
++    to always fail with ENOSYS.  Some functions are actually named
++    something starting with __ and the normal name is an alias.  */
++#if defined __stub_$ac_func || defined __stub___$ac_func
++choke me
++#endif
++
++int
++main ()
++{
++return $ac_func ();
++  ;
++  return 0;
++}
++_ACEOF
++rm -f conftest.$ac_objext conftest$ac_exeext
++if { (ac_try="$ac_link"
++case "(($ac_try" in
++  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
++  *) ac_try_echo=$ac_try;;
++esac
++eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
++$as_echo "$ac_try_echo") >&5
++  (eval "$ac_link") 2>conftest.er1
++  ac_status=$?
++  grep -v '^ *+' conftest.er1 >conftest.err
++  rm -f conftest.er1
++  cat conftest.err >&5
++  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
++  (exit $ac_status); } && {
++	 test -z "$ac_c_werror_flag" ||
++	 test ! -s conftest.err
++       } && test -s conftest$ac_exeext && {
++	 test "$cross_compiling" = yes ||
++	 $as_test_x conftest$ac_exeext
++       }; then
++  eval "$as_ac_var=yes"
++else
++  $as_echo "$as_me: failed program was:" >&5
++sed 's/^/| /' conftest.$ac_ext >&5
++
++	eval "$as_ac_var=no"
++fi
++
++rm -rf conftest.dSYM
++rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
++      conftest$ac_exeext conftest.$ac_ext
++fi
++ac_res=`eval 'as_val=${'$as_ac_var'}
++		 $as_echo "$as_val"'`
++	       { $as_echo "$as_me:$LINENO: result: $ac_res" >&5
++$as_echo "$ac_res" >&6; }
++as_val=`eval 'as_val=${'$as_ac_var'}
++		 $as_echo "$as_val"'`
++   if test "x$as_val" = x""yes; then
++  cat >>confdefs.h <<_ACEOF
++#define `$as_echo "HAVE_$ac_func" | $as_tr_cpp` 1
++_ACEOF
++
++fi
++done
++
++  LIBS="$cmu_save_LIBS"
++
++  cmu_save_LIBS="$LIBS"
++  LIBS="$LIBS $GSSAPIBASE_LIBS"
++  { $as_echo "$as_me:$LINENO: checking for SPNEGO support in GSSAPI libraries" >&5
++$as_echo_n "checking for SPNEGO support in GSSAPI libraries... " >&6; }
++  if test "$cross_compiling" = yes; then
++  { { $as_echo "$as_me:$LINENO: error: in \`$ac_pwd':" >&5
++$as_echo "$as_me: error: in \`$ac_pwd':" >&2;}
++{ { $as_echo "$as_me:$LINENO: error: cannot run test program while cross compiling
++See \`config.log' for more details." >&5
++$as_echo "$as_me: error: cannot run test program while cross compiling
++See \`config.log' for more details." >&2;}
++   { (exit 1); exit 1; }; }; }
++else
++  cat >conftest.$ac_ext <<_ACEOF
++/* confdefs.h.  */
++_ACEOF
++cat confdefs.h >>conftest.$ac_ext
++cat >>conftest.$ac_ext <<_ACEOF
++/* end confdefs.h.  */
++
++#ifdef HAVE_GSSAPI_H
++#include <gssapi.h>
++#else
++#include <gssapi/gssapi.h>
++#endif
++
++int main(void)
++{
++    gss_OID_desc spnego_oid = { 6, (void *) "\x2b\x06\x01\x05\x05\x02" };
++    gss_OID_set mech_set;
++    OM_uint32 min_stat;
++    int have_spnego = 0;
++
++    if (gss_indicate_mechs(&min_stat, &mech_set) == GSS_S_COMPLETE) {
++	gss_test_oid_set_member(&min_stat, &spnego_oid, mech_set, &have_spnego);
++	gss_release_oid_set(&min_stat, &mech_set);
++    }
++
++    return (!have_spnego);  // 0 = success, 1 = failure
++}
++
++_ACEOF
++rm -f conftest$ac_exeext
++if { (ac_try="$ac_link"
++case "(($ac_try" in
++  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
++  *) ac_try_echo=$ac_try;;
++esac
++eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
++$as_echo "$ac_try_echo") >&5
++  (eval "$ac_link") 2>&5
++  ac_status=$?
++  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
++  (exit $ac_status); } && { ac_try='./conftest$ac_exeext'
++  { (case "(($ac_try" in
++  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
++  *) ac_try_echo=$ac_try;;
++esac
++eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
++$as_echo "$ac_try_echo") >&5
++  (eval "$ac_try") 2>&5
++  ac_status=$?
++  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
++  (exit $ac_status); }; }; then
++
++cat >>confdefs.h <<\_ACEOF
++#define HAVE_GSS_SPNEGO /**/
++_ACEOF
++
++	{ $as_echo "$as_me:$LINENO: result: yes" >&5
++$as_echo "yes" >&6; }
++else
++  $as_echo "$as_me: program exited with status $ac_status" >&5
++$as_echo "$as_me: failed program was:" >&5
++sed 's/^/| /' conftest.$ac_ext >&5
++
++( exit $ac_status )
++{ $as_echo "$as_me:$LINENO: result: no" >&5
++$as_echo "no" >&6; }
++fi
++rm -rf conftest.dSYM
++rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext conftest.$ac_objext conftest.$ac_ext
++fi
++
++
++  LIBS="$cmu_save_LIBS"
++
++else
++  { $as_echo "$as_me:$LINENO: result: disabled" >&5
++$as_echo "disabled" >&6; }
++fi
++
++
++
++
++if test "$gssapi" != "no"; then
++
++cat >>confdefs.h <<\_ACEOF
++#define STATIC_GSSAPIV2 /**/
++_ACEOF
++
++  mutex_default="no"
++  if test "$gss_impl" = "mit"; then
++     mutex_default="yes"
++  fi
++  { $as_echo "$as_me:$LINENO: checking to use mutexes aroung GSS calls" >&5
++$as_echo_n "checking to use mutexes aroung GSS calls... " >&6; }
+   # Check whether --enable-gss_mutexes was given.
+ if test "${enable_gss_mutexes+set}" = set; then
+   enableval=$enable_gss_mutexes; use_gss_mutexes=$enableval
+@@ -14246,44 +14352,127 @@ LIB_MYSQL=""
+ 
+ case "$with_mysql" in
+     no) true;;
+-    notfound) { $as_echo "$as_me:$LINENO: WARNING: MySQL Library not found" >&5
+-$as_echo "$as_me: WARNING: MySQL Library not found" >&2;}; true;;
+-    *)
+-     if test -d ${with_mysql}/lib/mysql; then
+-
+-  # this is CMU ADD LIBPATH TO
+-  if test "$andrew_cv_runpath_switch" = "none" ; then
+-	LIB_MYSQL="-L${with_mysql}/lib/mysql ${LIB_MYSQL}"
+-  else
+-	LIB_MYSQL="-L${with_mysql}/lib/mysql ${LIB_MYSQL} $andrew_cv_runpath_switch${with_mysql}/lib/mysql"
+-  fi
+-
+-     elif test -d ${with_mysql}/mysql/lib; then
+-
+-  # this is CMU ADD LIBPATH TO
+-  if test "$andrew_cv_runpath_switch" = "none" ; then
+-	LIB_MYSQL="-L${with_mysql}/mysql/lib ${LIB_MYSQL}"
+-  else
+-	LIB_MYSQL="-L${with_mysql}/mysql/lib ${LIB_MYSQL} $andrew_cv_runpath_switch${with_mysql}/mysql/lib"
+-  fi
+-
+-     elif test -d ${with_mysql}/lib; then
+-
+-  # this is CMU ADD LIBPATH TO
+-  if test "$andrew_cv_runpath_switch" = "none" ; then
+-	LIB_MYSQL="-L${with_mysql}/lib ${LIB_MYSQL}"
+-  else
+-	LIB_MYSQL="-L${with_mysql}/lib ${LIB_MYSQL} $andrew_cv_runpath_switch${with_mysql}/lib"
+-  fi
+-
+-     else
++    notfound)
++     save_LDFLAGS=$LDFLAGS
++     LIB_MYSQL=`mysql_config --libs`
++     LIB_MYSQL="-lmysqlclient"
++     LDFLAGS="$LDFLAGS $LIB_MYSQL"
++     # CPPFLAGS="${CPPFLAGS} `mysql_config --include`"
++     { $as_echo "$as_me:$LINENO: checking for mysql_select_db in -lmysqlclient" >&5
++$as_echo_n "checking for mysql_select_db in -lmysqlclient... " >&6; }
++if test "${ac_cv_lib_mysqlclient_mysql_select_db+set}" = set; then
++  $as_echo_n "(cached) " >&6
++else
++  ac_check_lib_save_LIBS=$LIBS
++LIBS="-lmysqlclient  $LIBS"
++cat >conftest.$ac_ext <<_ACEOF
++/* confdefs.h.  */
++_ACEOF
++cat confdefs.h >>conftest.$ac_ext
++cat >>conftest.$ac_ext <<_ACEOF
++/* end confdefs.h.  */
+ 
+-  # this is CMU ADD LIBPATH TO
+-  if test "$andrew_cv_runpath_switch" = "none" ; then
+-	LIB_MYSQL="-L${with_mysql} ${LIB_MYSQL}"
+-  else
+-	LIB_MYSQL="-L${with_mysql} ${LIB_MYSQL} $andrew_cv_runpath_switch${with_mysql}"
+-  fi
++/* Override any GCC internal prototype to avoid an error.
++   Use char because int might match the return type of a GCC
++   builtin and then its argument prototype would still apply.  */
++#ifdef __cplusplus
++extern "C"
++#endif
++char mysql_select_db ();
++int
++main ()
++{
++return mysql_select_db ();
++  ;
++  return 0;
++}
++_ACEOF
++rm -f conftest.$ac_objext conftest$ac_exeext
++if { (ac_try="$ac_link"
++case "(($ac_try" in
++  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
++  *) ac_try_echo=$ac_try;;
++esac
++eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
++$as_echo "$ac_try_echo") >&5
++  (eval "$ac_link") 2>conftest.er1
++  ac_status=$?
++  grep -v '^ *+' conftest.er1 >conftest.err
++  rm -f conftest.er1
++  cat conftest.err >&5
++  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
++  (exit $ac_status); } && {
++	 test -z "$ac_c_werror_flag" ||
++	 test ! -s conftest.err
++       } && test -s conftest$ac_exeext && {
++	 test "$cross_compiling" = yes ||
++	 $as_test_x conftest$ac_exeext
++       }; then
++  ac_cv_lib_mysqlclient_mysql_select_db=yes
++else
++  $as_echo "$as_me: failed program was:" >&5
++sed 's/^/| /' conftest.$ac_ext >&5
++
++	ac_cv_lib_mysqlclient_mysql_select_db=no
++fi
++
++rm -rf conftest.dSYM
++rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
++      conftest$ac_exeext conftest.$ac_ext
++LIBS=$ac_check_lib_save_LIBS
++fi
++{ $as_echo "$as_me:$LINENO: result: $ac_cv_lib_mysqlclient_mysql_select_db" >&5
++$as_echo "$ac_cv_lib_mysqlclient_mysql_select_db" >&6; }
++if test "x$ac_cv_lib_mysqlclient_mysql_select_db" = x""yes; then
++
++cat >>confdefs.h <<\_ACEOF
++#define HAVE_MYSQL /**/
++_ACEOF
++
++else
++  { $as_echo "$as_me:$LINENO: WARNING: MySQL library mysqlclient does not work" >&5
++$as_echo "$as_me: WARNING: MySQL library mysqlclient does not work" >&2;}
++            with_mysql=no
++fi
++
++     LDFLAGS=$save_LDFLAGS
++     ;;
++    *)
++     if test -d ${with_mysql}/lib/mysql; then
++
++  # this is CMU ADD LIBPATH TO
++  if test "$andrew_cv_runpath_switch" = "none" ; then
++	LIB_MYSQL="-L${with_mysql}/lib/mysql ${LIB_MYSQL}"
++  else
++	LIB_MYSQL="-L${with_mysql}/lib/mysql ${LIB_MYSQL} $andrew_cv_runpath_switch${with_mysql}/lib/mysql"
++  fi
++
++     elif test -d ${with_mysql}/mysql/lib; then
++
++  # this is CMU ADD LIBPATH TO
++  if test "$andrew_cv_runpath_switch" = "none" ; then
++	LIB_MYSQL="-L${with_mysql}/mysql/lib ${LIB_MYSQL}"
++  else
++	LIB_MYSQL="-L${with_mysql}/mysql/lib ${LIB_MYSQL} $andrew_cv_runpath_switch${with_mysql}/mysql/lib"
++  fi
++
++     elif test -d ${with_mysql}/lib; then
++
++  # this is CMU ADD LIBPATH TO
++  if test "$andrew_cv_runpath_switch" = "none" ; then
++	LIB_MYSQL="-L${with_mysql}/lib ${LIB_MYSQL}"
++  else
++	LIB_MYSQL="-L${with_mysql}/lib ${LIB_MYSQL} $andrew_cv_runpath_switch${with_mysql}/lib"
++  fi
++
++     else
++
++  # this is CMU ADD LIBPATH TO
++  if test "$andrew_cv_runpath_switch" = "none" ; then
++	LIB_MYSQL="-L${with_mysql} ${LIB_MYSQL}"
++  else
++	LIB_MYSQL="-L${with_mysql} ${LIB_MYSQL} $andrew_cv_runpath_switch${with_mysql}"
++  fi
+ 
+      fi
+ 
+@@ -14296,6 +14485,8 @@ $as_echo "$as_me: WARNING: MySQL Library
+          CPPFLAGS="${CPPFLAGS} -I${with_mysql}/mysql/include"
+      elif test -d ${with_mysql}/include; then
+          CPPFLAGS="${CPPFLAGS} -I${with_mysql}/include"
++     elif test -d ${prefix}/include/mysql; then
++         CPPFLAGS="${CPPFLAGS} -I${prefix}/include/mysql"
+      else
+          CPPFLAGS="${CPPFLAGS} -I${with_mysql}"
+      fi
+@@ -14416,8 +14607,90 @@ LIB_PGSQL=""
+ 
+ case "$with_pgsql" in
+     no) true;;
+-    notfound) { $as_echo "$as_me:$LINENO: WARNING: PostgreSQL Library not found" >&5
+-$as_echo "$as_me: WARNING: PostgreSQL Library not found" >&2;}; true;;
++    notfound)
++     LIB_PGSQL="-lpq"
++     # CPPFLAGS="${CPPFLAGS} -I`pg_config --includedir`"
++     save_LDFLAGS=$LDFLAGS
++     LDFLAGS="$LDFLAGS $LIB_PGSQL"
++     { $as_echo "$as_me:$LINENO: checking for PQsetdbLogin in -lpq" >&5
++$as_echo_n "checking for PQsetdbLogin in -lpq... " >&6; }
++if test "${ac_cv_lib_pq_PQsetdbLogin+set}" = set; then
++  $as_echo_n "(cached) " >&6
++else
++  ac_check_lib_save_LIBS=$LIBS
++LIBS="-lpq  $LIBS"
++cat >conftest.$ac_ext <<_ACEOF
++/* confdefs.h.  */
++_ACEOF
++cat confdefs.h >>conftest.$ac_ext
++cat >>conftest.$ac_ext <<_ACEOF
++/* end confdefs.h.  */
++
++/* Override any GCC internal prototype to avoid an error.
++   Use char because int might match the return type of a GCC
++   builtin and then its argument prototype would still apply.  */
++#ifdef __cplusplus
++extern "C"
++#endif
++char PQsetdbLogin ();
++int
++main ()
++{
++return PQsetdbLogin ();
++  ;
++  return 0;
++}
++_ACEOF
++rm -f conftest.$ac_objext conftest$ac_exeext
++if { (ac_try="$ac_link"
++case "(($ac_try" in
++  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
++  *) ac_try_echo=$ac_try;;
++esac
++eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
++$as_echo "$ac_try_echo") >&5
++  (eval "$ac_link") 2>conftest.er1
++  ac_status=$?
++  grep -v '^ *+' conftest.er1 >conftest.err
++  rm -f conftest.er1
++  cat conftest.err >&5
++  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
++  (exit $ac_status); } && {
++	 test -z "$ac_c_werror_flag" ||
++	 test ! -s conftest.err
++       } && test -s conftest$ac_exeext && {
++	 test "$cross_compiling" = yes ||
++	 $as_test_x conftest$ac_exeext
++       }; then
++  ac_cv_lib_pq_PQsetdbLogin=yes
++else
++  $as_echo "$as_me: failed program was:" >&5
++sed 's/^/| /' conftest.$ac_ext >&5
++
++	ac_cv_lib_pq_PQsetdbLogin=no
++fi
++
++rm -rf conftest.dSYM
++rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
++      conftest$ac_exeext conftest.$ac_ext
++LIBS=$ac_check_lib_save_LIBS
++fi
++{ $as_echo "$as_me:$LINENO: result: $ac_cv_lib_pq_PQsetdbLogin" >&5
++$as_echo "$ac_cv_lib_pq_PQsetdbLogin" >&6; }
++if test "x$ac_cv_lib_pq_PQsetdbLogin" = x""yes; then
++
++cat >>confdefs.h <<\_ACEOF
++#define HAVE_PGSQL /**/
++_ACEOF
++
++else
++  { $as_echo "$as_me:$LINENO: WARNING: PostgreSQL Library pq does not work" >&5
++$as_echo "$as_me: WARNING: PostgreSQL Library pq does not work" >&2;}
++          with_pgsql=no
++fi
++
++     LDFLAGS=$save_LDFLAGS
++     ;;
+     *)
+      if test -d ${with_pgsql}/lib/pgsql; then
+ 
+@@ -14466,6 +14739,8 @@ $as_echo "$as_me: WARNING: PostgreSQL Li
+          CPPFLAGS="${CPPFLAGS} -I${with_pgsql}/pgsql/include"
+      elif test -d ${with_pgsql}/include; then
+          CPPFLAGS="${CPPFLAGS} -I${with_pgsql}/include"
++     elif test -d ${prefix}/include; then
++         CPPFLAGS="${CPPFLAGS} -I${prefix}/include"
+      else
+          CPPFLAGS="${CPPFLAGS} -I${with_pgsql}"
+      fi
+@@ -18166,116 +18441,989 @@ fi
+ 
+ done
+ 
+-ac_fn_c_check_type "$LINENO" "long long" "ac_cv_type_long_long" "
+-#ifdef HAVE_INTTYPES_H
+-#include <inttypes.h>
+-#endif
+-"
+-if test "x$ac_cv_type_long_long" = xyes; then :
+-
+-cat >>confdefs.h <<_ACEOF
+-#define HAVE_LONG_LONG 1
++{ $as_echo "$as_me:$LINENO: checking for long long" >&5
++$as_echo_n "checking for long long... " >&6; }
++if test "${ac_cv_type_long_long+set}" = set; then
++  $as_echo_n "(cached) " >&6
++else
++  ac_cv_type_long_long=no
++cat >conftest.$ac_ext <<_ACEOF
++/* confdefs.h.  */
+ _ACEOF
++cat confdefs.h >>conftest.$ac_ext
++cat >>conftest.$ac_ext <<_ACEOF
++/* end confdefs.h.  */
+ 
+-
+-fi
+-ac_fn_c_check_type "$LINENO" "int8_t" "ac_cv_type_int8_t" "
+ #ifdef HAVE_INTTYPES_H
+ #include <inttypes.h>
+ #endif
+-"
+-if test "x$ac_cv_type_int8_t" = xyes; then :
+ 
+-cat >>confdefs.h <<_ACEOF
+-#define HAVE_INT8_T 1
++int
++main ()
++{
++if (sizeof (long long))
++       return 0;
++  ;
++  return 0;
++}
+ _ACEOF
+-
+-
+-fi
+-ac_fn_c_check_type "$LINENO" "uint8_t" "ac_cv_type_uint8_t" "
+-#ifdef HAVE_INTTYPES_H
+-#include <inttypes.h>
+-#endif
+-"
+-if test "x$ac_cv_type_uint8_t" = xyes; then :
+-
+-cat >>confdefs.h <<_ACEOF
+-#define HAVE_UINT8_T 1
++rm -f conftest.$ac_objext
++if { (ac_try="$ac_compile"
++case "(($ac_try" in
++  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
++  *) ac_try_echo=$ac_try;;
++esac
++eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
++$as_echo "$ac_try_echo") >&5
++  (eval "$ac_compile") 2>conftest.er1
++  ac_status=$?
++  grep -v '^ *+' conftest.er1 >conftest.err
++  rm -f conftest.er1
++  cat conftest.err >&5
++  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
++  (exit $ac_status); } && {
++	 test -z "$ac_c_werror_flag" ||
++	 test ! -s conftest.err
++       } && test -s conftest.$ac_objext; then
++  cat >conftest.$ac_ext <<_ACEOF
++/* confdefs.h.  */
+ _ACEOF
++cat confdefs.h >>conftest.$ac_ext
++cat >>conftest.$ac_ext <<_ACEOF
++/* end confdefs.h.  */
+ 
+-
+-fi
+-ac_fn_c_check_type "$LINENO" "int16_t" "ac_cv_type_int16_t" "
+ #ifdef HAVE_INTTYPES_H
+ #include <inttypes.h>
+ #endif
+-"
+-if test "x$ac_cv_type_int16_t" = xyes; then :
+ 
+-cat >>confdefs.h <<_ACEOF
+-#define HAVE_INT16_T 1
++int
++main ()
++{
++if (sizeof ((long long)))
++	  return 0;
++  ;
++  return 0;
++}
+ _ACEOF
+-
+-
+-fi
+-ac_fn_c_check_type "$LINENO" "uint16_t" "ac_cv_type_uint16_t" "
+-#ifdef HAVE_INTTYPES_H
+-#include <inttypes.h>
+-#endif
+-"
+-if test "x$ac_cv_type_uint16_t" = xyes; then :
+-
+-cat >>confdefs.h <<_ACEOF
+-#define HAVE_UINT16_T 1
++rm -f conftest.$ac_objext
++if { (ac_try="$ac_compile"
++case "(($ac_try" in
++  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
++  *) ac_try_echo=$ac_try;;
++esac
++eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
++$as_echo "$ac_try_echo") >&5
++  (eval "$ac_compile") 2>conftest.er1
++  ac_status=$?
++  grep -v '^ *+' conftest.er1 >conftest.err
++  rm -f conftest.er1
++  cat conftest.err >&5
++  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
++  (exit $ac_status); } && {
++	 test -z "$ac_c_werror_flag" ||
++	 test ! -s conftest.err
++       } && test -s conftest.$ac_objext; then
++  :
++else
++  $as_echo "$as_me: failed program was:" >&5
++sed 's/^/| /' conftest.$ac_ext >&5
++
++	ac_cv_type_long_long=yes
++fi
++
++rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
++else
++  $as_echo "$as_me: failed program was:" >&5
++sed 's/^/| /' conftest.$ac_ext >&5
++
++
++fi
++
++rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
++fi
++{ $as_echo "$as_me:$LINENO: result: $ac_cv_type_long_long" >&5
++$as_echo "$ac_cv_type_long_long" >&6; }
++if test "x$ac_cv_type_long_long" = x""yes; then
++
++cat >>confdefs.h <<_ACEOF
++#define HAVE_LONG_LONG 1
+ _ACEOF
+ 
+ 
+ fi
+-ac_fn_c_check_type "$LINENO" "int32_t" "ac_cv_type_int32_t" "
++{ $as_echo "$as_me:$LINENO: checking for int8_t" >&5
++$as_echo_n "checking for int8_t... " >&6; }
++if test "${ac_cv_type_int8_t+set}" = set; then
++  $as_echo_n "(cached) " >&6
++else
++  ac_cv_type_int8_t=no
++cat >conftest.$ac_ext <<_ACEOF
++/* confdefs.h.  */
++_ACEOF
++cat confdefs.h >>conftest.$ac_ext
++cat >>conftest.$ac_ext <<_ACEOF
++/* end confdefs.h.  */
++
+ #ifdef HAVE_INTTYPES_H
+ #include <inttypes.h>
+ #endif
+-"
+-if test "x$ac_cv_type_int32_t" = xyes; then :
+ 
+-cat >>confdefs.h <<_ACEOF
+-#define HAVE_INT32_T 1
++int
++main ()
++{
++if (sizeof (int8_t))
++       return 0;
++  ;
++  return 0;
++}
+ _ACEOF
++rm -f conftest.$ac_objext
++if { (ac_try="$ac_compile"
++case "(($ac_try" in
++  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
++  *) ac_try_echo=$ac_try;;
++esac
++eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
++$as_echo "$ac_try_echo") >&5
++  (eval "$ac_compile") 2>conftest.er1
++  ac_status=$?
++  grep -v '^ *+' conftest.er1 >conftest.err
++  rm -f conftest.er1
++  cat conftest.err >&5
++  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
++  (exit $ac_status); } && {
++	 test -z "$ac_c_werror_flag" ||
++	 test ! -s conftest.err
++       } && test -s conftest.$ac_objext; then
++  cat >conftest.$ac_ext <<_ACEOF
++/* confdefs.h.  */
++_ACEOF
++cat confdefs.h >>conftest.$ac_ext
++cat >>conftest.$ac_ext <<_ACEOF
++/* end confdefs.h.  */
+ 
+-
+-fi
+-ac_fn_c_check_type "$LINENO" "uint32_t" "ac_cv_type_uint32_t" "
+ #ifdef HAVE_INTTYPES_H
+ #include <inttypes.h>
+ #endif
+-"
+-if test "x$ac_cv_type_uint32_t" = xyes; then :
++
++int
++main ()
++{
++if (sizeof ((int8_t)))
++	  return 0;
++  ;
++  return 0;
++}
++_ACEOF
++rm -f conftest.$ac_objext
++if { (ac_try="$ac_compile"
++case "(($ac_try" in
++  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
++  *) ac_try_echo=$ac_try;;
++esac
++eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
++$as_echo "$ac_try_echo") >&5
++  (eval "$ac_compile") 2>conftest.er1
++  ac_status=$?
++  grep -v '^ *+' conftest.er1 >conftest.err
++  rm -f conftest.er1
++  cat conftest.err >&5
++  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
++  (exit $ac_status); } && {
++	 test -z "$ac_c_werror_flag" ||
++	 test ! -s conftest.err
++       } && test -s conftest.$ac_objext; then
++  :
++else
++  $as_echo "$as_me: failed program was:" >&5
++sed 's/^/| /' conftest.$ac_ext >&5
++
++	ac_cv_type_int8_t=yes
++fi
++
++rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
++else
++  $as_echo "$as_me: failed program was:" >&5
++sed 's/^/| /' conftest.$ac_ext >&5
++
++
++fi
++
++rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
++fi
++{ $as_echo "$as_me:$LINENO: result: $ac_cv_type_int8_t" >&5
++$as_echo "$ac_cv_type_int8_t" >&6; }
++if test "x$ac_cv_type_int8_t" = x""yes; then
+ 
+ cat >>confdefs.h <<_ACEOF
+-#define HAVE_UINT32_T 1
++#define HAVE_INT8_T 1
+ _ACEOF
+ 
+ 
+ fi
+-ac_fn_c_check_type "$LINENO" "int64_t" "ac_cv_type_int64_t" "
++{ $as_echo "$as_me:$LINENO: checking for uint8_t" >&5
++$as_echo_n "checking for uint8_t... " >&6; }
++if test "${ac_cv_type_uint8_t+set}" = set; then
++  $as_echo_n "(cached) " >&6
++else
++  ac_cv_type_uint8_t=no
++cat >conftest.$ac_ext <<_ACEOF
++/* confdefs.h.  */
++_ACEOF
++cat confdefs.h >>conftest.$ac_ext
++cat >>conftest.$ac_ext <<_ACEOF
++/* end confdefs.h.  */
++
+ #ifdef HAVE_INTTYPES_H
+ #include <inttypes.h>
+ #endif
+-"
+-if test "x$ac_cv_type_int64_t" = xyes; then :
++
++int
++main ()
++{
++if (sizeof (uint8_t))
++       return 0;
++  ;
++  return 0;
++}
++_ACEOF
++rm -f conftest.$ac_objext
++if { (ac_try="$ac_compile"
++case "(($ac_try" in
++  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
++  *) ac_try_echo=$ac_try;;
++esac
++eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
++$as_echo "$ac_try_echo") >&5
++  (eval "$ac_compile") 2>conftest.er1
++  ac_status=$?
++  grep -v '^ *+' conftest.er1 >conftest.err
++  rm -f conftest.er1
++  cat conftest.err >&5
++  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
++  (exit $ac_status); } && {
++	 test -z "$ac_c_werror_flag" ||
++	 test ! -s conftest.err
++       } && test -s conftest.$ac_objext; then
++  cat >conftest.$ac_ext <<_ACEOF
++/* confdefs.h.  */
++_ACEOF
++cat confdefs.h >>conftest.$ac_ext
++cat >>conftest.$ac_ext <<_ACEOF
++/* end confdefs.h.  */
++
++#ifdef HAVE_INTTYPES_H
++#include <inttypes.h>
++#endif
++
++int
++main ()
++{
++if (sizeof ((uint8_t)))
++	  return 0;
++  ;
++  return 0;
++}
++_ACEOF
++rm -f conftest.$ac_objext
++if { (ac_try="$ac_compile"
++case "(($ac_try" in
++  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
++  *) ac_try_echo=$ac_try;;
++esac
++eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
++$as_echo "$ac_try_echo") >&5
++  (eval "$ac_compile") 2>conftest.er1
++  ac_status=$?
++  grep -v '^ *+' conftest.er1 >conftest.err
++  rm -f conftest.er1
++  cat conftest.err >&5
++  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
++  (exit $ac_status); } && {
++	 test -z "$ac_c_werror_flag" ||
++	 test ! -s conftest.err
++       } && test -s conftest.$ac_objext; then
++  :
++else
++  $as_echo "$as_me: failed program was:" >&5
++sed 's/^/| /' conftest.$ac_ext >&5
++
++	ac_cv_type_uint8_t=yes
++fi
++
++rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
++else
++  $as_echo "$as_me: failed program was:" >&5
++sed 's/^/| /' conftest.$ac_ext >&5
++
++
++fi
++
++rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
++fi
++{ $as_echo "$as_me:$LINENO: result: $ac_cv_type_uint8_t" >&5
++$as_echo "$ac_cv_type_uint8_t" >&6; }
++if test "x$ac_cv_type_uint8_t" = x""yes; then
+ 
+ cat >>confdefs.h <<_ACEOF
+-#define HAVE_INT64_T 1
++#define HAVE_UINT8_T 1
+ _ACEOF
+ 
+ 
+ fi
+-ac_fn_c_check_type "$LINENO" "uint64_t" "ac_cv_type_uint64_t" "
++{ $as_echo "$as_me:$LINENO: checking for int16_t" >&5
++$as_echo_n "checking for int16_t... " >&6; }
++if test "${ac_cv_type_int16_t+set}" = set; then
++  $as_echo_n "(cached) " >&6
++else
++  ac_cv_type_int16_t=no
++cat >conftest.$ac_ext <<_ACEOF
++/* confdefs.h.  */
++_ACEOF
++cat confdefs.h >>conftest.$ac_ext
++cat >>conftest.$ac_ext <<_ACEOF
++/* end confdefs.h.  */
++
+ #ifdef HAVE_INTTYPES_H
+ #include <inttypes.h>
+ #endif
+-"
+-if test "x$ac_cv_type_uint64_t" = xyes; then :
++
++int
++main ()
++{
++if (sizeof (int16_t))
++       return 0;
++  ;
++  return 0;
++}
++_ACEOF
++rm -f conftest.$ac_objext
++if { (ac_try="$ac_compile"
++case "(($ac_try" in
++  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
++  *) ac_try_echo=$ac_try;;
++esac
++eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
++$as_echo "$ac_try_echo") >&5
++  (eval "$ac_compile") 2>conftest.er1
++  ac_status=$?
++  grep -v '^ *+' conftest.er1 >conftest.err
++  rm -f conftest.er1
++  cat conftest.err >&5
++  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
++  (exit $ac_status); } && {
++	 test -z "$ac_c_werror_flag" ||
++	 test ! -s conftest.err
++       } && test -s conftest.$ac_objext; then
++  cat >conftest.$ac_ext <<_ACEOF
++/* confdefs.h.  */
++_ACEOF
++cat confdefs.h >>conftest.$ac_ext
++cat >>conftest.$ac_ext <<_ACEOF
++/* end confdefs.h.  */
++
++#ifdef HAVE_INTTYPES_H
++#include <inttypes.h>
++#endif
++
++int
++main ()
++{
++if (sizeof ((int16_t)))
++	  return 0;
++  ;
++  return 0;
++}
++_ACEOF
++rm -f conftest.$ac_objext
++if { (ac_try="$ac_compile"
++case "(($ac_try" in
++  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
++  *) ac_try_echo=$ac_try;;
++esac
++eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
++$as_echo "$ac_try_echo") >&5
++  (eval "$ac_compile") 2>conftest.er1
++  ac_status=$?
++  grep -v '^ *+' conftest.er1 >conftest.err
++  rm -f conftest.er1
++  cat conftest.err >&5
++  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
++  (exit $ac_status); } && {
++	 test -z "$ac_c_werror_flag" ||
++	 test ! -s conftest.err
++       } && test -s conftest.$ac_objext; then
++  :
++else
++  $as_echo "$as_me: failed program was:" >&5
++sed 's/^/| /' conftest.$ac_ext >&5
++
++	ac_cv_type_int16_t=yes
++fi
++
++rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
++else
++  $as_echo "$as_me: failed program was:" >&5
++sed 's/^/| /' conftest.$ac_ext >&5
++
++
++fi
++
++rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
++fi
++{ $as_echo "$as_me:$LINENO: result: $ac_cv_type_int16_t" >&5
++$as_echo "$ac_cv_type_int16_t" >&6; }
++if test "x$ac_cv_type_int16_t" = x""yes; then
++
++cat >>confdefs.h <<_ACEOF
++#define HAVE_INT16_T 1
++_ACEOF
++
++
++fi
++{ $as_echo "$as_me:$LINENO: checking for uint16_t" >&5
++$as_echo_n "checking for uint16_t... " >&6; }
++if test "${ac_cv_type_uint16_t+set}" = set; then
++  $as_echo_n "(cached) " >&6
++else
++  ac_cv_type_uint16_t=no
++cat >conftest.$ac_ext <<_ACEOF
++/* confdefs.h.  */
++_ACEOF
++cat confdefs.h >>conftest.$ac_ext
++cat >>conftest.$ac_ext <<_ACEOF
++/* end confdefs.h.  */
++
++#ifdef HAVE_INTTYPES_H
++#include <inttypes.h>
++#endif
++
++int
++main ()
++{
++if (sizeof (uint16_t))
++       return 0;
++  ;
++  return 0;
++}
++_ACEOF
++rm -f conftest.$ac_objext
++if { (ac_try="$ac_compile"
++case "(($ac_try" in
++  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
++  *) ac_try_echo=$ac_try;;
++esac
++eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
++$as_echo "$ac_try_echo") >&5
++  (eval "$ac_compile") 2>conftest.er1
++  ac_status=$?
++  grep -v '^ *+' conftest.er1 >conftest.err
++  rm -f conftest.er1
++  cat conftest.err >&5
++  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
++  (exit $ac_status); } && {
++	 test -z "$ac_c_werror_flag" ||
++	 test ! -s conftest.err
++       } && test -s conftest.$ac_objext; then
++  cat >conftest.$ac_ext <<_ACEOF
++/* confdefs.h.  */
++_ACEOF
++cat confdefs.h >>conftest.$ac_ext
++cat >>conftest.$ac_ext <<_ACEOF
++/* end confdefs.h.  */
++
++#ifdef HAVE_INTTYPES_H
++#include <inttypes.h>
++#endif
++
++int
++main ()
++{
++if (sizeof ((uint16_t)))
++	  return 0;
++  ;
++  return 0;
++}
++_ACEOF
++rm -f conftest.$ac_objext
++if { (ac_try="$ac_compile"
++case "(($ac_try" in
++  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
++  *) ac_try_echo=$ac_try;;
++esac
++eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
++$as_echo "$ac_try_echo") >&5
++  (eval "$ac_compile") 2>conftest.er1
++  ac_status=$?
++  grep -v '^ *+' conftest.er1 >conftest.err
++  rm -f conftest.er1
++  cat conftest.err >&5
++  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
++  (exit $ac_status); } && {
++	 test -z "$ac_c_werror_flag" ||
++	 test ! -s conftest.err
++       } && test -s conftest.$ac_objext; then
++  :
++else
++  $as_echo "$as_me: failed program was:" >&5
++sed 's/^/| /' conftest.$ac_ext >&5
++
++	ac_cv_type_uint16_t=yes
++fi
++
++rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
++else
++  $as_echo "$as_me: failed program was:" >&5
++sed 's/^/| /' conftest.$ac_ext >&5
++
++
++fi
++
++rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
++fi
++{ $as_echo "$as_me:$LINENO: result: $ac_cv_type_uint16_t" >&5
++$as_echo "$ac_cv_type_uint16_t" >&6; }
++if test "x$ac_cv_type_uint16_t" = x""yes; then
++
++cat >>confdefs.h <<_ACEOF
++#define HAVE_UINT16_T 1
++_ACEOF
++
++
++fi
++{ $as_echo "$as_me:$LINENO: checking for int32_t" >&5
++$as_echo_n "checking for int32_t... " >&6; }
++if test "${ac_cv_type_int32_t+set}" = set; then
++  $as_echo_n "(cached) " >&6
++else
++  ac_cv_type_int32_t=no
++cat >conftest.$ac_ext <<_ACEOF
++/* confdefs.h.  */
++_ACEOF
++cat confdefs.h >>conftest.$ac_ext
++cat >>conftest.$ac_ext <<_ACEOF
++/* end confdefs.h.  */
++
++#ifdef HAVE_INTTYPES_H
++#include <inttypes.h>
++#endif
++
++int
++main ()
++{
++if (sizeof (int32_t))
++       return 0;
++  ;
++  return 0;
++}
++_ACEOF
++rm -f conftest.$ac_objext
++if { (ac_try="$ac_compile"
++case "(($ac_try" in
++  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
++  *) ac_try_echo=$ac_try;;
++esac
++eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
++$as_echo "$ac_try_echo") >&5
++  (eval "$ac_compile") 2>conftest.er1
++  ac_status=$?
++  grep -v '^ *+' conftest.er1 >conftest.err
++  rm -f conftest.er1
++  cat conftest.err >&5
++  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
++  (exit $ac_status); } && {
++	 test -z "$ac_c_werror_flag" ||
++	 test ! -s conftest.err
++       } && test -s conftest.$ac_objext; then
++  cat >conftest.$ac_ext <<_ACEOF
++/* confdefs.h.  */
++_ACEOF
++cat confdefs.h >>conftest.$ac_ext
++cat >>conftest.$ac_ext <<_ACEOF
++/* end confdefs.h.  */
++
++#ifdef HAVE_INTTYPES_H
++#include <inttypes.h>
++#endif
++
++int
++main ()
++{
++if (sizeof ((int32_t)))
++	  return 0;
++  ;
++  return 0;
++}
++_ACEOF
++rm -f conftest.$ac_objext
++if { (ac_try="$ac_compile"
++case "(($ac_try" in
++  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
++  *) ac_try_echo=$ac_try;;
++esac
++eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
++$as_echo "$ac_try_echo") >&5
++  (eval "$ac_compile") 2>conftest.er1
++  ac_status=$?
++  grep -v '^ *+' conftest.er1 >conftest.err
++  rm -f conftest.er1
++  cat conftest.err >&5
++  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
++  (exit $ac_status); } && {
++	 test -z "$ac_c_werror_flag" ||
++	 test ! -s conftest.err
++       } && test -s conftest.$ac_objext; then
++  :
++else
++  $as_echo "$as_me: failed program was:" >&5
++sed 's/^/| /' conftest.$ac_ext >&5
++
++	ac_cv_type_int32_t=yes
++fi
++
++rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
++else
++  $as_echo "$as_me: failed program was:" >&5
++sed 's/^/| /' conftest.$ac_ext >&5
++
++
++fi
++
++rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
++fi
++{ $as_echo "$as_me:$LINENO: result: $ac_cv_type_int32_t" >&5
++$as_echo "$ac_cv_type_int32_t" >&6; }
++if test "x$ac_cv_type_int32_t" = x""yes; then
++
++cat >>confdefs.h <<_ACEOF
++#define HAVE_INT32_T 1
++_ACEOF
++
++
++fi
++{ $as_echo "$as_me:$LINENO: checking for uint32_t" >&5
++$as_echo_n "checking for uint32_t... " >&6; }
++if test "${ac_cv_type_uint32_t+set}" = set; then
++  $as_echo_n "(cached) " >&6
++else
++  ac_cv_type_uint32_t=no
++cat >conftest.$ac_ext <<_ACEOF
++/* confdefs.h.  */
++_ACEOF
++cat confdefs.h >>conftest.$ac_ext
++cat >>conftest.$ac_ext <<_ACEOF
++/* end confdefs.h.  */
++
++#ifdef HAVE_INTTYPES_H
++#include <inttypes.h>
++#endif
++
++int
++main ()
++{
++if (sizeof (uint32_t))
++       return 0;
++  ;
++  return 0;
++}
++_ACEOF
++rm -f conftest.$ac_objext
++if { (ac_try="$ac_compile"
++case "(($ac_try" in
++  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
++  *) ac_try_echo=$ac_try;;
++esac
++eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
++$as_echo "$ac_try_echo") >&5
++  (eval "$ac_compile") 2>conftest.er1
++  ac_status=$?
++  grep -v '^ *+' conftest.er1 >conftest.err
++  rm -f conftest.er1
++  cat conftest.err >&5
++  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
++  (exit $ac_status); } && {
++	 test -z "$ac_c_werror_flag" ||
++	 test ! -s conftest.err
++       } && test -s conftest.$ac_objext; then
++  cat >conftest.$ac_ext <<_ACEOF
++/* confdefs.h.  */
++_ACEOF
++cat confdefs.h >>conftest.$ac_ext
++cat >>conftest.$ac_ext <<_ACEOF
++/* end confdefs.h.  */
++
++#ifdef HAVE_INTTYPES_H
++#include <inttypes.h>
++#endif
++
++int
++main ()
++{
++if (sizeof ((uint32_t)))
++	  return 0;
++  ;
++  return 0;
++}
++_ACEOF
++rm -f conftest.$ac_objext
++if { (ac_try="$ac_compile"
++case "(($ac_try" in
++  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
++  *) ac_try_echo=$ac_try;;
++esac
++eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
++$as_echo "$ac_try_echo") >&5
++  (eval "$ac_compile") 2>conftest.er1
++  ac_status=$?
++  grep -v '^ *+' conftest.er1 >conftest.err
++  rm -f conftest.er1
++  cat conftest.err >&5
++  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
++  (exit $ac_status); } && {
++	 test -z "$ac_c_werror_flag" ||
++	 test ! -s conftest.err
++       } && test -s conftest.$ac_objext; then
++  :
++else
++  $as_echo "$as_me: failed program was:" >&5
++sed 's/^/| /' conftest.$ac_ext >&5
++
++	ac_cv_type_uint32_t=yes
++fi
++
++rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
++else
++  $as_echo "$as_me: failed program was:" >&5
++sed 's/^/| /' conftest.$ac_ext >&5
++
++
++fi
++
++rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
++fi
++{ $as_echo "$as_me:$LINENO: result: $ac_cv_type_uint32_t" >&5
++$as_echo "$ac_cv_type_uint32_t" >&6; }
++if test "x$ac_cv_type_uint32_t" = x""yes; then
++
++cat >>confdefs.h <<_ACEOF
++#define HAVE_UINT32_T 1
++_ACEOF
++
++
++fi
++{ $as_echo "$as_me:$LINENO: checking for int64_t" >&5
++$as_echo_n "checking for int64_t... " >&6; }
++if test "${ac_cv_type_int64_t+set}" = set; then
++  $as_echo_n "(cached) " >&6
++else
++  ac_cv_type_int64_t=no
++cat >conftest.$ac_ext <<_ACEOF
++/* confdefs.h.  */
++_ACEOF
++cat confdefs.h >>conftest.$ac_ext
++cat >>conftest.$ac_ext <<_ACEOF
++/* end confdefs.h.  */
++
++#ifdef HAVE_INTTYPES_H
++#include <inttypes.h>
++#endif
++
++int
++main ()
++{
++if (sizeof (int64_t))
++       return 0;
++  ;
++  return 0;
++}
++_ACEOF
++rm -f conftest.$ac_objext
++if { (ac_try="$ac_compile"
++case "(($ac_try" in
++  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
++  *) ac_try_echo=$ac_try;;
++esac
++eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
++$as_echo "$ac_try_echo") >&5
++  (eval "$ac_compile") 2>conftest.er1
++  ac_status=$?
++  grep -v '^ *+' conftest.er1 >conftest.err
++  rm -f conftest.er1
++  cat conftest.err >&5
++  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
++  (exit $ac_status); } && {
++	 test -z "$ac_c_werror_flag" ||
++	 test ! -s conftest.err
++       } && test -s conftest.$ac_objext; then
++  cat >conftest.$ac_ext <<_ACEOF
++/* confdefs.h.  */
++_ACEOF
++cat confdefs.h >>conftest.$ac_ext
++cat >>conftest.$ac_ext <<_ACEOF
++/* end confdefs.h.  */
++
++#ifdef HAVE_INTTYPES_H
++#include <inttypes.h>
++#endif
++
++int
++main ()
++{
++if (sizeof ((int64_t)))
++	  return 0;
++  ;
++  return 0;
++}
++_ACEOF
++rm -f conftest.$ac_objext
++if { (ac_try="$ac_compile"
++case "(($ac_try" in
++  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
++  *) ac_try_echo=$ac_try;;
++esac
++eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
++$as_echo "$ac_try_echo") >&5
++  (eval "$ac_compile") 2>conftest.er1
++  ac_status=$?
++  grep -v '^ *+' conftest.er1 >conftest.err
++  rm -f conftest.er1
++  cat conftest.err >&5
++  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
++  (exit $ac_status); } && {
++	 test -z "$ac_c_werror_flag" ||
++	 test ! -s conftest.err
++       } && test -s conftest.$ac_objext; then
++  :
++else
++  $as_echo "$as_me: failed program was:" >&5
++sed 's/^/| /' conftest.$ac_ext >&5
++
++	ac_cv_type_int64_t=yes
++fi
++
++rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
++else
++  $as_echo "$as_me: failed program was:" >&5
++sed 's/^/| /' conftest.$ac_ext >&5
++
++
++fi
++
++rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
++fi
++{ $as_echo "$as_me:$LINENO: result: $ac_cv_type_int64_t" >&5
++$as_echo "$ac_cv_type_int64_t" >&6; }
++if test "x$ac_cv_type_int64_t" = x""yes; then
++
++cat >>confdefs.h <<_ACEOF
++#define HAVE_INT64_T 1
++_ACEOF
++
++
++fi
++{ $as_echo "$as_me:$LINENO: checking for uint64_t" >&5
++$as_echo_n "checking for uint64_t... " >&6; }
++if test "${ac_cv_type_uint64_t+set}" = set; then
++  $as_echo_n "(cached) " >&6
++else
++  ac_cv_type_uint64_t=no
++cat >conftest.$ac_ext <<_ACEOF
++/* confdefs.h.  */
++_ACEOF
++cat confdefs.h >>conftest.$ac_ext
++cat >>conftest.$ac_ext <<_ACEOF
++/* end confdefs.h.  */
++
++#ifdef HAVE_INTTYPES_H
++#include <inttypes.h>
++#endif
++
++int
++main ()
++{
++if (sizeof (uint64_t))
++       return 0;
++  ;
++  return 0;
++}
++_ACEOF
++rm -f conftest.$ac_objext
++if { (ac_try="$ac_compile"
++case "(($ac_try" in
++  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
++  *) ac_try_echo=$ac_try;;
++esac
++eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
++$as_echo "$ac_try_echo") >&5
++  (eval "$ac_compile") 2>conftest.er1
++  ac_status=$?
++  grep -v '^ *+' conftest.er1 >conftest.err
++  rm -f conftest.er1
++  cat conftest.err >&5
++  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
++  (exit $ac_status); } && {
++	 test -z "$ac_c_werror_flag" ||
++	 test ! -s conftest.err
++       } && test -s conftest.$ac_objext; then
++  cat >conftest.$ac_ext <<_ACEOF
++/* confdefs.h.  */
++_ACEOF
++cat confdefs.h >>conftest.$ac_ext
++cat >>conftest.$ac_ext <<_ACEOF
++/* end confdefs.h.  */
++
++#ifdef HAVE_INTTYPES_H
++#include <inttypes.h>
++#endif
++
++int
++main ()
++{
++if (sizeof ((uint64_t)))
++	  return 0;
++  ;
++  return 0;
++}
++_ACEOF
++rm -f conftest.$ac_objext
++if { (ac_try="$ac_compile"
++case "(($ac_try" in
++  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
++  *) ac_try_echo=$ac_try;;
++esac
++eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
++$as_echo "$ac_try_echo") >&5
++  (eval "$ac_compile") 2>conftest.er1
++  ac_status=$?
++  grep -v '^ *+' conftest.er1 >conftest.err
++  rm -f conftest.er1
++  cat conftest.err >&5
++  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
++  (exit $ac_status); } && {
++	 test -z "$ac_c_werror_flag" ||
++	 test ! -s conftest.err
++       } && test -s conftest.$ac_objext; then
++  :
++else
++  $as_echo "$as_me: failed program was:" >&5
++sed 's/^/| /' conftest.$ac_ext >&5
++
++	ac_cv_type_uint64_t=yes
++fi
++
++rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
++else
++  $as_echo "$as_me: failed program was:" >&5
++sed 's/^/| /' conftest.$ac_ext >&5
++
++
++fi
++
++rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
++fi
++{ $as_echo "$as_me:$LINENO: result: $ac_cv_type_uint64_t" >&5
++$as_echo "$ac_cv_type_uint64_t" >&6; }
++if test "x$ac_cv_type_uint64_t" = x""yes; then
+ 
+ cat >>confdefs.h <<_ACEOF
+ #define HAVE_UINT64_T 1
diff --git a/SOURCES/cyrus-sasl-2.1.26-warnings.patch b/SOURCES/cyrus-sasl-2.1.26-warnings.patch
new file mode 100644
index 0000000..f7127bb
--- /dev/null
+++ b/SOURCES/cyrus-sasl-2.1.26-warnings.patch
@@ -0,0 +1,74 @@
+diff -up cyrus-sasl-2.1.26/lib/server.c.warnings cyrus-sasl-2.1.26/lib/server.c
+--- cyrus-sasl-2.1.26/lib/server.c.warnings	2012-10-12 16:05:48.000000000 +0200
++++ cyrus-sasl-2.1.26/lib/server.c	2012-12-20 17:49:39.620254792 +0100
+@@ -650,7 +650,7 @@ static int load_config(const sasl_callba
+             goto done;
+         }
+ 
+-        snprintf(config_filename, len, "%.*s%c%s.conf", path_len, path_to_config, 
++        snprintf(config_filename, len, "%.*s%c%s.conf", (int)path_len, path_to_config, 
+ 	        HIER_DELIMITER, global_callbacks.appname);
+ 
+         /* Ask the application if it's safe to use this file */
+diff -up cyrus-sasl-2.1.26/plugins/gssapi.c.warnings cyrus-sasl-2.1.26/plugins/gssapi.c
+--- cyrus-sasl-2.1.26/plugins/gssapi.c.warnings	2012-01-28 00:31:36.000000000 +0100
++++ cyrus-sasl-2.1.26/plugins/gssapi.c	2012-12-20 17:49:39.620254792 +0100
+@@ -202,7 +202,8 @@ sasl_gss_seterror_(const sasl_utils_t *u
+     OM_uint32 msg_ctx;
+     int ret;
+     char *out = NULL;
+-    size_t len, curlen = 0;
++    size_t len;
++    unsigned curlen = 0;
+     const char prefix[] = "GSSAPI Error: ";
+ 
+     if (!utils) return SASL_OK;
+diff -up cyrus-sasl-2.1.26/plugins/ldapdb.c.warnings cyrus-sasl-2.1.26/plugins/ldapdb.c
+--- cyrus-sasl-2.1.26/plugins/ldapdb.c.warnings	2012-01-28 00:31:36.000000000 +0100
++++ cyrus-sasl-2.1.26/plugins/ldapdb.c	2012-12-20 17:49:39.621254788 +0100
+@@ -22,6 +22,7 @@
+ 
+ #include "plugin_common.h"
+ 
++#define LDAP_DEPRECATED 1
+ #include <ldap.h>
+ 
+ static char ldapdb[] = "ldapdb";
+diff -up cyrus-sasl-2.1.26/plugins/plugin_common.c.warnings cyrus-sasl-2.1.26/plugins/plugin_common.c
+--- cyrus-sasl-2.1.26/plugins/plugin_common.c.warnings	2013-09-03 14:40:35.181455452 +0200
++++ cyrus-sasl-2.1.26/plugins/plugin_common.c	2013-09-03 14:40:38.320441024 +0200
+@@ -94,7 +94,7 @@ static void sockaddr_unmapped(
+     if (!IN6_IS_ADDR_V4MAPPED((&sin6->sin6_addr)))
+ 	return;
+     sin4 = (struct sockaddr_in *)sa;
+-    addr = *(uint32_t *)&sin6->sin6_addr.s6_addr[12];
++    addr = *(uint32_t *)&sin6->sin6_addr.s6_addr32[3];
+     port = sin6->sin6_port;
+     memset(sin4, 0, sizeof(struct sockaddr_in));
+     sin4->sin_addr.s_addr = addr;
+diff -up cyrus-sasl-2.1.26/saslauthd/auth_httpform.c.warnings cyrus-sasl-2.1.26/saslauthd/auth_httpform.c
+--- cyrus-sasl-2.1.26/saslauthd/auth_httpform.c.warnings	2012-10-12 16:05:48.000000000 +0200
++++ cyrus-sasl-2.1.26/saslauthd/auth_httpform.c	2013-09-03 14:39:25.411776109 +0200
+@@ -574,7 +574,7 @@ auth_httpform (
+               "Content-Type: application/x-www-form-urlencoded" CRLF
+               "Content-Length: %d" TWO_CRLF
+               "%s",
+-              r_uri, r_host, r_port, strlen(req), req);
++              r_uri, r_host, r_port, (int)strlen(req), req);
+ 
+     if (flags & VERBOSE) {
+         syslog(LOG_DEBUG, "auth_httpform: sending %s %s %s",
+diff -up cyrus-sasl-2.1.26/saslauthd/auth_shadow.c.warnings cyrus-sasl-2.1.26/saslauthd/auth_shadow.c
+--- cyrus-sasl-2.1.26/saslauthd/auth_shadow.c.warnings	2012-10-12 16:05:48.000000000 +0200
++++ cyrus-sasl-2.1.26/saslauthd/auth_shadow.c	2012-12-20 17:49:39.621254788 +0100
+@@ -70,6 +70,10 @@
+ #  include <shadow.h>
+ # endif /* ! HAVE_GETUSERPW */
+ 
++# ifdef HAVE_CRYPT_H
++#  include <crypt.h>
++# endif
++
+ # include "auth_shadow.h"
+ # include "globals.h"
+ /* END PUBLIC DEPENDENCIES */
diff --git a/SOURCES/make-no-dlcompatorsrp-tarball.sh b/SOURCES/make-no-dlcompatorsrp-tarball.sh
new file mode 100755
index 0000000..a0a3245
--- /dev/null
+++ b/SOURCES/make-no-dlcompatorsrp-tarball.sh
@@ -0,0 +1,41 @@
+#!/bin/bash -e
+#
+#  See ftp://ftp.andrew.cmu.edu/pub/cyrus-mail/ for unmodified sources.
+#
+
+tmppath=`mktemp -d ${TMPDIR:-/tmp}/make-no-dlcompat-tarball-XXXXXX`
+if test -z "$tmppath" ; then
+	echo Error creating temporary directory.
+	exit 1
+fi
+trap "rm -fr $tmppath" EXIT
+
+initialdir=`pwd`
+
+for tarball in ${initialdir}/cyrus-sasl-*.tar.{gz,bz2} ; do
+	if ! test -s "$tarball" ; then
+		continue
+	fi
+	rm -fr $tmppath/*
+	pushd $tmppath > /dev/null
+	case "$tarball" in
+	*nodlcompat*)
+		: Do nothing.
+		;;
+	*.gz)
+		gzip  -dc "$tarball" | tar xf -
+		rm -fr cyrus-sasl-*/dlcompat*
+		rm -fr cyrus-sasl-*/plugins/srp*
+		tar cf - * | gzip  -9c > \
+		$initialdir/`basename $tarball .tar.gz`-nodlcompatorsrp.tar.gz
+		;;
+	*.bz2)
+		bzip2 -dc "$tarball" | tar xf -
+		rm -fr cyrus-sasl-*/dlcompat*
+		rm -fr cyrus-sasl-*/plugins/srp*
+		tar cf - * | bzip2 -9c > \
+		$initialdir/`basename $tarball .tar.bz2`-nodlcompatorsrp.tar.bz2
+		;;
+	esac
+	popd > /dev/null
+done
diff --git a/SOURCES/sasl-checkpass.c b/SOURCES/sasl-checkpass.c
new file mode 100644
index 0000000..27a0b94
--- /dev/null
+++ b/SOURCES/sasl-checkpass.c
@@ -0,0 +1,185 @@
+#include <errno.h>
+#include <getopt.h>
+#include <stdio.h>
+#include <stdlib.h>
+
+#include "sasl.h"
+#ifdef SASL2
+static int main_requested_sasl_version = 2;
+#else
+static int main_requested_sasl_version = 1;
+#endif
+
+static int main_verbose = 0;
+
+static int
+my_getopt(void *context, const char *plugin_name,
+	  const char *option, const char **result, unsigned *len)
+{
+	if (result) {
+		*result = NULL;
+		if (strcmp(option, "pwcheck_method") == 0) {
+			*result = "saslauthd";
+		}
+		if (strcmp(option, "saslauthd_version") == 0) {
+			switch (main_requested_sasl_version) {
+			case 1:
+				*result = "1";
+				break;
+			case 2:
+				*result = "2";
+				break;
+			default:
+#ifdef SASL2
+				*result = "2";
+#else
+				*result = "1";
+#endif
+				break;
+			}
+		}
+		if (main_verbose) {
+			fprintf(stderr, "Getopt plugin=%s%s%s/option=%s%s%s -> ",
+				plugin_name ? "\"" : "",
+				plugin_name ? plugin_name : "(null)",
+				plugin_name ? "\"" : "",
+				option ? "\"" : "",
+				option ? option : "(null)",
+				option ? "\"" : "");
+			fprintf(stderr, "'%s'.\n", *result ? *result : "");
+		}
+	}
+	if (len) {
+		*len = 0;
+	}
+	return 0;
+}
+
+int
+main(int argc, char **argv)
+{
+	const char *user, *realm, *passwd, *service, *mechs, **globals, *err;
+	int c, ret;
+	sasl_callback_t callbacks[] = {
+		{SASL_CB_GETOPT, my_getopt, NULL},
+		{SASL_CB_LIST_END},
+	};
+	sasl_conn_t *connection;
+	char hostname[512];
+	char fulluser[512]; /* XXX: may overflow */
+
+	user = realm = passwd = service = "";
+	strcpy(hostname, "localhost");
+	gethostname(hostname, sizeof(hostname));
+
+	while ((c = getopt(argc, argv, "u:r:p:s:h:12v")) != -1) {
+		switch (c) {
+		case 'u':
+			user = optarg;
+			break;
+		case 'r':
+			realm = optarg;
+			break;
+		case 'p':
+			passwd = optarg;
+			break;
+		case 's':
+			service = optarg;
+			break;
+		case 'h':
+			strncpy(hostname, optarg, sizeof(hostname) - 1);
+			hostname[sizeof(hostname) - 1] = '\0';
+			break;
+		case '1':
+			main_requested_sasl_version = 1;
+			break;
+		case '2':
+			main_requested_sasl_version = 2;
+			break;
+		case 'v':
+			main_verbose++;
+			break;
+		default:
+			printf("Usage: %s [-v] [-1] [-2] "
+			       "[-h hostname] "
+			       "[-u user] "
+			       "[-r realm] "
+			       "[-p password] "
+			       "[-s service] "
+			       "\n", argv[0]);
+			return 2;
+			break;
+		}
+	}
+	if ((strlen(user) == 0) || (strlen(passwd) == 0)) {
+		printf("Usage: %s [-v] [-1] [-2] "
+		       "[-h hostname] "
+		       "[-u user] "
+		       "[-r realm] "
+		       "[-p password] "
+		       "[-s service] "
+		       "\n", argv[0]);
+		return 2;
+	}
+	if (realm && (strlen(realm) > 0)) {
+		sprintf(fulluser, "%s@%s", user, realm);
+	} else {
+		sprintf(fulluser, "%s", user);
+	}
+
+	ret = sasl_server_init(callbacks,
+			       strlen(service) ? service : "sasl-checkpass");
+	if (ret != SASL_OK) {
+		fprintf(stderr, "Error in sasl_server_init(): %s\n",
+			sasl_errstring(ret, NULL, NULL));
+	}
+
+	connection = NULL;
+	ret = sasl_server_new(strlen(service) ? service : "sasl-checkpass",
+			      hostname,
+			      NULL,
+#ifdef SASL2
+			      NULL,
+			      NULL,
+#endif
+			      callbacks,
+			      0,
+			      &connection);
+	if (ret != SASL_OK) {
+		fprintf(stderr, "Error in sasl_server_new(): %s\n",
+			sasl_errstring(ret, NULL, NULL));
+	}
+
+	err = NULL;
+	ret = sasl_checkpass(connection,
+			     fulluser, strlen(fulluser),
+			     passwd, strlen(passwd)
+#ifndef SASL2
+			     , &err
+#endif
+			     );
+	switch (ret) {
+	case SASL_OK:
+		printf("OK\n");
+		break;
+	default:
+		printf("NO: %d", ret);
+		switch (ret) {
+		case SASL_FAIL:
+			err = "generic failure";
+			break;
+		case SASL_BADAUTH:
+			err = "authentication failure";
+			break;
+		default:
+			err = NULL;
+			break;
+		}
+		if (err) {
+			printf(" (%s)", err);
+		}
+		printf("\n");
+		break;
+	}
+	return ret;
+}
diff --git a/SOURCES/sasl-mechlist.c b/SOURCES/sasl-mechlist.c
new file mode 100644
index 0000000..680e983
--- /dev/null
+++ b/SOURCES/sasl-mechlist.c
@@ -0,0 +1,99 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+
+#include "sasl.h"
+
+static int
+my_getopt(void *context, const char *plugin_name,
+	  const char *option, const char **result, unsigned *len)
+{
+	if (result) {
+		*result = NULL;
+#if 0
+		fprintf(stderr, "Getopt plugin=%s%s%s/option=%s%s%s -> ",
+			plugin_name ? "\"" : "",
+			plugin_name ? plugin_name : "(null)",
+			plugin_name ? "\"" : "",
+			option ? "\"" : "",
+			option ? option : "(null)",
+			option ? "\"" : "");
+		fprintf(stderr, "'%s'.\n", *result ? *result : "");
+#endif
+	}
+	if (len) {
+		*len = 0;
+	}
+	return 0;
+}
+
+int
+main(int argc, char **argv)
+{
+	int ret, i;
+	const char *mechs, **globals;
+	sasl_callback_t callbacks[] = {
+		{SASL_CB_GETOPT, my_getopt, NULL},
+		{SASL_CB_LIST_END},
+	};
+	sasl_conn_t *connection;
+	char hostname[512];
+
+	if ((argc > 1) && (argv[1][0] == '-')) {
+		fprintf(stderr, "Usage: %s [appname [hostname] ]\n", argv[0]);
+		return 0;
+	}
+
+	ret = sasl_server_init(callbacks, argc > 1 ? argv[1] : "sasl-mechlist");
+	if (ret != SASL_OK) {
+		fprintf(stderr, "Error in sasl_server_init(): %s\n",
+			sasl_errstring(ret, NULL, NULL));
+	}
+
+	connection = NULL;
+	strcpy(hostname, "localhost");
+	gethostname(hostname, sizeof(hostname));
+	ret = sasl_server_new(argc > 2 ? argv[2] : "host",
+			      hostname,
+			      NULL,
+			      NULL,
+			      NULL,
+			      callbacks,
+			      0,
+			      &connection);
+	if (ret != SASL_OK) {
+		fprintf(stderr, "Error in sasl_server_new(): %s\n",
+			sasl_errstring(ret, NULL, NULL));
+	}
+
+	ret = sasl_listmech(connection,
+			    getenv("USER") ? getenv("USER") : "root",
+			    "Available mechanisms: ",
+			    ",",
+			    "\n",
+			    &mechs,
+			    NULL,
+			    NULL);
+	if (ret != SASL_OK) {
+		fprintf(stderr, "Error in sasl_listmechs(): %s\n",
+			sasl_errstring(ret, NULL, NULL));
+	} else {
+		fprintf(stdout, "%s", mechs);
+	}
+
+	globals = sasl_global_listmech();
+	for (i = 0; (globals != NULL) && (globals[i] != NULL); i++) {
+		if (i == 0) {
+			fprintf(stdout, "Library supports: ");
+		}
+		fprintf(stdout, "%s", globals[i]);
+		if (globals[i + 1] != NULL) {
+			fprintf(stdout, ",");
+		} else {
+			fprintf(stdout, "\n");
+		}
+	}
+
+	return 0;
+}
diff --git a/SOURCES/saslauthd.service b/SOURCES/saslauthd.service
new file mode 100644
index 0000000..f59ab3e
--- /dev/null
+++ b/SOURCES/saslauthd.service
@@ -0,0 +1,13 @@
+[Unit]
+Description=SASL authentication daemon.
+After=syslog.target 
+
+[Service]
+Type=forking
+PIDFile=/run/saslauthd/saslauthd.pid
+EnvironmentFile=/etc/sysconfig/saslauthd
+ExecStart=/usr/sbin/saslauthd -m $SOCKETDIR -a $MECH $FLAGS
+RuntimeDirectory=saslauthd
+
+[Install]
+WantedBy=multi-user.target
diff --git a/SOURCES/saslauthd.sysconfig b/SOURCES/saslauthd.sysconfig
new file mode 100644
index 0000000..5413c36
--- /dev/null
+++ b/SOURCES/saslauthd.sysconfig
@@ -0,0 +1,11 @@
+# Directory in which to place saslauthd's listening socket, pid file, and so
+# on.  This directory must already exist.
+SOCKETDIR=/run/saslauthd
+
+# Mechanism to use when checking passwords.  Run "saslauthd -v" to get a list
+# of which mechanism your installation was compiled with the ablity to use.
+MECH=pam
+
+# Additional flags to pass to saslauthd on the command line.  See saslauthd(8)
+# for the list of accepted flags.
+FLAGS=
diff --git a/SPECS/cyrus-sasl.spec b/SPECS/cyrus-sasl.spec
new file mode 100644
index 0000000..30c6bbf
--- /dev/null
+++ b/SPECS/cyrus-sasl.spec
@@ -0,0 +1,1120 @@
+%define username	saslauth
+%define hint		Saslauthd user
+%define homedir		/run/saslauthd
+
+%define _plugindir2 %{_libdir}/sasl2
+%define bootstrap_cyrus_sasl 0
+
+%global _performance_build 1
+
+Summary: The Cyrus SASL library
+Name: cyrus-sasl
+Version: 2.1.26
+Release: 23%{?dist}
+License: BSD with advertising
+Group: System Environment/Libraries
+# Source0 originally comes from ftp://ftp.andrew.cmu.edu/pub/cyrus-mail/;
+# make-no-dlcompatorsrp-tarball.sh removes the "dlcompat" subdirectory and builds a
+# new tarball.
+Source0: cyrus-sasl-%{version}-nodlcompatorsrp.tar.gz
+Source5: saslauthd.service
+Source7: sasl-mechlist.c
+Source8: sasl-checkpass.c
+Source9: saslauthd.sysconfig
+Source10: make-no-dlcompatorsrp-tarball.sh
+URL: http://asg.web.cmu.edu/sasl/sasl-library.html
+Requires: %{name}-lib%{?_isa} = %{version}-%{release}
+Patch11: cyrus-sasl-2.1.25-no_rpath.patch
+Patch15: cyrus-sasl-2.1.20-saslauthd.conf-path.patch
+Patch23: cyrus-sasl-2.1.23-man.patch
+Patch24: cyrus-sasl-2.1.21-sizes.patch
+Patch31: cyrus-sasl-2.1.22-kerberos4.patch
+Patch32: cyrus-sasl-2.1.26-warnings.patch
+Patch34: cyrus-sasl-2.1.22-ldap-timeout.patch
+# removed due to #759334
+#Patch38: cyrus-sasl-2.1.23-pam_rhosts.patch
+Patch42: cyrus-sasl-2.1.26-relro.patch
+# https://bugzilla.redhat.com/show_bug.cgi?id=816250
+Patch43: cyrus-sasl-2.1.26-null-crypt.patch
+Patch44: cyrus-sasl-2.1.26-release-server_creds.patch
+# AM_CONFIG_HEADER is obsolete, use AC_CONFIG_HEADERS instead
+Patch45: cyrus-sasl-2.1.26-obsolete-macro.patch
+# missing size_t declaration in sasl.h
+Patch46: cyrus-sasl-2.1.26-size_t.patch
+# disable incorrect check for MkLinux
+Patch47: cyrus-sasl-2.1.26-ppc.patch
+# detect gsskrb5_register_acceptor_identity macro (#976538)
+Patch48: cyrus-sasl-2.1.26-keytab.patch
+Patch49: cyrus-sasl-2.1.26-md5global.patch
+# improve sql libraries detection (#1029918)
+Patch50: cyrus-sasl-2.1.26-sql.patch
+# Treat SCRAM-SHA-1/DIGEST-MD5 as more secure than PLAIN (#970718)
+Patch51: cyrus-sasl-2.1.26-prefer-SCRAM-SHA-1-over-PLAIN.patch
+# Revert updated GSSAPI flags as in RFC 4752 to restore backward compatibility (#1154566)
+Patch52: cyrus-sasl-2.1.26-revert-gssapi-flags.patch
+# Document ability to run saslauthd unprivileged (#1188065)
+Patch53: cyrus-sasl-2.1.26-saslauthd-user.patch
+# Support non-confidentiality/non-integrity requests from AIX SASL GSSAPI implementation (#1174322)
+Patch54: cyrus-sasl-2.1.26-gssapi-non-encrypt.patch
+# Update client library to be thread safe (#1147659)
+Patch55: cyrus-sasl-2.1.26-make-client-thread-sage.patch
+# Parsing short prefix matches the whole mechanism name (#1089267)
+Patch56: cyrus-sasl-2.1.26-handle-single-character-mechanisms.patch
+# Fix confusing message when config file has typo (#1022479)
+Patch57: cyrus-sasl-2.1.26-error-message-when-config-has-typo.patch
+# GSSAPI: Use per-connection mutex where possible (#1263017)
+Patch58: cyrus-sasl-2.1.26-gssapi-use-per-connection-mutex.patch
+# GSS-SPNEGO compatible with Windows clients (#1421663)
+Patch59: cyrus-sasl-2.1.26-gss-spnego.patch
+# Allow cyrus sasl to get the ssf from gssapi (#1431586)
+Patch60: cyrus-sasl-2.1.26-gss-ssf.patch
+
+Buildroot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
+BuildRequires: autoconf, automake, libtool, gdbm-devel, groff
+BuildRequires: krb5-devel >= 1.2.2, openssl-devel, pam-devel, pkgconfig
+BuildRequires: mysql-devel, postgresql-devel, zlib-devel
+BuildRequires: libdb-devel
+%if ! %{bootstrap_cyrus_sasl}
+BuildRequires: openldap-devel
+%endif
+Requires(post): chkconfig, /sbin/service systemd-units
+Requires(pre): /usr/sbin/useradd /usr/sbin/groupadd systemd-units
+Requires(postun): /usr/sbin/userdel /usr/sbin/groupdel systemd-units
+Requires: /sbin/nologin
+Requires: systemd >= 219
+Provides: user(%username)
+Provides: group(%username)
+
+
+%description
+The %{name} package contains the Cyrus implementation of SASL.
+SASL is the Simple Authentication and Security Layer, a method for
+adding authentication support to connection-based protocols.
+
+%package lib
+Group: System Environment/Libraries
+Summary: Shared libraries needed by applications which use Cyrus SASL
+
+%description lib
+The %{name}-lib package contains shared libraries which are needed by
+applications which use the Cyrus SASL library.
+
+%package devel
+Requires: %{name}-lib%{?_isa} = %{version}-%{release}
+Requires: %{name}%{?_isa} = %{version}-%{release}
+Requires: pkgconfig
+Group: Development/Libraries
+Summary: Files needed for developing applications with Cyrus SASL
+
+%description devel
+The %{name}-devel package contains files needed for developing and
+compiling applications which use the Cyrus SASL library.
+
+%package gssapi
+Requires: %{name}-lib%{?_isa} = %{version}-%{release}
+Group: System Environment/Libraries
+Summary: GSSAPI authentication support for Cyrus SASL
+
+%description gssapi
+The %{name}-gssapi package contains the Cyrus SASL plugins which
+support GSSAPI authentication. GSSAPI is commonly used for Kerberos
+authentication.
+
+%package plain
+Requires: %{name}-lib%{?_isa} = %{version}-%{release}
+Group: System Environment/Libraries
+Summary: PLAIN and LOGIN authentication support for Cyrus SASL
+
+%description plain
+The %{name}-plain package contains the Cyrus SASL plugins which support
+PLAIN and LOGIN authentication schemes.
+
+%package md5
+Requires: %{name}-lib%{?_isa} = %{version}-%{release}
+Group: System Environment/Libraries
+Summary: CRAM-MD5 and DIGEST-MD5 authentication support for Cyrus SASL
+
+%description md5
+The %{name}-md5 package contains the Cyrus SASL plugins which support
+CRAM-MD5 and DIGEST-MD5 authentication schemes.
+
+%package ntlm
+Requires: %{name}-lib%{?_isa} = %{version}-%{release}
+Group: System Environment/Libraries
+Summary: NTLM authentication support for Cyrus SASL
+
+%description ntlm
+The %{name}-ntlm package contains the Cyrus SASL plugin which supports
+the NTLM authentication scheme.
+
+# This would more appropriately be named cyrus-sasl-auxprop-sql.
+%package sql
+Requires: %{name}-lib%{?_isa} = %{version}-%{release}
+Group: System Environment/Libraries
+Summary: SQL auxprop support for Cyrus SASL
+
+%description sql
+The %{name}-sql package contains the Cyrus SASL plugin which supports
+using a RDBMS for storing shared secrets.
+
+%if ! %{bootstrap_cyrus_sasl}
+# This was *almost* named cyrus-sasl-auxprop-ldapdb, but that's a lot of typing.
+%package ldap
+Requires: %{name}-lib%{?_isa} = %{version}-%{release}
+Group: System Environment/Libraries
+Summary: LDAP auxprop support for Cyrus SASL
+
+%description ldap
+The %{name}-ldap package contains the Cyrus SASL plugin which supports using
+a directory server, accessed using LDAP, for storing shared secrets.
+%endif
+
+%package scram
+Requires: %{name}-lib%{?_isa} = %{version}-%{release}
+Group: System Environment/Libraries
+Summary: SCRAM auxprop support for Cyrus SASL
+
+%description scram
+The %{name}-scram package contains the Cyrus SASL plugin which supports
+the SCRAM authentication scheme.
+
+%package gs2
+Requires: %{name}-lib%{?_isa} = %{version}-%{release}
+Group: System Environment/Libraries
+Summary: GS2 support for Cyrus SASL
+
+%description gs2
+The %{name}-gs2 package contains the Cyrus SASL plugin which supports
+the GS2 authentication scheme.
+
+###
+
+
+%prep
+%setup -q
+chmod -x doc/*.html
+chmod -x include/*.h
+%patch11 -p1 -b .no_rpath
+%patch15 -p1 -b .path
+%patch23 -p1 -b .man
+%patch24 -p1 -b .sizes
+%patch31 -p1 -b .krb4
+%patch32 -p1 -b .warnings
+%patch34 -p1 -b .ldap-timeout
+%patch42 -p1 -b .relro
+%patch43 -p1 -b .null-crypt
+%patch44 -p1 -b .release-server_creds
+%patch45 -p1 -b .obsolete-macro
+%patch46 -p1 -b .size_t
+%patch47 -p1 -b .ppc
+%patch48 -p1 -b .keytab
+%patch49 -p1 -b .md5global.h
+%patch50 -p1 -b .sql
+%patch51 -p1 -b .sha1vsplain
+%patch52 -p1 -b .revert
+%patch53 -p1 -b .man-unprivileged
+%patch54 -p1 -b .gssapi_non_encrypt
+%patch55 -p1 -b .threads
+%patch56 -p1 -b .prefix
+%patch57 -p1 -b .typo
+%patch58 -p1 -b .mutex
+%patch59 -p1 -b .spnego
+%patch60 -p1 -b .ssf
+
+
+%build
+# Find Kerberos.
+krb5_prefix=`krb5-config --prefix`
+if test x$krb5_prefix = x%{_prefix} ; then
+        krb5_prefix=
+else
+        CPPFLAGS="-I${krb5_prefix}/include $CPPFLAGS"; export CPPFLAGS
+        LDFLAGS="-L${krb5_prefix}/%{_lib} $LDFLAGS"; export LDFLAGS
+fi
+
+# Find OpenSSL.
+LIBS="-lcrypt"; export LIBS
+if pkg-config openssl ; then
+        CPPFLAGS="`pkg-config --cflags-only-I openssl` $CPPFLAGS"; export CPPFLAGS
+        LDFLAGS="`pkg-config --libs-only-L openssl` $LDFLAGS"; export LDFLAGS
+fi
+
+# Find the MySQL libraries used needed by the SQL auxprop plugin.
+INC_DIR="`mysql_config --include`"
+if test x"$INC_DIR" != "x-I%{_includedir}"; then
+        CPPFLAGS="$INC_DIR $CPPFLAGS"; export CPPFLAGS
+fi
+LIB_DIR="`mysql_config --libs | sed -e 's,-[^L][^ ]*,,g' -e 's,^ *,,' -e 's, *$,,' -e 's,  *, ,g'`"
+if test x"$LIB_DIR" != "x-L%{_libdir}"; then
+        LDFLAGS="$LIB_DIR $LDFLAGS"; export LDFLAGS
+fi
+
+# Find the PostgreSQL libraries used needed by the SQL auxprop plugin.
+INC_DIR="-I`pg_config --includedir`"
+if test x"$INC_DIR" != "x-I%{_includedir}"; then
+        CPPFLAGS="$INC_DIR $CPPFLAGS"; export CPPFLAGS
+fi
+LIB_DIR="-L`pg_config --libdir`"
+if test x"$LIB_DIR" != "x-L%{_libdir}"; then
+        LDFLAGS="$LIB_DIR $LDFLAGS"; export LDFLAGS
+fi
+
+CFLAGS="$RPM_OPT_FLAGS $CFLAGS $CPPFLAGS -fPIE"; export CFLAGS
+LDFLAGS="$LDFLAGS -pie -Wl,-z,now"; export LDFLAGS
+
+echo "$CFLAGS"
+echo "$CPPFLAGS"
+echo "$LDFLAGS"
+
+%configure \
+        --enable-shared --disable-static \
+        --disable-java \
+        --with-plugindir=%{_plugindir2} \
+        --with-configdir=%{_plugindir2}:%{_sysconfdir}/sasl2 \
+        --disable-krb4 \
+        --enable-gssapi${krb5_prefix:+=${krb5_prefix}} \
+        --with-gss_impl=mit \
+        --with-rc4 \
+        --with-dblib=berkeley \
+        --with-bdb=db \
+        --with-saslauthd=/run/saslauthd --without-pwcheck \
+%if ! %{bootstrap_cyrus_sasl}
+        --with-ldap \
+%endif
+        --with-devrandom=/dev/urandom \
+        --enable-anon \
+        --enable-cram \
+        --enable-digest \
+        --enable-ntlm \
+        --enable-plain \
+        --enable-login \
+        --enable-alwaystrue \
+        --enable-httpform \
+        --disable-otp \
+%if ! %{bootstrap_cyrus_sasl}
+        --enable-ldapdb \
+%endif
+        --enable-sql --with-mysql=yes --with-pgsql=yes \
+        --without-sqlite \
+        "$@"
+        # --enable-auth-sasldb -- EXPERIMENTAL
+make sasldir=%{_plugindir2}
+make -C saslauthd testsaslauthd
+make -C sample
+
+# Build a small program to list the available mechanisms, because I need it.
+pushd lib
+../libtool --mode=link %{__cc} -o sasl2-shared-mechlist -I../include $CFLAGS %{SOURCE7} $LDFLAGS ./libsasl2.la
+
+
+%install
+test "$RPM_BUILD_ROOT" != "/" && rm -rf $RPM_BUILD_ROOT
+
+make install DESTDIR=$RPM_BUILD_ROOT sasldir=%{_plugindir2}
+make install DESTDIR=$RPM_BUILD_ROOT sasldir=%{_plugindir2} -C plugins
+
+install -m755 -d $RPM_BUILD_ROOT%{_bindir}
+./libtool --mode=install \
+install -m755 sample/client $RPM_BUILD_ROOT%{_bindir}/sasl2-sample-client
+./libtool --mode=install \
+install -m755 sample/server $RPM_BUILD_ROOT%{_bindir}/sasl2-sample-server
+./libtool --mode=install \
+install -m755 saslauthd/testsaslauthd $RPM_BUILD_ROOT%{_sbindir}/testsaslauthd
+
+# Install the saslauthd mdoc page in the expected location.  Sure, it's not
+# really a man page, but groff seems to be able to cope with it.
+install -m755 -d $RPM_BUILD_ROOT%{_mandir}/man8/
+install -m644 -p saslauthd/saslauthd.mdoc $RPM_BUILD_ROOT%{_mandir}/man8/saslauthd.8
+install -m644 -p saslauthd/testsaslauthd.8 $RPM_BUILD_ROOT%{_mandir}/man8/testsaslauthd.8
+
+# Install the init script for saslauthd and the init script's config file.
+install -m755 -d $RPM_BUILD_ROOT/etc/rc.d/init.d $RPM_BUILD_ROOT/etc/sysconfig
+install -d -m755 $RPM_BUILD_ROOT/%{_unitdir}
+install -m644 -p %{SOURCE5} $RPM_BUILD_ROOT/%{_unitdir}/saslauthd.service
+install -m644 -p %{SOURCE9} $RPM_BUILD_ROOT/etc/sysconfig/saslauthd
+
+# Install the config dirs if they're not already there.
+install -m755 -d $RPM_BUILD_ROOT/%{_sysconfdir}/sasl2
+install -m755 -d $RPM_BUILD_ROOT/%{_plugindir2}
+
+# Provide an easy way to query the list of available mechanisms.
+./libtool --mode=install \
+install -m755 lib/sasl2-shared-mechlist $RPM_BUILD_ROOT/%{_sbindir}/
+
+# Remove unpackaged files from the buildroot.
+rm -f $RPM_BUILD_ROOT%{_libdir}/sasl2/libotp.*
+rm -f $RPM_BUILD_ROOT%{_libdir}/sasl2/*.a
+rm -f $RPM_BUILD_ROOT%{_libdir}/sasl2/*.la
+rm -f $RPM_BUILD_ROOT%{_libdir}/*.la
+rm -f $RPM_BUILD_ROOT%{_mandir}/cat8/saslauthd.8
+
+
+%clean
+test "$RPM_BUILD_ROOT" != "/" && rm -rf $RPM_BUILD_ROOT
+
+%pre
+getent group %{username} >/dev/null || groupadd -g 76 -r %{username}
+getent passwd %{username} >/dev/null || useradd -r -g %{username} -d %{homedir} -s /sbin/nologin -c "%{hint}" %{username}
+
+%post
+%systemd_post saslauthd.service
+
+%preun
+%systemd_preun saslauthd.service
+
+%postun
+%systemd_postun_with_restart saslauthd.service
+
+%triggerun -n cyrus-sasl -- cyrus-sasl < 2.1.23-32
+/usr/bin/systemd-sysv-convert --save saslauthd >/dev/null 2>&1 || :
+/sbin/chkconfig --del saslauthd >/dev/null 2>&1 || :
+/bin/systemctl try-restart saslauthd.service >/dev/null 2>&1 || :
+
+%post lib -p /sbin/ldconfig
+%postun lib -p /sbin/ldconfig
+
+%files
+%defattr(-,root,root)
+%doc saslauthd/LDAP_SASLAUTHD
+%{_mandir}/man8/*
+%{_sbindir}/pluginviewer
+%{_sbindir}/saslauthd
+%{_sbindir}/testsaslauthd
+%config(noreplace) /etc/sysconfig/saslauthd
+%{_unitdir}/saslauthd.service
+%ghost /run/saslauthd
+
+%files lib
+%defattr(-,root,root)
+%doc AUTHORS COPYING NEWS README doc/*.html
+%{_libdir}/libsasl*.so.*
+%dir %{_sysconfdir}/sasl2
+%dir %{_plugindir2}/
+%{_plugindir2}/*anonymous*.so*
+%{_plugindir2}/*sasldb*.so*
+%{_sbindir}/saslpasswd2
+%{_sbindir}/sasldblistusers2
+
+%files plain
+%defattr(-,root,root)
+%{_plugindir2}/*plain*.so*
+%{_plugindir2}/*login*.so*
+
+%if ! %{bootstrap_cyrus_sasl}
+%files ldap
+%defattr(-,root,root)
+%{_plugindir2}/*ldapdb*.so*
+%endif
+
+%files md5
+%defattr(-,root,root)
+%{_plugindir2}/*crammd5*.so*
+%{_plugindir2}/*digestmd5*.so*
+
+%files ntlm
+%defattr(-,root,root)
+%{_plugindir2}/*ntlm*.so*
+
+%files sql
+%defattr(-,root,root)
+%{_plugindir2}/*sql*.so*
+
+%files gssapi
+%defattr(-,root,root)
+%{_plugindir2}/*gssapi*.so*
+
+%files scram
+%defattr(-,root,root)
+%{_plugindir2}/libscram.so*
+
+%files gs2
+%defattr(-,root,root)
+%{_plugindir2}/libgs2.so*
+
+%files devel
+%defattr(-,root,root)
+%doc doc/*.txt
+%{_bindir}/sasl2-sample-client
+%{_bindir}/sasl2-sample-server
+%{_includedir}/*
+%{_libdir}/libsasl*.*so
+%{_libdir}/pkgconfig/*.pc
+%{_mandir}/man3/*
+%{_sbindir}/sasl2-shared-mechlist
+
+%changelog
+* Wed Nov 22 2017 Jakub Jelen <jjelen@redhat.com> - 2.1.26-23
+- Avoid undefined symbols on s390x (#1516193)
+
+* Thu Sep 21 2017 Jakub Jelen <jjelen@redhat.com> - 2.1.26-22
+- Allow cyrus sasl to get the ssf from gssapi (#1431586)
+
+* Mon Mar 06 2017 Jakub Jelen <jjelen@redhat.com> - 2.1.26-21
+- support proper SASL GSS-SPNEGO (#1421663)
+
+* Fri Dec 04 2015 Jakub Jelen <jjelen@redhat.com> 2.1.26-20
+- GSSAPI: Use per-connection mutex where possible (#1263017)
+
+* Thu Jul 16 2015 Jakub Jelen <jjelen@redhat.com> 2.1.26-19.2
+- Revert tmpfiles.d and use new systemd feature RuntimeDirectory (#1188065)
+
+* Wed May 20 2015 Jakub Jelen <jjelen@redhat.com> 2.1.26-18
+- Revert updated GSSAPI flags as in RFC 4752 to restore backward compatibility (#1154566)
+- Add and document ability to run saslauth as non-root user (#1188065)
+- Support AIX SASL GSSAPI (#1174322)
+- Update client library to be thread safe (#1147659)
+- Fix problem, that parsing short prefix matches the whole mechanism name (#1089267)
+- Don't use unnecessary quotes around user description (#1082564)
+- Fix confusing message when config file has typo (#1022479)
+
+* Fri Jan 24 2014 Daniel Mach <dmach@redhat.com> - 2.1.26-17
+- Mass rebuild 2014-01-24
+
+* Wed Jan 15 2014 Honza Horak <hhorak@redhat.com> - 2.1.26-16
+- Rebuild for mariadb-libs
+  Related: #1045013
+
+* Tue Jan 14 2014 Petr Lautrbach <plautrba@redhat.com> 2.1.26-15
+- compile cyrus-sasl with -O3 on ppc64 (#1051063)
+
+* Fri Dec 27 2013 Daniel Mach <dmach@redhat.com> - 2.1.26-14
+- Mass rebuild 2013-12-27
+
+* Tue Nov 19 2013 Petr Lautrbach <plautrba@redhat.com> 2.1.26-13
+- Treat SCRAM-SHA-1/DIGEST-MD5 as more secure than PLAIN (#970718)
+
+* Tue Oct 01 2013 Petr Lautrbach <plautrba@redhat.com> 2.1.26-12.1
+- rebuild for https://bugzilla.redhat.com/show_bug.cgi?id=1002625
+
+* Mon Sep 09 2013 Petr Lautrbach <plautrba@redhat.com> 2.1.26-11
+- build with RPM_OPT_FLAGS <ville.skytta@iki.fi> (#1005535)
+
+* Tue Sep 03 2013 Petr Lautrbach <plautrba@redhat.com> 2.1.26-10
+- fix hardening for /usr/sbin/saslauthd
+- add testsaslauthd.8 man page to the package
+- use static md5global.h file
+
+* Mon Jun 24 2013 Petr Lautrbach <plautrba@redhat.com> 2.1.26-9
+- detect gsskrb5_register_acceptor_identity macro <nalin@redhat.com> (#976538)
+
+* Tue Jun 04 2013 Karsten Hopp <karsten@redhat.com> 2.1.26-8
+- disable incorrect check for MkLinux to allow building with shared libraries on PPC
+
+* Tue May 21 2013 Petr Lautrbach <plautrba@redhat.com> 2.1.26-7
+- fix the spec file in order to build the cyrus-sasl-sql plugin
+  with support for PostgreSQL and MySQL
+
+* Thu Feb 21 2013 Petr Lautrbach <plautrba@redhat.com> 2.1.26-6
+- don't include system sasl2 library needed for rebuilds after rebase
+
+* Mon Feb 11 2013 Petr Lautrbach <plautrba@redhat.com> 2.1.26-5
+- enable full relro and PIE compiler flags for saslauthd
+
+* Fri Feb 01 2013 Petr Lautrbach <plautrba@redhat.com> 2.1.26-4
+- fix library symlinks
+
+* Thu Jan 31 2013 Rex Dieter <rdieter@fedoraproject.org> 2.1.26-3
+- actually apply size_t patch (#906519)
+
+* Thu Jan 31 2013 Rex Dieter <rdieter@fedoraproject.org> 2.1.26-2
+- sasl.h: +#include<sys/types.h> for missing size_t type (#906519)
+- tighten subpkg deps via %%?_isa
+
+* Thu Dec 20 2012 Petr Lautrbach <plautrba@redhat.com> 2.1.26-1
+- update to 2.1.26
+- fix segfaults in sasl_gss_encode (#886140)
+
+* Mon Dec 10 2012 Petr Lautrbach <plautrba@redhat.com> 2.1.25-2
+- always use the current external Berkeley DB when linking
+
+* Fri Dec 07 2012 Petr Lautrbach <plautrba@redhat.com> 2.1.25-1
+- update to 2.1.25
+- add cyrus-sasl-scram and cyrus-sasl-gs2 packages
+
+* Fri Sep 14 2012 Petr Lautrbach <plautrba@redhat.com> 2.1.23-36
+- replace scriptlets with systemd macros (#856666)
+
+* Wed Jul 18 2012 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.1.23-35
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild
+
+* Tue Jul 17 2012 Petr Lautrbach <plautrba@redhat.com> 2.1.23-34
+- move /etc/tmpfiles.d/saslauthd.conf to /usr/lib/tmpfiles.d/saslauthd.conf (#840193)
+
+* Wed Jun 20 2012 Petr Lautrbach <plautrba@redhat.com> 2.1.23-33
+- properly deal with crypt() returning NULL (#816250)
+- use fixed gid 76 for saslauth
+
+* Mon Apr 16 2012 Jindrich Novy <jnovy@redhat.com> 2.1.23-32
+- re-enable libdb support and utilities
+
+* Wed Apr 04 2012 Jindrich Novy <jnovy@redhat.com> 2.1.23-31
+- temporarily disable libdb support to resolve cyrus-sasl
+  chicken and egg build problem against libdb
+
+* Tue Apr 03 2012 Jindrich Novy <jnovy@redhat.com> 2.1.23-30
+- rebuild against new libdb
+
+* Wed Feb 08 2012 Petr Lautrbach <plautrba@redhat.com> 2.1.23-29
+- Change saslauth user homedir to /run/saslauthd (#752889)
+- Change all /var/run/ to /run/
+- DAEMONOPTS are not supported any more in systemd units
+
+* Mon Jan 09 2012 Jeroen van Meeuwen <vanmeeuwen@kolabsys.com> - 2.1.23-28
+- Ship with sasl_pwcheck_method: alwaystrue
+
+* Mon Dec 12 2011 Petr Lautrbach <plautrba@redhat.com> 2.1.23-27
+- remove support for logging of the remote host via PAM (#759334)
+- fix systemd files (#750436)
+
+* Wed Aug 10 2011 Jan F. Chadima <jchadima@redhat.com> - 2.1.23-26
+- Add partial relro support for libraries
+
+* Mon Jul 25 2011 Jan F. Chadima <jchadima@redhat.com> - 2.1.23-25
+- Add support for berkeley db 5
+
+* Wed Jun 29 2011 Jan F. Chadima <jchadima@redhat.com> - 2.1.23-23
+- Migrate the package to full native systemd unit files, according to the Fedora
+  packaging guidelines.
+
+* Wed Jun  1 2011 Jan F. Chadima <jchadima@redhat.com> - 2.1.23-22
+- repair rimap support (more packets in response)
+
+* Wed May 25 2011 Jan F. Chadima <jchadima@redhat.com> - 2.1.23-21
+- repair ntlm support
+
+* Mon May 23 2011 Jan F. Chadima <jchadima@redhat.com> - 2.1.23-20
+- add logging of the remote host via PAM
+
+* Thu Apr 28 2011 Jan F. Chadima <jchadima@redhat.com> - 2.1.23-19
+- temporarilly revert systemd units
+
+* Tue Apr 26 2011 Jan F. Chadima <jchadima@redhat.com> - 2.1.23-18
+- update scriptlets
+
+* Fri Apr 22 2011 Jan F. Chadima <jchadima@redhat.com> - 2.1.23-17
+- Add systemd units
+
+* Wed Mar 23 2011 Tomas Mraz <tmraz@redhat.com> - 2.1.23-16
+- Rebuilt with new mysqlclient
+
+* Fri Feb 25 2011 Jan F. Chadima <jchadima@redhat.com> - 2.1.23-15
+- set correct license tag
+- add ghost to /var/run/saslauthd
+
+* Tue Feb 08 2011 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.1.23-14
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild
+
+* Fri Apr  9 2010 Jan F. Chadima <jchadima@redhat.com> - 2.1.23-13
+- Add /etc/tmpfiles.d element (#662734)
+
+* Fri Apr  9 2010 Jan F. Chadima <jchadima@redhat.com> - 2.1.23-12
+- Update init script to impeach pid file
+
+* Thu Mar 11 2010 Jan F. Chadima <jchadima@redhat.com> - 2.1.23-11
+- Update pre post preun and postun scripts (#572399)
+
+* Wed Mar 10 2010 Jan F. Chadima <jchadima@redhat.com> - 2.1.23-10
+- Rewrite spec file, make corect CFLAGS, CPPFLAGS and LDFLAGS
+
+* Mon Feb 22 2010 Jan F. Chadima <jchadima@redhat.com> - 2.1.23-9
+- solve race condition (#566875)
+
+* Wed Feb 17 2010 Stepan Kasal <skasal@redhat.com> - 2.1.23-8
+- improve m4 quoting to fix saslauthd/configure (#566088)
+- call autotools in build, not in prep
+
+* Fri Feb  5 2010 Jan F. Chadima <jchadima@redhat.com> - 2.1.23-7
+- Add man page to testtcpauthd (#526189)
+
+* Fri Oct 16 2009 Jan F. Chadima <jchadima@redhat.com> - 2.1.23-6
+- Create the saslauth user according to fedora packaging guide
+
+* Thu Sep 24 2009 Jan F. Chadima <jchadima@redhat.com> - 2.1.23-5
+- Repair initscript to make condrestart working properly (#522103)
+
+* Wed Sep 23 2009 Jan F. Chadima <jchadima@redhat.com> - 2.1.23-3
+- Add possibility to run the saslauth without root privilegies (#185614)
+
+* Fri Aug 21 2009 Tomas Mraz <tmraz@redhat.com> - 2.1.23-2
+- rebuilt with new openssl
+
+* Fri Aug  7 2009 Jan F. Chadima <jchadima@redhat.com> - 2.1.23-1
+- update to 2.1.23
+
+* Fri Jul 24 2009 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.1.22-25
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild
+
+* Mon May 11 2009 Jan F. Chadima <jchadima@redhat.com> - 2.1.22-24
+- repair sasl_encode64 nul termination (#487251)
+
+* Thu Apr 16 2009 Robert Scheck <robert@fedoraproject.org> - 2.1.22-23
+- Don't build the krb4 plugin as krb5 1.7 will drop it (#225974 #c6)
+
+* Tue Feb 24 2009 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.1.22-22
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild
+
+* Fri Feb  6 2009 Tomas Mraz <tmraz@redhat.com> - 2.1.22-21
+- fix build with gcc-4.4
+
+* Fri Jan 23 2009 Tomas Mraz <tmraz@redhat.com> - 2.1.22-20
+- set LDAP_OPT_TIMEOUT (#326452)
+- provide LSB compatible init script (#246900)
+
+* Fri Sep 26 2008 Tomas Mraz <tmraz@redhat.com> - 2.1.22-19
+- always use the current external db4 when linking,
+  thanks to Dan Horak for the original patch (#464098)
+
+* Wed Sep 10 2008 Tomas Mraz <tmraz@redhat.com> - 2.1.22-18
+- fix most critical build warnings (#433583)
+- use external db4
+
+* Fri Aug 29 2008 Tomas Mraz <tmraz@redhat.com> - 2.1.22-17
+- always link against the internal db4 (#459163)
+- rediff patches for no fuzz
+
+* Wed Jul  9 2008 Tomas Mraz <tmraz@redhat.com> - 2.1.22-16
+- update internal db4 (#449737)
+
+* Tue Jul  1 2008 Tomas Mraz <tmraz@redhat.com> - 2.1.22-15
+- drop reload from initscript help (#448154)
+- fix hang in rimap auth method (#438533)
+- build the krb4 plugin (#154675)
+
+* Fri May 23 2008 Dennis Gilmore <dennis@ausil.us> - 2.1.22-14
+- make it so that bootstrap actually works
+
+* Thu May 22 2008 Tom "spot" Callaway <tcallawa@redhat.com> - 2.1.22-13.1
+- minor release bump for sparc rebuild
+
+* Tue Feb 19 2008 Fedora Release Engineering <rel-eng@fedoraproject.org> - 2.1.22-13
+- Autorebuild for GCC 4.3
+
+* Thu Feb 14 2008 Steve Conklin <sconklin@redhat.com> - 2.1.22-12
+- rebuild for gcc4.3
+
+* Fri Jan 25 2008 Steve Conklin <sconklin@redhat.com> - 2.1.22-11
+- Cleanup after merge review bz #225673
+- no longer mark /etc/rc.d/init.d/saslauthd as config file
+- removed -x permissions on include files
+- added devel package dependency on cyrus-sasl
+- removed some remaining .la files that were being delivered
+
+* Wed Dec 05 2007 Release Engineering <rel-eng at fedoraproject dot org> - 2.1.22-10
+ - Rebuild for deps
+
+* Wed Nov  7 2007 Steve Conklin <sconklin@redhat.com> - 2.1.22-9
+- Fixed a typo in the spec file
+
+* Wed Nov  7 2007 Steve Conklin <sconklin@redhat.com> - 2.1.22-8
+- Removed srp plugin source and added dist to NVR
+
+* Tue Sep 18 2007 Steve Conklin <sconklin@redhat.com> 2.1.22-7
+- use db4 version 4.6.19 bz#249737
+
+* Mon Feb 26 2007 Nalin Dahyabhai <nalin@redhat.com> 2.1.22-6
+- install config files and init scripts using -p
+- pull in patch to build with current automake (#229010, Jacek Konieczny
+  and Robert Scheck)
+- remove prereq on ldconfig, RPM should pick it up based on the -libs
+  scriptlets
+- pull in patch to correctly detect gsskrb5_register_acceptor_identity
+  (#200892, Mirko Streckenbach)
+- move sasldb auxprop modules into the -lib subpackage, so that we'll pick
+  it up for multilib systems
+
+* Thu Feb 22 2007 Nalin Dahyabhai <nalin@redhat.com>
+- pull CVS fix for not tripping over extra commas in digest-md5
+  challenges (#229640)
+
+* Fri Feb 16 2007 Nalin Dahyabhai <nalin@redhat.com>
+- remove static build, which is no longer a useful option because not all of
+  our dependencies are available as static libraries
+- drop patches which were needed to keep static builds going
+- drop gssapi-generic patch due to lack of interest
+- update the bundled copy of db to 4.5.20 (#229012)
+- drop dbconverter-2, as we haven't bundled v1 libraries since FC4
+
+* Tue Dec  5 2006 Nalin Dahyabhai <nalin@redhat.com> 2.1.22-5
+- rebuild
+- add 'authentication' or 'auxprop' to summaries for plugin packages to
+  better indicate what the plugin provides
+- switch from automake 1.9 to automake 1.7
+
+* Fri Sep 29 2006 Nalin Dahyabhai <nalin@redhat.com> 2.1.22-4
+- rebuild without 'dlcompat' bits (#206119)
+
+* Mon Jul 17 2006 Nalin Dahyabhai <nalin@redhat.com> 2.1.22-3
+- rebuild
+
+* Tue Jun 20 2006 Nalin Dahyabhai <nalin@redhat.com> 2.1.22-2
+- fix a typo in sasl_client_start(3) (#196066)
+
+* Mon May 22 2006 Nalin Dahyabhai <nalin@redhat.com> 2.1.22-1
+- update to 2.1.22, adding pluginviewer to %%{_sbindir}
+
+* Tue May 16 2006 Nalin Dahyabhai <nalin@redhat.com> 2.1.21-12
+- add conditionalized build dependency on openldap-devel (#191855)
+- patch md5global.h to be the same on all architectures
+
+* Thu Apr 27 2006 Nalin Dahyabhai <nalin@redhat.com> 2.1.21-11
+- add unapplied patch which makes the DIGEST-MD5 plugin omit the realm
+  argument when the environment has $CYRUS_SASL_DIGEST_MD5_OMIT_REALM set to a
+  non-zero value, for testing purposes
+- add missing buildrequires on zlib-devel (#190113)
+
+* Mon Feb 20 2006 Nalin Dahyabhai <nalin@redhat.com> 2.1.21-10
+- add missing buildrequires on gdbm-devel (Karsten Hopp)
+
+* Fri Feb 10 2006 Jesse Keating <jkeating@redhat.com> - 2.1.21-9.2
+- bump again for double-long bug on ppc(64)
+
+* Tue Feb 07 2006 Jesse Keating <jkeating@redhat.com> - 2.1.21-9.1
+- rebuilt for new gcc4.1 snapshot and glibc changes
+
+* Mon Dec 19 2005 Nalin Dahyabhai <nalin@redhat.com> 2.1.21-9
+- use --as-needed to avoid linking dbconverter-2 with SQL libraries, which
+  it doesn't use because it manipulates files directly (#173321)
+
+* Fri Dec 09 2005 Jesse Keating <jkeating@redhat.com>
+- rebuilt
+
+* Mon Nov 14 2005 Nalin Dahyabhai <nalin@redhat.com> 2.1.21-8
+- rebuild with new OpenLDAP, overriding the version checks to assume that
+  2.3.11 is acceptable
+- remove a lingering patch for 1.x which we no longer use
+
+* Sat Nov 12 2005 Tom Lane <tgl@redhat.com> 2.1.21-7
+- Rebuild due to mysql update.
+
+* Tue Nov  8 2005 Tomas Mraz <tmraz@redhat.com> 2.1.21-6
+- rebuilt with new openssl
+
+* Fri Sep  9 2005 Nalin Dahyabhai <nalin@redhat.com> 2.1.21-5
+- add missing buildrequires: on groff (#163032)
+
+* Thu Sep  1 2005 Nalin Dahyabhai <nalin@redhat.com> 2.1.21-4
+- move the ldapdb auxprop support into a subpackage (#167300)
+  (note: the ldap password check support in saslauthd doesn't use auxprop)
+
+* Tue Aug 30 2005 Nalin Dahyabhai <nalin@redhat.com> 2.1.21-3
+- correct a use of uninitialized memory in the bundled libdb (Arjan van de Ven)
+
+* Mon Aug 29 2005 Nalin Dahyabhai <nalin@redhat.com> 2.1.21-2
+- move the ANONYMOUS mech plugin to the -lib subpackage so that multilib
+  systems can use it without installing the main package
+- build the static libraries without sql auxprop support
+
+* Mon Aug 29 2005 Nalin Dahyabhai <nalin@redhat.com> 2.1.21-1
+- update to 2.1.21
+- turn off compilation of libsasl v1 (finally)
+- explicitly disable sqlite to avoid the build warning
+- change the default mechanism which is set for saslauthd from "shadow" to
+  "pam" (#159194)
+- split the shared library up from saslauthd so that multilib systems don't
+  have to pull in every dependency of saslauthd for the compat arch (#166749)
+
+* Wed Apr 13 2005 Nalin Dahyabhai <nalin@redhat.com> 2.1.20-5
+- rebuild with new deps
+
+* Tue Mar  1 2005 Nalin Dahyabhai <nalin@redhat.com> 2.1.20-4
+- rebuild with new deps
+
+* Thu Nov 11 2004 Jeff Johnson <jbj@jbj.org> 2.1.20-3
+- rebuild against db-4.3.21.
+
+* Thu Nov 11 2004 Nalin Dahyabhai <nalin@redhat.com> 2.1.20-2
+- build with mysql-devel instead of mysqlclient10
+
+* Mon Nov  1 2004 Nalin Dahyabhai <nalin@redhat.com> 2.1.20-1
+- build with mysqlclient10 instead of mysql-devel
+
+* Wed Oct 27 2004 Nalin Dahyabhai <nalin@redhat.com> 2.1.20-0
+- update to 2.1.20, including the fix for CAN-2004-0884
+
+* Tue Oct  5 2004 Nalin Dahyabhai <nalin@redhat.com> 2.1.19-3
+- use notting's fix for incorrect patch for CAN-2004-0884 for 1.5.28
+
+* Tue Oct  5 2004 Nalin Dahyabhai <nalin@redhat.com> 2.1.19-2
+- don't trust the environment in setuid/setgid contexts (CAN-2004-0884, #134660)
+
+* Thu Aug 19 2004 Nalin Dahyabhai <nalin@redhat.com> 2.1.19-1
+- rebuild (the 2.1.19 changelog for fixing a buffer overflow referred to a CVS
+  revision between 2.1.18 and 2.1.19)
+
+* Mon Jul 19 2004 Nalin Dahyabhai <nalin@redhat.com> 2.1.19-0
+- update to 2.1.19, maybe for update
+
+* Tue Jun 15 2004 Elliot Lee <sopwith@redhat.com>
+- rebuilt
+
+* Mon Jun  7 2004 Nalin Dahyabhai <nalin@redhat.com> 2.1.18-4
+- enable sql auxprop support in a subpackage
+- include LDAP_SASLAUTHD documentation file (#124830)
+
+* Fri Jun  4 2004 Nalin Dahyabhai <nalin@redhat.com>
+- turn on ntlm in a subpackage
+
+* Thu May 13 2004 Thomas Woerner <twoerner@redhat.com> 2.1.18-3
+- removed rpath
+
+* Tue Mar 16 2004 Nalin Dahyabhai <nalin@redhat.com> 2.1.18-2
+- turn on building of libsasl v1 again
+
+* Fri Mar 12 2004 Nalin Dahyabhai <nalin@redhat.com> 2.1.18-1
+- update to 2.1.18
+- saslauthd's ldap code is no longer marked experimental, so we build it
+
+* Mon Mar  8 2004 Nalin Dahyabhai <nalin@redhat.com> 2.1.17-4
+- rebuild
+
+* Tue Mar 02 2004 Elliot Lee <sopwith@redhat.com>
+- rebuilt
+
+* Fri Feb 13 2004 Elliot Lee <sopwith@redhat.com>
+- rebuilt
+
+* Tue Feb  3 2004 Nalin Dahyabhai <nalin@redhat.com> 2.1.17-2
+- include default /etc/sysconfig/saslauthd configuration file for the init
+  script (#114868)
+
+* Thu Jan 29 2004 Nalin Dahyabhai <nalin@redhat.com>
+- drop saslauthd_version patch for libsasl2
+
+* Thu Jan 29 2004 Nalin Dahyabhai <nalin@redhat.com>
+- add a saslauthd_version option to libsasl's saslauthd client and teach it to
+  do the right thing
+- enable the saslauthd client code in libsasl version 1 (it's still going away!)
+- add saslauthd1-checkpass/saslauthd2-checkpass for testing the above change
+
+* Wed Jan  7 2004 Nalin Dahyabhai <nalin@redhat.com> 2.1.17-1
+- forcibly disable otp and sql plugins at compile-time
+
+* Fri Dec 19 2003 Nalin Dahyabhai <nalin@redhat.com>
+- update to 2.1.17, forcing the gssapi plugin to be shared now, as before
+- use a bundled libdb (#112215)
+- build static-with-all-plugins and normal-shared libsasl versions
+- add sasl2-{shared,static}-mechlist for very basic sanity checking
+- make inclusion of sasl1 stuffs conditional, because it's so going away
+
+* Sat Dec 13 2003 Jeff Johnson <jbj@jbj.org> 2.1.15-7
+- rebuild against db-4.2.52.
+
+* Thu Oct 23 2003 Nalin Dahyabhai <nalin@redhat.com> 2.1.15-6
+- use /dev/urandom instead of /dev/random for SASL2 (docs indicate that this is
+  safe if you aren't using OTP or SRP, and we build neither); SASL1 appears to
+  use it to seed the libc RNG only (#103378)
+
+* Mon Oct 20 2003 Nalin Dahyabhai <nalin@redhat.com>
+- obey RPM_OPT_FLAGS again when krb5_prefix != %%{_prefix}
+
+* Fri Oct 17 2003 Nalin Dahyabhai <nalin@redhat.com> 2.1.15-5
+- install saslauthd's mdoc page instead of the pre-formatted man page, which
+  would get formatted again
+
+* Thu Sep 25 2003 Jeff Johnson <jbj@jbj.org> 2.1.15-5
+- rebuild against db-4.2.42.
+
+* Mon Sep 15 2003 Nalin Dahyabhai <nalin@redhat.com>
+- include testsaslauthd
+- note in the README that the saslauthd protocol is different for v1 and v2,
+  so v1's clients can't talk to the v2 server
+
+* Thu Aug 21 2003 Nalin Dahyabhai <nalin@redhat.com> 2.1.15-4
+- rebuild
+
+* Thu Aug 21 2003 Nalin Dahyabhai <nalin@redhat.com> 2.1.15-3
+- add logic to build with gssapi libs in either /usr or /usr/kerberos
+
+* Mon Jul 21 2003 Nalin Dahyabhai <nalin@redhat.com> 2.1.15-2
+- rebuild
+
+* Tue Jul 15 2003 Nalin Dahyabhai <nalin@redhat.com> 2.1.15-1
+- update to 2.1.15
+
+* Mon Jul 14 2003 Nalin Dahyabhai <nalin@redhat.com> 2.1.14-1
+- update to 2.1.14
+
+* Wed Jun 04 2003 Elliot Lee <sopwith@redhat.com>
+- rebuilt
+
+* Fri May  9 2003 Nalin Dahyabhai <nalin@redhat.com> 2.1.13-3
+- change -m argument to saslauthd to be a directory instead of a path
+
+* Thu May  8 2003 Nalin Dahyabhai <nalin@redhat.com> 2.1.13-2
+- link libsasl2 with -lpthread to ensure that the sasldb plug-in can always
+  be loaded
+
+* Tue Apr 29 2003 Nalin Dahyabhai <nalin@redhat.com> 2.1.13-1
+- update to 2.1.13
+
+* Wed Jan 22 2003 Tim Powers <timp@redhat.com>
+- rebuilt
+
+* Tue Jan  7 2003 Nalin Dahyabhai <nalin@redhat.com> 2.1.10-3
+- rebuild
+
+* Thu Dec 12 2002 Nalin Dahyabhai <nalin@redhat.com>
+- consider either des_cbc_encrypt or DES_cbc_encrypt to be sufficient when
+  searching for a DES implementation in libcrypto
+- pull in CPPFLAGS and LDFLAGS from openssl's pkg-config data, if it exists
+
+* Mon Dec  9 2002 Nalin Dahyabhai <nalin@redhat.com> 2.1.10-2
+- rebuild
+
+* Mon Dec  9 2002 Nalin Dahyabhai <nalin@redhat.com> 2.1.10-1
+- update to 2.1.10, fixing buffer overflows in libsasl2 noted by Timo Sirainen
+
+* Tue Nov 12 2002 Tim Powers <timp@redhat.com> 2.1.7-5
+- remove files from $RPM_BUILD_ROOT that we don't intend to include
+
+* Wed Oct  9 2002 Nalin Dahyabhai <nalin@redhat.com> 2.1.7-4
+- update to SASLv1 to final 1.5.28
+
+* Fri Sep 13 2002 Nalin Dahyabhai <nalin@redhat.com> 2.1.7-3
+- rebuild, overriding sasldir when running make so that on multilib systems
+  applications will be able to load modules for the right arch
+
+* Mon Sep  2 2002 Nalin Dahyabhai <nalin@redhat.com> 2.1.7-2
+- include dbconverter-2 (#68741)
+
+* Fri Aug  9 2002 Nalin Dahyabhai <nalin@redhat.com> 2.1.7-1
+- update to 2.1.7, fixing a race condition in digest-md5
+
+* Wed Jul 17 2002 Nalin Dahyabhai <nalin@redhat.com> 2.1.6-1
+- update to 2.1.6 and 1.5.28
+
+* Fri Jun 21 2002 Tim Powers <timp@redhat.com>
+- automated rebuild
+
+* Thu Jun 13 2002 Nalin Dahyabhai <nalin@redhat.com> 2.1.5-1
+- update to 2.1.5
+
+* Mon Jun 10 2002 Nalin Dahyabhai <nalin@redhat.com> 2.1.4-1
+- update to 2.1.4
+
+* Sun May 26 2002 Tim Powers <timp@redhat.com>
+- automated rebuild
+
+* Thu May 16 2002 Nalin Dahyabhai <nalin@redhat.com> 2.1.2-1
+- modify to build with db 4.x
+
+* Thu Apr 18 2002 Nalin Dahyabhai <nalin@redhat.com>
+- update cyrus-sasl 2 to 2.1.2
+- change buildreq to db3-devel
+
+* Tue Feb 12 2002 Nalin Dahyabhai <nalin@redhat.com> 2.1.1-3
+- suppress output to stdout/stderr in %%postun
+
+* Sun Feb 10 2002 Nalin Dahyabhai <nalin@redhat.com> 2.1.1-2
+- configure sasldb2 to use berkeley DB instead of gdbm
+
+* Wed Feb  6 2002 Nalin Dahyabhai <nalin@redhat.com> 2.1.1-1
+- update to 2.1.1
+
+* Thu Jan 31 2002 Nalin Dahyabhai <nalin@redhat.com> 2.1.0-1
+- marge 1.5.24 back in, making a note that it should be removed at some
+  point in the future
+
+* Wed Jan 30 2002 Nalin Dahyabhai <nalin@redhat.com>
+- update to 2.1.0, which is designed to be installed in parallel with cyrus sasl
+  1.x, so fork the package and rename it to cyrus-sasl2
+- add the sasldb auxprop plugin to the main package
+- add disabled-by-default saslauthd init script
+- move the .la files for plugins into their respective packages -- they're
+  needed by the library
+
+* Wed Jan 23 2002 Nalin Dahyabhai <nalin@redhat.com> 1.5.24-24
+- free ride through the build system
+
+* Fri Nov  2 2001 Nalin Dahyabhai <nalin@redhat.com> 1.5.24-23
+- patch to fix possible syslog format-string vulnerability 
+
+* Mon Oct 29 2001 Nalin Dahyabhai <nalin@redhat.com> 1.5.24-22
+- add pam-devel as a buildprereq
+
+* Wed Aug 29 2001 Nalin Dahyabhai <nalin@redhat.com> 1.5.24-21
+- include sample programs in the -devel subpackage, prefixing their names
+  with "sasl-" to reduce future potential naming conflicts
+
+* Tue Aug 14 2001 Nalin Dahyabhai <nalin@redhat.com> 1.5.24-20
+- build without -ggdb
+
+* Fri Aug  3 2001 Nalin Dahyabhai <nalin@redhat.com>
+- add gdbm-devel as a build dependency (#44990)
+- split off CRAM-MD5 and DIGEST-MD5 into a subpackage of their own (#43079,
+  and dialogs with David L. Parsley)
+
+* Fri Apr 27 2001 Nalin Dahyabhai <nalin@redhat.com>
+- split out the PLAIN and LOGIN mechanisms into their own package (this allows
+  an administrator to disable them by simply removing the package)
+
+* Fri Jan 19 2001 Nalin Dahyabhai <nalin@redhat.com>
+- rebuild in new environment
+
+* Wed Dec  6 2000 Nalin Dahyabhai <nalin@redhat.com>
+- fix gssapi-over-tls
+
+* Fri Oct 27 2000 Nalin Dahyabhai <nalin@redhat.com>
+- enable static libraries, but always build with -fPIC
+
+* Wed Oct 25 2000 Nalin Dahyabhai <nalin@redhat.com>
+- make sure the version of 1.5.24 in the package matches the masters (#18968)
+
+* Mon Oct  9 2000 Nalin Dahyabhai <nalin@redhat.com>
+- re-add the libsasl.so symlink to the -devel package (oops)
+
+* Fri Oct  6 2000 Nalin Dahyabhai <nalin@redhat.com>
+- move .so files for modules to their respective packages -- they're not -devel
+  links meant for use by ld anyway
+
+* Thu Oct  5 2000 Nalin Dahyabhai <nalin@redhat.com>
+- split off -devel subpackage
+- add a -gssapi subpackage for the gssapi plugins
+
+* Wed Aug 16 2000 Nalin Dahyabhai <nalin@redhat.com>
+- fix the summary text
+
+* Sun Aug 13 2000 Nalin Dahyabhai <nalin@redhat.com>
+- re-enable arcfour and CRAM
+
+* Fri Aug  4 2000 Nalin Dahyabhai <nalin@redhat.com>
+- force use of gdbm for database files to avoid DB migration weirdness
+- enable login mechanism
+- disable gssapi until it can coexist peacefully with non-gssapi setups
+- actually do a make in the build section (#15410)
+
+* Fri Jul 21 2000 Nalin Dahyabhai <nalin@redhat.com>
+- update to 1.5.24
+
+* Wed Jul 12 2000 Prospector <bugzilla@redhat.com>
+- automatic rebuild
+
+* Tue Jun 27 2000 Nalin Dahyabhai <nalin@redhat.com>
+- rebuild in new environment (release 3)
+
+* Mon Jun 19 2000 Nalin Dahyabhai <nalin@redhat.com>
+- don't muck with syslogd in post
+- remove patch for db-3.0 wackiness, no longer needed
+
+* Thu Jun  8 2000 Nalin Dahyabhai <nalin@redhat.com>
+- FHS cleanup
+- don't strip anything by default
+
+* Fri Feb 11 2000 Tim Powers <timp@redhat.com>
+- fixed man pages not being gzipped
+
+* Tue Nov 16 1999 Tim Powers <timp@redhat.com>
+- incorporated changes from Mads Kiilerich
+- release number is 1, not mk1
+
+* Wed Nov 10 1999 Mads Kiilerich <mads@kiilerich.com>
+- updated to sasl 1.5.11
+- configure --disable-krb4 --without-rc4 --disable-cram 
+  because of missing libraries and pine having cram as default...
+- handle changing libsasl.so versions
+
+* Mon Aug 30 1999 Tim Powers <timp@redhat.com>
+- changed group
+
+* Fri Aug 13 1999 Tim Powers <timp@redhat.com>
+- first build for Powertools