diff --git a/sys-auth/sssd/files/sssd-2.8.2-krb5_pw_locked.patch b/sys-auth/sssd/files/sssd-2.8.2-krb5_pw_locked.patch
new file mode 100644
index 0000000..37e4e5d
--- /dev/null
+++ b/sys-auth/sssd/files/sssd-2.8.2-krb5_pw_locked.patch
@@ -0,0 +1,12 @@
+diff --git a/src/providers/krb5/krb5_auth.c b/src/providers/krb5/krb5_auth.c
+index a1c0b36..207c010 100644
+--- a/src/providers/krb5/krb5_auth.c
++++ b/src/providers/krb5/krb5_auth.c
+@@ -1037,6 +1037,7 @@ static void krb5_auth_done(struct tevent_req *subreq)
+     case ERR_ACCOUNT_LOCKED:
+         state->pam_status = PAM_PERM_DENIED;
+         state->dp_err = DP_ERR_OK;
++        state->pd->account_locked = true;
+         ret = EOK;
+         goto done;
+ 
\ No newline at end of file
diff --git a/sys-auth/sssd/files/sssd-2.9.1-mit-krb-1.21.patch b/sys-auth/sssd/files/sssd-2.9.1-BUILD-Accept-krb5-1.21-for-building-the-PAC-plugin.patch
similarity index 83%
rename from sys-auth/sssd/files/sssd-2.9.1-mit-krb-1.21.patch
rename to sys-auth/sssd/files/sssd-2.9.1-BUILD-Accept-krb5-1.21-for-building-the-PAC-plugin.patch
index 01aef9b..c849fe7 100644
--- a/sys-auth/sssd/files/sssd-2.9.1-mit-krb-1.21.patch
+++ b/sys-auth/sssd/files/sssd-2.9.1-BUILD-Accept-krb5-1.21-for-building-the-PAC-plugin.patch
@@ -1,7 +1,7 @@
 From 74d0f4538deb766592079b1abca0d949d6dea105 Mon Sep 17 00:00:00 2001
 From: Alexey Tikhonov <atikhono@redhat.com>
 Date: Thu, 15 Jun 2023 12:05:03 +0200
-Subject: [PATCH] BUILD: Accept krb5 1.21 for building the PAC plugin
+Subject: [PATCH 1/1] BUILD: Accept krb5 1.21 for building the PAC plugin
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
 Content-Transfer-Encoding: 8bit
@@ -13,7 +13,7 @@ Reviewed-by: Sumit Bose <sbose@redhat.com>
  1 file changed, 2 insertions(+), 1 deletion(-)
 
 diff --git a/src/external/pac_responder.m4 b/src/external/pac_responder.m4
-index 3cbe3c9cfb..90727185b5 100644
+index 3cbe3c9cfba03b59e26a8c5c2d73446eead2acea..90727185b574411bddd928f8d87efdc87076eba4 100644
 --- a/src/external/pac_responder.m4
 +++ b/src/external/pac_responder.m4
 @@ -22,7 +22,8 @@ then
@@ -26,3 +26,6 @@ index 3cbe3c9cfb..90727185b5 100644
              krb5_version_ok=yes
              AC_MSG_RESULT([yes])
              ;;
+-- 
+2.41.0
+
diff --git a/sys-auth/sssd/files/sssd-2.9.1-certmap-fix-partial-string-comparison.patch b/sys-auth/sssd/files/sssd-2.9.1-certmap-fix-partial-string-comparison.patch
new file mode 100644
index 0000000..258940b
--- /dev/null
+++ b/sys-auth/sssd/files/sssd-2.9.1-certmap-fix-partial-string-comparison.patch
@@ -0,0 +1,87 @@
+From 11afa7a6ef7e15f1e98c7145ad5c80bbdfc520e2 Mon Sep 17 00:00:00 2001
+From: Sumit Bose <sbose@redhat.com>
+Date: Tue, 4 Jul 2023 19:06:27 +0200
+Subject: [PATCH 3/3] certmap: fix partial string comparison
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+If the formatting option of the certificate digest/hash function
+contained and additional specifier separated with a '_' the comparison
+of the provided digest name and the available ones was incomplete, the
+last character was ignored and the comparison was successful if even if
+there was only a partial match.
+
+Resolves: https://github.com/SSSD/sssd/issues/6802
+
+Reviewed-by: Alejandro López <allopez@redhat.com>
+Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
+(cherry picked from commit 0817ca3b366f51510705ab77d7900c0b65b7d2fc)
+---
+ src/lib/certmap/sss_certmap_ldap_mapping.c |  9 ++++++++-
+ src/tests/cmocka/test_certmap.c            | 22 ++++++++++++++++++++++
+ 2 files changed, 30 insertions(+), 1 deletion(-)
+
+diff --git a/src/lib/certmap/sss_certmap_ldap_mapping.c b/src/lib/certmap/sss_certmap_ldap_mapping.c
+index 2f16837a1..354b0310b 100644
+--- a/src/lib/certmap/sss_certmap_ldap_mapping.c
++++ b/src/lib/certmap/sss_certmap_ldap_mapping.c
+@@ -228,14 +228,21 @@ int check_digest_conversion(const char *inp, const char **digest_list,
+     bool colon = false;
+     bool reverse = false;
+     char *c;
++    size_t len = 0;
+ 
+     sep = strchr(inp, '_');
++    if (sep != NULL) {
++        len = sep - inp;
++    }
+ 
+     for (d = 0; digest_list[d] != NULL; d++) {
+         if (sep == NULL) {
+             cmp = strcasecmp(digest_list[d], inp);
+         } else {
+-            cmp = strncasecmp(digest_list[d], inp, (sep - inp -1));
++            if (strlen(digest_list[d]) != len) {
++                continue;
++            }
++            cmp = strncasecmp(digest_list[d], inp, len);
+         }
+ 
+         if (cmp == 0) {
+diff --git a/src/tests/cmocka/test_certmap.c b/src/tests/cmocka/test_certmap.c
+index da312beaf..a15984d60 100644
+--- a/src/tests/cmocka/test_certmap.c
++++ b/src/tests/cmocka/test_certmap.c
+@@ -2183,6 +2183,28 @@ static void test_sss_certmap_ldapu1_cert(void **state)
+     assert_non_null(ctx);
+     assert_null(ctx->prio_list);
+ 
++    /* cert!sha */
++    ret = sss_certmap_add_rule(ctx, 91,
++                            "KRB5:<ISSUER>.*",
++                            "LDAP:rule91={cert!sha}", NULL);
++    assert_int_equal(ret, EINVAL);
++
++    ret = sss_certmap_add_rule(ctx, 91,
++                            "KRB5:<ISSUER>.*",
++                            "LDAPU1:rule91={cert!sha}", NULL);
++    assert_int_equal(ret, EINVAL);
++
++    /* cert!sha_u */
++    ret = sss_certmap_add_rule(ctx, 90,
++                            "KRB5:<ISSUER>.*",
++                            "LDAP:rule90={cert!sha_u}", NULL);
++    assert_int_equal(ret, EINVAL);
++
++    ret = sss_certmap_add_rule(ctx, 99,
++                            "KRB5:<ISSUER>.*",
++                            "LDAPU1:rule90={cert!sha_u}", NULL);
++    assert_int_equal(ret, EINVAL);
++
+     /* cert!sha555 */
+     ret = sss_certmap_add_rule(ctx, 89,
+                             "KRB5:<ISSUER>.*",
+-- 
+2.38.1
+
diff --git a/sys-auth/sssd/files/sssd-2.9.1-conditional-python-install.patch b/sys-auth/sssd/files/sssd-2.9.1-conditional-python-install.patch
index 6ebe2a3..de46b96 100644
--- a/sys-auth/sssd/files/sssd-2.9.1-conditional-python-install.patch
+++ b/sys-auth/sssd/files/sssd-2.9.1-conditional-python-install.patch
@@ -1,26 +1,18 @@
+diff --git a/src/tools/analyzer/Makefile.am b/src/tools/analyzer/Makefile.am
+index b40043d04..dce6b9d36 100644
 --- a/src/tools/analyzer/Makefile.am
 +++ b/src/tools/analyzer/Makefile.am
-@@ -1,11 +1,12 @@
- sss_analyze_pythondir = $(libexecdir)/sssd
-+pkgpythondir = $(python3dir)/sssd
+@@ -5,7 +5,9 @@ dist_sss_analyze_python_SCRIPTS = \
+     $(NULL)
+ 
+ pkgpythondir = $(python3dir)/sssd
 +modulesdir = $(pkgpythondir)/modules
  
 +if BUILD_PYTHON_BINDINGS
- dist_sss_analyze_python_SCRIPTS = \
-     sss_analyze \
-     $(NULL)
- 
--pkgpythondir = $(python3dir)/sssd
--
  dist_pkgpython_DATA = \
      __init__.py \
      source_files.py \
-@@ -15,8 +16,8 @@ dist_pkgpython_DATA = \
-     sss_analyze.py \
-     $(NULL)
- 
--modulesdir = $(pkgpythondir)/modules
- dist_modules_DATA = \
+@@ -20,3 +22,4 @@ dist_modules_DATA = \
      modules/__init__.py \
      modules/request.py \
      $(NULL)
diff --git a/sys-auth/sssd/files/sssd-2.9.1-sssct-allow-cert-show-and-cert-eval-rule-as-non-root.patch b/sys-auth/sssd/files/sssd-2.9.1-sssct-allow-cert-show-and-cert-eval-rule-as-non-root.patch
new file mode 100644
index 0000000..3a72436
--- /dev/null
+++ b/sys-auth/sssd/files/sssd-2.9.1-sssct-allow-cert-show-and-cert-eval-rule-as-non-root.patch
@@ -0,0 +1,39 @@
+From 15d7d34b20219e2fd45c43881088f5d542e9603e Mon Sep 17 00:00:00 2001
+From: Sumit Bose <sbose@redhat.com>
+Date: Tue, 4 Jul 2023 18:56:35 +0200
+Subject: [PATCH 2/3] sssct: allow cert-show and cert-eval-rule as non-root
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The cert-show and cert-eval-rule sub-commands do not need root access and
+do not require SSSD to be configured on the host.
+
+Resolves: https://github.com/SSSD/sssd/issues/6802
+
+Reviewed-by: Alejandro López <allopez@redhat.com>
+Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
+(cherry picked from commit 8466f0e4d0c6cd2b98d2789970847b9adc01d7d4)
+---
+ src/tools/sssctl/sssctl.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/tools/sssctl/sssctl.c b/src/tools/sssctl/sssctl.c
+index 855260aed..04c41aa9a 100644
+--- a/src/tools/sssctl/sssctl.c
++++ b/src/tools/sssctl/sssctl.c
+@@ -340,9 +340,9 @@ int main(int argc, const char **argv)
+         SSS_TOOL_COMMAND_FLAGS("config-check", "Perform static analysis of SSSD configuration", 0, sssctl_config_check, SSS_TOOL_FLAG_SKIP_CMD_INIT),
+ #endif
+         SSS_TOOL_DELIMITER("Certificate related tools:"),
+-        SSS_TOOL_COMMAND("cert-show", "Print information about the certificate", 0, sssctl_cert_show),
++        SSS_TOOL_COMMAND_FLAGS("cert-show", "Print information about the certificate", 0, sssctl_cert_show, SSS_TOOL_FLAG_SKIP_CMD_INIT|SSS_TOOL_FLAG_SKIP_ROOT_CHECK),
+         SSS_TOOL_COMMAND("cert-map", "Show users mapped to the certificate", 0, sssctl_cert_map),
+-        SSS_TOOL_COMMAND("cert-eval-rule", "Check mapping and matching rule with a certificate", 0, sssctl_cert_eval_rule),
++        SSS_TOOL_COMMAND_FLAGS("cert-eval-rule", "Check mapping and matching rule with a certificate", 0, sssctl_cert_eval_rule, SSS_TOOL_FLAG_SKIP_CMD_INIT|SSS_TOOL_FLAG_SKIP_ROOT_CHECK),
+ #ifdef BUILD_PASSKEY
+         SSS_TOOL_DELIMITER("Passkey related tools:"),
+         SSS_TOOL_COMMAND_FLAGS("passkey-register", "Perform passkey registration", 0, sssctl_passkey_register, SSS_TOOL_FLAG_SKIP_CMD_INIT|SSS_TOOL_FLAG_SKIP_ROOT_CHECK),
+-- 
+2.38.1
+
diff --git a/sys-auth/sssd/sssd-2.9.1.ebuild b/sys-auth/sssd/sssd-2.9.1.ebuild
index 3f88a61..0fbb3eb 100644
--- a/sys-auth/sssd/sssd-2.9.1.ebuild
+++ b/sys-auth/sssd/sssd-2.9.1.ebuild
@@ -14,13 +14,19 @@ inherit autotools linux-info multilib-minimal optfeature plocale \
 
 DESCRIPTION="System Security Services Daemon provides access to identity and authentication"
 HOMEPAGE="https://github.com/SSSD/sssd"
-SRC_URI="https://github.com/SSSD/sssd/releases/download/${PV}/${P}.tar.gz"
-SRC_URI+=" verify-sig? ( https://github.com/SSSD/sssd/releases/download/${PV}/${P}.tar.gz.asc )"
+if [[ ${PV} != 9999 ]]; then
+	SRC_URI="https://github.com/SSSD/sssd/releases/download/${PV}/${P}.tar.gz"
+	SRC_URI+=" verify-sig? ( https://github.com/SSSD/sssd/releases/download/${PV}/${P}.tar.gz.asc )"
+else
+	inherit git-r3
+	EGIT_REPO_URI="https://github.com/SSSD/sssd.git"
+	EGIT_BRANCH="master"
+fi
 
 LICENSE="GPL-3"
 SLOT="0"
 KEYWORDS="~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~riscv ~sparc ~x86"
-IUSE="acl doc +netlink nfsv4 nls +man python samba selinux subid sudo systemd systemtap test"
+IUSE="acl doc +netlink nfsv4 nls +man python samba selinux sudo systemd systemtap test"
 REQUIRED_USE="
 	python? ( ${PYTHON_REQUIRED_USE} )
 	test? ( sudo )"
@@ -36,12 +42,13 @@ DEPEND="
 	dev-libs/libunistring:=
 	>=dev-libs/popt-1.16
 	>=dev-libs/openssl-1.0.2:=
+	dev-libs/libunistring:=
 	|| (
 		>=net-dns/bind-tools-9.9[gssapi]
 		>=net-dns/bind-9.18[gssapi]
 	)
 	>=net-dns/c-ares-1.10.0-r1:=[${MULTILIB_USEDEP}]
-	>=net-nds/openldap-2.4.30:=[sasl]
+	>=net-nds/openldap-2.4.30:=[sasl,experimental]
 	>=sys-apps/dbus-1.6
 	>=sys-apps/keyutils-1.5:=
 	>=sys-libs/pam-0-r1[${MULTILIB_USEDEP}]
@@ -102,8 +109,11 @@ BDEPEND="
 CONFIG_CHECK="~KEYS"
 
 PATCHES=(
-	"${FILESDIR}"/${PN}-2.9.1-conditional-python-install.patch
-	"${FILESDIR}"/${PN}-2.9.1-mit-krb-1.21.patch
+	"${FILESDIR}/${PN}-2.8.2-krb5_pw_locked.patch"
+	"${FILESDIR}/${PN}-2.9.1-BUILD-Accept-krb5-1.21-for-building-the-PAC-plugin.patch"
+	"${FILESDIR}/${PN}-2.9.1-certmap-fix-partial-string-comparison.patch"
+	"${FILESDIR}/${PN}-2.9.1-sssct-allow-cert-show-and-cert-eval-rule-as-non-root.patch"
+	"${FILESDIR}/${PN}-2.9.1-conditional-python-install.patch"
 )
 
 MULTILIB_WRAPPED_HEADERS=(
@@ -171,8 +181,10 @@ multilib_src_configure() {
 	local myconf=()
 
 	myconf+=(
+		--libexecdir="${EPREFIX}"/usr/libexec
 		--localstatedir="${EPREFIX}"/var
 		--runstatedir="${EPREFIX}"/run
+		--sbindir="${EPREFIX}"/usr/sbin
 		--with-pid-path="${EPREFIX}"/run
 		--with-plugin-path="${EPREFIX}"/usr/$(get_libdir)/sssd
 		--enable-pammoddir="${EPREFIX}"/$(getpam_mod_dir)
@@ -184,19 +196,19 @@ multilib_src_configure() {
 		--with-mcache-path="${EPREFIX}"/var/lib/sss/mc
 		--with-secrets-db-path="${EPREFIX}"/var/lib/sss/secrets
 		--with-log-path="${EPREFIX}"/var/log/sssd
+		--with-kcm
+		--enable-kcm-renewal
 		--with-os=gentoo
 		--disable-rpath
 		--disable-static
 		# Valgrind is only used for tests
 		--disable-valgrind
-		--sbindir="${EPREFIX}"/usr/sbin
-		--libexecdir="${EPREFIX}"/usr/libexec
+		$(multilib native_with files)
 		$(use_with samba)
 		--with-smb-idmap-interface-version=6
 		$(multilib_native_use_enable acl cifs-idmap-plugin)
 		$(multilib_native_use_with selinux)
 		$(multilib_native_use_with selinux semanage)
-		--with-kcm
 		--enable-krb5-locator-plugin
 		$(use_enable samba pac-responder)
 		$(multilib_native_use_with nfsv4 nfsv4-idmapd-plugin)
@@ -322,6 +334,6 @@ multilib_src_install_all() {
 pkg_postinst() {
 	elog "You must set up sssd.conf (default installed into /etc/sssd)"
 	elog "and (optionally) configuration in /etc/pam.d in order to use SSSD"
-	elog "features. Please see howto in	https://sssd.io/docs/design_pages/smartcard_authentication_require.html"
+	elog "features."
 	optfeature "Kerberos keytab renew (see krb5_renew_interval)" app-crypt/adcli
 }