diff --git a/0002-sssct-allow-cert-show-and-cert-eval-rule-as-non-root.patch b/0002-sssct-allow-cert-show-and-cert-eval-rule-as-non-root.patch
new file mode 100644
index 0000000..3a72436
--- /dev/null
+++ b/0002-sssct-allow-cert-show-and-cert-eval-rule-as-non-root.patch
@@ -0,0 +1,39 @@
+From 15d7d34b20219e2fd45c43881088f5d542e9603e Mon Sep 17 00:00:00 2001
+From: Sumit Bose <sbose@redhat.com>
+Date: Tue, 4 Jul 2023 18:56:35 +0200
+Subject: [PATCH 2/3] sssct: allow cert-show and cert-eval-rule as non-root
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The cert-show and cert-eval-rule sub-commands do not need root access and
+do not require SSSD to be configured on the host.
+
+Resolves: https://github.com/SSSD/sssd/issues/6802
+
+Reviewed-by: Alejandro López <allopez@redhat.com>
+Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
+(cherry picked from commit 8466f0e4d0c6cd2b98d2789970847b9adc01d7d4)
+---
+ src/tools/sssctl/sssctl.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/tools/sssctl/sssctl.c b/src/tools/sssctl/sssctl.c
+index 855260aed..04c41aa9a 100644
+--- a/src/tools/sssctl/sssctl.c
++++ b/src/tools/sssctl/sssctl.c
+@@ -340,9 +340,9 @@ int main(int argc, const char **argv)
+         SSS_TOOL_COMMAND_FLAGS("config-check", "Perform static analysis of SSSD configuration", 0, sssctl_config_check, SSS_TOOL_FLAG_SKIP_CMD_INIT),
+ #endif
+         SSS_TOOL_DELIMITER("Certificate related tools:"),
+-        SSS_TOOL_COMMAND("cert-show", "Print information about the certificate", 0, sssctl_cert_show),
++        SSS_TOOL_COMMAND_FLAGS("cert-show", "Print information about the certificate", 0, sssctl_cert_show, SSS_TOOL_FLAG_SKIP_CMD_INIT|SSS_TOOL_FLAG_SKIP_ROOT_CHECK),
+         SSS_TOOL_COMMAND("cert-map", "Show users mapped to the certificate", 0, sssctl_cert_map),
+-        SSS_TOOL_COMMAND("cert-eval-rule", "Check mapping and matching rule with a certificate", 0, sssctl_cert_eval_rule),
++        SSS_TOOL_COMMAND_FLAGS("cert-eval-rule", "Check mapping and matching rule with a certificate", 0, sssctl_cert_eval_rule, SSS_TOOL_FLAG_SKIP_CMD_INIT|SSS_TOOL_FLAG_SKIP_ROOT_CHECK),
+ #ifdef BUILD_PASSKEY
+         SSS_TOOL_DELIMITER("Passkey related tools:"),
+         SSS_TOOL_COMMAND_FLAGS("passkey-register", "Perform passkey registration", 0, sssctl_passkey_register, SSS_TOOL_FLAG_SKIP_CMD_INIT|SSS_TOOL_FLAG_SKIP_ROOT_CHECK),
+-- 
+2.38.1
+
diff --git a/0003-certmap-fix-partial-string-comparison.patch b/0003-certmap-fix-partial-string-comparison.patch
new file mode 100644
index 0000000..258940b
--- /dev/null
+++ b/0003-certmap-fix-partial-string-comparison.patch
@@ -0,0 +1,87 @@
+From 11afa7a6ef7e15f1e98c7145ad5c80bbdfc520e2 Mon Sep 17 00:00:00 2001
+From: Sumit Bose <sbose@redhat.com>
+Date: Tue, 4 Jul 2023 19:06:27 +0200
+Subject: [PATCH 3/3] certmap: fix partial string comparison
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+If the formatting option of the certificate digest/hash function
+contained and additional specifier separated with a '_' the comparison
+of the provided digest name and the available ones was incomplete, the
+last character was ignored and the comparison was successful if even if
+there was only a partial match.
+
+Resolves: https://github.com/SSSD/sssd/issues/6802
+
+Reviewed-by: Alejandro López <allopez@redhat.com>
+Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
+(cherry picked from commit 0817ca3b366f51510705ab77d7900c0b65b7d2fc)
+---
+ src/lib/certmap/sss_certmap_ldap_mapping.c |  9 ++++++++-
+ src/tests/cmocka/test_certmap.c            | 22 ++++++++++++++++++++++
+ 2 files changed, 30 insertions(+), 1 deletion(-)
+
+diff --git a/src/lib/certmap/sss_certmap_ldap_mapping.c b/src/lib/certmap/sss_certmap_ldap_mapping.c
+index 2f16837a1..354b0310b 100644
+--- a/src/lib/certmap/sss_certmap_ldap_mapping.c
++++ b/src/lib/certmap/sss_certmap_ldap_mapping.c
+@@ -228,14 +228,21 @@ int check_digest_conversion(const char *inp, const char **digest_list,
+     bool colon = false;
+     bool reverse = false;
+     char *c;
++    size_t len = 0;
+ 
+     sep = strchr(inp, '_');
++    if (sep != NULL) {
++        len = sep - inp;
++    }
+ 
+     for (d = 0; digest_list[d] != NULL; d++) {
+         if (sep == NULL) {
+             cmp = strcasecmp(digest_list[d], inp);
+         } else {
+-            cmp = strncasecmp(digest_list[d], inp, (sep - inp -1));
++            if (strlen(digest_list[d]) != len) {
++                continue;
++            }
++            cmp = strncasecmp(digest_list[d], inp, len);
+         }
+ 
+         if (cmp == 0) {
+diff --git a/src/tests/cmocka/test_certmap.c b/src/tests/cmocka/test_certmap.c
+index da312beaf..a15984d60 100644
+--- a/src/tests/cmocka/test_certmap.c
++++ b/src/tests/cmocka/test_certmap.c
+@@ -2183,6 +2183,28 @@ static void test_sss_certmap_ldapu1_cert(void **state)
+     assert_non_null(ctx);
+     assert_null(ctx->prio_list);
+ 
++    /* cert!sha */
++    ret = sss_certmap_add_rule(ctx, 91,
++                            "KRB5:<ISSUER>.*",
++                            "LDAP:rule91={cert!sha}", NULL);
++    assert_int_equal(ret, EINVAL);
++
++    ret = sss_certmap_add_rule(ctx, 91,
++                            "KRB5:<ISSUER>.*",
++                            "LDAPU1:rule91={cert!sha}", NULL);
++    assert_int_equal(ret, EINVAL);
++
++    /* cert!sha_u */
++    ret = sss_certmap_add_rule(ctx, 90,
++                            "KRB5:<ISSUER>.*",
++                            "LDAP:rule90={cert!sha_u}", NULL);
++    assert_int_equal(ret, EINVAL);
++
++    ret = sss_certmap_add_rule(ctx, 99,
++                            "KRB5:<ISSUER>.*",
++                            "LDAPU1:rule90={cert!sha_u}", NULL);
++    assert_int_equal(ret, EINVAL);
++
+     /* cert!sha555 */
+     ret = sss_certmap_add_rule(ctx, 89,
+                             "KRB5:<ISSUER>.*",
+-- 
+2.38.1
+
diff --git a/sssd.spec b/sssd.spec
index d9cfbed..7607722 100644
--- a/sssd.spec
+++ b/sssd.spec
@@ -43,7 +43,7 @@
 
 Name: sssd
 Version: 2.9.1
-Release: 3%{?dist}
+Release: 4%{?dist}
 Summary: System Security Services Daemon
 License: GPL-3.0-or-later
 URL: https://github.com/SSSD/sssd/
@@ -51,6 +51,8 @@ Source0: https://github.com/SSSD/sssd/releases/download/2.9.1/sssd-2.9.1.tar.gz
 
 ### Patches ###
 Patch0001: 0001-BUILD-Accept-krb5-1.21-for-building-the-PAC-plugin.patch
+Patch0002: 0002-sssct-allow-cert-show-and-cert-eval-rule-as-non-root.patch
+Patch0003: 0003-certmap-fix-partial-string-comparison.patch
 
 ### Dependencies ###
 
@@ -1059,6 +1061,9 @@ fi
 %systemd_postun_with_restart sssd.service
 
 %changelog
+* Tue Aug 15 2023 Alexey Tikhonov <atikhono@redhat.com> - 2.9.1-4
+- Resolves sss_certmap_test fail
+
 * Sat Jul 22 2023 Fedora Release Engineering <releng@fedoraproject.org> - 2.9.1-3
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild