diff --git a/SOURCES/0036-CACHE-SSSD-doesn-t-clear-cache-entries.patch b/SOURCES/0036-CACHE-SSSD-doesn-t-clear-cache-entries.patch
new file mode 100644
index 0000000..8ecab4d
--- /dev/null
+++ b/SOURCES/0036-CACHE-SSSD-doesn-t-clear-cache-entries.patch
@@ -0,0 +1,81 @@
+From fb3f1af38edff257d603da165e0d64d12d92644e Mon Sep 17 00:00:00 2001
+From: Tomas Halman <thalman@redhat.com>
+Date: Sun, 16 Dec 2018 08:46:24 +0100
+Subject: [PATCH] CACHE: SSSD doesn't clear cache entries
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Once object is in cache it is refreshed when it is expired and
+requested by the system. Object ID is not checked before refresh,
+but config parameter ldap_(min|max)_id could be changed by admin.
+We should check object ID and not refresh objects outside min/max
+ID interval.
+
+Resolves:
+https://pagure.io/SSSD/sssd/issue/3905
+
+Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
+Reviewed-by: Pavel Březina <pbrezina@redhat.com>
+(cherry picked from commit d2adfcf54c3a37aeda675aec3ba3d174061fac1a)
+---
+ .../common/cache_req/cache_req_search.c       | 29 +++++++++++++++++++
+ 1 file changed, 29 insertions(+)
+
+diff --git a/src/responder/common/cache_req/cache_req_search.c b/src/responder/common/cache_req/cache_req_search.c
+index 7423feb63..873214503 100644
+--- a/src/responder/common/cache_req/cache_req_search.c
++++ b/src/responder/common/cache_req/cache_req_search.c
+@@ -25,6 +25,7 @@
+ #include "util/util.h"
+ #include "responder/common/cache_req/cache_req_private.h"
+ #include "responder/common/cache_req/cache_req_plugin.h"
++#include "db/sysdb.h"
+ 
+ static errno_t cache_req_search_ncache(struct cache_req *cr)
+ {
+@@ -169,6 +170,30 @@ done:
+     return ret;
+ }
+ 
++static int
++cache_req_should_be_in_cache(struct cache_req *cr,
++                             struct ldb_result *result)
++{
++    id_t id = 0;
++
++    if (result == NULL || result->count != 1) {
++        /* can't decide so keep it */
++        return EOK;
++    }
++
++    id = ldb_msg_find_attr_as_uint(result->msgs[0], SYSDB_UIDNUM, 0);
++    if (id && OUT_OF_ID_RANGE(id, cr->domain->id_min, cr->domain->id_max)) {
++        return ERR_ID_OUTSIDE_RANGE;
++    }
++
++    id = ldb_msg_find_attr_as_uint(result->msgs[0], SYSDB_GIDNUM, 0);
++    if (id && OUT_OF_ID_RANGE(id, cr->domain->id_min, cr->domain->id_max)) {
++        return ERR_ID_OUTSIDE_RANGE;
++    }
++
++    return EOK;
++}
++
+ static errno_t cache_req_search_cache(TALLOC_CTX *mem_ctx,
+                                       struct cache_req *cr,
+                                       struct ldb_result **_result)
+@@ -191,6 +216,10 @@ static errno_t cache_req_search_cache(TALLOC_CTX *mem_ctx,
+         ret = ENOENT;
+     }
+ 
++    if (ret == EOK) {
++        ret = cache_req_should_be_in_cache(cr, result);
++    }
++
+     switch (ret) {
+     case EOK:
+         if (cr->plugin->only_one_result && result->count > 1) {
+-- 
+2.20.1
+
diff --git a/SOURCES/0036-LDAP-failover-does-not-work-on-non-responsive-ldaps.patch b/SOURCES/0036-LDAP-failover-does-not-work-on-non-responsive-ldaps.patch
deleted file mode 100644
index 396cfcd..0000000
--- a/SOURCES/0036-LDAP-failover-does-not-work-on-non-responsive-ldaps.patch
+++ /dev/null
@@ -1,81 +0,0 @@
-From 442cd658329251d8390dd5bd790d86c78ead88ab Mon Sep 17 00:00:00 2001
-From: Tomas Halman <thalman@redhat.com>
-Date: Mon, 24 Jun 2019 15:58:09 +0200
-Subject: [PATCH] LDAP: failover does not work on non-responsive ldaps
-
-In case ldaps:// is used, then establishing the secure socket is
-a sychronous operation. If there's nothing on the other end, then
-the process would be stuck waiting in for the crypto library
-to finish.
-
-Here we set socket read/write timeout so the operation can finish
-in reasonable time with an error. The ldap_network_timeout
-option is used for this timeout.
-
-Resolves:
-https://pagure.io/SSSD/sssd/issue/2878
-
-Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
-Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
-(cherry picked from commit 2d657dffb419640860e46ed417137b0e2cc7d9af)
----
- src/util/sss_sockets.c | 26 ++++++++++++++++++++++++--
- 1 file changed, 24 insertions(+), 2 deletions(-)
-
-diff --git a/src/util/sss_sockets.c b/src/util/sss_sockets.c
-index 5e9be9ebd..0e4d8df8a 100644
---- a/src/util/sss_sockets.c
-+++ b/src/util/sss_sockets.c
-@@ -74,10 +74,11 @@ static errno_t set_fcntl_flags(int fd, int fd_flags, int fl_flags)
-     return EOK;
- }
- 
--static errno_t set_fd_common_opts(int fd)
-+static errno_t set_fd_common_opts(int fd, int timeout)
- {
-     int dummy = 1;
-     int ret;
-+    struct timeval tv;
- 
-     /* SO_KEEPALIVE and TCP_NODELAY are set by OpenLDAP client libraries but
-      * failures are ignored.*/
-@@ -97,6 +98,27 @@ static errno_t set_fd_common_opts(int fd)
-                   strerror(ret));
-     }
- 
-+    if (timeout > 0) {
-+        /* Set socket read & write timeout */
-+        tv = tevent_timeval_set(timeout, 0);
-+
-+        ret = setsockopt(fd, SOL_SOCKET, SO_RCVTIMEO, &tv, sizeof(tv));
-+        if (ret != 0) {
-+            ret = errno;
-+            DEBUG(SSSDBG_FUNC_DATA,
-+                  "setsockopt SO_RCVTIMEO failed.[%d][%s].\n", ret,
-+                  strerror(ret));
-+        }
-+
-+        ret = setsockopt(fd, SOL_SOCKET, SO_SNDTIMEO, &tv, sizeof(tv));
-+        if (ret != 0) {
-+            ret = errno;
-+            DEBUG(SSSDBG_FUNC_DATA,
-+                  "setsockopt SO_SNDTIMEO failed.[%d][%s].\n", ret,
-+                  strerror(ret));
-+        }
-+    }
-+
-     return EOK;
- }
- 
-@@ -264,7 +286,7 @@ struct tevent_req *sssd_async_socket_init_send(TALLOC_CTX *mem_ctx,
-         goto fail;
-     }
- 
--    ret = set_fd_common_opts(state->sd);
-+    ret = set_fd_common_opts(state->sd, timeout);
-     if (ret != EOK) {
-         DEBUG(SSSDBG_CRIT_FAILURE, "set_fd_common_opts failed.\n");
-         goto fail;
--- 
-2.20.1
-
diff --git a/SOURCES/0037-Add-TCP-level-timeout-to-LDAP-services.patch b/SOURCES/0037-Add-TCP-level-timeout-to-LDAP-services.patch
deleted file mode 100644
index 8c28ccb..0000000
--- a/SOURCES/0037-Add-TCP-level-timeout-to-LDAP-services.patch
+++ /dev/null
@@ -1,51 +0,0 @@
-From bad7c631b7aab50d179755ee546357e4f4faca9d Mon Sep 17 00:00:00 2001
-From: Simo Sorce <simo@redhat.com>
-Date: Tue, 10 Sep 2019 14:33:37 +0000
-Subject: [PATCH] Add TCP level timeout to LDAP services
-
-In some cases the TCP connection may hang with data sent because
-of network conditions, this may cause the socket to stall for much
-longer than the timeout intended.
-Set a TCP option to forcibly timeout a socket that sees its data not
-ACKed within the ldap_network_timeout seconds.
-
-Signed-off-by: Simo Sorce <simo@redhat.com>
-
-Reviewed-by: Sumit Bose <sbose@redhat.com>
-(cherry picked from commit 7aa96458f3bec4ef6ff7385107458e6b2b0b06ac)
----
- src/util/sss_sockets.c | 11 +++++++++++
- 1 file changed, 11 insertions(+)
-
-diff --git a/src/util/sss_sockets.c b/src/util/sss_sockets.c
-index 0e4d8df8a..b6b6dbac5 100644
---- a/src/util/sss_sockets.c
-+++ b/src/util/sss_sockets.c
-@@ -79,6 +79,7 @@ static errno_t set_fd_common_opts(int fd, int timeout)
-     int dummy = 1;
-     int ret;
-     struct timeval tv;
-+    unsigned int milli;
- 
-     /* SO_KEEPALIVE and TCP_NODELAY are set by OpenLDAP client libraries but
-      * failures are ignored.*/
-@@ -117,6 +118,16 @@ static errno_t set_fd_common_opts(int fd, int timeout)
-                   "setsockopt SO_SNDTIMEO failed.[%d][%s].\n", ret,
-                   strerror(ret));
-         }
-+
-+        milli = timeout * 1000; /* timeout in milliseconds */
-+        ret = setsockopt(fd, IPPROTO_TCP, TCP_USER_TIMEOUT, milli,
-+                         sizeof(milli));
-+        if (ret != 0) {
-+            ret = errno;
-+            DEBUG(SSSDBG_FUNC_DATA,
-+                  "setsockopt TCP_USER_TIMEOUT failed.[%d][%s].\n", ret,
-+                  strerror(ret));
-+        }
-     }
- 
-     return EOK;
--- 
-2.20.1
-
diff --git a/SOURCES/0037-IPA-Allow-paging-when-fetching-external-groups.patch b/SOURCES/0037-IPA-Allow-paging-when-fetching-external-groups.patch
new file mode 100644
index 0000000..8ab7283
--- /dev/null
+++ b/SOURCES/0037-IPA-Allow-paging-when-fetching-external-groups.patch
@@ -0,0 +1,34 @@
+From 0ca64be4d6d3080e0c344f5ad61545339f64a2aa Mon Sep 17 00:00:00 2001
+From: Jakub Hrozek <jhrozek@redhat.com>
+Date: Fri, 5 Jul 2019 10:09:15 +0200
+Subject: [PATCH] IPA: Allow paging when fetching external groups
+
+For some reason (I guess a mistake during refactoring..) the LDAP search
+request that fetches the external groups does not enable the paging
+control. This means that the number of external groups that SSSD can
+fetch is limited to 2000.
+
+Resolves: https://pagure.io/SSSD/sssd/issue/4058
+
+Reviewed-by: Sumit Bose <sbose@redhat.com>
+(cherry picked from commit c2e24df4320d46577aca8d1268f0336af443d541)
+---
+ src/providers/ipa/ipa_subdomains_ext_groups.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/providers/ipa/ipa_subdomains_ext_groups.c b/src/providers/ipa/ipa_subdomains_ext_groups.c
+index 63ff7c7d7..75963bef1 100644
+--- a/src/providers/ipa/ipa_subdomains_ext_groups.c
++++ b/src/providers/ipa/ipa_subdomains_ext_groups.c
+@@ -541,7 +541,7 @@ static void ipa_get_ad_memberships_connect_done(struct tevent_req *subreq)
+     subreq = sdap_search_bases_send(state, state->ev, state->sdap_id_ctx->opts,
+                             sdap_id_op_handle(state->sdap_op),
+                             state->sdap_id_ctx->opts->sdom->group_search_bases,
+-                            NULL, false,
++                            NULL, true,
+                             dp_opt_get_int(state->sdap_id_ctx->opts->basic,
+                                             SDAP_ENUM_SEARCH_TIMEOUT),
+                             IPA_EXT_GROUPS_FILTER,
+-- 
+2.20.1
+
diff --git a/SOURCES/0038-ad-remove-subdomain-that-has-been-disabled-through-a.patch b/SOURCES/0038-ad-remove-subdomain-that-has-been-disabled-through-a.patch
new file mode 100644
index 0000000..680b082
--- /dev/null
+++ b/SOURCES/0038-ad-remove-subdomain-that-has-been-disabled-through-a.patch
@@ -0,0 +1,47 @@
+From c9c2b60128b7faa29615123de79ed206491396a9 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
+Date: Thu, 30 May 2019 10:48:07 +0200
+Subject: [PATCH 38/44] ad: remove subdomain that has been disabled through
+ ad_enabled_domains from sysdb
+
+If previously enabled subdomain was disabled by removing it from ad_enabled_domains
+option in sssd.conf, its cached content (including the domain object itself)
+was kept in sysdb. Therefore eventhough the domain was effectively disabled in
+backed its cached data was still available in responders.
+
+Subdomains that are disabled on server side are correctly removed from sysdb in
+`ad_subdomains_refresh()` so this issue is related only to the configuration
+option.
+
+Resolves:
+https://pagure.io/SSSD/sssd/issue/4009
+
+Reviewed-by: Sumit Bose <sbose@redhat.com>
+(cherry picked from commit 815957cd10a82aca6742b0bd56c7e7f199596cd4)
+---
+ src/providers/ad/ad_subdomains.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/src/providers/ad/ad_subdomains.c b/src/providers/ad/ad_subdomains.c
+index b4e09fb7e..a3906e994 100644
+--- a/src/providers/ad/ad_subdomains.c
++++ b/src/providers/ad/ad_subdomains.c
+@@ -825,6 +825,15 @@ static errno_t ad_subdomains_process(TALLOC_CTX *mem_ctx,
+ 
+         if (is_domain_enabled(sd_name, enabled_domains_list) == false) {
+             DEBUG(SSSDBG_TRACE_FUNC, "Disabling subdomain %s\n", sd_name);
++
++            /* The subdomain is now disabled in configuraiton file, we
++             * need to delete its cached content so it is not returned
++             * by responders. The subdomain shares sysdb with its parent
++             * domain so it is OK to use domain->sysdb. */
++            ret = sysdb_subdomain_delete(domain->sysdb, sd_name);
++            if (ret != EOK) {
++                goto fail;
++            }
+             continue;
+         } else {
+             DEBUG(SSSDBG_TRACE_FUNC, "Enabling subdomain %s\n", sd_name);
+-- 
+2.20.1
+
diff --git a/SOURCES/0038-sss_sockets-pass-pointer-instead-of-integer.patch b/SOURCES/0038-sss_sockets-pass-pointer-instead-of-integer.patch
deleted file mode 100644
index cc45b47..0000000
--- a/SOURCES/0038-sss_sockets-pass-pointer-instead-of-integer.patch
+++ /dev/null
@@ -1,47 +0,0 @@
-From 191f3722f28107ccde4ce96dd88a401fb36b059a Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
-Date: Mon, 10 Feb 2020 11:52:35 +0100
-Subject: [PATCH] sss_sockets: pass pointer instead of integer
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-```
-/home/pbrezina/workspace/sssd/src/util/sss_sockets.c: In function ‘set_fd_common_opts’:
-/home/pbrezina/workspace/sssd/src/util/sss_sockets.c:123:61: error: passing argument 4 of ‘setsockopt’ makes pointer from integer without a cast [-Werror=int-conversion]
-  123 |         ret = setsockopt(fd, IPPROTO_TCP, TCP_USER_TIMEOUT, milli,
-      |                                                             ^~~~~
-      |                                                             |
-      |                                                             unsigned int
-In file included from /home/pbrezina/workspace/sssd/src/util/sss_sockets.c:28:
-/usr/include/sys/socket.h:216:22: note: expected ‘const void *’ but argument is of type ‘unsigned int’
-  216 |          const void *__optval, socklen_t __optlen) __THROW;
-      |          ~~~~~~~~~~~~^~~~~~~~
-  CC       src/util/sssd_kcm-sss_iobuf.o
-cc1: all warnings being treated as errors
-```
-
-Introduced by 7aa96458f3bec4ef6ff7385107458e6b2b0b06ac
-
-Reviewed-by: Sumit Bose <sbose@redhat.com>
-(cherry picked from commit 5b87af6f5b50c464ee7ea4558f73431e398e1423)
----
- src/util/sss_sockets.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/src/util/sss_sockets.c b/src/util/sss_sockets.c
-index b6b6dbac5..6f2b71bc8 100644
---- a/src/util/sss_sockets.c
-+++ b/src/util/sss_sockets.c
-@@ -120,7 +120,7 @@ static errno_t set_fd_common_opts(int fd, int timeout)
-         }
- 
-         milli = timeout * 1000; /* timeout in milliseconds */
--        ret = setsockopt(fd, IPPROTO_TCP, TCP_USER_TIMEOUT, milli,
-+        ret = setsockopt(fd, IPPROTO_TCP, TCP_USER_TIMEOUT, &milli,
-                          sizeof(milli));
-         if (ret != 0) {
-             ret = errno;
--- 
-2.20.1
-
diff --git a/SOURCES/0039-ipa-add-failover-to-override-lookups.patch b/SOURCES/0039-ipa-add-failover-to-override-lookups.patch
deleted file mode 100644
index 25cc1d9..0000000
--- a/SOURCES/0039-ipa-add-failover-to-override-lookups.patch
+++ /dev/null
@@ -1,48 +0,0 @@
-From 4897063996b624b71823e61c73916f47832f103a Mon Sep 17 00:00:00 2001
-From: Sumit Bose <sbose@redhat.com>
-Date: Tue, 29 Oct 2019 12:16:40 +0100
-Subject: [PATCH] ipa: add failover to override lookups
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-In the ipa_id_get_account_info request failover handling was missing.
-
-Related to https://pagure.io/SSSD/sssd/issue/4114
-
-Reviewed-by: Michal Židek <mzidek@redhat.com>
-(cherry picked from commit b9a53cfca91c9db51b1e32ac2cb0965db3ccf05b)
----
- src/providers/ipa/ipa_id.c | 15 +++++++++++++++
- 1 file changed, 15 insertions(+)
-
-diff --git a/src/providers/ipa/ipa_id.c b/src/providers/ipa/ipa_id.c
-index 94d5f9d90..9253514a3 100644
---- a/src/providers/ipa/ipa_id.c
-+++ b/src/providers/ipa/ipa_id.c
-@@ -640,7 +640,22 @@ static void ipa_id_get_account_info_got_override(struct tevent_req *subreq)
-     ret = ipa_get_ad_override_recv(subreq, &dp_error, state,
-                                    &state->override_attrs);
-     talloc_zfree(subreq);
-+
-     if (ret != EOK) {
-+        ret = sdap_id_op_done(state->op, ret, &dp_error);
-+
-+        if (dp_error == DP_ERR_OK && ret != EOK) {
-+            /* retry */
-+            subreq = sdap_id_op_connect_send(state->op, state, &ret);
-+            if (subreq == NULL) {
-+                DEBUG(SSSDBG_OP_FAILURE, "sdap_id_op_connect_send failed.\n");
-+                goto fail;
-+            }
-+            tevent_req_set_callback(subreq, ipa_id_get_account_info_connected,
-+                                    req);
-+            return;
-+        }
-+
-         DEBUG(SSSDBG_OP_FAILURE, "IPA override lookup failed: %d\n", ret);
-         goto fail;
-     }
--- 
-2.21.1
-
diff --git a/SOURCES/0039-sysdb-add-sysdb_domain_set_enabled.patch b/SOURCES/0039-sysdb-add-sysdb_domain_set_enabled.patch
new file mode 100644
index 0000000..a72281d
--- /dev/null
+++ b/SOURCES/0039-sysdb-add-sysdb_domain_set_enabled.patch
@@ -0,0 +1,116 @@
+From 0e16ec74c380b35fc201ded15434184d88413dc7 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
+Date: Thu, 30 May 2019 12:14:58 +0200
+Subject: [PATCH 39/44] sysdb: add sysdb_domain_set_enabled()
+
+This will be used in subsequent patches to disable subdomains.
+
+Resolves:
+https://pagure.io/SSSD/sssd/issue/4009
+
+Reviewed-by: Sumit Bose <sbose@redhat.com>
+(cherry picked from commit 7a03e99890806257df1ed8a126673d6a032fee6a)
+---
+ src/db/sysdb.c            |  7 ++++++-
+ src/db/sysdb.h            |  6 ++++++
+ src/db/sysdb_subdomains.c | 31 +++++++++++++++++++++++++++++++
+ 3 files changed, 43 insertions(+), 1 deletion(-)
+
+diff --git a/src/db/sysdb.c b/src/db/sysdb.c
+index 06d7f2796..279bd5839 100644
+--- a/src/db/sysdb.c
++++ b/src/db/sysdb.c
+@@ -1135,7 +1135,7 @@ errno_t sysdb_set_bool(struct sysdb_ctx *sysdb,
+     errno_t ret;
+     int lret;
+ 
+-    if (dn == NULL || cn_value == NULL || attr_name == NULL) {
++    if (dn == NULL || attr_name == NULL) {
+         return EINVAL;
+     }
+ 
+@@ -1159,6 +1159,11 @@ errno_t sysdb_set_bool(struct sysdb_ctx *sysdb,
+     msg->dn = dn;
+ 
+     if (res->count == 0) {
++        if (cn_value == NULL) {
++            ret = ENOENT;
++            goto done;
++        }
++
+         lret = ldb_msg_add_string(msg, "cn", cn_value);
+         if (lret != LDB_SUCCESS) {
+             ret = sysdb_error_to_errno(lret);
+diff --git a/src/db/sysdb.h b/src/db/sysdb.h
+index 01e7554bb..574f4b120 100644
+--- a/src/db/sysdb.h
++++ b/src/db/sysdb.h
+@@ -155,6 +155,7 @@
+ #define SYSDB_SUBDOMAIN_TRUST_DIRECTION "trustDirection"
+ #define SYSDB_UPN_SUFFIXES "upnSuffixes"
+ #define SYSDB_SITE "site"
++#define SYSDB_ENABLED "enabled"
+ 
+ #define SYSDB_BASE_ID "baseID"
+ #define SYSDB_ID_RANGE_SIZE "idRangeSize"
+@@ -523,6 +524,11 @@ errno_t
+ sysdb_set_site(struct sss_domain_info *dom,
+                const char *site);
+ 
++errno_t
++sysdb_domain_set_enabled(struct sysdb_ctx *sysdb,
++                         const char *name,
++                         bool enabled);
++
+ errno_t sysdb_subdomain_store(struct sysdb_ctx *sysdb,
+                               const char *name, const char *realm,
+                               const char *flat_name, const char *domain_id,
+diff --git a/src/db/sysdb_subdomains.c b/src/db/sysdb_subdomains.c
+index 34d052fdd..d467dfce5 100644
+--- a/src/db/sysdb_subdomains.c
++++ b/src/db/sysdb_subdomains.c
+@@ -1200,6 +1200,18 @@ errno_t sysdb_subdomain_store(struct sysdb_ctx *sysdb,
+         }
+     }
+ 
++    ret = ldb_msg_add_empty(msg, SYSDB_ENABLED, LDB_FLAG_MOD_REPLACE, NULL);
++    if (ret != LDB_SUCCESS) {
++        ret = sysdb_error_to_errno(ret);
++        goto done;
++    }
++
++    ret = ldb_msg_add_string(msg, SYSDB_ENABLED, "TRUE");
++    if (ret != LDB_SUCCESS) {
++        ret = sysdb_error_to_errno(ret);
++        goto done;
++    }
++
+     ret = ldb_modify(sysdb->ldb, msg);
+     if (ret != LDB_SUCCESS) {
+         DEBUG(SSSDBG_FATAL_FAILURE, "Failed to add subdomain attributes to "
+@@ -1420,3 +1432,22 @@ done:
+     talloc_free(tmp_ctx);
+     return ret;
+ }
++
++errno_t
++sysdb_domain_set_enabled(struct sysdb_ctx *sysdb,
++                         const char *name,
++                         bool enabled)
++{
++    struct ldb_dn *dn;
++    errno_t ret;
++
++    dn = ldb_dn_new_fmt(NULL, sysdb->ldb, SYSDB_DOM_BASE, name);
++    if (dn == NULL) {
++        return ENOMEM;
++    }
++
++    ret = sysdb_set_bool(sysdb, dn, NULL, SYSDB_ENABLED, enabled);
++    talloc_free(dn);
++
++    return ret;
++}
+-- 
+2.20.1
+
diff --git a/SOURCES/0040-ad-set-enabled-false-attribute-for-subdomains-that-n.patch b/SOURCES/0040-ad-set-enabled-false-attribute-for-subdomains-that-n.patch
new file mode 100644
index 0000000..c1176cb
--- /dev/null
+++ b/SOURCES/0040-ad-set-enabled-false-attribute-for-subdomains-that-n.patch
@@ -0,0 +1,53 @@
+From 800d24dccbf655b2c65521727256c4e6c4a540d5 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
+Date: Thu, 30 May 2019 12:51:47 +0200
+Subject: [PATCH 40/44] ad: set enabled=false attribute for subdomains that no
+ longer exists
+
+Only forest root domain needs to be disabled because it has to be available
+for other tasks. All other non-root domains are removed from cache completely
+so it does not make sense for them.
+
+Resolves:
+https://pagure.io/SSSD/sssd/issue/4009
+
+Reviewed-by: Sumit Bose <sbose@redhat.com>
+(cherry picked from commit 6882bc5f5c8805abff3511d55c0ed60cad84faab)
+---
+ src/providers/ad/ad_subdomains.c | 13 +++++++++++++
+ 1 file changed, 13 insertions(+)
+
+diff --git a/src/providers/ad/ad_subdomains.c b/src/providers/ad/ad_subdomains.c
+index a3906e994..57438fdd5 100644
+--- a/src/providers/ad/ad_subdomains.c
++++ b/src/providers/ad/ad_subdomains.c
+@@ -696,6 +696,13 @@ static errno_t ad_subdomains_refresh(struct be_ctx *be_ctx,
+             if (sss_domain_is_forest_root(dom)) {
+                 DEBUG(SSSDBG_TRACE_ALL,
+                       "Skipping removal of forest root sdap data.\n");
++
++                ret = sysdb_domain_set_enabled(dom->sysdb, dom->name, false);
++                if (ret != EOK && ret != ENOENT) {
++                    DEBUG(SSSDBG_OP_FAILURE, "Unable to disable domain %s "
++                          "[%d]: %s\n", dom->name, ret, sss_strerror(ret));
++                    goto done;
++                }
+                 continue;
+             }
+ 
+@@ -864,6 +871,12 @@ static errno_t ad_subdomains_process(TALLOC_CTX *mem_ctx,
+         } else {
+             DEBUG(SSSDBG_TRACE_FUNC, "Disabling forest root domain %s\n",
+                                      root_name);
++            ret = sysdb_domain_set_enabled(domain->sysdb, root_name, false);
++            if (ret != EOK && ret != ENOENT) {
++                DEBUG(SSSDBG_OP_FAILURE, "Unable to disable domain %s "
++                      "[%d]: %s\n", root_name, ret, sss_strerror(ret));
++                goto fail;
++            }
+         }
+     }
+ 
+-- 
+2.20.1
+
diff --git a/SOURCES/0040-ipa-add-failover-to-access-checks.patch b/SOURCES/0040-ipa-add-failover-to-access-checks.patch
deleted file mode 100644
index 76f63a0..0000000
--- a/SOURCES/0040-ipa-add-failover-to-access-checks.patch
+++ /dev/null
@@ -1,61 +0,0 @@
-From a4dd1eb5087c2f8a3a9133f42efa025221edc1c9 Mon Sep 17 00:00:00 2001
-From: Sumit Bose <sbose@redhat.com>
-Date: Wed, 30 Oct 2019 14:23:12 +0100
-Subject: [PATCH] ipa: add failover to access checks
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-While reading the different components of the HBAC rules failover
-handling was missing. Since the access control is typically the second
-step after authentication SSSD would have already switched to a working
-server or into offline mode during authentication. But if e.g. ssh keys
-are used for authentication and user data are read from cache the HABC
-rule searches might have to handle failover as well.
-
-Related to https://pagure.io/SSSD/sssd/issue/4114
-
-Reviewed-by: Michal Židek <mzidek@redhat.com>
-(cherry picked from commit 707fdf0406644de08cfb7f59fa4eec393be5c62a)
----
- src/providers/ipa/ipa_access.c | 16 ++++++++++++++++
- 1 file changed, 16 insertions(+)
-
-diff --git a/src/providers/ipa/ipa_access.c b/src/providers/ipa/ipa_access.c
-index de9f68170..375b6f885 100644
---- a/src/providers/ipa/ipa_access.c
-+++ b/src/providers/ipa/ipa_access.c
-@@ -296,6 +296,7 @@ static void ipa_fetch_hbac_hostinfo_done(struct tevent_req *subreq)
-     struct ipa_fetch_hbac_state *state = NULL;
-     struct tevent_req *req = NULL;
-     errno_t ret;
-+    int dp_error;
- 
-     req = tevent_req_callback_data(subreq, struct tevent_req);
-     state = tevent_req_data(req, struct ipa_fetch_hbac_state);
-@@ -308,7 +309,22 @@ static void ipa_fetch_hbac_hostinfo_done(struct tevent_req *subreq)
-     state->hosts->entry_subdir = HBAC_HOSTS_SUBDIR;
-     state->hosts->group_subdir = HBAC_HOSTGROUPS_SUBDIR;
-     talloc_zfree(subreq);
-+
-     if (ret != EOK) {
-+        /* Only call sdap_id_op_done in case of an error to trigger a
-+         * failover. In general changing the tevent_req layout would be better
-+         * so that all searches are in another sub-request so that we can
-+         * error out at any step and the parent request can call
-+         * sdap_id_op_done just once. */
-+        ret = sdap_id_op_done(state->sdap_op, ret, &dp_error);
-+        if (dp_error == DP_ERR_OK && ret != EOK) {
-+            /* retry */
-+            ret = ipa_fetch_hbac_retry(req);
-+            if (ret != EAGAIN) {
-+                goto done;
-+            }
-+            return;
-+        }
-         goto done;
-     }
- 
--- 
-2.21.1
-
diff --git a/SOURCES/0041-sysdb-read-and-interpret-domain-s-enabled-attribute.patch b/SOURCES/0041-sysdb-read-and-interpret-domain-s-enabled-attribute.patch
new file mode 100644
index 0000000..50e9000
--- /dev/null
+++ b/SOURCES/0041-sysdb-read-and-interpret-domain-s-enabled-attribute.patch
@@ -0,0 +1,229 @@
+From b2cd4a74e231611f7862a8bb39a655c5194a035a Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
+Date: Thu, 30 May 2019 12:52:33 +0200
+Subject: [PATCH 41/44] sysdb: read and interpret domain's enabled attribute
+
+Disable domain if its sysdb object has enabled=false.
+
+Resolves:
+https://pagure.io/SSSD/sssd/issue/4009
+
+Reviewed-by: Sumit Bose <sbose@redhat.com>
+(cherry picked from commit d278704d85fea74c229b67e6a63b650b0d776c88)
+---
+ src/db/sysdb_private.h                      |  3 ++-
+ src/db/sysdb_subdomains.c                   | 29 ++++++++++++++++++---
+ src/tests/cmocka/test_fqnames.c             |  2 +-
+ src/tests/cmocka/test_negcache.c            |  2 +-
+ src/tests/cmocka/test_nss_srv.c             |  2 +-
+ src/tests/cmocka/test_responder_cache_req.c |  2 +-
+ src/tests/sysdb-tests.c                     |  8 +++---
+ 7 files changed, 35 insertions(+), 13 deletions(-)
+
+diff --git a/src/db/sysdb_private.h b/src/db/sysdb_private.h
+index 58544d826..f3d34dd6f 100644
+--- a/src/db/sysdb_private.h
++++ b/src/db/sysdb_private.h
+@@ -206,7 +206,8 @@ struct sss_domain_info *new_subdomain(TALLOC_CTX *mem_ctx,
+                                       const char *forest,
+                                       const char **upn_suffixes,
+                                       uint32_t trust_direction,
+-                                      struct confdb_ctx *confdb);
++                                      struct confdb_ctx *confdb,
++                                      bool enabled);
+ 
+ /* Helper functions to deal with the timestamp cache should not be used
+  * outside the sysdb itself. The timestamp cache should be completely
+diff --git a/src/db/sysdb_subdomains.c b/src/db/sysdb_subdomains.c
+index d467dfce5..cf09b424e 100644
+--- a/src/db/sysdb_subdomains.c
++++ b/src/db/sysdb_subdomains.c
+@@ -39,7 +39,8 @@ struct sss_domain_info *new_subdomain(TALLOC_CTX *mem_ctx,
+                                       const char *forest,
+                                       const char **upn_suffixes,
+                                       uint32_t trust_direction,
+-                                      struct confdb_ctx *confdb)
++                                      struct confdb_ctx *confdb,
++                                      bool enabled)
+ {
+     struct sss_domain_info *dom;
+     bool inherit_option;
+@@ -127,7 +128,7 @@ struct sss_domain_info *new_subdomain(TALLOC_CTX *mem_ctx,
+     dom->enumerate = enumerate;
+     dom->fqnames = true;
+     dom->mpg_mode = mpg_mode;
+-    dom->state = DOM_ACTIVE;
++    dom->state = enabled ? DOM_ACTIVE : DOM_DISABLED;
+ 
+     /* use fully qualified names as output in order to avoid causing
+      * conflicts with users who have the same name and either the
+@@ -313,6 +314,7 @@ errno_t sysdb_update_subdomains(struct sss_domain_info *domain,
+                            SYSDB_SUBDOMAIN_FOREST,
+                            SYSDB_SUBDOMAIN_TRUST_DIRECTION,
+                            SYSDB_UPN_SUFFIXES,
++                           SYSDB_ENABLED,
+                            NULL};
+     struct sss_domain_info *dom;
+     struct ldb_dn *basedn;
+@@ -322,6 +324,7 @@ errno_t sysdb_update_subdomains(struct sss_domain_info *domain,
+     const char *id;
+     const char *forest;
+     const char *str_mpg_mode;
++    bool enabled;
+     enum sss_domain_mpg_mode mpg_mode;
+     bool enumerate;
+     uint32_t trust_direction;
+@@ -406,10 +409,14 @@ errno_t sysdb_update_subdomains(struct sss_domain_info *domain,
+                                              SYSDB_SUBDOMAIN_TRUST_DIRECTION,
+                                              0);
+ 
++        enabled = ldb_msg_find_attr_as_bool(res->msgs[i], SYSDB_ENABLED, true);
++
+         for (dom = domain->subdomains; dom;
+                 dom = get_next_domain(dom, SSS_GND_INCLUDE_DISABLED)) {
+             if (strcasecmp(dom->name, name) == 0) {
+-                sss_domain_set_state(dom, DOM_ACTIVE);
++                if (enabled) {
++                    sss_domain_set_state(dom, DOM_ACTIVE);
++                }
+ 
+                 /* in theory these may change, but it should never happen */
+                 if (strcasecmp(dom->realm, realm) != 0) {
+@@ -522,7 +529,8 @@ errno_t sysdb_update_subdomains(struct sss_domain_info *domain,
+         if (dom == NULL) {
+             dom = new_subdomain(domain, domain, name, realm,
+                                 flat, id, mpg_mode, enumerate, forest,
+-                                upn_suffixes, trust_direction, confdb);
++                                upn_suffixes, trust_direction, confdb,
++                                enabled);
+             if (dom == NULL) {
+                 ret = ENOMEM;
+                 goto done;
+@@ -548,12 +556,15 @@ errno_t sysdb_master_domain_update(struct sss_domain_info *domain)
+     struct ldb_message_element *tmp_el;
+     struct ldb_dn *basedn;
+     struct ldb_result *res;
++    enum sss_domain_state state;
++    bool enabled;
+     const char *attrs[] = {"cn",
+                            SYSDB_SUBDOMAIN_REALM,
+                            SYSDB_SUBDOMAIN_FLAT,
+                            SYSDB_SUBDOMAIN_ID,
+                            SYSDB_SUBDOMAIN_FOREST,
+                            SYSDB_UPN_SUFFIXES,
++                           SYSDB_ENABLED,
+                            NULL};
+     char *view_name = NULL;
+ 
+@@ -650,6 +661,16 @@ errno_t sysdb_master_domain_update(struct sss_domain_info *domain)
+         talloc_zfree(domain->upn_suffixes);
+     }
+ 
++    state = sss_domain_get_state(domain);
++    enabled = ldb_msg_find_attr_as_bool(res->msgs[0], SYSDB_ENABLED, true);
++    if (!enabled) {
++        sss_domain_set_state(domain, DOM_DISABLED);
++    } else if (state == DOM_DISABLED) {
++        /* We do not want to enable INACTIVE or INCONSISTENT domain. This
++         * is managed by data provider. */
++        sss_domain_set_state(domain, DOM_ACTIVE);
++    }
++
+     ret = sysdb_get_view_name(tmp_ctx, domain->sysdb, &view_name);
+     if (ret != EOK && ret != ENOENT) {
+         DEBUG(SSSDBG_OP_FAILURE, "sysdb_get_view_name failed.\n");
+diff --git a/src/tests/cmocka/test_fqnames.c b/src/tests/cmocka/test_fqnames.c
+index 09f7db0d1..770c0d7bf 100644
+--- a/src/tests/cmocka/test_fqnames.c
++++ b/src/tests/cmocka/test_fqnames.c
+@@ -310,7 +310,7 @@ static int parse_name_test_setup(void **state)
+      */
+     test_ctx->subdom = new_subdomain(dom, dom, SUBDOMNAME, NULL, SUBFLATNAME,
+                                      NULL, MPG_DISABLED, false,
+-                                     NULL, NULL, 0, NULL);
++                                     NULL, NULL, 0, NULL, true);
+     assert_non_null(test_ctx->subdom);
+ 
+     check_leaks_push(test_ctx);
+diff --git a/src/tests/cmocka/test_negcache.c b/src/tests/cmocka/test_negcache.c
+index 0a7e563e0..0876cfdaf 100644
+--- a/src/tests/cmocka/test_negcache.c
++++ b/src/tests/cmocka/test_negcache.c
+@@ -645,7 +645,7 @@ static void test_sss_ncache_prepopulate(void **state)
+     subdomain = new_subdomain(tc, tc->dom,
+                               testdom[0], testdom[1], testdom[2], testdom[3],
+                               false, false, NULL, NULL, 0,
+-                              tc->confdb);
++                              tc->confdb, true);
+     assert_non_null(subdomain);
+ 
+     ret = sysdb_subdomain_store(tc->sysdb,
+diff --git a/src/tests/cmocka/test_nss_srv.c b/src/tests/cmocka/test_nss_srv.c
+index 0ae177571..95c080caf 100644
+--- a/src/tests/cmocka/test_nss_srv.c
++++ b/src/tests/cmocka/test_nss_srv.c
+@@ -3475,7 +3475,7 @@ static int nss_subdom_test_setup_common(void **state, bool nonfqnames)
+     subdomain = new_subdomain(nss_test_ctx, nss_test_ctx->tctx->dom,
+                               testdom[0], testdom[1], testdom[2], testdom[3],
+                               false, false, NULL, NULL, 0,
+-                              nss_test_ctx->tctx->confdb);
++                              nss_test_ctx->tctx->confdb, true);
+     assert_non_null(subdomain);
+ 
+     ret = sysdb_subdomain_store(nss_test_ctx->tctx->sysdb,
+diff --git a/src/tests/cmocka/test_responder_cache_req.c b/src/tests/cmocka/test_responder_cache_req.c
+index 47d9aab54..9f3b49cd9 100644
+--- a/src/tests/cmocka/test_responder_cache_req.c
++++ b/src/tests/cmocka/test_responder_cache_req.c
+@@ -687,7 +687,7 @@ static int test_subdomain_setup(void **state)
+     test_ctx->subdomain = new_subdomain(test_ctx, test_ctx->tctx->dom,
+                               testdom[0], testdom[1], testdom[2], testdom[3],
+                               MPG_DISABLED, false, NULL, NULL, 0,
+-                              test_ctx->tctx->confdb);
++                              test_ctx->tctx->confdb, true);
+     assert_non_null(test_ctx->subdomain);
+ 
+     ret = sysdb_subdomain_store(test_ctx->tctx->sysdb,
+diff --git a/src/tests/sysdb-tests.c b/src/tests/sysdb-tests.c
+index ed98fe6ce..832d60466 100644
+--- a/src/tests/sysdb-tests.c
++++ b/src/tests/sysdb-tests.c
+@@ -1541,7 +1541,7 @@ START_TEST (test_sysdb_get_user_attr_subdomain)
+     /* Create subdomain */
+     subdomain = new_subdomain(test_ctx, test_ctx->domain,
+                               "test.sub", "TEST.SUB", "test", "S-3",
+-                              MPG_DISABLED, false, NULL, NULL, 0, NULL);
++                              MPG_DISABLED, false, NULL, NULL, 0, NULL, true);
+     fail_if(subdomain == NULL, "Failed to create new subdomain.");
+ 
+     ret = sss_names_init_from_args(test_ctx,
+@@ -6143,7 +6143,7 @@ START_TEST(test_sysdb_subdomain_store_user)
+ 
+     subdomain = new_subdomain(test_ctx, test_ctx->domain,
+                               testdom[0], testdom[1], testdom[2], testdom[3],
+-                              MPG_DISABLED, false, NULL, NULL, 0, NULL);
++                              MPG_DISABLED, false, NULL, NULL, 0, NULL, true);
+     fail_unless(subdomain != NULL, "Failed to create new subdomain.");
+     ret = sysdb_subdomain_store(test_ctx->sysdb,
+                                 testdom[0], testdom[1], testdom[2], testdom[3],
+@@ -6222,7 +6222,7 @@ START_TEST(test_sysdb_subdomain_user_ops)
+ 
+     subdomain = new_subdomain(test_ctx, test_ctx->domain,
+                               testdom[0], testdom[1], testdom[2], testdom[3],
+-                              MPG_DISABLED, false, NULL, NULL, 0, NULL);
++                              MPG_DISABLED, false, NULL, NULL, 0, NULL, true);
+     fail_unless(subdomain != NULL, "Failed to create new subdomain.");
+     ret = sysdb_subdomain_store(test_ctx->sysdb,
+                                 testdom[0], testdom[1], testdom[2], testdom[3],
+@@ -6295,7 +6295,7 @@ START_TEST(test_sysdb_subdomain_group_ops)
+ 
+     subdomain = new_subdomain(test_ctx, test_ctx->domain,
+                               testdom[0], testdom[1], testdom[2], testdom[3],
+-                              MPG_DISABLED, false, NULL, NULL, 0, NULL);
++                              MPG_DISABLED, false, NULL, NULL, 0, NULL, true);
+     fail_unless(subdomain != NULL, "Failed to create new subdomain.");
+     ret = sysdb_subdomain_store(test_ctx->sysdb,
+                                 testdom[0], testdom[1], testdom[2], testdom[3],
+-- 
+2.20.1
+
diff --git a/SOURCES/0042-sysdb-add-sysdb_list_subdomains.patch b/SOURCES/0042-sysdb-add-sysdb_list_subdomains.patch
new file mode 100644
index 0000000..fea5b49
--- /dev/null
+++ b/SOURCES/0042-sysdb-add-sysdb_list_subdomains.patch
@@ -0,0 +1,104 @@
+From 3c6c9d4d939bb2f1f629421e347285bea9a59341 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
+Date: Tue, 11 Jun 2019 12:17:55 +0200
+Subject: [PATCH 42/44] sysdb: add sysdb_list_subdomains()
+
+To list all cached subdomains names.
+
+Resolves:
+https://pagure.io/SSSD/sssd/issue/4009
+
+Reviewed-by: Sumit Bose <sbose@redhat.com>
+(cherry picked from commit c7e6530d642f746982c5306cf3455608d1980d1f)
+---
+ src/db/sysdb.h            |  5 ++++
+ src/db/sysdb_subdomains.c | 60 +++++++++++++++++++++++++++++++++++++++
+ 2 files changed, 65 insertions(+)
+
+diff --git a/src/db/sysdb.h b/src/db/sysdb.h
+index 574f4b120..56468a169 100644
+--- a/src/db/sysdb.h
++++ b/src/db/sysdb.h
+@@ -529,6 +529,11 @@ sysdb_domain_set_enabled(struct sysdb_ctx *sysdb,
+                          const char *name,
+                          bool enabled);
+ 
++errno_t
++sysdb_list_subdomains(TALLOC_CTX *mem_ctx,
++                      struct sysdb_ctx *sysdb,
++                      const char ***_names);
++
+ errno_t sysdb_subdomain_store(struct sysdb_ctx *sysdb,
+                               const char *name, const char *realm,
+                               const char *flat_name, const char *domain_id,
+diff --git a/src/db/sysdb_subdomains.c b/src/db/sysdb_subdomains.c
+index cf09b424e..af838b44c 100644
+--- a/src/db/sysdb_subdomains.c
++++ b/src/db/sysdb_subdomains.c
+@@ -1472,3 +1472,63 @@ sysdb_domain_set_enabled(struct sysdb_ctx *sysdb,
+ 
+     return ret;
+ }
++
++errno_t
++sysdb_list_subdomains(TALLOC_CTX *mem_ctx,
++                      struct sysdb_ctx *sysdb,
++                      const char ***_names)
++{
++    TALLOC_CTX *tmp_ctx;
++    struct ldb_dn *base_dn;
++    const char *attrs[] = {"cn", NULL};
++    struct ldb_message **msgs;
++    const char *name;
++    size_t count;
++    const char **names;
++    errno_t ret;
++    size_t i;
++
++    tmp_ctx = talloc_new(NULL);
++    if (tmp_ctx == NULL) {
++        return ENOMEM;
++    }
++
++    base_dn = sysdb_base_dn(sysdb, tmp_ctx);
++    if (base_dn == NULL) {
++        ret = ENOMEM;
++        goto done;
++    }
++
++
++    ret = sysdb_search_entry(tmp_ctx, sysdb, base_dn, LDB_SCOPE_ONELEVEL,
++                             "("SYSDB_OBJECTCLASS"="SYSDB_SUBDOMAIN_CLASS")",
++                             attrs, &count, &msgs);
++    if (ret != EOK && ret != ENOENT) {
++        goto done;
++    }
++
++    names = talloc_zero_array(tmp_ctx, const char *, count + 1);
++    if (names == NULL) {
++        ret = ENOMEM;
++        goto done;
++    }
++
++    for (i = 0; i < count; i++) {
++        name = ldb_msg_find_attr_as_string(msgs[i], "cn", NULL);
++        if (name == NULL) {
++            ret = EINVAL;
++            goto done;
++        }
++
++        names[i] = talloc_steal(names, name);
++    }
++
++    *_names = talloc_steal(mem_ctx, names);
++
++    ret = EOK;
++
++done:
++    talloc_free(tmp_ctx);
++
++    return ret;
++}
+-- 
+2.20.1
+
diff --git a/SOURCES/0043-ad-remove-all-subdomains-if-only-master-domain-is-en.patch b/SOURCES/0043-ad-remove-all-subdomains-if-only-master-domain-is-en.patch
new file mode 100644
index 0000000..2ef0ad9
--- /dev/null
+++ b/SOURCES/0043-ad-remove-all-subdomains-if-only-master-domain-is-en.patch
@@ -0,0 +1,62 @@
+From 5605fa5f8adf79fa60286f5427aa2f989e663de0 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
+Date: Tue, 11 Jun 2019 12:18:34 +0200
+Subject: [PATCH 43/44] ad: remove all subdomains if only master domain is
+ enabled
+
+Resolves:
+https://pagure.io/SSSD/sssd/issue/4009
+
+Reviewed-by: Sumit Bose <sbose@redhat.com>
+(cherry picked from commit d0bdaabbc95bc9ee3253e1376d849e6a8bd6c6f0)
+---
+ src/providers/ad/ad_subdomains.c | 23 +++++++++++++++++++++++
+ 1 file changed, 23 insertions(+)
+
+diff --git a/src/providers/ad/ad_subdomains.c b/src/providers/ad/ad_subdomains.c
+index 57438fdd5..0f6d781ae 100644
+--- a/src/providers/ad/ad_subdomains.c
++++ b/src/providers/ad/ad_subdomains.c
+@@ -1804,9 +1804,11 @@ static void ad_subdomains_refresh_gc_check_done(struct tevent_req *subreq)
+ {
+     struct ad_subdomains_refresh_state *state;
+     struct tevent_req *req;
++    const char **subdoms;
+     const char *ad_domain;
+     bool is_gc_usable;
+     errno_t ret;
++    int i;
+ 
+     req = tevent_req_callback_data(subreq, struct tevent_req);
+     state = tevent_req_data(req, struct ad_subdomains_refresh_state);
+@@ -1832,6 +1834,27 @@ static void ad_subdomains_refresh_gc_check_done(struct tevent_req *subreq)
+                            state->be_ctx->domain->name) == 0) {
+                 DEBUG(SSSDBG_TRACE_FUNC,
+                       "No other enabled domain than master.\n");
++
++                ret = sysdb_list_subdomains(state, state->be_ctx->domain->sysdb,
++                                            &subdoms);
++                if (ret != EOK) {
++                    DEBUG(SSSDBG_OP_FAILURE, "Unable to list subdomains "
++                          "[%d]: %s\n", ret, sss_strerror(ret));
++                    tevent_req_error(req, ret);
++                    return;
++                }
++
++                for (i = 0; subdoms[i] != NULL; i++) {
++                    ret = sysdb_subdomain_delete(state->be_ctx->domain->sysdb,
++                                                 subdoms[i]);
++                    if (ret != EOK) {
++                        DEBUG(SSSDBG_OP_FAILURE, "Unable to remove subdomain "
++                              "[%d]: %s\n", ret, sss_strerror(ret));
++                        tevent_req_error(req, ret);
++                        return;
++                    }
++                }
++
+                 tevent_req_done(req);
+                 return;
+             }
+-- 
+2.20.1
+
diff --git a/SOURCES/0044-ad-make-ad_enabled_domains-case-insensitive.patch b/SOURCES/0044-ad-make-ad_enabled_domains-case-insensitive.patch
new file mode 100644
index 0000000..937926a
--- /dev/null
+++ b/SOURCES/0044-ad-make-ad_enabled_domains-case-insensitive.patch
@@ -0,0 +1,30 @@
+From 0b6f144084ec3ed96eb2c60bed7bea5d6c15f15c Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
+Date: Mon, 12 Aug 2019 09:40:28 +0200
+Subject: [PATCH 44/44] ad: make ad_enabled_domains case insensitive
+
+The rest of the code that works with ad_enabled_domains options
+is case insensitive so we rather should be consistent.
+
+Reviewed-by: Sumit Bose <sbose@redhat.com>
+(cherry picked from commit b3c3542188e50770b431942c0b603e6f2733cb33)
+---
+ src/providers/ad/ad_subdomains.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/providers/ad/ad_subdomains.c b/src/providers/ad/ad_subdomains.c
+index 0f6d781ae..e3e3d3ece 100644
+--- a/src/providers/ad/ad_subdomains.c
++++ b/src/providers/ad/ad_subdomains.c
+@@ -190,7 +190,7 @@ static errno_t ad_get_enabled_domains(TALLOC_CTX *mem_ctx,
+ 
+     is_ad_in_domains = false;
+     for (int i = 0; i < count; i++) {
+-        is_ad_in_domains += strcmp(ad_domain, domains[i]) == 0 ? true : false;
++        is_ad_in_domains += strcasecmp(ad_domain, domains[i]) == 0 ? true : false;
+     }
+ 
+     if (is_ad_in_domains == false) {
+-- 
+2.20.1
+
diff --git a/SOURCES/0045-SYSDB-Add-sysdb_search_with_ts_attr.patch b/SOURCES/0045-SYSDB-Add-sysdb_search_with_ts_attr.patch
new file mode 100644
index 0000000..cfd84d9
--- /dev/null
+++ b/SOURCES/0045-SYSDB-Add-sysdb_search_with_ts_attr.patch
@@ -0,0 +1,595 @@
+From e935d41ec6c187c61e0a6f8c353276fbf69780a5 Mon Sep 17 00:00:00 2001
+From: Jakub Hrozek <jhrozek@redhat.com>
+Date: Tue, 28 May 2019 14:56:05 +0200
+Subject: [PATCH 45/64] SYSDB: Add sysdb_search_with_ts_attr
+
+Adds a new public sysdb call sysdb_search_with_ts_attr() that allows to
+search on the timestamp cache attributes, but merge back persistent
+cache attributes. The converse also works, when searching the persistent
+cache the timestamp attributes or even entries matches only in the
+timestamp cache are merged.
+
+What does not work is AND-ed complex filter that contains both
+attributes from the timestamp cache and the persistent cache because
+the searches use the same filter, which doesn't match. We would need to
+decompose the filter ourselves.
+
+Because matching and merging the results can be time-consuming, two
+flags are provided:
+    SYSDB_SEARCH_WITH_TS_ONLY_TS_FILTER that only searches the timestamp
+    cache, but merges back the corresponding entries from the persistent
+    cache
+    SYSDB_SEARCH_WITH_TS_ONLY_SYSDB_FILTER that only searches the
+    persistent cache but merges back the attributes from the timestamp
+    cache
+
+Related:
+https://pagure.io/SSSD/sssd/issue/4012
+
+Reviewed-by: Sumit Bose <sbose@redhat.com>
+(cherry picked from commit db99504a5295ae1f9bc5166133c8f21e4510c676)
+
+Reviewed-by: Sumit Bose <sbose@redhat.com>
+---
+ src/db/sysdb.h                         |  12 ++
+ src/db/sysdb_ops.c                     |  16 +-
+ src/db/sysdb_private.h                 |  10 ++
+ src/db/sysdb_search.c                  | 231 +++++++++++++++++++++++--
+ src/tests/cmocka/test_sysdb_ts_cache.c | 198 +++++++++++++++++++++
+ 5 files changed, 446 insertions(+), 21 deletions(-)
+
+diff --git a/src/db/sysdb.h b/src/db/sysdb.h
+index 56468a169..15df1a726 100644
+--- a/src/db/sysdb.h
++++ b/src/db/sysdb.h
+@@ -1190,6 +1190,18 @@ int sysdb_search_users(TALLOC_CTX *mem_ctx,
+                        size_t *msgs_count,
+                        struct ldb_message ***msgs);
+ 
++#define SYSDB_SEARCH_WITH_TS_ONLY_TS_FILTER     0x0001
++#define SYSDB_SEARCH_WITH_TS_ONLY_SYSDB_FILTER  0x0002
++
++errno_t sysdb_search_with_ts_attr(TALLOC_CTX *mem_ctx,
++                                  struct sss_domain_info *domain,
++                                  struct ldb_dn *base_dn,
++                                  enum ldb_scope scope,
++                                  int optflags,
++                                  const char *filter,
++                                  const char *attrs[],
++                                  struct ldb_result **_result);
++
+ int sysdb_search_users_by_timestamp(TALLOC_CTX *mem_ctx,
+                                     struct sss_domain_info *domain,
+                                     const char *sub_filter,
+diff --git a/src/db/sysdb_ops.c b/src/db/sysdb_ops.c
+index d05950732..340062f6f 100644
+--- a/src/db/sysdb_ops.c
++++ b/src/db/sysdb_ops.c
+@@ -261,14 +261,14 @@ done:
+ 
+ /* =Search-Entry========================================================== */
+ 
+-static int sysdb_cache_search_entry(TALLOC_CTX *mem_ctx,
+-                                    struct ldb_context *ldb,
+-                                    struct ldb_dn *base_dn,
+-                                    enum ldb_scope scope,
+-                                    const char *filter,
+-                                    const char **attrs,
+-                                    size_t *_msgs_count,
+-                                    struct ldb_message ***_msgs)
++int sysdb_cache_search_entry(TALLOC_CTX *mem_ctx,
++                             struct ldb_context *ldb,
++                             struct ldb_dn *base_dn,
++                             enum ldb_scope scope,
++                             const char *filter,
++                             const char **attrs,
++                             size_t *_msgs_count,
++                             struct ldb_message ***_msgs)
+ {
+     TALLOC_CTX *tmp_ctx;
+     struct ldb_result *res;
+diff --git a/src/db/sysdb_private.h b/src/db/sysdb_private.h
+index f3d34dd6f..7063d4594 100644
+--- a/src/db/sysdb_private.h
++++ b/src/db/sysdb_private.h
+@@ -253,6 +253,16 @@ errno_t sysdb_merge_msg_list_ts_attrs(struct sysdb_ctx *ctx,
+ struct ldb_result *sss_merge_ldb_results(struct ldb_result *res,
+                                          struct ldb_result *subres);
+ 
++/* Search Entry in an ldb cache */
++int sysdb_cache_search_entry(TALLOC_CTX *mem_ctx,
++                             struct ldb_context *ldb,
++                             struct ldb_dn *base_dn,
++                             enum ldb_scope scope,
++                             const char *filter,
++                             const char **attrs,
++                             size_t *_msgs_count,
++                             struct ldb_message ***_msgs);
++
+ /* Search Entry in the timestamp cache */
+ int sysdb_search_ts_entry(TALLOC_CTX *mem_ctx,
+                           struct sysdb_ctx *sysdb,
+diff --git a/src/db/sysdb_search.c b/src/db/sysdb_search.c
+index f0918bf9a..a71c43112 100644
+--- a/src/db/sysdb_search.c
++++ b/src/db/sysdb_search.c
+@@ -68,6 +68,29 @@ static errno_t merge_ts_attr(struct ldb_message *ts_msg,
+     return EOK;
+ }
+ 
++static errno_t merge_all_ts_attrs(struct ldb_message *ts_msg,
++                                  struct ldb_message *sysdb_msg,
++                                  const char *want_attrs[])
++{
++    int ret;
++
++    /* Deliberately start from 2 in order to not merge
++     * objectclass/objectcategory and avoid breaking MPGs where the OC might
++     * be made up
++     */
++    for (size_t c = 2; sysdb_ts_cache_attrs[c]; c++) {
++        ret = merge_ts_attr(ts_msg, sysdb_msg,
++                            sysdb_ts_cache_attrs[c], want_attrs);
++        if (ret != EOK) {
++            DEBUG(SSSDBG_MINOR_FAILURE,
++                  "Cannot merge ts attr %s\n", sysdb_ts_cache_attrs[c]);
++            return ret;
++        }
++    }
++
++    return EOK;
++}
++
+ static errno_t merge_msg_ts_attrs(struct sysdb_ctx *sysdb,
+                                   struct ldb_message *sysdb_msg,
+                                   const char *attrs[])
+@@ -114,21 +137,46 @@ static errno_t merge_msg_ts_attrs(struct sysdb_ctx *sysdb,
+         return EIO;
+     }
+ 
+-    /* Deliberately start from 2 in order to not merge
+-     * objectclass/objectcategory and avoid breaking MPGs where the OC might
+-     * be made up
+-     */
+-    for (size_t c = 2; sysdb_ts_cache_attrs[c]; c++) {
+-        ret = merge_ts_attr(ts_msgs[0], sysdb_msg,
+-                            sysdb_ts_cache_attrs[c], attrs);
+-        if (ret != EOK) {
+-            DEBUG(SSSDBG_MINOR_FAILURE,
+-                  "Cannot merge ts attr %s\n", sysdb_ts_cache_attrs[c]);
+-            goto done;
+-        }
++    ret = merge_all_ts_attrs(ts_msgs[0], sysdb_msg, attrs);
++done:
++    talloc_zfree(tmp_ctx);
++    return ret;
++}
++
++static errno_t merge_msg_sysdb_attrs(TALLOC_CTX *mem_ctx,
++                                     struct sysdb_ctx *sysdb,
++                                     struct ldb_message *ts_msg,
++                                     struct ldb_message **_sysdb_msg,
++                                     const char *attrs[])
++{
++    errno_t ret;
++    TALLOC_CTX *tmp_ctx;
++    size_t msgs_count;
++    struct ldb_message **sysdb_msgs;
++
++    tmp_ctx = talloc_new(NULL);
++    if (tmp_ctx == NULL) {
++        return ENOMEM;
+     }
+ 
+-    ret = EOK;
++    ret = sysdb_cache_search_entry(tmp_ctx, sysdb->ldb, ts_msg->dn, LDB_SCOPE_BASE,
++                                   NULL, attrs, &msgs_count, &sysdb_msgs);
++    if (ret != EOK) {
++        goto done;
++    }
++
++    if (msgs_count != 1) {
++        DEBUG(SSSDBG_CRIT_FAILURE,
++              "Expected 1 result for base search, got %zu\n", msgs_count);
++        goto done;
++    }
++
++    ret = merge_all_ts_attrs(ts_msg, sysdb_msgs[0], attrs);
++    if (ret != EOK) {
++        goto done;
++    }
++
++    *_sysdb_msg = talloc_steal(mem_ctx, sysdb_msgs[0]);
+ done:
+     talloc_zfree(tmp_ctx);
+     return ret;
+@@ -166,6 +214,50 @@ errno_t sysdb_merge_res_ts_attrs(struct sysdb_ctx *ctx,
+     return EOK;
+ }
+ 
++static errno_t merge_res_sysdb_attrs(TALLOC_CTX *mem_ctx,
++                                     struct sysdb_ctx *ctx,
++                                     struct ldb_result *ts_res,
++                                     struct ldb_result **_ts_cache_res,
++                                     const char *attrs[])
++{
++    errno_t ret;
++    struct ldb_result *ts_cache_res = NULL;
++
++    if (ts_res == NULL || ctx->ldb_ts == NULL) {
++        return EOK;
++    }
++
++    ts_cache_res = talloc_zero(mem_ctx, struct ldb_result);
++    if (ts_cache_res == NULL) {
++        return ENOMEM;
++    }
++    ts_cache_res->count = ts_res->count;
++    ts_cache_res->msgs = talloc_zero_array(ts_cache_res,
++                                           struct ldb_message *,
++                                           ts_res->count);
++    if (ts_cache_res->msgs == NULL) {
++        talloc_free(ts_cache_res);
++        return ENOMEM;
++    }
++
++    for (size_t c = 0; c < ts_res->count; c++) {
++        ret = merge_msg_sysdb_attrs(ts_cache_res->msgs,
++                                    ctx,
++                                    ts_res->msgs[c],
++                                    &ts_cache_res->msgs[c], attrs);
++        if (ret != EOK) {
++            DEBUG(SSSDBG_MINOR_FAILURE,
++                  "Cannot merge sysdb cache values for %s\n",
++                  ldb_dn_get_linearized(ts_res->msgs[c]->dn));
++            /* non-fatal, we just get only the non-timestamp attrs */
++            continue;
++        }
++    }
++
++    *_ts_cache_res = ts_cache_res;
++    return EOK;
++}
++
+ errno_t sysdb_merge_msg_list_ts_attrs(struct sysdb_ctx *ctx,
+                                       size_t msgs_count,
+                                       struct ldb_message **msgs,
+@@ -543,6 +635,119 @@ done:
+     return ret;
+ }
+ 
++errno_t sysdb_search_with_ts_attr(TALLOC_CTX *mem_ctx,
++                                  struct sss_domain_info *domain,
++                                  struct ldb_dn *base_dn,
++                                  enum ldb_scope scope,
++                                  int optflags,
++                                  const char *filter,
++                                  const char *attrs[],
++                                  struct ldb_result **_res)
++{
++    TALLOC_CTX *tmp_ctx = NULL;
++    struct ldb_result *res;
++    errno_t ret;
++    struct ldb_message **ts_msgs = NULL;
++    struct ldb_result *ts_cache_res = NULL;
++    size_t ts_count;
++
++    if (filter == NULL) {
++        return EINVAL;
++    }
++
++    tmp_ctx = talloc_new(NULL);
++    if (tmp_ctx == NULL) {
++        return ENOMEM;
++    }
++
++    res = talloc_zero(tmp_ctx, struct ldb_result);
++    if (res == NULL) {
++        ret = ENOMEM;
++        goto done;
++    }
++
++    if (optflags & SYSDB_SEARCH_WITH_TS_ONLY_SYSDB_FILTER) {
++        /* We only care about searching the persistent db */
++        ts_cache_res = talloc_zero(tmp_ctx, struct ldb_result);
++        if (ts_cache_res == NULL) {
++            ret = ENOMEM;
++            goto done;
++        }
++        ts_cache_res->count = 0;
++        ts_cache_res->msgs = NULL;
++    } else {
++        /* Because the timestamp database does not contain all the
++         * attributes, we need to search the persistent db for each
++         * of the entries found and merge the results
++         */
++        struct ldb_result ts_res;
++
++        /* We assume that some of the attributes are more up-to-date in
++         * timestamps db and we're supposed to search by them, so let's
++         * first search the timestamp db
++         */
++        ret = sysdb_search_ts_entry(tmp_ctx, domain->sysdb, base_dn,
++                                    scope, filter, attrs,
++                                    &ts_count, &ts_msgs);
++        if (ret == ENOENT) {
++            ts_count = 0;
++        } else if (ret != EOK) {
++            goto done;
++        }
++
++        memset(&ts_res, 0, sizeof(struct ldb_result));
++        ts_res.count = ts_count;
++        ts_res.msgs = ts_msgs;
++
++        /* Overlay the results from the main cache with the ts attrs */
++        ret = merge_res_sysdb_attrs(tmp_ctx,
++                                    domain->sysdb,
++                                    &ts_res,
++                                    &ts_cache_res,
++                                    attrs);
++        if (ret != EOK) {
++            goto done;
++        }
++    }
++
++    if (optflags & SYSDB_SEARCH_WITH_TS_ONLY_TS_FILTER) {
++        /* The filter only contains timestamp attrs, no need to search the
++         * persistent db
++         */
++        if (ts_cache_res) {
++            res->count = ts_cache_res->count;
++            res->msgs = talloc_steal(res, ts_cache_res->msgs);
++        }
++    } else {
++        /* Because some of the attributes being searched might exist in the persistent
++         * database only, we also search the persistent db
++         */
++        size_t count;
++
++        ret = sysdb_search_entry(res, domain->sysdb, base_dn, scope,
++                                 filter, attrs, &count, &res->msgs);
++        if (ret == ENOENT) {
++            res->count = 0;
++        } else if (ret != EOK) {
++            goto done;
++        }
++        res->count = count; /* Just to cleanly assign size_t to unsigned */
++
++        res = sss_merge_ldb_results(res, ts_cache_res);
++        if (res == NULL) {
++            ret = ENOMEM;
++            goto done;
++        }
++    }
++
++    *_res = talloc_steal(mem_ctx, res);
++    ret = EOK;
++
++done:
++    talloc_zfree(tmp_ctx);
++    return ret;
++}
++
+ static errno_t sysdb_enum_dn_filter(TALLOC_CTX *mem_ctx,
+                                     struct ldb_result *ts_res,
+                                     const char *name_filter,
+diff --git a/src/tests/cmocka/test_sysdb_ts_cache.c b/src/tests/cmocka/test_sysdb_ts_cache.c
+index fdf9935da..d2296d1b8 100644
+--- a/src/tests/cmocka/test_sysdb_ts_cache.c
++++ b/src/tests/cmocka/test_sysdb_ts_cache.c
+@@ -1411,6 +1411,201 @@ static void test_sysdb_zero_now(void **state)
+     assert_true(cache_expire_ts > TEST_CACHE_TIMEOUT);
+ }
+ 
++static void test_sysdb_search_with_ts(void **state)
++{
++    int ret;
++    struct sysdb_ts_test_ctx *test_ctx = talloc_get_type_abort(*state,
++                                                     struct sysdb_ts_test_ctx);
++    struct ldb_result *res = NULL;
++    struct ldb_dn *base_dn;
++    const char *attrs[] = { SYSDB_NAME,
++                            SYSDB_OBJECTCATEGORY,
++                            SYSDB_GIDNUM,
++                            SYSDB_CACHE_EXPIRE,
++                            NULL };
++    struct sysdb_attrs *group_attrs = NULL;
++    char *filter;
++    uint64_t cache_expire_sysdb;
++    uint64_t cache_expire_ts;
++    size_t count;
++    struct ldb_message **msgs;
++
++    base_dn = sysdb_base_dn(test_ctx->tctx->dom->sysdb, test_ctx);
++    assert_non_null(base_dn);
++
++    /* Nothing must be stored in either cache at the beginning of the test */
++    ret = sysdb_search_with_ts_attr(test_ctx,
++                                    test_ctx->tctx->dom,
++                                    base_dn,
++                                    LDB_SCOPE_SUBTREE,
++                                    0,
++                                    SYSDB_NAME"=*",
++                                    attrs,
++                                    &res);
++    assert_int_equal(ret, EOK);
++    assert_int_equal(res->count, 0);
++    talloc_free(res);
++
++    group_attrs = create_modstamp_attrs(test_ctx, TEST_MODSTAMP_1);
++    assert_non_null(group_attrs);
++
++    ret = sysdb_store_group(test_ctx->tctx->dom,
++                            TEST_GROUP_NAME,
++                            TEST_GROUP_GID,
++                            group_attrs,
++                            TEST_CACHE_TIMEOUT,
++                            TEST_NOW_1);
++    assert_int_equal(ret, EOK);
++    talloc_zfree(group_attrs);
++
++    group_attrs = create_modstamp_attrs(test_ctx, TEST_MODSTAMP_1);
++    assert_non_null(group_attrs);
++
++    ret = sysdb_store_group(test_ctx->tctx->dom,
++                            TEST_GROUP_NAME_2,
++                            TEST_GROUP_GID_2,
++                            group_attrs,
++                            TEST_CACHE_TIMEOUT,
++                            TEST_NOW_2);
++    assert_int_equal(ret, EOK);
++    talloc_zfree(group_attrs);
++
++    /* Bump the timestamps in the cache so that the ts cache
++     * and sysdb differ
++     */
++
++    group_attrs = create_modstamp_attrs(test_ctx, TEST_MODSTAMP_1);
++    assert_non_null(group_attrs);
++
++    ret = sysdb_store_group(test_ctx->tctx->dom,
++                            TEST_GROUP_NAME,
++                            TEST_GROUP_GID,
++                            group_attrs,
++                            TEST_CACHE_TIMEOUT,
++                            TEST_NOW_3);
++    assert_int_equal(ret, EOK);
++
++    talloc_zfree(group_attrs);
++
++
++    group_attrs = create_modstamp_attrs(test_ctx, TEST_MODSTAMP_1);
++    assert_non_null(group_attrs);
++
++    ret = sysdb_store_group(test_ctx->tctx->dom,
++                            TEST_GROUP_NAME_2,
++                            TEST_GROUP_GID_2,
++                            group_attrs,
++                            TEST_CACHE_TIMEOUT,
++                            TEST_NOW_4);
++    assert_int_equal(ret, EOK);
++
++    talloc_zfree(group_attrs);
++
++    get_gr_timestamp_attrs(test_ctx, TEST_GROUP_NAME,
++                           &cache_expire_sysdb, &cache_expire_ts);
++    assert_int_equal(cache_expire_sysdb, TEST_CACHE_TIMEOUT + TEST_NOW_1);
++    assert_int_equal(cache_expire_ts, TEST_CACHE_TIMEOUT + TEST_NOW_3);
++
++    get_gr_timestamp_attrs(test_ctx, TEST_GROUP_NAME_2,
++                           &cache_expire_sysdb, &cache_expire_ts);
++    assert_int_equal(cache_expire_sysdb, TEST_CACHE_TIMEOUT + TEST_NOW_2);
++    assert_int_equal(cache_expire_ts, TEST_CACHE_TIMEOUT + TEST_NOW_4);
++
++    /* Search for groups that don't expire until TEST_NOW_4 */
++    filter = talloc_asprintf(test_ctx, SYSDB_CACHE_EXPIRE">=%d", TEST_NOW_4);
++    assert_non_null(filter);
++
++    /* This search should yield only one group (so, it needs to search the ts
++     * cache to hit the TEST_NOW_4), but should return attributes merged from
++     * both caches
++     */
++    ret = sysdb_search_with_ts_attr(test_ctx,
++                                    test_ctx->tctx->dom,
++                                    base_dn,
++                                    LDB_SCOPE_SUBTREE,
++                                    0,
++                                    filter,
++                                    attrs,
++                                    &res);
++    assert_int_equal(ret, EOK);
++    assert_int_equal(res->count, 1);
++    assert_int_equal(TEST_GROUP_GID_2, ldb_msg_find_attr_as_uint64(res->msgs[0],
++                                                                   SYSDB_GIDNUM, 0));
++    talloc_free(res);
++
++    /*
++     * In contrast, sysdb_search_entry merges the timestamp attributes, but does
++     * not search the timestamp cache
++     */
++    ret = sysdb_search_entry(test_ctx,
++                             test_ctx->tctx->dom->sysdb,
++                             base_dn,
++                             LDB_SCOPE_SUBTREE,
++                             filter,
++                             attrs,
++                             &count,
++                             &msgs);
++    assert_int_equal(ret, ENOENT);
++
++    /* Should get the same result when searching by ts attrs only */
++    ret = sysdb_search_with_ts_attr(test_ctx,
++                                    test_ctx->tctx->dom,
++                                    base_dn,
++                                    LDB_SCOPE_SUBTREE,
++                                    SYSDB_SEARCH_WITH_TS_ONLY_TS_FILTER,
++                                    filter,
++                                    attrs,
++                                    &res);
++    talloc_zfree(filter);
++    assert_int_equal(ret, EOK);
++    assert_int_equal(res->count, 1);
++    assert_int_equal(TEST_GROUP_GID_2, ldb_msg_find_attr_as_uint64(res->msgs[0],
++                                                                   SYSDB_GIDNUM, 0));
++    talloc_free(res);
++
++    /* We can also search in sysdb only as well, we should get back ts attrs */
++    filter = talloc_asprintf(test_ctx, SYSDB_GIDNUM"=%d", TEST_GROUP_GID);
++    assert_non_null(filter);
++
++    ret = sysdb_search_with_ts_attr(test_ctx,
++                                    test_ctx->tctx->dom,
++                                    base_dn,
++                                    LDB_SCOPE_SUBTREE,
++                                    SYSDB_SEARCH_WITH_TS_ONLY_SYSDB_FILTER,
++                                    filter,
++                                    attrs,
++                                    &res);
++    talloc_zfree(filter);
++    assert_int_equal(ret, EOK);
++    assert_int_equal(res->count, 1);
++    assert_int_equal(TEST_GROUP_GID, ldb_msg_find_attr_as_uint64(res->msgs[0],
++                                                                 SYSDB_GIDNUM, 0));
++    assert_int_equal(TEST_CACHE_TIMEOUT + TEST_NOW_3,
++                     ldb_msg_find_attr_as_uint64(res->msgs[0], SYSDB_CACHE_EXPIRE, 0));
++    talloc_free(res);
++
++    /* We can also search in both using an OR-filter. Note that an AND-filter is not possible
++     * unless we deconstruct the filter..
++     */
++    filter = talloc_asprintf(test_ctx, "(|("SYSDB_GIDNUM"=%d)"
++                                         "("SYSDB_CACHE_EXPIRE">=%d))",
++                                         TEST_GROUP_GID, TEST_NOW_4);
++    assert_non_null(filter);
++
++    ret = sysdb_search_with_ts_attr(test_ctx,
++                                    test_ctx->tctx->dom,
++                                    base_dn,
++                                    LDB_SCOPE_SUBTREE,
++                                    0,
++                                    filter,
++                                    attrs,
++                                    &res);
++    talloc_zfree(filter);
++    assert_int_equal(ret, EOK);
++    assert_int_equal(res->count, 2);
++    talloc_free(res);
++}
++
+ int main(int argc, const char *argv[])
+ {
+     int rv;
+@@ -1462,6 +1657,9 @@ int main(int argc, const char *argv[])
+         cmocka_unit_test_setup_teardown(test_sysdb_zero_now,
+                                         test_sysdb_ts_setup,
+                                         test_sysdb_ts_teardown),
++        cmocka_unit_test_setup_teardown(test_sysdb_search_with_ts,
++                                        test_sysdb_ts_setup,
++                                        test_sysdb_ts_teardown),
+     };
+ 
+     /* Set debug level to invalid value so we can decide if -d 0 was used. */
+-- 
+2.20.1
+
diff --git a/SOURCES/0046-BE-search-with-sysdb_search_with_ts_attr.patch b/SOURCES/0046-BE-search-with-sysdb_search_with_ts_attr.patch
new file mode 100644
index 0000000..78e583d
--- /dev/null
+++ b/SOURCES/0046-BE-search-with-sysdb_search_with_ts_attr.patch
@@ -0,0 +1,72 @@
+From 77b4d7a26d92f9aa114d6e8d1073539afeb17fd8 Mon Sep 17 00:00:00 2001
+From: Jakub Hrozek <jhrozek@redhat.com>
+Date: Tue, 28 May 2019 14:56:15 +0200
+Subject: [PATCH 46/64] BE: search with sysdb_search_with_ts_attr
+
+Previously, the background refresh code had used sysdb_search_entry()
+which does not run the search on the timestamp cache. Instead, this
+patch changes to using sysdb_search_with_ts_attr with the
+SYSDB_SEARCH_WITH_TS_ONLY_TS_FILTER optimization because currently only
+the dataExpireTimestamp attribute is included in the filter.
+
+Related:
+https://pagure.io/SSSD/sssd/issue/4012
+
+Reviewed-by: Sumit Bose <sbose@redhat.com>
+(cherry picked from commit f27955297603dd7bcbab2569394853d5d9ca90ea)
+
+Reviewed-by: Sumit Bose <sbose@redhat.com>
+---
+ src/providers/be_refresh.c | 19 +++++++++----------
+ 1 file changed, 9 insertions(+), 10 deletions(-)
+
+diff --git a/src/providers/be_refresh.c b/src/providers/be_refresh.c
+index e8cf5da75..c6bb66b68 100644
+--- a/src/providers/be_refresh.c
++++ b/src/providers/be_refresh.c
+@@ -40,9 +40,8 @@ static errno_t be_refresh_get_values_ex(TALLOC_CTX *mem_ctx,
+     const char *attrs[] = {attr, NULL};
+     const char *filter = NULL;
+     char **values = NULL;
+-    struct ldb_message **msgs = NULL;
+     struct sysdb_attrs **records = NULL;
+-    size_t count;
++    struct ldb_result *res;
+     time_t now = time(NULL);
+     errno_t ret;
+ 
+@@ -58,23 +57,23 @@ static errno_t be_refresh_get_values_ex(TALLOC_CTX *mem_ctx,
+         goto done;
+     }
+ 
+-    ret = sysdb_search_entry(tmp_ctx, domain->sysdb, base_dn,
+-                             LDB_SCOPE_SUBTREE, filter, attrs,
+-                             &count, &msgs);
+-    if (ret == ENOENT) {
+-        count = 0;
+-    } else if (ret != EOK) {
++    ret = sysdb_search_with_ts_attr(tmp_ctx, domain, base_dn,
++                                    LDB_SCOPE_SUBTREE,
++                                    SYSDB_SEARCH_WITH_TS_ONLY_TS_FILTER,
++                                    filter, attrs,
++                                    &res);
++    if (ret != EOK) {
+         goto done;
+     }
+ 
+-    ret = sysdb_msg2attrs(tmp_ctx, count, msgs, &records);
++    ret = sysdb_msg2attrs(tmp_ctx, res->count, res->msgs, &records);
+     if (ret != EOK) {
+         DEBUG(SSSDBG_CRIT_FAILURE,
+               "Could not convert ldb message to sysdb_attrs\n");
+         goto done;
+     }
+ 
+-    ret = sysdb_attrs_to_list(tmp_ctx, records, count, attr, &values);
++    ret = sysdb_attrs_to_list(tmp_ctx, records, res->count, attr, &values);
+     if (ret != EOK) {
+         goto done;
+     }
+-- 
+2.20.1
+
diff --git a/SOURCES/0047-BE-Enable-refresh-for-multiple-domains.patch b/SOURCES/0047-BE-Enable-refresh-for-multiple-domains.patch
new file mode 100644
index 0000000..d23105a
--- /dev/null
+++ b/SOURCES/0047-BE-Enable-refresh-for-multiple-domains.patch
@@ -0,0 +1,37 @@
+From 896cc774f959b1b6ee1f0c409fa837ad64ee52d4 Mon Sep 17 00:00:00 2001
+From: Jakub Hrozek <jhrozek@redhat.com>
+Date: Wed, 24 Apr 2019 21:09:53 +0200
+Subject: [PATCH 47/64] BE: Enable refresh for multiple domains
+
+Descend into subdomains on back end refresh and make sure to start from
+users again.
+
+Related:
+https://pagure.io/SSSD/sssd/issue/4012
+
+Reviewed-by: Sumit Bose <sbose@redhat.com>
+(cherry picked from commit 1a08b53defa7f921a9b0f9e839ca90f91b5f86d2)
+
+Reviewed-by: Sumit Bose <sbose@redhat.com>
+---
+ src/providers/be_refresh.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/src/providers/be_refresh.c b/src/providers/be_refresh.c
+index c6bb66b68..02e478c95 100644
+--- a/src/providers/be_refresh.c
++++ b/src/providers/be_refresh.c
+@@ -255,7 +255,9 @@ static errno_t be_refresh_step(struct tevent_req *req)
+ 
+         /* if not found than continue with next domain */
+         if (state->index == BE_REFRESH_TYPE_SENTINEL) {
+-            state->domain = get_next_domain(state->domain, 0);
++            state->domain = get_next_domain(state->domain,
++                                            SSS_GND_DESCEND);
++            state->index = 0;
+             continue;
+         }
+ 
+-- 
+2.20.1
+
diff --git a/SOURCES/0048-BE-Make-be_refresh_ctx_init-set-up-the-periodical-ta.patch b/SOURCES/0048-BE-Make-be_refresh_ctx_init-set-up-the-periodical-ta.patch
new file mode 100644
index 0000000..79ea4b8
--- /dev/null
+++ b/SOURCES/0048-BE-Make-be_refresh_ctx_init-set-up-the-periodical-ta.patch
@@ -0,0 +1,114 @@
+From 739910de98cfc6c1c8764855703a6a8315bb09c6 Mon Sep 17 00:00:00 2001
+From: Jakub Hrozek <jhrozek@redhat.com>
+Date: Mon, 20 May 2019 22:32:13 +0200
+Subject: [PATCH 48/64] BE: Make be_refresh_ctx_init set up the periodical
+ task, too
+
+This is mostly a preparatory patch that rolls in setting up the ptask
+into be_refresh_ctx_init. Since in later patches we will call
+be_refresh_ctx_init from several different places, this will prevent
+code duplication.
+
+Related:
+https://pagure.io/SSSD/sssd/issue/4012
+
+Reviewed-by: Sumit Bose <sbose@redhat.com>
+(cherry picked from commit bb0bd61ac54dca429b6562e808755152d4c90ce7)
+
+Reviewed-by: Sumit Bose <sbose@redhat.com>
+---
+ src/providers/be_refresh.c       | 21 +++++++++++++++++++--
+ src/providers/be_refresh.h       |  2 +-
+ src/providers/data_provider_be.c | 14 --------------
+ 3 files changed, 20 insertions(+), 17 deletions(-)
+
+diff --git a/src/providers/be_refresh.c b/src/providers/be_refresh.c
+index 02e478c95..c7b048a95 100644
+--- a/src/providers/be_refresh.c
++++ b/src/providers/be_refresh.c
+@@ -134,11 +134,13 @@ struct be_refresh_ctx {
+     struct be_refresh_cb callbacks[BE_REFRESH_TYPE_SENTINEL];
+ };
+ 
+-struct be_refresh_ctx *be_refresh_ctx_init(TALLOC_CTX *mem_ctx)
++struct be_refresh_ctx *be_refresh_ctx_init(struct be_ctx *be_ctx)
+ {
+     struct be_refresh_ctx *ctx = NULL;
++    uint32_t refresh_interval;
++    errno_t ret;
+ 
+-    ctx = talloc_zero(mem_ctx, struct be_refresh_ctx);
++    ctx = talloc_zero(be_ctx, struct be_refresh_ctx);
+     if (ctx == NULL) {
+         return NULL;
+     }
+@@ -147,6 +149,21 @@ struct be_refresh_ctx *be_refresh_ctx_init(TALLOC_CTX *mem_ctx)
+     ctx->callbacks[BE_REFRESH_TYPE_GROUPS].name = "groups";
+     ctx->callbacks[BE_REFRESH_TYPE_NETGROUPS].name = "netgroups";
+ 
++    refresh_interval = be_ctx->domain->refresh_expired_interval;
++    if (refresh_interval > 0) {
++        ret = be_ptask_create(be_ctx, be_ctx, refresh_interval, 30, 5, 0,
++                              refresh_interval, BE_PTASK_OFFLINE_SKIP, 0,
++                              be_refresh_send, be_refresh_recv,
++                              be_ctx->refresh_ctx, "Refresh Records", NULL);
++        if (ret != EOK) {
++            DEBUG(SSSDBG_FATAL_FAILURE,
++                  "Unable to initialize refresh periodic task [%d]: %s\n",
++                  ret, sss_strerror(ret));
++            talloc_free(ctx);
++            return NULL;
++        }
++    }
++
+     return ctx;
+ }
+ 
+diff --git a/src/providers/be_refresh.h b/src/providers/be_refresh.h
+index 927fa4a33..664f01816 100644
+--- a/src/providers/be_refresh.h
++++ b/src/providers/be_refresh.h
+@@ -52,7 +52,7 @@ enum be_refresh_type {
+ 
+ struct be_refresh_ctx;
+ 
+-struct be_refresh_ctx *be_refresh_ctx_init(TALLOC_CTX *mem_ctx);
++struct be_refresh_ctx *be_refresh_ctx_init(struct be_ctx *be_ctx);
+ 
+ errno_t be_refresh_add_cb(struct be_refresh_ctx *ctx,
+                           enum be_refresh_type type,
+diff --git a/src/providers/data_provider_be.c b/src/providers/data_provider_be.c
+index 17513111c..8dbddbb5f 100644
+--- a/src/providers/data_provider_be.c
++++ b/src/providers/data_provider_be.c
+@@ -431,7 +431,6 @@ errno_t be_process_init(TALLOC_CTX *mem_ctx,
+                         struct tevent_context *ev,
+                         struct confdb_ctx *cdb)
+ {
+-    uint32_t refresh_interval;
+     struct tevent_signal *tes;
+     struct be_ctx *be_ctx;
+     char *str = NULL;
+@@ -531,19 +530,6 @@ errno_t be_process_init(TALLOC_CTX *mem_ctx,
+         goto done;
+     }
+ 
+-    refresh_interval = be_ctx->domain->refresh_expired_interval;
+-    if (refresh_interval > 0) {
+-        ret = be_ptask_create(be_ctx, be_ctx, refresh_interval, 30, 5, 0,
+-                              refresh_interval, BE_PTASK_OFFLINE_SKIP, 0,
+-                              be_refresh_send, be_refresh_recv,
+-                              be_ctx->refresh_ctx, "Refresh Records", NULL);
+-        if (ret != EOK) {
+-            DEBUG(SSSDBG_FATAL_FAILURE,
+-                  "Unable to initialize refresh periodic task\n");
+-            goto done;
+-        }
+-    }
+-
+     ret = dp_init(be_ctx->ev, be_ctx, be_ctx->uid, be_ctx->gid);
+     if (ret != EOK) {
+         DEBUG(SSSDBG_FATAL_FAILURE, "Unable to setup data provider "
+-- 
+2.20.1
+
diff --git a/SOURCES/0049-BE-LDAP-Call-be_refresh_ctx_init-in-the-provider-lib.patch b/SOURCES/0049-BE-LDAP-Call-be_refresh_ctx_init-in-the-provider-lib.patch
new file mode 100644
index 0000000..d11eeb2
--- /dev/null
+++ b/SOURCES/0049-BE-LDAP-Call-be_refresh_ctx_init-in-the-provider-lib.patch
@@ -0,0 +1,146 @@
+From 106d93c6e03bfdf1bfc4f2691562b4855a1d4763 Mon Sep 17 00:00:00 2001
+From: Jakub Hrozek <jhrozek@redhat.com>
+Date: Mon, 20 May 2019 22:42:47 +0200
+Subject: [PATCH 49/64] BE/LDAP: Call be_refresh_ctx_init() in the provider
+ libraries, not in back end
+
+Since later patches will pass different parameters to
+be_refresh_ctx_init(), let's call the init function in the provider
+libraries not directly in the back end.
+
+Related:
+https://pagure.io/SSSD/sssd/issue/4012
+
+Reviewed-by: Sumit Bose <sbose@redhat.com>
+(cherry picked from commit 9d49c90ceb7388333c8682f4cbd6842ec236b9de)
+
+Reviewed-by: Sumit Bose <sbose@redhat.com>
+---
+ src/providers/ad/ad_init.c        |  2 +-
+ src/providers/data_provider_be.c  |  8 --------
+ src/providers/ipa/ipa_init.c      |  2 +-
+ src/providers/ldap/ldap_common.h  |  2 +-
+ src/providers/ldap/ldap_init.c    |  2 +-
+ src/providers/ldap/sdap_refresh.c | 17 +++++++++++++----
+ 6 files changed, 17 insertions(+), 16 deletions(-)
+
+diff --git a/src/providers/ad/ad_init.c b/src/providers/ad/ad_init.c
+index 302bcae7d..42c2f150a 100644
+--- a/src/providers/ad/ad_init.c
++++ b/src/providers/ad/ad_init.c
+@@ -408,7 +408,7 @@ static errno_t ad_init_misc(struct be_ctx *be_ctx,
+         return ret;
+     }
+ 
+-    ret = sdap_refresh_init(be_ctx->refresh_ctx, sdap_id_ctx);
++    ret = sdap_refresh_init(be_ctx, sdap_id_ctx);
+     if (ret != EOK && ret != EEXIST) {
+         DEBUG(SSSDBG_MINOR_FAILURE, "Periodical refresh "
+               "will not work [%d]: %s\n", ret, sss_strerror(ret));
+diff --git a/src/providers/data_provider_be.c b/src/providers/data_provider_be.c
+index 8dbddbb5f..d13654b8b 100644
+--- a/src/providers/data_provider_be.c
++++ b/src/providers/data_provider_be.c
+@@ -522,14 +522,6 @@ errno_t be_process_init(TALLOC_CTX *mem_ctx,
+         goto done;
+     }
+ 
+-    /* Initialize be_refresh periodic task. */
+-    be_ctx->refresh_ctx = be_refresh_ctx_init(be_ctx);
+-    if (be_ctx->refresh_ctx == NULL) {
+-        DEBUG(SSSDBG_FATAL_FAILURE, "Unable to initialize refresh_ctx\n");
+-        ret = ENOMEM;
+-        goto done;
+-    }
+-
+     ret = dp_init(be_ctx->ev, be_ctx, be_ctx->uid, be_ctx->gid);
+     if (ret != EOK) {
+         DEBUG(SSSDBG_FATAL_FAILURE, "Unable to setup data provider "
+diff --git a/src/providers/ipa/ipa_init.c b/src/providers/ipa/ipa_init.c
+index 6818e2171..b3060e228 100644
+--- a/src/providers/ipa/ipa_init.c
++++ b/src/providers/ipa/ipa_init.c
+@@ -594,7 +594,7 @@ static errno_t ipa_init_misc(struct be_ctx *be_ctx,
+         }
+     }
+ 
+-    ret = sdap_refresh_init(be_ctx->refresh_ctx, sdap_id_ctx);
++    ret = sdap_refresh_init(be_ctx, sdap_id_ctx);
+     if (ret != EOK && ret != EEXIST) {
+         DEBUG(SSSDBG_MINOR_FAILURE, "Periodical refresh "
+               "will not work [%d]: %s\n", ret, sss_strerror(ret));
+diff --git a/src/providers/ldap/ldap_common.h b/src/providers/ldap/ldap_common.h
+index 04548a388..f30b67eb3 100644
+--- a/src/providers/ldap/ldap_common.h
++++ b/src/providers/ldap/ldap_common.h
+@@ -362,7 +362,7 @@ struct sdap_id_ctx *
+ sdap_id_ctx_new(TALLOC_CTX *mem_ctx, struct be_ctx *bectx,
+                 struct sdap_service *sdap_service);
+ 
+-errno_t sdap_refresh_init(struct be_refresh_ctx *refresh_ctx,
++errno_t sdap_refresh_init(struct be_ctx *be_ctx,
+                           struct sdap_id_ctx *id_ctx);
+ 
+ errno_t sdap_init_certmap(TALLOC_CTX *mem_ctx, struct sdap_id_ctx *id_ctx);
+diff --git a/src/providers/ldap/ldap_init.c b/src/providers/ldap/ldap_init.c
+index 352f0b656..489e1c225 100644
+--- a/src/providers/ldap/ldap_init.c
++++ b/src/providers/ldap/ldap_init.c
+@@ -432,7 +432,7 @@ static errno_t ldap_init_misc(struct be_ctx *be_ctx,
+     }
+ 
+     /* Setup periodical refresh of expired records */
+-    ret = sdap_refresh_init(be_ctx->refresh_ctx, id_ctx);
++    ret = sdap_refresh_init(be_ctx, id_ctx);
+     if (ret != EOK && ret != EEXIST) {
+         DEBUG(SSSDBG_MINOR_FAILURE, "Periodical refresh will not work "
+               "[%d]: %s\n", ret, sss_strerror(ret));
+diff --git a/src/providers/ldap/sdap_refresh.c b/src/providers/ldap/sdap_refresh.c
+index 6d6c43e20..457df8be2 100644
+--- a/src/providers/ldap/sdap_refresh.c
++++ b/src/providers/ldap/sdap_refresh.c
+@@ -255,12 +255,19 @@ static errno_t sdap_refresh_netgroups_recv(struct tevent_req *req)
+     return sdap_refresh_recv(req);
+ }
+ 
+-errno_t sdap_refresh_init(struct be_refresh_ctx *refresh_ctx,
++errno_t sdap_refresh_init(struct be_ctx *be_ctx,
+                           struct sdap_id_ctx *id_ctx)
+ {
+     errno_t ret;
+ 
+-    ret = be_refresh_add_cb(refresh_ctx, BE_REFRESH_TYPE_USERS,
++    be_ctx->refresh_ctx = be_refresh_ctx_init(be_ctx);
++    if (be_ctx->refresh_ctx == NULL) {
++        DEBUG(SSSDBG_FATAL_FAILURE, "Unable to initialize refresh_ctx\n");
++        return ENOMEM;
++    }
++
++    ret = be_refresh_add_cb(be_ctx->refresh_ctx,
++                            BE_REFRESH_TYPE_USERS,
+                             sdap_refresh_users_send,
+                             sdap_refresh_users_recv,
+                             id_ctx);
+@@ -269,7 +276,8 @@ errno_t sdap_refresh_init(struct be_refresh_ctx *refresh_ctx,
+               "will not work [%d]: %s\n", ret, strerror(ret));
+     }
+ 
+-    ret = be_refresh_add_cb(refresh_ctx, BE_REFRESH_TYPE_GROUPS,
++    ret = be_refresh_add_cb(be_ctx->refresh_ctx,
++                            BE_REFRESH_TYPE_USERS,
+                             sdap_refresh_groups_send,
+                             sdap_refresh_groups_recv,
+                             id_ctx);
+@@ -278,7 +286,8 @@ errno_t sdap_refresh_init(struct be_refresh_ctx *refresh_ctx,
+               "will not work [%d]: %s\n", ret, strerror(ret));
+     }
+ 
+-    ret = be_refresh_add_cb(refresh_ctx, BE_REFRESH_TYPE_NETGROUPS,
++    ret = be_refresh_add_cb(be_ctx->refresh_ctx,
++                            BE_REFRESH_TYPE_USERS,
+                             sdap_refresh_netgroups_send,
+                             sdap_refresh_netgroups_recv,
+                             id_ctx);
+-- 
+2.20.1
+
diff --git a/SOURCES/0050-BE-Pass-in-attribute-to-look-up-with-instead-of-hard.patch b/SOURCES/0050-BE-Pass-in-attribute-to-look-up-with-instead-of-hard.patch
new file mode 100644
index 0000000..60dc44a
--- /dev/null
+++ b/SOURCES/0050-BE-Pass-in-attribute-to-look-up-with-instead-of-hard.patch
@@ -0,0 +1,111 @@
+From f035dee4d63ebe96a8435778e4c8ce413e8c025b Mon Sep 17 00:00:00 2001
+From: Jakub Hrozek <jhrozek@redhat.com>
+Date: Tue, 21 May 2019 12:09:24 +0200
+Subject: [PATCH 50/64] BE: Pass in attribute to look up with instead of
+ hardcoding SYSDB_NAME
+
+In later patches, we will implement refreshes for AD or IPA which might
+refresh objects that do not have a name yet, but always do have a different
+attribute, like a SID or a uniqueID. In this case, it's better to use that
+different attribute instead of name.
+
+This patch allows the caller to tell the refresh module which attribute
+to use.
+
+Related:
+https://pagure.io/SSSD/sssd/issue/4012
+
+Reviewed-by: Sumit Bose <sbose@redhat.com>
+(cherry picked from commit d1eb0a70de3c98ca9dc03a0b79287f4ce6ee4855)
+
+Reviewed-by: Sumit Bose <sbose@redhat.com>
+---
+ src/providers/be_refresh.c        | 12 ++++++++----
+ src/providers/be_refresh.h        |  3 ++-
+ src/providers/ldap/sdap_refresh.c |  2 +-
+ 3 files changed, 11 insertions(+), 6 deletions(-)
+
+diff --git a/src/providers/be_refresh.c b/src/providers/be_refresh.c
+index c7b048a95..66cc4cf98 100644
+--- a/src/providers/be_refresh.c
++++ b/src/providers/be_refresh.c
+@@ -89,6 +89,7 @@ done:
+ 
+ static errno_t be_refresh_get_values(TALLOC_CTX *mem_ctx,
+                                      enum be_refresh_type type,
++                                     const char *attr_name,
+                                      struct sss_domain_info *domain,
+                                      time_t period,
+                                      char ***_values)
+@@ -116,7 +117,7 @@ static errno_t be_refresh_get_values(TALLOC_CTX *mem_ctx,
+     }
+ 
+     ret = be_refresh_get_values_ex(mem_ctx, domain, period,
+-                                   base_dn, SYSDB_NAME, _values);
++                                   base_dn, attr_name, _values);
+ 
+     talloc_free(base_dn);
+     return ret;
+@@ -131,10 +132,12 @@ struct be_refresh_cb {
+ };
+ 
+ struct be_refresh_ctx {
++    const char *attr_name;
+     struct be_refresh_cb callbacks[BE_REFRESH_TYPE_SENTINEL];
+ };
+ 
+-struct be_refresh_ctx *be_refresh_ctx_init(struct be_ctx *be_ctx)
++struct be_refresh_ctx *be_refresh_ctx_init(struct be_ctx *be_ctx,
++                                           const char *attr_name)
+ {
+     struct be_refresh_ctx *ctx = NULL;
+     uint32_t refresh_interval;
+@@ -145,6 +148,7 @@ struct be_refresh_ctx *be_refresh_ctx_init(struct be_ctx *be_ctx)
+         return NULL;
+     }
+ 
++    ctx->attr_name = attr_name;
+     ctx->callbacks[BE_REFRESH_TYPE_USERS].name = "users";
+     ctx->callbacks[BE_REFRESH_TYPE_GROUPS].name = "groups";
+     ctx->callbacks[BE_REFRESH_TYPE_NETGROUPS].name = "netgroups";
+@@ -284,8 +288,8 @@ static errno_t be_refresh_step(struct tevent_req *req)
+             goto done;
+         }
+ 
+-        ret = be_refresh_get_values(state, state->index, state->domain,
+-                                    state->period, &values);
++        ret = be_refresh_get_values(state, state->index, state->ctx->attr_name,
++                                    state->domain, state->period, &values);
+         if (ret != EOK) {
+             DEBUG(SSSDBG_CRIT_FAILURE, "Unable to obtain DN list [%d]: %s\n",
+                                         ret, sss_strerror(ret));
+diff --git a/src/providers/be_refresh.h b/src/providers/be_refresh.h
+index 664f01816..8c7b1d0ba 100644
+--- a/src/providers/be_refresh.h
++++ b/src/providers/be_refresh.h
+@@ -52,7 +52,8 @@ enum be_refresh_type {
+ 
+ struct be_refresh_ctx;
+ 
+-struct be_refresh_ctx *be_refresh_ctx_init(struct be_ctx *be_ctx);
++struct be_refresh_ctx *be_refresh_ctx_init(struct be_ctx *be_ctx,
++                                           const char *attr_name);
+ 
+ errno_t be_refresh_add_cb(struct be_refresh_ctx *ctx,
+                           enum be_refresh_type type,
+diff --git a/src/providers/ldap/sdap_refresh.c b/src/providers/ldap/sdap_refresh.c
+index 457df8be2..ed04da36a 100644
+--- a/src/providers/ldap/sdap_refresh.c
++++ b/src/providers/ldap/sdap_refresh.c
+@@ -260,7 +260,7 @@ errno_t sdap_refresh_init(struct be_ctx *be_ctx,
+ {
+     errno_t ret;
+ 
+-    be_ctx->refresh_ctx = be_refresh_ctx_init(be_ctx);
++    be_ctx->refresh_ctx = be_refresh_ctx_init(be_ctx, SYSDB_NAME);
+     if (be_ctx->refresh_ctx == NULL) {
+         DEBUG(SSSDBG_FATAL_FAILURE, "Unable to initialize refresh_ctx\n");
+         return ENOMEM;
+-- 
+2.20.1
+
diff --git a/SOURCES/0051-BE-Change-be_refresh_ctx_init-to-return-errno-and-se.patch b/SOURCES/0051-BE-Change-be_refresh_ctx_init-to-return-errno-and-se.patch
new file mode 100644
index 0000000..079b737
--- /dev/null
+++ b/SOURCES/0051-BE-Change-be_refresh_ctx_init-to-return-errno-and-se.patch
@@ -0,0 +1,102 @@
+From d5808eab7a3ab48318d26ae633c8650bab761c84 Mon Sep 17 00:00:00 2001
+From: Jakub Hrozek <jhrozek@redhat.com>
+Date: Tue, 21 May 2019 12:07:34 +0200
+Subject: [PATCH 51/64] BE: Change be_refresh_ctx_init to return errno and set
+ be_ctx->refresh_ctx
+
+It is a bit odd that a caller to a be_ function would set a property of
+be_ctx. IMO it is cleaner if the function has a side-effect and sets the
+property internally and rather returns errno.
+
+Related:
+https://pagure.io/SSSD/sssd/issue/4012
+
+Reviewed-by: Sumit Bose <sbose@redhat.com>
+(cherry picked from commit 41305ef5a0ef2f4796e322190ffcc12331151643)
+
+Reviewed-by: Sumit Bose <sbose@redhat.com>
+---
+ src/providers/be_refresh.c        | 13 +++++++------
+ src/providers/be_refresh.h        |  4 ++--
+ src/providers/ldap/sdap_refresh.c |  4 ++--
+ 3 files changed, 11 insertions(+), 10 deletions(-)
+
+diff --git a/src/providers/be_refresh.c b/src/providers/be_refresh.c
+index 66cc4cf98..8a6e1ba58 100644
+--- a/src/providers/be_refresh.c
++++ b/src/providers/be_refresh.c
+@@ -136,8 +136,8 @@ struct be_refresh_ctx {
+     struct be_refresh_cb callbacks[BE_REFRESH_TYPE_SENTINEL];
+ };
+ 
+-struct be_refresh_ctx *be_refresh_ctx_init(struct be_ctx *be_ctx,
+-                                           const char *attr_name)
++errno_t be_refresh_ctx_init(struct be_ctx *be_ctx,
++                            const char *attr_name)
+ {
+     struct be_refresh_ctx *ctx = NULL;
+     uint32_t refresh_interval;
+@@ -145,7 +145,7 @@ struct be_refresh_ctx *be_refresh_ctx_init(struct be_ctx *be_ctx,
+ 
+     ctx = talloc_zero(be_ctx, struct be_refresh_ctx);
+     if (ctx == NULL) {
+-        return NULL;
++        return ENOMEM;
+     }
+ 
+     ctx->attr_name = attr_name;
+@@ -158,17 +158,18 @@ struct be_refresh_ctx *be_refresh_ctx_init(struct be_ctx *be_ctx,
+         ret = be_ptask_create(be_ctx, be_ctx, refresh_interval, 30, 5, 0,
+                               refresh_interval, BE_PTASK_OFFLINE_SKIP, 0,
+                               be_refresh_send, be_refresh_recv,
+-                              be_ctx->refresh_ctx, "Refresh Records", NULL);
++                              ctx, "Refresh Records", NULL);
+         if (ret != EOK) {
+             DEBUG(SSSDBG_FATAL_FAILURE,
+                   "Unable to initialize refresh periodic task [%d]: %s\n",
+                   ret, sss_strerror(ret));
+             talloc_free(ctx);
+-            return NULL;
++            return ret;
+         }
+     }
+ 
+-    return ctx;
++    be_ctx->refresh_ctx = ctx;
++    return EOK;
+ }
+ 
+ errno_t be_refresh_add_cb(struct be_refresh_ctx *ctx,
+diff --git a/src/providers/be_refresh.h b/src/providers/be_refresh.h
+index 8c7b1d0ba..980ac7d06 100644
+--- a/src/providers/be_refresh.h
++++ b/src/providers/be_refresh.h
+@@ -52,8 +52,8 @@ enum be_refresh_type {
+ 
+ struct be_refresh_ctx;
+ 
+-struct be_refresh_ctx *be_refresh_ctx_init(struct be_ctx *be_ctx,
+-                                           const char *attr_name);
++errno_t be_refresh_ctx_init(struct be_ctx *be_ctx,
++                            const char *attr_name);
+ 
+ errno_t be_refresh_add_cb(struct be_refresh_ctx *ctx,
+                           enum be_refresh_type type,
+diff --git a/src/providers/ldap/sdap_refresh.c b/src/providers/ldap/sdap_refresh.c
+index ed04da36a..baa7fa59f 100644
+--- a/src/providers/ldap/sdap_refresh.c
++++ b/src/providers/ldap/sdap_refresh.c
+@@ -260,8 +260,8 @@ errno_t sdap_refresh_init(struct be_ctx *be_ctx,
+ {
+     errno_t ret;
+ 
+-    be_ctx->refresh_ctx = be_refresh_ctx_init(be_ctx, SYSDB_NAME);
+-    if (be_ctx->refresh_ctx == NULL) {
++    ret = be_refresh_ctx_init(be_ctx, SYSDB_NAME);
++    if (ret != EOK) {
+         DEBUG(SSSDBG_FATAL_FAILURE, "Unable to initialize refresh_ctx\n");
+         return ENOMEM;
+     }
+-- 
+2.20.1
+
diff --git a/SOURCES/0052-BE-LDAP-Split-out-a-helper-function-from-sdap_refres.patch b/SOURCES/0052-BE-LDAP-Split-out-a-helper-function-from-sdap_refres.patch
new file mode 100644
index 0000000..3258df8
--- /dev/null
+++ b/SOURCES/0052-BE-LDAP-Split-out-a-helper-function-from-sdap_refres.patch
@@ -0,0 +1,134 @@
+From 080b154402ad076a562e0ea6d6e8c5d2fbcef5f5 Mon Sep 17 00:00:00 2001
+From: Jakub Hrozek <jhrozek@redhat.com>
+Date: Wed, 8 May 2019 14:38:44 +0200
+Subject: [PATCH 52/64] BE/LDAP: Split out a helper function from sdap_refresh
+ for later reuse
+
+Every refresh request will send a similar account_req. Let's split out
+the function that creates the account_req into a reusable one.
+
+Also removes the type string as it was only used in DEBUG messages and
+there is already a function in the back end API that provides the same
+functionality.
+
+Related:
+https://pagure.io/SSSD/sssd/issue/4012
+
+Reviewed-by: Sumit Bose <sbose@redhat.com>
+(cherry picked from commit ac72bb4ab1a8d3d13f0d459efe5f23cf010c2790)
+
+Reviewed-by: Sumit Bose <sbose@redhat.com>
+---
+ src/providers/be_refresh.c        | 18 ++++++++++++++++++
+ src/providers/be_refresh.h        |  4 ++++
+ src/providers/ldap/sdap_refresh.c | 29 +++++------------------------
+ 3 files changed, 27 insertions(+), 24 deletions(-)
+
+diff --git a/src/providers/be_refresh.c b/src/providers/be_refresh.c
+index 8a6e1ba58..c49229e71 100644
+--- a/src/providers/be_refresh.c
++++ b/src/providers/be_refresh.c
+@@ -362,3 +362,21 @@ errno_t be_refresh_recv(struct tevent_req *req)
+ 
+     return EOK;
+ }
++
++struct dp_id_data *be_refresh_acct_req(TALLOC_CTX *mem_ctx,
++                                       uint32_t entry_type,
++                                       struct sss_domain_info *domain)
++{
++    struct dp_id_data *account_req;
++
++    account_req = talloc_zero(mem_ctx, struct dp_id_data);
++    if (account_req == NULL) {
++        return NULL;
++    }
++
++    account_req->entry_type = entry_type;
++    account_req->filter_type = BE_FILTER_NAME;
++    account_req->extra_value = NULL;
++    account_req->domain = domain->name;
++    return account_req;
++}
+diff --git a/src/providers/be_refresh.h b/src/providers/be_refresh.h
+index 980ac7d06..b7ba5d4c2 100644
+--- a/src/providers/be_refresh.h
++++ b/src/providers/be_refresh.h
+@@ -69,4 +69,8 @@ struct tevent_req *be_refresh_send(TALLOC_CTX *mem_ctx,
+ 
+ errno_t be_refresh_recv(struct tevent_req *req);
+ 
++struct dp_id_data *be_refresh_acct_req(TALLOC_CTX *mem_ctx,
++                                       uint32_t entry_type,
++                                       struct sss_domain_info *domain);
++
+ #endif /* _DP_REFRESH_H_ */
+diff --git a/src/providers/ldap/sdap_refresh.c b/src/providers/ldap/sdap_refresh.c
+index baa7fa59f..af39d8686 100644
+--- a/src/providers/ldap/sdap_refresh.c
++++ b/src/providers/ldap/sdap_refresh.c
+@@ -30,7 +30,6 @@ struct sdap_refresh_state {
+     struct dp_id_data *account_req;
+     struct sdap_id_ctx *id_ctx;
+     struct sdap_domain *sdom;
+-    const char *type;
+     char **names;
+     size_t index;
+ };
+@@ -74,32 +73,12 @@ static struct tevent_req *sdap_refresh_send(TALLOC_CTX *mem_ctx,
+         goto immediately;
+     }
+ 
+-    switch (entry_type) {
+-    case BE_REQ_USER:
+-        state->type = "user";
+-        break;
+-    case BE_REQ_GROUP:
+-        state->type = "group";
+-        break;
+-    case BE_REQ_NETGROUP:
+-        state->type = "netgroup";
+-        break;
+-    default:
+-        DEBUG(SSSDBG_CRIT_FAILURE, "Invalid entry type [%d]!\n", entry_type);
+-    }
+-
+-    state->account_req = talloc_zero(state, struct dp_id_data);
++    state->account_req = be_refresh_acct_req(state, entry_type, domain);
+     if (state->account_req == NULL) {
+         ret = ENOMEM;
+         goto immediately;
+     }
+ 
+-    state->account_req->entry_type = entry_type;
+-    state->account_req->filter_type = BE_FILTER_NAME;
+-    state->account_req->extra_value = NULL;
+-    state->account_req->domain = domain->name;
+-    /* filter will be filled later */
+-
+     ret = sdap_refresh_step(req);
+     if (ret == EOK) {
+         DEBUG(SSSDBG_TRACE_FUNC, "Nothing to refresh\n");
+@@ -143,7 +122,8 @@ static errno_t sdap_refresh_step(struct tevent_req *req)
+     }
+ 
+     DEBUG(SSSDBG_TRACE_FUNC, "Issuing refresh of %s %s\n",
+-          state->type, state->account_req->filter_value);
++          be_req2str(state->account_req->entry_type),
++          state->account_req->filter_value);
+ 
+     subreq = sdap_handle_acct_req_send(state, state->be_ctx,
+                                        state->account_req, state->id_ctx,
+@@ -178,7 +158,8 @@ static void sdap_refresh_done(struct tevent_req *subreq)
+     talloc_zfree(subreq);
+     if (ret != EOK) {
+         DEBUG(SSSDBG_CRIT_FAILURE, "Unable to refresh %s [dp_error: %d, "
+-              "sdap_ret: %d, errno: %d]: %s\n", state->type,
++              "sdap_ret: %d, errno: %d]: %s\n",
++               be_req2str(state->account_req->entry_type),
+               dp_error, sdap_ret, ret, err_msg);
+         goto done;
+     }
+-- 
+2.20.1
+
diff --git a/SOURCES/0053-BE-Pass-in-filter_type-when-creating-the-refresh-acc.patch b/SOURCES/0053-BE-Pass-in-filter_type-when-creating-the-refresh-acc.patch
new file mode 100644
index 0000000..7bb8449
--- /dev/null
+++ b/SOURCES/0053-BE-Pass-in-filter_type-when-creating-the-refresh-acc.patch
@@ -0,0 +1,73 @@
+From 219028cb3f2059e6d1c0cb28f491fb30909d967c Mon Sep 17 00:00:00 2001
+From: Jakub Hrozek <jhrozek@redhat.com>
+Date: Tue, 21 May 2019 12:07:59 +0200
+Subject: [PATCH 53/64] BE: Pass in filter_type when creating the refresh
+ account request
+
+For refreshing AD users and groups, we'll want to create a request by
+SID, for all other requests we'll want to create a request by name. This
+patch allows parametrizing the request creation by the caller.
+
+Related:
+https://pagure.io/SSSD/sssd/issue/4012
+
+Reviewed-by: Sumit Bose <sbose@redhat.com>
+(cherry picked from commit 2cb294e6d5782aa725a2e9d7892a9e0c62e0b3a9)
+
+Reviewed-by: Sumit Bose <sbose@redhat.com>
+---
+ src/providers/be_refresh.c        | 3 ++-
+ src/providers/be_refresh.h        | 1 +
+ src/providers/ldap/sdap_refresh.c | 3 ++-
+ 3 files changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/src/providers/be_refresh.c b/src/providers/be_refresh.c
+index c49229e71..c4ff71e1f 100644
+--- a/src/providers/be_refresh.c
++++ b/src/providers/be_refresh.c
+@@ -365,6 +365,7 @@ errno_t be_refresh_recv(struct tevent_req *req)
+ 
+ struct dp_id_data *be_refresh_acct_req(TALLOC_CTX *mem_ctx,
+                                        uint32_t entry_type,
++                                       uint32_t filter_type,
+                                        struct sss_domain_info *domain)
+ {
+     struct dp_id_data *account_req;
+@@ -375,7 +376,7 @@ struct dp_id_data *be_refresh_acct_req(TALLOC_CTX *mem_ctx,
+     }
+ 
+     account_req->entry_type = entry_type;
+-    account_req->filter_type = BE_FILTER_NAME;
++    account_req->filter_type = filter_type;
+     account_req->extra_value = NULL;
+     account_req->domain = domain->name;
+     return account_req;
+diff --git a/src/providers/be_refresh.h b/src/providers/be_refresh.h
+index b7ba5d4c2..c7b4872df 100644
+--- a/src/providers/be_refresh.h
++++ b/src/providers/be_refresh.h
+@@ -71,6 +71,7 @@ errno_t be_refresh_recv(struct tevent_req *req);
+ 
+ struct dp_id_data *be_refresh_acct_req(TALLOC_CTX *mem_ctx,
+                                        uint32_t entry_type,
++                                       uint32_t filter_type,
+                                        struct sss_domain_info *domain);
+ 
+ #endif /* _DP_REFRESH_H_ */
+diff --git a/src/providers/ldap/sdap_refresh.c b/src/providers/ldap/sdap_refresh.c
+index af39d8686..2206d6670 100644
+--- a/src/providers/ldap/sdap_refresh.c
++++ b/src/providers/ldap/sdap_refresh.c
+@@ -73,7 +73,8 @@ static struct tevent_req *sdap_refresh_send(TALLOC_CTX *mem_ctx,
+         goto immediately;
+     }
+ 
+-    state->account_req = be_refresh_acct_req(state, entry_type, domain);
++    state->account_req = be_refresh_acct_req(state, entry_type,
++                                             BE_FILTER_NAME, domain);
+     if (state->account_req == NULL) {
+         ret = ENOMEM;
+         goto immediately;
+-- 
+2.20.1
+
diff --git a/SOURCES/0054-BE-Send-refresh-requests-in-batches.patch b/SOURCES/0054-BE-Send-refresh-requests-in-batches.patch
new file mode 100644
index 0000000..bf44794
--- /dev/null
+++ b/SOURCES/0054-BE-Send-refresh-requests-in-batches.patch
@@ -0,0 +1,300 @@
+From 84268efb9de2befd87b5e251bf2c99eb583923b6 Mon Sep 17 00:00:00 2001
+From: Jakub Hrozek <jhrozek@redhat.com>
+Date: Wed, 8 May 2019 23:16:07 +0200
+Subject: [PATCH 54/64] BE: Send refresh requests in batches
+
+As we extend the background refresh into larger domains, the amount of
+data that SSSD refreshes on the background might be larger. And
+refreshing all expired entries in a single request might block sssd_be
+for a long time, either triggering the watchdog or starving other
+legitimate requests.
+
+Therefore the background refresh will be done in batches of 200 entries.
+The first batch of every type (up to 200 users, up to 200 groups, ...)
+will be scheduled imediatelly and subsequent batches with a 0.5 second
+delay.
+
+Related:
+https://pagure.io/SSSD/sssd/issue/4012
+
+Reviewed-by: Sumit Bose <sbose@redhat.com>
+(cherry picked from commit 7443498cc074c323e3b307f47ed49d59a5001f64)
+
+Reviewed-by: Sumit Bose <sbose@redhat.com>
+---
+ src/providers/be_refresh.c            | 131 ++++++++++++++++++++++----
+ src/tests/cmocka/test_expire_common.c |   6 +-
+ src/tests/sss_idmap-tests.c           |   8 +-
+ src/util/util.h                       |   8 ++
+ 4 files changed, 128 insertions(+), 25 deletions(-)
+
+diff --git a/src/providers/be_refresh.c b/src/providers/be_refresh.c
+index c4ff71e1f..5d86509bb 100644
+--- a/src/providers/be_refresh.c
++++ b/src/providers/be_refresh.c
+@@ -204,8 +204,21 @@ struct be_refresh_state {
+     struct sss_domain_info *domain;
+     enum be_refresh_type index;
+     time_t period;
++
++    char **refresh_values;
++    size_t refresh_val_size;
++    size_t refresh_index;
++
++    size_t batch_size;
++    char **refresh_batch;
+ };
+ 
++static errno_t be_refresh_batch_step(struct tevent_req *req,
++                                     uint32_t msec_delay);
++static void be_refresh_batch_step_wakeup(struct tevent_context *ev,
++                                         struct tevent_timer *tt,
++                                         struct timeval tv,
++                                         void *pvt);
+ static errno_t be_refresh_step(struct tevent_req *req);
+ static void be_refresh_done(struct tevent_req *subreq);
+ 
+@@ -236,6 +249,13 @@ struct tevent_req *be_refresh_send(TALLOC_CTX *mem_ctx,
+         goto immediately;
+     }
+ 
++    state->batch_size = 200;
++    state->refresh_batch = talloc_zero_array(state, char *, state->batch_size+1);
++    if (state->refresh_batch == NULL) {
++        ret = ENOMEM;
++        goto immediately;
++    }
++
+     ret = be_refresh_step(req);
+     if (ret == EOK) {
+         goto immediately;
+@@ -261,8 +281,6 @@ immediately:
+ static errno_t be_refresh_step(struct tevent_req *req)
+ {
+     struct be_refresh_state *state = NULL;
+-    struct tevent_req *subreq = NULL;
+-    char **values = NULL;
+     errno_t ret;
+ 
+     state = tevent_req_data(req, struct be_refresh_state);
+@@ -289,42 +307,103 @@ static errno_t be_refresh_step(struct tevent_req *req)
+             goto done;
+         }
+ 
++        talloc_zfree(state->refresh_values);
+         ret = be_refresh_get_values(state, state->index, state->ctx->attr_name,
+-                                    state->domain, state->period, &values);
++                                    state->domain, state->period,
++                                    &state->refresh_values);
+         if (ret != EOK) {
+             DEBUG(SSSDBG_CRIT_FAILURE, "Unable to obtain DN list [%d]: %s\n",
+                                         ret, sss_strerror(ret));
+             goto done;
+         }
+ 
+-        DEBUG(SSSDBG_TRACE_FUNC, "Refreshing %s in domain %s\n",
+-              state->cb->name, state->domain->name);
++        for (state->refresh_val_size = 0;
++             state->refresh_values[state->refresh_val_size] != NULL;
++             state->refresh_val_size++);
++
++        DEBUG(SSSDBG_TRACE_FUNC, "Refreshing %zu %s in domain %s\n",
++              state->refresh_val_size, state->cb->name, state->domain->name);
+ 
+-        subreq = state->cb->send_fn(state, state->ev, state->be_ctx,
+-                                    state->domain, values, state->cb->pvt);
+-        if (subreq == NULL) {
+-            ret = ENOMEM;
++        ret = be_refresh_batch_step(req, 0);
++        if (ret == EOK) {
++            state->index++;
++            continue;
++        } else if (ret != EAGAIN) {
+             goto done;
+         }
+-
+-        /* make the list disappear with subreq */
+-        talloc_steal(subreq, values);
+-
+-        tevent_req_set_callback(subreq, be_refresh_done, req);
++        /* EAGAIN only, refreshing something.. */
+ 
+         state->index++;
+-        ret = EAGAIN;
+         goto done;
+     }
+ 
+     ret = EOK;
+ 
+ done:
+-    if (ret != EOK && ret != EAGAIN) {
+-        talloc_free(values);
++    return ret;
++}
++
++static errno_t be_refresh_batch_step(struct tevent_req *req,
++                                     uint32_t msec_delay)
++{
++    struct be_refresh_state *state = tevent_req_data(req, struct be_refresh_state);
++    struct timeval tv;
++    struct tevent_timer *timeout = NULL;
++
++    size_t remaining;
++    size_t batch_size;
++
++    memset(state->refresh_batch, 0, sizeof(char *) * state->batch_size);
++
++    if (state->refresh_index >= state->refresh_val_size) {
++        DEBUG(SSSDBG_FUNC_DATA, "The batch is done\n");
++        state->refresh_index = 0;
++        return EOK;
+     }
+ 
+-    return ret;
++    remaining = state->refresh_val_size - state->refresh_index;
++    batch_size = MIN(remaining, state->batch_size);
++    DEBUG(SSSDBG_FUNC_DATA,
++          "This batch will refresh %zu entries (so far %zu/%zu)\n",
++          batch_size, state->refresh_index, state->refresh_val_size);
++
++    for (size_t i = 0; i < batch_size; i++) {
++        state->refresh_batch[i] = state->refresh_values[state->refresh_index];
++        state->refresh_index++;
++    }
++
++    tv = tevent_timeval_current_ofs(0, msec_delay * 1000);
++    timeout = tevent_add_timer(state->be_ctx->ev, req, tv,
++                               be_refresh_batch_step_wakeup, req);
++    if (timeout == NULL) {
++        return ENOMEM;
++    }
++
++    return EAGAIN;
++}
++
++static void be_refresh_batch_step_wakeup(struct tevent_context *ev,
++                                         struct tevent_timer *tt,
++                                         struct timeval tv,
++                                         void *pvt)
++{
++    struct tevent_req *req;
++    struct tevent_req *subreq = NULL;
++    struct be_refresh_state *state = NULL;
++
++    req = talloc_get_type(pvt, struct tevent_req);
++    state = tevent_req_data(req, struct be_refresh_state);
++
++    DEBUG(SSSDBG_TRACE_INTERNAL, "Issuing refresh\n");
++    subreq = state->cb->send_fn(state, state->ev, state->be_ctx,
++                                state->domain,
++                                state->refresh_batch,
++                                state->cb->pvt);
++    if (subreq == NULL) {
++        tevent_req_error(req, ENOMEM);
++        return;
++    }
++    tevent_req_set_callback(subreq, be_refresh_done, req);
+ }
+ 
+ static void be_refresh_done(struct tevent_req *subreq)
+@@ -342,8 +421,24 @@ static void be_refresh_done(struct tevent_req *subreq)
+         goto done;
+     }
+ 
++    ret = be_refresh_batch_step(req, 500);
++    if (ret == EAGAIN) {
++        DEBUG(SSSDBG_TRACE_INTERNAL,
++              "Another batch in this step in progress\n");
++        return;
++    } else if (ret != EOK) {
++        DEBUG(SSSDBG_OP_FAILURE,
++              "be_refresh_batch_step failed [%d]: %s\n",
++              ret, sss_strerror(ret));
++        goto done;
++    }
++
++    DEBUG(SSSDBG_TRACE_INTERNAL, "All batches in this step refreshed\n");
++
++    /* Proceed to the next step */
+     ret = be_refresh_step(req);
+     if (ret == EAGAIN) {
++        DEBUG(SSSDBG_TRACE_INTERNAL, "Another step in progress\n");
+         return;
+     }
+ 
+diff --git a/src/tests/cmocka/test_expire_common.c b/src/tests/cmocka/test_expire_common.c
+index 5d3ea02f3..4f6168190 100644
+--- a/src/tests/cmocka/test_expire_common.c
++++ b/src/tests/cmocka/test_expire_common.c
+@@ -32,7 +32,7 @@
+ #include "tests/common_check.h"
+ #include "tests/cmocka/test_expire_common.h"
+ 
+-#define MAX 100
++#define MAX_VAL 100
+ 
+ static char *now_str(TALLOC_CTX *mem_ctx, const char* format, int s)
+ {
+@@ -41,10 +41,10 @@ static char *now_str(TALLOC_CTX *mem_ctx, const char* format, int s)
+     size_t len;
+     char *timestr;
+ 
+-    timestr = talloc_array(mem_ctx, char, MAX);
++    timestr = talloc_array(mem_ctx, char, MAX_VAL);
+ 
+     tm = gmtime(&t);
+-    len = strftime(timestr, MAX, format, tm);
++    len = strftime(timestr, MAX_VAL, format, tm);
+     if (len == 0) {
+         return NULL;
+     }
+diff --git a/src/tests/sss_idmap-tests.c b/src/tests/sss_idmap-tests.c
+index 885913645..ef6843403 100644
+--- a/src/tests/sss_idmap-tests.c
++++ b/src/tests/sss_idmap-tests.c
+@@ -140,8 +140,8 @@ void idmap_add_domain_with_sec_slices_setup_cb_fail(void)
+ }
+ 
+ 
+-#define MAX 1000
+-char data[MAX];
++#define DATA_MAX 1000
++char data[DATA_MAX];
+ 
+ enum idmap_error_code cb2(const char *dom_name,
+                           const char *dom_sid,
+@@ -154,10 +154,10 @@ enum idmap_error_code cb2(const char *dom_name,
+     char *p = (char*)pvt;
+     size_t len;
+ 
+-    len = snprintf(p, MAX, "%s, %s %s, %"PRIu32", %"PRIu32", %" PRIu32,
++    len = snprintf(p, DATA_MAX, "%s, %s %s, %"PRIu32", %"PRIu32", %" PRIu32,
+                    dom_name, dom_sid, range_id, min_id, max_id, first_rid);
+ 
+-    if (len >= MAX) {
++    if (len >= DATA_MAX) {
+         return IDMAP_OUT_OF_MEMORY;
+     }
+     return IDMAP_SUCCESS;
+diff --git a/src/util/util.h b/src/util/util.h
+index 3003583b7..fce7e42c3 100644
+--- a/src/util/util.h
++++ b/src/util/util.h
+@@ -68,6 +68,14 @@
+ 
+ #define ZERO_STRUCT(x) memset((char *)&(x), 0, sizeof(x))
+ 
++#ifndef MIN
++#define MIN(a, b)  (((a) < (b)) ? (a) : (b))
++#endif
++
++#ifndef MAX
++#define MAX(a, b)  (((a) > (b)) ? (a) : (b))
++#endif
++
+ #define SSSD_MAIN_OPTS SSSD_DEBUG_OPTS
+ 
+ #define SSSD_SERVER_OPTS(uid, gid) \
+-- 
+2.20.1
+
diff --git a/SOURCES/0055-BE-Extend-be_ptask_create-with-control-when-to-sched.patch b/SOURCES/0055-BE-Extend-be_ptask_create-with-control-when-to-sched.patch
new file mode 100644
index 0000000..3ce5ee4
--- /dev/null
+++ b/SOURCES/0055-BE-Extend-be_ptask_create-with-control-when-to-sched.patch
@@ -0,0 +1,465 @@
+From 70d477efb1a43b3e1750b4aca868dadc2ed435d5 Mon Sep 17 00:00:00 2001
+From: Jakub Hrozek <jhrozek@redhat.com>
+Date: Tue, 18 Jun 2019 20:49:00 +0200
+Subject: [PATCH 55/64] BE: Extend be_ptask_create() with control when to
+ schedule next run after success
+
+Related: https://pagure.io/SSSD/sssd/issue/4012
+
+be_ptask_create() used to always schedule the next periodical run
+"period" seconds after the previous run started. This is great for tasks
+that are short-lived like DNS updates because we know they will be
+executed really with the configured period.
+
+But the background refresh task can potentially take a very long time in
+which case the next run could have been scheduled almost immediately and
+as a result sssd_be would always be quite busy. It is better to have the
+option to schedule the next task period seconds after the last run has
+finished. This can lead to some inconsistency, but we can warn the
+admin about that.
+
+This patch so far does not change any of the existing calls to
+be_ptask_create(), just adds BE_PTASK_SCHEDULE_FROM_LAST as an
+additional parameter.
+
+Reviewed-by: Sumit Bose <sbose@redhat.com>
+(cherry picked from commit 0fbc317ac7f1fe13cd41364c67db7d7a19d7d546)
+
+Reviewed-by: Sumit Bose <sbose@redhat.com>
+---
+ src/providers/ad/ad_machine_pw_renewal.c |  4 +-
+ src/providers/ad/ad_subdomains.c         |  4 +-
+ src/providers/be_ptask.c                 | 10 ++--
+ src/providers/be_ptask.h                 | 24 ++++++++-
+ src/providers/be_ptask_private.h         |  1 +
+ src/providers/be_refresh.c               |  4 +-
+ src/providers/ipa/ipa_subdomains.c       |  4 +-
+ src/providers/ldap/ldap_id_enum.c        |  1 +
+ src/providers/ldap/sdap_sudo_shared.c    |  8 ++-
+ src/tests/cmocka/test_be_ptask.c         | 62 ++++++++++++++++--------
+ 10 files changed, 89 insertions(+), 33 deletions(-)
+
+diff --git a/src/providers/ad/ad_machine_pw_renewal.c b/src/providers/ad/ad_machine_pw_renewal.c
+index 5b6ba26b7..47941dfbf 100644
+--- a/src/providers/ad/ad_machine_pw_renewal.c
++++ b/src/providers/ad/ad_machine_pw_renewal.c
+@@ -382,7 +382,9 @@ errno_t ad_machine_account_password_renewal_init(struct be_ctx *be_ctx,
+     }
+ 
+     ret = be_ptask_create(be_ctx, be_ctx, period, initial_delay, 0, 0, 60,
+-                          BE_PTASK_OFFLINE_DISABLE, 0,
++                          BE_PTASK_OFFLINE_DISABLE,
++                          BE_PTASK_SCHEDULE_FROM_LAST,
++                          0,
+                           ad_machine_account_password_renewal_send,
+                           ad_machine_account_password_renewal_recv,
+                           renewal_data,
+diff --git a/src/providers/ad/ad_subdomains.c b/src/providers/ad/ad_subdomains.c
+index e3e3d3ece..45a8fe0fc 100644
+--- a/src/providers/ad/ad_subdomains.c
++++ b/src/providers/ad/ad_subdomains.c
+@@ -2111,7 +2111,9 @@ errno_t ad_subdomains_init(TALLOC_CTX *mem_ctx,
+ 
+     period = be_ctx->domain->subdomain_refresh_interval;
+     ret = be_ptask_create(sd_ctx, be_ctx, period, 0, 0, 0, period,
+-                          BE_PTASK_OFFLINE_DISABLE, 0,
++                          BE_PTASK_OFFLINE_DISABLE,
++                          BE_PTASK_SCHEDULE_FROM_LAST,
++                          0,
+                           ad_subdomains_ptask_send, ad_subdomains_ptask_recv, sd_ctx,
+                           "Subdomains Refresh", NULL);
+     if (ret != EOK) {
+diff --git a/src/providers/be_ptask.c b/src/providers/be_ptask.c
+index c43351755..32d9a03ce 100644
+--- a/src/providers/be_ptask.c
++++ b/src/providers/be_ptask.c
+@@ -30,11 +30,6 @@
+ 
+ #define backoff_allowed(ptask) (ptask->max_backoff != 0)
+ 
+-enum be_ptask_schedule {
+-    BE_PTASK_SCHEDULE_FROM_NOW,
+-    BE_PTASK_SCHEDULE_FROM_LAST
+-};
+-
+ enum be_ptask_delay {
+     BE_PTASK_FIRST_DELAY,
+     BE_PTASK_ENABLED_DELAY,
+@@ -182,7 +177,7 @@ static void be_ptask_done(struct tevent_req *req)
+         DEBUG(SSSDBG_TRACE_FUNC, "Task [%s]: finished successfully\n",
+                                   task->name);
+ 
+-        be_ptask_schedule(task, BE_PTASK_PERIOD, BE_PTASK_SCHEDULE_FROM_LAST);
++        be_ptask_schedule(task, BE_PTASK_PERIOD, task->success_schedule_type);
+         break;
+     default:
+         DEBUG(SSSDBG_OP_FAILURE, "Task [%s]: failed with [%d]: %s\n",
+@@ -268,6 +263,7 @@ errno_t be_ptask_create(TALLOC_CTX *mem_ctx,
+                         time_t random_offset,
+                         time_t timeout,
+                         enum be_ptask_offline offline,
++                        enum be_ptask_schedule success_schedule_type,
+                         time_t max_backoff,
+                         be_ptask_send_t send_fn,
+                         be_ptask_recv_t recv_fn,
+@@ -300,6 +296,7 @@ errno_t be_ptask_create(TALLOC_CTX *mem_ctx,
+     task->max_backoff = max_backoff;
+     task->timeout = timeout;
+     task->offline = offline;
++    task->success_schedule_type = success_schedule_type;
+     task->send_fn = send_fn;
+     task->recv_fn = recv_fn;
+     task->pvt = pvt;
+@@ -470,6 +467,7 @@ errno_t be_ptask_create_sync(TALLOC_CTX *mem_ctx,
+ 
+     ret = be_ptask_create(mem_ctx, be_ctx, period, first_delay,
+                           enabled_delay, random_offset, timeout, offline,
++                          BE_PTASK_SCHEDULE_FROM_LAST,
+                           max_backoff, be_ptask_sync_send, be_ptask_sync_recv,
+                           ctx, name, _task);
+     if (ret != EOK) {
+diff --git a/src/providers/be_ptask.h b/src/providers/be_ptask.h
+index 3b9755361..c23278e88 100644
+--- a/src/providers/be_ptask.h
++++ b/src/providers/be_ptask.h
+@@ -46,6 +46,19 @@ enum be_ptask_offline {
+     BE_PTASK_OFFLINE_EXECUTE
+ };
+ 
++/**
++ * Defines the starting point for scheduling a task
++ */
++enum be_ptask_schedule {
++    /* Schedule starting from now, typically this is used when scheduling
++     * relative to the finish time
++     */
++    BE_PTASK_SCHEDULE_FROM_NOW,
++    /* Schedule relative to the start time of the task
++     */
++    BE_PTASK_SCHEDULE_FROM_LAST
++};
++
+ typedef struct tevent_req *
+ (*be_ptask_send_t)(TALLOC_CTX *mem_ctx,
+                    struct tevent_context *ev,
+@@ -75,6 +88,14 @@ typedef errno_t
+  * The first execution is scheduled first_delay seconds after the task is
+  * created.
+  *
++ * Subsequent runs will be scheduled depending on the value of the
++ * success_schedule_type parameter:
++ *  - BE_PTASK_SCHEDULE_FROM_NOW: period seconds from the finish time
++ *  - BE_PTASK_SCHEDULE_FROM_LAST: period seconds from the last start time
++ *
++ * If the test fails, another run is always scheduled period seconds
++ * from the finish time.
++ *
+  * If request does not complete in timeout seconds, it will be
+  * cancelled and rescheduled to 'now + period'.
+  *
+@@ -83,7 +104,7 @@ typedef errno_t
+  *
+  * The random_offset is maximum number of seconds added to the
+  * expected delay. Set to 0 if no randomization is needed.
+-
++ *
+  * If max_backoff is not 0 then the period is doubled
+  * every time the task is scheduled. The maximum value of
+  * period is max_backoff. The value of period will be reset to
+@@ -100,6 +121,7 @@ errno_t be_ptask_create(TALLOC_CTX *mem_ctx,
+                         time_t random_offset,
+                         time_t timeout,
+                         enum be_ptask_offline offline,
++                        enum be_ptask_schedule success_schedule_type,
+                         time_t max_backoff,
+                         be_ptask_send_t send_fn,
+                         be_ptask_recv_t recv_fn,
+diff --git a/src/providers/be_ptask_private.h b/src/providers/be_ptask_private.h
+index 4144a3938..e89105f95 100644
+--- a/src/providers/be_ptask_private.h
++++ b/src/providers/be_ptask_private.h
+@@ -32,6 +32,7 @@ struct be_ptask {
+     time_t timeout;
+     time_t max_backoff;
+     enum be_ptask_offline offline;
++    enum be_ptask_schedule success_schedule_type;
+     be_ptask_send_t send_fn;
+     be_ptask_recv_t recv_fn;
+     void *pvt;
+diff --git a/src/providers/be_refresh.c b/src/providers/be_refresh.c
+index 5d86509bb..50b023c3d 100644
+--- a/src/providers/be_refresh.c
++++ b/src/providers/be_refresh.c
+@@ -156,7 +156,9 @@ errno_t be_refresh_ctx_init(struct be_ctx *be_ctx,
+     refresh_interval = be_ctx->domain->refresh_expired_interval;
+     if (refresh_interval > 0) {
+         ret = be_ptask_create(be_ctx, be_ctx, refresh_interval, 30, 5, 0,
+-                              refresh_interval, BE_PTASK_OFFLINE_SKIP, 0,
++                              refresh_interval, BE_PTASK_OFFLINE_SKIP,
++                              BE_PTASK_SCHEDULE_FROM_LAST,
++                              0,
+                               be_refresh_send, be_refresh_recv,
+                               ctx, "Refresh Records", NULL);
+         if (ret != EOK) {
+diff --git a/src/providers/ipa/ipa_subdomains.c b/src/providers/ipa/ipa_subdomains.c
+index 94365aaca..3a17c851d 100644
+--- a/src/providers/ipa/ipa_subdomains.c
++++ b/src/providers/ipa/ipa_subdomains.c
+@@ -3134,7 +3134,9 @@ errno_t ipa_subdomains_init(TALLOC_CTX *mem_ctx,
+ 
+     period = be_ctx->domain->subdomain_refresh_interval;
+     ret = be_ptask_create(sd_ctx, be_ctx, period, ptask_first_delay, 0, 0, period,
+-                          BE_PTASK_OFFLINE_DISABLE, 0,
++                          BE_PTASK_OFFLINE_DISABLE,
++                          BE_PTASK_SCHEDULE_FROM_LAST,
++                          0,
+                           ipa_subdomains_ptask_send, ipa_subdomains_ptask_recv, sd_ctx,
+                           "Subdomains Refresh", NULL);
+     if (ret != EOK) {
+diff --git a/src/providers/ldap/ldap_id_enum.c b/src/providers/ldap/ldap_id_enum.c
+index 8832eb558..062185c55 100644
+--- a/src/providers/ldap/ldap_id_enum.c
++++ b/src/providers/ldap/ldap_id_enum.c
+@@ -99,6 +99,7 @@ errno_t ldap_setup_enumeration(struct be_ctx *be_ctx,
+                           0,                        /* random offset */
+                           period,                   /* timeout */
+                           BE_PTASK_OFFLINE_SKIP,
++                          BE_PTASK_SCHEDULE_FROM_LAST,
+                           0,                        /* max_backoff */
+                           send_fn, recv_fn,
+                           ectx, "enumeration", &sdom->enum_task);
+diff --git a/src/providers/ldap/sdap_sudo_shared.c b/src/providers/ldap/sdap_sudo_shared.c
+index 66b788702..982fdbf7f 100644
+--- a/src/providers/ldap/sdap_sudo_shared.c
++++ b/src/providers/ldap/sdap_sudo_shared.c
+@@ -90,7 +90,9 @@ sdap_sudo_ptask_setup_generic(struct be_ctx *be_ctx,
+      * when offline. */
+     if (full > 0) {
+         ret = be_ptask_create(be_ctx, be_ctx, full, delay, 0, 0, full,
+-                              BE_PTASK_OFFLINE_DISABLE, 0,
++                              BE_PTASK_OFFLINE_DISABLE,
++                              BE_PTASK_SCHEDULE_FROM_LAST,
++                              0,
+                               full_send_fn, full_recv_fn, pvt,
+                               "SUDO Full Refresh", NULL);
+         if (ret != EOK) {
+@@ -107,7 +109,9 @@ sdap_sudo_ptask_setup_generic(struct be_ctx *be_ctx,
+      * when offline. */
+     if (smart > 0) {
+         ret = be_ptask_create(be_ctx, be_ctx, smart, delay + smart, smart, 0,
+-                              smart, BE_PTASK_OFFLINE_DISABLE, 0,
++                              smart, BE_PTASK_OFFLINE_DISABLE,
++                              BE_PTASK_SCHEDULE_FROM_LAST,
++                              0,
+                               smart_send_fn, smart_recv_fn, pvt,
+                               "SUDO Smart Refresh", NULL);
+         if (ret != EOK) {
+diff --git a/src/tests/cmocka/test_be_ptask.c b/src/tests/cmocka/test_be_ptask.c
+index ca80b5442..45c41ed58 100644
+--- a/src/tests/cmocka/test_be_ptask.c
++++ b/src/tests/cmocka/test_be_ptask.c
+@@ -306,7 +306,8 @@ void test_be_ptask_create_einval_be(void **state)
+     errno_t ret;
+ 
+     ret = be_ptask_create(test_ctx, NULL, PERIOD, 0, 0, 0, 0,
+-                          BE_PTASK_OFFLINE_SKIP, 0, test_be_ptask_send,
++                          BE_PTASK_OFFLINE_SKIP, BE_PTASK_SCHEDULE_FROM_LAST,
++                          0, test_be_ptask_send,
+                           test_be_ptask_recv, NULL, "Test ptask", &ptask);
+     assert_int_equal(ret, EINVAL);
+     assert_null(ptask);
+@@ -319,7 +320,8 @@ void test_be_ptask_create_einval_period(void **state)
+     errno_t ret;
+ 
+     ret = be_ptask_create(test_ctx, test_ctx->be_ctx, 0, 0, 0, 0, 0,
+-                          BE_PTASK_OFFLINE_SKIP, 0, test_be_ptask_send,
++                          BE_PTASK_OFFLINE_SKIP, BE_PTASK_SCHEDULE_FROM_LAST,
++                          0, test_be_ptask_send,
+                           test_be_ptask_recv, NULL, "Test ptask", &ptask);
+     assert_int_equal(ret, EINVAL);
+     assert_null(ptask);
+@@ -332,7 +334,8 @@ void test_be_ptask_create_einval_send(void **state)
+     errno_t ret;
+ 
+     ret = be_ptask_create(test_ctx, test_ctx->be_ctx, PERIOD, 0, 0, 0, 0,
+-                          BE_PTASK_OFFLINE_SKIP, 0, NULL,
++                          BE_PTASK_OFFLINE_SKIP, BE_PTASK_SCHEDULE_FROM_LAST,
++                          0, NULL,
+                           test_be_ptask_recv, NULL, "Test ptask", &ptask);
+     assert_int_equal(ret, EINVAL);
+     assert_null(ptask);
+@@ -345,7 +348,8 @@ void test_be_ptask_create_einval_recv(void **state)
+     errno_t ret;
+ 
+     ret = be_ptask_create(test_ctx, test_ctx->be_ctx, PERIOD, 0, 0, 0, 0,
+-                          BE_PTASK_OFFLINE_SKIP, 0, test_be_ptask_send,
++                          BE_PTASK_OFFLINE_SKIP, BE_PTASK_SCHEDULE_FROM_LAST,
++                          0, test_be_ptask_send,
+                           NULL, NULL, "Test ptask", &ptask);
+     assert_int_equal(ret, EINVAL);
+     assert_null(ptask);
+@@ -358,7 +362,8 @@ void test_be_ptask_create_einval_name(void **state)
+     errno_t ret;
+ 
+     ret = be_ptask_create(test_ctx, test_ctx->be_ctx, PERIOD, 0, 0, 0, 0,
+-                          BE_PTASK_OFFLINE_SKIP, 0, test_be_ptask_send,
++                          BE_PTASK_OFFLINE_SKIP, BE_PTASK_SCHEDULE_FROM_LAST,
++                          0, test_be_ptask_send,
+                           test_be_ptask_recv, NULL, NULL, &ptask);
+     assert_int_equal(ret, EINVAL);
+     assert_null(ptask);
+@@ -373,7 +378,8 @@ void test_be_ptask_create_no_delay(void **state)
+ 
+     now = get_current_time();
+     ret = be_ptask_create(test_ctx, test_ctx->be_ctx, PERIOD, 0, 0, 0, 0,
+-                          BE_PTASK_OFFLINE_SKIP, 0, test_be_ptask_send,
++                          BE_PTASK_OFFLINE_SKIP, BE_PTASK_SCHEDULE_FROM_LAST,
++                          0, test_be_ptask_send,
+                           test_be_ptask_recv, test_ctx, "Test ptask", &ptask);
+     assert_int_equal(ret, ERR_OK);
+     assert_non_null(ptask);
+@@ -400,7 +406,8 @@ void test_be_ptask_create_first_delay(void **state)
+ 
+     now = get_current_time();
+     ret = be_ptask_create(test_ctx, test_ctx->be_ctx, PERIOD, DELAY, 0, 0, 0,
+-                          BE_PTASK_OFFLINE_SKIP, 0, test_be_ptask_send,
++                          BE_PTASK_OFFLINE_SKIP, BE_PTASK_SCHEDULE_FROM_LAST,
++                          0, test_be_ptask_send,
+                           test_be_ptask_recv, test_ctx, "Test ptask", &ptask);
+     assert_int_equal(ret, ERR_OK);
+     assert_non_null(ptask);
+@@ -425,7 +432,8 @@ void test_be_ptask_disable(void **state)
+     errno_t ret;
+ 
+     ret = be_ptask_create(test_ctx, test_ctx->be_ctx, PERIOD, 0, 0, 0, 0,
+-                          BE_PTASK_OFFLINE_SKIP, 0, test_be_ptask_send,
++                          BE_PTASK_OFFLINE_SKIP, BE_PTASK_SCHEDULE_FROM_LAST,
++                          0, test_be_ptask_send,
+                           test_be_ptask_recv, test_ctx, "Test ptask", &ptask);
+     assert_int_equal(ret, ERR_OK);
+     assert_non_null(ptask);
+@@ -449,7 +457,8 @@ void test_be_ptask_enable(void **state)
+ 
+     now = get_current_time();
+     ret = be_ptask_create(test_ctx, test_ctx->be_ctx, PERIOD, 0, 0, 0, 0,
+-                          BE_PTASK_OFFLINE_SKIP, 0, test_be_ptask_send,
++                          BE_PTASK_OFFLINE_SKIP, BE_PTASK_SCHEDULE_FROM_LAST,
++                          0, test_be_ptask_send,
+                           test_be_ptask_recv, test_ctx, "Test ptask", &ptask);
+     assert_int_equal(ret, ERR_OK);
+     assert_non_null(ptask);
+@@ -481,7 +490,8 @@ void test_be_ptask_enable_delay(void **state)
+     errno_t ret;
+ 
+     ret = be_ptask_create(test_ctx, test_ctx->be_ctx, PERIOD, 0, DELAY, 0, 0,
+-                          BE_PTASK_OFFLINE_SKIP, 0, test_be_ptask_send,
++                          BE_PTASK_OFFLINE_SKIP, BE_PTASK_SCHEDULE_FROM_LAST,
++                          0, test_be_ptask_send,
+                           test_be_ptask_recv, test_ctx, "Test ptask", &ptask);
+     assert_int_equal(ret, ERR_OK);
+     assert_non_null(ptask);
+@@ -520,7 +530,8 @@ void test_be_ptask_offline_skip(void **state)
+ 
+     now = get_current_time();
+     ret = be_ptask_create(test_ctx, test_ctx->be_ctx, PERIOD, 0, 0, 0, 0,
+-                          BE_PTASK_OFFLINE_SKIP, 0, test_be_ptask_send,
++                          BE_PTASK_OFFLINE_SKIP, BE_PTASK_SCHEDULE_FROM_LAST,
++                          0, test_be_ptask_send,
+                           test_be_ptask_recv, test_ctx, "Test ptask", &ptask);
+     assert_int_equal(ret, ERR_OK);
+     assert_non_null(ptask);
+@@ -553,7 +564,9 @@ void test_be_ptask_offline_disable(void **state)
+     will_return(be_add_offline_cb, test_ctx);
+ 
+     ret = be_ptask_create(test_ctx, test_ctx->be_ctx, PERIOD, 0, 0, 0, 0,
+-                          BE_PTASK_OFFLINE_DISABLE, 0, test_be_ptask_send,
++                          BE_PTASK_OFFLINE_DISABLE,
++                          BE_PTASK_SCHEDULE_FROM_LAST,
++                          0, test_be_ptask_send,
+                           test_be_ptask_recv, test_ctx, "Test ptask", &ptask);
+     assert_int_equal(ret, ERR_OK);
+     assert_non_null(ptask);
+@@ -583,7 +596,9 @@ void test_be_ptask_offline_execute(void **state)
+     mark_offline(test_ctx);
+ 
+     ret = be_ptask_create(test_ctx, test_ctx->be_ctx, PERIOD, 0, 0, 0, 0,
+-                          BE_PTASK_OFFLINE_EXECUTE, 0, test_be_ptask_send,
++                          BE_PTASK_OFFLINE_EXECUTE,
++                          BE_PTASK_SCHEDULE_FROM_LAST,
++                          0, test_be_ptask_send,
+                           test_be_ptask_recv, test_ctx, "Test ptask", &ptask);
+     assert_int_equal(ret, ERR_OK);
+     assert_non_null(ptask);
+@@ -610,7 +625,8 @@ void test_be_ptask_reschedule_ok(void **state)
+ 
+     now = get_current_time();
+     ret = be_ptask_create(test_ctx, test_ctx->be_ctx, PERIOD, 0, 0, 0, 0,
+-                          BE_PTASK_OFFLINE_SKIP, 0, test_be_ptask_send,
++                          BE_PTASK_OFFLINE_SKIP, BE_PTASK_SCHEDULE_FROM_LAST,
++                          0, test_be_ptask_send,
+                           test_be_ptask_recv, test_ctx, "Test ptask", &ptask);
+     assert_int_equal(ret, ERR_OK);
+     assert_non_null(ptask);
+@@ -641,7 +657,8 @@ void test_be_ptask_reschedule_null(void **state)
+     errno_t ret;
+ 
+     ret = be_ptask_create(test_ctx, test_ctx->be_ctx, PERIOD, 0, 0, 0, 0,
+-                          BE_PTASK_OFFLINE_SKIP, 0, test_be_ptask_null_send,
++                          BE_PTASK_OFFLINE_SKIP, BE_PTASK_SCHEDULE_FROM_LAST,
++                          0, test_be_ptask_null_send,
+                           test_be_ptask_recv, test_ctx, "Test ptask",
+                           &ptask);
+     assert_int_equal(ret, ERR_OK);
+@@ -668,7 +685,8 @@ void test_be_ptask_reschedule_error(void **state)
+     errno_t ret;
+ 
+     ret = be_ptask_create(test_ctx, test_ctx->be_ctx, PERIOD, 0, 0, 0, 0,
+-                          BE_PTASK_OFFLINE_SKIP, 0, test_be_ptask_send,
++                          BE_PTASK_OFFLINE_SKIP, BE_PTASK_SCHEDULE_FROM_LAST,
++                          0, test_be_ptask_send,
+                           test_be_ptask_error_recv, test_ctx, "Test ptask",
+                           &ptask);
+     assert_int_equal(ret, ERR_OK);
+@@ -695,7 +713,8 @@ void test_be_ptask_reschedule_timeout(void **state)
+     errno_t ret;
+ 
+     ret = be_ptask_create(test_ctx, test_ctx->be_ctx, PERIOD, 0, 0, 0, 1,
+-                          BE_PTASK_OFFLINE_SKIP, 0, test_be_ptask_timeout_send,
++                          BE_PTASK_OFFLINE_SKIP, BE_PTASK_SCHEDULE_FROM_LAST,
++                          0, test_be_ptask_timeout_send,
+                           test_be_ptask_error_recv, test_ctx, "Test ptask",
+                           &ptask);
+     assert_int_equal(ret, ERR_OK);
+@@ -732,7 +751,8 @@ void test_be_ptask_reschedule_backoff(void **state)
+ 
+     now_first = get_current_time();
+     ret = be_ptask_create(test_ctx, test_ctx->be_ctx, PERIOD, 0, 0, 0, 0,
+-                          BE_PTASK_OFFLINE_SKIP, PERIOD*2, test_be_ptask_send,
++                          BE_PTASK_OFFLINE_SKIP, BE_PTASK_SCHEDULE_FROM_LAST,
++                          PERIOD*2, test_be_ptask_send,
+                           test_be_ptask_recv, test_ctx, "Test ptask", &ptask);
+     assert_int_equal(ret, ERR_OK);
+     assert_non_null(ptask);
+@@ -786,7 +806,8 @@ void test_be_ptask_get_period(void **state)
+     errno_t ret;
+ 
+     ret = be_ptask_create(test_ctx, test_ctx->be_ctx, PERIOD, 0, 0, 0, 0,
+-                          BE_PTASK_OFFLINE_SKIP, 0, test_be_ptask_send,
++                          BE_PTASK_OFFLINE_SKIP, BE_PTASK_SCHEDULE_FROM_LAST,
++                          0, test_be_ptask_send,
+                           test_be_ptask_recv, test_ctx, "Test ptask", &ptask);
+     assert_int_equal(ret, ERR_OK);
+     assert_non_null(ptask);
+@@ -806,7 +827,8 @@ void test_be_ptask_get_timeout(void **state)
+     errno_t ret;
+ 
+     ret = be_ptask_create(test_ctx, test_ctx->be_ctx, PERIOD, 0, 0, 0, TIMEOUT,
+-                          BE_PTASK_OFFLINE_SKIP, 0, test_be_ptask_send,
++                          BE_PTASK_OFFLINE_SKIP, BE_PTASK_SCHEDULE_FROM_LAST,
++                          0, test_be_ptask_send,
+                           test_be_ptask_recv, test_ctx, "Test ptask", &ptask);
+     assert_int_equal(ret, ERR_OK);
+     assert_non_null(ptask);
+-- 
+2.20.1
+
diff --git a/SOURCES/0056-BE-Schedule-the-refresh-interval-from-the-finish-tim.patch b/SOURCES/0056-BE-Schedule-the-refresh-interval-from-the-finish-tim.patch
new file mode 100644
index 0000000..197a06a
--- /dev/null
+++ b/SOURCES/0056-BE-Schedule-the-refresh-interval-from-the-finish-tim.patch
@@ -0,0 +1,37 @@
+From 873c9417fefc0ce7ce02f4fe4fd3b858b9b1781b Mon Sep 17 00:00:00 2001
+From: Jakub Hrozek <jhrozek@redhat.com>
+Date: Wed, 19 Jun 2019 22:03:16 +0200
+Subject: [PATCH 56/64] BE: Schedule the refresh interval from the finish time
+ of the last run
+
+Related: https://pagure.io/SSSD/sssd/issue/4012
+
+Changes scheduling the periodical task so that the next run is started
+relative to the previous run finish time, not start time to protect
+against cases where the refresh would take too long and run practically
+all the time.
+
+Reviewed-by: Sumit Bose <sbose@redhat.com>
+(cherry picked from commit 576f3691a2d22322b08fb55fe74899d2ea4975d6)
+
+Reviewed-by: Sumit Bose <sbose@redhat.com>
+---
+ src/providers/be_refresh.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/providers/be_refresh.c b/src/providers/be_refresh.c
+index 50b023c3d..a9d4295ec 100644
+--- a/src/providers/be_refresh.c
++++ b/src/providers/be_refresh.c
+@@ -157,7 +157,7 @@ errno_t be_refresh_ctx_init(struct be_ctx *be_ctx,
+     if (refresh_interval > 0) {
+         ret = be_ptask_create(be_ctx, be_ctx, refresh_interval, 30, 5, 0,
+                               refresh_interval, BE_PTASK_OFFLINE_SKIP,
+-                              BE_PTASK_SCHEDULE_FROM_LAST,
++                              BE_PTASK_SCHEDULE_FROM_NOW,
+                               0,
+                               be_refresh_send, be_refresh_recv,
+                               ctx, "Refresh Records", NULL);
+-- 
+2.20.1
+
diff --git a/SOURCES/0057-AD-Implement-background-refresh-for-AD-domains.patch b/SOURCES/0057-AD-Implement-background-refresh-for-AD-domains.patch
new file mode 100644
index 0000000..a9fbceb
--- /dev/null
+++ b/SOURCES/0057-AD-Implement-background-refresh-for-AD-domains.patch
@@ -0,0 +1,592 @@
+From 6777831bc1b0d1218d635d2913326883f509f3e8 Mon Sep 17 00:00:00 2001
+From: Jakub Hrozek <jhrozek@redhat.com>
+Date: Wed, 24 Apr 2019 20:52:11 +0200
+Subject: [PATCH 57/64] AD: Implement background refresh for AD domains
+
+Split out the actual useful functionality from the AD account handler
+into a tevent request. This tevent request is then subsequently used by
+a new ad_refresh module.
+
+Related:
+https://pagure.io/SSSD/sssd/issue/4012
+
+Reviewed-by: Sumit Bose <sbose@redhat.com>
+(cherry picked from commit b72adfcc332b13489931483201bcc4c7ecf9ecb6)
+
+Reviewed-by: Sumit Bose <sbose@redhat.com>
+---
+ Makefile.am                   |   5 +-
+ src/providers/ad/ad_common.h  |   4 +
+ src/providers/ad/ad_id.c      | 140 +++++++++++++----
+ src/providers/ad/ad_id.h      |  10 ++
+ src/providers/ad/ad_init.c    |   2 +-
+ src/providers/ad/ad_refresh.c | 283 ++++++++++++++++++++++++++++++++++
+ 6 files changed, 412 insertions(+), 32 deletions(-)
+ create mode 100644 src/providers/ad/ad_refresh.c
+
+diff --git a/Makefile.am b/Makefile.am
+index 0c24ae664..7d83b6847 100644
+--- a/Makefile.am
++++ b/Makefile.am
+@@ -4243,7 +4243,10 @@ libsss_ad_la_SOURCES = \
+     src/providers/ad/ad_gpo_ndr.c \
+     src/providers/ad/ad_srv.c \
+     src/providers/ad/ad_subdomains.c \
+-    src/providers/ad/ad_domain_info.c
++    src/providers/ad/ad_domain_info.c \
++    src/providers/ad/ad_refresh.c \
++    $(NULL)
++
+ 
+ if BUILD_SUDO
+ libsss_ad_la_SOURCES += \
+diff --git a/src/providers/ad/ad_common.h b/src/providers/ad/ad_common.h
+index 2f624df3d..44369288e 100644
+--- a/src/providers/ad/ad_common.h
++++ b/src/providers/ad/ad_common.h
+@@ -221,4 +221,8 @@ errno_t ad_inherit_opts_if_needed(struct dp_option *parent_opts,
+                                   struct confdb_ctx *cdb,
+                                   const char *subdom_conf_path,
+                                   int opt_id);
++
++errno_t ad_refresh_init(struct be_ctx *be_ctx,
++                        struct ad_id_ctx *id_ctx);
++
+ #endif /* AD_COMMON_H_ */
+diff --git a/src/providers/ad/ad_id.c b/src/providers/ad/ad_id.c
+index c3bda1662..eb6e36824 100644
+--- a/src/providers/ad/ad_id.c
++++ b/src/providers/ad/ad_id.c
+@@ -360,44 +360,36 @@ get_conn_list(TALLOC_CTX *mem_ctx, struct ad_id_ctx *ad_ctx,
+     return clist;
+ }
+ 
+-struct ad_account_info_handler_state {
+-    struct sss_domain_info *domain;
+-    struct dp_reply_std reply;
++struct ad_account_info_state {
++    const char *err_msg;
++    int dp_error;
+ };
+ 
+-static void ad_account_info_handler_done(struct tevent_req *subreq);
++static void ad_account_info_done(struct tevent_req *subreq);
+ 
+ struct tevent_req *
+-ad_account_info_handler_send(TALLOC_CTX *mem_ctx,
+-                              struct ad_id_ctx *id_ctx,
+-                              struct dp_id_data *data,
+-                              struct dp_req_params *params)
++ad_account_info_send(TALLOC_CTX *mem_ctx,
++                     struct be_ctx *be_ctx,
++                     struct ad_id_ctx *id_ctx,
++                     struct dp_id_data *data)
+ {
+-    struct ad_account_info_handler_state *state;
+-    struct sdap_id_conn_ctx **clist;
+-    struct sdap_id_ctx *sdap_id_ctx;
+-    struct sss_domain_info *domain;
++    struct sss_domain_info *domain = NULL;
++    struct ad_account_info_state *state = NULL;
++    struct tevent_req *req = NULL;
++    struct tevent_req *subreq = NULL;
++    struct sdap_id_conn_ctx **clist = NULL;
++    struct sdap_id_ctx *sdap_id_ctx = NULL;
+     struct sdap_domain *sdom;
+-    struct tevent_req *subreq;
+-    struct tevent_req *req;
+-    struct be_ctx *be_ctx;
+     errno_t ret;
+ 
+-    sdap_id_ctx = id_ctx->sdap_id_ctx;
+-    be_ctx = params->be_ctx;
+-
+     req = tevent_req_create(mem_ctx, &state,
+-                            struct ad_account_info_handler_state);
++                            struct ad_account_info_state);
+     if (req == NULL) {
+         DEBUG(SSSDBG_CRIT_FAILURE, "tevent_req_create() failed\n");
+         return NULL;
+     }
+ 
+-    if (sdap_is_enum_request(data)) {
+-        DEBUG(SSSDBG_TRACE_LIBS, "Skipping enumeration on demand\n");
+-        ret = EOK;
+-        goto immediately;
+-    }
++    sdap_id_ctx = id_ctx->sdap_id_ctx;
+ 
+     domain = be_ctx->domain;
+     if (strcasecmp(data->domain, be_ctx->domain->name) != 0) {
+@@ -406,6 +398,7 @@ ad_account_info_handler_send(TALLOC_CTX *mem_ctx,
+     }
+ 
+     if (domain == NULL) {
++        DEBUG(SSSDBG_CRIT_FAILURE, "Unknown domain\n");
+         ret = EINVAL;
+         goto immediately;
+     }
+@@ -413,6 +406,7 @@ ad_account_info_handler_send(TALLOC_CTX *mem_ctx,
+     /* Determine whether to connect to GC, LDAP or try both. */
+     clist = get_conn_list(state, id_ctx, domain, data);
+     if (clist == NULL) {
++        DEBUG(SSSDBG_CRIT_FAILURE, "Cannot create conn list\n");
+         ret = EIO;
+         goto immediately;
+     }
+@@ -423,14 +417,100 @@ ad_account_info_handler_send(TALLOC_CTX *mem_ctx,
+         goto immediately;
+     }
+ 
+-    state->domain = sdom->dom;
+-
+     subreq = ad_handle_acct_info_send(state, data, sdap_id_ctx,
+                                       id_ctx->ad_options, sdom, clist);
+     if (subreq == NULL) {
+         ret = ENOMEM;
+         goto immediately;
+     }
++    tevent_req_set_callback(subreq, ad_account_info_done, req);
++    return req;
++
++immediately:
++    tevent_req_error(req, ret);
++    tevent_req_post(req, be_ctx->ev);
++    return req;
++}
++
++static void ad_account_info_done(struct tevent_req *subreq)
++{
++    struct ad_account_info_state *state = NULL;
++    struct tevent_req *req = NULL;
++    errno_t ret;
++
++    req = tevent_req_callback_data(subreq, struct tevent_req);
++    state = tevent_req_data(req, struct ad_account_info_state);
++
++    ret = ad_handle_acct_info_recv(subreq, &state->dp_error, &state->err_msg);
++    if (ret != EOK) {
++        DEBUG(SSSDBG_OP_FAILURE,
++              "ad_handle_acct_info_recv failed [%d]: %s\n",
++              ret, sss_strerror(ret));
++        /* The caller wouldn't fail either, just report the error up */
++    }
++    talloc_zfree(subreq);
++    tevent_req_done(req);
++}
++
++errno_t ad_account_info_recv(struct tevent_req *req,
++                             int *_dp_error,
++                             const char **_err_msg)
++{
++    struct ad_account_info_state *state = NULL;
++
++    state = tevent_req_data(req, struct ad_account_info_state);
++
++    if (_err_msg != NULL) {
++        *_err_msg = state->err_msg;
++    }
++
++    if (_dp_error) {
++        *_dp_error = state->dp_error;
++    }
++
++
++    TEVENT_REQ_RETURN_ON_ERROR(req);
++
++    return EOK;
++}
++
++struct ad_account_info_handler_state {
++    struct sss_domain_info *domain;
++    struct dp_reply_std reply;
++};
++
++static void ad_account_info_handler_done(struct tevent_req *subreq);
++
++struct tevent_req *
++ad_account_info_handler_send(TALLOC_CTX *mem_ctx,
++                              struct ad_id_ctx *id_ctx,
++                              struct dp_id_data *data,
++                              struct dp_req_params *params)
++{
++    struct ad_account_info_handler_state *state;
++    struct tevent_req *subreq;
++    struct tevent_req *req;
++    errno_t ret;
++
++
++    req = tevent_req_create(mem_ctx, &state,
++                            struct ad_account_info_handler_state);
++    if (req == NULL) {
++        DEBUG(SSSDBG_CRIT_FAILURE, "tevent_req_create() failed\n");
++        return NULL;
++    }
++
++    if (sdap_is_enum_request(data)) {
++        DEBUG(SSSDBG_TRACE_LIBS, "Skipping enumeration on demand\n");
++        ret = EOK;
++        goto immediately;
++    }
++
++    subreq = ad_account_info_send(state, params->be_ctx, id_ctx, data);
++    if (subreq == NULL) {
++        ret = ENOMEM;
++        goto immediately;
++    }
+ 
+     tevent_req_set_callback(subreq, ad_account_info_handler_done, req);
+ 
+@@ -451,13 +531,13 @@ static void ad_account_info_handler_done(struct tevent_req *subreq)
+     struct ad_account_info_handler_state *state;
+     struct tevent_req *req;
+     const char *err_msg;
+-    int dp_error;
++    int dp_error = DP_ERR_FATAL;
+     errno_t ret;
+ 
+     req = tevent_req_callback_data(subreq, struct tevent_req);
+     state = tevent_req_data(req, struct ad_account_info_handler_state);
+ 
+-    ret = ad_handle_acct_info_recv(subreq, &dp_error, &err_msg);
++    ret = ad_account_info_recv(subreq, &dp_error, &err_msg);
+     talloc_zfree(subreq);
+ 
+     /* TODO For backward compatibility we always return EOK to DP now. */
+@@ -466,8 +546,8 @@ static void ad_account_info_handler_done(struct tevent_req *subreq)
+ }
+ 
+ errno_t ad_account_info_handler_recv(TALLOC_CTX *mem_ctx,
+-                                      struct tevent_req *req,
+-                                      struct dp_reply_std *data)
++                                     struct tevent_req *req,
++                                     struct dp_reply_std *data)
+ {
+     struct ad_account_info_handler_state *state = NULL;
+ 
+diff --git a/src/providers/ad/ad_id.h b/src/providers/ad/ad_id.h
+index 5154393c5..19cc54eec 100644
+--- a/src/providers/ad/ad_id.h
++++ b/src/providers/ad/ad_id.h
+@@ -33,6 +33,16 @@ errno_t ad_account_info_handler_recv(TALLOC_CTX *mem_ctx,
+                                       struct tevent_req *req,
+                                       struct dp_reply_std *data);
+ 
++struct tevent_req *
++ad_account_info_send(TALLOC_CTX *mem_ctx,
++                     struct be_ctx *be_ctx,
++                     struct ad_id_ctx *id_ctx,
++                     struct dp_id_data *data);
++
++errno_t ad_account_info_recv(struct tevent_req *req,
++                             int *_dp_error,
++                             const char **_err_msg);
++
+ struct tevent_req *
+ ad_handle_acct_info_send(TALLOC_CTX *mem_ctx,
+                          struct dp_id_data *ar,
+diff --git a/src/providers/ad/ad_init.c b/src/providers/ad/ad_init.c
+index 42c2f150a..f5aea8904 100644
+--- a/src/providers/ad/ad_init.c
++++ b/src/providers/ad/ad_init.c
+@@ -408,7 +408,7 @@ static errno_t ad_init_misc(struct be_ctx *be_ctx,
+         return ret;
+     }
+ 
+-    ret = sdap_refresh_init(be_ctx, sdap_id_ctx);
++    ret = ad_refresh_init(be_ctx, ad_id_ctx);
+     if (ret != EOK && ret != EEXIST) {
+         DEBUG(SSSDBG_MINOR_FAILURE, "Periodical refresh "
+               "will not work [%d]: %s\n", ret, sss_strerror(ret));
+diff --git a/src/providers/ad/ad_refresh.c b/src/providers/ad/ad_refresh.c
+new file mode 100644
+index 000000000..ee541056f
+--- /dev/null
++++ b/src/providers/ad/ad_refresh.c
+@@ -0,0 +1,283 @@
++/*
++    Copyright (C) 2019 Red Hat
++
++    This program is free software; you can redistribute it and/or modify
++    it under the terms of the GNU General Public License as published by
++    the Free Software Foundation; either version 3 of the License, or
++    (at your option) any later version.
++
++    This program is distributed in the hope that it will be useful,
++    but WITHOUT ANY WARRANTY; without even the implied warranty of
++    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
++    GNU General Public License for more details.
++
++    You should have received a copy of the GNU General Public License
++    along with this program.  If not, see <http://www.gnu.org/licenses/>.
++*/
++
++#include <talloc.h>
++#include <tevent.h>
++
++#include "providers/ad/ad_common.h"
++#include "providers/ad/ad_id.h"
++
++struct ad_refresh_state {
++    struct tevent_context *ev;
++    struct be_ctx *be_ctx;
++    struct dp_id_data *account_req;
++    struct ad_id_ctx *id_ctx;
++    char **names;
++    size_t index;
++};
++
++static errno_t ad_refresh_step(struct tevent_req *req);
++static void ad_refresh_done(struct tevent_req *subreq);
++
++static struct tevent_req *ad_refresh_send(TALLOC_CTX *mem_ctx,
++                                            struct tevent_context *ev,
++                                            struct be_ctx *be_ctx,
++                                            struct sss_domain_info *domain,
++                                            int entry_type,
++                                            char **names,
++                                            void *pvt)
++{
++    struct ad_refresh_state *state = NULL;
++    struct tevent_req *req = NULL;
++    errno_t ret;
++    uint32_t filter_type;
++
++    req = tevent_req_create(mem_ctx, &state,
++                            struct ad_refresh_state);
++    if (req == NULL) {
++        DEBUG(SSSDBG_CRIT_FAILURE, "tevent_req_create() failed\n");
++        return NULL;
++    }
++
++    if (names == NULL) {
++        ret = EOK;
++        goto immediately;
++    }
++
++    state->ev = ev;
++    state->be_ctx = be_ctx;
++    state->id_ctx = talloc_get_type(pvt, struct ad_id_ctx);
++    state->names = names;
++    state->index = 0;
++
++    switch (entry_type) {
++    case BE_REQ_NETGROUP:
++        filter_type = BE_FILTER_NAME;
++        break;
++    case BE_REQ_USER:
++    case BE_REQ_GROUP:
++        filter_type = BE_FILTER_SECID;
++        break;
++    default:
++        ret = EINVAL;
++        goto immediately;
++    }
++
++    state->account_req = be_refresh_acct_req(state, entry_type,
++                                             filter_type, domain);
++    if (state->account_req == NULL) {
++        ret = ENOMEM;
++        goto immediately;
++    }
++
++    ret = ad_refresh_step(req);
++    if (ret == EOK) {
++        DEBUG(SSSDBG_TRACE_FUNC, "Nothing to refresh\n");
++        goto immediately;
++    } else if (ret != EAGAIN) {
++        DEBUG(SSSDBG_CRIT_FAILURE, "ad_refresh_step() failed "
++                                   "[%d]: %s\n", ret, sss_strerror(ret));
++        goto immediately;
++    }
++
++    return req;
++
++immediately:
++    if (ret == EOK) {
++        tevent_req_done(req);
++    } else {
++        tevent_req_error(req, ret);
++    }
++    tevent_req_post(req, ev);
++
++    return req;
++}
++
++static errno_t ad_refresh_step(struct tevent_req *req)
++{
++    struct ad_refresh_state *state = NULL;
++    struct tevent_req *subreq = NULL;
++    errno_t ret;
++
++    state = tevent_req_data(req, struct ad_refresh_state);
++
++    if (state->names == NULL) {
++        ret = EOK;
++        goto done;
++    }
++
++    state->account_req->filter_value = state->names[state->index];
++    if (state->account_req->filter_value == NULL) {
++        ret = EOK;
++        goto done;
++    }
++
++    DEBUG(SSSDBG_TRACE_FUNC, "Issuing refresh of %s %s\n",
++          be_req2str(state->account_req->entry_type),
++          state->account_req->filter_value);
++
++    subreq = ad_account_info_send(state, state->be_ctx, state->id_ctx,
++                                  state->account_req);
++    if (subreq == NULL) {
++        ret = ENOMEM;
++        goto done;
++    }
++
++    tevent_req_set_callback(subreq, ad_refresh_done, req);
++
++    state->index++;
++    ret = EAGAIN;
++
++done:
++    return ret;
++}
++
++static void ad_refresh_done(struct tevent_req *subreq)
++{
++    struct ad_refresh_state *state = NULL;
++    struct tevent_req *req = NULL;
++    const char *err_msg = NULL;
++    errno_t dp_error;
++    errno_t ret;
++
++    req = tevent_req_callback_data(subreq, struct tevent_req);
++    state = tevent_req_data(req, struct ad_refresh_state);
++
++    ret = ad_account_info_recv(subreq, &dp_error, &err_msg);
++    talloc_zfree(subreq);
++    if (ret != EOK) {
++        DEBUG(SSSDBG_CRIT_FAILURE, "Unable to refresh %s [dp_error: %d, "
++              "errno: %d]: %s\n", be_req2str(state->account_req->entry_type),
++              dp_error, ret, err_msg);
++        goto done;
++    }
++
++    ret = ad_refresh_step(req);
++    if (ret == EAGAIN) {
++        return;
++    }
++
++done:
++    if (ret != EOK) {
++        tevent_req_error(req, ret);
++        return;
++    }
++
++    tevent_req_done(req);
++}
++
++static errno_t ad_refresh_recv(struct tevent_req *req)
++{
++    TEVENT_REQ_RETURN_ON_ERROR(req);
++
++    return EOK;
++}
++
++static struct tevent_req *
++ad_refresh_users_send(TALLOC_CTX *mem_ctx,
++                      struct tevent_context *ev,
++                      struct be_ctx *be_ctx,
++                      struct sss_domain_info *domain,
++                      char **names,
++                      void *pvt)
++{
++    return ad_refresh_send(mem_ctx, ev, be_ctx, domain,
++                           BE_REQ_USER, names, pvt);
++}
++
++static errno_t ad_refresh_users_recv(struct tevent_req *req)
++{
++    return ad_refresh_recv(req);
++}
++
++static struct tevent_req *
++ad_refresh_groups_send(TALLOC_CTX *mem_ctx,
++                       struct tevent_context *ev,
++                       struct be_ctx *be_ctx,
++                       struct sss_domain_info *domain,
++                       char **names,
++                       void *pvt)
++{
++    return ad_refresh_send(mem_ctx, ev, be_ctx, domain,
++                           BE_REQ_GROUP, names, pvt);
++}
++
++static errno_t ad_refresh_groups_recv(struct tevent_req *req)
++{
++    return ad_refresh_recv(req);
++}
++
++static struct tevent_req *
++ad_refresh_netgroups_send(TALLOC_CTX *mem_ctx,
++                          struct tevent_context *ev,
++                          struct be_ctx *be_ctx,
++                          struct sss_domain_info *domain,
++                          char **names,
++                          void *pvt)
++{
++    return ad_refresh_send(mem_ctx, ev, be_ctx, domain,
++                           BE_REQ_NETGROUP, names, pvt);
++}
++
++static errno_t ad_refresh_netgroups_recv(struct tevent_req *req)
++{
++    return ad_refresh_recv(req);
++}
++
++errno_t ad_refresh_init(struct be_ctx *be_ctx,
++                        struct ad_id_ctx *id_ctx)
++{
++    errno_t ret;
++
++    ret = be_refresh_ctx_init(be_ctx, SYSDB_SID_STR);
++    if (ret != EOK) {
++        DEBUG(SSSDBG_FATAL_FAILURE, "Unable to initialize refresh_ctx\n");
++        return ret;
++    }
++
++    ret = be_refresh_add_cb(be_ctx->refresh_ctx,
++                            BE_REFRESH_TYPE_USERS,
++                            ad_refresh_users_send,
++                            ad_refresh_users_recv,
++                            id_ctx);
++    if (ret != EOK && ret != EEXIST) {
++        DEBUG(SSSDBG_MINOR_FAILURE, "Periodical refresh of users "
++              "will not work [%d]: %s\n", ret, strerror(ret));
++    }
++
++    ret = be_refresh_add_cb(be_ctx->refresh_ctx,
++                            BE_REFRESH_TYPE_GROUPS,
++                            ad_refresh_groups_send,
++                            ad_refresh_groups_recv,
++                            id_ctx);
++    if (ret != EOK && ret != EEXIST) {
++        DEBUG(SSSDBG_MINOR_FAILURE, "Periodical refresh of groups "
++              "will not work [%d]: %s\n", ret, strerror(ret));
++    }
++
++    ret = be_refresh_add_cb(be_ctx->refresh_ctx,
++                            BE_REFRESH_TYPE_NETGROUPS,
++                            ad_refresh_netgroups_send,
++                            ad_refresh_netgroups_recv,
++                            id_ctx);
++    if (ret != EOK && ret != EEXIST) {
++        DEBUG(SSSDBG_MINOR_FAILURE, "Periodical refresh of netgroups "
++              "will not work [%d]: %s\n", ret, strerror(ret));
++    }
++
++    return ret;
++}
+-- 
+2.20.1
+
diff --git a/SOURCES/0058-IPA-Implement-background-refresh-for-IPA-domains.patch b/SOURCES/0058-IPA-Implement-background-refresh-for-IPA-domains.patch
new file mode 100644
index 0000000..472daaa
--- /dev/null
+++ b/SOURCES/0058-IPA-Implement-background-refresh-for-IPA-domains.patch
@@ -0,0 +1,550 @@
+From 7c4055f0701c9be44f478a713c45e43e5d5914a9 Mon Sep 17 00:00:00 2001
+From: Jakub Hrozek <jhrozek@redhat.com>
+Date: Wed, 8 May 2019 14:39:23 +0200
+Subject: [PATCH 58/64] IPA: Implement background refresh for IPA domains
+
+Split out the actual useful functionality from the IPA account lookup
+handler into a tevent request. This tevent request is then used in a new
+ipa_refresh module.
+
+Related:
+https://pagure.io/SSSD/sssd/issue/4012
+
+Reviewed-by: Sumit Bose <sbose@redhat.com>
+(cherry picked from commit d76756ef472da9593c691f94186d09226bb49916)
+
+Reviewed-by: Sumit Bose <sbose@redhat.com>
+---
+ Makefile.am                     |   1 +
+ src/providers/ipa/ipa_common.h  |   3 +
+ src/providers/ipa/ipa_id.c      | 140 +++++++++++++----
+ src/providers/ipa/ipa_id.h      |   8 +
+ src/providers/ipa/ipa_init.c    |   2 +-
+ src/providers/ipa/ipa_refresh.c | 264 ++++++++++++++++++++++++++++++++
+ 6 files changed, 386 insertions(+), 32 deletions(-)
+ create mode 100644 src/providers/ipa/ipa_refresh.c
+
+diff --git a/Makefile.am b/Makefile.am
+index 7d83b6847..e74de422d 100644
+--- a/Makefile.am
++++ b/Makefile.am
+@@ -4171,6 +4171,7 @@ libsss_ipa_la_SOURCES = \
+     src/providers/ipa/ipa_srv.c \
+     src/providers/ipa/ipa_idmap.c \
+     src/providers/ipa/ipa_dn.c \
++    src/providers/ipa/ipa_refresh.c \
+     src/providers/ad/ad_opts.c \
+     src/providers/ad/ad_common.c \
+     src/providers/ad/ad_dyndns.c \
+diff --git a/src/providers/ipa/ipa_common.h b/src/providers/ipa/ipa_common.h
+index 31e671eb5..6bb1739ef 100644
+--- a/src/providers/ipa/ipa_common.h
++++ b/src/providers/ipa/ipa_common.h
+@@ -301,4 +301,7 @@ errno_t ipa_get_host_attrs(struct dp_option *ipa_options,
+                            struct sysdb_attrs **hosts,
+                            struct sysdb_attrs **_ipa_host);
+ 
++errno_t ipa_refresh_init(struct be_ctx *be_ctx,
++                         struct ipa_id_ctx *id_ctx);
++
+ #endif /* _IPA_COMMON_H_ */
+diff --git a/src/providers/ipa/ipa_id.c b/src/providers/ipa/ipa_id.c
+index e644af5ff..9abee34cb 100644
+--- a/src/providers/ipa/ipa_id.c
++++ b/src/providers/ipa/ipa_id.c
+@@ -1344,43 +1344,39 @@ ipa_decide_account_info_type(struct dp_id_data *data, struct be_ctx *be_ctx)
+     return IPA_ACCOUNT_INFO_OTHER;
+ }
+ 
+-struct ipa_account_info_handler_state {
++struct ipa_account_info_state {
+     enum ipa_account_info_type type;
+-    struct dp_reply_std reply;
++
++    const char *err_msg;
++    int dp_error;
+ };
+ 
+-static void ipa_account_info_handler_done(struct tevent_req *subreq);
++static void ipa_account_info_done(struct tevent_req *subreq);
+ 
+ struct tevent_req *
+-ipa_account_info_handler_send(TALLOC_CTX *mem_ctx,
+-                              struct ipa_id_ctx *id_ctx,
+-                              struct dp_id_data *data,
+-                              struct dp_req_params *params)
++ipa_account_info_send(TALLOC_CTX *mem_ctx,
++                      struct be_ctx *be_ctx,
++                      struct ipa_id_ctx *id_ctx,
++                      struct dp_id_data *data)
+ {
+-    struct ipa_account_info_handler_state *state;
++    struct ipa_account_info_state *state = NULL;
++    struct tevent_req *req = NULL;
+     struct tevent_req *subreq = NULL;
+-    struct tevent_req *req;
+     errno_t ret;
+ 
+     req = tevent_req_create(mem_ctx, &state,
+-                            struct ipa_account_info_handler_state);
++                            struct ipa_account_info_state);
+     if (req == NULL) {
+         DEBUG(SSSDBG_CRIT_FAILURE, "tevent_req_create() failed\n");
+         return NULL;
+     }
+ 
+-    state->type = ipa_decide_account_info_type(data, params->be_ctx);
+-
+-    if (sdap_is_enum_request(data)) {
+-        DEBUG(SSSDBG_TRACE_LIBS, "Skipping enumeration on demand\n");
+-        ret = EOK;
+-        goto immediately;
+-    }
++    state->type = ipa_decide_account_info_type(data, be_ctx);
+ 
+     switch (state->type) {
+     case IPA_ACCOUNT_INFO_SUBDOMAIN:
+         /* Subdomain lookups are handled differently on server and client. */
+-        subreq = ipa_subdomain_account_send(state, params->ev, id_ctx, data);
++        subreq = ipa_subdomain_account_send(state, be_ctx->ev, id_ctx, data);
+         break;
+     case IPA_ACCOUNT_INFO_NETGROUP:
+         if (data->filter_type != BE_FILTER_NAME) {
+@@ -1388,11 +1384,11 @@ ipa_account_info_handler_send(TALLOC_CTX *mem_ctx,
+             goto immediately;
+         }
+ 
+-        subreq = ipa_id_get_netgroup_send(state, params->ev, id_ctx,
++        subreq = ipa_id_get_netgroup_send(state, be_ctx->ev, id_ctx,
+                                           data->filter_value);
+         break;
+     case IPA_ACCOUNT_INFO_OTHER:
+-        subreq = ipa_id_get_account_info_send(state, params->ev, id_ctx, data);
++        subreq = ipa_id_get_account_info_send(state, be_ctx->ev, id_ctx, data);
+         break;
+     }
+ 
+@@ -1400,7 +1396,99 @@ ipa_account_info_handler_send(TALLOC_CTX *mem_ctx,
+         ret = ENOMEM;
+         goto immediately;
+     }
++    tevent_req_set_callback(subreq, ipa_account_info_done, req);
++    return req;
++
++immediately:
++    tevent_req_error(req, ret);
++    tevent_req_post(req, be_ctx->ev);
++    return req;
++}
++
++static void ipa_account_info_done(struct tevent_req *subreq)
++{
++    struct ipa_account_info_state *state = NULL;
++    struct tevent_req *req = NULL;
++    errno_t ret;
++
++    req = tevent_req_callback_data(subreq, struct tevent_req);
++    state = tevent_req_data(req, struct ipa_account_info_state);
++
++    switch (state->type) {
++    case IPA_ACCOUNT_INFO_SUBDOMAIN:
++        ret = ipa_subdomain_account_recv(subreq, &state->dp_error);
++        break;
++    case IPA_ACCOUNT_INFO_NETGROUP:
++        ret = ipa_id_get_netgroup_recv(subreq, &state->dp_error);
++        break;
++    case IPA_ACCOUNT_INFO_OTHER:
++        ret = ipa_id_get_account_info_recv(subreq, &state->dp_error);
++        break;
++    default:
++        ret = EINVAL;
++        break;
++    }
++    talloc_zfree(subreq);
++
++    if (ret != EOK) {
++        tevent_req_error(req, ret);
++        return;
++    }
++
++    tevent_req_done(req);
++}
+ 
++errno_t ipa_account_info_recv(struct tevent_req *req,
++                              int *_dp_error)
++{
++    struct ipa_account_info_state *state = NULL;
++
++    state = tevent_req_data(req, struct ipa_account_info_state);
++
++    /* Fail the request after collecting the dp_error */
++    if (_dp_error) {
++        *_dp_error = state->dp_error;
++    }
++
++    TEVENT_REQ_RETURN_ON_ERROR(req);
++    return EOK;
++}
++
++struct ipa_account_info_handler_state {
++    struct dp_reply_std reply;
++};
++
++static void ipa_account_info_handler_done(struct tevent_req *subreq);
++
++struct tevent_req *
++ipa_account_info_handler_send(TALLOC_CTX *mem_ctx,
++                              struct ipa_id_ctx *id_ctx,
++                              struct dp_id_data *data,
++                              struct dp_req_params *params)
++{
++    struct ipa_account_info_handler_state *state;
++    struct tevent_req *subreq = NULL;
++    struct tevent_req *req;
++    errno_t ret;
++
++    req = tevent_req_create(mem_ctx, &state,
++                            struct ipa_account_info_handler_state);
++    if (req == NULL) {
++        DEBUG(SSSDBG_CRIT_FAILURE, "tevent_req_create() failed\n");
++        return NULL;
++    }
++
++    if (sdap_is_enum_request(data)) {
++        DEBUG(SSSDBG_TRACE_LIBS, "Skipping enumeration on demand\n");
++        ret = EOK;
++        goto immediately;
++    }
++
++    subreq = ipa_account_info_send(state, params->be_ctx, id_ctx, data);
++    if (subreq == NULL) {
++        ret = ENOMEM;
++        goto immediately;
++    }
+     tevent_req_set_callback(subreq, ipa_account_info_handler_done, req);
+ 
+     return req;
+@@ -1425,17 +1513,7 @@ static void ipa_account_info_handler_done(struct tevent_req *subreq)
+     req = tevent_req_callback_data(subreq, struct tevent_req);
+     state = tevent_req_data(req, struct ipa_account_info_handler_state);
+ 
+-    switch (state->type) {
+-    case IPA_ACCOUNT_INFO_SUBDOMAIN:
+-        ret = ipa_subdomain_account_recv(subreq, &dp_error);
+-        break;
+-    case IPA_ACCOUNT_INFO_NETGROUP:
+-        ret = ipa_id_get_netgroup_recv(subreq, &dp_error);
+-        break;
+-    case IPA_ACCOUNT_INFO_OTHER:
+-        ret = ipa_id_get_account_info_recv(subreq, &dp_error);
+-        break;
+-    }
++    ret = ipa_account_info_recv(subreq, &dp_error);
+     talloc_zfree(subreq);
+ 
+     /* TODO For backward compatibility we always return EOK to DP now. */
+diff --git a/src/providers/ipa/ipa_id.h b/src/providers/ipa/ipa_id.h
+index 4b2549882..fe9acfeef 100644
+--- a/src/providers/ipa/ipa_id.h
++++ b/src/providers/ipa/ipa_id.h
+@@ -33,6 +33,14 @@
+ 
+ #define IPA_DEFAULT_VIEW_NAME "Default Trust View"
+ 
++struct tevent_req *
++ipa_account_info_send(TALLOC_CTX *mem_ctx,
++                      struct be_ctx *be_ctx,
++                      struct ipa_id_ctx *id_ctx,
++                      struct dp_id_data *data);
++errno_t ipa_account_info_recv(struct tevent_req *req,
++                              int *_dp_error);
++
+ struct tevent_req *
+ ipa_account_info_handler_send(TALLOC_CTX *mem_ctx,
+                               struct ipa_id_ctx *id_ctx,
+diff --git a/src/providers/ipa/ipa_init.c b/src/providers/ipa/ipa_init.c
+index b3060e228..cdfd11d7a 100644
+--- a/src/providers/ipa/ipa_init.c
++++ b/src/providers/ipa/ipa_init.c
+@@ -594,7 +594,7 @@ static errno_t ipa_init_misc(struct be_ctx *be_ctx,
+         }
+     }
+ 
+-    ret = sdap_refresh_init(be_ctx, sdap_id_ctx);
++    ret = ipa_refresh_init(be_ctx, ipa_id_ctx);
+     if (ret != EOK && ret != EEXIST) {
+         DEBUG(SSSDBG_MINOR_FAILURE, "Periodical refresh "
+               "will not work [%d]: %s\n", ret, sss_strerror(ret));
+diff --git a/src/providers/ipa/ipa_refresh.c b/src/providers/ipa/ipa_refresh.c
+new file mode 100644
+index 000000000..72051cfdd
+--- /dev/null
++++ b/src/providers/ipa/ipa_refresh.c
+@@ -0,0 +1,264 @@
++/*
++    Copyright (C) 2019 Red Hat
++
++    This program is free software; you can redistribute it and/or modify
++    it under the terms of the GNU General Public License as published by
++    the Free Software Foundation; either version 3 of the License, or
++    (at your option) any later version.
++
++    This program is distributed in the hope that it will be useful,
++    but WITHOUT ANY WARRANTY; without even the implied warranty of
++    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
++    GNU General Public License for more details.
++
++    You should have received a copy of the GNU General Public License
++    along with this program.  If not, see <http://www.gnu.org/licenses/>.
++*/
++
++#include <talloc.h>
++#include <tevent.h>
++
++#include "providers/ipa/ipa_common.h"
++#include "providers/ipa/ipa_id.h"
++
++struct ipa_refresh_state {
++    struct tevent_context *ev;
++    struct be_ctx *be_ctx;
++    struct dp_id_data *account_req;
++    struct ipa_id_ctx *id_ctx;
++    char **names;
++    size_t index;
++};
++
++static errno_t ipa_refresh_step(struct tevent_req *req);
++static void ipa_refresh_done(struct tevent_req *subreq);
++
++static struct tevent_req *ipa_refresh_send(TALLOC_CTX *mem_ctx,
++                                            struct tevent_context *ev,
++                                            struct be_ctx *be_ctx,
++                                            struct sss_domain_info *domain,
++                                            int entry_type,
++                                            char **names,
++                                            void *pvt)
++{
++    struct ipa_refresh_state *state = NULL;
++    struct tevent_req *req = NULL;
++    errno_t ret;
++
++    req = tevent_req_create(mem_ctx, &state,
++                            struct ipa_refresh_state);
++    if (req == NULL) {
++        DEBUG(SSSDBG_CRIT_FAILURE, "tevent_req_create() failed\n");
++        return NULL;
++    }
++
++    if (names == NULL) {
++        ret = EOK;
++        goto immediately;
++    }
++
++    state->ev = ev;
++    state->be_ctx = be_ctx;
++    state->id_ctx = talloc_get_type(pvt, struct ipa_id_ctx);
++    state->names = names;
++    state->index = 0;
++
++    state->account_req = be_refresh_acct_req(state, entry_type,
++                                             BE_FILTER_NAME, domain);
++    if (state->account_req == NULL) {
++        ret = ENOMEM;
++        goto immediately;
++    }
++
++    ret = ipa_refresh_step(req);
++    if (ret == EOK) {
++        DEBUG(SSSDBG_TRACE_FUNC, "Nothing to refresh\n");
++        goto immediately;
++    } else if (ret != EAGAIN) {
++        DEBUG(SSSDBG_CRIT_FAILURE, "ipa_refresh_step() failed "
++                                   "[%d]: %s\n", ret, sss_strerror(ret));
++        goto immediately;
++    }
++
++    return req;
++
++immediately:
++    if (ret == EOK) {
++        tevent_req_done(req);
++    } else {
++        tevent_req_error(req, ret);
++    }
++    tevent_req_post(req, ev);
++
++    return req;
++}
++
++static errno_t ipa_refresh_step(struct tevent_req *req)
++{
++    struct ipa_refresh_state *state = NULL;
++    struct tevent_req *subreq = NULL;
++    errno_t ret;
++
++    state = tevent_req_data(req, struct ipa_refresh_state);
++
++    if (state->names == NULL) {
++        ret = EOK;
++        goto done;
++    }
++
++    state->account_req->filter_value = state->names[state->index];
++    if (state->account_req->filter_value == NULL) {
++        ret = EOK;
++        goto done;
++    }
++
++    subreq = ipa_account_info_send(state, state->be_ctx, state->id_ctx,
++                                  state->account_req);
++    if (subreq == NULL) {
++        ret = ENOMEM;
++        goto done;
++    }
++
++    tevent_req_set_callback(subreq, ipa_refresh_done, req);
++
++    state->index++;
++    ret = EAGAIN;
++
++done:
++    return ret;
++}
++
++static void ipa_refresh_done(struct tevent_req *subreq)
++{
++    struct ipa_refresh_state *state = NULL;
++    struct tevent_req *req = NULL;
++    errno_t dp_error;
++    errno_t ret;
++
++    req = tevent_req_callback_data(subreq, struct tevent_req);
++    state = tevent_req_data(req, struct ipa_refresh_state);
++
++    ret = ipa_account_info_recv(subreq, &dp_error);
++    talloc_zfree(subreq);
++    if (ret != EOK) {
++        DEBUG(SSSDBG_CRIT_FAILURE, "Unable to refresh %s [dp_error: %d, "
++              "errno: %d]\n", be_req2str(state->account_req->entry_type),
++              dp_error, ret);
++        goto done;
++    }
++
++    ret = ipa_refresh_step(req);
++    if (ret == EAGAIN) {
++        return;
++    }
++
++done:
++    if (ret != EOK) {
++        tevent_req_error(req, ret);
++        return;
++    }
++
++    tevent_req_done(req);
++}
++
++static errno_t ipa_refresh_recv(struct tevent_req *req)
++{
++    TEVENT_REQ_RETURN_ON_ERROR(req);
++
++    return EOK;
++}
++
++static struct tevent_req *
++ipa_refresh_users_send(TALLOC_CTX *mem_ctx,
++                        struct tevent_context *ev,
++                        struct be_ctx *be_ctx,
++                        struct sss_domain_info *domain,
++                        char **names,
++                        void *pvt)
++{
++    return ipa_refresh_send(mem_ctx, ev, be_ctx, domain,
++                           BE_REQ_USER, names, pvt);
++}
++
++static errno_t ipa_refresh_users_recv(struct tevent_req *req)
++{
++    return ipa_refresh_recv(req);
++}
++
++static struct tevent_req *
++ipa_refresh_groups_send(TALLOC_CTX *mem_ctx,
++                         struct tevent_context *ev,
++                         struct be_ctx *be_ctx,
++                         struct sss_domain_info *domain,
++                         char **names,
++                         void *pvt)
++{
++    return ipa_refresh_send(mem_ctx, ev, be_ctx, domain,
++                           BE_REQ_GROUP, names, pvt);
++}
++
++static errno_t ipa_refresh_groups_recv(struct tevent_req *req)
++{
++    return ipa_refresh_recv(req);
++}
++
++static struct tevent_req *
++ipa_refresh_netgroups_send(TALLOC_CTX *mem_ctx,
++                            struct tevent_context *ev,
++                            struct be_ctx *be_ctx,
++                            struct sss_domain_info *domain,
++                            char **names,
++                            void *pvt)
++{
++    return ipa_refresh_send(mem_ctx, ev, be_ctx, domain,
++                           BE_REQ_NETGROUP, names, pvt);
++}
++
++static errno_t ipa_refresh_netgroups_recv(struct tevent_req *req)
++{
++    return ipa_refresh_recv(req);
++}
++
++errno_t ipa_refresh_init(struct be_ctx *be_ctx,
++                         struct ipa_id_ctx *id_ctx)
++{
++    errno_t ret;
++
++    ret = be_refresh_ctx_init(be_ctx, SYSDB_NAME);
++    if (ret != EOK) {
++        DEBUG(SSSDBG_FATAL_FAILURE, "Unable to initialize refresh_ctx\n");
++        return ENOMEM;
++    }
++
++    ret = be_refresh_add_cb(be_ctx->refresh_ctx,
++                            BE_REFRESH_TYPE_USERS,
++                            ipa_refresh_users_send,
++                            ipa_refresh_users_recv,
++                            id_ctx);
++    if (ret != EOK && ret != EEXIST) {
++        DEBUG(SSSDBG_MINOR_FAILURE, "Periodical refresh of users "
++              "will not work [%d]: %s\n", ret, strerror(ret));
++    }
++
++    ret = be_refresh_add_cb(be_ctx->refresh_ctx,
++                            BE_REFRESH_TYPE_GROUPS,
++                            ipa_refresh_groups_send,
++                            ipa_refresh_groups_recv,
++                            id_ctx);
++    if (ret != EOK && ret != EEXIST) {
++        DEBUG(SSSDBG_MINOR_FAILURE, "Periodical refresh of groups "
++              "will not work [%d]: %s\n", ret, strerror(ret));
++    }
++
++    ret = be_refresh_add_cb(be_ctx->refresh_ctx,
++                            BE_REFRESH_TYPE_NETGROUPS,
++                            ipa_refresh_netgroups_send,
++                            ipa_refresh_netgroups_recv,
++                            id_ctx);
++    if (ret != EOK && ret != EEXIST) {
++        DEBUG(SSSDBG_MINOR_FAILURE, "Periodical refresh of netgroups "
++              "will not work [%d]: %s\n", ret, strerror(ret));
++    }
++
++    return ret;
++}
+-- 
+2.20.1
+
diff --git a/SOURCES/0059-BE-IPA-AD-LDAP-Add-inigroups-refresh-support.patch b/SOURCES/0059-BE-IPA-AD-LDAP-Add-inigroups-refresh-support.patch
new file mode 100644
index 0000000..54122c7
--- /dev/null
+++ b/SOURCES/0059-BE-IPA-AD-LDAP-Add-inigroups-refresh-support.patch
@@ -0,0 +1,294 @@
+From a8212a7884175fe32dccc29f3fed3688f81c76fe Mon Sep 17 00:00:00 2001
+From: Jakub Hrozek <jhrozek@redhat.com>
+Date: Tue, 25 Jun 2019 14:16:31 +0200
+Subject: [PATCH 59/64] BE/IPA/AD/LDAP: Add inigroups refresh support
+
+Related: https://pagure.io/SSSD/sssd/issue/4012
+
+In addition to refreshing users, groups and netgroups, this patch adds
+the ability to also refresh initgroups. The refresh is ran for any users
+that have the initgrExpireTimestamp attribute close to expiration.
+
+This request is ran as the first one, because the initgroups operation
+refreshes the user entry and can touch groups as well.
+
+Reviewed-by: Sumit Bose <sbose@redhat.com>
+(cherry picked from commit 1d0e75e9c5db0acf946f82705a4640063ea5aea9)
+
+Reviewed-by: Sumit Bose <sbose@redhat.com>
+---
+ src/providers/ad/ad_refresh.c     | 28 +++++++++++++++++++++++
+ src/providers/be_refresh.c        | 37 +++++++++++++++++++++++--------
+ src/providers/be_refresh.h        |  1 +
+ src/providers/ipa/ipa_refresh.c   | 27 ++++++++++++++++++++++
+ src/providers/ldap/sdap_refresh.c | 17 ++++++++++++++
+ 5 files changed, 101 insertions(+), 9 deletions(-)
+
+diff --git a/src/providers/ad/ad_refresh.c b/src/providers/ad/ad_refresh.c
+index ee541056f..f0130cbaf 100644
+--- a/src/providers/ad/ad_refresh.c
++++ b/src/providers/ad/ad_refresh.c
+@@ -65,6 +65,7 @@ static struct tevent_req *ad_refresh_send(TALLOC_CTX *mem_ctx,
+     state->index = 0;
+ 
+     switch (entry_type) {
++    case BE_REQ_INITGROUPS:
+     case BE_REQ_NETGROUP:
+         filter_type = BE_FILTER_NAME;
+         break;
+@@ -187,6 +188,23 @@ static errno_t ad_refresh_recv(struct tevent_req *req)
+     return EOK;
+ }
+ 
++static struct tevent_req *
++ad_refresh_initgroups_send(TALLOC_CTX *mem_ctx,
++                           struct tevent_context *ev,
++                           struct be_ctx *be_ctx,
++                           struct sss_domain_info *domain,
++                           char **names,
++                           void *pvt)
++{
++    return ad_refresh_send(mem_ctx, ev, be_ctx, domain,
++                           BE_REQ_INITGROUPS, names, pvt);
++}
++
++static errno_t ad_refresh_initgroups_recv(struct tevent_req *req)
++{
++    return ad_refresh_recv(req);
++}
++
+ static struct tevent_req *
+ ad_refresh_users_send(TALLOC_CTX *mem_ctx,
+                       struct tevent_context *ev,
+@@ -249,6 +267,16 @@ errno_t ad_refresh_init(struct be_ctx *be_ctx,
+         return ret;
+     }
+ 
++    ret = be_refresh_add_cb(be_ctx->refresh_ctx,
++                            BE_REFRESH_TYPE_INITGROUPS,
++                            ad_refresh_initgroups_send,
++                            ad_refresh_initgroups_recv,
++                            id_ctx);
++    if (ret != EOK && ret != EEXIST) {
++        DEBUG(SSSDBG_MINOR_FAILURE, "Periodical refresh of users "
++              "will not work [%d]: %s\n", ret, strerror(ret));
++    }
++
+     ret = be_refresh_add_cb(be_ctx->refresh_ctx,
+                             BE_REFRESH_TYPE_USERS,
+                             ad_refresh_users_send,
+diff --git a/src/providers/be_refresh.c b/src/providers/be_refresh.c
+index a9d4295ec..6945ca9e3 100644
+--- a/src/providers/be_refresh.c
++++ b/src/providers/be_refresh.c
+@@ -33,11 +33,12 @@ static errno_t be_refresh_get_values_ex(TALLOC_CTX *mem_ctx,
+                                         struct sss_domain_info *domain,
+                                         time_t period,
+                                         struct ldb_dn *base_dn,
+-                                        const char *attr,
++                                        const char *key_attr,
++                                        const char *value_attr,
+                                         char ***_values)
+ {
+     TALLOC_CTX *tmp_ctx = NULL;
+-    const char *attrs[] = {attr, NULL};
++    const char *attrs[] = {value_attr, NULL};
+     const char *filter = NULL;
+     char **values = NULL;
+     struct sysdb_attrs **records = NULL;
+@@ -45,13 +46,17 @@ static errno_t be_refresh_get_values_ex(TALLOC_CTX *mem_ctx,
+     time_t now = time(NULL);
+     errno_t ret;
+ 
++    if (key_attr == NULL || domain == NULL || base_dn == NULL) {
++        return EINVAL;
++    }
++
+     tmp_ctx = talloc_new(NULL);
+     if (tmp_ctx == NULL) {
+         return ENOMEM;
+     }
+ 
+     filter = talloc_asprintf(tmp_ctx, "(&(%s<=%lld))",
+-                             SYSDB_CACHE_EXPIRE, (long long) now + period);
++                             key_attr, (long long) now + period);
+     if (filter == NULL) {
+         ret = ENOMEM;
+         goto done;
+@@ -73,7 +78,7 @@ static errno_t be_refresh_get_values_ex(TALLOC_CTX *mem_ctx,
+         goto done;
+     }
+ 
+-    ret = sysdb_attrs_to_list(tmp_ctx, records, res->count, attr, &values);
++    ret = sysdb_attrs_to_list(tmp_ctx, records, res->count, value_attr, &values);
+     if (ret != EOK) {
+         goto done;
+     }
+@@ -96,18 +101,27 @@ static errno_t be_refresh_get_values(TALLOC_CTX *mem_ctx,
+ {
+     struct ldb_dn *base_dn = NULL;
+     errno_t ret;
++    const char *key_attr;
+ 
+     switch (type) {
++    case BE_REFRESH_TYPE_INITGROUPS:
++        key_attr = SYSDB_INITGR_EXPIRE;
++        base_dn = sysdb_user_base_dn(mem_ctx, domain);
++        break;
+     case BE_REFRESH_TYPE_USERS:
++        key_attr = SYSDB_CACHE_EXPIRE;
+         base_dn = sysdb_user_base_dn(mem_ctx, domain);
+         break;
+     case BE_REFRESH_TYPE_GROUPS:
++        key_attr = SYSDB_CACHE_EXPIRE;
+         base_dn = sysdb_group_base_dn(mem_ctx, domain);
+         break;
+     case BE_REFRESH_TYPE_NETGROUPS:
++        key_attr = SYSDB_CACHE_EXPIRE;
+         base_dn = sysdb_netgroup_base_dn(mem_ctx, domain);
+         break;
+-    case BE_REFRESH_TYPE_SENTINEL:
++    default:
++        DEBUG(SSSDBG_CRIT_FAILURE, "Uknown or unsupported refresh type\n");
+         return ERR_INTERNAL;
+         break;
+     }
+@@ -117,7 +131,8 @@ static errno_t be_refresh_get_values(TALLOC_CTX *mem_ctx,
+     }
+ 
+     ret = be_refresh_get_values_ex(mem_ctx, domain, period,
+-                                   base_dn, attr_name, _values);
++                                   base_dn, key_attr,
++                                   attr_name, _values);
+ 
+     talloc_free(base_dn);
+     return ret;
+@@ -125,6 +140,7 @@ static errno_t be_refresh_get_values(TALLOC_CTX *mem_ctx,
+ 
+ struct be_refresh_cb {
+     const char *name;
++    const char *attr_name;
+     bool enabled;
+     be_refresh_send_t send_fn;
+     be_refresh_recv_t recv_fn;
+@@ -132,7 +148,6 @@ struct be_refresh_cb {
+ };
+ 
+ struct be_refresh_ctx {
+-    const char *attr_name;
+     struct be_refresh_cb callbacks[BE_REFRESH_TYPE_SENTINEL];
+ };
+ 
+@@ -148,10 +163,14 @@ errno_t be_refresh_ctx_init(struct be_ctx *be_ctx,
+         return ENOMEM;
+     }
+ 
+-    ctx->attr_name = attr_name;
++    ctx->callbacks[BE_REFRESH_TYPE_INITGROUPS].name = "initgroups";
++    ctx->callbacks[BE_REFRESH_TYPE_INITGROUPS].attr_name = SYSDB_NAME;
+     ctx->callbacks[BE_REFRESH_TYPE_USERS].name = "users";
++    ctx->callbacks[BE_REFRESH_TYPE_USERS].attr_name = attr_name;
+     ctx->callbacks[BE_REFRESH_TYPE_GROUPS].name = "groups";
++    ctx->callbacks[BE_REFRESH_TYPE_GROUPS].attr_name = attr_name;
+     ctx->callbacks[BE_REFRESH_TYPE_NETGROUPS].name = "netgroups";
++    ctx->callbacks[BE_REFRESH_TYPE_NETGROUPS].attr_name = SYSDB_NAME;
+ 
+     refresh_interval = be_ctx->domain->refresh_expired_interval;
+     if (refresh_interval > 0) {
+@@ -310,7 +329,7 @@ static errno_t be_refresh_step(struct tevent_req *req)
+         }
+ 
+         talloc_zfree(state->refresh_values);
+-        ret = be_refresh_get_values(state, state->index, state->ctx->attr_name,
++        ret = be_refresh_get_values(state, state->index, state->cb->attr_name,
+                                     state->domain, state->period,
+                                     &state->refresh_values);
+         if (ret != EOK) {
+diff --git a/src/providers/be_refresh.h b/src/providers/be_refresh.h
+index c7b4872df..4ac5b70c2 100644
+--- a/src/providers/be_refresh.h
++++ b/src/providers/be_refresh.h
+@@ -44,6 +44,7 @@ typedef errno_t
+ (*be_refresh_recv_t)(struct tevent_req *req);
+ 
+ enum be_refresh_type {
++    BE_REFRESH_TYPE_INITGROUPS,
+     BE_REFRESH_TYPE_USERS,
+     BE_REFRESH_TYPE_GROUPS,
+     BE_REFRESH_TYPE_NETGROUPS,
+diff --git a/src/providers/ipa/ipa_refresh.c b/src/providers/ipa/ipa_refresh.c
+index 72051cfdd..bb47b0edf 100644
+--- a/src/providers/ipa/ipa_refresh.c
++++ b/src/providers/ipa/ipa_refresh.c
+@@ -168,6 +168,23 @@ static errno_t ipa_refresh_recv(struct tevent_req *req)
+     return EOK;
+ }
+ 
++static struct tevent_req *
++ipa_refresh_initgroups_send(TALLOC_CTX *mem_ctx,
++                            struct tevent_context *ev,
++                            struct be_ctx *be_ctx,
++                            struct sss_domain_info *domain,
++                            char **names,
++                            void *pvt)
++{
++    return ipa_refresh_send(mem_ctx, ev, be_ctx, domain,
++                           BE_REQ_INITGROUPS, names, pvt);
++}
++
++static errno_t ipa_refresh_initgroups_recv(struct tevent_req *req)
++{
++    return ipa_refresh_recv(req);
++}
++
+ static struct tevent_req *
+ ipa_refresh_users_send(TALLOC_CTX *mem_ctx,
+                         struct tevent_context *ev,
+@@ -230,6 +247,16 @@ errno_t ipa_refresh_init(struct be_ctx *be_ctx,
+         return ENOMEM;
+     }
+ 
++    ret = be_refresh_add_cb(be_ctx->refresh_ctx,
++                            BE_REFRESH_TYPE_USERS,
++                            ipa_refresh_initgroups_send,
++                            ipa_refresh_initgroups_recv,
++                            id_ctx);
++    if (ret != EOK && ret != EEXIST) {
++        DEBUG(SSSDBG_MINOR_FAILURE, "Periodical refresh of initgroups "
++              "will not work [%d]: %s\n", ret, strerror(ret));
++    }
++
+     ret = be_refresh_add_cb(be_ctx->refresh_ctx,
+                             BE_REFRESH_TYPE_USERS,
+                             ipa_refresh_users_send,
+diff --git a/src/providers/ldap/sdap_refresh.c b/src/providers/ldap/sdap_refresh.c
+index 2206d6670..3ceddb61e 100644
+--- a/src/providers/ldap/sdap_refresh.c
++++ b/src/providers/ldap/sdap_refresh.c
+@@ -186,6 +186,23 @@ static errno_t sdap_refresh_recv(struct tevent_req *req)
+     return EOK;
+ }
+ 
++static struct tevent_req *
++sdap_refresh_initgroups_send(TALLOC_CTX *mem_ctx,
++                        struct tevent_context *ev,
++                        struct be_ctx *be_ctx,
++                        struct sss_domain_info *domain,
++                        char **names,
++                        void *pvt)
++{
++    return sdap_refresh_send(mem_ctx, ev, be_ctx, domain,
++                             BE_REQ_INITGROUPS, names, pvt);
++}
++
++static errno_t sdap_refresh_initgroups_recv(struct tevent_req *req)
++{
++    return sdap_refresh_recv(req);
++}
++
+ static struct tevent_req *
+ sdap_refresh_users_send(TALLOC_CTX *mem_ctx,
+                         struct tevent_context *ev,
+-- 
+2.20.1
+
diff --git a/SOURCES/0060-BE-IPA-AD-LDAP-Initialize-the-refresh-callback-from-.patch b/SOURCES/0060-BE-IPA-AD-LDAP-Initialize-the-refresh-callback-from-.patch
new file mode 100644
index 0000000..6eefc84
--- /dev/null
+++ b/SOURCES/0060-BE-IPA-AD-LDAP-Initialize-the-refresh-callback-from-.patch
@@ -0,0 +1,498 @@
+From 09901039f2b6a34552ce6ed82d06d4ab04f890a9 Mon Sep 17 00:00:00 2001
+From: Jakub Hrozek <jhrozek@redhat.com>
+Date: Tue, 25 Jun 2019 15:05:59 +0200
+Subject: [PATCH 60/64] BE/IPA/AD/LDAP: Initialize the refresh callback from a
+ list to reduce logic duplication
+
+Related: https://pagure.io/SSSD/sssd/issue/4012
+
+This patch slightly increases the line count, but on the other hand the
+code is now more declarative and contains less logic, which should
+hopefully decrease the maintenance cost in the future.
+
+Reviewed-by: Sumit Bose <sbose@redhat.com>
+(cherry picked from commit 792235097b9b63593dc717440aab48e8671fbf12)
+
+Reviewed-by: Sumit Bose <sbose@redhat.com>
+---
+ src/providers/ad/ad_refresh.c     |  66 ++++++----------
+ src/providers/be_refresh.c        | 126 +++++++++++++++++++++++-------
+ src/providers/be_refresh.h        |  17 ++--
+ src/providers/ipa/ipa_refresh.c   |  70 ++++++-----------
+ src/providers/ldap/sdap_refresh.c |  58 ++++++--------
+ 5 files changed, 179 insertions(+), 158 deletions(-)
+
+diff --git a/src/providers/ad/ad_refresh.c b/src/providers/ad/ad_refresh.c
+index f0130cbaf..ed51b305a 100644
+--- a/src/providers/ad/ad_refresh.c
++++ b/src/providers/ad/ad_refresh.c
+@@ -260,52 +260,32 @@ errno_t ad_refresh_init(struct be_ctx *be_ctx,
+                         struct ad_id_ctx *id_ctx)
+ {
+     errno_t ret;
+-
+-    ret = be_refresh_ctx_init(be_ctx, SYSDB_SID_STR);
++    struct be_refresh_cb ad_refresh_callbacks[] = {
++        { .send_fn = ad_refresh_initgroups_send,
++          .recv_fn = ad_refresh_initgroups_recv,
++          .pvt = id_ctx,
++        },
++        { .send_fn = ad_refresh_users_send,
++          .recv_fn = ad_refresh_users_recv,
++          .pvt = id_ctx,
++        },
++        { .send_fn = ad_refresh_groups_send,
++          .recv_fn = ad_refresh_groups_recv,
++          .pvt = id_ctx,
++        },
++        { .send_fn = ad_refresh_netgroups_send,
++          .recv_fn = ad_refresh_netgroups_recv,
++          .pvt = id_ctx,
++        },
++    };
++
++    ret = be_refresh_ctx_init_with_callbacks(be_ctx,
++                                             SYSDB_SID_STR,
++                                             ad_refresh_callbacks);
+     if (ret != EOK) {
+-        DEBUG(SSSDBG_FATAL_FAILURE, "Unable to initialize refresh_ctx\n");
++        DEBUG(SSSDBG_FATAL_FAILURE, "Unable to initialize background refresh\n");
+         return ret;
+     }
+ 
+-    ret = be_refresh_add_cb(be_ctx->refresh_ctx,
+-                            BE_REFRESH_TYPE_INITGROUPS,
+-                            ad_refresh_initgroups_send,
+-                            ad_refresh_initgroups_recv,
+-                            id_ctx);
+-    if (ret != EOK && ret != EEXIST) {
+-        DEBUG(SSSDBG_MINOR_FAILURE, "Periodical refresh of users "
+-              "will not work [%d]: %s\n", ret, strerror(ret));
+-    }
+-
+-    ret = be_refresh_add_cb(be_ctx->refresh_ctx,
+-                            BE_REFRESH_TYPE_USERS,
+-                            ad_refresh_users_send,
+-                            ad_refresh_users_recv,
+-                            id_ctx);
+-    if (ret != EOK && ret != EEXIST) {
+-        DEBUG(SSSDBG_MINOR_FAILURE, "Periodical refresh of users "
+-              "will not work [%d]: %s\n", ret, strerror(ret));
+-    }
+-
+-    ret = be_refresh_add_cb(be_ctx->refresh_ctx,
+-                            BE_REFRESH_TYPE_GROUPS,
+-                            ad_refresh_groups_send,
+-                            ad_refresh_groups_recv,
+-                            id_ctx);
+-    if (ret != EOK && ret != EEXIST) {
+-        DEBUG(SSSDBG_MINOR_FAILURE, "Periodical refresh of groups "
+-              "will not work [%d]: %s\n", ret, strerror(ret));
+-    }
+-
+-    ret = be_refresh_add_cb(be_ctx->refresh_ctx,
+-                            BE_REFRESH_TYPE_NETGROUPS,
+-                            ad_refresh_netgroups_send,
+-                            ad_refresh_netgroups_recv,
+-                            id_ctx);
+-    if (ret != EOK && ret != EEXIST) {
+-        DEBUG(SSSDBG_MINOR_FAILURE, "Periodical refresh of netgroups "
+-              "will not work [%d]: %s\n", ret, strerror(ret));
+-    }
+-
+     return ret;
+ }
+diff --git a/src/providers/be_refresh.c b/src/providers/be_refresh.c
+index 6945ca9e3..8f50e231d 100644
+--- a/src/providers/be_refresh.c
++++ b/src/providers/be_refresh.c
+@@ -138,21 +138,19 @@ static errno_t be_refresh_get_values(TALLOC_CTX *mem_ctx,
+     return ret;
+ }
+ 
+-struct be_refresh_cb {
++struct be_refresh_cb_ctx {
+     const char *name;
+     const char *attr_name;
+     bool enabled;
+-    be_refresh_send_t send_fn;
+-    be_refresh_recv_t recv_fn;
+-    void *pvt;
++    struct be_refresh_cb cb;
+ };
+ 
+ struct be_refresh_ctx {
+-    struct be_refresh_cb callbacks[BE_REFRESH_TYPE_SENTINEL];
++    struct be_refresh_cb_ctx callbacks[BE_REFRESH_TYPE_SENTINEL];
+ };
+ 
+-errno_t be_refresh_ctx_init(struct be_ctx *be_ctx,
+-                            const char *attr_name)
++static errno_t be_refresh_ctx_init(struct be_ctx *be_ctx,
++                                   const char *attr_name)
+ {
+     struct be_refresh_ctx *ctx = NULL;
+     uint32_t refresh_interval;
+@@ -193,13 +191,11 @@ errno_t be_refresh_ctx_init(struct be_ctx *be_ctx,
+     return EOK;
+ }
+ 
+-errno_t be_refresh_add_cb(struct be_refresh_ctx *ctx,
+-                          enum be_refresh_type type,
+-                          be_refresh_send_t send_fn,
+-                          be_refresh_recv_t recv_fn,
+-                          void *pvt)
++static errno_t be_refresh_add_cb(struct be_refresh_ctx *ctx,
++                                 enum be_refresh_type type,
++                                 struct be_refresh_cb *cb)
+ {
+-    if (ctx == NULL || send_fn == NULL || recv_fn == NULL
++    if (ctx == NULL || cb->send_fn == NULL || cb->recv_fn == NULL
+             || type >= BE_REFRESH_TYPE_SENTINEL) {
+         return EINVAL;
+     }
+@@ -209,9 +205,78 @@ errno_t be_refresh_add_cb(struct be_refresh_ctx *ctx,
+     }
+ 
+     ctx->callbacks[type].enabled = true;
+-    ctx->callbacks[type].send_fn = send_fn;
+-    ctx->callbacks[type].recv_fn = recv_fn;
+-    ctx->callbacks[type].pvt = pvt;
++    ctx->callbacks[type].cb.send_fn = cb->send_fn;
++    ctx->callbacks[type].cb.recv_fn = cb->recv_fn;
++    ctx->callbacks[type].cb.pvt = cb->pvt;
++
++    return EOK;
++}
++
++static errno_t be_refresh_set_callbacks(struct be_refresh_ctx *refresh_ctx,
++                                        struct be_refresh_cb *callbacks)
++{
++    errno_t ret;
++
++    if (callbacks == NULL || refresh_ctx == NULL) {
++        return EINVAL;
++    }
++
++    ret = be_refresh_add_cb(refresh_ctx,
++                            BE_REFRESH_TYPE_INITGROUPS,
++                            &callbacks[BE_REFRESH_TYPE_INITGROUPS]);
++    if (ret != EOK && ret != EEXIST) {
++        DEBUG(SSSDBG_MINOR_FAILURE, "Periodical refresh of initgroups "
++              "will not work [%d]: %s\n", ret, strerror(ret));
++    }
++
++    ret = be_refresh_add_cb(refresh_ctx,
++                            BE_REFRESH_TYPE_USERS,
++                            &callbacks[BE_REFRESH_TYPE_USERS]);
++    if (ret != EOK && ret != EEXIST) {
++        DEBUG(SSSDBG_MINOR_FAILURE, "Periodical refresh of users "
++              "will not work [%d]: %s\n", ret, strerror(ret));
++    }
++
++    ret = be_refresh_add_cb(refresh_ctx,
++                            BE_REFRESH_TYPE_GROUPS,
++                            &callbacks[BE_REFRESH_TYPE_GROUPS]);
++    if (ret != EOK && ret != EEXIST) {
++        DEBUG(SSSDBG_MINOR_FAILURE, "Periodical refresh of groups "
++              "will not work [%d]: %s\n", ret, strerror(ret));
++    }
++
++    ret = be_refresh_add_cb(refresh_ctx,
++                            BE_REFRESH_TYPE_NETGROUPS,
++                            &callbacks[BE_REFRESH_TYPE_NETGROUPS]);
++    if (ret != EOK && ret != EEXIST) {
++        DEBUG(SSSDBG_MINOR_FAILURE, "Periodical refresh of netgroups "
++              "will not work [%d]: %s\n", ret, strerror(ret));
++    }
++
++    return EOK;
++}
++
++errno_t be_refresh_ctx_init_with_callbacks(struct be_ctx *be_ctx,
++                                           const char *attr_name,
++                                           struct be_refresh_cb *callbacks)
++{
++    errno_t ret;
++
++    if (be_ctx == NULL || attr_name == NULL || callbacks == NULL) {
++        return EINVAL;
++    }
++
++    ret = be_refresh_ctx_init(be_ctx, attr_name);
++    if (ret != EOK) {
++        DEBUG(SSSDBG_FATAL_FAILURE, "Unable to initialize refresh_ctx\n");
++        return ret;
++    }
++
++    ret = be_refresh_set_callbacks(be_ctx->refresh_ctx, callbacks);
++    if (ret != EOK) {
++        DEBUG(SSSDBG_FATAL_FAILURE, "Unable to initialize refresh callbacks\n");
++        return ENOMEM;
++    }
+ 
+     return EOK;
+ }
+@@ -220,7 +285,7 @@ struct be_refresh_state {
+     struct tevent_context *ev;
+     struct be_ctx *be_ctx;
+     struct be_refresh_ctx *ctx;
+-    struct be_refresh_cb *cb;
++    struct be_refresh_cb_ctx *cb_ctx;
+ 
+     struct sss_domain_info *domain;
+     enum be_refresh_type index;
+@@ -308,10 +373,11 @@ static errno_t be_refresh_step(struct tevent_req *req)
+ 
+     while (state->domain != NULL) {
+         /* find first enabled callback */
+-        state->cb = &state->ctx->callbacks[state->index];
+-        while (state->index != BE_REFRESH_TYPE_SENTINEL && !state->cb->enabled) {
++        state->cb_ctx = &state->ctx->callbacks[state->index];
++        while (state->index != BE_REFRESH_TYPE_SENTINEL
++                && !state->cb_ctx->enabled) {
+             state->index++;
+-            state->cb = &state->ctx->callbacks[state->index];
++            state->cb_ctx = &state->ctx->callbacks[state->index];
+         }
+ 
+         /* if not found than continue with next domain */
+@@ -322,14 +388,16 @@ static errno_t be_refresh_step(struct tevent_req *req)
+             continue;
+         }
+ 
+-        if (state->cb->send_fn == NULL || state->cb->recv_fn == NULL) {
++        if (state->cb_ctx->cb.send_fn == NULL
++                || state->cb_ctx->cb.recv_fn == NULL) {
+             DEBUG(SSSDBG_CRIT_FAILURE, "Invalid parameters!\n");
+             ret = ERR_INTERNAL;
+             goto done;
+         }
+ 
+         talloc_zfree(state->refresh_values);
+-        ret = be_refresh_get_values(state, state->index, state->cb->attr_name,
++        ret = be_refresh_get_values(state, state->index,
++                                    state->cb_ctx->attr_name,
+                                     state->domain, state->period,
+                                     &state->refresh_values);
+         if (ret != EOK) {
+@@ -343,7 +411,9 @@ static errno_t be_refresh_step(struct tevent_req *req)
+              state->refresh_val_size++);
+ 
+         DEBUG(SSSDBG_TRACE_FUNC, "Refreshing %zu %s in domain %s\n",
+-              state->refresh_val_size, state->cb->name, state->domain->name);
++              state->refresh_val_size,
++              state->cb_ctx->name,
++              state->domain->name);
+ 
+         ret = be_refresh_batch_step(req, 0);
+         if (ret == EOK) {
+@@ -416,10 +486,10 @@ static void be_refresh_batch_step_wakeup(struct tevent_context *ev,
+     state = tevent_req_data(req, struct be_refresh_state);
+ 
+     DEBUG(SSSDBG_TRACE_INTERNAL, "Issuing refresh\n");
+-    subreq = state->cb->send_fn(state, state->ev, state->be_ctx,
+-                                state->domain,
+-                                state->refresh_batch,
+-                                state->cb->pvt);
++    subreq = state->cb_ctx->cb.send_fn(state, state->ev, state->be_ctx,
++                                       state->domain,
++                                       state->refresh_batch,
++                                       state->cb_ctx->cb.pvt);
+     if (subreq == NULL) {
+         tevent_req_error(req, ENOMEM);
+         return;
+@@ -436,7 +506,7 @@ static void be_refresh_done(struct tevent_req *subreq)
+     req = tevent_req_callback_data(subreq, struct tevent_req);
+     state = tevent_req_data(req, struct be_refresh_state);
+ 
+-    ret = state->cb->recv_fn(subreq);
++    ret = state->cb_ctx->cb.recv_fn(subreq);
+     talloc_zfree(subreq);
+     if (ret != EOK) {
+         goto done;
+diff --git a/src/providers/be_refresh.h b/src/providers/be_refresh.h
+index 4ac5b70c2..42d73d938 100644
+--- a/src/providers/be_refresh.h
++++ b/src/providers/be_refresh.h
+@@ -51,16 +51,17 @@ enum be_refresh_type {
+     BE_REFRESH_TYPE_SENTINEL
+ };
+ 
+-struct be_refresh_ctx;
++struct be_refresh_cb {
++    be_refresh_send_t send_fn;
++    be_refresh_recv_t recv_fn;
++    void *pvt;
++};
+ 
+-errno_t be_refresh_ctx_init(struct be_ctx *be_ctx,
+-                            const char *attr_name);
++struct be_refresh_ctx;
+ 
+-errno_t be_refresh_add_cb(struct be_refresh_ctx *ctx,
+-                          enum be_refresh_type type,
+-                          be_refresh_send_t send_fn,
+-                          be_refresh_recv_t recv_fn,
+-                          void *pvt);
++errno_t be_refresh_ctx_init_with_callbacks(struct be_ctx *be_ctx,
++                                           const char *attr_name,
++                                           struct be_refresh_cb *callbacks);
+ 
+ struct tevent_req *be_refresh_send(TALLOC_CTX *mem_ctx,
+                                    struct tevent_context *ev,
+diff --git a/src/providers/ipa/ipa_refresh.c b/src/providers/ipa/ipa_refresh.c
+index bb47b0edf..7b05cf9e4 100644
+--- a/src/providers/ipa/ipa_refresh.c
++++ b/src/providers/ipa/ipa_refresh.c
+@@ -240,52 +240,32 @@ errno_t ipa_refresh_init(struct be_ctx *be_ctx,
+                          struct ipa_id_ctx *id_ctx)
+ {
+     errno_t ret;
+-
+-    ret = be_refresh_ctx_init(be_ctx, SYSDB_NAME);
++    struct be_refresh_cb ipa_refresh_callbacks[] = {
++        { .send_fn = ipa_refresh_initgroups_send,
++          .recv_fn = ipa_refresh_initgroups_recv,
++          .pvt = id_ctx,
++        },
++        { .send_fn = ipa_refresh_users_send,
++          .recv_fn = ipa_refresh_users_recv,
++          .pvt = id_ctx,
++        },
++        { .send_fn = ipa_refresh_groups_send,
++          .recv_fn = ipa_refresh_groups_recv,
++          .pvt = id_ctx,
++        },
++        { .send_fn = ipa_refresh_netgroups_send,
++          .recv_fn = ipa_refresh_netgroups_recv,
++          .pvt = id_ctx,
++        },
++    };
++
++    ret = be_refresh_ctx_init_with_callbacks(be_ctx,
++                                             SYSDB_NAME,
++                                             ipa_refresh_callbacks);
+     if (ret != EOK) {
+-        DEBUG(SSSDBG_FATAL_FAILURE, "Unable to initialize refresh_ctx\n");
+-        return ENOMEM;
+-    }
+-
+-    ret = be_refresh_add_cb(be_ctx->refresh_ctx,
+-                            BE_REFRESH_TYPE_USERS,
+-                            ipa_refresh_initgroups_send,
+-                            ipa_refresh_initgroups_recv,
+-                            id_ctx);
+-    if (ret != EOK && ret != EEXIST) {
+-        DEBUG(SSSDBG_MINOR_FAILURE, "Periodical refresh of initgroups "
+-              "will not work [%d]: %s\n", ret, strerror(ret));
++        DEBUG(SSSDBG_FATAL_FAILURE, "Unable to initialize background refresh\n");
++        return ret;
+     }
+ 
+-    ret = be_refresh_add_cb(be_ctx->refresh_ctx,
+-                            BE_REFRESH_TYPE_USERS,
+-                            ipa_refresh_users_send,
+-                            ipa_refresh_users_recv,
+-                            id_ctx);
+-    if (ret != EOK && ret != EEXIST) {
+-        DEBUG(SSSDBG_MINOR_FAILURE, "Periodical refresh of users "
+-              "will not work [%d]: %s\n", ret, strerror(ret));
+-    }
+-
+-    ret = be_refresh_add_cb(be_ctx->refresh_ctx,
+-                            BE_REFRESH_TYPE_GROUPS,
+-                            ipa_refresh_groups_send,
+-                            ipa_refresh_groups_recv,
+-                            id_ctx);
+-    if (ret != EOK && ret != EEXIST) {
+-        DEBUG(SSSDBG_MINOR_FAILURE, "Periodical refresh of groups "
+-              "will not work [%d]: %s\n", ret, strerror(ret));
+-    }
+-
+-    ret = be_refresh_add_cb(be_ctx->refresh_ctx,
+-                            BE_REFRESH_TYPE_NETGROUPS,
+-                            ipa_refresh_netgroups_send,
+-                            ipa_refresh_netgroups_recv,
+-                            id_ctx);
+-    if (ret != EOK && ret != EEXIST) {
+-        DEBUG(SSSDBG_MINOR_FAILURE, "Periodical refresh of netgroups "
+-              "will not work [%d]: %s\n", ret, strerror(ret));
+-    }
+-
+-    return ret;
++    return EOK;
+ }
+diff --git a/src/providers/ldap/sdap_refresh.c b/src/providers/ldap/sdap_refresh.c
+index 3ceddb61e..ff4d2116d 100644
+--- a/src/providers/ldap/sdap_refresh.c
++++ b/src/providers/ldap/sdap_refresh.c
+@@ -258,41 +258,31 @@ errno_t sdap_refresh_init(struct be_ctx *be_ctx,
+                           struct sdap_id_ctx *id_ctx)
+ {
+     errno_t ret;
+-
+-    ret = be_refresh_ctx_init(be_ctx, SYSDB_NAME);
++    struct be_refresh_cb sdap_refresh_callbacks[] = {
++        { .send_fn = sdap_refresh_initgroups_send,
++          .recv_fn = sdap_refresh_initgroups_recv,
++          .pvt = id_ctx,
++        },
++        { .send_fn = sdap_refresh_users_send,
++          .recv_fn = sdap_refresh_users_recv,
++          .pvt = id_ctx,
++        },
++        { .send_fn = sdap_refresh_groups_send,
++          .recv_fn = sdap_refresh_groups_recv,
++          .pvt = id_ctx,
++        },
++        { .send_fn = sdap_refresh_netgroups_send,
++          .recv_fn = sdap_refresh_netgroups_recv,
++          .pvt = id_ctx,
++        },
++    };
++
++    ret = be_refresh_ctx_init_with_callbacks(be_ctx,
++                                             SYSDB_NAME,
++                                             sdap_refresh_callbacks);
+     if (ret != EOK) {
+-        DEBUG(SSSDBG_FATAL_FAILURE, "Unable to initialize refresh_ctx\n");
+-        return ENOMEM;
+-    }
+-
+-    ret = be_refresh_add_cb(be_ctx->refresh_ctx,
+-                            BE_REFRESH_TYPE_USERS,
+-                            sdap_refresh_users_send,
+-                            sdap_refresh_users_recv,
+-                            id_ctx);
+-    if (ret != EOK && ret != EEXIST) {
+-        DEBUG(SSSDBG_MINOR_FAILURE, "Periodical refresh of users "
+-              "will not work [%d]: %s\n", ret, strerror(ret));
+-    }
+-
+-    ret = be_refresh_add_cb(be_ctx->refresh_ctx,
+-                            BE_REFRESH_TYPE_USERS,
+-                            sdap_refresh_groups_send,
+-                            sdap_refresh_groups_recv,
+-                            id_ctx);
+-    if (ret != EOK && ret != EEXIST) {
+-        DEBUG(SSSDBG_MINOR_FAILURE, "Periodical refresh of groups "
+-              "will not work [%d]: %s\n", ret, strerror(ret));
+-    }
+-
+-    ret = be_refresh_add_cb(be_ctx->refresh_ctx,
+-                            BE_REFRESH_TYPE_USERS,
+-                            sdap_refresh_netgroups_send,
+-                            sdap_refresh_netgroups_recv,
+-                            id_ctx);
+-    if (ret != EOK && ret != EEXIST) {
+-        DEBUG(SSSDBG_MINOR_FAILURE, "Periodical refresh of netgroups "
+-              "will not work [%d]: %s\n", ret, strerror(ret));
++        DEBUG(SSSDBG_FATAL_FAILURE, "Unable to initialize background refresh\n");
++        return ret;
+     }
+ 
+     return ret;
+-- 
+2.20.1
+
diff --git a/SOURCES/0061-IPA-AD-SDAP-BE-Generate-refresh-callbacks-with-a-mac.patch b/SOURCES/0061-IPA-AD-SDAP-BE-Generate-refresh-callbacks-with-a-mac.patch
new file mode 100644
index 0000000..c7fea2b
--- /dev/null
+++ b/SOURCES/0061-IPA-AD-SDAP-BE-Generate-refresh-callbacks-with-a-mac.patch
@@ -0,0 +1,303 @@
+From 441e05790e5efec4928af3d0f93c4eba72d979ae Mon Sep 17 00:00:00 2001
+From: Jakub Hrozek <jhrozek@redhat.com>
+Date: Tue, 25 Jun 2019 15:01:15 +0200
+Subject: [PATCH 61/64] IPA/AD/SDAP/BE: Generate refresh callbacks with a macro
+
+Related: https://pagure.io/SSSD/sssd/issue/4012
+
+The per-object type refresh functions are more or less boilerplate code.
+Even though macro-generated code should be used very rarely, here the
+generated code does not contain any logic at all so it makese sense to
+generate it with macros.
+
+Reviewed-by: Sumit Bose <sbose@redhat.com>
+(cherry picked from commit 60c876aefe2efc5a67929f9b3890b627cea7c549)
+
+Reviewed-by: Sumit Bose <sbose@redhat.com>
+---
+ src/providers/ad/ad_refresh.c     | 71 ++-----------------------------
+ src/providers/be_refresh.h        | 20 +++++++++
+ src/providers/ipa/ipa_refresh.c   | 71 ++-----------------------------
+ src/providers/ldap/sdap_refresh.c | 71 ++-----------------------------
+ 4 files changed, 32 insertions(+), 201 deletions(-)
+
+diff --git a/src/providers/ad/ad_refresh.c b/src/providers/ad/ad_refresh.c
+index ed51b305a..0c2ebce5e 100644
+--- a/src/providers/ad/ad_refresh.c
++++ b/src/providers/ad/ad_refresh.c
+@@ -188,73 +188,10 @@ static errno_t ad_refresh_recv(struct tevent_req *req)
+     return EOK;
+ }
+ 
+-static struct tevent_req *
+-ad_refresh_initgroups_send(TALLOC_CTX *mem_ctx,
+-                           struct tevent_context *ev,
+-                           struct be_ctx *be_ctx,
+-                           struct sss_domain_info *domain,
+-                           char **names,
+-                           void *pvt)
+-{
+-    return ad_refresh_send(mem_ctx, ev, be_ctx, domain,
+-                           BE_REQ_INITGROUPS, names, pvt);
+-}
+-
+-static errno_t ad_refresh_initgroups_recv(struct tevent_req *req)
+-{
+-    return ad_refresh_recv(req);
+-}
+-
+-static struct tevent_req *
+-ad_refresh_users_send(TALLOC_CTX *mem_ctx,
+-                      struct tevent_context *ev,
+-                      struct be_ctx *be_ctx,
+-                      struct sss_domain_info *domain,
+-                      char **names,
+-                      void *pvt)
+-{
+-    return ad_refresh_send(mem_ctx, ev, be_ctx, domain,
+-                           BE_REQ_USER, names, pvt);
+-}
+-
+-static errno_t ad_refresh_users_recv(struct tevent_req *req)
+-{
+-    return ad_refresh_recv(req);
+-}
+-
+-static struct tevent_req *
+-ad_refresh_groups_send(TALLOC_CTX *mem_ctx,
+-                       struct tevent_context *ev,
+-                       struct be_ctx *be_ctx,
+-                       struct sss_domain_info *domain,
+-                       char **names,
+-                       void *pvt)
+-{
+-    return ad_refresh_send(mem_ctx, ev, be_ctx, domain,
+-                           BE_REQ_GROUP, names, pvt);
+-}
+-
+-static errno_t ad_refresh_groups_recv(struct tevent_req *req)
+-{
+-    return ad_refresh_recv(req);
+-}
+-
+-static struct tevent_req *
+-ad_refresh_netgroups_send(TALLOC_CTX *mem_ctx,
+-                          struct tevent_context *ev,
+-                          struct be_ctx *be_ctx,
+-                          struct sss_domain_info *domain,
+-                          char **names,
+-                          void *pvt)
+-{
+-    return ad_refresh_send(mem_ctx, ev, be_ctx, domain,
+-                           BE_REQ_NETGROUP, names, pvt);
+-}
+-
+-static errno_t ad_refresh_netgroups_recv(struct tevent_req *req)
+-{
+-    return ad_refresh_recv(req);
+-}
++REFRESH_SEND_RECV_FNS(ad_refresh_initgroups, ad_refresh, BE_REQ_INITGROUPS);
++REFRESH_SEND_RECV_FNS(ad_refresh_users, ad_refresh, BE_REQ_USER);
++REFRESH_SEND_RECV_FNS(ad_refresh_groups, ad_refresh, BE_REQ_GROUP);
++REFRESH_SEND_RECV_FNS(ad_refresh_netgroups, ad_refresh, BE_REQ_NETGROUP);
+ 
+ errno_t ad_refresh_init(struct be_ctx *be_ctx,
+                         struct ad_id_ctx *id_ctx)
+diff --git a/src/providers/be_refresh.h b/src/providers/be_refresh.h
+index 42d73d938..68be40118 100644
+--- a/src/providers/be_refresh.h
++++ b/src/providers/be_refresh.h
+@@ -29,6 +29,26 @@
+ /* solve circular dependency */
+ struct be_ctx;
+ 
++#define REFRESH_SEND_RECV_FNS(outer_base, inner_base, req_type) \
++                                                                \
++static struct tevent_req *                                      \
++outer_base ##_send(TALLOC_CTX *mem_ctx,                         \
++                   struct tevent_context *ev,                   \
++                   struct be_ctx *be_ctx,                       \
++                   struct sss_domain_info *domain,              \
++                   char **names,                                \
++                   void *pvt)                                   \
++{                                                               \
++    return inner_base ##_send(mem_ctx, ev,                      \
++                              be_ctx, domain,                   \
++                              req_type, names, pvt);            \
++}                                                               \
++                                                                \
++static errno_t outer_base ##_recv(struct tevent_req *req)       \
++{                                                               \
++    return inner_base ##_recv(req);                             \
++}                                                               \
++
+ /**
+  * name_list contains SYSDB_NAME of all expired records.
+  */
+diff --git a/src/providers/ipa/ipa_refresh.c b/src/providers/ipa/ipa_refresh.c
+index 7b05cf9e4..13c38dff9 100644
+--- a/src/providers/ipa/ipa_refresh.c
++++ b/src/providers/ipa/ipa_refresh.c
+@@ -168,73 +168,10 @@ static errno_t ipa_refresh_recv(struct tevent_req *req)
+     return EOK;
+ }
+ 
+-static struct tevent_req *
+-ipa_refresh_initgroups_send(TALLOC_CTX *mem_ctx,
+-                            struct tevent_context *ev,
+-                            struct be_ctx *be_ctx,
+-                            struct sss_domain_info *domain,
+-                            char **names,
+-                            void *pvt)
+-{
+-    return ipa_refresh_send(mem_ctx, ev, be_ctx, domain,
+-                           BE_REQ_INITGROUPS, names, pvt);
+-}
+-
+-static errno_t ipa_refresh_initgroups_recv(struct tevent_req *req)
+-{
+-    return ipa_refresh_recv(req);
+-}
+-
+-static struct tevent_req *
+-ipa_refresh_users_send(TALLOC_CTX *mem_ctx,
+-                        struct tevent_context *ev,
+-                        struct be_ctx *be_ctx,
+-                        struct sss_domain_info *domain,
+-                        char **names,
+-                        void *pvt)
+-{
+-    return ipa_refresh_send(mem_ctx, ev, be_ctx, domain,
+-                           BE_REQ_USER, names, pvt);
+-}
+-
+-static errno_t ipa_refresh_users_recv(struct tevent_req *req)
+-{
+-    return ipa_refresh_recv(req);
+-}
+-
+-static struct tevent_req *
+-ipa_refresh_groups_send(TALLOC_CTX *mem_ctx,
+-                         struct tevent_context *ev,
+-                         struct be_ctx *be_ctx,
+-                         struct sss_domain_info *domain,
+-                         char **names,
+-                         void *pvt)
+-{
+-    return ipa_refresh_send(mem_ctx, ev, be_ctx, domain,
+-                           BE_REQ_GROUP, names, pvt);
+-}
+-
+-static errno_t ipa_refresh_groups_recv(struct tevent_req *req)
+-{
+-    return ipa_refresh_recv(req);
+-}
+-
+-static struct tevent_req *
+-ipa_refresh_netgroups_send(TALLOC_CTX *mem_ctx,
+-                            struct tevent_context *ev,
+-                            struct be_ctx *be_ctx,
+-                            struct sss_domain_info *domain,
+-                            char **names,
+-                            void *pvt)
+-{
+-    return ipa_refresh_send(mem_ctx, ev, be_ctx, domain,
+-                           BE_REQ_NETGROUP, names, pvt);
+-}
+-
+-static errno_t ipa_refresh_netgroups_recv(struct tevent_req *req)
+-{
+-    return ipa_refresh_recv(req);
+-}
++REFRESH_SEND_RECV_FNS(ipa_refresh_initgroups, ipa_refresh, BE_REQ_INITGROUPS);
++REFRESH_SEND_RECV_FNS(ipa_refresh_users, ipa_refresh, BE_REQ_USER);
++REFRESH_SEND_RECV_FNS(ipa_refresh_groups, ipa_refresh, BE_REQ_GROUP);
++REFRESH_SEND_RECV_FNS(ipa_refresh_netgroups, ipa_refresh, BE_REQ_NETGROUP);
+ 
+ errno_t ipa_refresh_init(struct be_ctx *be_ctx,
+                          struct ipa_id_ctx *id_ctx)
+diff --git a/src/providers/ldap/sdap_refresh.c b/src/providers/ldap/sdap_refresh.c
+index ff4d2116d..4e464b2f6 100644
+--- a/src/providers/ldap/sdap_refresh.c
++++ b/src/providers/ldap/sdap_refresh.c
+@@ -186,73 +186,10 @@ static errno_t sdap_refresh_recv(struct tevent_req *req)
+     return EOK;
+ }
+ 
+-static struct tevent_req *
+-sdap_refresh_initgroups_send(TALLOC_CTX *mem_ctx,
+-                        struct tevent_context *ev,
+-                        struct be_ctx *be_ctx,
+-                        struct sss_domain_info *domain,
+-                        char **names,
+-                        void *pvt)
+-{
+-    return sdap_refresh_send(mem_ctx, ev, be_ctx, domain,
+-                             BE_REQ_INITGROUPS, names, pvt);
+-}
+-
+-static errno_t sdap_refresh_initgroups_recv(struct tevent_req *req)
+-{
+-    return sdap_refresh_recv(req);
+-}
+-
+-static struct tevent_req *
+-sdap_refresh_users_send(TALLOC_CTX *mem_ctx,
+-                        struct tevent_context *ev,
+-                        struct be_ctx *be_ctx,
+-                        struct sss_domain_info *domain,
+-                        char **names,
+-                        void *pvt)
+-{
+-    return sdap_refresh_send(mem_ctx, ev, be_ctx, domain,
+-                             BE_REQ_USER, names, pvt);
+-}
+-
+-static errno_t sdap_refresh_users_recv(struct tevent_req *req)
+-{
+-    return sdap_refresh_recv(req);
+-}
+-
+-static struct tevent_req *
+-sdap_refresh_groups_send(TALLOC_CTX *mem_ctx,
+-                         struct tevent_context *ev,
+-                         struct be_ctx *be_ctx,
+-                         struct sss_domain_info *domain,
+-                         char **names,
+-                         void *pvt)
+-{
+-    return sdap_refresh_send(mem_ctx, ev, be_ctx, domain,
+-                             BE_REQ_GROUP, names, pvt);
+-}
+-
+-static errno_t sdap_refresh_groups_recv(struct tevent_req *req)
+-{
+-    return sdap_refresh_recv(req);
+-}
+-
+-static struct tevent_req *
+-sdap_refresh_netgroups_send(TALLOC_CTX *mem_ctx,
+-                            struct tevent_context *ev,
+-                            struct be_ctx *be_ctx,
+-                            struct sss_domain_info *domain,
+-                            char **names,
+-                            void *pvt)
+-{
+-    return sdap_refresh_send(mem_ctx, ev, be_ctx, domain,
+-                             BE_REQ_NETGROUP, names, pvt);
+-}
+-
+-static errno_t sdap_refresh_netgroups_recv(struct tevent_req *req)
+-{
+-    return sdap_refresh_recv(req);
+-}
++REFRESH_SEND_RECV_FNS(sdap_refresh_initgroups, sdap_refresh, BE_REQ_INITGROUPS);
++REFRESH_SEND_RECV_FNS(sdap_refresh_users, sdap_refresh, BE_REQ_USER);
++REFRESH_SEND_RECV_FNS(sdap_refresh_groups, sdap_refresh, BE_REQ_GROUP);
++REFRESH_SEND_RECV_FNS(sdap_refresh_netgroups, sdap_refresh, BE_REQ_NETGROUP);
+ 
+ errno_t sdap_refresh_init(struct be_ctx *be_ctx,
+                           struct sdap_id_ctx *id_ctx)
+-- 
+2.20.1
+
diff --git a/SOURCES/0062-MAN-Amend-the-documentation-for-the-background-refre.patch b/SOURCES/0062-MAN-Amend-the-documentation-for-the-background-refre.patch
new file mode 100644
index 0000000..c0b6a83
--- /dev/null
+++ b/SOURCES/0062-MAN-Amend-the-documentation-for-the-background-refre.patch
@@ -0,0 +1,39 @@
+From 84f2dca9c02908eaed1a5bea2d44329e1050f9c7 Mon Sep 17 00:00:00 2001
+From: Jakub Hrozek <jhrozek@redhat.com>
+Date: Wed, 26 Jun 2019 12:43:45 +0200
+Subject: [PATCH 62/64] MAN: Amend the documentation for the background refresh
+
+Related: https://pagure.io/SSSD/sssd/issue/4012
+
+Reviewed-by: Sumit Bose <sbose@redhat.com>
+(cherry picked from commit 039384b8851bb6a2513af83dba0df318432e0c63)
+
+Reviewed-by: Sumit Bose <sbose@redhat.com>
+---
+ src/man/sssd.conf.5.xml | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+diff --git a/src/man/sssd.conf.5.xml b/src/man/sssd.conf.5.xml
+index 3f05b3942..277a3c0cb 100644
+--- a/src/man/sssd.conf.5.xml
++++ b/src/man/sssd.conf.5.xml
+@@ -2081,7 +2081,15 @@ pam_p11_allowed_services = +my_pam_service, -login
+                         </para>
+                         <para>
+                             The background refresh will process users,
+-                            groups and netgroups in the cache.
++                            groups and netgroups in the cache. For users
++                            who have performed the initgroups (get group
++                            membership for user, typically ran at login)
++                            operation in the past, both the user entry
++                            and the group membership are updated.
++                        </para>
++                        <para>
++                            This option is automatically inherited for all
++                            trusted domains.
+                         </para>
+                         <para>
+                             You can consider setting this value to
+-- 
+2.20.1
+
diff --git a/SOURCES/0063-DP-SYSDB-Move-the-code-to-set-initgrExpireTimestamp-.patch b/SOURCES/0063-DP-SYSDB-Move-the-code-to-set-initgrExpireTimestamp-.patch
new file mode 100644
index 0000000..c759d4f
--- /dev/null
+++ b/SOURCES/0063-DP-SYSDB-Move-the-code-to-set-initgrExpireTimestamp-.patch
@@ -0,0 +1,219 @@
+From 3543c929ea2264ae83cc5de195a33b48da5dfd16 Mon Sep 17 00:00:00 2001
+From: Jakub Hrozek <jhrozek@redhat.com>
+Date: Mon, 1 Jul 2019 14:15:29 +0200
+Subject: [PATCH 63/64] DP/SYSDB: Move the code to set initgrExpireTimestamp to
+ a reusable function
+
+Related: https://pagure.io/SSSD/sssd/issue/4012
+
+Because the initgroups request can, especially in the case of IPA provider
+with trusts, contain several sub-requests that run some provider-specific
+initgroups internally and then run post-processing AND because at the same
+time concurrent requests in the responder need to be sure that the
+initgrExpireTimestamp is only increased when the initgroups request is
+really done, we only set the initgrExpireTimestamp in the DP when the
+request finishes.
+
+This means, the background refresh task needs to also set the
+initgrExpireTimestamp attribute on its own as well. This patch so far
+splits the helper function into a reusable one so it can later be used
+by the background refresh.
+
+For examples of the bugs caused by the initgrTimestamp being set before
+the whole multi-step operation finishes, please see tickets #3744
+or #2634.
+
+Reviewed-by: Sumit Bose <sbose@redhat.com>
+(cherry picked from commit 7a08d1dea8cb9148ba1afe13f4d4567229c9b381)
+
+Reviewed-by: Sumit Bose <sbose@redhat.com>
+---
+ src/db/sysdb.h                             | 11 ++++
+ src/db/sysdb_ops.c                         | 70 ++++++++++++++++++++++
+ src/providers/data_provider/dp_target_id.c | 55 ++---------------
+ 3 files changed, 85 insertions(+), 51 deletions(-)
+
+diff --git a/src/db/sysdb.h b/src/db/sysdb.h
+index 15df1a726..dfd91f6b8 100644
+--- a/src/db/sysdb.h
++++ b/src/db/sysdb.h
+@@ -1122,6 +1122,17 @@ errno_t sysdb_store_override(struct sss_domain_info *domain,
+                              enum sysdb_member_type type,
+                              struct sysdb_attrs *attrs, struct ldb_dn *obj_dn);
+ 
++/*
++ * Cache the time of last initgroups invocation. Typically this is not done when
++ * the provider-specific request itself finishes, because currently the request
++ * might hand over to other requests from a different provider (e.g. an AD user
++ * from a trusted domain might need to also call an IPA request to fetch the
++ * external groups). Instead, the caller of the initgroups request, typically
++ * the DP or the periodical refresh task sets the timestamp.
++ */
++errno_t sysdb_set_initgr_expire_timestamp(struct sss_domain_info *domain,
++                                          const char *name_or_upn_or_sid);
++
+ /* Password caching function.
+  * If you are in a transaction ignore sysdb and pass in the handle.
+  * If you are not in a transaction pass NULL in handle and provide sysdb,
+diff --git a/src/db/sysdb_ops.c b/src/db/sysdb_ops.c
+index 340062f6f..fa3842d8f 100644
+--- a/src/db/sysdb_ops.c
++++ b/src/db/sysdb_ops.c
+@@ -3259,6 +3259,76 @@ int sysdb_cache_password(struct sss_domain_info *domain,
+                                    SSS_AUTHTOK_TYPE_PASSWORD, 0);
+ }
+ 
++static errno_t set_initgroups_expire_attribute(struct sss_domain_info *domain,
++                                               const char *name)
++{
++    errno_t ret;
++    time_t cache_timeout;
++    struct sysdb_attrs *attrs;
++
++    attrs = sysdb_new_attrs(NULL);
++    if (attrs == NULL) {
++        return ENOMEM;
++    }
++
++    cache_timeout = domain->user_timeout
++                        ? time(NULL) + domain->user_timeout
++                        : 0;
++
++    ret = sysdb_attrs_add_time_t(attrs, SYSDB_INITGR_EXPIRE, cache_timeout);
++    if (ret != EOK) {
++        DEBUG(SSSDBG_CRIT_FAILURE, "Could not set up attrs\n");
++        goto done;
++    }
++
++    ret = sysdb_set_user_attr(domain, name, attrs, SYSDB_MOD_REP);
++    if (ret != EOK) {
++        DEBUG(SSSDBG_CRIT_FAILURE,
++              "Failed to set initgroups expire attribute\n");
++        goto done;
++    }
++
++done:
++    talloc_zfree(attrs);
++    return ret;
++}
++
++errno_t sysdb_set_initgr_expire_timestamp(struct sss_domain_info *domain,
++                                          const char *name_or_upn_or_sid)
++{
++    const char *cname;
++    errno_t ret;
++    TALLOC_CTX *tmp_ctx;
++
++    tmp_ctx = talloc_new(NULL);
++    if (!tmp_ctx) {
++        return ENOMEM;
++    }
++
++    ret = sysdb_get_real_name(tmp_ctx, domain, name_or_upn_or_sid, &cname);
++    if (ret == ENOENT) {
++        /* No point trying to bump timestamp of an entry that does not exist..*/
++        ret = EOK;
++        goto done;
++    } else if (ret != EOK) {
++        cname = name_or_upn_or_sid;
++        DEBUG(SSSDBG_MINOR_FAILURE,
++              "Failed to canonicalize name, using [%s]\n", name_or_upn_or_sid);
++    }
++
++    ret = set_initgroups_expire_attribute(domain, cname);
++    if (ret != EOK) {
++        DEBUG(SSSDBG_MINOR_FAILURE,
++              "Cannot set the initgroups expire attribute [%d]: %s\n",
++              ret, sss_strerror(ret));
++    }
++
++    ret = EOK;
++done:
++    talloc_free(tmp_ctx);
++    return ret;
++}
++
+ /* =Custom Search================== */
+ 
+ int sysdb_search_custom(TALLOC_CTX *mem_ctx,
+diff --git a/src/providers/data_provider/dp_target_id.c b/src/providers/data_provider/dp_target_id.c
+index d123638eb..591ddd32d 100644
+--- a/src/providers/data_provider/dp_target_id.c
++++ b/src/providers/data_provider/dp_target_id.c
+@@ -372,69 +372,22 @@ done:
+     talloc_free(tmp_ctx);
+ }
+ 
+-static errno_t set_initgroups_expire_attribute(struct sss_domain_info *domain,
+-                                               const char *name)
+-{
+-    errno_t ret;
+-    time_t cache_timeout;
+-    struct sysdb_attrs *attrs;
+-
+-    attrs = sysdb_new_attrs(NULL);
+-    if (attrs == NULL) {
+-        return ENOMEM;
+-    }
+-
+-    cache_timeout = domain->user_timeout
+-                        ? time(NULL) + domain->user_timeout
+-                        : 0;
+-
+-    ret = sysdb_attrs_add_time_t(attrs, SYSDB_INITGR_EXPIRE, cache_timeout);
+-    if (ret != EOK) {
+-        DEBUG(SSSDBG_CRIT_FAILURE, "Could not set up attrs\n");
+-        goto done;
+-    }
+-
+-    ret = sysdb_set_user_attr(domain, name, attrs, SYSDB_MOD_REP);
+-    if (ret != EOK) {
+-        DEBUG(SSSDBG_CRIT_FAILURE,
+-              "Failed to set initgroups expire attribute\n");
+-        goto done;
+-    }
+-
+-done:
+-    talloc_zfree(attrs);
+-    return ret;
+-}
+-
+ static void dp_req_initgr_pp_set_initgr_timestamp(struct dp_initgr_ctx *ctx,
+                                                   struct dp_reply_std *reply)
+ {
+     errno_t ret;
+-    const char *cname;
+ 
+     if (reply->dp_error != DP_ERR_OK || reply->error != EOK) {
+         /* Only bump the timestamp on successful lookups */
+         return;
+     }
+ 
+-    ret = sysdb_get_real_name(ctx,
+-                              ctx->domain_info,
+-                              ctx->filter_value,
+-                              &cname);
+-    if (ret == ENOENT) {
+-        /* No point trying to bump timestamp of an entry that does not exist..*/
+-        return;
+-    } else if (ret != EOK) {
+-        cname = ctx->filter_value;
+-        DEBUG(SSSDBG_MINOR_FAILURE,
+-              "Failed to canonicalize name, using [%s]\n", cname);
+-    }
+-
+-    ret = set_initgroups_expire_attribute(ctx->domain_info, cname);
++    ret = sysdb_set_initgr_expire_timestamp(ctx->domain_info,
++                                            ctx->filter_value);
+     if (ret != EOK) {
+         DEBUG(SSSDBG_MINOR_FAILURE,
+-              "Cannot set the initgroups expire attribute [%d]: %s\n",
+-              ret, sss_strerror(ret));
++              "Failed to set initgroups expiration for [%s]\n",
++              ctx->filter_value);
+     }
+ }
+ 
+-- 
+2.20.1
+
diff --git a/SOURCES/0064-IPA-AD-LDAP-Increase-the-initgrExpireTimestamp-after.patch b/SOURCES/0064-IPA-AD-LDAP-Increase-the-initgrExpireTimestamp-after.patch
new file mode 100644
index 0000000..7062c3c
--- /dev/null
+++ b/SOURCES/0064-IPA-AD-LDAP-Increase-the-initgrExpireTimestamp-after.patch
@@ -0,0 +1,140 @@
+From e20452153abfc6bd6e941ba10d2e2cd2bc811139 Mon Sep 17 00:00:00 2001
+From: Jakub Hrozek <jhrozek@redhat.com>
+Date: Mon, 1 Jul 2019 14:26:38 +0200
+Subject: [PATCH 64/64] IPA/AD/LDAP: Increase the initgrExpireTimestamp after
+ finishing refresh request
+
+Related: https://pagure.io/SSSD/sssd/issue/4012
+
+Calls sysdb_set_initgr_expire_timestamp() after each successfull refresh
+of initgroups data to make sure the initgrExpireTimestamp attribute is
+increased.
+
+If you're wondering why the timestamp is not set by the initgroups operation
+itself, see tickets #3744 or #2634 for examples of bugs caused by setting
+the initgrExpireTimestamp too soon.
+
+Reviewed-by: Sumit Bose <sbose@redhat.com>
+(cherry picked from commit cdc44a05d11ae614eb55f219f70150d241cd850f)
+
+Reviewed-by: Sumit Bose <sbose@redhat.com>
+---
+ src/providers/ad/ad_refresh.c     | 12 ++++++++++++
+ src/providers/ipa/ipa_refresh.c   | 12 ++++++++++++
+ src/providers/ldap/sdap_refresh.c | 12 ++++++++++++
+ 3 files changed, 36 insertions(+)
+
+diff --git a/src/providers/ad/ad_refresh.c b/src/providers/ad/ad_refresh.c
+index 0c2ebce5e..7aa56f33e 100644
+--- a/src/providers/ad/ad_refresh.c
++++ b/src/providers/ad/ad_refresh.c
+@@ -26,6 +26,7 @@ struct ad_refresh_state {
+     struct be_ctx *be_ctx;
+     struct dp_id_data *account_req;
+     struct ad_id_ctx *id_ctx;
++    struct sss_domain_info *domain;
+     char **names;
+     size_t index;
+ };
+@@ -60,6 +61,7 @@ static struct tevent_req *ad_refresh_send(TALLOC_CTX *mem_ctx,
+ 
+     state->ev = ev;
+     state->be_ctx = be_ctx;
++    state->domain = domain;
+     state->id_ctx = talloc_get_type(pvt, struct ad_id_ctx);
+     state->names = names;
+     state->index = 0;
+@@ -167,6 +169,16 @@ static void ad_refresh_done(struct tevent_req *subreq)
+         goto done;
+     }
+ 
++    if (state->account_req->entry_type == BE_REQ_INITGROUPS) {
++        ret = sysdb_set_initgr_expire_timestamp(state->domain,
++                                                state->account_req->filter_value);
++        if (ret != EOK) {
++            DEBUG(SSSDBG_MINOR_FAILURE,
++                  "Failed to set initgroups expiration for [%s]\n",
++                  state->account_req->filter_value);
++        }
++    }
++
+     ret = ad_refresh_step(req);
+     if (ret == EAGAIN) {
+         return;
+diff --git a/src/providers/ipa/ipa_refresh.c b/src/providers/ipa/ipa_refresh.c
+index 13c38dff9..64f8db812 100644
+--- a/src/providers/ipa/ipa_refresh.c
++++ b/src/providers/ipa/ipa_refresh.c
+@@ -26,6 +26,7 @@ struct ipa_refresh_state {
+     struct be_ctx *be_ctx;
+     struct dp_id_data *account_req;
+     struct ipa_id_ctx *id_ctx;
++    struct sss_domain_info *domain;
+     char **names;
+     size_t index;
+ };
+@@ -59,6 +60,7 @@ static struct tevent_req *ipa_refresh_send(TALLOC_CTX *mem_ctx,
+ 
+     state->ev = ev;
+     state->be_ctx = be_ctx;
++    state->domain = domain;
+     state->id_ctx = talloc_get_type(pvt, struct ipa_id_ctx);
+     state->names = names;
+     state->index = 0;
+@@ -147,6 +149,16 @@ static void ipa_refresh_done(struct tevent_req *subreq)
+         goto done;
+     }
+ 
++    if (state->account_req->entry_type == BE_REQ_INITGROUPS) {
++        ret = sysdb_set_initgr_expire_timestamp(state->domain,
++                                                state->account_req->filter_value);
++        if (ret != EOK) {
++            DEBUG(SSSDBG_MINOR_FAILURE,
++                  "Failed to set initgroups expiration for [%s]\n",
++                  state->account_req->filter_value);
++        }
++    }
++
+     ret = ipa_refresh_step(req);
+     if (ret == EAGAIN) {
+         return;
+diff --git a/src/providers/ldap/sdap_refresh.c b/src/providers/ldap/sdap_refresh.c
+index 4e464b2f6..402db53a9 100644
+--- a/src/providers/ldap/sdap_refresh.c
++++ b/src/providers/ldap/sdap_refresh.c
+@@ -29,6 +29,7 @@ struct sdap_refresh_state {
+     struct be_ctx *be_ctx;
+     struct dp_id_data *account_req;
+     struct sdap_id_ctx *id_ctx;
++    struct sss_domain_info *domain;
+     struct sdap_domain *sdom;
+     char **names;
+     size_t index;
+@@ -63,6 +64,7 @@ static struct tevent_req *sdap_refresh_send(TALLOC_CTX *mem_ctx,
+ 
+     state->ev = ev;
+     state->be_ctx = be_ctx;
++    state->domain = domain;
+     state->id_ctx = talloc_get_type(pvt, struct sdap_id_ctx);
+     state->names = names;
+     state->index = 0;
+@@ -165,6 +167,16 @@ static void sdap_refresh_done(struct tevent_req *subreq)
+         goto done;
+     }
+ 
++    if (state->account_req->entry_type == BE_REQ_INITGROUPS) {
++        ret = sysdb_set_initgr_expire_timestamp(state->domain,
++                                                state->account_req->filter_value);
++        if (ret != EOK) {
++            DEBUG(SSSDBG_MINOR_FAILURE,
++                  "Failed to set initgroups expiration for [%s]\n",
++                  state->account_req->filter_value);
++        }
++    }
++
+     ret = sdap_refresh_step(req);
+     if (ret == EAGAIN) {
+         return;
+-- 
+2.20.1
+
diff --git a/SOURCES/0065-sss_ptr_hash-add-sss_ptr_get_value-to-make-it-useful.patch b/SOURCES/0065-sss_ptr_hash-add-sss_ptr_get_value-to-make-it-useful.patch
new file mode 100644
index 0000000..50466dc
--- /dev/null
+++ b/SOURCES/0065-sss_ptr_hash-add-sss_ptr_get_value-to-make-it-useful.patch
@@ -0,0 +1,102 @@
+From 79560617790781384dda2751701b523aed6b5cb4 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
+Date: Sat, 3 Feb 2018 10:58:06 +0100
+Subject: [PATCH 65/90] sss_ptr_hash: add sss_ptr_get_value to make it useful
+ in delete callbacks
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
+
+Reviewed-by: Tomáš Halman <thalman@redhat.com>
+---
+ src/util/sss_ptr_hash.c | 31 +++++++++++++++++++++++++++++++
+ src/util/sss_ptr_hash.h | 15 +++++++++++++++
+ 2 files changed, 46 insertions(+)
+
+diff --git a/src/util/sss_ptr_hash.c b/src/util/sss_ptr_hash.c
+index 0f884c8b6..bc0db6f48 100644
+--- a/src/util/sss_ptr_hash.c
++++ b/src/util/sss_ptr_hash.c
+@@ -263,6 +263,12 @@ sss_ptr_hash_lookup_internal(hash_table_t *table,
+         return NULL;
+     }
+ 
++    /* This may happen if we are in delete callback
++     * and we try to search the hash table. */
++    if (table_value.ptr == NULL) {
++        return NULL;
++    }
++
+     if (!sss_ptr_hash_check_type(table_value.ptr, "struct sss_ptr_hash_value")) {
+         return NULL;
+     }
+@@ -288,6 +294,31 @@ void *_sss_ptr_hash_lookup(hash_table_t *table,
+     return value->ptr;
+ }
+ 
++void *_sss_ptr_get_value(hash_value_t *table_value,
++                         const char *type)
++{
++    struct sss_ptr_hash_value *value;
++
++    /* Check value type. */
++    if (table_value->type != HASH_VALUE_PTR) {
++        DEBUG(SSSDBG_CRIT_FAILURE, "Invalid value type found: %d\n",
++              table_value->type);
++        return NULL;
++    }
++
++    if (!sss_ptr_hash_check_type(table_value->ptr, "struct sss_ptr_hash_value")) {
++        return NULL;
++    }
++
++    value = table_value->ptr;
++
++    if (!sss_ptr_hash_check_type(value->ptr, type)) {
++        return NULL;
++    }
++
++    return value->ptr;
++}
++
+ void sss_ptr_hash_delete(hash_table_t *table,
+                          const char *key,
+                          bool free_value)
+diff --git a/src/util/sss_ptr_hash.h b/src/util/sss_ptr_hash.h
+index 510b9544f..56bb19a65 100644
+--- a/src/util/sss_ptr_hash.h
++++ b/src/util/sss_ptr_hash.h
+@@ -24,6 +24,8 @@
+ #include <talloc.h>
+ #include <dhash.h>
+ 
++#include "util/util.h"
++
+ /**
+  * Create a new hash table with string key and talloc pointer value with
+  * possible delete callback.
+@@ -91,6 +93,19 @@ void *_sss_ptr_hash_lookup(hash_table_t *table,
+ #define sss_ptr_hash_lookup(table, key, type) \
+     (type *)_sss_ptr_hash_lookup(table, key, #type)
+ 
++void *_sss_ptr_get_value(hash_value_t *table_value,
++                         const char *type);
++
++/**
++ * Obtain inserted talloc pointer from table value typed to @type.
++ * The type of the value must match with @type, otherwise NULL is returned.
++ *
++ * @return talloc_ptr If the value is found as type matches.
++ * @return NULL If the value is not found or if the type is invalid.
++ */
++#define sss_ptr_get_value(table_value, type) \
++    (type *)_sss_ptr_get_value(table_value, #type)
++
+ /**
+  * Delete @key from table. If @free_value is true then also the value
+  * associated with @key is freed, otherwise it is left intact.
+-- 
+2.20.1
+
diff --git a/SOURCES/0066-sss_ptr_hash-keep-value-pointer-when-destroying-spy.patch b/SOURCES/0066-sss_ptr_hash-keep-value-pointer-when-destroying-spy.patch
new file mode 100644
index 0000000..0350bcf
--- /dev/null
+++ b/SOURCES/0066-sss_ptr_hash-keep-value-pointer-when-destroying-spy.patch
@@ -0,0 +1,34 @@
+From 00926ab450074741e2a2b5c699c440e6309e3bff Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
+Date: Mon, 2 Sep 2019 13:48:13 +0200
+Subject: [PATCH 66/90] sss_ptr_hash: keep value pointer when destroying spy
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Oterwise its value in delete callback is NULL.
+
+Reviewed-by: Tomáš Halman <thalman@redhat.com>
+---
+ src/util/sss_ptr_hash.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/util/sss_ptr_hash.c b/src/util/sss_ptr_hash.c
+index bc0db6f48..e8fd19ca8 100644
+--- a/src/util/sss_ptr_hash.c
++++ b/src/util/sss_ptr_hash.c
+@@ -59,10 +59,10 @@ static int
+ sss_ptr_hash_spy_destructor(struct sss_ptr_hash_spy *spy)
+ {
+     spy->value->spy = NULL;
+-    spy->value->ptr = NULL;
+ 
+     /* This results in removing entry from hash table and freeing the value. */
+     sss_ptr_hash_delete(spy->table, spy->key, false);
++
+     return 0;
+ }
+ 
+-- 
+2.20.1
+
diff --git a/SOURCES/0067-autofs-fix-typo-in-test-tool.patch b/SOURCES/0067-autofs-fix-typo-in-test-tool.patch
new file mode 100644
index 0000000..97fb9b0
--- /dev/null
+++ b/SOURCES/0067-autofs-fix-typo-in-test-tool.patch
@@ -0,0 +1,29 @@
+From 49ad0b9b84c88d52694c8e9f5582dc49d0f87e2a Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
+Date: Mon, 5 Aug 2019 10:21:30 +0200
+Subject: [PATCH 67/90] autofs: fix typo in test tool
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Reviewed-by: Tomáš Halman <thalman@redhat.com>
+---
+ src/sss_client/autofs/autofs_test_client.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/sss_client/autofs/autofs_test_client.c b/src/sss_client/autofs/autofs_test_client.c
+index f4395ff7c..6bbd2a0e8 100644
+--- a/src/sss_client/autofs/autofs_test_client.c
++++ b/src/sss_client/autofs/autofs_test_client.c
+@@ -103,7 +103,7 @@ int main(int argc, const char *argv[])
+         if (ret == ENOENT) {
+             fprintf(stderr, "no such entry in map\n");
+         } else if (ret != 0) {
+-            fprintf(stderr, "getautomntent_r failed [%d]: %s\n",
++            fprintf(stderr, "getautomntbyname_r failed [%d]: %s\n",
+                     ret, strerror(ret));
+             goto end;
+         } else {
+-- 
+2.20.1
+
diff --git a/SOURCES/0068-sysdb-add-expiration-time-to-autofs-entries.patch b/SOURCES/0068-sysdb-add-expiration-time-to-autofs-entries.patch
new file mode 100644
index 0000000..36b09c3
--- /dev/null
+++ b/SOURCES/0068-sysdb-add-expiration-time-to-autofs-entries.patch
@@ -0,0 +1,155 @@
+From ccf14f490985b96bd6f5871b55c1398024e34af0 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
+Date: Tue, 13 Aug 2019 12:21:47 +0200
+Subject: [PATCH 68/90] sysdb: add expiration time to autofs entries
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+This will be later used to expire single entries during
+`get entry by name` operation.
+
+Resolves:
+https://pagure.io/SSSD/sssd/issue/2607
+
+Reviewed-by: Tomáš Halman <thalman@redhat.com>
+---
+ src/db/sysdb_autofs.c                  | 13 ++++++++++++-
+ src/db/sysdb_autofs.h                  |  4 +++-
+ src/db/sysdb_upgrade.c                 |  2 +-
+ src/providers/ldap/sdap_async_autofs.c | 11 ++++++++---
+ src/tests/sysdb-tests.c                |  4 ++--
+ 5 files changed, 26 insertions(+), 8 deletions(-)
+
+diff --git a/src/db/sysdb_autofs.c b/src/db/sysdb_autofs.c
+index 89803a778..c92a51658 100644
+--- a/src/db/sysdb_autofs.c
++++ b/src/db/sysdb_autofs.c
+@@ -248,7 +248,9 @@ sysdb_save_autofsentry(struct sss_domain_info *domain,
+                        const char *map,
+                        const char *key,
+                        const char *value,
+-                       struct sysdb_attrs *attrs)
++                       struct sysdb_attrs *attrs,
++                       int cache_timeout,
++                       time_t now)
+ {
+     errno_t ret;
+     TALLOC_CTX *tmp_ctx;
+@@ -307,6 +309,15 @@ sysdb_save_autofsentry(struct sss_domain_info *domain,
+         goto done;
+     }
+ 
++    ret = sysdb_attrs_add_time_t(attrs, SYSDB_CACHE_EXPIRE,
++                                 ((cache_timeout) ?
++                                  (now + cache_timeout) : 0));
++    if (ret) {
++        DEBUG(SSSDBG_OP_FAILURE, "Could not set sysdb cache expire [%d]: %s\n",
++              ret, strerror(ret));
++        goto done;
++    }
++
+     dn = sysdb_autofsentry_dn(tmp_ctx, domain, map, key, value);
+     if (!dn) {
+         ret = ENOMEM;
+diff --git a/src/db/sysdb_autofs.h b/src/db/sysdb_autofs.h
+index d1ef8412e..a3aba726c 100644
+--- a/src/db/sysdb_autofs.h
++++ b/src/db/sysdb_autofs.h
+@@ -58,7 +58,9 @@ sysdb_save_autofsentry(struct sss_domain_info *domain,
+                        const char *map,
+                        const char *key,
+                        const char *value,
+-                       struct sysdb_attrs *attrs);
++                       struct sysdb_attrs *attrs,
++                       int cache_timeout,
++                       time_t now);
+ errno_t
+ sysdb_del_autofsentry(struct sss_domain_info *domain,
+                       const char *entry_dn);
+diff --git a/src/db/sysdb_upgrade.c b/src/db/sysdb_upgrade.c
+index f6a481147..392d04b07 100644
+--- a/src/db/sysdb_upgrade.c
++++ b/src/db/sysdb_upgrade.c
+@@ -1255,7 +1255,7 @@ int sysdb_upgrade_11(struct sysdb_ctx *sysdb, struct sss_domain_info *domain,
+ 
+                 ret = sysdb_save_autofsentry(domain,
+                                              (const char *) val->data,
+-                                             key, value, NULL);
++                                             key, value, NULL, 0, 0);
+                 if (ret != EOK) {
+                     DEBUG(SSSDBG_OP_FAILURE,
+                           "Cannot save autofs entry [%s]-[%s] into map %s\n",
+diff --git a/src/providers/ldap/sdap_async_autofs.c b/src/providers/ldap/sdap_async_autofs.c
+index 8d1742ad1..787283872 100644
+--- a/src/providers/ldap/sdap_async_autofs.c
++++ b/src/providers/ldap/sdap_async_autofs.c
+@@ -86,7 +86,8 @@ static errno_t
+ add_autofs_entry(struct sss_domain_info *domain,
+                  const char *map,
+                  struct sdap_options *opts,
+-                 struct sysdb_attrs *entry)
++                 struct sysdb_attrs *entry,
++                 time_t now)
+ {
+     const char *key;
+     const char *value;
+@@ -103,7 +104,8 @@ add_autofs_entry(struct sss_domain_info *domain,
+         return EINVAL;
+     }
+ 
+-    return sysdb_save_autofsentry(domain, map, key, value, NULL);
++    return sysdb_save_autofsentry(domain, map, key, value, NULL,
++                                  domain->autofsmap_timeout, now);
+ }
+ 
+ static errno_t
+@@ -119,11 +121,14 @@ save_autofs_entries(struct sss_domain_info *domain,
+     int hret;
+     errno_t ret;
+     struct sysdb_attrs *entry;
++    time_t now;
+ 
+     if (!add_dn_list) {
+         return EOK;
+     }
+ 
++    now = time(NULL);
++
+     for (i=0; add_dn_list[i]; i++) {
+         key.type = HASH_KEY_STRING;
+         key.str = (char *) add_dn_list[i];
+@@ -144,7 +149,7 @@ save_autofs_entries(struct sss_domain_info *domain,
+ 
+         DEBUG(SSSDBG_TRACE_FUNC,
+               "Saving autofs entry [%s]\n", add_dn_list[i]);
+-        ret = add_autofs_entry(domain, map, opts, entry);
++        ret = add_autofs_entry(domain, map, opts, entry, now);
+         if (ret) {
+             DEBUG(SSSDBG_MINOR_FAILURE,
+                   "Cannot save entry [%s] to cache\n", add_dn_list[i]);
+diff --git a/src/tests/sysdb-tests.c b/src/tests/sysdb-tests.c
+index 832d60466..23f2bd383 100644
+--- a/src/tests/sysdb-tests.c
++++ b/src/tests/sysdb-tests.c
+@@ -6466,7 +6466,7 @@ START_TEST(test_autofs_store_entry_in_map)
+ 
+         ret = sysdb_save_autofsentry(test_ctx->domain,
+                                      autofsmapname, autofskey,
+-                                     autofsval, NULL);
++                                     autofsval, NULL, 0, 0);
+         fail_if(ret != EOK, "Could not save autofs entry %s", autofskey);
+     }
+ 
+@@ -6521,7 +6521,7 @@ START_TEST(test_autofs_key_duplicate)
+ 
+     ret = sysdb_save_autofsentry(test_ctx->domain,
+                                  autofsmapname, autofskey,
+-                                 autofsval, NULL);
++                                 autofsval, NULL, 0, 0);
+     fail_if(ret != EOK, "Could not save autofs entry %s", autofskey);
+     talloc_free(test_ctx);
+ }
+-- 
+2.20.1
+
diff --git a/SOURCES/0069-sysdb-add-sysdb_get_autofsentry.patch b/SOURCES/0069-sysdb-add-sysdb_get_autofsentry.patch
new file mode 100644
index 0000000..27ca583
--- /dev/null
+++ b/SOURCES/0069-sysdb-add-sysdb_get_autofsentry.patch
@@ -0,0 +1,123 @@
+From 57e33404e0f98d9358e8c31eb2c2f764ee380b13 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
+Date: Tue, 13 Aug 2019 12:59:49 +0200
+Subject: [PATCH 69/90] sysdb: add sysdb_get_autofsentry
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Resolves:
+https://pagure.io/SSSD/sssd/issue/2607
+
+Reviewed-by: Tomáš Halman <thalman@redhat.com>
+---
+ src/db/sysdb_autofs.c | 73 +++++++++++++++++++++++++++++++++++++++++++
+ src/db/sysdb_autofs.h |  8 +++++
+ 2 files changed, 81 insertions(+)
+
+diff --git a/src/db/sysdb_autofs.c b/src/db/sysdb_autofs.c
+index c92a51658..f5186451e 100644
+--- a/src/db/sysdb_autofs.c
++++ b/src/db/sysdb_autofs.c
+@@ -341,6 +341,79 @@ done:
+     return ret;
+ }
+ 
++errno_t
++sysdb_get_autofsentry(TALLOC_CTX *mem_ctx,
++                      struct sss_domain_info *domain,
++                      const char *map_name,
++                      const char *entry_name,
++                      struct ldb_message **_entry)
++{
++    TALLOC_CTX *tmp_ctx;
++    char *safe_entryname;
++    char *filter;
++    struct ldb_dn *mapdn;
++    size_t count;
++    struct ldb_message **msgs;
++    errno_t ret;
++    const char *attrs[] = { SYSDB_AUTOFS_ENTRY_KEY,
++                            SYSDB_AUTOFS_ENTRY_VALUE,
++                            SYSDB_CACHE_EXPIRE,
++                            NULL };
++
++    tmp_ctx = talloc_new(NULL);
++    if (tmp_ctx == NULL) {
++        DEBUG(SSSDBG_FATAL_FAILURE, "Out of memory!\n");
++        return ENOMEM;
++    }
++
++    ret = sss_filter_sanitize(tmp_ctx, entry_name, &safe_entryname);
++    if (ret != EOK) {
++        DEBUG(SSSDBG_CRIT_FAILURE,
++              "Cannot sanitize map [%s] error [%d]: %s\n",
++               map_name, ret, strerror(ret));
++        goto done;
++    }
++
++    filter = talloc_asprintf(tmp_ctx, "(&(objectclass=%s)(%s=%s))",
++                             SYSDB_AUTOFS_ENTRY_OC, SYSDB_AUTOFS_ENTRY_KEY,
++                             safe_entryname);
++    if (filter == NULL) {
++        ret = ENOMEM;
++        goto done;
++    }
++
++    mapdn = sysdb_autofsmap_dn(tmp_ctx, domain, map_name);
++    if (!mapdn) {
++        ret = ENOMEM;
++        goto done;
++    }
++
++    ret = sysdb_search_entry(tmp_ctx, domain->sysdb, mapdn, LDB_SCOPE_SUBTREE,
++                             filter, attrs, &count, &msgs);
++    if (ret == ENOENT) {
++        goto done;
++    } else if (ret != EOK) {
++        DEBUG(SSSDBG_OP_FAILURE, "sysdb search failed: %d\n", ret);
++        goto done;
++    }
++
++    if (count != 1) {
++        DEBUG(SSSDBG_CRIT_FAILURE, "More than one entry %s:%s found\n",
++              map_name, entry_name);
++        ret = ERR_INTERNAL;
++        goto done;
++    }
++
++    *_entry = talloc_steal(mem_ctx, msgs[0]);
++
++    ret = EOK;
++
++done:
++    talloc_free(tmp_ctx);
++
++    return ret;
++}
++
+ errno_t
+ sysdb_del_autofsentry(struct sss_domain_info *domain,
+                       const char *entry_dn)
+diff --git a/src/db/sysdb_autofs.h b/src/db/sysdb_autofs.h
+index a3aba726c..0cbe6ddbf 100644
+--- a/src/db/sysdb_autofs.h
++++ b/src/db/sysdb_autofs.h
+@@ -61,6 +61,14 @@ sysdb_save_autofsentry(struct sss_domain_info *domain,
+                        struct sysdb_attrs *attrs,
+                        int cache_timeout,
+                        time_t now);
++
++errno_t
++sysdb_get_autofsentry(TALLOC_CTX *mem_ctx,
++                      struct sss_domain_info *domain,
++                      const char *map_name,
++                      const char *entry_name,
++                      struct ldb_message **_entry);
++
+ errno_t
+ sysdb_del_autofsentry(struct sss_domain_info *domain,
+                       const char *entry_dn);
+-- 
+2.20.1
+
diff --git a/SOURCES/0070-sysdb-add-enumerationExpireTimestamp.patch b/SOURCES/0070-sysdb-add-enumerationExpireTimestamp.patch
new file mode 100644
index 0000000..933eab4
--- /dev/null
+++ b/SOURCES/0070-sysdb-add-enumerationExpireTimestamp.patch
@@ -0,0 +1,31 @@
+From c366050029983969cbaf3795f05115893f7617e9 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
+Date: Wed, 14 Aug 2019 11:37:10 +0200
+Subject: [PATCH 70/90] sysdb: add enumerationExpireTimestamp
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Resolves:
+https://pagure.io/SSSD/sssd/issue/2607
+
+Reviewed-by: Tomáš Halman <thalman@redhat.com>
+---
+ src/db/sysdb.h | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/src/db/sysdb.h b/src/db/sysdb.h
+index dfd91f6b8..0a7e7c4f8 100644
+--- a/src/db/sysdb.h
++++ b/src/db/sysdb.h
+@@ -98,6 +98,7 @@
+ #define SYSDB_LAST_UPDATE "lastUpdate"
+ #define SYSDB_CACHE_EXPIRE "dataExpireTimestamp"
+ #define SYSDB_INITGR_EXPIRE "initgrExpireTimestamp"
++#define SYSDB_ENUM_EXPIRE "enumerationExpireTimestamp"
+ #define SYSDB_IFP_CACHED "ifpCached"
+ 
+ #define SYSDB_AUTHORIZED_SERVICE "authorizedService"
+-- 
+2.20.1
+
diff --git a/SOURCES/0071-sysdb-store-enumeration-expiration-time-in-autofs-ma.patch b/SOURCES/0071-sysdb-store-enumeration-expiration-time-in-autofs-ma.patch
new file mode 100644
index 0000000..9bd8c98
--- /dev/null
+++ b/SOURCES/0071-sysdb-store-enumeration-expiration-time-in-autofs-ma.patch
@@ -0,0 +1,139 @@
+From 11ffb775d725172a4247a9826cadecb872c7d0dc Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
+Date: Wed, 14 Aug 2019 12:29:56 +0200
+Subject: [PATCH 71/90] sysdb: store enumeration expiration time in autofs map
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+We need to distinguish between 'object expired' when we need
+to obtain only the map entry and 'enumeration expired' when
+we need to enumerated the map entry.
+
+Resolves:
+https://pagure.io/SSSD/sssd/issue/2607
+
+Reviewed-by: Tomáš Halman <thalman@redhat.com>
+---
+ src/db/sysdb_autofs.c                  | 22 ++++++++++++++++++----
+ src/db/sysdb_autofs.h                  |  3 ++-
+ src/providers/ldap/sdap_async_autofs.c |  7 ++++---
+ src/tests/sysdb-tests.c                |  2 +-
+ 4 files changed, 25 insertions(+), 9 deletions(-)
+
+diff --git a/src/db/sysdb_autofs.c b/src/db/sysdb_autofs.c
+index f5186451e..dc1ea5586 100644
+--- a/src/db/sysdb_autofs.c
++++ b/src/db/sysdb_autofs.c
+@@ -101,8 +101,10 @@ sysdb_save_autofsmap(struct sss_domain_info *domain,
+                      const char *autofsmapname,
+                      struct sysdb_attrs *attrs,
+                      int cache_timeout,
+-                     time_t now)
++                     time_t now,
++                     bool enumerated)
+ {
++    time_t expiration = cache_timeout ? now + cache_timeout : 0;
+     errno_t ret;
+     TALLOC_CTX *tmp_ctx;
+ 
+@@ -150,15 +152,22 @@ sysdb_save_autofsmap(struct sss_domain_info *domain,
+         goto done;
+     }
+ 
+-    ret = sysdb_attrs_add_time_t(attrs, SYSDB_CACHE_EXPIRE,
+-                                 ((cache_timeout) ?
+-                                  (now + cache_timeout) : 0));
++    ret = sysdb_attrs_add_time_t(attrs, SYSDB_CACHE_EXPIRE, expiration);
+     if (ret) {
+         DEBUG(SSSDBG_OP_FAILURE, "Could not set sysdb cache expire [%d]: %s\n",
+               ret, strerror(ret));
+         goto done;
+     }
+ 
++    if (enumerated) {
++        ret = sysdb_attrs_add_time_t(attrs, SYSDB_ENUM_EXPIRE, expiration);
++        if (ret) {
++            DEBUG(SSSDBG_OP_FAILURE, "Could not set sysdb enum expire [%d]: %s\n",
++                  ret, strerror(ret));
++            goto done;
++        }
++    }
++
+     ret = sysdb_store_custom(domain, name, AUTOFS_MAP_SUBDIR, attrs);
+     if (ret != EOK) {
+         DEBUG(SSSDBG_OP_FAILURE, "sysdb_store_custom failed [%d]: %s\n",
+@@ -569,6 +578,11 @@ sysdb_invalidate_autofs_maps(struct sss_domain_info *domain)
+         goto done;
+     }
+ 
++    ret = sysdb_attrs_add_time_t(sys_attrs, SYSDB_ENUM_EXPIRE, 1);
++    if (ret != EOK) {
++        goto done;
++    }
++
+     ret = sysdb_transaction_start(domain->sysdb);
+     if (ret != EOK) {
+         DEBUG(SSSDBG_CRIT_FAILURE, "Failed to start transaction\n");
+diff --git a/src/db/sysdb_autofs.h b/src/db/sysdb_autofs.h
+index 0cbe6ddbf..7170334c6 100644
+--- a/src/db/sysdb_autofs.h
++++ b/src/db/sysdb_autofs.h
+@@ -41,7 +41,8 @@ sysdb_save_autofsmap(struct sss_domain_info *domain,
+                      const char *autofsmapname,
+                      struct sysdb_attrs *attrs,
+                      int cache_timeout,
+-                     time_t now);
++                     time_t now,
++                     bool enumerated);
+ 
+ errno_t
+ sysdb_get_map_byname(TALLOC_CTX *mem_ctx,
+diff --git a/src/providers/ldap/sdap_async_autofs.c b/src/providers/ldap/sdap_async_autofs.c
+index 787283872..453e95f7b 100644
+--- a/src/providers/ldap/sdap_async_autofs.c
++++ b/src/providers/ldap/sdap_async_autofs.c
+@@ -189,7 +189,8 @@ del_autofs_entries(struct sss_domain_info *dom,
+ static errno_t
+ save_autofs_map(struct sss_domain_info *dom,
+                 struct sdap_options *opts,
+-                struct sysdb_attrs *map)
++                struct sysdb_attrs *map,
++                bool enumerated)
+ {
+     const char *mapname;
+     errno_t ret;
+@@ -201,7 +202,7 @@ save_autofs_map(struct sss_domain_info *dom,
+     now = time(NULL);
+ 
+     ret = sysdb_save_autofsmap(dom, mapname, mapname,
+-                               NULL, dom->autofsmap_timeout, now);
++                               NULL, dom->autofsmap_timeout, now, enumerated);
+     if (ret != EOK) {
+         return ret;
+     }
+@@ -898,7 +899,7 @@ sdap_autofs_setautomntent_save(struct tevent_req *req)
+     in_transaction = true;
+ 
+     /* Save the map itself */
+-    ret = save_autofs_map(state->dom, state->opts, state->map);
++    ret = save_autofs_map(state->dom, state->opts, state->map, true);
+     if (ret != EOK) {
+         DEBUG(SSSDBG_OP_FAILURE,
+              "Cannot save autofs map entry [%d]: %s\n",
+diff --git a/src/tests/sysdb-tests.c b/src/tests/sysdb-tests.c
+index 23f2bd383..108ef8943 100644
+--- a/src/tests/sysdb-tests.c
++++ b/src/tests/sysdb-tests.c
+@@ -6374,7 +6374,7 @@ START_TEST(test_autofs_create_map)
+     fail_if(autofsmapname == NULL, "Out of memory\n");
+ 
+     ret = sysdb_save_autofsmap(test_ctx->domain, autofsmapname,
+-                               autofsmapname, NULL, 0, 0);
++                               autofsmapname, NULL, 0, 0, false);
+     fail_if(ret != EOK, "Could not store autofs map %s", autofsmapname);
+     talloc_free(test_ctx);
+ }
+-- 
+2.20.1
+
diff --git a/SOURCES/0072-sysdb-store-original-dn-in-autofs-map.patch b/SOURCES/0072-sysdb-store-original-dn-in-autofs-map.patch
new file mode 100644
index 0000000..294eccc
--- /dev/null
+++ b/SOURCES/0072-sysdb-store-original-dn-in-autofs-map.patch
@@ -0,0 +1,124 @@
+From efe44597a3f1181fe60771c0efbfcab54585dc42 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
+Date: Thu, 15 Aug 2019 14:20:26 +0200
+Subject: [PATCH 72/90] sysdb: store original dn in autofs map
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+This will be used later when fetching single entry.
+
+Resolves:
+https://pagure.io/SSSD/sssd/issue/2607
+
+Reviewed-by: Tomáš Halman <thalman@redhat.com>
+---
+ src/db/sysdb_autofs.c                  |  9 +++++++++
+ src/db/sysdb_autofs.h                  |  1 +
+ src/providers/ldap/sdap_async_autofs.c | 10 +++++++++-
+ src/tests/sysdb-tests.c                |  6 +++++-
+ 4 files changed, 24 insertions(+), 2 deletions(-)
+
+diff --git a/src/db/sysdb_autofs.c b/src/db/sysdb_autofs.c
+index dc1ea5586..971abafa3 100644
+--- a/src/db/sysdb_autofs.c
++++ b/src/db/sysdb_autofs.c
+@@ -99,6 +99,7 @@ errno_t
+ sysdb_save_autofsmap(struct sss_domain_info *domain,
+                      const char *name,
+                      const char *autofsmapname,
++                     const char *origdn,
+                      struct sysdb_attrs *attrs,
+                      int cache_timeout,
+                      time_t now,
+@@ -138,6 +139,13 @@ sysdb_save_autofsmap(struct sss_domain_info *domain,
+         goto done;
+     }
+ 
++    ret = sysdb_attrs_add_string(attrs, SYSDB_ORIG_DN, origdn);
++    if (ret != EOK) {
++        DEBUG(SSSDBG_OP_FAILURE, "Could not set origdn [%d]: %s\n",
++              ret, strerror(ret));
++        goto done;
++    }
++
+     ret = sysdb_attrs_add_string(attrs, SYSDB_NAME, name);
+     if (ret != EOK) {
+         DEBUG(SSSDBG_OP_FAILURE, "Could not set name attribute [%d]: %s\n",
+@@ -202,6 +210,7 @@ sysdb_get_map_byname(TALLOC_CTX *mem_ctx,
+     size_t count;
+     struct ldb_message **msgs;
+     const char *attrs[] = { SYSDB_OBJECTCLASS,
++                            SYSDB_ORIG_DN,
+                             SYSDB_CACHE_EXPIRE,
+                             SYSDB_LAST_UPDATE,
+                             SYSDB_AUTOFS_MAP_NAME,
+diff --git a/src/db/sysdb_autofs.h b/src/db/sysdb_autofs.h
+index 7170334c6..79ecbd94e 100644
+--- a/src/db/sysdb_autofs.h
++++ b/src/db/sysdb_autofs.h
+@@ -39,6 +39,7 @@ errno_t
+ sysdb_save_autofsmap(struct sss_domain_info *domain,
+                      const char *name,
+                      const char *autofsmapname,
++                     const char *origdn,
+                      struct sysdb_attrs *attrs,
+                      int cache_timeout,
+                      time_t now,
+diff --git a/src/providers/ldap/sdap_async_autofs.c b/src/providers/ldap/sdap_async_autofs.c
+index 453e95f7b..7548d4a67 100644
+--- a/src/providers/ldap/sdap_async_autofs.c
++++ b/src/providers/ldap/sdap_async_autofs.c
+@@ -193,15 +193,23 @@ save_autofs_map(struct sss_domain_info *dom,
+                 bool enumerated)
+ {
+     const char *mapname;
++    const char *origdn;
+     errno_t ret;
+     time_t now;
+ 
+     mapname = get_autofs_map_name(map, opts);
+     if (!mapname) return EINVAL;
+ 
++    ret = sysdb_attrs_get_string(map, SYSDB_ORIG_DN, &origdn);
++    if (ret != EOK) {
++        DEBUG(SSSDBG_CRIT_FAILURE, "Unable to get original dn [%d]: %s\n",
++              ret, sss_strerror(ret));
++        return ret;
++    }
++
+     now = time(NULL);
+ 
+-    ret = sysdb_save_autofsmap(dom, mapname, mapname,
++    ret = sysdb_save_autofsmap(dom, mapname, mapname, origdn,
+                                NULL, dom->autofsmap_timeout, now, enumerated);
+     if (ret != EOK) {
+         return ret;
+diff --git a/src/tests/sysdb-tests.c b/src/tests/sysdb-tests.c
+index 108ef8943..22460d9db 100644
+--- a/src/tests/sysdb-tests.c
++++ b/src/tests/sysdb-tests.c
+@@ -6365,6 +6365,7 @@ START_TEST(test_autofs_create_map)
+ {
+     struct sysdb_test_ctx *test_ctx;
+     const char *autofsmapname;
++    const char *origdn;
+     errno_t ret;
+ 
+     ret = setup_sysdb_tests(&test_ctx);
+@@ -6373,8 +6374,11 @@ START_TEST(test_autofs_create_map)
+     autofsmapname = talloc_asprintf(test_ctx, "testmap%d", _i);
+     fail_if(autofsmapname == NULL, "Out of memory\n");
+ 
++    origdn = talloc_asprintf(test_ctx, "cn=testmap%d,dc=test", _i);
++    fail_if(origdn == NULL, "Out of memory\n");
++
+     ret = sysdb_save_autofsmap(test_ctx->domain, autofsmapname,
+-                               autofsmapname, NULL, 0, 0, false);
++                               autofsmapname, origdn, NULL, 0, 0, false);
+     fail_if(ret != EOK, "Could not store autofs map %s", autofsmapname);
+     talloc_free(test_ctx);
+ }
+-- 
+2.20.1
+
diff --git a/SOURCES/0073-sysdb-add-sysdb_del_autofsentry_by_key.patch b/SOURCES/0073-sysdb-add-sysdb_del_autofsentry_by_key.patch
new file mode 100644
index 0000000..894ff88
--- /dev/null
+++ b/SOURCES/0073-sysdb-add-sysdb_del_autofsentry_by_key.patch
@@ -0,0 +1,69 @@
+From 49b5baf0e6ef978d971427160677c2c95e89c418 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
+Date: Thu, 15 Aug 2019 13:50:17 +0200
+Subject: [PATCH 73/90] sysdb: add sysdb_del_autofsentry_by_key
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Resolves:
+https://pagure.io/SSSD/sssd/issue/2607
+
+Reviewed-by: Tomáš Halman <thalman@redhat.com>
+---
+ src/db/sysdb_autofs.c | 22 ++++++++++++++++++++++
+ src/db/sysdb_autofs.h |  5 +++++
+ 2 files changed, 27 insertions(+)
+
+diff --git a/src/db/sysdb_autofs.c b/src/db/sysdb_autofs.c
+index 971abafa3..11841d50d 100644
+--- a/src/db/sysdb_autofs.c
++++ b/src/db/sysdb_autofs.c
+@@ -449,6 +449,28 @@ sysdb_del_autofsentry(struct sss_domain_info *domain,
+     return ret;
+ }
+ 
++errno_t
++sysdb_del_autofsentry_by_key(struct sss_domain_info *domain,
++                             const char *map_name,
++                             const char *entry_key)
++{
++    struct ldb_message *entry;
++    errno_t ret;
++
++    ret = sysdb_get_autofsentry(NULL, domain, map_name, entry_key, &entry);
++    if (ret == ENOENT) {
++        return EOK;
++    } else if (ret != EOK) {
++        DEBUG(SSSDBG_OP_FAILURE, "Unable to get autofs entry [%d]: %s\n",
++              ret, sss_strerror(ret));
++        return ret;
++    }
++
++    ret = sysdb_delete_entry(domain->sysdb, entry->dn, true);
++    talloc_free(entry);
++    return ret;
++}
++
+ errno_t
+ sysdb_autofs_entries_by_map(TALLOC_CTX *mem_ctx,
+                             struct sss_domain_info *domain,
+diff --git a/src/db/sysdb_autofs.h b/src/db/sysdb_autofs.h
+index 79ecbd94e..3775e2a17 100644
+--- a/src/db/sysdb_autofs.h
++++ b/src/db/sysdb_autofs.h
+@@ -75,6 +75,11 @@ errno_t
+ sysdb_del_autofsentry(struct sss_domain_info *domain,
+                       const char *entry_dn);
+ 
++errno_t
++sysdb_del_autofsentry_by_key(struct sss_domain_info *domain,
++                             const char *map_name,
++                             const char *entry_key);
++
+ errno_t
+ sysdb_autofs_entries_by_map(TALLOC_CTX *mem_ctx,
+                             struct sss_domain_info *domain,
+-- 
+2.20.1
+
diff --git a/SOURCES/0074-autofs-move-data-provider-functions-to-responder-com.patch b/SOURCES/0074-autofs-move-data-provider-functions-to-responder-com.patch
new file mode 100644
index 0000000..db1a92f
--- /dev/null
+++ b/SOURCES/0074-autofs-move-data-provider-functions-to-responder-com.patch
@@ -0,0 +1,125 @@
+From 4665606235605b1d5d1ec7462257aaa86aa3d7b1 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
+Date: Wed, 28 Aug 2019 11:47:07 +0200
+Subject: [PATCH 74/90] autofs: move data provider functions to responder
+ common code
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+So it can be later used from cache_req.
+
+Resolves:
+https://pagure.io/SSSD/sssd/issue/2607
+
+Reviewed-by: Tomáš Halman <thalman@redhat.com>
+---
+ Makefile.am                                   |  2 +-
+ src/responder/common/responder.h              | 19 +++++++++++
+ .../responder_dp_autofs.c}                    |  0
+ src/tests/cmocka/common_mock_resp_dp.c        | 34 +++++++++++++++++++
+ 4 files changed, 54 insertions(+), 1 deletion(-)
+ rename src/responder/{autofs/autofssrv_dp.c => common/responder_dp_autofs.c} (100%)
+
+diff --git a/Makefile.am b/Makefile.am
+index e74de422d..c109afe56 100644
+--- a/Makefile.am
++++ b/Makefile.am
+@@ -576,6 +576,7 @@ SSSD_RESPONDER_OBJ = \
+     src/responder/common/responder_common.c \
+     src/responder/common/responder_dp.c \
+     src/responder/common/responder_dp_ssh.c \
++    src/responder/common/responder_dp_autofs.c \
+     src/responder/common/responder_packet.c \
+     src/responder/common/responder_get_domains.c \
+     src/responder/common/responder_utils.c \
+@@ -1434,7 +1435,6 @@ if BUILD_AUTOFS
+ sssd_autofs_SOURCES = \
+     src/responder/autofs/autofssrv.c \
+     src/responder/autofs/autofssrv_cmd.c \
+-    src/responder/autofs/autofssrv_dp.c \
+     $(SSSD_RESPONDER_OBJ)
+ sssd_autofs_LDADD = \
+     $(LIBADD_DL) \
+diff --git a/src/responder/common/responder.h b/src/responder/common/responder.h
+index 987a5d17d..17b04c3de 100644
+--- a/src/responder/common/responder.h
++++ b/src/responder/common/responder.h
+@@ -363,6 +363,25 @@ sss_dp_get_ssh_host_recv(TALLOC_CTX *mem_ctx,
+                          dbus_uint32_t *dp_ret,
+                          char **err_msg);
+ 
++enum sss_dp_autofs_type {
++    SSS_DP_AUTOFS
++};
++
++struct tevent_req *
++sss_dp_get_autofs_send(TALLOC_CTX *mem_ctx,
++                       struct resp_ctx *rctx,
++                       struct sss_domain_info *dom,
++                       bool fast_reply,
++                       enum sss_dp_autofs_type type,
++                       const char *name);
++
++errno_t
++sss_dp_get_autofs_recv(TALLOC_CTX *mem_ctx,
++                       struct tevent_req *req,
++                       dbus_uint16_t *dp_err,
++                       dbus_uint32_t *dp_ret,
++                       char **err_msg);
++
+ bool sss_utf8_check(const uint8_t *s, size_t n);
+ 
+ void responder_set_fd_limit(rlim_t fd_limit);
+diff --git a/src/responder/autofs/autofssrv_dp.c b/src/responder/common/responder_dp_autofs.c
+similarity index 100%
+rename from src/responder/autofs/autofssrv_dp.c
+rename to src/responder/common/responder_dp_autofs.c
+diff --git a/src/tests/cmocka/common_mock_resp_dp.c b/src/tests/cmocka/common_mock_resp_dp.c
+index a85257515..93e507100 100644
+--- a/src/tests/cmocka/common_mock_resp_dp.c
++++ b/src/tests/cmocka/common_mock_resp_dp.c
+@@ -95,6 +95,40 @@ sss_dp_get_ssh_host_recv(TALLOC_CTX *mem_ctx,
+     return test_request_recv(req);
+ }
+ 
++struct tevent_req *
++sss_dp_get_autofs_send(TALLOC_CTX *mem_ctx,
++                       struct resp_ctx *rctx,
++                       struct sss_domain_info *dom,
++                       bool fast_reply,
++                       enum sss_dp_autofs_type type,
++                       const char *mapname,
++                       const char *entryname)
++{
++    return test_req_succeed_send(mem_ctx, rctx->ev);
++}
++
++
++errno_t
++sss_dp_get_autofs_recv(TALLOC_CTX *mem_ctx,
++                       struct tevent_req *req,
++                       dbus_uint16_t *dp_err,
++                       dbus_uint32_t *dp_ret,
++                       char **err_msg)
++{
++    acct_cb_t cb;
++
++    *dp_err = sss_mock_type(dbus_uint16_t);
++    *dp_ret = sss_mock_type(dbus_uint32_t);
++    *err_msg = sss_mock_ptr_type(char *);
++
++    cb = sss_mock_ptr_type(acct_cb_t);
++    if (cb) {
++        (cb)(sss_mock_ptr_type(void *));
++    }
++
++    return test_request_recv(req);
++}
++
+ errno_t
+ sss_dp_req_recv(TALLOC_CTX *mem_ctx,
+                 struct tevent_req *req,
+-- 
+2.20.1
+
diff --git a/SOURCES/0075-cache_req-add-autofs-map-entries-plugin.patch b/SOURCES/0075-cache_req-add-autofs-map-entries-plugin.patch
new file mode 100644
index 0000000..a8a1121
--- /dev/null
+++ b/SOURCES/0075-cache_req-add-autofs-map-entries-plugin.patch
@@ -0,0 +1,278 @@
+From 01b7dc92180cf80080f657b80f72cec20eafa0e7 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
+Date: Tue, 13 Aug 2019 13:31:21 +0200
+Subject: [PATCH 75/90] cache_req: add autofs map entries plugin
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Resolves:
+https://pagure.io/SSSD/sssd/issue/2607
+
+Reviewed-by: Tomáš Halman <thalman@redhat.com>
+---
+ Makefile.am                                   |   1 +
+ src/responder/common/cache_req/cache_req.c    |   2 +
+ src/responder/common/cache_req/cache_req.h    |  14 ++
+ .../common/cache_req/cache_req_data.c         |   1 +
+ .../common/cache_req/cache_req_plugin.h       |   1 +
+ .../plugins/cache_req_autofs_map_entries.c    | 156 ++++++++++++++++++
+ src/tests/cwrap/Makefile.am                   |   1 +
+ 7 files changed, 176 insertions(+)
+ create mode 100644 src/responder/common/cache_req/plugins/cache_req_autofs_map_entries.c
+
+diff --git a/Makefile.am b/Makefile.am
+index c109afe56..879f38311 100644
+--- a/Makefile.am
++++ b/Makefile.am
+@@ -559,6 +559,7 @@ SSSD_CACHE_REQ_OBJ = \
+ 	src/responder/common/cache_req/plugins/cache_req_svc_by_port.c \
+ 	src/responder/common/cache_req/plugins/cache_req_netgroup_by_name.c \
+ 	src/responder/common/cache_req/plugins/cache_req_host_by_name.c \
++	src/responder/common/cache_req/plugins/cache_req_autofs_map_entries.c \
+ 	$(NULL)
+ 
+ SSSD_RESPONDER_IFACE_OBJ = \
+diff --git a/src/responder/common/cache_req/cache_req.c b/src/responder/common/cache_req/cache_req.c
+index 28b563392..2ce9deca0 100644
+--- a/src/responder/common/cache_req/cache_req.c
++++ b/src/responder/common/cache_req/cache_req.c
+@@ -60,6 +60,8 @@ cache_req_get_plugin(enum cache_req_type type)
+         &cache_req_netgroup_by_name,
+ 
+         &cache_req_host_by_name,
++
++        &cache_req_autofs_map_entries,
+     };
+ 
+     if (type >= CACHE_REQ_SENTINEL) {
+diff --git a/src/responder/common/cache_req/cache_req.h b/src/responder/common/cache_req/cache_req.h
+index 84dd22c25..0c214a483 100644
+--- a/src/responder/common/cache_req/cache_req.h
++++ b/src/responder/common/cache_req/cache_req.h
+@@ -54,6 +54,8 @@ enum cache_req_type {
+ 
+     CACHE_REQ_HOST_BY_NAME,
+ 
++    CACHE_REQ_AUTOFS_MAP_ENTRIES,
++
+     CACHE_REQ_SENTINEL
+ };
+ 
+@@ -430,4 +432,16 @@ cache_req_host_by_name_send(TALLOC_CTX *mem_ctx,
+ #define cache_req_host_by_name_recv(mem_ctx, req, _result) \
+     cache_req_single_domain_recv(mem_ctx, req, _result)
+ 
++struct tevent_req *
++cache_req_autofs_map_entries_send(TALLOC_CTX *mem_ctx,
++                                  struct tevent_context *ev,
++                                  struct resp_ctx *rctx,
++                                  struct sss_nc_ctx *ncache,
++                                  int cache_refresh_percent,
++                                  const char *domain,
++                                  const char *name);
++
++#define cache_req_autofs_map_entries_recv(mem_ctx, req, _result) \
++    cache_req_single_domain_recv(mem_ctx, req, _result)
++
+ #endif /* _CACHE_REQ_H_ */
+diff --git a/src/responder/common/cache_req/cache_req_data.c b/src/responder/common/cache_req/cache_req_data.c
+index 77959f9fe..20d73ebfd 100644
+--- a/src/responder/common/cache_req/cache_req_data.c
++++ b/src/responder/common/cache_req/cache_req_data.c
+@@ -93,6 +93,7 @@ cache_req_data_create(TALLOC_CTX *mem_ctx,
+     case CACHE_REQ_INITGROUPS_BY_UPN:
+     case CACHE_REQ_NETGROUP_BY_NAME:
+     case CACHE_REQ_OBJECT_BY_NAME:
++    case CACHE_REQ_AUTOFS_MAP_ENTRIES:
+         if (input->name.input == NULL) {
+             DEBUG(SSSDBG_CRIT_FAILURE, "Bug: name cannot be NULL!\n");
+             ret = ERR_INTERNAL;
+diff --git a/src/responder/common/cache_req/cache_req_plugin.h b/src/responder/common/cache_req/cache_req_plugin.h
+index d547c9bf3..1071cd889 100644
+--- a/src/responder/common/cache_req/cache_req_plugin.h
++++ b/src/responder/common/cache_req/cache_req_plugin.h
+@@ -314,5 +314,6 @@ extern const struct cache_req_plugin cache_req_svc_by_name;
+ extern const struct cache_req_plugin cache_req_svc_by_port;
+ extern const struct cache_req_plugin cache_req_netgroup_by_name;
+ extern const struct cache_req_plugin cache_req_host_by_name;
++extern const struct cache_req_plugin cache_req_autofs_map_entries;
+ 
+ #endif /* _CACHE_REQ_PLUGIN_H_ */
+diff --git a/src/responder/common/cache_req/plugins/cache_req_autofs_map_entries.c b/src/responder/common/cache_req/plugins/cache_req_autofs_map_entries.c
+new file mode 100644
+index 000000000..73d2b3cf2
+--- /dev/null
++++ b/src/responder/common/cache_req/plugins/cache_req_autofs_map_entries.c
+@@ -0,0 +1,156 @@
++/*
++    Authors:
++        Pavel Březina <pbrezina@redhat.com>
++
++    Copyright (C) 2019 Red Hat
++
++    This program is free software; you can redistribute it and/or modify
++    it under the terms of the GNU General Public License as published by
++    the Free Software Foundation; either version 3 of the License, or
++    (at your option) any later version.
++
++    This program is distributed in the hope that it will be useful,
++    but WITHOUT ANY WARRANTY; without even the implied warranty of
++    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
++    GNU General Public License for more details.
++
++    You should have received a copy of the GNU General Public License
++    along with this program.  If not, see <http://www.gnu.org/licenses/>.
++*/
++
++#include <talloc.h>
++#include <ldb.h>
++
++#include "db/sysdb.h"
++#include "db/sysdb_autofs.h"
++#include "util/util.h"
++#include "providers/data_provider.h"
++#include "responder/common/cache_req/cache_req_plugin.h"
++
++static const char *
++cache_req_autofs_map_entries_create_debug_name(TALLOC_CTX *mem_ctx,
++                                               struct cache_req_data *data,
++                                               struct sss_domain_info *domain)
++{
++    return talloc_strdup(mem_ctx, data->name.name);
++}
++
++static errno_t
++cache_req_autofs_map_entries_lookup(TALLOC_CTX *mem_ctx,
++                                    struct cache_req *cr,
++                                    struct cache_req_data *data,
++                                    struct sss_domain_info *domain,
++                                    struct ldb_result **_result)
++{
++    TALLOC_CTX *tmp_ctx;
++    struct ldb_message *map;
++    struct ldb_message **mounts;
++    struct ldb_message **msgs;
++    struct ldb_result *result;
++    size_t count;
++    size_t i;
++    errno_t ret;
++
++    tmp_ctx = talloc_new(NULL);
++    if (tmp_ctx == NULL) {
++        return ENOMEM;
++    }
++
++    ret = sysdb_get_map_byname(tmp_ctx, domain, data->name.name, &map);
++    if (ret != EOK) {
++        goto done;
++    }
++
++    ret = sysdb_autofs_entries_by_map(tmp_ctx, domain, data->name.name,
++                                      &count, &mounts);
++    if (ret != EOK && ret != ENOENT) {
++        goto done;
++    }
++
++    msgs = talloc_zero_array(tmp_ctx, struct ldb_message *, count + 1);
++    if (msgs == NULL) {
++        ret = ENOMEM;
++        goto done;
++    }
++
++    msgs[0] = talloc_steal(msgs, map);
++    for (i = 0; i < count; i++) {
++        msgs[i + 1] = talloc_steal(msgs, mounts[i]);
++    }
++
++    result = cache_req_create_ldb_result_from_msg_list(tmp_ctx, msgs, count + 1);
++    if (result == NULL) {
++        ret = ENOMEM;
++        goto done;
++    }
++
++    *_result = talloc_steal(mem_ctx, result);
++    ret = EOK;
++
++done:
++    talloc_free(tmp_ctx);
++
++    return ret;
++}
++
++static struct tevent_req *
++cache_req_autofs_map_entries_dp_send(TALLOC_CTX *mem_ctx,
++                                     struct cache_req *cr,
++                                     struct cache_req_data *data,
++                                     struct sss_domain_info *domain,
++                                     struct ldb_result *result)
++{
++    return sss_dp_get_autofs_send(mem_ctx, cr->rctx, domain, true,
++                                  SSS_DP_AUTOFS, data->name.name);
++}
++
++const struct cache_req_plugin cache_req_autofs_map_entries = {
++    .name = "Get autofs entries",
++    .attr_expiration = SYSDB_ENUM_EXPIRE,
++    .parse_name = true,
++    .ignore_default_domain = true,
++    .bypass_cache = false,
++    .only_one_result = false,
++    .search_all_domains = false,
++    .require_enumeration = false,
++    .allow_missing_fqn = true,
++    .allow_switch_to_upn = false,
++    .upn_equivalent = CACHE_REQ_SENTINEL,
++    .get_next_domain_flags = 0,
++
++    .is_well_known_fn = NULL,
++    .prepare_domain_data_fn = NULL,
++    .create_debug_name_fn = cache_req_autofs_map_entries_create_debug_name,
++    .global_ncache_add_fn = NULL,
++    .ncache_check_fn = NULL,
++    .ncache_add_fn = NULL,
++    .ncache_filter_fn = NULL,
++    .lookup_fn = cache_req_autofs_map_entries_lookup,
++    .dp_send_fn = cache_req_autofs_map_entries_dp_send,
++    .dp_recv_fn = cache_req_common_dp_recv,
++    .dp_get_domain_check_fn = NULL,
++    .dp_get_domain_send_fn = NULL,
++    .dp_get_domain_recv_fn = NULL,
++};
++
++struct tevent_req *
++cache_req_autofs_map_entries_send(TALLOC_CTX *mem_ctx,
++                                  struct tevent_context *ev,
++                                  struct resp_ctx *rctx,
++                                  struct sss_nc_ctx *ncache,
++                                  int cache_refresh_percent,
++                                  const char *domain,
++                                  const char *name)
++{
++    struct cache_req_data *data;
++
++    data = cache_req_data_name(mem_ctx, CACHE_REQ_AUTOFS_MAP_ENTRIES, name);
++    if (data == NULL) {
++        return NULL;
++    }
++
++    return cache_req_steal_data_and_send(mem_ctx, ev, rctx, ncache,
++                                         cache_refresh_percent,
++                                         CACHE_REQ_POSIX_DOM, domain,
++                                         data);
++}
+diff --git a/src/tests/cwrap/Makefile.am b/src/tests/cwrap/Makefile.am
+index 1edefc678..dfaf3f770 100644
+--- a/src/tests/cwrap/Makefile.am
++++ b/src/tests/cwrap/Makefile.am
+@@ -64,6 +64,7 @@ SSSD_CACHE_REQ_OBJ = \
+     ../../../src/responder/common/cache_req/plugins/cache_req_svc_by_port.c \
+     ../../../src/responder/common/cache_req/plugins/cache_req_netgroup_by_name.c \
+     ../../../src/responder/common/cache_req/plugins/cache_req_host_by_name.c \
++    ../../../src/responder/common/cache_req/plugins/cache_req_autofs_map_entries.c \
+     $(NULL)
+ 
+ SSSD_RESPONDER_IFACE_OBJ = \
+-- 
+2.20.1
+
diff --git a/SOURCES/0076-cache_req-add-autofs-map-by-name-plugin.patch b/SOURCES/0076-cache_req-add-autofs-map-by-name-plugin.patch
new file mode 100644
index 0000000..6dce4ab
--- /dev/null
+++ b/SOURCES/0076-cache_req-add-autofs-map-by-name-plugin.patch
@@ -0,0 +1,247 @@
+From e683556dc6671a6047de8bb970d32360d5aa59dc Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
+Date: Tue, 6 Aug 2019 12:08:59 +0200
+Subject: [PATCH 76/90] cache_req: add autofs map by name plugin
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+We will use the current data provider call that downloads all map entries
+but we will replace it later when new call is available.
+
+Resolves:
+https://pagure.io/SSSD/sssd/issue/2607
+
+Reviewed-by: Tomáš Halman <thalman@redhat.com>
+---
+ Makefile.am                                   |   1 +
+ src/responder/common/cache_req/cache_req.c    |   1 +
+ src/responder/common/cache_req/cache_req.h    |  13 ++
+ .../common/cache_req/cache_req_data.c         |   1 +
+ .../common/cache_req/cache_req_plugin.h       |   1 +
+ .../plugins/cache_req_autofs_map_by_name.c    | 124 ++++++++++++++++++
+ src/tests/cwrap/Makefile.am                   |   1 +
+ 7 files changed, 142 insertions(+)
+ create mode 100644 src/responder/common/cache_req/plugins/cache_req_autofs_map_by_name.c
+
+diff --git a/Makefile.am b/Makefile.am
+index 879f38311..461a9355f 100644
+--- a/Makefile.am
++++ b/Makefile.am
+@@ -560,6 +560,7 @@ SSSD_CACHE_REQ_OBJ = \
+ 	src/responder/common/cache_req/plugins/cache_req_netgroup_by_name.c \
+ 	src/responder/common/cache_req/plugins/cache_req_host_by_name.c \
+ 	src/responder/common/cache_req/plugins/cache_req_autofs_map_entries.c \
++	src/responder/common/cache_req/plugins/cache_req_autofs_map_by_name.c \
+ 	$(NULL)
+ 
+ SSSD_RESPONDER_IFACE_OBJ = \
+diff --git a/src/responder/common/cache_req/cache_req.c b/src/responder/common/cache_req/cache_req.c
+index 2ce9deca0..75f396a23 100644
+--- a/src/responder/common/cache_req/cache_req.c
++++ b/src/responder/common/cache_req/cache_req.c
+@@ -62,6 +62,7 @@ cache_req_get_plugin(enum cache_req_type type)
+         &cache_req_host_by_name,
+ 
+         &cache_req_autofs_map_entries,
++        &cache_req_autofs_map_by_name
+     };
+ 
+     if (type >= CACHE_REQ_SENTINEL) {
+diff --git a/src/responder/common/cache_req/cache_req.h b/src/responder/common/cache_req/cache_req.h
+index 0c214a483..66a13445c 100644
+--- a/src/responder/common/cache_req/cache_req.h
++++ b/src/responder/common/cache_req/cache_req.h
+@@ -55,6 +55,7 @@ enum cache_req_type {
+     CACHE_REQ_HOST_BY_NAME,
+ 
+     CACHE_REQ_AUTOFS_MAP_ENTRIES,
++    CACHE_REQ_AUTOFS_MAP_BY_NAME,
+ 
+     CACHE_REQ_SENTINEL
+ };
+@@ -444,4 +445,16 @@ cache_req_autofs_map_entries_send(TALLOC_CTX *mem_ctx,
+ #define cache_req_autofs_map_entries_recv(mem_ctx, req, _result) \
+     cache_req_single_domain_recv(mem_ctx, req, _result)
+ 
++struct tevent_req *
++cache_req_autofs_map_by_name_send(TALLOC_CTX *mem_ctx,
++                                  struct tevent_context *ev,
++                                  struct resp_ctx *rctx,
++                                  struct sss_nc_ctx *ncache,
++                                  int cache_refresh_percent,
++                                  const char *domain,
++                                  const char *name);
++
++#define cache_req_autofs_map_by_name_recv(mem_ctx, req, _result) \
++    cache_req_single_domain_recv(mem_ctx, req, _result)
++
+ #endif /* _CACHE_REQ_H_ */
+diff --git a/src/responder/common/cache_req/cache_req_data.c b/src/responder/common/cache_req/cache_req_data.c
+index 20d73ebfd..ad6176641 100644
+--- a/src/responder/common/cache_req/cache_req_data.c
++++ b/src/responder/common/cache_req/cache_req_data.c
+@@ -94,6 +94,7 @@ cache_req_data_create(TALLOC_CTX *mem_ctx,
+     case CACHE_REQ_NETGROUP_BY_NAME:
+     case CACHE_REQ_OBJECT_BY_NAME:
+     case CACHE_REQ_AUTOFS_MAP_ENTRIES:
++    case CACHE_REQ_AUTOFS_MAP_BY_NAME:
+         if (input->name.input == NULL) {
+             DEBUG(SSSDBG_CRIT_FAILURE, "Bug: name cannot be NULL!\n");
+             ret = ERR_INTERNAL;
+diff --git a/src/responder/common/cache_req/cache_req_plugin.h b/src/responder/common/cache_req/cache_req_plugin.h
+index 1071cd889..c040bf380 100644
+--- a/src/responder/common/cache_req/cache_req_plugin.h
++++ b/src/responder/common/cache_req/cache_req_plugin.h
+@@ -315,5 +315,6 @@ extern const struct cache_req_plugin cache_req_svc_by_port;
+ extern const struct cache_req_plugin cache_req_netgroup_by_name;
+ extern const struct cache_req_plugin cache_req_host_by_name;
+ extern const struct cache_req_plugin cache_req_autofs_map_entries;
++extern const struct cache_req_plugin cache_req_autofs_map_by_name;
+ 
+ #endif /* _CACHE_REQ_PLUGIN_H_ */
+diff --git a/src/responder/common/cache_req/plugins/cache_req_autofs_map_by_name.c b/src/responder/common/cache_req/plugins/cache_req_autofs_map_by_name.c
+new file mode 100644
+index 000000000..2f69c762c
+--- /dev/null
++++ b/src/responder/common/cache_req/plugins/cache_req_autofs_map_by_name.c
+@@ -0,0 +1,124 @@
++/*
++    Authors:
++        Pavel Březina <pbrezina@redhat.com>
++
++    Copyright (C) 2019 Red Hat
++
++    This program is free software; you can redistribute it and/or modify
++    it under the terms of the GNU General Public License as published by
++    the Free Software Foundation; either version 3 of the License, or
++    (at your option) any later version.
++
++    This program is distributed in the hope that it will be useful,
++    but WITHOUT ANY WARRANTY; without even the implied warranty of
++    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
++    GNU General Public License for more details.
++
++    You should have received a copy of the GNU General Public License
++    along with this program.  If not, see <http://www.gnu.org/licenses/>.
++*/
++
++#include <talloc.h>
++#include <ldb.h>
++
++#include "db/sysdb.h"
++#include "db/sysdb_autofs.h"
++#include "util/util.h"
++#include "providers/data_provider.h"
++#include "responder/common/cache_req/cache_req_plugin.h"
++
++static const char *
++cache_req_autofs_map_by_name_create_debug_name(TALLOC_CTX *mem_ctx,
++                                               struct cache_req_data *data,
++                                               struct sss_domain_info *domain)
++{
++    return talloc_strdup(mem_ctx, data->name.name);
++}
++
++static errno_t
++cache_req_autofs_map_by_name_lookup(TALLOC_CTX *mem_ctx,
++                                    struct cache_req *cr,
++                                    struct cache_req_data *data,
++                                    struct sss_domain_info *domain,
++                                    struct ldb_result **_result)
++{
++    struct ldb_message *map;
++    struct ldb_result *result;
++    errno_t ret;
++
++    ret = sysdb_get_map_byname(mem_ctx, domain, data->name.name, &map);
++    if (ret != EOK) {
++        return ret;
++    }
++
++    result = cache_req_create_ldb_result_from_msg(mem_ctx, map);
++    if (result == NULL) {
++        talloc_free(map);
++        return ENOMEM;
++    }
++
++    *_result = talloc_steal(mem_ctx, result);
++    return EOK;
++}
++
++static struct tevent_req *
++cache_req_autofs_map_by_name_dp_send(TALLOC_CTX *mem_ctx,
++                                     struct cache_req *cr,
++                                     struct cache_req_data *data,
++                                     struct sss_domain_info *domain,
++                                     struct ldb_result *result)
++{
++    return sss_dp_get_autofs_send(mem_ctx, cr->rctx, domain, true,
++                                  SSS_DP_AUTOFS, data->name.name);
++}
++
++const struct cache_req_plugin cache_req_autofs_map_by_name = {
++    .name = "Get autofs map",
++    .attr_expiration = SYSDB_CACHE_EXPIRE,
++    .parse_name = true,
++    .ignore_default_domain = true,
++    .bypass_cache = false,
++    .only_one_result = false,
++    .search_all_domains = false,
++    .require_enumeration = false,
++    .allow_missing_fqn = true,
++    .allow_switch_to_upn = false,
++    .upn_equivalent = CACHE_REQ_SENTINEL,
++    .get_next_domain_flags = 0,
++
++    .is_well_known_fn = NULL,
++    .prepare_domain_data_fn = NULL,
++    .create_debug_name_fn = cache_req_autofs_map_by_name_create_debug_name,
++    .global_ncache_add_fn = NULL,
++    .ncache_check_fn = NULL,
++    .ncache_add_fn = NULL,
++    .ncache_filter_fn = NULL,
++    .lookup_fn = cache_req_autofs_map_by_name_lookup,
++    .dp_send_fn = cache_req_autofs_map_by_name_dp_send,
++    .dp_recv_fn = cache_req_common_dp_recv,
++    .dp_get_domain_check_fn = NULL,
++    .dp_get_domain_send_fn = NULL,
++    .dp_get_domain_recv_fn = NULL,
++};
++
++struct tevent_req *
++cache_req_autofs_map_by_name_send(TALLOC_CTX *mem_ctx,
++                                  struct tevent_context *ev,
++                                  struct resp_ctx *rctx,
++                                  struct sss_nc_ctx *ncache,
++                                  int cache_refresh_percent,
++                                  const char *domain,
++                                  const char *name)
++{
++    struct cache_req_data *data;
++
++    data = cache_req_data_name(mem_ctx, CACHE_REQ_AUTOFS_MAP_BY_NAME, name);
++    if (data == NULL) {
++        return NULL;
++    }
++
++    return cache_req_steal_data_and_send(mem_ctx, ev, rctx, ncache,
++                                         cache_refresh_percent,
++                                         CACHE_REQ_POSIX_DOM, domain,
++                                         data);
++}
+diff --git a/src/tests/cwrap/Makefile.am b/src/tests/cwrap/Makefile.am
+index dfaf3f770..3fbcebf3c 100644
+--- a/src/tests/cwrap/Makefile.am
++++ b/src/tests/cwrap/Makefile.am
+@@ -65,6 +65,7 @@ SSSD_CACHE_REQ_OBJ = \
+     ../../../src/responder/common/cache_req/plugins/cache_req_netgroup_by_name.c \
+     ../../../src/responder/common/cache_req/plugins/cache_req_host_by_name.c \
+     ../../../src/responder/common/cache_req/plugins/cache_req_autofs_map_entries.c \
++    ../../../src/responder/common/cache_req/plugins/cache_req_autofs_map_by_name.c \
+     $(NULL)
+ 
+ SSSD_RESPONDER_IFACE_OBJ = \
+-- 
+2.20.1
+
diff --git a/SOURCES/0077-cache_req-add-autofs-entry-by-name-plugin.patch b/SOURCES/0077-cache_req-add-autofs-entry-by-name-plugin.patch
new file mode 100644
index 0000000..fcbf391
--- /dev/null
+++ b/SOURCES/0077-cache_req-add-autofs-entry-by-name-plugin.patch
@@ -0,0 +1,321 @@
+From 6fe479a210adb53d419ca75512dec3a584296289 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
+Date: Tue, 13 Aug 2019 13:00:23 +0200
+Subject: [PATCH 77/90] cache_req: add autofs entry by name plugin
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+We will use the current data provider call that downloads all map entries
+but we will replace it later when new call is available.
+
+Resolves:
+https://pagure.io/SSSD/sssd/issue/2607
+
+Reviewed-by: Tomáš Halman <thalman@redhat.com>
+---
+ Makefile.am                                   |   1 +
+ src/responder/common/cache_req/cache_req.c    |   3 +-
+ src/responder/common/cache_req/cache_req.h    |  21 +++
+ .../common/cache_req/cache_req_data.c         |  33 +++++
+ .../common/cache_req/cache_req_plugin.h       |   1 +
+ .../common/cache_req/cache_req_private.h      |   1 +
+ .../plugins/cache_req_autofs_entry_by_name.c  | 129 ++++++++++++++++++
+ src/tests/cwrap/Makefile.am                   |   1 +
+ 8 files changed, 189 insertions(+), 1 deletion(-)
+ create mode 100644 src/responder/common/cache_req/plugins/cache_req_autofs_entry_by_name.c
+
+diff --git a/Makefile.am b/Makefile.am
+index 461a9355f..bc74906a7 100644
+--- a/Makefile.am
++++ b/Makefile.am
+@@ -561,6 +561,7 @@ SSSD_CACHE_REQ_OBJ = \
+ 	src/responder/common/cache_req/plugins/cache_req_host_by_name.c \
+ 	src/responder/common/cache_req/plugins/cache_req_autofs_map_entries.c \
+ 	src/responder/common/cache_req/plugins/cache_req_autofs_map_by_name.c \
++	src/responder/common/cache_req/plugins/cache_req_autofs_entry_by_name.c \
+ 	$(NULL)
+ 
+ SSSD_RESPONDER_IFACE_OBJ = \
+diff --git a/src/responder/common/cache_req/cache_req.c b/src/responder/common/cache_req/cache_req.c
+index 75f396a23..febca2468 100644
+--- a/src/responder/common/cache_req/cache_req.c
++++ b/src/responder/common/cache_req/cache_req.c
+@@ -62,7 +62,8 @@ cache_req_get_plugin(enum cache_req_type type)
+         &cache_req_host_by_name,
+ 
+         &cache_req_autofs_map_entries,
+-        &cache_req_autofs_map_by_name
++        &cache_req_autofs_map_by_name,
++        &cache_req_autofs_entry_by_name
+     };
+ 
+     if (type >= CACHE_REQ_SENTINEL) {
+diff --git a/src/responder/common/cache_req/cache_req.h b/src/responder/common/cache_req/cache_req.h
+index 66a13445c..412f6221b 100644
+--- a/src/responder/common/cache_req/cache_req.h
++++ b/src/responder/common/cache_req/cache_req.h
+@@ -56,6 +56,7 @@ enum cache_req_type {
+ 
+     CACHE_REQ_AUTOFS_MAP_ENTRIES,
+     CACHE_REQ_AUTOFS_MAP_BY_NAME,
++    CACHE_REQ_AUTOFS_ENTRY_BY_NAME,
+ 
+     CACHE_REQ_SENTINEL
+ };
+@@ -126,6 +127,13 @@ cache_req_data_host(TALLOC_CTX *mem_ctx,
+                     const char *name,
+                     const char *alias,
+                     const char **attrs);
++
++struct cache_req_data *
++cache_req_data_autofs_entry(TALLOC_CTX *mem_ctx,
++                            enum cache_req_type type,
++                            const char *mapname,
++                            const char *entryname);
++
+ void
+ cache_req_data_set_bypass_cache(struct cache_req_data *data,
+                                 bool bypass_cache);
+@@ -457,4 +465,17 @@ cache_req_autofs_map_by_name_send(TALLOC_CTX *mem_ctx,
+ #define cache_req_autofs_map_by_name_recv(mem_ctx, req, _result) \
+     cache_req_single_domain_recv(mem_ctx, req, _result)
+ 
++struct tevent_req *
++cache_req_autofs_entry_by_name_send(TALLOC_CTX *mem_ctx,
++                                    struct tevent_context *ev,
++                                    struct resp_ctx *rctx,
++                                    struct sss_nc_ctx *ncache,
++                                    int cache_refresh_percent,
++                                    const char *domain,
++                                    const char *mapname,
++                                    const char *entryname);
++
++#define cache_req_autofs_entry_by_name_recv(mem_ctx, req, _result) \
++    cache_req_single_domain_recv(mem_ctx, req, _result)
++
+ #endif /* _CACHE_REQ_H_ */
+diff --git a/src/responder/common/cache_req/cache_req_data.c b/src/responder/common/cache_req/cache_req_data.c
+index ad6176641..01eeedbc4 100644
+--- a/src/responder/common/cache_req/cache_req_data.c
++++ b/src/responder/common/cache_req/cache_req_data.c
+@@ -209,6 +209,25 @@ cache_req_data_create(TALLOC_CTX *mem_ctx,
+             goto done;
+         }
+         break;
++    case CACHE_REQ_AUTOFS_ENTRY_BY_NAME:
++        if (input->name.input == NULL) {
++            DEBUG(SSSDBG_CRIT_FAILURE, "Bug: name cannot be NULL!\n");
++            ret = ERR_INTERNAL;
++            goto done;
++        }
++
++        data->name.input = talloc_strdup(data, input->name.input);
++        if (data->name.input == NULL) {
++            ret = ENOMEM;
++            goto done;
++        }
++
++        data->autofs_entry_name = talloc_strdup(data, input->autofs_entry_name);
++        if (data->autofs_entry_name == NULL) {
++            ret = ENOMEM;
++            goto done;
++        }
++        break;
+     case CACHE_REQ_SENTINEL:
+         DEBUG(SSSDBG_CRIT_FAILURE, "Invalid cache request type!\n");
+         ret = ERR_INTERNAL;
+@@ -356,6 +375,20 @@ cache_req_data_host(TALLOC_CTX *mem_ctx,
+     return cache_req_data_create(mem_ctx, type, &input);
+ }
+ 
++struct cache_req_data *
++cache_req_data_autofs_entry(TALLOC_CTX *mem_ctx,
++                            enum cache_req_type type,
++                            const char *mapname,
++                            const char *entryname)
++{
++    struct cache_req_data input = {0};
++
++    input.name.input = mapname;
++    input.autofs_entry_name = entryname;
++
++    return cache_req_data_create(mem_ctx, type, &input);
++}
++
+ void
+ cache_req_data_set_bypass_cache(struct cache_req_data *data,
+                                 bool bypass_cache)
+diff --git a/src/responder/common/cache_req/cache_req_plugin.h b/src/responder/common/cache_req/cache_req_plugin.h
+index c040bf380..745a36c0e 100644
+--- a/src/responder/common/cache_req/cache_req_plugin.h
++++ b/src/responder/common/cache_req/cache_req_plugin.h
+@@ -316,5 +316,6 @@ extern const struct cache_req_plugin cache_req_netgroup_by_name;
+ extern const struct cache_req_plugin cache_req_host_by_name;
+ extern const struct cache_req_plugin cache_req_autofs_map_entries;
+ extern const struct cache_req_plugin cache_req_autofs_map_by_name;
++extern const struct cache_req_plugin cache_req_autofs_entry_by_name;
+ 
+ #endif /* _CACHE_REQ_PLUGIN_H_ */
+diff --git a/src/responder/common/cache_req/cache_req_private.h b/src/responder/common/cache_req/cache_req_private.h
+index a88c838d9..34bd3ce15 100644
+--- a/src/responder/common/cache_req/cache_req_private.h
++++ b/src/responder/common/cache_req/cache_req_private.h
+@@ -83,6 +83,7 @@ struct cache_req_data {
+     const char *sid;
+     const char *alias;
+     const char **attrs;
++    const char *autofs_entry_name;
+ 
+     struct {
+         struct cache_req_parsed_name *name;
+diff --git a/src/responder/common/cache_req/plugins/cache_req_autofs_entry_by_name.c b/src/responder/common/cache_req/plugins/cache_req_autofs_entry_by_name.c
+new file mode 100644
+index 000000000..17b0b508e
+--- /dev/null
++++ b/src/responder/common/cache_req/plugins/cache_req_autofs_entry_by_name.c
+@@ -0,0 +1,129 @@
++/*
++    Authors:
++        Pavel Březina <pbrezina@redhat.com>
++
++    Copyright (C) 2019 Red Hat
++
++    This program is free software; you can redistribute it and/or modify
++    it under the terms of the GNU General Public License as published by
++    the Free Software Foundation; either version 3 of the License, or
++    (at your option) any later version.
++
++    This program is distributed in the hope that it will be useful,
++    but WITHOUT ANY WARRANTY; without even the implied warranty of
++    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
++    GNU General Public License for more details.
++
++    You should have received a copy of the GNU General Public License
++    along with this program.  If not, see <http://www.gnu.org/licenses/>.
++*/
++
++#include <talloc.h>
++#include <ldb.h>
++
++#include "db/sysdb.h"
++#include "db/sysdb_autofs.h"
++#include "util/util.h"
++#include "providers/data_provider.h"
++#include "responder/common/cache_req/cache_req_plugin.h"
++
++static const char *
++cache_req_autofs_entry_by_name_create_debug_name(TALLOC_CTX *mem_ctx,
++                                                 struct cache_req_data *data,
++                                                 struct sss_domain_info *domain)
++{
++    return talloc_asprintf(mem_ctx, "%s:%s",
++                           data->name.name,
++                           data->autofs_entry_name);
++}
++
++static errno_t
++cache_req_autofs_entry_by_name_lookup(TALLOC_CTX *mem_ctx,
++                                      struct cache_req *cr,
++                                      struct cache_req_data *data,
++                                      struct sss_domain_info *domain,
++                                      struct ldb_result **_result)
++{
++    struct ldb_message *entry;
++    struct ldb_result *result;
++    errno_t ret;
++
++    ret = sysdb_get_autofsentry(mem_ctx, domain, data->name.name,
++                                data->autofs_entry_name, &entry);
++    if (ret != EOK) {
++        return ret;
++    }
++
++    result = cache_req_create_ldb_result_from_msg(mem_ctx, entry);
++    if (result == NULL) {
++        talloc_free(entry);
++        return ENOMEM;
++    }
++
++    *_result = talloc_steal(mem_ctx, result);
++    return EOK;
++}
++
++static struct tevent_req *
++cache_req_autofs_entry_by_name_dp_send(TALLOC_CTX *mem_ctx,
++                                       struct cache_req *cr,
++                                       struct cache_req_data *data,
++                                       struct sss_domain_info *domain,
++                                       struct ldb_result *result)
++{
++    return sss_dp_get_autofs_send(mem_ctx, cr->rctx, domain, true,
++                                  SSS_DP_AUTOFS, data->name.name);
++}
++
++const struct cache_req_plugin cache_req_autofs_entry_by_name = {
++    .name = "Get autofs entry",
++    .attr_expiration = SYSDB_CACHE_EXPIRE,
++    .parse_name = true,
++    .ignore_default_domain = true,
++    .bypass_cache = false,
++    .only_one_result = false,
++    .search_all_domains = false,
++    .require_enumeration = false,
++    .allow_missing_fqn = true,
++    .allow_switch_to_upn = false,
++    .upn_equivalent = CACHE_REQ_SENTINEL,
++    .get_next_domain_flags = 0,
++
++    .is_well_known_fn = NULL,
++    .prepare_domain_data_fn = NULL,
++    .create_debug_name_fn = cache_req_autofs_entry_by_name_create_debug_name,
++    .global_ncache_add_fn = NULL,
++    .ncache_check_fn = NULL,
++    .ncache_add_fn = NULL,
++    .ncache_filter_fn = NULL,
++    .lookup_fn = cache_req_autofs_entry_by_name_lookup,
++    .dp_send_fn = cache_req_autofs_entry_by_name_dp_send,
++    .dp_recv_fn = cache_req_common_dp_recv,
++    .dp_get_domain_check_fn = NULL,
++    .dp_get_domain_send_fn = NULL,
++    .dp_get_domain_recv_fn = NULL,
++};
++
++struct tevent_req *
++cache_req_autofs_entry_by_name_send(TALLOC_CTX *mem_ctx,
++                                    struct tevent_context *ev,
++                                    struct resp_ctx *rctx,
++                                    struct sss_nc_ctx *ncache,
++                                    int cache_refresh_percent,
++                                    const char *domain,
++                                    const char *mapname,
++                                    const char *entryname)
++{
++    struct cache_req_data *data;
++
++    data = cache_req_data_autofs_entry(mem_ctx, CACHE_REQ_AUTOFS_ENTRY_BY_NAME,
++                                       mapname, entryname);
++    if (data == NULL) {
++        return NULL;
++    }
++
++    return cache_req_steal_data_and_send(mem_ctx, ev, rctx, ncache,
++                                         cache_refresh_percent,
++                                         CACHE_REQ_POSIX_DOM, domain,
++                                         data);
++}
+diff --git a/src/tests/cwrap/Makefile.am b/src/tests/cwrap/Makefile.am
+index 3fbcebf3c..aaec6c700 100644
+--- a/src/tests/cwrap/Makefile.am
++++ b/src/tests/cwrap/Makefile.am
+@@ -66,6 +66,7 @@ SSSD_CACHE_REQ_OBJ = \
+     ../../../src/responder/common/cache_req/plugins/cache_req_host_by_name.c \
+     ../../../src/responder/common/cache_req/plugins/cache_req_autofs_map_entries.c \
+     ../../../src/responder/common/cache_req/plugins/cache_req_autofs_map_by_name.c \
++    ../../../src/responder/common/cache_req/plugins/cache_req_autofs_entry_by_name.c \
+     $(NULL)
+ 
+ SSSD_RESPONDER_IFACE_OBJ = \
+-- 
+2.20.1
+
diff --git a/SOURCES/0078-autofs-convert-code-to-cache_req.patch b/SOURCES/0078-autofs-convert-code-to-cache_req.patch
new file mode 100644
index 0000000..6446d23
--- /dev/null
+++ b/SOURCES/0078-autofs-convert-code-to-cache_req.patch
@@ -0,0 +1,2158 @@
+From b0043a95f86b240d0beb551ef4e9ff9a4be99995 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
+Date: Wed, 7 Aug 2019 13:59:04 +0200
+Subject: [PATCH 78/90] autofs: convert code to cache_req
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+This will simplify the code a lot so it can be further extended.
+At this point the conversion is done 1:1, we will do additional
+changes in next patches.
+
+Resolves:
+https://pagure.io/SSSD/sssd/issue/2607
+
+Reviewed-by: Tomáš Halman <thalman@redhat.com>
+---
+ src/responder/autofs/autofs_private.h |   72 +-
+ src/responder/autofs/autofssrv.c      |    7 +-
+ src/responder/autofs/autofssrv_cmd.c  | 1651 ++++++++-----------------
+ 3 files changed, 549 insertions(+), 1181 deletions(-)
+
+diff --git a/src/responder/autofs/autofs_private.h b/src/responder/autofs/autofs_private.h
+index 6a39b17ad..3be25d4d9 100644
+--- a/src/responder/autofs/autofs_private.h
++++ b/src/responder/autofs/autofs_private.h
+@@ -21,7 +21,9 @@
+ #ifndef _AUTOFSSRV_PRIVATE_H_
+ #define _AUTOFSSRV_PRIVATE_H_
+ 
++#include "responder/common/responder.h"
+ #include "responder/common/responder_sbus.h"
++#include "responder/common/cache_req/cache_req.h"
+ 
+ #define SSS_AUTOFS_PROTO_VERSION        0x001
+ 
+@@ -33,75 +35,33 @@ struct autofs_ctx {
+     hash_table_t *maps;
+ };
+ 
+-struct autofs_state_ctx {
+-    char *automntmap_name;
+-};
+-
+ struct autofs_cmd_ctx {
+-    struct cli_ctx *cctx;
+-    char *mapname;
+-    char *key;
+-    uint32_t cursor;
++    struct autofs_ctx *autofs_ctx;
++    struct cli_ctx *cli_ctx;
++
++    const char *mapname;
++    const char *keyname;
+     uint32_t max_entries;
+-    bool check_next;
++    uint32_t cursor;
+ };
+ 
+-struct autofs_dom_ctx {
+-    struct autofs_cmd_ctx  *cmd_ctx;
+-    struct sss_domain_info *domain;
+-    bool check_provider;
+-
+-    /* cache results */
+-    struct ldb_message *map;
+-
+-    size_t entry_count;
+-    struct ldb_message **entries;
+-
+-    struct autofs_map_ctx *map_ctx;
+-};
++struct autofs_enum_ctx {
++    /* Results. First result is the map objects, next results are map entries. */
++    struct cache_req_result *result;
+ 
+-struct autofs_map_ctx {
+-    /* state of the map entry */
+-    bool ready;
++    /* True if the map was found. */
+     bool found;
+ 
+-    /* requests */
+-    struct setent_req_list *reqs;
+-
+-    hash_table_t *map_table;
+-    char *mapname;
++    /* False if the result is being created. */
++    bool ready;
+ 
+-    /* map entry */
+-    struct ldb_message *map;
+-    size_t entry_count;
+-    struct ldb_message **entries;
++    /* Requests that awaits the data. */
++    struct setent_req_list *notify_list;
+ };
+ 
+ struct sss_cmd_table *get_autofs_cmds(void);
+ int autofs_connection_setup(struct cli_ctx *cctx);
+ 
+-void autofs_map_hash_delete_cb(hash_entry_t *item,
+-                               hash_destroy_enum deltype, void *pvt);
+-
+ errno_t autofs_orphan_maps(struct autofs_ctx *actx);
+ 
+-enum sss_dp_autofs_type {
+-    SSS_DP_AUTOFS
+-};
+-
+-struct tevent_req *
+-sss_dp_get_autofs_send(TALLOC_CTX *mem_ctx,
+-                       struct resp_ctx *rctx,
+-                       struct sss_domain_info *dom,
+-                       bool fast_reply,
+-                       enum sss_dp_autofs_type type,
+-                       const char *name);
+-
+-errno_t
+-sss_dp_get_autofs_recv(TALLOC_CTX *mem_ctx,
+-                       struct tevent_req *req,
+-                       dbus_uint16_t *dp_err,
+-                       dbus_uint32_t *dp_ret,
+-                       char **err_msg);
+-
+ #endif /* _AUTOFSSRV_PRIVATE_H_ */
+diff --git a/src/responder/autofs/autofssrv.c b/src/responder/autofs/autofssrv.c
+index 7d236f4d9..309ed76b1 100644
+--- a/src/responder/autofs/autofssrv.c
++++ b/src/responder/autofs/autofssrv.c
+@@ -28,6 +28,7 @@
+ #include "responder/common/responder.h"
+ #include "providers/data_provider.h"
+ #include "responder/autofs/autofs_private.h"
++#include "util/sss_ptr_hash.h"
+ 
+ static int autofs_clean_hash_table(struct sbus_request *dbus_req, void *data);
+ 
+@@ -105,7 +106,6 @@ autofs_process_init(TALLOC_CTX *mem_ctx,
+     struct autofs_ctx *autofs_ctx;
+     struct be_conn *iter;
+     int ret;
+-    int hret;
+     int max_retries;
+ 
+     autofs_cmds = get_autofs_cmds();
+@@ -158,9 +158,8 @@ autofs_process_init(TALLOC_CTX *mem_ctx,
+     }
+ 
+     /* Create the lookup table for setautomntent results */
+-    hret = sss_hash_create_ex(autofs_ctx, 10, &autofs_ctx->maps, 0, 0, 0, 0,
+-                              autofs_map_hash_delete_cb, NULL);
+-    if (hret != HASH_SUCCESS) {
++    autofs_ctx->maps = sss_ptr_hash_create(autofs_ctx, NULL, NULL);
++    if (autofs_ctx->maps == NULL) {
+         DEBUG(SSSDBG_CRIT_FAILURE,
+               "Unable to initialize automount maps hash table\n");
+         ret = EIO;
+diff --git a/src/responder/autofs/autofssrv_cmd.c b/src/responder/autofs/autofssrv_cmd.c
+index 9ea2ab71b..670b6d50d 100644
+--- a/src/responder/autofs/autofssrv_cmd.c
++++ b/src/responder/autofs/autofssrv_cmd.c
+@@ -25,20 +25,22 @@
+ #include "util/util.h"
+ #include "responder/common/responder.h"
+ #include "responder/common/responder_packet.h"
++#include "responder/common/cache_req/cache_req.h"
+ #include "responder/autofs/autofs_private.h"
+ #include "db/sysdb.h"
+ #include "db/sysdb_autofs.h"
+ #include "confdb/confdb.h"
++#include "util/sss_ptr_hash.h"
+ 
+ static int autofs_cmd_send_error(struct autofs_cmd_ctx *cmdctx, int err)
+ {
+-    return sss_cmd_send_error(cmdctx->cctx, err);
++    return sss_cmd_send_error(cmdctx->cli_ctx, err);
+ }
+ 
+ static int
+ autofs_cmd_send_empty(struct autofs_cmd_ctx *cmdctx)
+ {
+-    return sss_cmd_send_empty(cmdctx->cctx);
++    return sss_cmd_send_empty(cmdctx->cli_ctx);
+ }
+ 
+ static int
+@@ -54,7 +56,7 @@ autofs_cmd_done(struct autofs_cmd_ctx *cmdctx, int ret)
+         if (ret) {
+             return EFAULT;
+         }
+-        sss_cmd_done(cmdctx->cctx, cmdctx);
++        sss_cmd_done(cmdctx->cli_ctx, cmdctx);
+         break;
+ 
+     case EAGAIN:
+@@ -70,7 +72,7 @@ autofs_cmd_done(struct autofs_cmd_ctx *cmdctx, int ret)
+         if (ret) {
+             return EFAULT;
+         }
+-        sss_cmd_done(cmdctx->cctx, cmdctx);
++        sss_cmd_done(cmdctx->cli_ctx, cmdctx);
+         break;
+     }
+ 
+@@ -78,1058 +80,524 @@ autofs_cmd_done(struct autofs_cmd_ctx *cmdctx, int ret)
+ }
+ 
+ static errno_t
+-autofs_setent_add_ref(TALLOC_CTX *memctx,
+-                      struct autofs_map_ctx *map_ctx,
+-                      struct tevent_req *req)
++autofs_fill_entry(struct ldb_message *entry, struct sss_packet *packet, size_t *rp)
+ {
+-    return setent_add_ref(memctx, &map_ctx->reqs, req);
+-}
+-
+-static void
+-autofs_setent_notify(struct autofs_map_ctx *map_ctx, errno_t ret)
+-{
+-    setent_notify(&map_ctx->reqs, ret);
+-}
+-
+-errno_t
+-autofs_orphan_maps(struct autofs_ctx *actx)
+-{
+-    int hret;
+-    unsigned long mcount;
+-    unsigned long i;
+-    hash_key_t *maps;
++    errno_t ret;
++    const char *key;
++    size_t keylen;
++    const char *value;
++    size_t valuelen;
++    uint8_t *body;
++    size_t blen;
++    size_t len;
+ 
+-    if (!actx || !actx->maps) {
++    key = ldb_msg_find_attr_as_string(entry, SYSDB_AUTOFS_ENTRY_KEY, NULL);
++    value = ldb_msg_find_attr_as_string(entry, SYSDB_AUTOFS_ENTRY_VALUE, NULL);
++    if (!key || !value) {
++        DEBUG(SSSDBG_MINOR_FAILURE, "Incomplete entry\n");
+         return EINVAL;
+     }
+ 
+-    hret = hash_keys(actx->maps, &mcount, &maps);
+-    if (hret != HASH_SUCCESS) {
+-        return EIO;
+-    }
+-
+-    for (i = 0; i < mcount; i++) {
+-        hret = hash_delete(actx->maps, &maps[i]);
+-        if (hret != HASH_SUCCESS) {
+-            DEBUG(SSSDBG_MINOR_FAILURE, "Could not delete key from hash\n");
+-            continue;
+-        }
+-    }
+-
+-    return EOK;
+-}
++    keylen = 1 + strlen(key);
++    valuelen = 1 + strlen(value);
++    len = sizeof(uint32_t) + sizeof(uint32_t) + keylen + sizeof(uint32_t) + valuelen;
+ 
+-static errno_t
+-get_autofs_map(struct autofs_ctx *actx,
+-               char *mapname,
+-               struct autofs_map_ctx **map)
+-{
+-    hash_key_t key;
+-    hash_value_t value;
+-    int hret;
+-
+-    key.type = HASH_KEY_STRING;
+-    key.str = mapname;
+-
+-    hret = hash_lookup(actx->maps, &key, &value);
+-    if (hret == HASH_SUCCESS) {
+-        *map = talloc_get_type(value.ptr, struct autofs_map_ctx);
+-        return EOK;
+-    } else if (hret == HASH_ERROR_KEY_NOT_FOUND) {
+-        return ENOENT;
++    ret = sss_packet_grow(packet, len);
++    if (ret != EOK) {
++        DEBUG(SSSDBG_OP_FAILURE, "Cannot grow packet\n");
++        return ret;
+     }
+ 
+-    DEBUG(SSSDBG_CRIT_FAILURE,
+-          "Unexpected error reading from autofs map hash [%d][%s]\n",
+-          hret, hash_error_string(hret));
+-    return EIO;
+-}
+-
+-static int autofs_map_hash_remove (TALLOC_CTX *ctx);
++    sss_packet_get_body(packet, &body, &blen);
+ 
+-void
+-autofs_map_hash_delete_cb(hash_entry_t *item,
+-                          hash_destroy_enum deltype, void *pvt)
+-{
+-    struct autofs_map_ctx *map;
++    SAFEALIGN_SET_UINT32(&body[*rp], len, rp);
++    SAFEALIGN_SET_UINT32(&body[*rp], keylen, rp);
+ 
+-    if (deltype != HASH_ENTRY_DESTROY) {
+-        return;
++    if (keylen == 1) {
++        body[*rp] = '\0';
++    } else {
++        memcpy(&body[*rp], key, keylen);
+     }
++    *rp += keylen;
+ 
+-    map = talloc_get_type(item->value.ptr, struct autofs_map_ctx);
+-    if (!map) {
+-        DEBUG(SSSDBG_OP_FAILURE, "Invalid autofs map\n");
+-        return;
++    SAFEALIGN_SET_UINT32(&body[*rp], valuelen, rp);
++    if (valuelen == 1) {
++        body[*rp] = '\0';
++    } else {
++        memcpy(&body[*rp], value, valuelen);
+     }
++    *rp += valuelen;
+ 
+-    /* So that the destructor wouldn't attempt to remove the map from hash
+-     * table */
+-    map->map_table = NULL;
++    return EOK;
+ }
+ 
+-static errno_t
+-set_autofs_map(struct autofs_ctx *actx,
+-               struct autofs_map_ctx *map)
++errno_t
++autofs_orphan_maps(struct autofs_ctx *autofs_ctx)
+ {
+-    hash_key_t key;
+-    hash_value_t value;
+-    int hret;
+-
+-    if (map->mapname == NULL) {
+-        DEBUG(SSSDBG_CRIT_FAILURE, "Missing autofs map name.\n");
+-        return EINVAL;
+-    }
+-
+-    /* Add this entry to the hash table */
+-    key.type = HASH_KEY_STRING;
+-    key.str = map->mapname;
+-    value.type = HASH_VALUE_PTR;
+-    value.ptr = map;
+-    hret = hash_enter(actx->maps, &key, &value);
+-    if (hret != EOK) {
+-        DEBUG(SSSDBG_CRIT_FAILURE,
+-              "Unable to add hash table entry for [%s]\n", key.str);
+-        DEBUG(SSSDBG_MINOR_FAILURE,
+-              "Hash error [%d][%s]\n", hret, hash_error_string(hret));
+-        return EIO;
+-    }
+-    talloc_steal(actx->maps, map);
+-    talloc_set_destructor((TALLOC_CTX *) map, autofs_map_hash_remove);
++    sss_ptr_hash_delete_all(autofs_ctx->maps, true);
+ 
+     return EOK;
+ }
+ 
+-static int
+-autofs_map_hash_remove(TALLOC_CTX *ctx)
++static void
++autofs_enumctx_lifetime_timeout(struct tevent_context *ev,
++                                struct tevent_timer *te,
++                                struct timeval current_time,
++                                void *pvt)
+ {
+-    int hret;
+-    hash_key_t key;
+-    struct autofs_map_ctx *map =
+-            talloc_get_type(ctx, struct autofs_map_ctx);
+-
+-    if (map->map_table == NULL) {
+-        DEBUG(SSSDBG_TRACE_LIBS, "autofs map [%s] was already removed\n",
+-              map->mapname);
+-        return 0;
+-    }
++    struct autofs_enum_ctx *enum_ctx;
+ 
+-    key.type = HASH_KEY_STRING;
+-    key.str = map->mapname;
++    enum_ctx = talloc_get_type(pvt, struct autofs_enum_ctx);
+ 
+-    /* Remove the autofs map result object from the lookup table */
+-    hret = hash_delete(map->map_table, &key);
+-    if (hret != HASH_SUCCESS) {
+-        DEBUG(SSSDBG_CRIT_FAILURE,
+-              "Could not remove key from table! [%d][%s]\n",
+-              hret, hash_error_string(hret));
+-        return -1;
+-    }
+-    return 0;
++    /* Free the context. It will be automatically removed from the hash table. */
++    talloc_free(enum_ctx);
+ }
+ 
+-static struct tevent_req *
+-setautomntent_send(TALLOC_CTX *mem_ctx,
+-                   const char *rawname,
+-                   struct autofs_cmd_ctx *cmdctx);
+-static errno_t setautomntent_recv(struct tevent_req *req);
+-static void sss_autofs_cmd_setautomntent_done(struct tevent_req *req);
+-
+-/* FIXME - file a ticket to have per-responder private
+- * data instead of growing the cli_ctx structure */
+-static int
+-sss_autofs_cmd_setautomntent(struct cli_ctx *client)
++static void
++autofs_set_enumctx_lifetime(struct autofs_ctx *autofs_ctx,
++                            struct autofs_enum_ctx *enum_ctx,
++                            uint32_t lifetime)
+ {
+-    struct autofs_cmd_ctx *cmdctx;
+-    struct cli_protocol *pctx;
+-    uint8_t *body;
+-    size_t blen;
+-    errno_t ret = EOK;
+-    const char *rawname;
+-    struct tevent_req *req;
+-
+-    DEBUG(SSSDBG_TRACE_INTERNAL, "sss_autofs_cmd_setautomntent\n");
+-
+-    cmdctx = talloc_zero(client, struct autofs_cmd_ctx);
+-    if (!cmdctx) {
+-        return ENOMEM;
+-    }
+-    cmdctx->cctx = client;
+-
+-    pctx = talloc_get_type(cmdctx->cctx->protocol_ctx, struct cli_protocol);
+-
+-    sss_packet_get_body(pctx->creq->in, &body, &blen);
+-
+-    /* if not terminated fail */
+-    if (body[blen -1] != '\0') {
+-        ret = EINVAL;
+-        goto done;
+-    }
+-
+-    /* If the body isn't valid UTF-8, fail */
+-    if (!sss_utf8_check(body, blen -1)) {
+-        ret = EINVAL;
+-        goto done;
+-    }
+-
+-    rawname = (const char *)body;
+-    DEBUG(SSSDBG_TRACE_FUNC,
+-          "Got request for automount map named %s\n", rawname);
++    struct timeval tv;
++    struct tevent_timer *te;
+ 
+-    req = setautomntent_send(cmdctx, rawname, cmdctx);
+-    if (!req) {
++    tv = tevent_timeval_current_ofs(lifetime, 0);
++    te = tevent_add_timer(autofs_ctx->rctx->ev, enum_ctx, tv,
++                          autofs_enumctx_lifetime_timeout, enum_ctx);
++    if (te == NULL) {
+         DEBUG(SSSDBG_CRIT_FAILURE,
+-              "Fatal error calling setautomntent_send\n");
+-        ret = EIO;
+-        goto done;
++              "Could not set up life timer for autofs maps. "
++              "Entries may become stale.\n");
+     }
+-    tevent_req_set_callback(req, sss_autofs_cmd_setautomntent_done, cmdctx);
+-
+-    ret = EOK;
+-done:
+-    return autofs_cmd_done(cmdctx, ret);
+ }
+ 
+-static void sss_autofs_cmd_setautomntent_done(struct tevent_req *req)
++static struct autofs_enum_ctx *
++autofs_create_enumeration_context(TALLOC_CTX *mem_ctx,
++                                  struct autofs_ctx *autofs_ctx,
++                                  const char *mapname)
+ {
+-    struct autofs_cmd_ctx *cmdctx =
+-        tevent_req_callback_data(req, struct autofs_cmd_ctx);
+-    struct cli_protocol *pctx;
++    struct autofs_enum_ctx *enum_ctx;
+     errno_t ret;
+-    errno_t reqret;
+-    uint8_t *body;
+-    size_t blen;
+ 
+-    DEBUG(SSSDBG_TRACE_INTERNAL, "setautomntent done\n");
+-
+-    reqret = setautomntent_recv(req);
+-    talloc_zfree(req);
+-    if (reqret != EOK && reqret != ENOENT) {
+-        DEBUG(SSSDBG_CRIT_FAILURE, "setautomntent_recv failed\n");
+-        autofs_cmd_done(cmdctx, reqret);
+-        return;
++    enum_ctx = talloc_zero(mem_ctx, struct autofs_enum_ctx);
++    if (enum_ctx == NULL) {
++        return NULL;
+     }
+ 
+-    pctx = talloc_get_type(cmdctx->cctx->protocol_ctx, struct cli_protocol);
++    enum_ctx->ready = false;
+ 
+-    /* Either we succeeded or no domains were eligible */
+-    ret = sss_packet_new(pctx->creq, 0,
+-                         sss_packet_get_cmd(pctx->creq->in),
+-                         &pctx->creq->out);
+-    if (ret == EOK) {
+-        if (reqret == ENOENT) {
+-            DEBUG(SSSDBG_TRACE_FUNC, "setautomntent did not find requested map\n");
+-            /* Notify the caller that this entry wasn't found */
+-            ret = sss_cmd_empty_packet(pctx->creq->out);
+-            if (ret != EOK) {
+-                DEBUG(SSSDBG_TRACE_INTERNAL,
+-                      "sss_cmd_empty_packet() failed: %s [%d]\n",
+-                      sss_strerror(ret), ret);
+-            }
+-        } else {
+-            DEBUG(SSSDBG_TRACE_FUNC, "setautomntent found data\n");
+-            ret = sss_packet_grow(pctx->creq->out, 2*sizeof(uint32_t));
+-            if (ret != EOK) {
+-                DEBUG(SSSDBG_CRIT_FAILURE, "Couldn't grow the packet\n");
+-                talloc_free(cmdctx);
+-                return;
+-            }
+-
+-            sss_packet_get_body(pctx->creq->out, &body, &blen);
+-
+-            /* Got some results */
+-            SAFEALIGN_SETMEM_UINT32(body, 1, NULL);
+-
+-            /* Reserved padding */
+-            SAFEALIGN_SETMEM_UINT32(body + sizeof(uint32_t), 0, NULL);
+-        }
+-
+-        sss_cmd_done(cmdctx->cctx, NULL);
+-        return;
++    ret = sss_ptr_hash_add(autofs_ctx->maps, mapname,
++                           enum_ctx, struct autofs_enum_ctx);
++    if (ret != EOK) {
++        talloc_free(enum_ctx);
++        return NULL;
+     }
+ 
+-    DEBUG(SSSDBG_CRIT_FAILURE, "Error creating packet\n");
+-    return;
++    return enum_ctx;
+ }
+ 
+-struct setautomntent_state {
+-    struct autofs_cmd_ctx *cmdctx;
+-    struct autofs_dom_ctx *dctx;
+-
+-    char *mapname;
+-    struct autofs_map_ctx *map;
++struct autofs_setent_state {
++    struct autofs_ctx *autofs_ctx;
++    struct autofs_enum_ctx *enum_ctx;
+ };
+ 
+-struct setautomntent_lookup_ctx {
+-    struct autofs_ctx *actx;
+-    struct autofs_dom_ctx *dctx;
+-    struct resp_ctx *rctx;
+-    struct cli_ctx *cctx;
+-
+-    bool returned_to_mainloop;
+-
+-    char *mapname;
+-    struct autofs_map_ctx *map;
+-};
+-
+-static errno_t
+-lookup_automntmap_step(struct setautomntent_lookup_ctx *lookup_ctx);
+-
+-static void
+-autofs_map_result_timeout(struct tevent_context *ev,
+-                          struct tevent_timer *te,
+-                          struct timeval current_time,
+-                          void *pvt)
+-{
+-    struct autofs_map_ctx *map =
+-            talloc_get_type(pvt, struct autofs_map_ctx);
+-
+-    /* Free the autofs map result context
+-     * The destructor for the autofs map will remove itself
+-     * from the hash table
+-     */
+-    talloc_free(map);
+-}
+-
+-static void
+-set_autofs_map_lifetime(uint32_t lifetime,
+-                        struct setautomntent_lookup_ctx *lookup_ctx,
+-                        struct autofs_map_ctx *map)
+-{
+-    struct timeval tv;
+-    struct tevent_timer *te;
+-
+-    tv = tevent_timeval_current_ofs(lifetime, 0);
+-    te = tevent_add_timer(lookup_ctx->rctx->ev,
+-                          map, tv,
+-                          autofs_map_result_timeout,
+-                          map);
+-    if (!te) {
+-        DEBUG(SSSDBG_CRIT_FAILURE,
+-              "Could not set up life timer for autofs maps. "
+-               "Entries may become stale.\n");
+-    }
+-}
+-
+-static errno_t
+-setautomntent_get_autofs_map(struct autofs_ctx *actx,
+-                             char *mapname,
+-                             struct autofs_map_ctx **map);
++static void autofs_setent_done(struct tevent_req *subreq);
+ 
+ static struct tevent_req *
+-setautomntent_send(TALLOC_CTX *mem_ctx,
+-                   const char *rawname,
+-                   struct autofs_cmd_ctx *cmdctx)
++autofs_setent_send(TALLOC_CTX *mem_ctx,
++                   struct tevent_context *ev,
++                   struct autofs_ctx *autofs_ctx,
++                   const char *mapname)
+ {
+-    char *domname;
+-    errno_t ret;
++    struct autofs_setent_state *state;
++    struct tevent_req *subreq;
+     struct tevent_req *req;
+-    struct setautomntent_state *state;
+-    struct cli_ctx *client = cmdctx->cctx;
+-    struct autofs_dom_ctx *dctx;
+-    struct autofs_ctx *actx;
+-    struct autofs_state_ctx *state_ctx;
+-    struct setautomntent_lookup_ctx *lookup_ctx;
+-
+-    actx = talloc_get_type(client->rctx->pvt_ctx, struct autofs_ctx);
+-    state_ctx = talloc_get_type(client->state_ctx, struct autofs_state_ctx);
+-
+-    req = tevent_req_create(mem_ctx, &state, struct setautomntent_state);
+-    if (!req) {
+-        DEBUG(SSSDBG_FATAL_FAILURE,
+-              "Could not create tevent request for setautomntent\n");
+-        return NULL;
+-    }
+-    state->cmdctx = cmdctx;
+-
+-    dctx = talloc_zero(state, struct autofs_dom_ctx);
+-    if (!dctx) {
+-        DEBUG(SSSDBG_FATAL_FAILURE, "Out of memory\n");
+-        ret = ENOMEM;
+-        goto fail;
+-    }
+-    dctx->cmd_ctx = state->cmdctx;
+-    state->dctx = dctx;
++    errno_t ret;
+ 
+-    ret = sss_parse_name_for_domains(state, client->rctx->domains,
+-                                     NULL, rawname,
+-                                     &domname, &state->mapname);
+-    if (ret != EOK) {
+-        DEBUG(SSSDBG_FATAL_FAILURE,
+-              "Invalid name received [%s]\n", rawname);
+-        goto fail;
++    req = tevent_req_create(mem_ctx, &state, struct autofs_setent_state);
++    if (req == NULL) {
++        DEBUG(SSSDBG_CRIT_FAILURE, "Unable to create tevent request!\n");
++        return NULL;
+     }
+ 
+-    DEBUG(SSSDBG_TRACE_FUNC,
+-         "Requesting info for automount map [%s] from [%s]\n",
+-         state->mapname, domname?domname:"<ALL>");
+-
+-    if (domname) {
+-        dctx->domain = responder_get_domain(client->rctx, domname);
+-        if (!dctx->domain) {
+-            ret = EINVAL;
+-            goto fail;
+-        }
++    state->autofs_ctx = autofs_ctx;
+ 
+-        state_ctx->automntmap_name = talloc_strdup(client, rawname);
+-        if (!state_ctx->automntmap_name) {
+-            ret = ENOMEM;
+-            goto fail;
+-        }
+-    } else {
+-        /* this is a multidomain search */
+-        dctx->domain = client->rctx->domains;
+-        cmdctx->check_next = true;
+-
+-        state_ctx->automntmap_name = talloc_strdup(client, state->mapname);
+-        if (!state_ctx->automntmap_name) {
+-            ret = ENOMEM;
+-            goto fail;
+-        }
+-    }
+-
+-    dctx->check_provider = NEED_CHECK_PROVIDER(dctx->domain->provider);
+-    /* Is the result context already available?
+-     * Check for existing lookups for this map
+-     */
+-    ret = setautomntent_get_autofs_map(actx, state->mapname, &state->map);
+-    if (ret == EOK) {
+-        /* Another process already requested this map
+-         * Check whether it's ready for processing.
+-         */
+-        if (state->map->ready) {
+-            if (state->map->found) {
+-                DEBUG(SSSDBG_TRACE_LIBS,
+-                      "Map %s is ready to be processed\n", state->mapname);
+-                tevent_req_done(req);
+-                tevent_req_post(req, actx->rctx->ev);
+-                return req;
+-            } else {
+-                DEBUG(SSSDBG_TRACE_LIBS,
+-                      "Map %s was marked as nonexistent\n", state->mapname);
+-                tevent_req_error(req, ENOENT);
+-                tevent_req_post(req, actx->rctx->ev);
+-                return req;
+-            }
++    /* Lookup current results if available. */
++    state->enum_ctx = sss_ptr_hash_lookup(autofs_ctx->maps, mapname,
++                                          struct autofs_enum_ctx);
++    if (state->enum_ctx != NULL) {
++        if (state->enum_ctx->ready) {
++            ret = EOK;
++            goto done;
+         }
+ 
+-        /* Result object is still being constructed
+-         * Register for notification when it's ready
+-         */
+-        DEBUG(SSSDBG_TRACE_LIBS,
+-              "Map %s is being looked up, registering for notification\n",
+-               state->mapname);
+-        ret = autofs_setent_add_ref(state, state->map, req);
++        /* Map is still being created. We will watch the request. */
++        ret = setent_add_ref(state, &state->enum_ctx->notify_list, req);
+         if (ret != EOK) {
+-            goto fail;
+-        }
+-        /* Will return control below */
+-    } else if (ret == ENOENT) {
+-        DEBUG(SSSDBG_TRACE_LIBS,
+-              "Map %s needs to be looked up\n", state->mapname);
+-
+-        state->map = talloc_zero(actx, struct autofs_map_ctx);
+-        if (!state->map) {
+-            ret = ENOMEM;
+-            goto fail;
+-        }
+-        dctx->map_ctx = state->map;
+-
+-        state->map->mapname = talloc_strdup(state->map, state->mapname);
+-        if (!state->map->mapname) {
+-            talloc_free(state->map);
+-            ret = ENOMEM;
+-            goto fail;
++            DEBUG(SSSDBG_CRIT_FAILURE, "Unable to watch enumeration request "
++                  "[%d]: %s\n", ret, sss_strerror(ret));
++            goto done;
+         }
+-        state->map->map_table = actx->maps;
+ 
+-        ret = autofs_setent_add_ref(state, state->map, req);
+-        if (ret != EOK) {
+-            talloc_free(state->map);
+-            goto fail;
+-        }
++        ret = EAGAIN;
++        goto done;
++    }
+ 
+-        ret = set_autofs_map(actx, state->map);
+-        if (ret != EOK) {
+-            talloc_free(state->map);
+-            goto fail;
+-        }
++    /* Map does not yet exist. Create the enumeration object and fetch data. */
++    state->enum_ctx = autofs_create_enumeration_context(state, autofs_ctx, mapname);
++    if (state->enum_ctx == NULL) {
++        DEBUG(SSSDBG_CRIT_FAILURE, "Unable to create enumeration context!\n");
++        ret = ENOMEM;
++        goto done;
++    }
+ 
+-        /* Perform lookup */
+-        lookup_ctx = talloc_zero(state->map, struct setautomntent_lookup_ctx);
+-        if (!lookup_ctx) {
+-            talloc_free(state->map);
+-            ret = ENOMEM;
+-            goto fail;
+-        }
++    subreq = cache_req_autofs_map_entries_send(mem_ctx, ev, autofs_ctx->rctx,
++                                               autofs_ctx->rctx->ncache,
++                                               0, NULL, mapname);
++    if (subreq == NULL) {
++        DEBUG(SSSDBG_CRIT_FAILURE, "Unable to create subrequest!\n");
++        ret = ENOMEM;
++        goto done;
++    }
+ 
+-        /* Steal the dom_ctx onto the lookup_ctx so it doesn't go out of scope if
+-        * this request is canceled while other requests are in-progress.
+-        */
+-        lookup_ctx->dctx = talloc_steal(lookup_ctx, state->dctx);
+-        lookup_ctx->actx = actx;
+-        lookup_ctx->map = state->map;
+-        lookup_ctx->rctx = client->rctx;
+-        lookup_ctx->mapname =
+-                    talloc_strdup(lookup_ctx, state->mapname);
+-        if (!lookup_ctx->mapname) {
+-            talloc_free(state->map);
+-            ret = ENOMEM;
+-            goto fail;
+-        }
++    tevent_req_set_callback(subreq, autofs_setent_done, req);
+ 
+-        ret = lookup_automntmap_step(lookup_ctx);
+-        if (ret == EAGAIN) {
+-            DEBUG(SSSDBG_TRACE_INTERNAL, "lookup_automntmap_step "
+-                  "is refreshing the cache, re-entering the mainloop\n");
+-            return req;
+-        } else if (ret != EOK) {
+-            DEBUG(SSSDBG_CRIT_FAILURE, "Could not get data from cache\n");
+-            talloc_free(state->map);
+-            ret = ENOMEM;
+-            goto fail;
+-        }
++    ret = EAGAIN;
+ 
++done:
++    if (ret == EOK) {
+         tevent_req_done(req);
+-        tevent_req_post(req, cmdctx->cctx->ev);
+-        return req;
+-    } else {
+-        DEBUG(SSSDBG_CRIT_FAILURE,
+-              "Unexpected error from get_autofs_map [%d]: %s\n",
+-               ret, strerror(ret));
+-        goto fail;
++        tevent_req_post(req, ev);
++    } else if (ret != EAGAIN) {
++        tevent_req_error(req, ret);
++        tevent_req_post(req, ev);
+     }
+ 
+     return req;
+-
+-fail:
+-    tevent_req_error(req, ret);
+-    tevent_req_post(req, actx->rctx->ev);
+-    return req;
+ }
+ 
+-static errno_t
+-setautomntent_get_autofs_map(struct autofs_ctx *actx,
+-                             char *mapname,
+-                             struct autofs_map_ctx **map)
++static void autofs_setent_done(struct tevent_req *subreq)
+ {
++    struct autofs_setent_state *state;
++    struct cache_req_result *result;
++    struct tevent_req *req;
+     errno_t ret;
+ 
+-    if (strcmp(mapname, "auto.master") == 0) {
+-        /* Iterate over the hash and remove all maps */
+-        ret = autofs_orphan_maps(actx);
+-        if (ret != EOK) {
+-            DEBUG(SSSDBG_MINOR_FAILURE, "Could not remove existing maps from hash\n");
+-        }
+-        return ENOENT;
+-    }
++    req = tevent_req_callback_data(subreq, struct tevent_req);
++    state = tevent_req_data(req, struct autofs_setent_state);
+ 
+-    return get_autofs_map(actx, mapname, map);
+-}
++    ret = cache_req_autofs_map_entries_recv(state, subreq, &result);
++    talloc_zfree(subreq);
+ 
+-static errno_t
+-lookup_automntmap_update_cache(struct setautomntent_lookup_ctx *lookup_ctx);
+-
+-static errno_t
+-lookup_automntmap_step(struct setautomntent_lookup_ctx *lookup_ctx)
+-{
+-    errno_t ret;
+-    struct sss_domain_info *dom = lookup_ctx->dctx->domain;
+-    struct autofs_dom_ctx *dctx = lookup_ctx->dctx;
+-    struct sysdb_ctx *sysdb;
+-    struct autofs_map_ctx *map;
+-
+-    /* Check each domain for this map name */
+-    while (dom) {
+-        if (dom != dctx->domain) {
+-            /* make sure we reset the check_provider flag when we check
+-             * a new domain */
+-            dctx->check_provider =
+-                    NEED_CHECK_PROVIDER(dom->provider);
+-        }
++    switch (ret) {
++    case EOK:
++        state->enum_ctx->found = true;
++        state->enum_ctx->result = talloc_steal(state->enum_ctx, result);
++        autofs_set_enumctx_lifetime(state->autofs_ctx, state->enum_ctx,
++                        state->enum_ctx->result->domain->autofsmap_timeout);
++        break;
++    case ENOENT:
++        state->enum_ctx->found = false;
++        state->enum_ctx->result = NULL;
++        autofs_set_enumctx_lifetime(state->autofs_ctx, state->enum_ctx,
++                                    state->autofs_ctx->neg_timeout);
++        break;
++    default:
++        DEBUG(SSSDBG_OP_FAILURE, "Unable to get map data [%d]: %s\n",
++              ret, sss_strerror(ret));
+ 
+-        /* make sure to update the dctx if we changed domain */
+-        dctx->domain = dom;
++        setent_notify(&state->enum_ctx->notify_list, ret);
++        talloc_zfree(state->enum_ctx);
++        tevent_req_error(req, ret);
++        return;
++    }
+ 
+-        DEBUG(SSSDBG_TRACE_FUNC, "Requesting info for [%s@%s]\n",
+-              lookup_ctx->mapname, dom->name);
+-        sysdb = dom->sysdb;
+-        if (sysdb == NULL) {
+-            DEBUG(SSSDBG_FATAL_FAILURE,
+-                  "Fatal: Sysdb CTX not found for this domain!\n");
+-            return EIO;
+-        }
++    state->enum_ctx->ready = true;
+ 
+-        /* Look into the cache */
+-        talloc_free(dctx->map);
+-        ret = sysdb_get_map_byname(dctx, dom, lookup_ctx->mapname,
+-                                   &dctx->map);
+-        if (ret != EOK && ret != ENOENT) {
+-            DEBUG(SSSDBG_OP_FAILURE, "Could not check cache\n");
+-            return ret;
+-        } else if (ret == ENOENT) {
+-            DEBUG(SSSDBG_MINOR_FAILURE,
+-                  "No automount map [%s] in cache for domain [%s]\n",
+-                   lookup_ctx->mapname, dom->name);
+-            if (!dctx->check_provider) {
+-                if (dctx->cmd_ctx->check_next) {
+-                    DEBUG(SSSDBG_TRACE_INTERNAL, "Moving on to next domain\n");
+-                    dom = get_next_domain(dom, 0);
+-                    continue;
+-                }
+-                else break;
+-            }
+-        }
++    /* Make the enumeration context disappear with maps table. */
++    talloc_steal(state->autofs_ctx->maps, state->enum_ctx);
+ 
+-        ret = get_autofs_map(lookup_ctx->actx, lookup_ctx->mapname, &map);
+-        if (ret != EOK) {
+-            /* Something really bad happened! */
+-            DEBUG(SSSDBG_CRIT_FAILURE, "Autofs map entry was lost!\n");
+-            return ret;
+-        }
++    setent_notify_done(&state->enum_ctx->notify_list);
++    tevent_req_done(req);
++    return;
++}
+ 
+-        if (dctx->map == NULL && !dctx->check_provider) {
+-            DEBUG(SSSDBG_MINOR_FAILURE,
+-                  "Autofs map not found, setting negative cache\n");
+-            map->ready = true;
+-            map->found = false;
+-            set_autofs_map_lifetime(lookup_ctx->actx->neg_timeout, lookup_ctx, map);
+-            return ENOENT;
+-        }
++static errno_t
++autofs_setent_recv(struct tevent_req *req,
++                   struct autofs_enum_ctx **_enum_ctx)
++{
++    struct autofs_setent_state *state;
++    state = tevent_req_data(req, struct autofs_setent_state);
+ 
+-        if (dctx->check_provider) {
+-            ret = lookup_automntmap_update_cache(lookup_ctx);
+-            if (ret == EAGAIN) {
+-                DEBUG(SSSDBG_TRACE_INTERNAL,
+-                      "Looking up automount maps from the DP\n");
+-                return EAGAIN;
+-            } else if (ret != EOK) {
+-                DEBUG(SSSDBG_OP_FAILURE,
+-                      "Error looking up automount maps [%d]: %s\n",
+-                       ret, strerror(ret));
+-                return ret;
+-            }
+-        }
++    TEVENT_REQ_RETURN_ON_ERROR(req);
+ 
+-        /* OK, the map is in cache and valid.
+-         * Let's get all members and return it
+-         */
+-        ret = sysdb_autofs_entries_by_map(map, dom, map->mapname,
+-                                          &map->entry_count,
+-                                          &map->entries);
+-        if (ret != EOK && ret != ENOENT) {
+-            DEBUG(SSSDBG_OP_FAILURE,
+-                  "Error looking automount map entries [%d]: %s\n",
+-                  ret, strerror(ret));
+-            map->ready = true;
+-            map->found = false;
+-            set_autofs_map_lifetime(lookup_ctx->actx->neg_timeout, lookup_ctx, map);
+-            return EIO;
+-        }
++    *_enum_ctx = state->enum_ctx;
+ 
+-        map->map = talloc_steal(map, dctx->map);
++    return EOK;
++}
+ 
+-        DEBUG(SSSDBG_TRACE_FUNC,
+-              "setautomntent done for map %s\n", lookup_ctx->mapname);
+-        map->ready = true;
+-        map->found = true;
+-        set_autofs_map_lifetime(dom->autofsmap_timeout, lookup_ctx, map);
+-        return EOK;
+-    }
++static errno_t
++autofs_read_setautomntent_input(struct cli_ctx *cli_ctx,
++                                const char **_mapname)
++{
++    struct cli_protocol *pctx;
++    uint8_t *body;
++    size_t blen;
+ 
+-    map = talloc_zero(lookup_ctx->actx, struct autofs_map_ctx);
+-    if (!map) {
+-        return ENOMEM;
+-    }
++    pctx = talloc_get_type(cli_ctx->protocol_ctx, struct cli_protocol);
+ 
+-    map->ready = true;
+-    map->found = false;
+-    map->map_table = lookup_ctx->actx->maps;
++    sss_packet_get_body(pctx->creq->in, &body, &blen);
+ 
+-    map->mapname = talloc_strdup(map, lookup_ctx->mapname);
+-    if (!map->mapname) {
+-        talloc_free(map);
+-        return ENOMEM;
++    /* if not terminated fail */
++    if (body[blen - 1] != '\0') {
++        return EINVAL;
+     }
+ 
+-    ret = set_autofs_map(lookup_ctx->actx, map);
+-    if (ret != EOK) {
+-        talloc_free(map);
+-        return ENOMEM;
++    /* If the body isn't valid UTF-8, fail */
++    if (!sss_utf8_check(body, blen - 1)) {
++        return EINVAL;
+     }
+ 
+-    set_autofs_map_lifetime(lookup_ctx->actx->neg_timeout, lookup_ctx, map);
++    *_mapname = (const char *)body;
+ 
+-    /* If we've gotten here, then no domain contained this map */
+-    return ENOENT;
++    return EOK;
+ }
+ 
+-static void lookup_automntmap_cache_updated(uint16_t err_maj, uint32_t err_min,
+-                                            const char *err_msg, void *ptr);
+-static void autofs_dp_send_map_req_done(struct tevent_req *req);
+-
+ static errno_t
+-lookup_automntmap_update_cache(struct setautomntent_lookup_ctx *lookup_ctx)
++autofs_write_setautomntent_output(struct cli_ctx *cli_ctx,
++                                  struct autofs_enum_ctx *enum_ctx)
+ {
++    struct cli_protocol *pctx;
++    uint8_t *body;
++    size_t blen;
+     errno_t ret;
+-    uint64_t cache_expire = 0;
+-    struct autofs_dom_ctx *dctx = lookup_ctx->dctx;
+-    struct tevent_req *req = NULL;
+-    struct dp_callback_ctx *cb_ctx = NULL;
+-
+-    if (dctx->map != NULL) {
+-        if (strcmp(lookup_ctx->mapname, "auto.master") != 0) {
+-            cache_expire = ldb_msg_find_attr_as_uint64(dctx->map,
+-                                                       SYSDB_CACHE_EXPIRE, 0);
+-        }
+ 
+-        /* if we have any reply let's check cache validity */
+-        ret = sss_cmd_check_cache(dctx->map, 0, cache_expire);
+-        if (ret == EOK) {
+-            DEBUG(SSSDBG_TRACE_FUNC, "Cached entry is valid, returning..\n");
+-            return EOK;
+-        } else if (ret != EAGAIN && ret != ENOENT) {
+-            DEBUG(SSSDBG_CRIT_FAILURE, "Error checking cache: %d\n", ret);
+-            goto error;
+-        }
+-    }
++    pctx = talloc_get_type(cli_ctx->protocol_ctx, struct cli_protocol);
+ 
+-    /* dont loop forever :-) */
+-    dctx->check_provider = false;
+-
+-    /* keep around current data in case backend is offline */
+-    /* FIXME - do this by default */
+-#if 0
+-    if (dctx->res->count) {
+-        dctx->res = talloc_steal(dctx, dctx->res);
+-    }
+-#endif
+-
+-    req = sss_dp_get_autofs_send(lookup_ctx->cctx, lookup_ctx->rctx,
+-                                 lookup_ctx->dctx->domain, true,
+-                                 SSS_DP_AUTOFS, lookup_ctx->mapname);
+-    if (!req) {
+-        DEBUG(SSSDBG_CRIT_FAILURE,
+-              "Out of memory sending data provider request\n");
+-        ret = ENOMEM;
+-        goto error;
++    ret = sss_packet_new(pctx->creq, 0, sss_packet_get_cmd(pctx->creq->in),
++                         &pctx->creq->out);
++    if (ret != EOK) {
++        return ret;
+     }
+ 
+-    cb_ctx = talloc_zero(lookup_ctx->dctx, struct dp_callback_ctx);
+-    if(!cb_ctx) {
+-        talloc_zfree(req);
+-        ret = ENOMEM;
+-        goto error;
++    if (!enum_ctx->found) {
++        DEBUG(SSSDBG_TRACE_FUNC, "Map was not found\n");
++        return sss_cmd_empty_packet(pctx->creq->out);
+     }
+-    cb_ctx->callback = lookup_automntmap_cache_updated;
+-    cb_ctx->ptr = lookup_ctx;
+-    cb_ctx->cctx = lookup_ctx->dctx->cmd_ctx->cctx;
+-    cb_ctx->mem_ctx = lookup_ctx->dctx;
+-
+-    tevent_req_set_callback(req, autofs_dp_send_map_req_done, cb_ctx);
+ 
+-    return EAGAIN;
++    DEBUG(SSSDBG_TRACE_FUNC, "Map found\n");
+ 
+-error:
+-    ret = autofs_cmd_send_error(lookup_ctx->dctx->cmd_ctx, ret);
++    ret = sss_packet_grow(pctx->creq->out, 2 * sizeof(uint32_t));
+     if (ret != EOK) {
+-        DEBUG(SSSDBG_CRIT_FAILURE, "Fatal error, killing connection!\n");
+-        talloc_free(lookup_ctx->cctx);
+         return ret;
+     }
+-    autofs_cmd_done(lookup_ctx->dctx->cmd_ctx, ret);
+-    return EOK;
+-}
+-
+-static void autofs_dp_send_map_req_done(struct tevent_req *req)
+-{
+-    struct dp_callback_ctx *cb_ctx =
+-            tevent_req_callback_data(req, struct dp_callback_ctx);
+-    struct setautomntent_lookup_ctx *lookup_ctx =
+-            talloc_get_type(cb_ctx->ptr, struct setautomntent_lookup_ctx);
+-
+-    errno_t ret;
+-    dbus_uint16_t err_maj;
+-    dbus_uint32_t err_min;
+-    char *err_msg;
+-
+-    ret = sss_dp_get_autofs_recv(cb_ctx->mem_ctx, req,
+-                                 &err_maj, &err_min,
+-                                 &err_msg);
+-    talloc_free(req);
+-    if (ret != EOK) {
+-        DEBUG(SSSDBG_CRIT_FAILURE, "Fatal error, killing connection!\n");
+-        talloc_free(lookup_ctx->cctx);
+-        return;
+-    }
+-
+-    cb_ctx->callback(err_maj, err_min, err_msg, cb_ctx->ptr);
+-}
+-
+-static void lookup_automntmap_cache_updated(uint16_t err_maj, uint32_t err_min,
+-                                            const char *err_msg, void *ptr)
+-{
+-    struct setautomntent_lookup_ctx *lookup_ctx =
+-            talloc_get_type(ptr, struct setautomntent_lookup_ctx);
+-    struct autofs_dom_ctx *dctx = lookup_ctx->dctx;
+-    errno_t ret;
+-
+-    if (err_maj) {
+-        DEBUG(SSSDBG_CRIT_FAILURE,
+-              "Unable to get information from Data Provider\n"
+-              "Error: %u, %u, %s\n"
+-              "Will try to return what we have in cache\n",
+-               (unsigned int)err_maj, (unsigned int)err_min, err_msg);
+-
+-        /* Try to fall back to cache */
+-        ret = lookup_automntmap_step(lookup_ctx);
+-        if (ret == EOK) {
+-            /* We have cached results to return */
+-            autofs_setent_notify(lookup_ctx->map, ret);
+-            return;
+-        }
+ 
+-        /* Otherwise try the next domain */
+-        if (dctx->cmd_ctx->check_next
+-                && (dctx->domain = get_next_domain(dctx->domain, 0))) {
+-            dctx->check_provider = NEED_CHECK_PROVIDER(dctx->domain->provider);
+-        }
+-    }
++    sss_packet_get_body(pctx->creq->out, &body, &blen);
+ 
+-    ret = lookup_automntmap_step(lookup_ctx);
+-    if (ret != EOK) {
+-        if (ret == EAGAIN) {
+-            return;
+-        }
+-    }
++    /* Got some results */
++    SAFEALIGN_SETMEM_UINT32(body, 1, NULL);
+ 
+-    /* We have results to return */
+-    autofs_setent_notify(lookup_ctx->map, ret);
+-}
++    /* Reserved padding */
++    SAFEALIGN_SETMEM_UINT32(body + sizeof(uint32_t), 0, NULL);
+ 
+-static errno_t
+-setautomntent_recv(struct tevent_req *req)
+-{
+-    TEVENT_REQ_RETURN_ON_ERROR(req);
+     return EOK;
+ }
+ 
+-static errno_t
+-getautomntent_process(struct autofs_cmd_ctx *cmdctx,
+-                      struct autofs_map_ctx *map,
+-                      uint32_t cursor, uint32_t max_entries);
+ static void
+-getautomntent_implicit_done(struct tevent_req *req);
+-static errno_t
+-fill_autofs_entry(struct ldb_message *entry, struct sss_packet *packet, size_t *rp);
+-
++sss_autofs_cmd_setautomntent_done(struct tevent_req *req);
+ 
+ static int
+-sss_autofs_cmd_getautomntent(struct cli_ctx *client)
++sss_autofs_cmd_setautomntent(struct cli_ctx *cli_ctx)
+ {
+-    struct autofs_cmd_ctx *cmdctx;
+-    struct autofs_map_ctx *map;
+-    struct autofs_ctx *actx;
+-    struct cli_protocol *pctx;
+-    uint8_t *body;
+-    size_t blen;
+-    errno_t ret;
+-    uint32_t namelen;
+-    size_t c = 0;
++    struct autofs_cmd_ctx *cmd_ctx;
++    struct autofs_ctx *autofs_ctx;
+     struct tevent_req *req;
++    errno_t ret;
+ 
+-    DEBUG(SSSDBG_TRACE_INTERNAL, "sss_autofs_cmd_getautomntent\n");
++    autofs_ctx = talloc_get_type(cli_ctx->rctx->pvt_ctx, struct autofs_ctx);
+ 
+-    cmdctx = talloc_zero(client, struct autofs_cmd_ctx);
+-    if (!cmdctx) {
++    cmd_ctx = talloc_zero(cli_ctx, struct autofs_cmd_ctx);
++    if (cmd_ctx == NULL) {
++        DEBUG(SSSDBG_CRIT_FAILURE, "Unable to create command context.\n");
+         return ENOMEM;
+     }
+-    cmdctx->cctx = client;
+ 
+-    actx = talloc_get_type(client->rctx->pvt_ctx, struct autofs_ctx);
+-    if (!actx) {
+-        DEBUG(SSSDBG_CRIT_FAILURE, "Missing autofs context\n");
+-        return EIO;
+-    }
++    cmd_ctx->cli_ctx = cli_ctx;
++    cmd_ctx->autofs_ctx = autofs_ctx;
+ 
+-    pctx = talloc_get_type(cmdctx->cctx->protocol_ctx, struct cli_protocol);
+-
+-    /* get autofs map name and index to query */
+-    sss_packet_get_body(pctx->creq->in, &body, &blen);
+-
+-    SAFEALIGN_COPY_UINT32_CHECK(&namelen, body+c, blen, &c);
+-
+-    if (namelen == 0 || namelen > blen - c) {
+-        ret = EINVAL;
++    ret = autofs_read_setautomntent_input(cli_ctx, &cmd_ctx->mapname);
++    if (ret != EOK) {
+         goto done;
+     }
+ 
+-    cmdctx->mapname = (char *) body+c;
++    DEBUG(SSSDBG_TRACE_FUNC, "Creating enumeration context for %s\n",
++          cmd_ctx->mapname);
+ 
+-    /* if not null-terminated fail */
+-    if (cmdctx->mapname[namelen] != '\0') {
+-        ret = EINVAL;
++    req = autofs_setent_send(cli_ctx, cli_ctx->ev, autofs_ctx,
++                             cmd_ctx->mapname);
++    if (req == NULL) {
++        DEBUG(SSSDBG_CRIT_FAILURE, "Unable to create tevent request\n");
++        ret = ENOMEM;
+         goto done;
+     }
+ 
+-    /* If the name isn't valid UTF-8, fail */
+-    if (!sss_utf8_check((const uint8_t *) cmdctx->mapname, namelen -1)) {
+-        ret = EINVAL;
+-        goto done;
+-    }
++    tevent_req_set_callback(req, sss_autofs_cmd_setautomntent_done, cmd_ctx);
+ 
+-    SAFEALIGN_COPY_UINT32_CHECK(&cmdctx->cursor, body+c+namelen+1, blen, &c);
+-    SAFEALIGN_COPY_UINT32_CHECK(&cmdctx->max_entries, body+c+namelen+1, blen, &c);
++    ret = EOK;
+ 
+-    DEBUG(SSSDBG_TRACE_FUNC,
+-          "Requested data of map %s cursor %d max entries %d\n",
+-           cmdctx->mapname, cmdctx->cursor, cmdctx->max_entries);
++done:
++    return autofs_cmd_done(cmd_ctx, ret);
++}
+ 
+-    ret = get_autofs_map(actx, cmdctx->mapname, &map);
+-    if (ret == ENOENT) {
+-        DEBUG(SSSDBG_TRACE_FUNC, "Performing implicit setautomntent\n");
+-        req = setautomntent_send(cmdctx, cmdctx->mapname, cmdctx);
+-        if (req == NULL) {
+-            DEBUG(SSSDBG_CRIT_FAILURE, "setautomntent_send failed\n");
+-            ret = EIO;
+-            goto done;
+-        }
++static void
++sss_autofs_cmd_setautomntent_done(struct tevent_req *req)
++{
++    struct autofs_enum_ctx *enum_ctx;
++    struct autofs_cmd_ctx *cmd_ctx;
++    errno_t ret;
+ 
+-        tevent_req_set_callback(req, getautomntent_implicit_done, cmdctx);
+-        ret = EOK;
+-        goto done;
+-    } else if (ret != EOK) {
+-        DEBUG(SSSDBG_OP_FAILURE,
+-              "An unexpected error occurred: [%d][%s]\n",
+-              ret, strerror(ret));
+-        goto done;
+-    }
++    cmd_ctx = tevent_req_callback_data(req, struct autofs_cmd_ctx);
+ 
+-    if (map->ready == false) {
+-        DEBUG(SSSDBG_TRACE_FUNC, "Performing implicit setautomntent\n");
+-        req = setautomntent_send(cmdctx, cmdctx->mapname, cmdctx);
+-        if (req == NULL) {
+-            DEBUG(SSSDBG_CRIT_FAILURE, "setautomntent_send failed\n");
+-            ret = EIO;
+-            goto done;
+-        }
++    ret = autofs_setent_recv(req, &enum_ctx);
++    talloc_zfree(req);
++    if (ret != EOK) {
++        autofs_cmd_done(cmd_ctx, ret);
++        return;
++    }
+ 
+-        tevent_req_set_callback(req, getautomntent_implicit_done, cmdctx);
+-        ret = EOK;
+-        goto done;
+-    } else if (map->found == false) {
+-        DEBUG(SSSDBG_TRACE_FUNC, "negative cache hit\n");
+-        ret = ENOENT;
+-        goto done;
++    ret = autofs_write_setautomntent_output(cmd_ctx->cli_ctx, enum_ctx);
++    if (ret != EOK) {
++        DEBUG(SSSDBG_CRIT_FAILURE, "Unable to create reply packet "
++              "[%d]: %s\n", ret, sss_strerror(ret));
++        autofs_cmd_done(cmd_ctx, ret);
++        return;
+     }
+ 
+-    DEBUG(SSSDBG_TRACE_INTERNAL,
+-          "returning entries for [%s]\n", map->mapname);
++    sss_cmd_done(cmd_ctx->cli_ctx, NULL);
++}
+ 
+-    ret = getautomntent_process(cmdctx, map, cmdctx->cursor, cmdctx->max_entries);
++static int
++sss_autofs_cmd_endautomntent(struct cli_ctx *client)
++{
++    struct cli_protocol *pctx;
++    errno_t ret;
+ 
+-done:
+-    return autofs_cmd_done(cmdctx, ret);
++    DEBUG(SSSDBG_TRACE_FUNC, "endautomntent called\n");
++
++    pctx = talloc_get_type(client->protocol_ctx, struct cli_protocol);
++
++    /* create response packet */
++    ret = sss_packet_new(pctx->creq, 0,
++                         sss_packet_get_cmd(pctx->creq->in),
++                         &pctx->creq->out);
++
++    if (ret != EOK) {
++        return ret;
++    }
++
++    sss_cmd_done(client, NULL);
++    return EOK;
+ }
+ 
+-static void
+-getautomntent_implicit_done(struct tevent_req *req)
++static errno_t
++autofs_read_getautomntent_input(struct cli_ctx *cli_ctx,
++                                const char **_mapname,
++                                uint32_t *_cursor,
++                                uint32_t *_max_entries)
+ {
+-    errno_t ret;
+-    struct autofs_map_ctx *map;
+-    struct autofs_cmd_ctx *cmdctx =
+-        tevent_req_callback_data(req, struct autofs_cmd_ctx);
+-    struct autofs_ctx *actx =
+-        talloc_get_type(cmdctx->cctx->rctx->pvt_ctx, struct autofs_ctx);
++    struct cli_protocol *pctx;
++    const char *mapname;
++    uint32_t namelen;
++    uint8_t *body;
++    size_t blen;
++    size_t c = 0;
+ 
+-    ret = setautomntent_recv(req);
+-    talloc_zfree(req);
+-    if (ret != EOK) {
+-        if (ret != ENOENT) {
+-            DEBUG(SSSDBG_CRIT_FAILURE, "setautomntent_recv failed\n");
+-        } else {
+-            DEBUG(SSSDBG_MINOR_FAILURE, "No such map\n");
+-        }
+-        goto done;
++    pctx = talloc_get_type(cli_ctx->protocol_ctx, struct cli_protocol);
++
++    sss_packet_get_body(pctx->creq->in, &body, &blen);
++
++    SAFEALIGN_COPY_UINT32_CHECK(&namelen, body+c, blen, &c);
++    if (namelen == 0 || namelen > blen - c) {
++        return EINVAL;
+     }
+ 
+-    ret = get_autofs_map(actx, cmdctx->mapname, &map);
+-    if (ret != EOK) {
+-        DEBUG(SSSDBG_CRIT_FAILURE,
+-              "Cannot get map after setautomntent succeeded?\n");
+-        goto done;
++    mapname = (const char *)body + c;
++
++    /* if not null-terminated fail */
++    if (mapname[namelen] != '\0') {
++        return EINVAL;
+     }
+ 
+-    if (map->ready == false) {
+-        DEBUG(SSSDBG_CRIT_FAILURE,
+-              "Map not ready after setautomntent succeeded\n");
+-        goto done;
++    /* If the name isn't valid UTF-8, fail */
++    if (!sss_utf8_check((const uint8_t *)mapname, namelen - 1)) {
++        return EINVAL;
+     }
+ 
+-    ret = getautomntent_process(cmdctx, map,
+-                                cmdctx->cursor, cmdctx->max_entries);
+-done:
+-    autofs_cmd_done(cmdctx, ret);
+-    return;
++    SAFEALIGN_COPY_UINT32_CHECK(_cursor, body + c + namelen + 1, blen, &c);
++    SAFEALIGN_COPY_UINT32_CHECK(_max_entries, body + c + namelen + 1, blen, &c);
++    *_mapname = mapname;
++
++    return EOK;
+ }
+ 
+ static errno_t
+-getautomntent_process(struct autofs_cmd_ctx *cmdctx,
+-                      struct autofs_map_ctx *map,
+-                      uint32_t cursor, uint32_t max_entries)
++autofs_write_getautomntent_output(struct cli_ctx *cli_ctx,
++                                  struct autofs_enum_ctx *enum_ctx,
++                                  uint32_t cursor,
++                                  uint32_t max_entries)
+ {
+     struct cli_protocol *pctx;
+-    errno_t ret;
++    struct ldb_message **entries;
+     struct ldb_message *entry;
+-    size_t rp;
+-    uint32_t i, stop, left, nentries;
++    size_t count;
++    size_t num_entries;
+     uint8_t *body;
+     size_t blen;
++    size_t rp;
++    uint32_t i;
++    uint32_t stop;
++    uint32_t left;
++    errno_t ret;
+ 
+-    pctx = talloc_get_type(cmdctx->cctx->protocol_ctx, struct cli_protocol);
++    pctx = talloc_get_type(cli_ctx->protocol_ctx, struct cli_protocol);
+ 
+-    /* create response packet */
+-    ret = sss_packet_new(pctx->creq, 0,
+-                         sss_packet_get_cmd(pctx->creq->in),
++    count = enum_ctx->found ? enum_ctx->result->count - 1 : 0;
++    entries = count > 0 ? enum_ctx->result->msgs + 1 : NULL;
++
++    ret = sss_packet_new(pctx->creq, 0, sss_packet_get_cmd(pctx->creq->in),
+                          &pctx->creq->out);
+     if (ret != EOK) {
+         return ret;
+     }
+ 
+-    if (!map->map || !map->entries || !map->entries[0] ||
+-        cursor >= map->entry_count) {
+-        DEBUG(SSSDBG_MINOR_FAILURE, "No entries found\n");
+-        ret = sss_cmd_empty_packet(pctx->creq->out);
+-        if (ret != EOK) {
+-            return autofs_cmd_done(cmdctx, ret);
+-        }
+-        goto done;
++    if (!enum_ctx->found || count == 0 || cursor >= count) {
++        DEBUG(SSSDBG_TRACE_FUNC, "No entries was not found\n");
++        return sss_cmd_empty_packet(pctx->creq->out);
+     }
+ 
+     /* allocate memory for number of entries in the packet */
+     ret = sss_packet_grow(pctx->creq->out, sizeof(uint32_t));
+     if (ret != EOK) {
+         DEBUG(SSSDBG_OP_FAILURE, "Cannot grow packet\n");
+-        goto done;
++        return ret;
+     }
+ 
+-    rp = sizeof(uint32_t);  /* We'll write the number of entries here */
+-
+-    left = map->entry_count - cursor;
++    rp = sizeof(uint32_t);  /* We will first write the elements. */
++    left = count - cursor;
+     stop = max_entries < left ? max_entries : left;
+ 
+-    nentries = 0;
+-    for (i=0; i < stop; i++) {
+-        entry = map->entries[cursor];
++    num_entries = 0;
++    for (i = 0; i < stop; i++) {
++        entry = entries[cursor];
+         cursor++;
+ 
+-        ret = fill_autofs_entry(entry, pctx->creq->out, &rp);
++        ret = autofs_fill_entry(entry, pctx->creq->out, &rp);
+         if (ret != EOK) {
+             DEBUG(SSSDBG_MINOR_FAILURE,
+                   "Cannot fill entry %d/%d, skipping\n", i, stop);
+             continue;
+         }
+-        nentries++;
++        num_entries++;
+     }
+ 
+     /* packet grows in fill_autofs_entry, body pointer may change,
+@@ -1137,311 +605,212 @@ getautomntent_process(struct autofs_cmd_ctx *cmdctx,
+     sss_packet_get_body(pctx->creq->out, &body, &blen);
+ 
+     rp = 0;
+-    SAFEALIGN_SET_UINT32(&body[rp], nentries, &rp);
+-
+-    ret = EOK;
+-done:
+-    sss_packet_set_error(pctx->creq->out, ret);
+-    sss_cmd_done(cmdctx->cctx, cmdctx);
++    SAFEALIGN_SET_UINT32(&body[rp], num_entries, &rp);
+ 
+     return EOK;
+ }
+ 
+-static errno_t
+-fill_autofs_entry(struct ldb_message *entry, struct sss_packet *packet, size_t *rp)
++static void
++sss_autofs_cmd_getautomntent_done(struct tevent_req *req);
++
++static int
++sss_autofs_cmd_getautomntent(struct cli_ctx *cli_ctx)
+ {
++    struct autofs_cmd_ctx *cmd_ctx;
++    struct autofs_ctx *autofs_ctx;
++    struct tevent_req *req;
+     errno_t ret;
+-    const char *key;
+-    size_t keylen;
+-    const char *value;
+-    size_t valuelen;
+-    uint8_t *body;
+-    size_t blen;
+-    size_t len;
+ 
+-    key = ldb_msg_find_attr_as_string(entry, SYSDB_AUTOFS_ENTRY_KEY, NULL);
+-    value = ldb_msg_find_attr_as_string(entry, SYSDB_AUTOFS_ENTRY_VALUE, NULL);
+-    if (!key || !value) {
+-        DEBUG(SSSDBG_MINOR_FAILURE, "Incomplete entry\n");
+-        return EINVAL;
++    autofs_ctx = talloc_get_type(cli_ctx->rctx->pvt_ctx, struct autofs_ctx);
++
++    cmd_ctx = talloc_zero(cli_ctx, struct autofs_cmd_ctx);
++    if (cmd_ctx == NULL) {
++        DEBUG(SSSDBG_CRIT_FAILURE, "Unable to create command context.\n");
++        return ENOMEM;
+     }
+ 
+-    keylen = 1 + strlen(key);
+-    valuelen = 1 + strlen(value);
+-    len = sizeof(uint32_t) + sizeof(uint32_t) + keylen + sizeof(uint32_t) + valuelen;
++    cmd_ctx->cli_ctx = cli_ctx;
++    cmd_ctx->autofs_ctx = autofs_ctx;
+ 
+-    ret = sss_packet_grow(packet, len);
++    ret = autofs_read_getautomntent_input(cli_ctx, &cmd_ctx->mapname,
++                                          &cmd_ctx->cursor,
++                                          &cmd_ctx->max_entries);
+     if (ret != EOK) {
+-        DEBUG(SSSDBG_OP_FAILURE, "Cannot grow packet\n");
+-        return ret;
++        goto done;
+     }
+ 
+-    sss_packet_get_body(packet, &body, &blen);
+-
+-    SAFEALIGN_SET_UINT32(&body[*rp], len, rp);
+-    SAFEALIGN_SET_UINT32(&body[*rp], keylen, rp);
++    DEBUG(SSSDBG_TRACE_FUNC, "Obtaining enumeration context for %s\n",
++          cmd_ctx->mapname);
+ 
+-    if (keylen == 1) {
+-        body[*rp] = '\0';
+-    } else {
+-        memcpy(&body[*rp], key, keylen);
++    req = autofs_setent_send(cli_ctx, cli_ctx->ev, autofs_ctx, cmd_ctx->mapname);
++    if (req == NULL) {
++        DEBUG(SSSDBG_CRIT_FAILURE, "Unable to create tevent request\n");
++        ret = ENOMEM;
++        goto done;
+     }
+-    *rp += keylen;
+ 
+-    SAFEALIGN_SET_UINT32(&body[*rp], valuelen, rp);
+-    if (valuelen == 1) {
+-        body[*rp] = '\0';
+-    } else {
+-        memcpy(&body[*rp], value, valuelen);
+-    }
+-    *rp += valuelen;
++    tevent_req_set_callback(req, sss_autofs_cmd_getautomntent_done, cmd_ctx);
+ 
+-    return EOK;
++    ret = EOK;
++
++done:
++    return autofs_cmd_done(cmd_ctx, ret);
+ }
+ 
+-static errno_t
+-getautomntbyname_process(struct autofs_cmd_ctx *cmdctx,
+-                         struct autofs_map_ctx *map,
+-                         const char *key);
+ static void
+-getautomntbyname_implicit_done(struct tevent_req *req);
+-
+-static int
+-sss_autofs_cmd_getautomntbyname(struct cli_ctx *client)
++sss_autofs_cmd_getautomntent_done(struct tevent_req *req)
+ {
++    struct autofs_enum_ctx *enum_ctx;
++    struct autofs_cmd_ctx *cmd_ctx;
+     errno_t ret;
+-    struct autofs_cmd_ctx *cmdctx;
+-    struct autofs_map_ctx *map;
+-    struct autofs_ctx *actx;
+-    struct cli_protocol *pctx;
+-    uint8_t *body;
+-    size_t blen;
+-    uint32_t namelen;
+-    uint32_t keylen;
+-    size_t c = 0;
+-    struct tevent_req *req;
+ 
+-    DEBUG(SSSDBG_TRACE_INTERNAL, "sss_autofs_cmd_getautomntbyname\n");
++    cmd_ctx = tevent_req_callback_data(req, struct autofs_cmd_ctx);
+ 
+-    cmdctx = talloc_zero(client, struct autofs_cmd_ctx);
+-    if (!cmdctx) {
+-        return ENOMEM;
++    ret = autofs_setent_recv(req, &enum_ctx);
++    talloc_zfree(req);
++    if (ret != EOK) {
++        autofs_cmd_done(cmd_ctx, ret);
++        return;
+     }
+-    cmdctx->cctx = client;
+ 
+-    actx = talloc_get_type(client->rctx->pvt_ctx, struct autofs_ctx);
+-    if (!actx) {
+-        DEBUG(SSSDBG_CRIT_FAILURE, "Missing autofs context\n");
+-        return EIO;
++    ret = autofs_write_getautomntent_output(cmd_ctx->cli_ctx, enum_ctx,
++                                            cmd_ctx->cursor,
++                                            cmd_ctx->max_entries);
++    if (ret != EOK) {
++        DEBUG(SSSDBG_CRIT_FAILURE, "Unable to create reply packet "
++              "[%d]: %s\n", ret, sss_strerror(ret));
++        autofs_cmd_done(cmd_ctx, ret);
++        return;
+     }
+ 
+-    pctx = talloc_get_type(cmdctx->cctx->protocol_ctx, struct cli_protocol);
++    sss_cmd_done(cmd_ctx->cli_ctx, NULL);
++}
+ 
+-    /* get autofs map name and index to query */
+-    sss_packet_get_body(pctx->creq->in, &body, &blen);
++static errno_t
++autofs_read_getautomntbyname_input(struct cli_ctx *cli_ctx,
++                                   const char **_mapname,
++                                   const char **_keyname)
++{
++    struct cli_protocol *pctx;
++    const char *mapname;
++    const char *keyname;
++    uint32_t namelen;
++    uint32_t keylen;
++    uint8_t *body;
++    size_t blen;
++    size_t c = 0;
+ 
+-    /* FIXME - split out a function to get string from <len><str>\0 */
+-    SAFEALIGN_COPY_UINT32_CHECK(&namelen, body+c, blen, &c);
++    pctx = talloc_get_type(cli_ctx->protocol_ctx, struct cli_protocol);
++
++    sss_packet_get_body(pctx->creq->in, &body, &blen);
+ 
++    /* Get map name. */
++    SAFEALIGN_COPY_UINT32_CHECK(&namelen, body + c, blen, &c);
+     if (namelen == 0 || namelen > blen - c) {
+-        ret = EINVAL;
+-        goto done;
++        return EINVAL;
+     }
+ 
+-    cmdctx->mapname = (char *) body+c;
++    mapname = (const  char *) body + c;
+ 
+     /* if not null-terminated fail */
+-    if (cmdctx->mapname[namelen] != '\0') {
+-        ret = EINVAL;
+-        goto done;
++    if (mapname[namelen] != '\0') {
++        return EINVAL;
+     }
+ 
+     /* If the name isn't valid UTF-8, fail */
+-    if (!sss_utf8_check((const uint8_t *) cmdctx->mapname, namelen -1)) {
+-        ret = EINVAL;
+-        goto done;
++    if (!sss_utf8_check((const uint8_t *)mapname, namelen - 1)) {
++        return EINVAL;
+     }
+ 
+     c += namelen + 1;
+ 
+-    /* FIXME - split out a function to get string from <len><str>\0 */
+-    SAFEALIGN_COPY_UINT32_CHECK(&keylen, body+c, blen, &c);
+-
++    /* Get key name. */
++    SAFEALIGN_COPY_UINT32_CHECK(&keylen, body + c, blen, &c);
+     if (keylen == 0 || keylen > blen - c) {
+-        ret = EINVAL;
+-        goto done;
++        return EINVAL;
+     }
+ 
+-    cmdctx->key = (char *) body+c;
++    keyname = (const char *) body + c;
+ 
+     /* if not null-terminated fail */
+-    if (cmdctx->key[keylen] != '\0') {
+-        ret = EINVAL;
+-        goto done;
++    if (keyname[keylen] != '\0') {
++        return EINVAL;
+     }
+ 
+     /* If the key isn't valid UTF-8, fail */
+-    if (!sss_utf8_check((const uint8_t *) cmdctx->key, keylen -1)) {
+-        ret = EINVAL;
+-        goto done;
+-    }
+-
+-    DEBUG(SSSDBG_TRACE_FUNC,
+-          "Requested data of map %s key %s\n", cmdctx->mapname, cmdctx->key);
+-
+-    ret = get_autofs_map(actx, cmdctx->mapname, &map);
+-    if (ret == ENOENT) {
+-        DEBUG(SSSDBG_TRACE_FUNC, "Performing implicit setautomntent\n");
+-        req = setautomntent_send(cmdctx, cmdctx->mapname, cmdctx);
+-        if (req == NULL) {
+-            DEBUG(SSSDBG_CRIT_FAILURE, "setautomntent_send failed\n");
+-            ret = EIO;
+-            goto done;
+-        }
+-
+-        tevent_req_set_callback(req, getautomntbyname_implicit_done, cmdctx);
+-        ret = EOK;
+-        goto done;
+-    } else if (ret != EOK) {
+-        DEBUG(SSSDBG_OP_FAILURE,
+-              "An unexpected error occurred: [%d][%s]\n",
+-              ret, strerror(ret));
+-        goto done;
+-    }
+-
+-    if (map->ready == false) {
+-        DEBUG(SSSDBG_TRACE_FUNC, "Performing implicit setautomntent\n");
+-        req = setautomntent_send(cmdctx, cmdctx->mapname, cmdctx);
+-        if (req == NULL) {
+-            DEBUG(SSSDBG_CRIT_FAILURE, "setautomntent_send failed\n");
+-            ret = EIO;
+-            goto done;
+-        }
+-
+-        tevent_req_set_callback(req, getautomntbyname_implicit_done, cmdctx);
+-        ret = EOK;
+-        goto done;
+-    } else if (map->found == false) {
+-        DEBUG(SSSDBG_TRACE_FUNC, "negative cache hit\n");
+-        ret = ENOENT;
+-        goto done;
+-    }
+-
+-    DEBUG(SSSDBG_TRACE_INTERNAL,
+-          "Looking up value for [%s] in [%s]\n", cmdctx->key, map->mapname);
+-
+-    ret = getautomntbyname_process(cmdctx, map, cmdctx->key);
+-
+-done:
+-    return autofs_cmd_done(cmdctx, ret);
+-}
+-
+-static void
+-getautomntbyname_implicit_done(struct tevent_req *req)
+-{
+-    errno_t ret;
+-    struct autofs_map_ctx *map;
+-    struct autofs_cmd_ctx *cmdctx =
+-        tevent_req_callback_data(req, struct autofs_cmd_ctx);
+-    struct autofs_ctx *actx =
+-        talloc_get_type(cmdctx->cctx->rctx->pvt_ctx, struct autofs_ctx);
+-
+-    ret = setautomntent_recv(req);
+-    talloc_zfree(req);
+-    if (ret != EOK) {
+-        if (ret != ENOENT) {
+-            DEBUG(SSSDBG_CRIT_FAILURE, "setautomntent_recv failed\n");
+-        } else {
+-            DEBUG(SSSDBG_MINOR_FAILURE, "No such map\n");
+-        }
+-        goto done;
+-    }
+-
+-    ret = get_autofs_map(actx, cmdctx->mapname, &map);
+-    if (ret != EOK) {
+-        DEBUG(SSSDBG_CRIT_FAILURE,
+-              "Cannot get map after setautomntent succeeded?\n");
+-        goto done;
++    if (!sss_utf8_check((const uint8_t *)keyname, keylen - 1)) {
++        return EINVAL;
+     }
+ 
+-    if (map->ready == false) {
+-        DEBUG(SSSDBG_CRIT_FAILURE,
+-              "Map not ready after setautomntent succeeded\n");
+-        goto done;
+-    }
++    *_mapname = mapname;
++    *_keyname = keyname;
+ 
+-    ret = getautomntbyname_process(cmdctx, map, cmdctx->key);
+-done:
+-    autofs_cmd_done(cmdctx, ret);
+-    return;
++    return EOK;
+ }
+ 
+ static errno_t
+-getautomntbyname_process(struct autofs_cmd_ctx *cmdctx,
+-                         struct autofs_map_ctx *map,
+-                         const char *key)
++autofs_write_getautomntbyname_output(struct cli_ctx *cli_ctx,
++                                     struct autofs_enum_ctx *enum_ctx,
++                                     const char *keyname)
+ {
+     struct cli_protocol *pctx;
+-    errno_t ret;
+-    size_t i;
+-    const char *k;
++    struct ldb_message **entries;
++    struct ldb_message *entry = NULL;
++    const char *entry_key;
+     const char *value;
+-    size_t valuelen;
++    size_t value_len;
+     size_t len;
++    size_t count;
+     uint8_t *body;
+-    size_t blen, rp;
++    size_t blen;
++    size_t rp;
++    size_t i;
++    errno_t ret;
+ 
+-    pctx = talloc_get_type(cmdctx->cctx->protocol_ctx, struct cli_protocol);
++    pctx = talloc_get_type(cli_ctx->protocol_ctx, struct cli_protocol);
+ 
+-    /* create response packet */
+-    ret = sss_packet_new(pctx->creq, 0,
+-                         sss_packet_get_cmd(pctx->creq->in),
++    count = enum_ctx->found ? enum_ctx->result->count - 1 : 0;
++    entries = count > 0 ? enum_ctx->result->msgs + 1 : NULL;
++
++    ret = sss_packet_new(pctx->creq, 0, sss_packet_get_cmd(pctx->creq->in),
+                          &pctx->creq->out);
+     if (ret != EOK) {
+         return ret;
+     }
+ 
+-    if (!map->map || !map->entries || !map->entries[0]) {
+-        DEBUG(SSSDBG_MINOR_FAILURE, "No entries found\n");
+-        ret = sss_cmd_empty_packet(pctx->creq->out);
+-        if (ret != EOK) {
+-            return autofs_cmd_done(cmdctx, ret);
+-        }
+-        goto done;
+-    }
+-
+-    for (i=0; i < map->entry_count; i++) {
+-        k = ldb_msg_find_attr_as_string(map->entries[i],
+-                                        SYSDB_AUTOFS_ENTRY_KEY, NULL);
+-        if (!k) {
++    for (i = 0; i < count; i++) {
++        entry_key = ldb_msg_find_attr_as_string(entries[i],
++                                                SYSDB_AUTOFS_ENTRY_KEY,
++                                                NULL);
++        if (entry_key == NULL) {
+             DEBUG(SSSDBG_MINOR_FAILURE, "Skipping incomplete entry\n");
+             continue;
+         }
+ 
+-        if (strcmp(k, key) == 0) {
+-            DEBUG(SSSDBG_TRACE_INTERNAL, "Found key [%s]\n", key);
++        if (strcmp(entry_key, keyname) == 0) {
++            DEBUG(SSSDBG_TRACE_INTERNAL, "Found key [%s]\n", keyname);
++            entry = entries[i];
+             break;
+         }
+     }
+ 
+-    if (i >= map->entry_count) {
+-        DEBUG(SSSDBG_MINOR_FAILURE, "No key named [%s] found\n", key);
+-        ret = sss_cmd_empty_packet(pctx->creq->out);
+-        if (ret != EOK) {
+-            return autofs_cmd_done(cmdctx, ret);
+-        }
+-        goto done;
++    if (!enum_ctx->found || count == 0 || entry == NULL) {
++        DEBUG(SSSDBG_TRACE_FUNC, "Key [%s] was not found\n", keyname);
++        return sss_cmd_empty_packet(pctx->creq->out);
+     }
+ 
+-    value = ldb_msg_find_attr_as_string(map->entries[i],
+-                                        SYSDB_AUTOFS_ENTRY_VALUE, NULL);
++    value = ldb_msg_find_attr_as_string(entry, SYSDB_AUTOFS_ENTRY_VALUE, NULL);
++    if (value == NULL) {
++        DEBUG(SSSDBG_CRIT_FAILURE, "No entry value found in [%s]\n", keyname);
++        return EINVAL;
++    }
+ 
+-    valuelen = 1 + strlen(value);
+-    len = sizeof(uint32_t) + sizeof(uint32_t) + valuelen;
++    value_len = 1 + strlen(value);
++    len = sizeof(uint32_t) + sizeof(uint32_t) + value_len;
+ 
+     ret = sss_packet_grow(pctx->creq->out, len);
+     if (ret != EOK) {
+-        goto done;
++        return ret;
+     }
+ 
+     sss_packet_get_body(pctx->creq->out, &body, &blen);
+@@ -1449,43 +818,88 @@ getautomntbyname_process(struct autofs_cmd_ctx *cmdctx,
+     rp = 0;
+     SAFEALIGN_SET_UINT32(&body[rp], len, &rp);
+ 
+-    SAFEALIGN_SET_UINT32(&body[rp], valuelen, &rp);
+-    if (valuelen == 1) {
++    SAFEALIGN_SET_UINT32(&body[rp], value_len, &rp);
++    if (value_len == 1) {
+         body[rp] = '\0';
+     } else {
+-        memcpy(&body[rp], value, valuelen);
++        memcpy(&body[rp], value, value_len);
+     }
+-    rp += valuelen;
+-
+-    ret = EOK;
+-done:
+-    sss_packet_set_error(pctx->creq->out, ret);
+-    sss_cmd_done(cmdctx->cctx, cmdctx);
+ 
+     return EOK;
+ }
+ 
++static void
++sss_autofs_cmd_getautomntbyname_done(struct tevent_req *req);
++
+ static int
+-sss_autofs_cmd_endautomntent(struct cli_ctx *client)
++sss_autofs_cmd_getautomntbyname(struct cli_ctx *cli_ctx)
+ {
+-    struct cli_protocol *pctx;
++    struct autofs_cmd_ctx *cmd_ctx;
++    struct autofs_ctx *autofs_ctx;
++    struct tevent_req *req;
+     errno_t ret;
+ 
+-    DEBUG(SSSDBG_TRACE_FUNC, "endautomntent called\n");
++    autofs_ctx = talloc_get_type(cli_ctx->rctx->pvt_ctx, struct autofs_ctx);
+ 
+-    pctx = talloc_get_type(client->protocol_ctx, struct cli_protocol);
++    cmd_ctx = talloc_zero(cli_ctx, struct autofs_cmd_ctx);
++    if (cmd_ctx == NULL) {
++        DEBUG(SSSDBG_CRIT_FAILURE, "Unable to create command context.\n");
++        return ENOMEM;
++    }
+ 
+-    /* create response packet */
+-    ret = sss_packet_new(pctx->creq, 0,
+-                         sss_packet_get_cmd(pctx->creq->in),
+-                         &pctx->creq->out);
++    cmd_ctx->cli_ctx = cli_ctx;
++    cmd_ctx->autofs_ctx = autofs_ctx;
+ 
++    ret = autofs_read_getautomntbyname_input(cli_ctx, &cmd_ctx->mapname,
++                                             &cmd_ctx->keyname);
+     if (ret != EOK) {
+-        return ret;
++        goto done;
+     }
+ 
+-    sss_cmd_done(client, NULL);
+-    return EOK;
++    DEBUG(SSSDBG_TRACE_FUNC, "Obtaining enumeration context for %s\n",
++          cmd_ctx->mapname);
++
++    req = autofs_setent_send(cli_ctx, cli_ctx->ev, autofs_ctx, cmd_ctx->mapname);
++    if (req == NULL) {
++        DEBUG(SSSDBG_CRIT_FAILURE, "Unable to create tevent request\n");
++        ret = ENOMEM;
++        goto done;
++    }
++
++    tevent_req_set_callback(req, sss_autofs_cmd_getautomntbyname_done, cmd_ctx);
++
++    ret = EOK;
++
++done:
++    return autofs_cmd_done(cmd_ctx, ret);
++}
++
++static void
++sss_autofs_cmd_getautomntbyname_done(struct tevent_req *req)
++{
++    struct autofs_enum_ctx *enum_ctx;
++    struct autofs_cmd_ctx *cmd_ctx;
++    errno_t ret;
++
++    cmd_ctx = tevent_req_callback_data(req, struct autofs_cmd_ctx);
++
++    ret = autofs_setent_recv(req, &enum_ctx);
++    talloc_zfree(req);
++    if (ret != EOK) {
++        autofs_cmd_done(cmd_ctx, ret);
++        return;
++    }
++
++    ret = autofs_write_getautomntbyname_output(cmd_ctx->cli_ctx, enum_ctx,
++                                               cmd_ctx->keyname);
++    if (ret != EOK) {
++        DEBUG(SSSDBG_CRIT_FAILURE, "Unable to create reply packet "
++              "[%d]: %s\n", ret, sss_strerror(ret));
++        autofs_cmd_done(cmd_ctx, ret);
++        return;
++    }
++
++    sss_cmd_done(cmd_ctx->cli_ctx, NULL);
+ }
+ 
+ struct cli_protocol_version *register_cli_protocol_version(void)
+@@ -1518,10 +932,5 @@ int autofs_connection_setup(struct cli_ctx *cctx)
+     ret = sss_connection_setup(cctx);
+     if (ret != EOK) return ret;
+ 
+-    cctx->state_ctx = talloc_zero(cctx, struct autofs_state_ctx);
+-    if (!cctx->state_ctx) {
+-        return ENOMEM;
+-    }
+-
+     return EOK;
+ }
+-- 
+2.20.1
+
diff --git a/SOURCES/0079-autofs-use-cache_req-to-obtain-single-entry-in-geten.patch b/SOURCES/0079-autofs-use-cache_req-to-obtain-single-entry-in-geten.patch
new file mode 100644
index 0000000..3e308a2
--- /dev/null
+++ b/SOURCES/0079-autofs-use-cache_req-to-obtain-single-entry-in-geten.patch
@@ -0,0 +1,131 @@
+From 27d2dcfb76625bffe34d2fe185d7677db3f372d6 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
+Date: Tue, 13 Aug 2019 13:10:03 +0200
+Subject: [PATCH 79/90] autofs: use cache_req to obtain single entry in
+ getentrybyname
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Resolves:
+https://pagure.io/SSSD/sssd/issue/2607
+
+Reviewed-by: Tomáš Halman <thalman@redhat.com>
+---
+ src/responder/autofs/autofssrv_cmd.c | 54 ++++++++++------------------
+ 1 file changed, 19 insertions(+), 35 deletions(-)
+
+diff --git a/src/responder/autofs/autofssrv_cmd.c b/src/responder/autofs/autofssrv_cmd.c
+index 670b6d50d..59e64014d 100644
+--- a/src/responder/autofs/autofssrv_cmd.c
++++ b/src/responder/autofs/autofssrv_cmd.c
+@@ -750,27 +750,28 @@ autofs_read_getautomntbyname_input(struct cli_ctx *cli_ctx,
+ 
+ static errno_t
+ autofs_write_getautomntbyname_output(struct cli_ctx *cli_ctx,
+-                                     struct autofs_enum_ctx *enum_ctx,
++                                     struct cache_req_result *result,
+                                      const char *keyname)
+ {
+     struct cli_protocol *pctx;
+-    struct ldb_message **entries;
+-    struct ldb_message *entry = NULL;
+-    const char *entry_key;
++    struct ldb_message *entry;
+     const char *value;
+     size_t value_len;
+     size_t len;
+-    size_t count;
+     uint8_t *body;
+     size_t blen;
+     size_t rp;
+-    size_t i;
+     errno_t ret;
+ 
+     pctx = talloc_get_type(cli_ctx->protocol_ctx, struct cli_protocol);
+ 
+-    count = enum_ctx->found ? enum_ctx->result->count - 1 : 0;
+-    entries = count > 0 ? enum_ctx->result->msgs + 1 : NULL;
++    if (result == NULL || result->count == 0) {
++        DEBUG(SSSDBG_TRACE_FUNC, "Key [%s] was not found\n", keyname);
++        return sss_cmd_empty_packet(pctx->creq->out);
++    }
++
++    DEBUG(SSSDBG_TRACE_INTERNAL, "Found key [%s]\n", keyname);
++    entry = result->msgs[0];
+ 
+     ret = sss_packet_new(pctx->creq, 0, sss_packet_get_cmd(pctx->creq->in),
+                          &pctx->creq->out);
+@@ -778,27 +779,6 @@ autofs_write_getautomntbyname_output(struct cli_ctx *cli_ctx,
+         return ret;
+     }
+ 
+-    for (i = 0; i < count; i++) {
+-        entry_key = ldb_msg_find_attr_as_string(entries[i],
+-                                                SYSDB_AUTOFS_ENTRY_KEY,
+-                                                NULL);
+-        if (entry_key == NULL) {
+-            DEBUG(SSSDBG_MINOR_FAILURE, "Skipping incomplete entry\n");
+-            continue;
+-        }
+-
+-        if (strcmp(entry_key, keyname) == 0) {
+-            DEBUG(SSSDBG_TRACE_INTERNAL, "Found key [%s]\n", keyname);
+-            entry = entries[i];
+-            break;
+-        }
+-    }
+-
+-    if (!enum_ctx->found || count == 0 || entry == NULL) {
+-        DEBUG(SSSDBG_TRACE_FUNC, "Key [%s] was not found\n", keyname);
+-        return sss_cmd_empty_packet(pctx->creq->out);
+-    }
+-
+     value = ldb_msg_find_attr_as_string(entry, SYSDB_AUTOFS_ENTRY_VALUE, NULL);
+     if (value == NULL) {
+         DEBUG(SSSDBG_CRIT_FAILURE, "No entry value found in [%s]\n", keyname);
+@@ -856,10 +836,14 @@ sss_autofs_cmd_getautomntbyname(struct cli_ctx *cli_ctx)
+         goto done;
+     }
+ 
+-    DEBUG(SSSDBG_TRACE_FUNC, "Obtaining enumeration context for %s\n",
+-          cmd_ctx->mapname);
++    DEBUG(SSSDBG_TRACE_FUNC, "Obtaining autofs entry %s:%s\n",
++          cmd_ctx->mapname, cmd_ctx->keyname);
+ 
+-    req = autofs_setent_send(cli_ctx, cli_ctx->ev, autofs_ctx, cmd_ctx->mapname);
++    req = cache_req_autofs_entry_by_name_send(cli_ctx, cli_ctx->ev,
++                                              autofs_ctx->rctx,
++                                              autofs_ctx->rctx->ncache, 0, NULL,
++                                              cmd_ctx->mapname,
++                                              cmd_ctx->keyname);
+     if (req == NULL) {
+         DEBUG(SSSDBG_CRIT_FAILURE, "Unable to create tevent request\n");
+         ret = ENOMEM;
+@@ -877,20 +861,20 @@ done:
+ static void
+ sss_autofs_cmd_getautomntbyname_done(struct tevent_req *req)
+ {
+-    struct autofs_enum_ctx *enum_ctx;
++    struct cache_req_result *result;
+     struct autofs_cmd_ctx *cmd_ctx;
+     errno_t ret;
+ 
+     cmd_ctx = tevent_req_callback_data(req, struct autofs_cmd_ctx);
+ 
+-    ret = autofs_setent_recv(req, &enum_ctx);
++    ret = cache_req_autofs_entry_by_name_recv(cmd_ctx, req, &result);
+     talloc_zfree(req);
+     if (ret != EOK) {
+         autofs_cmd_done(cmd_ctx, ret);
+         return;
+     }
+ 
+-    ret = autofs_write_getautomntbyname_output(cmd_ctx->cli_ctx, enum_ctx,
++    ret = autofs_write_getautomntbyname_output(cmd_ctx->cli_ctx, result,
+                                                cmd_ctx->keyname);
+     if (ret != EOK) {
+         DEBUG(SSSDBG_CRIT_FAILURE, "Unable to create reply packet "
+-- 
+2.20.1
+
diff --git a/SOURCES/0080-autofs-use-cache_req-to-obtain-map-in-setent.patch b/SOURCES/0080-autofs-use-cache_req-to-obtain-map-in-setent.patch
new file mode 100644
index 0000000..ecca7e3
--- /dev/null
+++ b/SOURCES/0080-autofs-use-cache_req-to-obtain-map-in-setent.patch
@@ -0,0 +1,82 @@
+From 61a7bf4d2a93f99a5c94da4367d350f8038bb935 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
+Date: Wed, 14 Aug 2019 11:41:56 +0200
+Subject: [PATCH 80/90] autofs: use cache_req to obtain map in setent
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Resolves:
+https://pagure.io/SSSD/sssd/issue/2607
+
+Reviewed-by: Tomáš Halman <thalman@redhat.com>
+---
+ src/responder/autofs/autofssrv_cmd.c | 18 ++++++++++--------
+ 1 file changed, 10 insertions(+), 8 deletions(-)
+
+diff --git a/src/responder/autofs/autofssrv_cmd.c b/src/responder/autofs/autofssrv_cmd.c
+index 59e64014d..d413f8570 100644
+--- a/src/responder/autofs/autofssrv_cmd.c
++++ b/src/responder/autofs/autofssrv_cmd.c
+@@ -365,7 +365,7 @@ autofs_read_setautomntent_input(struct cli_ctx *cli_ctx,
+ 
+ static errno_t
+ autofs_write_setautomntent_output(struct cli_ctx *cli_ctx,
+-                                  struct autofs_enum_ctx *enum_ctx)
++                                  struct cache_req_result *result)
+ {
+     struct cli_protocol *pctx;
+     uint8_t *body;
+@@ -380,7 +380,7 @@ autofs_write_setautomntent_output(struct cli_ctx *cli_ctx,
+         return ret;
+     }
+ 
+-    if (!enum_ctx->found) {
++    if (result == NULL || result->count == 0) {
+         DEBUG(SSSDBG_TRACE_FUNC, "Map was not found\n");
+         return sss_cmd_empty_packet(pctx->creq->out);
+     }
+@@ -430,11 +430,13 @@ sss_autofs_cmd_setautomntent(struct cli_ctx *cli_ctx)
+         goto done;
+     }
+ 
+-    DEBUG(SSSDBG_TRACE_FUNC, "Creating enumeration context for %s\n",
++    DEBUG(SSSDBG_TRACE_FUNC, "Obtaining autofs map %s\n",
+           cmd_ctx->mapname);
+ 
+-    req = autofs_setent_send(cli_ctx, cli_ctx->ev, autofs_ctx,
+-                             cmd_ctx->mapname);
++    req = cache_req_autofs_map_by_name_send(cli_ctx, cli_ctx->ev,
++                                            autofs_ctx->rctx,
++                                            autofs_ctx->rctx->ncache, 0, NULL,
++                                            cmd_ctx->mapname);
+     if (req == NULL) {
+         DEBUG(SSSDBG_CRIT_FAILURE, "Unable to create tevent request\n");
+         ret = ENOMEM;
+@@ -452,20 +454,20 @@ done:
+ static void
+ sss_autofs_cmd_setautomntent_done(struct tevent_req *req)
+ {
+-    struct autofs_enum_ctx *enum_ctx;
++    struct cache_req_result *result;
+     struct autofs_cmd_ctx *cmd_ctx;
+     errno_t ret;
+ 
+     cmd_ctx = tevent_req_callback_data(req, struct autofs_cmd_ctx);
+ 
+-    ret = autofs_setent_recv(req, &enum_ctx);
++    ret = cache_req_autofs_map_by_name_recv(cmd_ctx, req, &result);
+     talloc_zfree(req);
+     if (ret != EOK) {
+         autofs_cmd_done(cmd_ctx, ret);
+         return;
+     }
+ 
+-    ret = autofs_write_setautomntent_output(cmd_ctx->cli_ctx, enum_ctx);
++    ret = autofs_write_setautomntent_output(cmd_ctx->cli_ctx, result);
+     if (ret != EOK) {
+         DEBUG(SSSDBG_CRIT_FAILURE, "Unable to create reply packet "
+               "[%d]: %s\n", ret, sss_strerror(ret));
+-- 
+2.20.1
+
diff --git a/SOURCES/0081-dp-replace-autofs-handler-with-enumerate-method.patch b/SOURCES/0081-dp-replace-autofs-handler-with-enumerate-method.patch
new file mode 100644
index 0000000..0525173
--- /dev/null
+++ b/SOURCES/0081-dp-replace-autofs-handler-with-enumerate-method.patch
@@ -0,0 +1,196 @@
+From ca1ee9933b9cdb474cef46bde127eaf85f1861d1 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
+Date: Wed, 28 Aug 2019 12:11:51 +0200
+Subject: [PATCH 81/90] dp: replace autofs handler with enumerate method
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Resolves:
+https://pagure.io/SSSD/sssd/issue/2607
+
+Reviewed-by: Tomáš Halman <thalman@redhat.com>
+---
+ src/providers/data_provider/dp.h              |  3 +-
+ .../data_provider/dp_target_autofs.c          |  2 +-
+ src/providers/ipa/ipa_autofs.c                |  4 +-
+ src/providers/ldap/ldap_common.h              | 14 +++----
+ src/providers/ldap/sdap_autofs.c              | 38 +++++++++----------
+ 5 files changed, 31 insertions(+), 30 deletions(-)
+
+diff --git a/src/providers/data_provider/dp.h b/src/providers/data_provider/dp.h
+index e8b2f9c8f..8ef4a92ae 100644
+--- a/src/providers/data_provider/dp.h
++++ b/src/providers/data_provider/dp.h
+@@ -78,7 +78,6 @@ enum dp_methods {
+     DPM_ACCESS_HANDLER,
+     DPM_SELINUX_HANDLER,
+     DPM_SUDO_HANDLER,
+-    DPM_AUTOFS_HANDLER,
+     DPM_HOSTID_HANDLER,
+     DPM_DOMAINS_HANDLER,
+     DPM_SESSION_HANDLER,
+@@ -86,6 +85,8 @@ enum dp_methods {
+ 
+     DPM_REFRESH_ACCESS_RULES,
+ 
++    DPM_AUTOFS_ENUMERATE,
++
+     DP_METHOD_SENTINEL
+ };
+ 
+diff --git a/src/providers/data_provider/dp_target_autofs.c b/src/providers/data_provider/dp_target_autofs.c
+index 13b12f5dd..5f24f2975 100644
+--- a/src/providers/data_provider/dp_target_autofs.c
++++ b/src/providers/data_provider/dp_target_autofs.c
+@@ -48,7 +48,7 @@ errno_t dp_autofs_handler(struct sbus_request *sbus_req,
+     key = mapname;
+ 
+     dp_req_with_reply(dp_cli, NULL, "AutoFS", key, sbus_req, DPT_AUTOFS,
+-                      DPM_AUTOFS_HANDLER, dp_flags, data,
++                      DPM_AUTOFS_ENUMERATE, dp_flags, data,
+                       dp_req_reply_std, struct dp_reply_std);
+ 
+     return EOK;
+diff --git a/src/providers/ipa/ipa_autofs.c b/src/providers/ipa/ipa_autofs.c
+index b2e4cbc06..50e30f39f 100644
+--- a/src/providers/ipa/ipa_autofs.c
++++ b/src/providers/ipa/ipa_autofs.c
+@@ -47,8 +47,8 @@ errno_t ipa_autofs_init(TALLOC_CTX *mem_ctx,
+         return ret;
+     }
+ 
+-    dp_set_method(dp_methods, DPM_AUTOFS_HANDLER,
+-                  sdap_autofs_handler_send, sdap_autofs_handler_recv, id_ctx->sdap_id_ctx,
++    dp_set_method(dp_methods, DPM_AUTOFS_ENUMERATE,
++                  sdap_autofs_enumerate_handler_send, sdap_autofs_enumerate_handler_recv, id_ctx,
+                   struct sdap_id_ctx, struct dp_autofs_data, struct dp_reply_std);
+ 
+     return ret;
+diff --git a/src/providers/ldap/ldap_common.h b/src/providers/ldap/ldap_common.h
+index f30b67eb3..85dc6949c 100644
+--- a/src/providers/ldap/ldap_common.h
++++ b/src/providers/ldap/ldap_common.h
+@@ -156,15 +156,15 @@ sdap_pam_chpass_handler_recv(TALLOC_CTX *mem_ctx,
+ 
+ /* autofs */
+ struct tevent_req *
+-sdap_autofs_handler_send(TALLOC_CTX *mem_ctx,
+-                         struct sdap_id_ctx *id_ctx,
+-                         struct dp_autofs_data *data,
+-                         struct dp_req_params *params);
++sdap_autofs_enumerate_handler_send(TALLOC_CTX *mem_ctx,
++                                   struct sdap_id_ctx *id_ctx,
++                                   struct dp_autofs_data *data,
++                                   struct dp_req_params *params);
+ 
+ errno_t
+-sdap_autofs_handler_recv(TALLOC_CTX *mem_ctx,
+-                         struct tevent_req *req,
+-                         struct dp_reply_std *data);
++sdap_autofs_enumerate_handler_recv(TALLOC_CTX *mem_ctx,
++                                   struct tevent_req *req,
++                                   struct dp_reply_std *data);
+ 
+ int sdap_service_init(TALLOC_CTX *memctx, struct be_ctx *ctx,
+                       const char *service_name, const char *dns_service_name,
+diff --git a/src/providers/ldap/sdap_autofs.c b/src/providers/ldap/sdap_autofs.c
+index c02c04d5c..f65028d4e 100644
+--- a/src/providers/ldap/sdap_autofs.c
++++ b/src/providers/ldap/sdap_autofs.c
+@@ -201,26 +201,26 @@ sdap_autofs_get_map_recv(struct tevent_req *req, int *dp_error_out)
+     return EOK;
+ }
+ 
+-struct sdap_autofs_handler_state {
++struct sdap_autofs_enumerate_handler_state {
+     struct dp_reply_std reply;
+ };
+ 
+-static void sdap_autofs_handler_done(struct tevent_req *subreq);
++static void sdap_autofs_enumerate_handler_done(struct tevent_req *subreq);
+ 
+ struct tevent_req *
+-sdap_autofs_handler_send(TALLOC_CTX *mem_ctx,
+-                         struct sdap_id_ctx *id_ctx,
+-                         struct dp_autofs_data *data,
+-                         struct dp_req_params *params)
++sdap_autofs_enumerate_handler_send(TALLOC_CTX *mem_ctx,
++                                   struct sdap_id_ctx *id_ctx,
++                                   struct dp_autofs_data *data,
++                                   struct dp_req_params *params)
+ {
+-    struct sdap_autofs_handler_state *state;
++    struct sdap_autofs_enumerate_handler_state *state;
+     struct tevent_req *subreq;
+     struct tevent_req *req;
+     const char *master_map;
+ 
+     errno_t ret;
+ 
+-    req = tevent_req_create(mem_ctx, &state, struct sdap_autofs_handler_state);
++    req = tevent_req_create(mem_ctx, &state, struct sdap_autofs_enumerate_handler_state);
+     if (req == NULL) {
+         DEBUG(SSSDBG_CRIT_FAILURE, "tevent_req_create() failed\n");
+         return NULL;
+@@ -250,7 +250,7 @@ sdap_autofs_handler_send(TALLOC_CTX *mem_ctx,
+         goto immediately;
+     }
+ 
+-    tevent_req_set_callback(subreq, sdap_autofs_handler_done, req);
++    tevent_req_set_callback(subreq, sdap_autofs_enumerate_handler_done, req);
+ 
+     return req;
+ 
+@@ -264,15 +264,15 @@ immediately:
+     return req;
+ }
+ 
+-static void sdap_autofs_handler_done(struct tevent_req *subreq)
++static void sdap_autofs_enumerate_handler_done(struct tevent_req *subreq)
+ {
+-    struct sdap_autofs_handler_state *state;
++    struct sdap_autofs_enumerate_handler_state *state;
+     struct tevent_req *req;
+     int dp_error;
+     errno_t ret;
+ 
+     req = tevent_req_callback_data(subreq, struct tevent_req);
+-    state = tevent_req_data(req, struct sdap_autofs_handler_state);
++    state = tevent_req_data(req, struct sdap_autofs_enumerate_handler_state);
+ 
+     ret = sdap_autofs_get_map_recv(subreq, &dp_error);
+     talloc_zfree(subreq);
+@@ -283,13 +283,13 @@ static void sdap_autofs_handler_done(struct tevent_req *subreq)
+ }
+ 
+ errno_t
+-sdap_autofs_handler_recv(TALLOC_CTX *mem_ctx,
+-                         struct tevent_req *req,
+-                         struct dp_reply_std *data)
++sdap_autofs_enumerate_handler_recv(TALLOC_CTX *mem_ctx,
++                                   struct tevent_req *req,
++                                   struct dp_reply_std *data)
+ {
+-    struct sdap_autofs_handler_state *state = NULL;
++    struct sdap_autofs_enumerate_handler_state *state = NULL;
+ 
+-    state = tevent_req_data(req, struct sdap_autofs_handler_state);
++    state = tevent_req_data(req, struct sdap_autofs_enumerate_handler_state);
+ 
+     TEVENT_REQ_RETURN_ON_ERROR(req);
+ 
+@@ -313,8 +313,8 @@ errno_t sdap_autofs_init(TALLOC_CTX *mem_ctx,
+         return ret;
+     }
+ 
+-    dp_set_method(dp_methods, DPM_AUTOFS_HANDLER,
+-                  sdap_autofs_handler_send, sdap_autofs_handler_recv, id_ctx,
++    dp_set_method(dp_methods, DPM_AUTOFS_ENUMERATE,
++                  sdap_autofs_enumerate_handler_send, sdap_autofs_enumerate_handler_recv, id_ctx,
+                   struct sdap_id_ctx, struct dp_autofs_data, struct dp_reply_std);
+ 
+     return EOK;
+-- 
+2.20.1
+
diff --git a/SOURCES/0082-dp-add-additional-autofs-methods.patch b/SOURCES/0082-dp-add-additional-autofs-methods.patch
new file mode 100644
index 0000000..f4124ee
--- /dev/null
+++ b/SOURCES/0082-dp-add-additional-autofs-methods.patch
@@ -0,0 +1,358 @@
+From 0b780a0d50e4ebb279b3ba36869d8e62c3c38044 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
+Date: Wed, 28 Aug 2019 12:40:56 +0200
+Subject: [PATCH 82/90] dp: add additional autofs methods
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Resolves:
+https://pagure.io/SSSD/sssd/issue/2607
+
+Reviewed-by: Tomáš Halman <thalman@redhat.com>
+---
+ src/providers/data_provider/dp.h              |  2 ++
+ src/providers/data_provider/dp_custom_data.h  |  1 +
+ src/providers/data_provider/dp_iface.h        |  4 ++-
+ src/providers/data_provider/dp_iface.xml      |  2 ++
+ .../data_provider/dp_iface_generated.c        | 36 +++++++++++++++++--
+ .../data_provider/dp_iface_generated.h        |  2 +-
+ .../data_provider/dp_target_autofs.c          | 28 +++++++++++++--
+ .../plugins/cache_req_autofs_entry_by_name.c  |  3 +-
+ .../plugins/cache_req_autofs_map_by_name.c    |  3 +-
+ .../plugins/cache_req_autofs_map_entries.c    |  3 +-
+ src/responder/common/responder.h              |  7 ++--
+ src/responder/common/responder_dp_autofs.c    | 19 ++++++----
+ 12 files changed, 91 insertions(+), 19 deletions(-)
+
+diff --git a/src/providers/data_provider/dp.h b/src/providers/data_provider/dp.h
+index 8ef4a92ae..df774fcf4 100644
+--- a/src/providers/data_provider/dp.h
++++ b/src/providers/data_provider/dp.h
+@@ -85,6 +85,8 @@ enum dp_methods {
+ 
+     DPM_REFRESH_ACCESS_RULES,
+ 
++    DPM_AUTOFS_GET_MAP,
++    DPM_AUTOFS_GET_ENTRY,
+     DPM_AUTOFS_ENUMERATE,
+ 
+     DP_METHOD_SENTINEL
+diff --git a/src/providers/data_provider/dp_custom_data.h b/src/providers/data_provider/dp_custom_data.h
+index 7c64bde45..b5f41786c 100644
+--- a/src/providers/data_provider/dp_custom_data.h
++++ b/src/providers/data_provider/dp_custom_data.h
+@@ -37,6 +37,7 @@ struct dp_hostid_data {
+ 
+ struct dp_autofs_data {
+     const char *mapname;
++    const char *entryname;
+ };
+ 
+ struct dp_subdomains_data {
+diff --git a/src/providers/data_provider/dp_iface.h b/src/providers/data_provider/dp_iface.h
+index 0a2f81eb5..5af1fdff0 100644
+--- a/src/providers/data_provider/dp_iface.h
++++ b/src/providers/data_provider/dp_iface.h
+@@ -52,7 +52,9 @@ errno_t dp_host_handler(struct sbus_request *sbus_req,
+ errno_t dp_autofs_handler(struct sbus_request *sbus_req,
+                           void *dp_cli,
+                           uint32_t dp_flags,
+-                          const char *mapname);
++                          uint32_t method,
++                          const char *mapname,
++                          const char *entryname);
+ 
+ errno_t dp_subdomains_handler(struct sbus_request *sbus_req,
+                               void *dp_cli,
+diff --git a/src/providers/data_provider/dp_iface.xml b/src/providers/data_provider/dp_iface.xml
+index c2431850b..545d9aaa4 100644
+--- a/src/providers/data_provider/dp_iface.xml
++++ b/src/providers/data_provider/dp_iface.xml
+@@ -50,7 +50,9 @@
+         </method>
+         <method name="autofsHandler">
+             <arg name="dp_flags" type="u" direction="in" />
++            <arg name="method" type="u" direction="in" />
+             <arg name="mapname" type="s" direction="in" />
++            <arg name="entryname" type="s" direction="in" />
+             <arg name="dp_error" type="q" direction="out" />
+             <arg name="error" type="u" direction="out" />
+             <arg name="error_message" type="s" direction="out" />
+diff --git a/src/providers/data_provider/dp_iface_generated.c b/src/providers/data_provider/dp_iface_generated.c
+index 4d0934445..453ca8854 100644
+--- a/src/providers/data_provider/dp_iface_generated.c
++++ b/src/providers/data_provider/dp_iface_generated.c
+@@ -12,8 +12,8 @@
+ /* invokes a handler with a 's' DBus signature */
+ static int invoke_s_method(struct sbus_request *dbus_req, void *function_ptr);
+ 
+-/* invokes a handler with a 'us' DBus signature */
+-static int invoke_us_method(struct sbus_request *dbus_req, void *function_ptr);
++/* invokes a handler with a 'uuss' DBus signature */
++static int invoke_uuss_method(struct sbus_request *dbus_req, void *function_ptr);
+ 
+ /* invokes a handler with a 'uss' DBus signature */
+ static int invoke_uss_method(struct sbus_request *dbus_req, void *function_ptr);
+@@ -21,6 +21,9 @@ static int invoke_uss_method(struct sbus_request *dbus_req, void *function_ptr);
+ /* invokes a handler with a 'uusss' DBus signature */
+ static int invoke_uusss_method(struct sbus_request *dbus_req, void *function_ptr);
+ 
++/* invokes a handler with a 'us' DBus signature */
++static int invoke_us_method(struct sbus_request *dbus_req, void *function_ptr);
++
+ /* arguments for org.freedesktop.sssd.DataProvider.Client.Register */
+ const struct sbus_arg_meta iface_dp_client_Register__in[] = {
+     { "Name", "s" },
+@@ -217,7 +220,9 @@ const struct sbus_interface_meta iface_dp_access_control_meta = {
+ /* arguments for org.freedesktop.sssd.dataprovider.autofsHandler */
+ const struct sbus_arg_meta iface_dp_autofsHandler__in[] = {
+     { "dp_flags", "u" },
++    { "method", "u" },
+     { "mapname", "s" },
++    { "entryname", "s" },
+     { NULL, }
+ };
+ 
+@@ -358,7 +363,7 @@ const struct sbus_method_meta iface_dp__methods[] = {
+         iface_dp_autofsHandler__in,
+         iface_dp_autofsHandler__out,
+         offsetof(struct iface_dp, autofsHandler),
+-        invoke_us_method,
++        invoke_uuss_method,
+     },
+     {
+         "hostHandler", /* name */
+@@ -400,6 +405,31 @@ const struct sbus_interface_meta iface_dp_meta = {
+     sbus_invoke_get_all, /* GetAll invoker */
+ };
+ 
++/* invokes a handler with a 'uuss' DBus signature */
++static int invoke_uuss_method(struct sbus_request *dbus_req, void *function_ptr)
++{
++    uint32_t arg_0;
++    uint32_t arg_1;
++    const char * arg_2;
++    const char * arg_3;
++    int (*handler)(struct sbus_request *, void *, uint32_t, uint32_t, const char *, const char *) = function_ptr;
++
++    if (!sbus_request_parse_or_finish(dbus_req,
++                               DBUS_TYPE_UINT32, &arg_0,
++                               DBUS_TYPE_UINT32, &arg_1,
++                               DBUS_TYPE_STRING, &arg_2,
++                               DBUS_TYPE_STRING, &arg_3,
++                               DBUS_TYPE_INVALID)) {
++         return EOK; /* request handled */
++    }
++
++    return (handler)(dbus_req, dbus_req->intf->handler_data,
++                     arg_0,
++                     arg_1,
++                     arg_2,
++                     arg_3);
++}
++
+ /* invokes a handler with a 's' DBus signature */
+ static int invoke_s_method(struct sbus_request *dbus_req, void *function_ptr)
+ {
+diff --git a/src/providers/data_provider/dp_iface_generated.h b/src/providers/data_provider/dp_iface_generated.h
+index b629ec774..7dd0f27cc 100644
+--- a/src/providers/data_provider/dp_iface_generated.h
++++ b/src/providers/data_provider/dp_iface_generated.h
+@@ -107,7 +107,7 @@ struct iface_dp {
+     struct sbus_vtable vtable; /* derive from sbus_vtable */
+     sbus_msg_handler_fn pamHandler;
+     sbus_msg_handler_fn sudoHandler;
+-    int (*autofsHandler)(struct sbus_request *req, void *data, uint32_t arg_dp_flags, const char *arg_mapname);
++    int (*autofsHandler)(struct sbus_request *req, void *data, uint32_t arg_dp_flags, uint32_t arg_method, const char *arg_mapname, const char *arg_entryname);
+     int (*hostHandler)(struct sbus_request *req, void *data, uint32_t arg_dp_flags, const char *arg_name, const char *arg_alias);
+     int (*getDomains)(struct sbus_request *req, void *data, const char *arg_domain_hint);
+     int (*getAccountInfo)(struct sbus_request *req, void *data, uint32_t arg_dp_flags, uint32_t arg_entry_type, const char *arg_filter, const char *arg_domain, const char *arg_extra);
+diff --git a/src/providers/data_provider/dp_target_autofs.c b/src/providers/data_provider/dp_target_autofs.c
+index 5f24f2975..8b5447aef 100644
+--- a/src/providers/data_provider/dp_target_autofs.c
++++ b/src/providers/data_provider/dp_target_autofs.c
+@@ -26,14 +26,19 @@
+ #include "providers/data_provider/dp_iface.h"
+ #include "providers/backend.h"
+ #include "util/util.h"
++#include "responder/common/responder.h"
+ 
+ errno_t dp_autofs_handler(struct sbus_request *sbus_req,
+                           void *dp_cli,
+                           uint32_t dp_flags,
+-                          const char *mapname)
++                          uint32_t method,
++                          const char *mapname,
++                          const char *entryname)
+ {
+     struct dp_autofs_data *data;
+     const char *key;
++    enum dp_methods dp_method;
++
+ 
+     if (mapname == NULL) {
+         return EINVAL;
+@@ -45,10 +50,27 @@ errno_t dp_autofs_handler(struct sbus_request *sbus_req,
+     }
+ 
+     data->mapname = mapname;
+-    key = mapname;
++    data->entryname = entryname;
++
++    key = talloc_asprintf(sbus_req, "%u:%s:%s", method, mapname, entryname);
++    if (key == NULL) {
++        return ENOMEM;
++    }
++
++    switch (method) {
++    case SSS_DP_AUTOFS_ENUMERATE:
++        dp_method = DPM_AUTOFS_ENUMERATE;
++        break;
++    case SSS_DP_AUTOFS_GET_MAP:
++        dp_method = DPM_AUTOFS_GET_MAP;
++        break;
++    case SSS_DP_AUTOFS_GET_ENTRY:
++        dp_method = DPM_AUTOFS_GET_ENTRY;
++        break;
++    }
+ 
+     dp_req_with_reply(dp_cli, NULL, "AutoFS", key, sbus_req, DPT_AUTOFS,
+-                      DPM_AUTOFS_ENUMERATE, dp_flags, data,
++                      dp_method, dp_flags, data,
+                       dp_req_reply_std, struct dp_reply_std);
+ 
+     return EOK;
+diff --git a/src/responder/common/cache_req/plugins/cache_req_autofs_entry_by_name.c b/src/responder/common/cache_req/plugins/cache_req_autofs_entry_by_name.c
+index 17b0b508e..f4d0cb140 100644
+--- a/src/responder/common/cache_req/plugins/cache_req_autofs_entry_by_name.c
++++ b/src/responder/common/cache_req/plugins/cache_req_autofs_entry_by_name.c
+@@ -72,7 +72,8 @@ cache_req_autofs_entry_by_name_dp_send(TALLOC_CTX *mem_ctx,
+                                        struct ldb_result *result)
+ {
+     return sss_dp_get_autofs_send(mem_ctx, cr->rctx, domain, true,
+-                                  SSS_DP_AUTOFS, data->name.name);
++                                  SSS_DP_AUTOFS_ENUMERATE,
++                                  data->name.name, NULL);
+ }
+ 
+ const struct cache_req_plugin cache_req_autofs_entry_by_name = {
+diff --git a/src/responder/common/cache_req/plugins/cache_req_autofs_map_by_name.c b/src/responder/common/cache_req/plugins/cache_req_autofs_map_by_name.c
+index 2f69c762c..268711678 100644
+--- a/src/responder/common/cache_req/plugins/cache_req_autofs_map_by_name.c
++++ b/src/responder/common/cache_req/plugins/cache_req_autofs_map_by_name.c
+@@ -69,7 +69,8 @@ cache_req_autofs_map_by_name_dp_send(TALLOC_CTX *mem_ctx,
+                                      struct ldb_result *result)
+ {
+     return sss_dp_get_autofs_send(mem_ctx, cr->rctx, domain, true,
+-                                  SSS_DP_AUTOFS, data->name.name);
++                                  SSS_DP_AUTOFS_ENUMERATE,
++                                  data->name.name, NULL);
+ }
+ 
+ const struct cache_req_plugin cache_req_autofs_map_by_name = {
+diff --git a/src/responder/common/cache_req/plugins/cache_req_autofs_map_entries.c b/src/responder/common/cache_req/plugins/cache_req_autofs_map_entries.c
+index 73d2b3cf2..7a2691f2f 100644
+--- a/src/responder/common/cache_req/plugins/cache_req_autofs_map_entries.c
++++ b/src/responder/common/cache_req/plugins/cache_req_autofs_map_entries.c
+@@ -101,7 +101,8 @@ cache_req_autofs_map_entries_dp_send(TALLOC_CTX *mem_ctx,
+                                      struct ldb_result *result)
+ {
+     return sss_dp_get_autofs_send(mem_ctx, cr->rctx, domain, true,
+-                                  SSS_DP_AUTOFS, data->name.name);
++                                  SSS_DP_AUTOFS_ENUMERATE,
++                                  data->name.name, NULL);
+ }
+ 
+ const struct cache_req_plugin cache_req_autofs_map_entries = {
+diff --git a/src/responder/common/responder.h b/src/responder/common/responder.h
+index 17b04c3de..4007bfd41 100644
+--- a/src/responder/common/responder.h
++++ b/src/responder/common/responder.h
+@@ -364,7 +364,9 @@ sss_dp_get_ssh_host_recv(TALLOC_CTX *mem_ctx,
+                          char **err_msg);
+ 
+ enum sss_dp_autofs_type {
+-    SSS_DP_AUTOFS
++    SSS_DP_AUTOFS_ENUMERATE,
++    SSS_DP_AUTOFS_GET_MAP,
++    SSS_DP_AUTOFS_GET_ENTRY
+ };
+ 
+ struct tevent_req *
+@@ -373,7 +375,8 @@ sss_dp_get_autofs_send(TALLOC_CTX *mem_ctx,
+                        struct sss_domain_info *dom,
+                        bool fast_reply,
+                        enum sss_dp_autofs_type type,
+-                       const char *name);
++                       const char *mapname,
++                       const char *entryname);
+ 
+ errno_t
+ sss_dp_get_autofs_recv(TALLOC_CTX *mem_ctx,
+diff --git a/src/responder/common/responder_dp_autofs.c b/src/responder/common/responder_dp_autofs.c
+index bb8c2a428..edf31d035 100644
+--- a/src/responder/common/responder_dp_autofs.c
++++ b/src/responder/common/responder_dp_autofs.c
+@@ -34,7 +34,8 @@ struct sss_dp_get_autofs_info {
+ 
+     bool fast_reply;
+     enum sss_dp_autofs_type type;
+-    const char *name;
++    const char *mapname;
++    const char *entryname;
+ };
+ 
+ static DBusMessage *
+@@ -46,7 +47,8 @@ sss_dp_get_autofs_send(TALLOC_CTX *mem_ctx,
+                        struct sss_domain_info *dom,
+                        bool fast_reply,
+                        enum sss_dp_autofs_type type,
+-                       const char *name)
++                       const char *mapname,
++                       const char *entryname)
+ {
+     struct tevent_req *req;
+     struct sss_dp_req_state *state;
+@@ -64,6 +66,8 @@ sss_dp_get_autofs_send(TALLOC_CTX *mem_ctx,
+         goto error;
+     }
+ 
++    entryname = entryname == NULL ? "" : entryname;
++
+     info = talloc_zero(state, struct sss_dp_get_autofs_info);
+     if (info == NULL) {
+         ret = ENOMEM;
+@@ -71,10 +75,11 @@ sss_dp_get_autofs_send(TALLOC_CTX *mem_ctx,
+     }
+     info->fast_reply = fast_reply;
+     info->type = type;
+-    info->name = name;
++    info->mapname = mapname;
++    info->entryname = entryname;
+     info->dom = dom;
+ 
+-    key = talloc_asprintf(state, "%d:%s@%s", type, name, dom->name);
++    key = talloc_asprintf(state, "%d:%s@%s:%s", type, mapname, dom->name, entryname);
+     if (!key) {
+         ret = ENOMEM;
+         goto error;
+@@ -124,11 +129,13 @@ sss_dp_get_autofs_msg(void *pvt)
+     /* create the message */
+     DEBUG(SSSDBG_TRACE_FUNC,
+           "Creating autofs request for [%s][%u][%s]\n",
+-           info->dom->name, dp_flags, info->name);
++           info->dom->name, dp_flags, info->mapname);
+ 
+     dbret = dbus_message_append_args(msg,
+                                      DBUS_TYPE_UINT32, &dp_flags,
+-                                     DBUS_TYPE_STRING, &info->name,
++                                     DBUS_TYPE_UINT32, &info->type,
++                                     DBUS_TYPE_STRING, &info->mapname,
++                                     DBUS_TYPE_STRING, &info->entryname,
+                                      DBUS_TYPE_INVALID);
+     if (!dbret) {
+         DEBUG(SSSDBG_CRIT_FAILURE, "Failed to build message\n");
+-- 
+2.20.1
+
diff --git a/SOURCES/0083-ldap-add-base_dn-to-sdap_search_bases.patch b/SOURCES/0083-ldap-add-base_dn-to-sdap_search_bases.patch
new file mode 100644
index 0000000..053eab0
--- /dev/null
+++ b/SOURCES/0083-ldap-add-base_dn-to-sdap_search_bases.patch
@@ -0,0 +1,257 @@
+From fb9a42d952924b5ff084a103d43b6192c4ff0c1f Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
+Date: Thu, 15 Aug 2019 13:51:59 +0200
+Subject: [PATCH 83/90] ldap: add base_dn to sdap_search_bases
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+To implement cases where we need to search a specific dn but we need
+to filter the result with configured filters.
+
+Resolves:
+https://pagure.io/SSSD/sssd/issue/2607
+
+Reviewed-by: Tomáš Halman <thalman@redhat.com>
+---
+ src/providers/ad/ad_subdomains.c              |  5 ++--
+ src/providers/ipa/ipa_subdomains.c            |  6 ++---
+ src/providers/ipa/ipa_subdomains_ext_groups.c |  2 +-
+ src/providers/ipa/ipa_sudo_async.c            |  8 +++----
+ src/providers/ldap/sdap_async_sudo.c          |  2 +-
+ src/providers/ldap/sdap_ops.c                 | 24 ++++++++++++-------
+ src/providers/ldap/sdap_ops.h                 |  6 +++--
+ 7 files changed, 31 insertions(+), 22 deletions(-)
+
+diff --git a/src/providers/ad/ad_subdomains.c b/src/providers/ad/ad_subdomains.c
+index 45a8fe0fc..f0b5d59d2 100644
+--- a/src/providers/ad/ad_subdomains.c
++++ b/src/providers/ad/ad_subdomains.c
+@@ -1110,7 +1110,7 @@ static void ad_get_slave_domain_connect_done(struct tevent_req *subreq)
+                                     sdap_id_op_handle(state->sdap_op),
+                                     state->root_sdom->search_bases,
+                                     NULL, false, 0,
+-                                    SLAVE_DOMAIN_FILTER, attrs);
++                                    SLAVE_DOMAIN_FILTER, attrs, NULL);
+     if (subreq == NULL) {
+         tevent_req_error(req, ret);
+         return;
+@@ -1304,7 +1304,8 @@ ad_get_root_domain_send(TALLOC_CTX *mem_ctx,
+ 
+     subreq = sdap_search_bases_return_first_send(state, ev, opts, sh,
+                                                  opts->sdom->search_bases,
+-                                                 NULL, false, 0, filter, attrs);
++                                                 NULL, false, 0, filter, attrs,
++                                                 NULL);
+     if (subreq == NULL) {
+         ret = ENOMEM;
+         goto immediately;
+diff --git a/src/providers/ipa/ipa_subdomains.c b/src/providers/ipa/ipa_subdomains.c
+index 3a17c851d..322420264 100644
+--- a/src/providers/ipa/ipa_subdomains.c
++++ b/src/providers/ipa/ipa_subdomains.c
+@@ -1005,7 +1005,7 @@ ipa_subdomains_ranges_send(TALLOC_CTX *mem_ctx,
+ 
+     subreq = sdap_search_bases_send(state, ev, sd_ctx->sdap_id_ctx->opts, sh,
+                                     sd_ctx->ranges_search_bases, NULL, false,
+-                                    0, RANGE_FILTER, attrs);
++                                    0, RANGE_FILTER, attrs, NULL);
+     if (subreq == NULL) {
+         ret = ENOMEM;
+         goto immediately;
+@@ -1251,7 +1251,7 @@ ipa_subdomains_master_send(TALLOC_CTX *mem_ctx,
+     subreq = sdap_search_bases_return_first_send(state, ev,
+                                      sd_ctx->sdap_id_ctx->opts, sh,
+                                      sd_ctx->master_search_bases, NULL, false,
+-                                     0, MASTER_DOMAIN_FILTER, attrs);
++                                     0, MASTER_DOMAIN_FILTER, attrs, NULL);
+     if (subreq == NULL) {
+         ret = ENOMEM;
+         goto immediately;
+@@ -1397,7 +1397,7 @@ ipa_subdomains_slave_send(TALLOC_CTX *mem_ctx,
+ 
+     subreq = sdap_search_bases_send(state, ev, sd_ctx->sdap_id_ctx->opts, sh,
+                                     sd_ctx->search_bases, NULL, false,
+-                                    0, SUBDOMAINS_FILTER, attrs);
++                                    0, SUBDOMAINS_FILTER, attrs, NULL);
+     if (subreq == NULL) {
+         ret = ENOMEM;
+         goto immediately;
+diff --git a/src/providers/ipa/ipa_subdomains_ext_groups.c b/src/providers/ipa/ipa_subdomains_ext_groups.c
+index 75963bef1..cd80048b3 100644
+--- a/src/providers/ipa/ipa_subdomains_ext_groups.c
++++ b/src/providers/ipa/ipa_subdomains_ext_groups.c
+@@ -545,7 +545,7 @@ static void ipa_get_ad_memberships_connect_done(struct tevent_req *subreq)
+                             dp_opt_get_int(state->sdap_id_ctx->opts->basic,
+                                             SDAP_ENUM_SEARCH_TIMEOUT),
+                             IPA_EXT_GROUPS_FILTER,
+-                            NULL);
++                            NULL, NULL);
+     if (subreq == NULL) {
+         DEBUG(SSSDBG_OP_FAILURE, "sdap_get_generic_send failed.\n");
+         ret = ENOMEM;
+diff --git a/src/providers/ipa/ipa_sudo_async.c b/src/providers/ipa/ipa_sudo_async.c
+index 060687c77..19bcd94c9 100644
+--- a/src/providers/ipa/ipa_sudo_async.c
++++ b/src/providers/ipa/ipa_sudo_async.c
+@@ -492,7 +492,7 @@ ipa_sudo_fetch_addtl_cmdgroups(struct tevent_req *req)
+ 
+     subreq = sdap_search_bases_send(state, state->ev, state->sdap_opts,
+                                     state->sh, state->sudo_sb, map, true, 0,
+-                                    filter, NULL);
++                                    filter, NULL, NULL);
+     if (subreq == NULL) {
+         return ENOMEM;
+     }
+@@ -582,7 +582,7 @@ ipa_sudo_fetch_rules(struct tevent_req *req)
+ 
+     subreq = sdap_search_bases_send(state, state->ev, state->sdap_opts,
+                                     state->sh, state->sudo_sb, map, true, 0,
+-                                    filter, NULL);
++                                    filter, NULL, NULL);
+     if (subreq == NULL) {
+         return ENOMEM;
+     }
+@@ -662,7 +662,7 @@ ipa_sudo_fetch_cmdgroups(struct tevent_req *req)
+     subreq = sdap_search_bases_send(state, state->ev, state->sdap_opts,
+                                     state->sh, state->sudo_sb,
+                                     state->map_cmdgroup, true, 0,
+-                                    filter, NULL);
++                                    filter, NULL, NULL);
+     if (subreq == NULL) {
+         return ENOMEM;
+     }
+@@ -742,7 +742,7 @@ ipa_sudo_fetch_cmds(struct tevent_req *req)
+     subreq = sdap_search_bases_send(state, state->ev, state->sdap_opts,
+                                     state->sh, state->sudo_sb,
+                                     state->map_cmd, true, 0,
+-                                    filter, NULL);
++                                    filter, NULL, NULL);
+     if (subreq == NULL) {
+         return ENOMEM;
+     }
+diff --git a/src/providers/ldap/sdap_async_sudo.c b/src/providers/ldap/sdap_async_sudo.c
+index 5ccfad61f..c19ee87c2 100644
+--- a/src/providers/ldap/sdap_async_sudo.c
++++ b/src/providers/ldap/sdap_async_sudo.c
+@@ -75,7 +75,7 @@ sdap_sudo_load_sudoers_send(TALLOC_CTX *mem_ctx,
+ 
+     subreq = sdap_search_bases_send(state, ev, opts, sh, sb,
+                                     opts->sudorule_map, true, 0,
+-                                    ldap_filter, NULL);
++                                    ldap_filter, NULL, NULL);
+     if (subreq == NULL) {
+         ret = ENOMEM;
+         goto immediately;
+diff --git a/src/providers/ldap/sdap_ops.c b/src/providers/ldap/sdap_ops.c
+index a90857469..2125b21aa 100644
+--- a/src/providers/ldap/sdap_ops.c
++++ b/src/providers/ldap/sdap_ops.c
+@@ -37,6 +37,7 @@ struct sdap_search_bases_ex_state {
+     int timeout;
+     bool allow_paging;
+     bool return_first_reply;
++    const char *base_dn;
+ 
+     size_t base_iter;
+     struct sdap_search_base *cur_base;
+@@ -60,7 +61,8 @@ sdap_search_bases_ex_send(TALLOC_CTX *mem_ctx,
+                           bool return_first_reply,
+                           int timeout,
+                           const char *filter,
+-                          const char **attrs)
++                          const char **attrs,
++                          const char *base_dn)
+ {
+     struct tevent_req *req;
+     struct sdap_search_bases_ex_state *state;
+@@ -86,6 +88,7 @@ sdap_search_bases_ex_send(TALLOC_CTX *mem_ctx,
+     state->attrs = attrs;
+     state->allow_paging = allow_paging;
+     state->return_first_reply = return_first_reply;
++    state->base_dn = base_dn;
+ 
+     state->timeout = timeout == 0
+                      ? dp_opt_get_int(opts->basic, SDAP_SEARCH_TIMEOUT)
+@@ -133,6 +136,7 @@ static errno_t sdap_search_bases_ex_next_base(struct tevent_req *req)
+ {
+     struct sdap_search_bases_ex_state *state;
+     struct tevent_req *subreq;
++    const char *base_dn;
+     char *filter;
+ 
+     state = tevent_req_data(req, struct sdap_search_bases_ex_state);
+@@ -148,12 +152,12 @@ static errno_t sdap_search_bases_ex_next_base(struct tevent_req *req)
+         return ENOMEM;
+     }
+ 
+-    DEBUG(SSSDBG_TRACE_FUNC, "Issuing LDAP lookup with base [%s]\n",
+-                             state->cur_base->basedn);
++    base_dn = state->base_dn != NULL ? state->base_dn : state->cur_base->basedn;
++
++    DEBUG(SSSDBG_TRACE_FUNC, "Issuing LDAP lookup with base [%s]\n", base_dn);
+ 
+     subreq = sdap_get_generic_send(state, state->ev, state->opts, state->sh,
+-                                   state->cur_base->basedn,
+-                                   state->cur_base->scope, filter,
++                                   base_dn, state->cur_base->scope, filter,
+                                    state->attrs, state->map,
+                                    state->map_num_attrs, state->timeout,
+                                    state->allow_paging);
+@@ -253,11 +257,12 @@ sdap_search_bases_send(TALLOC_CTX *mem_ctx,
+                        bool allow_paging,
+                        int timeout,
+                        const char *filter,
+-                       const char **attrs)
++                       const char **attrs,
++                       const char *base_dn)
+ {
+     return sdap_search_bases_ex_send(mem_ctx, ev, opts, sh, bases, map,
+                                      allow_paging, false, timeout,
+-                                     filter, attrs);
++                                     filter, attrs, base_dn);
+ }
+ 
+ int sdap_search_bases_recv(struct tevent_req *req,
+@@ -278,11 +283,12 @@ sdap_search_bases_return_first_send(TALLOC_CTX *mem_ctx,
+                                     bool allow_paging,
+                                     int timeout,
+                                     const char *filter,
+-                                    const char **attrs)
++                                    const char **attrs,
++                                    const char *base_dn)
+ {
+     return sdap_search_bases_ex_send(mem_ctx, ev, opts, sh, bases, map,
+                                      allow_paging, true, timeout,
+-                                     filter, attrs);
++                                     filter, attrs, base_dn);
+ }
+ 
+ int sdap_search_bases_return_first_recv(struct tevent_req *req,
+diff --git a/src/providers/ldap/sdap_ops.h b/src/providers/ldap/sdap_ops.h
+index cc9de00d2..648a2b68c 100644
+--- a/src/providers/ldap/sdap_ops.h
++++ b/src/providers/ldap/sdap_ops.h
+@@ -34,7 +34,8 @@ struct tevent_req *sdap_search_bases_send(TALLOC_CTX *mem_ctx,
+                                           bool allow_paging,
+                                           int timeout,
+                                           const char *filter,
+-                                          const char **attrs);
++                                          const char **attrs,
++                                          const char *base_dn);
+ 
+ int sdap_search_bases_recv(struct tevent_req *req,
+                            TALLOC_CTX *mem_ctx,
+@@ -51,7 +52,8 @@ sdap_search_bases_return_first_send(TALLOC_CTX *mem_ctx,
+                                     bool allow_paging,
+                                     int timeout,
+                                     const char *filter,
+-                                    const char **attrs);
++                                    const char **attrs,
++                                    const char *base_dn);
+ 
+ int sdap_search_bases_return_first_recv(struct tevent_req *req,
+                                         TALLOC_CTX *mem_ctx,
+-- 
+2.20.1
+
diff --git a/SOURCES/0084-ldap-rename-sdap_autofs_get_map-to-sdap_autofs_enume.patch b/SOURCES/0084-ldap-rename-sdap_autofs_get_map-to-sdap_autofs_enume.patch
new file mode 100644
index 0000000..75575e6
--- /dev/null
+++ b/SOURCES/0084-ldap-rename-sdap_autofs_get_map-to-sdap_autofs_enume.patch
@@ -0,0 +1,194 @@
+From bd15a135c1b73996208557f36718410a7a6b20b2 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
+Date: Thu, 15 Aug 2019 11:56:55 +0200
+Subject: [PATCH 84/90] ldap: rename sdap_autofs_get_map to
+ sdap_autofs_enumerate
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+get_map name will be later used to obtain only the map object.
+
+Resolves:
+https://pagure.io/SSSD/sssd/issue/2607
+
+Reviewed-by: Tomáš Halman <thalman@redhat.com>
+---
+ src/providers/ldap/sdap_autofs.c | 60 ++++++++++++++++----------------
+ 1 file changed, 30 insertions(+), 30 deletions(-)
+
+diff --git a/src/providers/ldap/sdap_autofs.c b/src/providers/ldap/sdap_autofs.c
+index f65028d4e..5b9146199 100644
+--- a/src/providers/ldap/sdap_autofs.c
++++ b/src/providers/ldap/sdap_autofs.c
+@@ -34,7 +34,7 @@
+ #include "db/sysdb_autofs.h"
+ #include "util/util.h"
+ 
+-struct autofs_get_map_state {
++struct sdap_autofs_enumerate_state {
+     struct tevent_context *ev;
+     struct sdap_id_ctx *ctx;
+     struct sdap_id_op *op;
+@@ -44,23 +44,23 @@ struct autofs_get_map_state {
+ };
+ 
+ static errno_t
+-sdap_autofs_get_map_retry(struct tevent_req *req);
++sdap_autofs_enumerate_retry(struct tevent_req *req);
+ static void
+-sdap_autofs_get_map_connect_done(struct tevent_req *subreq);
++sdap_autofs_enumerate_connect_done(struct tevent_req *subreq);
+ static void
+-sdap_autofs_get_map_done(struct tevent_req *req);
++sdap_autofs_enumerate_done(struct tevent_req *req);
+ 
+ static struct tevent_req *
+-sdap_autofs_get_map_send(TALLOC_CTX *mem_ctx,
+-                         struct tevent_context *ev,
+-                         struct sdap_id_ctx *ctx,
+-                         const char *map_name)
++sdap_autofs_enumerate_send(TALLOC_CTX *mem_ctx,
++                           struct tevent_context *ev,
++                           struct sdap_id_ctx *ctx,
++                           const char *map_name)
+ {
+     struct tevent_req *req;
+-    struct autofs_get_map_state *state;
++    struct sdap_autofs_enumerate_state *state;
+     int ret;
+ 
+-    req = tevent_req_create(mem_ctx, &state, struct autofs_get_map_state);
++    req = tevent_req_create(mem_ctx, &state, struct sdap_autofs_enumerate_state);
+     if (!req) return NULL;
+ 
+     state->ev = ev;
+@@ -75,7 +75,7 @@ sdap_autofs_get_map_send(TALLOC_CTX *mem_ctx,
+         goto fail;
+     }
+ 
+-    ret = sdap_autofs_get_map_retry(req);
++    ret = sdap_autofs_enumerate_retry(req);
+     if (ret != EOK) {
+         goto fail;
+     }
+@@ -89,10 +89,10 @@ fail:
+ }
+ 
+ static errno_t
+-sdap_autofs_get_map_retry(struct tevent_req *req)
++sdap_autofs_enumerate_retry(struct tevent_req *req)
+ {
+-    struct autofs_get_map_state *state =
+-                tevent_req_data(req, struct autofs_get_map_state);
++    struct sdap_autofs_enumerate_state *state =
++                tevent_req_data(req, struct sdap_autofs_enumerate_state);
+     struct tevent_req *subreq;
+     int ret = EOK;
+ 
+@@ -101,17 +101,17 @@ sdap_autofs_get_map_retry(struct tevent_req *req)
+         return ret;
+     }
+ 
+-    tevent_req_set_callback(subreq, sdap_autofs_get_map_connect_done, req);
++    tevent_req_set_callback(subreq, sdap_autofs_enumerate_connect_done, req);
+     return EOK;
+ }
+ 
+ static void
+-sdap_autofs_get_map_connect_done(struct tevent_req *subreq)
++sdap_autofs_enumerate_connect_done(struct tevent_req *subreq)
+ {
+     struct tevent_req *req = tevent_req_callback_data(subreq,
+                                                       struct tevent_req);
+-    struct autofs_get_map_state *state =
+-                tevent_req_data(req, struct autofs_get_map_state);
++    struct sdap_autofs_enumerate_state *state =
++                tevent_req_data(req, struct sdap_autofs_enumerate_state);
+     int dp_error = DP_ERR_FATAL;
+     int ret;
+ 
+@@ -137,17 +137,17 @@ sdap_autofs_get_map_connect_done(struct tevent_req *subreq)
+         tevent_req_error(req, ENOMEM);
+         return;
+     }
+-    tevent_req_set_callback(subreq, sdap_autofs_get_map_done, req);
++    tevent_req_set_callback(subreq, sdap_autofs_enumerate_done, req);
+ 
+ }
+ 
+ static void
+-sdap_autofs_get_map_done(struct tevent_req *subreq)
++sdap_autofs_enumerate_done(struct tevent_req *subreq)
+ {
+     struct tevent_req *req = tevent_req_callback_data(subreq,
+                                                       struct tevent_req);
+-    struct autofs_get_map_state *state =
+-        tevent_req_data(req, struct autofs_get_map_state);
++    struct sdap_autofs_enumerate_state *state =
++        tevent_req_data(req, struct sdap_autofs_enumerate_state);
+     int dp_error = DP_ERR_FATAL;
+     int ret;
+ 
+@@ -157,7 +157,7 @@ sdap_autofs_get_map_done(struct tevent_req *subreq)
+     ret = sdap_id_op_done(state->op, ret, &dp_error);
+     if (dp_error == DP_ERR_OK && ret != EOK) {
+         /* retry */
+-        ret = sdap_autofs_get_map_retry(req);
++        ret = sdap_autofs_enumerate_retry(req);
+         if (ret != EOK) {
+             tevent_req_error(req, ret);
+             return;
+@@ -187,10 +187,10 @@ sdap_autofs_get_map_done(struct tevent_req *subreq)
+ }
+ 
+ static errno_t
+-sdap_autofs_get_map_recv(struct tevent_req *req, int *dp_error_out)
++sdap_autofs_enumerate_recv(struct tevent_req *req, int *dp_error_out)
+ {
+-    struct autofs_get_map_state *state =
+-        tevent_req_data(req, struct autofs_get_map_state);
++    struct sdap_autofs_enumerate_state *state =
++        tevent_req_data(req, struct sdap_autofs_enumerate_state);
+ 
+     if (dp_error_out) {
+         *dp_error_out = state->dp_error;
+@@ -217,7 +217,6 @@ sdap_autofs_enumerate_handler_send(TALLOC_CTX *mem_ctx,
+     struct tevent_req *subreq;
+     struct tevent_req *req;
+     const char *master_map;
+-
+     errno_t ret;
+ 
+     req = tevent_req_create(mem_ctx, &state, struct sdap_autofs_enumerate_handler_state);
+@@ -241,8 +240,8 @@ sdap_autofs_enumerate_handler_send(TALLOC_CTX *mem_ctx,
+         }
+     }
+ 
+-    subreq = sdap_autofs_get_map_send(mem_ctx, params->ev,
+-                                      id_ctx, data->mapname);
++    subreq = sdap_autofs_enumerate_send(mem_ctx, params->ev,
++                                        id_ctx, data->mapname);
+     if (subreq == NULL) {
+         DEBUG(SSSDBG_CRIT_FAILURE, "Unable to send request for %s.\n",
+               data->mapname);
+@@ -262,6 +261,7 @@ immediately:
+     tevent_req_post(req, params->ev);
+ 
+     return req;
++
+ }
+ 
+ static void sdap_autofs_enumerate_handler_done(struct tevent_req *subreq)
+@@ -274,7 +274,7 @@ static void sdap_autofs_enumerate_handler_done(struct tevent_req *subreq)
+     req = tevent_req_callback_data(subreq, struct tevent_req);
+     state = tevent_req_data(req, struct sdap_autofs_enumerate_handler_state);
+ 
+-    ret = sdap_autofs_get_map_recv(subreq, &dp_error);
++    ret = sdap_autofs_enumerate_recv(subreq, &dp_error);
+     talloc_zfree(subreq);
+ 
+     /* TODO For backward compatibility we always return EOK to DP now. */
+-- 
+2.20.1
+
diff --git a/SOURCES/0085-ldap-implement-autofs-get-map.patch b/SOURCES/0085-ldap-implement-autofs-get-map.patch
new file mode 100644
index 0000000..29d4651
--- /dev/null
+++ b/SOURCES/0085-ldap-implement-autofs-get-map.patch
@@ -0,0 +1,475 @@
+From fcb6f55c09d1d6f6487d771ac829e02565393c56 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
+Date: Thu, 15 Aug 2019 12:42:05 +0200
+Subject: [PATCH 85/90] ldap: implement autofs get map
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+This will obtain only the map object.
+
+Resolves:
+https://pagure.io/SSSD/sssd/issue/2607
+
+Reviewed-by: Tomáš Halman <thalman@redhat.com>
+---
+ src/providers/ipa/ipa_autofs.c                |   4 +
+ src/providers/ldap/ldap_common.h              |  11 +
+ src/providers/ldap/sdap_async_autofs.c        | 207 ++++++++++++++++++
+ src/providers/ldap/sdap_autofs.c              | 123 +++++++++--
+ src/providers/ldap/sdap_autofs.h              |   7 +
+ .../plugins/cache_req_autofs_map_by_name.c    |   2 +-
+ 6 files changed, 340 insertions(+), 14 deletions(-)
+
+diff --git a/src/providers/ipa/ipa_autofs.c b/src/providers/ipa/ipa_autofs.c
+index 50e30f39f..19d74071f 100644
+--- a/src/providers/ipa/ipa_autofs.c
++++ b/src/providers/ipa/ipa_autofs.c
+@@ -51,5 +51,9 @@ errno_t ipa_autofs_init(TALLOC_CTX *mem_ctx,
+                   sdap_autofs_enumerate_handler_send, sdap_autofs_enumerate_handler_recv, id_ctx,
+                   struct sdap_id_ctx, struct dp_autofs_data, struct dp_reply_std);
+ 
++    dp_set_method(dp_methods, DPM_AUTOFS_GET_MAP,
++                  sdap_autofs_get_map_handler_send, sdap_autofs_get_map_handler_recv, id_ctx,
++                  struct sdap_id_ctx, struct dp_autofs_data, struct dp_reply_std);
++
+     return ret;
+ }
+diff --git a/src/providers/ldap/ldap_common.h b/src/providers/ldap/ldap_common.h
+index 85dc6949c..36623aca8 100644
+--- a/src/providers/ldap/ldap_common.h
++++ b/src/providers/ldap/ldap_common.h
+@@ -166,6 +166,17 @@ sdap_autofs_enumerate_handler_recv(TALLOC_CTX *mem_ctx,
+                                    struct tevent_req *req,
+                                    struct dp_reply_std *data);
+ 
++struct tevent_req *
++sdap_autofs_get_map_handler_send(TALLOC_CTX *mem_ctx,
++                                 struct sdap_id_ctx *id_ctx,
++                                 struct dp_autofs_data *data,
++                                 struct dp_req_params *params);
++
++errno_t
++sdap_autofs_get_map_handler_recv(TALLOC_CTX *mem_ctx,
++                                 struct tevent_req *req,
++                                 struct dp_reply_std *data);
++
+ int sdap_service_init(TALLOC_CTX *memctx, struct be_ctx *ctx,
+                       const char *service_name, const char *dns_service_name,
+                       const char *urls, const char *backup_urls,
+diff --git a/src/providers/ldap/sdap_async_autofs.c b/src/providers/ldap/sdap_async_autofs.c
+index 7548d4a67..52ceb84ac 100644
+--- a/src/providers/ldap/sdap_async_autofs.c
++++ b/src/providers/ldap/sdap_async_autofs.c
+@@ -28,6 +28,7 @@
+ #include "db/sysdb_autofs.h"
+ #include "providers/ldap/ldap_common.h"
+ #include "providers/ldap/sdap_autofs.h"
++#include "providers/ldap/sdap_ops.h"
+ 
+ enum autofs_map_op {
+     AUTOFS_MAP_OP_ADD,
+@@ -970,3 +971,209 @@ sdap_autofs_setautomntent_recv(struct tevent_req *req)
+     return EOK;
+ }
+ 
++struct sdap_autofs_get_map_state {
++    struct sdap_id_ctx *id_ctx;
++    struct sdap_options *opts;
++    struct sdap_id_op *sdap_op;
++    const char *mapname;
++    int dp_error;
++};
++
++static errno_t sdap_autofs_get_map_retry(struct tevent_req *req);
++static void sdap_autofs_get_map_connect_done(struct tevent_req *subreq);
++static void sdap_autofs_get_map_done(struct tevent_req *subreq);
++
++struct tevent_req *sdap_autofs_get_map_send(TALLOC_CTX *mem_ctx,
++                                            struct sdap_id_ctx *id_ctx,
++                                            const char *mapname)
++{
++    struct tevent_req *req;
++    struct sdap_autofs_get_map_state *state;
++    int ret;
++
++    req = tevent_req_create(mem_ctx, &state, struct sdap_autofs_get_map_state);
++    if (!req) {
++        return NULL;
++    }
++
++    state->id_ctx = id_ctx;
++    state->opts = id_ctx->opts;
++    state->mapname = mapname;
++    state->dp_error = DP_ERR_FATAL;
++
++    state->sdap_op = sdap_id_op_create(state, id_ctx->conn->conn_cache);
++    if (!state->sdap_op) {
++        DEBUG(SSSDBG_OP_FAILURE, "sdap_id_op_create() failed\n");
++        ret = ENOMEM;
++        goto done;
++    }
++
++    ret = sdap_autofs_get_map_retry(req);
++    if (ret == EAGAIN) {
++        /* asynchronous processing */
++        return req;
++    }
++
++done:
++    if (ret == EOK) {
++        tevent_req_done(req);
++    } else {
++        tevent_req_error(req, ret);
++    }
++    tevent_req_post(req, id_ctx->be->ev);
++
++    return req;
++}
++
++static errno_t sdap_autofs_get_map_retry(struct tevent_req *req)
++{
++    struct sdap_autofs_get_map_state *state;
++    struct tevent_req *subreq;
++    int ret;
++
++    state = tevent_req_data(req, struct sdap_autofs_get_map_state);
++
++    subreq = sdap_id_op_connect_send(state->sdap_op, state, &ret);
++    if (subreq == NULL) {
++        DEBUG(SSSDBG_CRIT_FAILURE, "sdap_id_op_connect_send() failed: "
++                                   "%d(%s)\n", ret, strerror(ret));
++        return ret;
++    }
++
++    tevent_req_set_callback(subreq, sdap_autofs_get_map_connect_done, req);
++
++    return EAGAIN;
++}
++
++static void sdap_autofs_get_map_connect_done(struct tevent_req *subreq)
++{
++    struct tevent_req *req;
++    struct sdap_autofs_get_map_state *state;
++    char *filter;
++    char *safe_mapname;
++    const char **attrs;
++    int dp_error;
++    int ret;
++
++    req = tevent_req_callback_data(subreq, struct tevent_req);
++    state = tevent_req_data(req, struct sdap_autofs_get_map_state);
++
++    ret = sdap_id_op_connect_recv(subreq, &dp_error);
++    talloc_zfree(subreq);
++
++    if (ret != EOK) {
++        DEBUG(SSSDBG_CRIT_FAILURE, "LDAP connection failed "
++                                   "[%d]: %s\n", ret, strerror(ret));
++        state->dp_error = dp_error;
++        tevent_req_error(req, ret);
++        return;
++    }
++
++    DEBUG(SSSDBG_TRACE_FUNC, "LDAP connection successful\n");
++
++    ret = sss_filter_sanitize(state, state->mapname, &safe_mapname);
++    if (ret != EOK) {
++        tevent_req_error(req, ret);
++        return;
++    }
++
++    filter = talloc_asprintf(state, "(&(%s=%s)(objectclass=%s))",
++                 state->opts->autofs_mobject_map[SDAP_AT_AUTOFS_MAP_NAME].name,
++                 safe_mapname,
++                 state->opts->autofs_mobject_map[SDAP_OC_AUTOFS_MAP].name);
++    if (filter == NULL) {
++        DEBUG(SSSDBG_CRIT_FAILURE, "Failed to build filter\n");
++        tevent_req_error(req, ret);
++        return;
++    }
++
++    ret = build_attrs_from_map(state, state->opts->autofs_mobject_map,
++                               SDAP_OPTS_AUTOFS_MAP, NULL, &attrs, NULL);
++    if (ret != EOK) {
++        DEBUG(SSSDBG_CRIT_FAILURE, "Failed to build attributes from map\n");
++        tevent_req_error(req, ret);
++        return;
++    }
++
++    subreq = sdap_search_bases_return_first_send(state, state->id_ctx->be->ev,
++                    state->opts, sdap_id_op_handle(state->sdap_op),
++                    state->opts->sdom->autofs_search_bases,
++                    state->opts->autofs_mobject_map, false,
++                    dp_opt_get_int(state->opts->basic, SDAP_SEARCH_TIMEOUT),
++                    filter, attrs);
++    if (subreq == NULL) {
++        state->dp_error = DP_ERR_FATAL;
++        tevent_req_error(req, ENOMEM);
++        return;
++    }
++
++    tevent_req_set_callback(subreq, sdap_autofs_get_map_done, req);
++}
++
++static void sdap_autofs_get_map_done(struct tevent_req *subreq)
++{
++    struct tevent_req *req;
++    struct sdap_autofs_get_map_state *state;
++    struct sysdb_attrs **reply;
++    size_t reply_count;
++    errno_t ret;
++
++    req = tevent_req_callback_data(subreq, struct tevent_req);
++    state = tevent_req_data(req, struct sdap_autofs_get_map_state);
++
++    ret = sdap_search_bases_return_first_recv(subreq, state, &reply_count,
++                                              &reply);
++    talloc_zfree(subreq);
++
++    ret = sdap_id_op_done(state->sdap_op, ret, &state->dp_error);
++    if (state->dp_error == DP_ERR_OK && ret != EOK) {
++        /* retry */
++        ret = sdap_autofs_get_map_retry(req);
++        if (ret != EOK) {
++            tevent_req_error(req, ret);
++        }
++        return;
++    } else if (ret != EOK) {
++        tevent_req_error(req, ret);
++        return;
++    }
++
++    if (reply_count == 0) {
++        ret = sysdb_delete_autofsmap(state->id_ctx->be->domain, state->mapname);
++        if (ret != EOK && ret != ENOENT) {
++            DEBUG(SSSDBG_OP_FAILURE,
++                "Cannot delete autofs map %s [%d]: %s\n",
++                 state->mapname, ret, strerror(ret));
++            tevent_req_error(req, ret);
++            return;
++        }
++
++        tevent_req_done(req);
++        return;
++    }
++
++    ret = save_autofs_map(state->id_ctx->be->domain, state->opts, reply[0], false);
++    if (ret != EOK) {
++        DEBUG(SSSDBG_OP_FAILURE,
++             "Cannot save autofs map %s [%d]: %s\n",
++              state->mapname, ret, strerror(ret));
++        tevent_req_error(req, ret);
++        return;
++    }
++
++    tevent_req_done(req);
++}
++
++errno_t sdap_autofs_get_map_recv(struct tevent_req *req,
++                                 int *dp_error)
++{
++    struct sdap_autofs_get_map_state *state;
++
++    state = tevent_req_data(req, struct sdap_autofs_get_map_state);
++
++    TEVENT_REQ_RETURN_ON_ERROR(req);
++
++    *dp_error = state->dp_error;
++
++    return EOK;
++}
+diff --git a/src/providers/ldap/sdap_autofs.c b/src/providers/ldap/sdap_autofs.c
+index 5b9146199..9a5ed11e8 100644
+--- a/src/providers/ldap/sdap_autofs.c
++++ b/src/providers/ldap/sdap_autofs.c
+@@ -34,6 +34,27 @@
+ #include "db/sysdb_autofs.h"
+ #include "util/util.h"
+ 
++static void
++sdap_autofs_invalidate_maps(struct sdap_id_ctx *id_ctx,
++                            const char *mapname)
++{
++    const char *master_map;
++    errno_t ret;
++
++    master_map = dp_opt_get_string(id_ctx->opts->basic,
++                                   SDAP_AUTOFS_MAP_MASTER_NAME);
++    if (strcmp(master_map, mapname) == 0) {
++        DEBUG(SSSDBG_FUNC_DATA, "Refresh of automount master map triggered: "
++              "%s\n", mapname);
++
++        ret = sysdb_invalidate_autofs_maps(id_ctx->be->domain);
++        if (ret != EOK) {
++            DEBUG(SSSDBG_MINOR_FAILURE, "Could not invalidate autofs maps, "
++                  "backend might return stale entries\n");
++        }
++    }
++}
++
+ struct sdap_autofs_enumerate_state {
+     struct tevent_context *ev;
+     struct sdap_id_ctx *ctx;
+@@ -216,7 +237,6 @@ sdap_autofs_enumerate_handler_send(TALLOC_CTX *mem_ctx,
+     struct sdap_autofs_enumerate_handler_state *state;
+     struct tevent_req *subreq;
+     struct tevent_req *req;
+-    const char *master_map;
+     errno_t ret;
+ 
+     req = tevent_req_create(mem_ctx, &state, struct sdap_autofs_enumerate_handler_state);
+@@ -227,18 +247,7 @@ sdap_autofs_enumerate_handler_send(TALLOC_CTX *mem_ctx,
+ 
+     DEBUG(SSSDBG_FUNC_DATA, "Requested refresh for: %s\n", data->mapname);
+ 
+-    master_map = dp_opt_get_string(id_ctx->opts->basic,
+-                                   SDAP_AUTOFS_MAP_MASTER_NAME);
+-    if (strcmp(master_map, data->mapname) == 0) {
+-        DEBUG(SSSDBG_FUNC_DATA, "Refresh of automount master map triggered: "
+-              "%s\n", data->mapname);
+-
+-        ret = sysdb_invalidate_autofs_maps(id_ctx->be->domain);
+-        if (ret != EOK) {
+-            DEBUG(SSSDBG_MINOR_FAILURE, "Could not invalidate autofs maps, "
+-                  "backend might return stale entries\n");
+-        }
+-    }
++    sdap_autofs_invalidate_maps(id_ctx, data->mapname);
+ 
+     subreq = sdap_autofs_enumerate_send(mem_ctx, params->ev,
+                                         id_ctx, data->mapname);
+@@ -298,6 +307,90 @@ sdap_autofs_enumerate_handler_recv(TALLOC_CTX *mem_ctx,
+     return EOK;
+ }
+ 
++struct sdap_autofs_get_map_handler_state {
++    struct dp_reply_std reply;
++};
++
++static void sdap_autofs_get_map_handler_done(struct tevent_req *subreq);
++
++struct tevent_req *
++sdap_autofs_get_map_handler_send(TALLOC_CTX *mem_ctx,
++                                 struct sdap_id_ctx *id_ctx,
++                                 struct dp_autofs_data *data,
++                                 struct dp_req_params *params)
++{
++    struct sdap_autofs_get_map_handler_state *state;
++    struct tevent_req *subreq;
++    struct tevent_req *req;
++    errno_t ret;
++
++    req = tevent_req_create(mem_ctx, &state,
++                            struct sdap_autofs_get_map_handler_state);
++    if (req == NULL) {
++        DEBUG(SSSDBG_CRIT_FAILURE, "tevent_req_create() failed\n");
++        return NULL;
++    }
++
++    DEBUG(SSSDBG_FUNC_DATA, "Requested refresh for: %s\n", data->mapname);
++
++    sdap_autofs_invalidate_maps(id_ctx, data->mapname);
++
++    subreq = sdap_autofs_get_map_send(mem_ctx, id_ctx, data->mapname);
++    if (subreq == NULL) {
++        DEBUG(SSSDBG_CRIT_FAILURE, "Unable to send request for %s.\n",
++              data->mapname);
++        ret = ENOMEM;
++        goto immediately;
++    }
++
++    tevent_req_set_callback(subreq, sdap_autofs_get_map_handler_done, req);
++
++    return req;
++
++immediately:
++    dp_reply_std_set(&state->reply, DP_ERR_DECIDE, ret, NULL);
++
++    /* TODO For backward compatibility we always return EOK to DP now. */
++    tevent_req_done(req);
++    tevent_req_post(req, params->ev);
++
++    return req;
++}
++
++static void sdap_autofs_get_map_handler_done(struct tevent_req *subreq)
++{
++    struct sdap_autofs_get_map_handler_state *state;
++    struct tevent_req *req;
++    int dp_error;
++    errno_t ret;
++
++    req = tevent_req_callback_data(subreq, struct tevent_req);
++    state = tevent_req_data(req, struct sdap_autofs_get_map_handler_state);
++
++    ret = sdap_autofs_get_map_recv(subreq, &dp_error);
++    talloc_zfree(subreq);
++
++    /* TODO For backward compatibility we always return EOK to DP now. */
++    dp_reply_std_set(&state->reply, dp_error, ret, NULL);
++    tevent_req_done(req);
++}
++
++errno_t
++sdap_autofs_get_map_handler_recv(TALLOC_CTX *mem_ctx,
++                                 struct tevent_req *req,
++                                 struct dp_reply_std *data)
++{
++    struct sdap_autofs_get_map_handler_state *state = NULL;
++
++    state = tevent_req_data(req, struct sdap_autofs_get_map_handler_state);
++
++    TEVENT_REQ_RETURN_ON_ERROR(req);
++
++    *data = state->reply;
++
++    return EOK;
++}
++
+ errno_t sdap_autofs_init(TALLOC_CTX *mem_ctx,
+                          struct be_ctx *be_ctx,
+                          struct sdap_id_ctx *id_ctx,
+@@ -317,5 +410,9 @@ errno_t sdap_autofs_init(TALLOC_CTX *mem_ctx,
+                   sdap_autofs_enumerate_handler_send, sdap_autofs_enumerate_handler_recv, id_ctx,
+                   struct sdap_id_ctx, struct dp_autofs_data, struct dp_reply_std);
+ 
++    dp_set_method(dp_methods, DPM_AUTOFS_GET_MAP,
++                  sdap_autofs_get_map_handler_send, sdap_autofs_get_map_handler_recv, id_ctx,
++                  struct sdap_id_ctx, struct dp_autofs_data, struct dp_reply_std);
++
+     return EOK;
+ }
+diff --git a/src/providers/ldap/sdap_autofs.h b/src/providers/ldap/sdap_autofs.h
+index 593d8c94f..34b9ca953 100644
+--- a/src/providers/ldap/sdap_autofs.h
++++ b/src/providers/ldap/sdap_autofs.h
+@@ -43,5 +43,12 @@ sdap_autofs_setautomntent_send(TALLOC_CTX *memctx,
+ errno_t
+ sdap_autofs_setautomntent_recv(struct tevent_req *req);
+ 
++struct tevent_req *sdap_autofs_get_map_send(TALLOC_CTX *mem_ctx,
++                                            struct sdap_id_ctx *id_ctx,
++                                            const char *mapname);
++
++errno_t sdap_autofs_get_map_recv(struct tevent_req *req,
++                                 int *dp_error);
++
+ #endif /* _SDAP_AUTOFS_H_ */
+ 
+diff --git a/src/responder/common/cache_req/plugins/cache_req_autofs_map_by_name.c b/src/responder/common/cache_req/plugins/cache_req_autofs_map_by_name.c
+index 268711678..4c1685728 100644
+--- a/src/responder/common/cache_req/plugins/cache_req_autofs_map_by_name.c
++++ b/src/responder/common/cache_req/plugins/cache_req_autofs_map_by_name.c
+@@ -69,7 +69,7 @@ cache_req_autofs_map_by_name_dp_send(TALLOC_CTX *mem_ctx,
+                                      struct ldb_result *result)
+ {
+     return sss_dp_get_autofs_send(mem_ctx, cr->rctx, domain, true,
+-                                  SSS_DP_AUTOFS_ENUMERATE,
++                                  SSS_DP_AUTOFS_GET_MAP,
+                                   data->name.name, NULL);
+ }
+ 
+-- 
+2.20.1
+
diff --git a/SOURCES/0086-ldap-implement-autofs-get-entry.patch b/SOURCES/0086-ldap-implement-autofs-get-entry.patch
new file mode 100644
index 0000000..ba12606
--- /dev/null
+++ b/SOURCES/0086-ldap-implement-autofs-get-entry.patch
@@ -0,0 +1,448 @@
+From 2e452583728b2596aba65a96d25f7f8312765538 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
+Date: Thu, 15 Aug 2019 14:07:01 +0200
+Subject: [PATCH 86/90] ldap: implement autofs get entry
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Resolves:
+https://pagure.io/SSSD/sssd/issue/2607
+
+Reviewed-by: Tomáš Halman <thalman@redhat.com>
+---
+ src/providers/ipa/ipa_autofs.c                |   4 +
+ src/providers/ldap/ldap_common.h              |  11 +
+ src/providers/ldap/sdap_async_autofs.c        | 235 +++++++++++++++++-
+ src/providers/ldap/sdap_autofs.c              |  88 +++++++
+ src/providers/ldap/sdap_autofs.h              |   8 +
+ .../plugins/cache_req_autofs_entry_by_name.c  |   4 +-
+ 6 files changed, 347 insertions(+), 3 deletions(-)
+
+diff --git a/src/providers/ipa/ipa_autofs.c b/src/providers/ipa/ipa_autofs.c
+index 19d74071f..5f72d60cd 100644
+--- a/src/providers/ipa/ipa_autofs.c
++++ b/src/providers/ipa/ipa_autofs.c
+@@ -55,5 +55,9 @@ errno_t ipa_autofs_init(TALLOC_CTX *mem_ctx,
+                   sdap_autofs_get_map_handler_send, sdap_autofs_get_map_handler_recv, id_ctx,
+                   struct sdap_id_ctx, struct dp_autofs_data, struct dp_reply_std);
+ 
++    dp_set_method(dp_methods, DPM_AUTOFS_GET_ENTRY,
++                  sdap_autofs_get_entry_handler_send, sdap_autofs_get_entry_handler_recv, id_ctx,
++                  struct sdap_id_ctx, struct dp_autofs_data, struct dp_reply_std);
++
+     return ret;
+ }
+diff --git a/src/providers/ldap/ldap_common.h b/src/providers/ldap/ldap_common.h
+index 36623aca8..893f29a38 100644
+--- a/src/providers/ldap/ldap_common.h
++++ b/src/providers/ldap/ldap_common.h
+@@ -177,6 +177,17 @@ sdap_autofs_get_map_handler_recv(TALLOC_CTX *mem_ctx,
+                                  struct tevent_req *req,
+                                  struct dp_reply_std *data);
+ 
++struct tevent_req *
++sdap_autofs_get_entry_handler_send(TALLOC_CTX *mem_ctx,
++                                 struct sdap_id_ctx *id_ctx,
++                                 struct dp_autofs_data *data,
++                                 struct dp_req_params *params);
++
++errno_t
++sdap_autofs_get_entry_handler_recv(TALLOC_CTX *mem_ctx,
++                                   struct tevent_req *req,
++                                   struct dp_reply_std *data);
++
+ int sdap_service_init(TALLOC_CTX *memctx, struct be_ctx *ctx,
+                       const char *service_name, const char *dns_service_name,
+                       const char *urls, const char *backup_urls,
+diff --git a/src/providers/ldap/sdap_async_autofs.c b/src/providers/ldap/sdap_async_autofs.c
+index 52ceb84ac..c31df2f59 100644
+--- a/src/providers/ldap/sdap_async_autofs.c
++++ b/src/providers/ldap/sdap_async_autofs.c
+@@ -1100,7 +1100,7 @@ static void sdap_autofs_get_map_connect_done(struct tevent_req *subreq)
+                     state->opts->sdom->autofs_search_bases,
+                     state->opts->autofs_mobject_map, false,
+                     dp_opt_get_int(state->opts->basic, SDAP_SEARCH_TIMEOUT),
+-                    filter, attrs);
++                    filter, attrs, NULL);
+     if (subreq == NULL) {
+         state->dp_error = DP_ERR_FATAL;
+         tevent_req_error(req, ENOMEM);
+@@ -1177,3 +1177,236 @@ errno_t sdap_autofs_get_map_recv(struct tevent_req *req,
+ 
+     return EOK;
+ }
++
++struct sdap_autofs_get_entry_state {
++    struct sdap_id_ctx *id_ctx;
++    struct sdap_options *opts;
++    struct sdap_id_op *sdap_op;
++    const char *mapname;
++    const char *entryname;
++    int dp_error;
++};
++
++static errno_t sdap_autofs_get_entry_retry(struct tevent_req *req);
++static void sdap_autofs_get_entry_connect_done(struct tevent_req *subreq);
++static void sdap_autofs_get_entry_done(struct tevent_req *subreq);
++
++struct tevent_req *sdap_autofs_get_entry_send(TALLOC_CTX *mem_ctx,
++                                              struct sdap_id_ctx *id_ctx,
++                                              const char *mapname,
++                                              const char *entryname)
++{
++    struct tevent_req *req;
++    struct sdap_autofs_get_entry_state *state;
++    int ret;
++
++    req = tevent_req_create(mem_ctx, &state, struct sdap_autofs_get_entry_state);
++    if (!req) {
++        return NULL;
++    }
++
++    state->id_ctx = id_ctx;
++    state->opts = id_ctx->opts;
++    state->mapname = mapname;
++    state->entryname = entryname;
++    state->dp_error = DP_ERR_FATAL;
++
++    state->sdap_op = sdap_id_op_create(state, id_ctx->conn->conn_cache);
++    if (!state->sdap_op) {
++        DEBUG(SSSDBG_OP_FAILURE, "sdap_id_op_create() failed\n");
++        ret = ENOMEM;
++        goto done;
++    }
++
++    ret = sdap_autofs_get_entry_retry(req);
++    if (ret == EAGAIN) {
++        /* asynchronous processing */
++        return req;
++    }
++
++done:
++    if (ret == EOK) {
++        tevent_req_done(req);
++    } else {
++        tevent_req_error(req, ret);
++    }
++    tevent_req_post(req, id_ctx->be->ev);
++
++    return req;
++}
++
++static errno_t sdap_autofs_get_entry_retry(struct tevent_req *req)
++{
++    struct sdap_autofs_get_entry_state *state;
++    struct tevent_req *subreq;
++    int ret;
++
++    state = tevent_req_data(req, struct sdap_autofs_get_entry_state);
++
++    subreq = sdap_id_op_connect_send(state->sdap_op, state, &ret);
++    if (subreq == NULL) {
++        DEBUG(SSSDBG_CRIT_FAILURE, "sdap_id_op_connect_send() failed: "
++                                   "%d(%s)\n", ret, strerror(ret));
++        return ret;
++    }
++
++    tevent_req_set_callback(subreq, sdap_autofs_get_entry_connect_done, req);
++
++    return EAGAIN;
++}
++
++static void sdap_autofs_get_entry_connect_done(struct tevent_req *subreq)
++{
++    struct tevent_req *req;
++    struct sdap_autofs_get_entry_state *state;
++    struct ldb_message *map;
++    char *filter;
++    char *safe_entryname;
++    const char **attrs;
++    const char *base_dn;
++    int dp_error;
++    int ret;
++
++    req = tevent_req_callback_data(subreq, struct tevent_req);
++    state = tevent_req_data(req, struct sdap_autofs_get_entry_state);
++
++    ret = sdap_id_op_connect_recv(subreq, &dp_error);
++    talloc_zfree(subreq);
++
++    if (ret != EOK) {
++        DEBUG(SSSDBG_CRIT_FAILURE, "LDAP connection failed "
++                                   "[%d]: %s\n", ret, strerror(ret));
++        state->dp_error = dp_error;
++        tevent_req_error(req, ret);
++        return;
++    }
++
++    DEBUG(SSSDBG_TRACE_FUNC, "LDAP connection successful\n");
++
++    ret = sysdb_get_map_byname(state, state->id_ctx->be->domain,
++                               state->mapname, &map);
++    if (ret == ENOENT) {
++        DEBUG(SSSDBG_CRIT_FAILURE, "Map %s does not exist!\n", state->mapname);
++        tevent_req_error(req, ret);
++        return;
++    } else if (ret != EOK) {
++        DEBUG(SSSDBG_CRIT_FAILURE, "Unable to get map %s [%d]: %s\n",
++              state->mapname, ret, sss_strerror(ret));
++        tevent_req_error(req, ret);
++        return;
++    }
++
++    base_dn = ldb_msg_find_attr_as_string(map, SYSDB_ORIG_DN, NULL);
++    if (base_dn == NULL) {
++        DEBUG(SSSDBG_CRIT_FAILURE, "Cannot get originalDN\n");
++        tevent_req_error(req, ERR_INTERNAL);
++        return;
++    }
++
++    ret = sss_filter_sanitize(state, state->entryname, &safe_entryname);
++    if (ret != EOK) {
++        tevent_req_error(req, ret);
++        return;
++    }
++
++    filter = talloc_asprintf(state, "(&(%s=%s)(objectclass=%s))",
++                 state->opts->autofs_entry_map[SDAP_AT_AUTOFS_ENTRY_KEY].name,
++                 safe_entryname,
++                 state->opts->autofs_entry_map[SDAP_OC_AUTOFS_ENTRY].name);
++    if (filter == NULL) {
++        DEBUG(SSSDBG_CRIT_FAILURE, "Failed to build filter\n");
++        tevent_req_error(req, ret);
++        return;
++    }
++
++    ret = build_attrs_from_map(state, state->opts->autofs_entry_map,
++                               SDAP_OPTS_AUTOFS_ENTRY, NULL, &attrs, NULL);
++    if (ret != EOK) {
++        DEBUG(SSSDBG_CRIT_FAILURE, "Failed to build attributes from map\n");
++        tevent_req_error(req, ret);
++        return;
++    }
++
++    subreq = sdap_search_bases_return_first_send(state, state->id_ctx->be->ev,
++                    state->opts, sdap_id_op_handle(state->sdap_op),
++                    state->opts->sdom->autofs_search_bases,
++                    state->opts->autofs_entry_map, false,
++                    dp_opt_get_int(state->opts->basic, SDAP_SEARCH_TIMEOUT),
++                    filter, attrs, base_dn);
++    if (subreq == NULL) {
++        state->dp_error = DP_ERR_FATAL;
++        tevent_req_error(req, ENOMEM);
++        return;
++    }
++
++    tevent_req_set_callback(subreq, sdap_autofs_get_entry_done, req);
++}
++
++static void sdap_autofs_get_entry_done(struct tevent_req *subreq)
++{
++    struct tevent_req *req;
++    struct sdap_autofs_get_entry_state *state;
++    struct sysdb_attrs **reply;
++    size_t reply_count;
++    errno_t ret;
++
++    req = tevent_req_callback_data(subreq, struct tevent_req);
++    state = tevent_req_data(req, struct sdap_autofs_get_entry_state);
++
++    ret = sdap_search_bases_return_first_recv(subreq, state, &reply_count,
++                                              &reply);
++    talloc_zfree(subreq);
++
++    ret = sdap_id_op_done(state->sdap_op, ret, &state->dp_error);
++    if (state->dp_error == DP_ERR_OK && ret != EOK) {
++        /* retry */
++        ret = sdap_autofs_get_entry_retry(req);
++        if (ret != EOK) {
++            tevent_req_error(req, ret);
++        }
++        return;
++    } else if (ret != EOK) {
++        tevent_req_error(req, ret);
++        return;
++    }
++
++    if (reply_count == 0) {
++        ret = sysdb_del_autofsentry_by_key(state->id_ctx->be->domain,
++                                           state->mapname, state->entryname);
++        if (ret != EOK) {
++            DEBUG(SSSDBG_MINOR_FAILURE, "Cannot delete entry %s:%s\n",
++                  state->mapname, state->entryname);
++            tevent_req_error(req, ret);
++            return;
++        }
++
++        tevent_req_done(req);
++        return;
++    }
++
++    ret = add_autofs_entry(state->id_ctx->be->domain, state->mapname,
++                           state->opts, reply[0], time(NULL));
++    if (ret != EOK) {
++        DEBUG(SSSDBG_OP_FAILURE,
++             "Cannot save autofs entry %s:%s [%d]: %s\n",
++              state->mapname, state->entryname, ret, strerror(ret));
++        tevent_req_error(req, ret);
++        return;
++    }
++
++    tevent_req_done(req);
++}
++
++errno_t sdap_autofs_get_entry_recv(struct tevent_req *req,
++                                   int *dp_error)
++{
++    struct sdap_autofs_get_entry_state *state;
++
++    state = tevent_req_data(req, struct sdap_autofs_get_entry_state);
++
++    TEVENT_REQ_RETURN_ON_ERROR(req);
++
++    *dp_error = state->dp_error;
++
++    return EOK;
++}
+diff --git a/src/providers/ldap/sdap_autofs.c b/src/providers/ldap/sdap_autofs.c
+index 9a5ed11e8..b1e4b5aef 100644
+--- a/src/providers/ldap/sdap_autofs.c
++++ b/src/providers/ldap/sdap_autofs.c
+@@ -391,6 +391,90 @@ sdap_autofs_get_map_handler_recv(TALLOC_CTX *mem_ctx,
+     return EOK;
+ }
+ 
++struct sdap_autofs_get_entry_handler_state {
++    struct dp_reply_std reply;
++};
++
++static void sdap_autofs_get_entry_handler_done(struct tevent_req *subreq);
++
++struct tevent_req *
++sdap_autofs_get_entry_handler_send(TALLOC_CTX *mem_ctx,
++                                 struct sdap_id_ctx *id_ctx,
++                                 struct dp_autofs_data *data,
++                                 struct dp_req_params *params)
++{
++    struct sdap_autofs_get_entry_handler_state *state;
++    struct tevent_req *subreq;
++    struct tevent_req *req;
++    errno_t ret;
++
++    req = tevent_req_create(mem_ctx, &state,
++                            struct sdap_autofs_get_entry_handler_state);
++    if (req == NULL) {
++        DEBUG(SSSDBG_CRIT_FAILURE, "tevent_req_create() failed\n");
++        return NULL;
++    }
++
++    DEBUG(SSSDBG_FUNC_DATA, "Requested refresh for: %s:%s\n",
++          data->mapname, data->entryname);
++
++    subreq = sdap_autofs_get_entry_send(mem_ctx, id_ctx,
++                                        data->mapname, data->entryname);
++    if (subreq == NULL) {
++        DEBUG(SSSDBG_CRIT_FAILURE, "Unable to send request for %s:%s.\n",
++              data->mapname, data->entryname);
++        ret = ENOMEM;
++        goto immediately;
++    }
++
++    tevent_req_set_callback(subreq, sdap_autofs_get_entry_handler_done, req);
++
++    return req;
++
++immediately:
++    dp_reply_std_set(&state->reply, DP_ERR_DECIDE, ret, NULL);
++
++    /* TODO For backward compatibility we always return EOK to DP now. */
++    tevent_req_done(req);
++    tevent_req_post(req, params->ev);
++
++    return req;
++}
++
++static void sdap_autofs_get_entry_handler_done(struct tevent_req *subreq)
++{
++    struct sdap_autofs_get_entry_handler_state *state;
++    struct tevent_req *req;
++    int dp_error;
++    errno_t ret;
++
++    req = tevent_req_callback_data(subreq, struct tevent_req);
++    state = tevent_req_data(req, struct sdap_autofs_get_entry_handler_state);
++
++    ret = sdap_autofs_get_entry_recv(subreq, &dp_error);
++    talloc_zfree(subreq);
++
++    /* TODO For backward compatibility we always return EOK to DP now. */
++    dp_reply_std_set(&state->reply, dp_error, ret, NULL);
++    tevent_req_done(req);
++}
++
++errno_t
++sdap_autofs_get_entry_handler_recv(TALLOC_CTX *mem_ctx,
++                                   struct tevent_req *req,
++                                   struct dp_reply_std *data)
++{
++    struct sdap_autofs_get_entry_handler_state *state = NULL;
++
++    state = tevent_req_data(req, struct sdap_autofs_get_entry_handler_state);
++
++    TEVENT_REQ_RETURN_ON_ERROR(req);
++
++    *data = state->reply;
++
++    return EOK;
++}
++
+ errno_t sdap_autofs_init(TALLOC_CTX *mem_ctx,
+                          struct be_ctx *be_ctx,
+                          struct sdap_id_ctx *id_ctx,
+@@ -414,5 +498,9 @@ errno_t sdap_autofs_init(TALLOC_CTX *mem_ctx,
+                   sdap_autofs_get_map_handler_send, sdap_autofs_get_map_handler_recv, id_ctx,
+                   struct sdap_id_ctx, struct dp_autofs_data, struct dp_reply_std);
+ 
++    dp_set_method(dp_methods, DPM_AUTOFS_GET_ENTRY,
++                  sdap_autofs_get_entry_handler_send, sdap_autofs_get_entry_handler_recv, id_ctx,
++                  struct sdap_id_ctx, struct dp_autofs_data, struct dp_reply_std);
++
+     return EOK;
+ }
+diff --git a/src/providers/ldap/sdap_autofs.h b/src/providers/ldap/sdap_autofs.h
+index 34b9ca953..210393746 100644
+--- a/src/providers/ldap/sdap_autofs.h
++++ b/src/providers/ldap/sdap_autofs.h
+@@ -50,5 +50,13 @@ struct tevent_req *sdap_autofs_get_map_send(TALLOC_CTX *mem_ctx,
+ errno_t sdap_autofs_get_map_recv(struct tevent_req *req,
+                                  int *dp_error);
+ 
++struct tevent_req *sdap_autofs_get_entry_send(TALLOC_CTX *mem_ctx,
++                                              struct sdap_id_ctx *id_ctx,
++                                              const char *mapname,
++                                              const char *entryname);
++
++errno_t sdap_autofs_get_entry_recv(struct tevent_req *req,
++                                   int *dp_error);
++
+ #endif /* _SDAP_AUTOFS_H_ */
+ 
+diff --git a/src/responder/common/cache_req/plugins/cache_req_autofs_entry_by_name.c b/src/responder/common/cache_req/plugins/cache_req_autofs_entry_by_name.c
+index f4d0cb140..422fe90c4 100644
+--- a/src/responder/common/cache_req/plugins/cache_req_autofs_entry_by_name.c
++++ b/src/responder/common/cache_req/plugins/cache_req_autofs_entry_by_name.c
+@@ -72,8 +72,8 @@ cache_req_autofs_entry_by_name_dp_send(TALLOC_CTX *mem_ctx,
+                                        struct ldb_result *result)
+ {
+     return sss_dp_get_autofs_send(mem_ctx, cr->rctx, domain, true,
+-                                  SSS_DP_AUTOFS_ENUMERATE,
+-                                  data->name.name, NULL);
++                                  SSS_DP_AUTOFS_GET_ENTRY,
++                                  data->name.name, data->autofs_entry_name);
+ }
+ 
+ const struct cache_req_plugin cache_req_autofs_entry_by_name = {
+-- 
+2.20.1
+
diff --git a/SOURCES/0087-autofs-allow-to-run-only-setent-without-enumeration-.patch b/SOURCES/0087-autofs-allow-to-run-only-setent-without-enumeration-.patch
new file mode 100644
index 0000000..c6c2c24
--- /dev/null
+++ b/SOURCES/0087-autofs-allow-to-run-only-setent-without-enumeration-.patch
@@ -0,0 +1,49 @@
+From 3e04a812772191e2c0e4f4be70584990a7235cbe Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
+Date: Thu, 15 Aug 2019 12:52:04 +0200
+Subject: [PATCH 87/90] autofs: allow to run only setent without enumeration in
+ test tool
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+So we can test that setent stores only the map object.
+
+Resolves:
+https://pagure.io/SSSD/sssd/issue/2607
+
+Reviewed-by: Tomáš Halman <thalman@redhat.com>
+---
+ src/sss_client/autofs/autofs_test_client.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/src/sss_client/autofs/autofs_test_client.c b/src/sss_client/autofs/autofs_test_client.c
+index 6bbd2a0e8..18d666895 100644
+--- a/src/sss_client/autofs/autofs_test_client.c
++++ b/src/sss_client/autofs/autofs_test_client.c
+@@ -44,9 +44,11 @@ int main(int argc, const char *argv[])
+     char *key = NULL;
+     char *value = NULL;
+     char *pc_key = NULL;
++    int pc_setent = 0;
+     struct poptOption long_options[] = {
+         POPT_AUTOHELP
+         { "by-name",  'n', POPT_ARG_STRING, &pc_key, 0, "Request map by name", NULL },
++        { "only-setent",  's', POPT_ARG_VAL, &pc_setent, 1, "Run only setent, do not enumerate", NULL },
+         POPT_TABLEEND
+     };
+     poptContext pc = NULL;
+@@ -75,6 +77,10 @@ int main(int argc, const char *argv[])
+     }
+     printf("setautomntent done for %s\n", mapname);
+ 
++    if (pc_setent) {
++        goto end;
++    }
++
+     if (!pc_key) {
+         do {
+             ret = _sss_getautomntent_r(&key, &value, ctx);
+-- 
+2.20.1
+
diff --git a/SOURCES/0088-autofs-always-refresh-auto.master.patch b/SOURCES/0088-autofs-always-refresh-auto.master.patch
new file mode 100644
index 0000000..a3db06c
--- /dev/null
+++ b/SOURCES/0088-autofs-always-refresh-auto.master.patch
@@ -0,0 +1,218 @@
+From ac712654f07be9e9c05156c89af54eac483d75d6 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
+Date: Mon, 2 Sep 2019 13:05:14 +0200
+Subject: [PATCH 88/90] autofs: always refresh auto.master
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Reviewed-by: Tomáš Halman <thalman@redhat.com>
+---
+ src/responder/autofs/autofs_private.h | 10 ++++-
+ src/responder/autofs/autofssrv.c      | 25 ++++++++----
+ src/responder/autofs/autofssrv_cmd.c  | 56 ++++++++++++++++++++++-----
+ 3 files changed, 74 insertions(+), 17 deletions(-)
+
+diff --git a/src/responder/autofs/autofs_private.h b/src/responder/autofs/autofs_private.h
+index 3be25d4d9..175a7768f 100644
+--- a/src/responder/autofs/autofs_private.h
++++ b/src/responder/autofs/autofs_private.h
+@@ -21,6 +21,8 @@
+ #ifndef _AUTOFSSRV_PRIVATE_H_
+ #define _AUTOFSSRV_PRIVATE_H_
+ 
++#include <dhash.h>
++
+ #include "responder/common/responder.h"
+ #include "responder/common/responder_sbus.h"
+ #include "responder/common/cache_req/cache_req.h"
+@@ -55,6 +57,12 @@ struct autofs_enum_ctx {
+     /* False if the result is being created. */
+     bool ready;
+ 
++    /* Enumeration context key. */
++    const char *key;
++
++    /* Hash table that contains this enumeration context. */
++    hash_table_t *table;
++
+     /* Requests that awaits the data. */
+     struct setent_req_list *notify_list;
+ };
+@@ -62,6 +70,6 @@ struct autofs_enum_ctx {
+ struct sss_cmd_table *get_autofs_cmds(void);
+ int autofs_connection_setup(struct cli_ctx *cctx);
+ 
+-errno_t autofs_orphan_maps(struct autofs_ctx *actx);
++void autofs_orphan_maps(struct autofs_ctx *actx);
+ 
+ #endif /* _AUTOFSSRV_PRIVATE_H_ */
+diff --git a/src/responder/autofs/autofssrv.c b/src/responder/autofs/autofssrv.c
+index 309ed76b1..922da5fd4 100644
+--- a/src/responder/autofs/autofssrv.c
++++ b/src/responder/autofs/autofssrv.c
+@@ -85,17 +85,26 @@ static int autofs_clean_hash_table(struct sbus_request *dbus_req, void *data)
+     struct resp_ctx *rctx = talloc_get_type(data, struct resp_ctx);
+     struct autofs_ctx *actx =
+             talloc_get_type(rctx->pvt_ctx, struct autofs_ctx);
+-    errno_t ret;
+ 
+-    ret = autofs_orphan_maps(actx);
+-    if (ret != EOK) {
+-        DEBUG(SSSDBG_OP_FAILURE, "Could not invalidate maps\n");
+-        return ret;
+-    }
++    autofs_orphan_maps(actx);
+ 
+     return sbus_request_return_and_finish(dbus_req, DBUS_TYPE_INVALID);
+ }
+ 
++static void
++autofs_maps_delete_cb(hash_entry_t *item,
++                      hash_destroy_enum deltype,
++                      void *pvt)
++{
++    struct autofs_ctx *autofs_ctx;
++    struct autofs_enum_ctx *enum_ctx;
++
++    autofs_ctx = talloc_get_type(pvt, struct autofs_ctx);
++
++    enum_ctx = sss_ptr_get_value(&item->value, struct autofs_enum_ctx);
++    talloc_unlink(autofs_ctx->maps, enum_ctx);
++}
++
+ static int
+ autofs_process_init(TALLOC_CTX *mem_ctx,
+                     struct tevent_context *ev,
+@@ -158,7 +167,9 @@ autofs_process_init(TALLOC_CTX *mem_ctx,
+     }
+ 
+     /* Create the lookup table for setautomntent results */
+-    autofs_ctx->maps = sss_ptr_hash_create(autofs_ctx, NULL, NULL);
++    autofs_ctx->maps = sss_ptr_hash_create(autofs_ctx,
++                                           autofs_maps_delete_cb,
++                                           autofs_ctx);
+     if (autofs_ctx->maps == NULL) {
+         DEBUG(SSSDBG_CRIT_FAILURE,
+               "Unable to initialize automount maps hash table\n");
+diff --git a/src/responder/autofs/autofssrv_cmd.c b/src/responder/autofs/autofssrv_cmd.c
+index d413f8570..71938399e 100644
+--- a/src/responder/autofs/autofssrv_cmd.c
++++ b/src/responder/autofs/autofssrv_cmd.c
+@@ -131,12 +131,12 @@ autofs_fill_entry(struct ldb_message *entry, struct sss_packet *packet, size_t *
+     return EOK;
+ }
+ 
+-errno_t
++void
+ autofs_orphan_maps(struct autofs_ctx *autofs_ctx)
+ {
+-    sss_ptr_hash_delete_all(autofs_ctx->maps, true);
+-
+-    return EOK;
++    /* It will automatically decrease the refcount of enum_ctx through
++     * delete callback. */
++    sss_ptr_hash_delete_all(autofs_ctx->maps, false);
+ }
+ 
+ static void
+@@ -149,8 +149,8 @@ autofs_enumctx_lifetime_timeout(struct tevent_context *ev,
+ 
+     enum_ctx = talloc_get_type(pvt, struct autofs_enum_ctx);
+ 
+-    /* Free the context. It will be automatically removed from the hash table. */
+-    talloc_free(enum_ctx);
++    /* Remove it from the table. It will automatically decrease the refcount. */
++    sss_ptr_hash_delete(enum_ctx->table, enum_ctx->key, false);
+ }
+ 
+ static void
+@@ -185,6 +185,13 @@ autofs_create_enumeration_context(TALLOC_CTX *mem_ctx,
+     }
+ 
+     enum_ctx->ready = false;
++    enum_ctx->table = autofs_ctx->maps;
++
++    enum_ctx->key = talloc_strdup(enum_ctx, mapname);
++    if (enum_ctx->key == NULL) {
++        talloc_free(enum_ctx);
++        return NULL;
++    }
+ 
+     ret = sss_ptr_hash_add(autofs_ctx->maps, mapname,
+                            enum_ctx, struct autofs_enum_ctx);
+@@ -196,6 +203,34 @@ autofs_create_enumeration_context(TALLOC_CTX *mem_ctx,
+     return enum_ctx;
+ }
+ 
++static void
++autofs_orphan_master_map(struct autofs_ctx *autofs_ctx,
++                         const char *mapname)
++{
++    struct sss_domain_info *dom;
++    errno_t ret;
++
++    if (strcmp(mapname, "auto.master") != 0) {
++        return;
++    }
++
++    DEBUG(SSSDBG_TRACE_FUNC, "Invalidating master map\n");
++
++    /* Remove and invalidate all maps. */
++    autofs_orphan_maps(autofs_ctx);
++
++    DEBUG(SSSDBG_TRACE_FUNC, "Invalidating autofs maps\n");
++    for (dom = autofs_ctx->rctx->domains;
++         dom != NULL;
++         dom = get_next_domain(dom, SSS_GND_DESCEND)) {
++        ret = sysdb_invalidate_autofs_maps(dom);
++        if (ret != EOK) {
++            DEBUG(SSSDBG_MINOR_FAILURE, "Unable to invalidate maps in "
++                  "%s [%d]: %s\n", dom->name, ret, sss_strerror(ret));
++        }
++    }
++}
++
+ struct autofs_setent_state {
+     struct autofs_ctx *autofs_ctx;
+     struct autofs_enum_ctx *enum_ctx;
+@@ -323,7 +358,8 @@ static void autofs_setent_done(struct tevent_req *subreq)
+ }
+ 
+ static errno_t
+-autofs_setent_recv(struct tevent_req *req,
++autofs_setent_recv(TALLOC_CTX *mem_ctx,
++                   struct tevent_req *req,
+                    struct autofs_enum_ctx **_enum_ctx)
+ {
+     struct autofs_setent_state *state;
+@@ -331,7 +367,7 @@ autofs_setent_recv(struct tevent_req *req,
+ 
+     TEVENT_REQ_RETURN_ON_ERROR(req);
+ 
+-    *_enum_ctx = state->enum_ctx;
++    *_enum_ctx = talloc_reference(mem_ctx, state->enum_ctx);
+ 
+     return EOK;
+ }
+@@ -430,6 +466,8 @@ sss_autofs_cmd_setautomntent(struct cli_ctx *cli_ctx)
+         goto done;
+     }
+ 
++    autofs_orphan_master_map(autofs_ctx, cmd_ctx->mapname);
++
+     DEBUG(SSSDBG_TRACE_FUNC, "Obtaining autofs map %s\n",
+           cmd_ctx->mapname);
+ 
+@@ -668,7 +706,7 @@ sss_autofs_cmd_getautomntent_done(struct tevent_req *req)
+ 
+     cmd_ctx = tevent_req_callback_data(req, struct autofs_cmd_ctx);
+ 
+-    ret = autofs_setent_recv(req, &enum_ctx);
++    ret = autofs_setent_recv(cmd_ctx, req, &enum_ctx);
+     talloc_zfree(req);
+     if (ret != EOK) {
+         autofs_cmd_done(cmd_ctx, ret);
+-- 
+2.20.1
+
diff --git a/SOURCES/0089-sysdb-invalidate-also-autofs-entries.patch b/SOURCES/0089-sysdb-invalidate-also-autofs-entries.patch
new file mode 100644
index 0000000..03a174d
--- /dev/null
+++ b/SOURCES/0089-sysdb-invalidate-also-autofs-entries.patch
@@ -0,0 +1,194 @@
+From 58f3d546954d7c2298a0b57865f7d5ad51f69aec Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
+Date: Thu, 5 Sep 2019 11:32:11 +0200
+Subject: [PATCH 89/90] sysdb: invalidate also autofs entries
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Autofs entries got data expiration attribute so we must
+make sure it is invalidated as well.
+
+Resolves:
+https://pagure.io/SSSD/sssd/issue/2607
+
+Reviewed-by: Tomáš Halman <thalman@redhat.com>
+---
+ src/db/sysdb_autofs.c | 131 ++++++++++++++++++++++++++++++++++++++++++
+ src/db/sysdb_autofs.h |   4 ++
+ 2 files changed, 135 insertions(+)
+
+diff --git a/src/db/sysdb_autofs.c b/src/db/sysdb_autofs.c
+index 11841d50d..413b00722 100644
+--- a/src/db/sysdb_autofs.c
++++ b/src/db/sysdb_autofs.c
+@@ -530,6 +530,37 @@ done:
+     return ret;
+ }
+ 
++errno_t
++sysdb_set_autofsentry_attr(struct sss_domain_info *domain,
++                           const char *mapname,
++                           const char *key,
++                           const char *value,
++                           struct sysdb_attrs *attrs,
++                           int mod_op)
++{
++    TALLOC_CTX *tmp_ctx;
++    struct ldb_dn *dn;
++    errno_t ret;
++
++    tmp_ctx = talloc_new(NULL);
++    if (tmp_ctx == NULL) {
++        DEBUG(SSSDBG_FATAL_FAILURE, "Out of memory!\n");
++        return ENOMEM;
++    }
++
++    dn = sysdb_autofsentry_dn(tmp_ctx, domain, mapname, key, value);
++    if (dn == NULL) {
++        ret = ENOMEM;
++        goto done;
++    }
++
++    ret = sysdb_set_entry_attr(domain->sysdb, dn, attrs, mod_op);
++
++done:
++    talloc_free(tmp_ctx);
++    return ret;
++}
++
+ errno_t
+ sysdb_set_autofsmap_attr(struct sss_domain_info *domain,
+                          const char *name,
+@@ -558,6 +589,99 @@ done:
+     return ret;
+ }
+ 
++errno_t
++sysdb_invalidate_autofs_entries(struct sss_domain_info *domain,
++                                const char *mapname)
++{
++    TALLOC_CTX *tmp_ctx;
++    bool in_transaction = false;
++    struct ldb_message **entries;
++    struct sysdb_attrs *attrs;
++    const char *value;
++    const char *key;
++    size_t count;
++    errno_t ret;
++    size_t i;
++    int sret;
++
++    tmp_ctx = talloc_new(NULL);
++    if (tmp_ctx == NULL) {
++        DEBUG(SSSDBG_FATAL_FAILURE, "Out of memory!\n");
++        return ENOMEM;
++    }
++
++    ret = sysdb_autofs_entries_by_map(tmp_ctx, domain, mapname,
++                                      &count, &entries);
++    if (ret == ENOENT) {
++        ret = EOK;
++        goto done;
++    } else if (ret != EOK) {
++        goto done;
++    }
++
++    attrs = sysdb_new_attrs(tmp_ctx);
++    if (attrs == NULL) {
++        ret = ENOMEM;
++        goto done;
++    }
++
++    ret = sysdb_attrs_add_time_t(attrs, SYSDB_CACHE_EXPIRE, 1);
++    if (ret != EOK) {
++        goto done;
++    }
++
++    ret = sysdb_transaction_start(domain->sysdb);
++    if (ret != EOK) {
++        DEBUG(SSSDBG_CRIT_FAILURE, "Failed to start transaction\n");
++        goto done;
++    }
++    in_transaction = true;
++
++    for (i = 0; i < count; i++) {
++        key = ldb_msg_find_attr_as_string(entries[i], SYSDB_AUTOFS_ENTRY_KEY,
++                                          NULL);
++        if (key == NULL) {
++            DEBUG(SSSDBG_MINOR_FAILURE, "An entry with no key?\n");
++            continue;
++        }
++
++        value = ldb_msg_find_attr_as_string(entries[i],
++                                            SYSDB_AUTOFS_ENTRY_VALUE,
++                                            NULL);
++        if (value == NULL) {
++            DEBUG(SSSDBG_MINOR_FAILURE, "An entry with no value?\n");
++            continue;
++        }
++
++        ret = sysdb_set_autofsentry_attr(domain, mapname, key, value,
++                                         attrs, SYSDB_MOD_REP);
++        if (ret != EOK) {
++            DEBUG(SSSDBG_MINOR_FAILURE, "Could not expire entry %s\n", key);
++            continue;
++        }
++    }
++
++    ret = sysdb_transaction_commit(domain->sysdb);
++    if (ret != EOK) {
++        DEBUG(SSSDBG_OP_FAILURE, "Could not commit transaction\n");
++        goto done;
++    }
++    in_transaction = false;
++
++    ret = EOK;
++
++done:
++    if (in_transaction) {
++        sret = sysdb_transaction_cancel(domain->sysdb);
++        if (sret != EOK) {
++            DEBUG(SSSDBG_OP_FAILURE, "Could not cancel transaction\n");
++        }
++    }
++
++    talloc_free(tmp_ctx);
++    return ret;
++}
++
+ errno_t
+ sysdb_invalidate_autofs_maps(struct sss_domain_info *domain)
+ {
+@@ -634,6 +758,13 @@ sysdb_invalidate_autofs_maps(struct sss_domain_info *domain)
+             DEBUG(SSSDBG_MINOR_FAILURE, "Could not expire map %s\n", name);
+             continue;
+         }
++
++        ret =  sysdb_invalidate_autofs_entries(domain, name);
++        if (ret != EOK) {
++            DEBUG(SSSDBG_MINOR_FAILURE, "Could not expire map entries %s\n",
++                  name);
++            continue;
++        }
+     }
+ 
+     ret = sysdb_transaction_commit(domain->sysdb);
+diff --git a/src/db/sysdb_autofs.h b/src/db/sysdb_autofs.h
+index 3775e2a17..37489f2e8 100644
+--- a/src/db/sysdb_autofs.h
++++ b/src/db/sysdb_autofs.h
+@@ -93,6 +93,10 @@ sysdb_set_autofsmap_attr(struct sss_domain_info *domain,
+                          struct sysdb_attrs *attrs,
+                          int mod_op);
+ 
++errno_t
++sysdb_invalidate_autofs_entries(struct sss_domain_info *domain,
++                                const char *mapname);
++
+ errno_t
+ sysdb_invalidate_autofs_maps(struct sss_domain_info *domain);
+ 
+-- 
+2.20.1
+
diff --git a/SOURCES/0090-sss_cache-invalidate-also-autofs-entries.patch b/SOURCES/0090-sss_cache-invalidate-also-autofs-entries.patch
new file mode 100644
index 0000000..6e076a2
--- /dev/null
+++ b/SOURCES/0090-sss_cache-invalidate-also-autofs-entries.patch
@@ -0,0 +1,49 @@
+From 9131b90f08e69a4d71c6d1524e3b8929d947b7c7 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
+Date: Thu, 5 Sep 2019 11:32:53 +0200
+Subject: [PATCH 90/90] sss_cache: invalidate also autofs entries
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Invalidating map will also invalidate all its child entries.
+
+Resolves:
+https://pagure.io/SSSD/sssd/issue/2607
+
+Reviewed-by: Tomáš Halman <thalman@redhat.com>
+---
+ src/tools/sss_cache.c | 15 +++++++++++++++
+ 1 file changed, 15 insertions(+)
+
+diff --git a/src/tools/sss_cache.c b/src/tools/sss_cache.c
+index 6bdcf610c..34bfa76bc 100644
+--- a/src/tools/sss_cache.c
++++ b/src/tools/sss_cache.c
+@@ -576,8 +576,23 @@ static errno_t invalidate_entry(TALLOC_CTX *ctx,
+                                                  sys_attrs, SYSDB_MOD_REP);
+                     break;
+                 case TYPE_AUTOFSMAP:
++                    /* For users, we also need to reset the enumeration
++                     * expiration time. */
++                    ret = sysdb_attrs_add_time_t(sys_attrs,
++                                                 SYSDB_ENUM_EXPIRE, 1);
++                    if (ret != EOK) {
++                        return ret;
++                    }
++
+                     ret = sysdb_set_autofsmap_attr(domain, name,
+                                                    sys_attrs, SYSDB_MOD_REP);
++                    if (ret != EOK) {
++                        DEBUG(SSSDBG_MINOR_FAILURE, "Could not invalidate "
++                              "autofs map %s\n", name);
++                        break;
++                    }
++
++                    ret = sysdb_invalidate_autofs_entries(domain, name);
+                     break;
+                 case TYPE_SSH_HOST:
+ #ifdef BUILD_SSH
+-- 
+2.20.1
+
diff --git a/SOURCES/0091-CONFDB-Files-domain-if-activated-without-.conf.patch b/SOURCES/0091-CONFDB-Files-domain-if-activated-without-.conf.patch
new file mode 100644
index 0000000..6ee7bb0
--- /dev/null
+++ b/SOURCES/0091-CONFDB-Files-domain-if-activated-without-.conf.patch
@@ -0,0 +1,35 @@
+From 5b571efa60f8ce86089772fdd43555174692d0d2 Mon Sep 17 00:00:00 2001
+From: Tomas Halman <thalman@redhat.com>
+Date: Thu, 5 Sep 2019 09:28:55 +0200
+Subject: [PATCH 91/92] CONFDB: Files domain if activated without .conf
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Implicit files domain gets activated when no sssd.conf present
+and sssd is started. This does not respect --disable-files-domain
+configure option
+
+Resolves:
+https://bugzilla.redhat.com/show_bug.cgi?id=1713352
+
+Reviewed-by: Michal Židek <mzidek@redhat.com>
+---
+ src/confdb/confdb_setup.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/src/confdb/confdb_setup.c b/src/confdb/confdb_setup.c
+index 5e3558965..e9944957d 100644
+--- a/src/confdb/confdb_setup.c
++++ b/src/confdb/confdb_setup.c
+@@ -34,7 +34,6 @@
+ "version: 2\n\n" \
+ "dn: cn=sssd,cn=config\n" \
+ "cn: sssd\n" \
+-"enable_files_domain: true\n" \
+ "services: nss\n\n"
+ #endif /* SSSD_FALLBACK_CONFIG_LDIF */
+ 
+-- 
+2.20.1
+
diff --git a/SOURCES/0092-TESTS-adapt-tests-to-enabled-default-files-domain.patch b/SOURCES/0092-TESTS-adapt-tests-to-enabled-default-files-domain.patch
new file mode 100644
index 0000000..6f14e43
--- /dev/null
+++ b/SOURCES/0092-TESTS-adapt-tests-to-enabled-default-files-domain.patch
@@ -0,0 +1,65 @@
+From e48cdfb69b43964d5472bdf011af59343c719a06 Mon Sep 17 00:00:00 2001
+From: Tomas Halman <thalman@redhat.com>
+Date: Thu, 5 Sep 2019 09:30:04 +0200
+Subject: [PATCH 92/92] TESTS: adapt tests to enabled default files domain
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Some tests expect that SSSD is compiled with --enable-files-domain
+option (test_no_sssd_conf). But having this enabled by default
+breaks some other tests.
+
+This patch adds --enable-files-domain to test build and explicitly
+disables the domain in configuration of some tests (ldap, enumeration).
+
+Resolves:
+https://bugzilla.redhat.com/show_bug.cgi?id=1713352
+
+Reviewed-by: Michal Židek <mzidek@redhat.com>
+---
+ Makefile.am                        | 2 ++
+ src/tests/intg/test_enumeration.py | 1 +
+ src/tests/intg/test_ldap.py        | 1 +
+ 3 files changed, 4 insertions(+)
+
+diff --git a/Makefile.am b/Makefile.am
+index bc74906a7..45a042624 100644
+--- a/Makefile.am
++++ b/Makefile.am
+@@ -3766,6 +3766,8 @@ intgcheck-prepare:
+ 	    --enable-intgcheck-reqs \
+ 	    --without-semanage \
+ 	    --with-session-recording-shell=/bin/false \
++	    --enable-local-provider \
++	    --enable-files-domain \
+ 	    $(INTGCHECK_CONFIGURE_FLAGS) \
+ 	    CFLAGS="-O2 -g $$CFLAGS -DKCM_PEER_UID=$$(id -u)"; \
+ 	$(MAKE) $(AM_MAKEFLAGS) ; \
+diff --git a/src/tests/intg/test_enumeration.py b/src/tests/intg/test_enumeration.py
+index 669fd86c7..c105c6df0 100644
+--- a/src/tests/intg/test_enumeration.py
++++ b/src/tests/intg/test_enumeration.py
+@@ -113,6 +113,7 @@ def format_basic_conf(ldap_conn, schema):
+         debug_level         = 0xffff
+         domains             = LDAP
+         services            = nss, pam
++        enable_files_domain = false
+ 
+         [nss]
+         debug_level         = 0xffff
+diff --git a/src/tests/intg/test_ldap.py b/src/tests/intg/test_ldap.py
+index 787255f92..c432068f9 100644
+--- a/src/tests/intg/test_ldap.py
++++ b/src/tests/intg/test_ldap.py
+@@ -117,6 +117,7 @@ def format_basic_conf(ldap_conn, schema):
+         debug_level         = 0xffff
+         domains             = LDAP
+         services            = nss, pam
++        enable_files_domain = false
+ 
+         [nss]
+         debug_level         = 0xffff
+-- 
+2.20.1
+
diff --git a/SOURCES/0093-utils-extend-some-find_domain_-calls-to-search-disab.patch b/SOURCES/0093-utils-extend-some-find_domain_-calls-to-search-disab.patch
new file mode 100644
index 0000000..31c7070
--- /dev/null
+++ b/SOURCES/0093-utils-extend-some-find_domain_-calls-to-search-disab.patch
@@ -0,0 +1,272 @@
+From 2ea937af47c529ca827bcdd307a47e2b96690d38 Mon Sep 17 00:00:00 2001
+From: Sumit Bose <sbose@redhat.com>
+Date: Thu, 12 Sep 2019 14:49:30 +0200
+Subject: [PATCH 93/97] utils: extend some find_domain_* calls to search
+ disabled domain
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+This extension is needed to support disabled domains since it is
+now important to know if a domain is really unknown or only disabled.
+While an unknown domain might typically lead to an error, a caller might
+just ignore requests for disabled domains or objects from disabled
+domains.
+
+Related to https://pagure.io/SSSD/sssd/issue/4078
+
+Reviewed-by: Pavel Březina <pbrezina@redhat.com>
+---
+ src/providers/ipa/ipa_id.c                 |  3 +-
+ src/responder/sudo/sudosrv_get_sudorules.c |  3 +-
+ src/tests/cmocka/test_utils.c              | 90 ++++++++++++++++++++++
+ src/util/domain_info_utils.c               | 31 +++++---
+ src/util/util.h                            |  7 +-
+ 5 files changed, 122 insertions(+), 12 deletions(-)
+
+diff --git a/src/providers/ipa/ipa_id.c b/src/providers/ipa/ipa_id.c
+index 9abee34cb..f34692aa2 100644
+--- a/src/providers/ipa/ipa_id.c
++++ b/src/providers/ipa/ipa_id.c
+@@ -138,7 +138,8 @@ static errno_t ipa_resolve_user_list_get_user_step(struct tevent_req *req)
+ 
+     state->user_domain = find_domain_by_object_name_ex(
+                                         state->ipa_ctx->sdap_id_ctx->be->domain,
+-                                        ar->filter_value, true);
++                                        ar->filter_value, true,
++                                        SSS_GND_DESCEND);
+     /* Use provided domain as fallback because no known domain was found in the
+      * user name. */
+     if (state->user_domain == NULL) {
+diff --git a/src/responder/sudo/sudosrv_get_sudorules.c b/src/responder/sudo/sudosrv_get_sudorules.c
+index d928a5ead..c9c11bfde 100644
+--- a/src/responder/sudo/sudosrv_get_sudorules.c
++++ b/src/responder/sudo/sudosrv_get_sudorules.c
+@@ -147,7 +147,8 @@ static errno_t sudosrv_format_runas(struct resp_ctx *rctx,
+             continue;
+         }
+ 
+-        dom = find_domain_by_object_name_ex(rctx->domains, value, true);
++        dom = find_domain_by_object_name_ex(rctx->domains, value, true,
++                                            SSS_GND_DESCEND);
+         if (dom == NULL) {
+             continue;
+         }
+diff --git a/src/tests/cmocka/test_utils.c b/src/tests/cmocka/test_utils.c
+index 1a8699a2a..d49eb9fbc 100644
+--- a/src/tests/cmocka/test_utils.c
++++ b/src/tests/cmocka/test_utils.c
+@@ -400,6 +400,92 @@ void test_find_domain_by_name_disabled(void **state)
+     }
+ }
+ 
++void test_find_domain_by_name_ex_disabled(void **state)
++{
++    struct dom_list_test_ctx *test_ctx = talloc_get_type(*state,
++                                                      struct dom_list_test_ctx);
++    struct sss_domain_info *dom;
++    struct sss_domain_info *disabled_dom;
++    size_t c;
++    size_t mis;
++
++    mis = test_ctx->dom_count/2;
++    assert_true((mis >= 1 && mis < test_ctx->dom_count));
++
++    dom = test_ctx->dom_list;
++    for (c = 0; c < mis; c++) {
++        assert_non_null(dom);
++        dom = dom->next;
++    }
++    assert_non_null(dom);
++    sss_domain_set_state(dom, DOM_DISABLED);
++    disabled_dom = dom;
++
++    dom = find_domain_by_name(test_ctx->dom_list, disabled_dom->name, true);
++    assert_null(dom);
++
++    dom = find_domain_by_name_ex(test_ctx->dom_list, disabled_dom->name, true,
++                                 SSS_GND_DESCEND);
++    assert_null(dom);
++
++    dom = find_domain_by_name_ex(test_ctx->dom_list, disabled_dom->name, true,
++                                 SSS_GND_DESCEND | SSS_GND_INCLUDE_DISABLED);
++    assert_non_null(dom);
++    assert_ptr_equal(disabled_dom, dom);
++
++    dom = find_domain_by_name_ex(test_ctx->dom_list, disabled_dom->name, true,
++                                 SSS_GND_ALL_DOMAINS);
++    assert_non_null(dom);
++    assert_ptr_equal(disabled_dom, dom);
++}
++
++void test_find_domain_by_object_name_ex(void **state)
++{
++    struct dom_list_test_ctx *test_ctx = talloc_get_type(*state,
++                                                      struct dom_list_test_ctx);
++    struct sss_domain_info *dom;
++    struct sss_domain_info *disabled_dom;
++    size_t c;
++    size_t mis;
++    char *obj_name;
++
++    mis = test_ctx->dom_count/2;
++    assert_true((mis >= 1 && mis < test_ctx->dom_count));
++
++    dom = test_ctx->dom_list;
++    for (c = 0; c < mis; c++) {
++        assert_non_null(dom);
++        dom = dom->next;
++    }
++    assert_non_null(dom);
++    sss_domain_set_state(dom, DOM_DISABLED);
++    disabled_dom = dom;
++
++    obj_name = talloc_asprintf(global_talloc_context, "myname@%s",
++                               disabled_dom->name);
++    assert_non_null(obj_name);
++
++
++    dom = find_domain_by_object_name(test_ctx->dom_list, obj_name);
++    assert_null(dom);
++
++    dom = find_domain_by_object_name_ex(test_ctx->dom_list, obj_name, true,
++                                        SSS_GND_DESCEND);
++    assert_null(dom);
++
++    dom = find_domain_by_object_name_ex(test_ctx->dom_list, obj_name, true,
++                                    SSS_GND_DESCEND | SSS_GND_INCLUDE_DISABLED);
++    assert_non_null(dom);
++    assert_ptr_equal(disabled_dom, dom);
++
++    dom = find_domain_by_object_name_ex(test_ctx->dom_list, obj_name, true,
++                                        SSS_GND_ALL_DOMAINS);
++    assert_non_null(dom);
++    assert_ptr_equal(disabled_dom, dom);
++
++    talloc_free(obj_name);
++}
++
+ void test_find_domain_by_sid_null(void **state)
+ {
+     struct dom_list_test_ctx *test_ctx = talloc_get_type(*state,
+@@ -1877,6 +1963,10 @@ int main(int argc, const char *argv[])
+                                         setup_dom_list, teardown_dom_list),
+         cmocka_unit_test_setup_teardown(test_find_domain_by_name_disabled,
+                                         setup_dom_list, teardown_dom_list),
++        cmocka_unit_test_setup_teardown(test_find_domain_by_name_ex_disabled,
++                                        setup_dom_list, teardown_dom_list),
++        cmocka_unit_test_setup_teardown(test_find_domain_by_object_name_ex,
++                                        setup_dom_list, teardown_dom_list),
+ 
+         cmocka_unit_test_setup_teardown(test_sss_names_init,
+                                         confdb_test_setup,
+diff --git a/src/util/domain_info_utils.c b/src/util/domain_info_utils.c
+index 4b1c9df39..c56a0611e 100644
+--- a/src/util/domain_info_utils.c
++++ b/src/util/domain_info_utils.c
+@@ -93,9 +93,10 @@ bool subdomain_enumerates(struct sss_domain_info *parent,
+     return false;
+ }
+ 
+-struct sss_domain_info *find_domain_by_name(struct sss_domain_info *domain,
+-                                            const char *name,
+-                                            bool match_any)
++struct sss_domain_info *find_domain_by_name_ex(struct sss_domain_info *domain,
++                                                const char *name,
++                                                bool match_any,
++                                                uint32_t gnd_flags)
+ {
+     struct sss_domain_info *dom = domain;
+ 
+@@ -103,21 +104,31 @@ struct sss_domain_info *find_domain_by_name(struct sss_domain_info *domain,
+         return NULL;
+     }
+ 
+-    while (dom && sss_domain_get_state(dom) == DOM_DISABLED) {
+-        dom = get_next_domain(dom, SSS_GND_DESCEND);
++    if (!(gnd_flags & SSS_GND_INCLUDE_DISABLED)) {
++        while (dom && sss_domain_get_state(dom) == DOM_DISABLED) {
++            dom = get_next_domain(dom, gnd_flags);
++        }
+     }
++
+     while (dom) {
+         if (strcasecmp(dom->name, name) == 0 ||
+             ((match_any == true) && (dom->flat_name != NULL) &&
+              (strcasecmp(dom->flat_name, name) == 0))) {
+             return dom;
+         }
+-        dom = get_next_domain(dom, SSS_GND_DESCEND);
++        dom = get_next_domain(dom, gnd_flags);
+     }
+ 
+     return NULL;
+ }
+ 
++struct sss_domain_info *find_domain_by_name(struct sss_domain_info *domain,
++                                            const char *name,
++                                            bool match_any)
++{
++    return find_domain_by_name_ex(domain, name, match_any, SSS_GND_DESCEND);
++}
++
+ struct sss_domain_info *find_domain_by_sid(struct sss_domain_info *domain,
+                                               const char *sid)
+ {
+@@ -175,7 +186,8 @@ sss_get_domain_by_sid_ldap_fallback(struct sss_domain_info *domain,
+ 
+ struct sss_domain_info *
+ find_domain_by_object_name_ex(struct sss_domain_info *domain,
+-                              const char *object_name, bool strict)
++                              const char *object_name, bool strict,
++                              uint32_t gnd_flags)
+ {
+     TALLOC_CTX *tmp_ctx;
+     struct sss_domain_info *dom = NULL;
+@@ -203,7 +215,7 @@ find_domain_by_object_name_ex(struct sss_domain_info *domain,
+             dom = domain;
+         }
+     } else {
+-        dom = find_domain_by_name(domain, domainname, true);
++        dom = find_domain_by_name_ex(domain, domainname, true, gnd_flags);
+     }
+ 
+ done:
+@@ -215,7 +227,8 @@ struct sss_domain_info *
+ find_domain_by_object_name(struct sss_domain_info *domain,
+                            const char *object_name)
+ {
+-    return find_domain_by_object_name_ex(domain, object_name, false);
++    return find_domain_by_object_name_ex(domain, object_name, false,
++                                         SSS_GND_DESCEND);
+ }
+ 
+ errno_t sssd_domain_init(TALLOC_CTX *mem_ctx,
+diff --git a/src/util/util.h b/src/util/util.h
+index fce7e42c3..8a754dbfd 100644
+--- a/src/util/util.h
++++ b/src/util/util.h
+@@ -542,6 +542,10 @@ struct sss_domain_info *get_next_domain(struct sss_domain_info *domain,
+ struct sss_domain_info *find_domain_by_name(struct sss_domain_info *domain,
+                                             const char *name,
+                                             bool match_any);
++struct sss_domain_info *find_domain_by_name_ex(struct sss_domain_info *domain,
++                                               const char *name,
++                                               bool match_any,
++                                               uint32_t gnd_flags);
+ struct sss_domain_info *find_domain_by_sid(struct sss_domain_info *domain,
+                                            const char *sid);
+ enum sss_domain_state sss_domain_get_state(struct sss_domain_info *dom);
+@@ -560,7 +564,8 @@ find_domain_by_object_name(struct sss_domain_info *domain,
+ 
+ struct sss_domain_info *
+ find_domain_by_object_name_ex(struct sss_domain_info *domain,
+-                              const char *object_name, bool strict);
++                              const char *object_name, bool strict,
++                              uint32_t gnd_flags);
+ 
+ bool subdomain_enumerates(struct sss_domain_info *parent,
+                           const char *sd_name);
+-- 
+2.20.1
+
diff --git a/SOURCES/0094-ipa-support-disabled-domains.patch b/SOURCES/0094-ipa-support-disabled-domains.patch
new file mode 100644
index 0000000..4aabefd
--- /dev/null
+++ b/SOURCES/0094-ipa-support-disabled-domains.patch
@@ -0,0 +1,208 @@
+From 698e27d8b465d1a507554532938058e053569b1b Mon Sep 17 00:00:00 2001
+From: Sumit Bose <sbose@redhat.com>
+Date: Wed, 7 Aug 2019 18:14:15 +0200
+Subject: [PATCH 94/97] ipa: support disabled domains
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+IPA does not disable domains with the help of a flag in the domain
+objects but more general with the help of the SID blacklist. With this
+patch the blacklist is read with other data about trusted domains and if
+the domain SID of a trusted domain is found the domain is disabled. As a
+result uses and groups from this domain cannot be looked up anymore.
+
+Related to https://pagure.io/SSSD/sssd/issue/4078
+
+Reviewed-by: Pavel Březina <pbrezina@redhat.com>
+---
+ src/providers/ipa/ipa_subdomains.c | 149 +++++++++++++++++++++++++++--
+ 1 file changed, 139 insertions(+), 10 deletions(-)
+
+diff --git a/src/providers/ipa/ipa_subdomains.c b/src/providers/ipa/ipa_subdomains.c
+index 322420264..2ffc6bf7a 100644
+--- a/src/providers/ipa/ipa_subdomains.c
++++ b/src/providers/ipa/ipa_subdomains.c
+@@ -43,6 +43,7 @@
+ #define IPA_TRUSTED_DOMAIN_SID "ipaNTTrustedDomainSID"
+ #define IPA_RANGE_TYPE "ipaRangeType"
+ #define IPA_ADDITIONAL_SUFFIXES "ipaNTAdditionalSuffixes"
++#define IPA_SID_BLACKLIST_INCOMING "ipaNTSIDBlacklistIncoming"
+ 
+ #define IPA_BASE_ID "ipaBaseID"
+ #define IPA_ID_RANGE_SIZE "ipaIDRangeSize"
+@@ -745,6 +746,129 @@ static void ipa_subdom_store_step(struct sss_domain_info *parent,
+     }
+ }
+ 
++static errno_t add_dom_sids_to_list(TALLOC_CTX *mem_ctx, const char **sids,
++                                    char ***list)
++{
++    size_t c;
++    errno_t ret;
++
++    for (c = 0; sids != NULL && sids[c] != NULL; c++) {
++        if (is_domain_sid(sids[c])) {
++            ret = add_string_to_list(mem_ctx, sids[c], list);
++            if (ret != EOK) {
++                DEBUG(SSSDBG_OP_FAILURE, "add_string_to_list failed.\n");
++                return ret;
++            }
++        }
++    }
++
++    return EOK;
++}
++
++static errno_t ipa_get_disabled_domain_sids(TALLOC_CTX *mem_ctx, size_t count,
++                                            struct sysdb_attrs **reply,
++                                            char ***disabled_domain_sids)
++{
++    size_t c;
++    char **dom_sid_list = NULL;
++    const char **tmp_list;
++    int ret;
++
++    for (c = 0; c < count; c++) {
++        ret = sysdb_attrs_get_string_array(reply[c], IPA_SID_BLACKLIST_INCOMING,
++                                           mem_ctx, &tmp_list);
++        if (ret != EOK) {
++            if (ret != ENOENT) {
++                DEBUG(SSSDBG_OP_FAILURE,
++                      "sysdb_attrs_get_string_array failed, list of disabled "
++                      "domains might be incomplete.\n");
++            }
++            continue;
++        }
++
++        ret = add_dom_sids_to_list(mem_ctx, tmp_list, &dom_sid_list);
++        talloc_free(tmp_list);
++        if (ret != EOK) {
++            DEBUG(SSSDBG_OP_FAILURE, "add_dom_sids_to_list failed.\n");
++            talloc_free(dom_sid_list);
++            return ret;
++        }
++    }
++
++    *disabled_domain_sids = dom_sid_list;
++
++    return EOK;
++}
++
++static errno_t ipa_subdomains_check_domain_state(struct sss_domain_info *dom,
++                                                 char **disabled_domain_sids)
++{
++    int ret;
++
++    if (dom->domain_id == NULL) {
++        return EINVAL;
++    }
++
++    if (disabled_domain_sids != NULL
++            && string_in_list(dom->domain_id, disabled_domain_sids, true)) {
++        DEBUG(SSSDBG_TRACE_ALL, "Domain [%s] is disabled on the server.\n",
++                                dom->name);
++        /* disable domain if not already disabled */
++        if (sss_domain_get_state(dom) != DOM_DISABLED) {
++            sss_domain_set_state(dom, DOM_DISABLED);
++            ret = sysdb_domain_set_enabled(dom->sysdb, dom->name, false);
++            if (ret != EOK) {
++                DEBUG(SSSDBG_OP_FAILURE, "sysdb_domain_set_enabled failed.\n");
++                return ret;
++            }
++        }
++    } else {
++        /* enabled domain if it was disabled */
++        DEBUG(SSSDBG_TRACE_ALL, "Domain [%s] is enabled on the server.\n",
++                                dom->name);
++        if (sss_domain_get_state(dom) == DOM_DISABLED) {
++            sss_domain_set_state(dom, DOM_ACTIVE);
++            ret = sysdb_domain_set_enabled(dom->sysdb, dom->name, true);
++            if (ret != EOK) {
++                DEBUG(SSSDBG_OP_FAILURE, "sysdb_domain_set_enabled failed.\n");
++                return ret;
++            }
++        }
++    }
++
++    return EOK;
++}
++
++
++static void ipa_subdomains_update_dom_state(struct sss_domain_info *parent,
++                                               int count,
++                                               struct sysdb_attrs **reply)
++{
++    int ret;
++    struct sss_domain_info *dom;
++    char **disabled_domain_sids = NULL;
++
++    ret = ipa_get_disabled_domain_sids(reply, count, reply,
++                                       &disabled_domain_sids);
++    if (ret != EOK) {
++        DEBUG(SSSDBG_OP_FAILURE, "ipa_get_disabled_domain_sids failed, "
++                                 "assuming no domain is disabled.\n");
++        disabled_domain_sids = NULL;
++    }
++
++    for (dom = get_next_domain(parent, SSS_GND_DESCEND|SSS_GND_INCLUDE_DISABLED);
++         dom && IS_SUBDOMAIN(dom); /* if we get back to a parent, stop */
++         dom = get_next_domain(dom, SSS_GND_INCLUDE_DISABLED)) {
++
++        /* check if domain should be disabled/enabled */
++        ret = ipa_subdomains_check_domain_state(dom, disabled_domain_sids);
++        if (ret != EOK) {
++            DEBUG(SSSDBG_CRIT_FAILURE, "Failed to check domain state, "
++                  "state of domain [%s] might be wrong.\n", dom->name);
++        }
++    }
++}
++
+ static errno_t ipa_subdomains_refresh(struct ipa_subdomains_ctx *ctx,
+                                       int count, struct sysdb_attrs **reply,
+                                       bool *changes)
+@@ -1376,7 +1500,7 @@ ipa_subdomains_slave_send(TALLOC_CTX *mem_ctx,
+     errno_t ret;
+     const char *attrs[] = { IPA_CN, IPA_FLATNAME, IPA_TRUSTED_DOMAIN_SID,
+                             IPA_TRUST_DIRECTION, IPA_ADDITIONAL_SUFFIXES,
+-                            NULL };
++                            IPA_SID_BLACKLIST_INCOMING, NULL };
+ 
+     req = tevent_req_create(mem_ctx, &state,
+                             struct ipa_subdomains_slave_state);
+@@ -1530,18 +1654,23 @@ static void ipa_subdomains_slave_search_done(struct tevent_req *subreq)
+                                  "expected.\n");
+     }
+ 
+-    if (!has_changes) {
+-        ret = EOK;
+-        goto done;
++    /* If there are no changes this step can be skipped, but
++     * ipa_subdomains_update_dom_state() must be called after that in all case
++     * to cover existing an newly added domains. Since the domain state is not
++     * handled by a domain flag but by the blacklist has_changes does not
++     * cover the state. */
++    if (has_changes) {
++        ret = ipa_subdom_reinit(state->sd_ctx);
++        if (ret != EOK) {
++            DEBUG(SSSDBG_OP_FAILURE, "Could not reinitialize subdomains\n");
++            goto done;
++        }
+     }
+ 
+-    ret = ipa_subdom_reinit(state->sd_ctx);
+-    if (ret != EOK) {
+-        DEBUG(SSSDBG_OP_FAILURE, "Could not reinitialize subdomains\n");
+-        goto done;
+-    }
++    ipa_subdomains_update_dom_state(state->sd_ctx->be_ctx->domain,
++                                    reply_count, reply);
+ 
+-    if (state->sd_ctx->ipa_id_ctx->server_mode == NULL) {
++    if (!has_changes || state->sd_ctx->ipa_id_ctx->server_mode == NULL) {
+         ret = EOK;
+         goto done;
+     }
+-- 
+2.20.1
+
diff --git a/SOURCES/0095-ipa-ignore-objects-from-disabled-domains-on-the-clie.patch b/SOURCES/0095-ipa-ignore-objects-from-disabled-domains-on-the-clie.patch
new file mode 100644
index 0000000..c5abc27
--- /dev/null
+++ b/SOURCES/0095-ipa-ignore-objects-from-disabled-domains-on-the-clie.patch
@@ -0,0 +1,75 @@
+From cc42fe7daece23c639ba8d147808f1c699d8b6ad Mon Sep 17 00:00:00 2001
+From: Sumit Bose <sbose@redhat.com>
+Date: Thu, 12 Sep 2019 14:45:08 +0200
+Subject: [PATCH 95/97] ipa: ignore objects from disabled domains on the client
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+It is possible that a domain is already disabled on an IPA client but
+still  active on the server. This might happen e.g. if the version of
+SSSD running on the IPA server does not support disabled domains or if
+SSSD on the IPA client updates the domain data before the IPA server and
+sees a freshly disabled domain more early.
+
+As a result the server is still sending objects from disabled domains in
+the lists of group members or group memberships of a user. The client
+should just ignore those objects.
+
+Related to https://pagure.io/SSSD/sssd/issue/4078
+
+Reviewed-by: Pavel Březina <pbrezina@redhat.com>
+---
+ src/providers/ipa/ipa_s2n_exop.c | 15 +++++++++++++--
+ 1 file changed, 13 insertions(+), 2 deletions(-)
+
+diff --git a/src/providers/ipa/ipa_s2n_exop.c b/src/providers/ipa/ipa_s2n_exop.c
+index b6efbcd34..f1d5768ae 100644
+--- a/src/providers/ipa/ipa_s2n_exop.c
++++ b/src/providers/ipa/ipa_s2n_exop.c
+@@ -637,10 +637,16 @@ static errno_t add_v1_user_data(struct sss_domain_info *dom,
+             }
+ 
+             if (domain != NULL) {
+-                obj_domain = find_domain_by_name(parent_domain, domain, true);
++                obj_domain = find_domain_by_name_ex(parent_domain, domain, true, SSS_GND_ALL_DOMAINS);
+                 if (obj_domain == NULL) {
+                     DEBUG(SSSDBG_OP_FAILURE, "find_domain_by_name failed.\n");
+                     return ENOMEM;
++                } else if (sss_domain_get_state(obj_domain) == DOM_DISABLED) {
++                    /* skipping objects from disabled domains */
++                    DEBUG(SSSDBG_TRACE_ALL,
++                          "Skipping object [%s] from disabled domain.\n",
++                          list[c]);
++                    continue;
+                 }
+             } else {
+                 obj_domain = parent_domain;
+@@ -656,6 +662,7 @@ static errno_t add_v1_user_data(struct sss_domain_info *dom,
+             gc++;
+         }
+     }
++    attrs->ngroups = gc;
+ 
+     tag = ber_peek_tag(ber, &ber_len);
+     DEBUG(SSSDBG_TRACE_ALL, "BER tag is [%d]\n", (int) tag);
+@@ -1567,11 +1574,15 @@ static errno_t process_members(struct sss_domain_info *domain,
+     parent_domain = get_domains_head(domain);
+ 
+     for (c = 0; members[c] != NULL; c++) {
+-        obj_domain = find_domain_by_object_name(parent_domain, members[c]);
++        obj_domain = find_domain_by_object_name_ex(parent_domain, members[c],
++                                                   false, SSS_GND_ALL_DOMAINS);
+         if (obj_domain == NULL) {
+             DEBUG(SSSDBG_OP_FAILURE, "find_domain_by_object_name failed.\n");
+             ret = ENOMEM;
+             goto done;
++        } else if (sss_domain_get_state(obj_domain) == DOM_DISABLED) {
++            /* skip members from disabled domains */
++            continue;
+         }
+ 
+         ret = sysdb_search_user_by_name(tmp_ctx, obj_domain, members[c], attrs,
+-- 
+2.20.1
+
diff --git a/SOURCES/0096-sysdb-add-sysdb_subdomain_content_delete.patch b/SOURCES/0096-sysdb-add-sysdb_subdomain_content_delete.patch
new file mode 100644
index 0000000..13916e5
--- /dev/null
+++ b/SOURCES/0096-sysdb-add-sysdb_subdomain_content_delete.patch
@@ -0,0 +1,244 @@
+From a9f03f01b95031f748fdb968ae9c16b9c3d6ed21 Mon Sep 17 00:00:00 2001
+From: Sumit Bose <sbose@redhat.com>
+Date: Wed, 18 Sep 2019 17:33:55 +0200
+Subject: [PATCH 96/97] sysdb: add sysdb_subdomain_content_delete()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+sysdb_subdomain_content_delete() will remove all user and group objects
+from a sub-domain container but not the sub-domain object and the user
+and group container itself.
+
+Related to https://pagure.io/SSSD/sssd/issue/4078
+
+Reviewed-by: Pavel Březina <pbrezina@redhat.com>
+---
+ src/db/sysdb.h            |  8 ++++
+ src/db/sysdb_ops.c        | 17 ++++++--
+ src/db/sysdb_subdomains.c | 20 ++++++++-
+ src/tests/sysdb-tests.c   | 88 +++++++++++++++++++++++++++++++++++++++
+ 4 files changed, 127 insertions(+), 6 deletions(-)
+
+diff --git a/src/db/sysdb.h b/src/db/sysdb.h
+index 0a7e7c4f8..f8a2c87ae 100644
+--- a/src/db/sysdb.h
++++ b/src/db/sysdb.h
+@@ -557,6 +557,9 @@ errno_t sysdb_master_domain_add_info(struct sss_domain_info *domain,
+ 
+ errno_t sysdb_subdomain_delete(struct sysdb_ctx *sysdb, const char *name);
+ 
++errno_t sysdb_subdomain_content_delete(struct sysdb_ctx *sysdb,
++                                       const char *name);
++
+ errno_t sysdb_get_ranges(TALLOC_CTX *mem_ctx, struct sysdb_ctx *sysdb,
+                              size_t *range_count,
+                              struct range_info ***range_list);
+@@ -892,6 +895,11 @@ int sysdb_delete_recursive(struct sysdb_ctx *sysdb,
+                            struct ldb_dn *dn,
+                            bool ignore_not_found);
+ 
++int sysdb_delete_recursive_with_filter(struct sysdb_ctx *sysdb,
++                                       struct ldb_dn *dn,
++                                       bool ignore_not_found,
++                                       const char *filter);
++
+ /* Mark entry as expired */
+ errno_t sysdb_mark_entry_as_expired_ldb_dn(struct sss_domain_info *dom,
+                                            struct ldb_dn *ldbdn);
+diff --git a/src/db/sysdb_ops.c b/src/db/sysdb_ops.c
+index fa3842d8f..262e12380 100644
+--- a/src/db/sysdb_ops.c
++++ b/src/db/sysdb_ops.c
+@@ -196,9 +196,10 @@ int sysdb_delete_entry(struct sysdb_ctx *sysdb,
+ 
+ /* =Remove-Subentries-From-Sysdb=========================================== */
+ 
+-int sysdb_delete_recursive(struct sysdb_ctx *sysdb,
+-                           struct ldb_dn *dn,
+-                           bool ignore_not_found)
++int sysdb_delete_recursive_with_filter(struct sysdb_ctx *sysdb,
++                                       struct ldb_dn *dn,
++                                       bool ignore_not_found,
++                                       const char *filter)
+ {
+     const char *no_attrs[] = { NULL };
+     struct ldb_message **msgs;
+@@ -219,7 +220,7 @@ int sysdb_delete_recursive(struct sysdb_ctx *sysdb,
+     }
+ 
+     ret = sysdb_search_entry(tmp_ctx, sysdb, dn,
+-                             LDB_SCOPE_SUBTREE, "(distinguishedName=*)",
++                             LDB_SCOPE_SUBTREE, filter,
+                              no_attrs, &msgs_count, &msgs);
+     if (ret) {
+         if (ignore_not_found && ret == ENOENT) {
+@@ -258,6 +259,14 @@ done:
+     return ret;
+ }
+ 
++int sysdb_delete_recursive(struct sysdb_ctx *sysdb,
++                           struct ldb_dn *dn,
++                           bool ignore_not_found)
++{
++    return sysdb_delete_recursive_with_filter(sysdb, dn, ignore_not_found,
++                                              "(distinguishedName=*)");
++}
++
+ 
+ /* =Search-Entry========================================================== */
+ 
+diff --git a/src/db/sysdb_subdomains.c b/src/db/sysdb_subdomains.c
+index af838b44c..0ca6a611f 100644
+--- a/src/db/sysdb_subdomains.c
++++ b/src/db/sysdb_subdomains.c
+@@ -1250,7 +1250,9 @@ done:
+     return ret;
+ }
+ 
+-errno_t sysdb_subdomain_delete(struct sysdb_ctx *sysdb, const char *name)
++static errno_t sysdb_subdomain_delete_with_filter(struct sysdb_ctx *sysdb,
++                                                  const char *name,
++                                                  const char *filter)
+ {
+     TALLOC_CTX *tmp_ctx = NULL;
+     struct ldb_dn *dn;
+@@ -1269,7 +1271,7 @@ errno_t sysdb_subdomain_delete(struct sysdb_ctx *sysdb, const char *name)
+         goto done;
+     }
+ 
+-    ret = sysdb_delete_recursive(sysdb, dn, true);
++    ret = sysdb_delete_recursive_with_filter(sysdb, dn, true, filter);
+     if (ret != EOK) {
+         DEBUG(SSSDBG_OP_FAILURE, "sysdb_delete_recursive failed.\n");
+         goto done;
+@@ -1280,6 +1282,20 @@ done:
+     return ret;
+ }
+ 
++errno_t sysdb_subdomain_delete(struct sysdb_ctx *sysdb, const char *name)
++{
++    return sysdb_subdomain_delete_with_filter(sysdb, name,
++                                              "(distinguishedName=*)");
++}
++
++errno_t sysdb_subdomain_content_delete(struct sysdb_ctx *sysdb,
++                                       const char *name)
++{
++    const char *filter = "(|("SYSDB_UC")("SYSDB_GC"))";
++
++    return sysdb_subdomain_delete_with_filter(sysdb, name, filter);
++}
++
+ errno_t
+ sysdb_domain_get_domain_resolution_order(TALLOC_CTX *mem_ctx,
+                                          struct sysdb_ctx *sysdb,
+diff --git a/src/tests/sysdb-tests.c b/src/tests/sysdb-tests.c
+index 22460d9db..45a278e2a 100644
+--- a/src/tests/sysdb-tests.c
++++ b/src/tests/sysdb-tests.c
+@@ -6204,6 +6204,93 @@ START_TEST(test_sysdb_subdomain_store_user)
+ }
+ END_TEST
+ 
++START_TEST(test_sysdb_subdomain_content_delete)
++{
++    struct sysdb_test_ctx *test_ctx;
++    errno_t ret;
++    struct sss_domain_info *subdomain = NULL;
++    struct ldb_result *results = NULL;
++    struct ldb_dn *base_dn = NULL;
++    struct ldb_dn *check_dn = NULL;
++    struct ldb_dn *check_dom_dn = NULL;
++    struct test_data *data;
++    char *alias;
++
++    ret = setup_sysdb_tests(&test_ctx);
++    fail_if(ret != EOK, "Could not set up the test");
++
++    subdomain = new_subdomain(test_ctx, test_ctx->domain,
++                              testdom[0], testdom[1], testdom[2], testdom[3],
++                              MPG_DISABLED, false, NULL, NULL, 0, NULL, true);
++    fail_unless(subdomain != NULL, "Failed to create new subdomain.");
++    ret = sysdb_subdomain_store(test_ctx->sysdb,
++                                testdom[0], testdom[1], testdom[2], testdom[3],
++                                false, false, NULL, 0, NULL);
++    fail_if(ret != EOK, "Could not set up the test (test subdom)");
++
++    ret = sysdb_update_subdomains(test_ctx->domain, NULL);
++    fail_unless(ret == EOK, "sysdb_update_subdomains failed with [%d][%s]",
++                            ret, strerror(ret));
++
++    data = test_data_new_user(test_ctx, 12345);
++    fail_if(data == NULL);
++    data->username = test_asprintf_fqname(data, subdomain, "SubDomUser");
++
++    alias = test_asprintf_fqname(data, subdomain, "subdomuser");
++    fail_if(alias == NULL);
++
++    ret = sysdb_attrs_add_string(data->attrs, SYSDB_NAME_ALIAS, alias);
++    fail_unless(ret == EOK, "sysdb_store_user failed.");
++
++    ret = sysdb_store_user(subdomain, data->username,
++                           NULL, data->uid, 0, "Sub Domain User",
++                           "/home/subdomuser", "/bin/bash",
++                           NULL, data->attrs, NULL, -1, 0);
++    fail_unless(ret == EOK, "sysdb_store_user failed.");
++
++    base_dn =ldb_dn_new(test_ctx, test_ctx->sysdb->ldb, "cn=sysdb");
++    fail_unless(base_dn != NULL);
++
++    check_dn = sysdb_user_dn(data, subdomain, data->username);
++    fail_unless(check_dn != NULL);
++
++    ret = ldb_search(test_ctx->sysdb->ldb, test_ctx, &results, base_dn,
++                     LDB_SCOPE_SUBTREE, NULL, "name=%s", data->username);
++    fail_unless(ret == EOK, "ldb_search failed.");
++    fail_unless(results->count == 1, "Unexpected number of results, "
++                                     "expected [%d], got [%d]",
++                                     1, results->count);
++    fail_unless(ldb_dn_compare(results->msgs[0]->dn, check_dn) == 0,
++                "Unexpected DN returned");
++
++    ret = sysdb_subdomain_content_delete(test_ctx->sysdb, testdom[0]);
++    fail_unless(ret == EOK, "sysdb_subdomain_content_delete failed.");
++
++    /* Check if user is removed */
++    ret = ldb_search(test_ctx->sysdb->ldb, test_ctx, &results, base_dn,
++                     LDB_SCOPE_SUBTREE, NULL, "name=%s", alias);
++    fail_unless(ret == EOK, "ldb_search failed.");
++    fail_unless(results->count == 0, "Unexpected number of results, "
++                                     "expected [%d], got [%d]",
++                                     0, results->count);
++
++    check_dom_dn = ldb_dn_new_fmt(test_ctx, test_ctx->sysdb->ldb,
++                                  SYSDB_DOM_BASE, testdom[0]);
++    fail_unless(check_dom_dn != NULL, "ldb_dn_new_fmt failed.");
++
++    /* Check if domain object is still present */
++    ret = ldb_search(test_ctx->sysdb->ldb, test_ctx, &results, base_dn,
++                     LDB_SCOPE_SUBTREE, NULL, "cn=%s", testdom[0]);
++    fail_unless(ret == EOK, "ldb_search failed.");
++    fail_unless(results->count == 1, "Unexpected number of results, "
++                                     "expected [%d], got [%d]",
++                                     1, results->count);
++    fail_unless(ldb_dn_compare(results->msgs[0]->dn, check_dom_dn) == 0,
++                "Unexpected DN returned");
++
++}
++END_TEST
++
+ START_TEST(test_sysdb_subdomain_user_ops)
+ {
+     struct sysdb_test_ctx *test_ctx;
+@@ -7574,6 +7661,7 @@ Suite *create_sysdb_suite(void)
+     TCase *tc_subdomain = tcase_create("SYSDB sub-domain Tests");
+ 
+     tcase_add_test(tc_subdomain, test_sysdb_subdomain_store_user);
++    tcase_add_test(tc_subdomain, test_sysdb_subdomain_content_delete);
+     tcase_add_test(tc_subdomain, test_sysdb_subdomain_user_ops);
+     tcase_add_test(tc_subdomain, test_sysdb_subdomain_group_ops);
+ 
+-- 
+2.20.1
+
diff --git a/SOURCES/0097-ipa-delete-content-of-disabled-domains.patch b/SOURCES/0097-ipa-delete-content-of-disabled-domains.patch
new file mode 100644
index 0000000..9d55de0
--- /dev/null
+++ b/SOURCES/0097-ipa-delete-content-of-disabled-domains.patch
@@ -0,0 +1,36 @@
+From 124957a91db25736ce8ea82852db65d8fa243e58 Mon Sep 17 00:00:00 2001
+From: Sumit Bose <sbose@redhat.com>
+Date: Wed, 18 Sep 2019 18:09:23 +0200
+Subject: [PATCH 97/97] ipa: delete content of disabled domains
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Related to https://pagure.io/SSSD/sssd/issue/4078
+
+Reviewed-by: Pavel Březina <pbrezina@redhat.com>
+---
+ src/providers/ipa/ipa_subdomains.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/src/providers/ipa/ipa_subdomains.c b/src/providers/ipa/ipa_subdomains.c
+index 2ffc6bf7a..b9ce25063 100644
+--- a/src/providers/ipa/ipa_subdomains.c
++++ b/src/providers/ipa/ipa_subdomains.c
+@@ -821,6 +821,13 @@ static errno_t ipa_subdomains_check_domain_state(struct sss_domain_info *dom,
+                 DEBUG(SSSDBG_OP_FAILURE, "sysdb_domain_set_enabled failed.\n");
+                 return ret;
+             }
++
++            ret = sysdb_subdomain_content_delete(dom->sysdb, dom->name);
++            if (ret != EOK) {
++                DEBUG(SSSDBG_OP_FAILURE,
++                      "sysdb_subdomain_content_delete failed.\n");
++                return ret;
++            }
+         }
+     } else {
+         /* enabled domain if it was disabled */
+-- 
+2.20.1
+
diff --git a/SOURCES/0098-ipa-use-LDAP-not-extdom-to-lookup-IPA-users-and-grou.patch b/SOURCES/0098-ipa-use-LDAP-not-extdom-to-lookup-IPA-users-and-grou.patch
new file mode 100644
index 0000000..82785bf
--- /dev/null
+++ b/SOURCES/0098-ipa-use-LDAP-not-extdom-to-lookup-IPA-users-and-grou.patch
@@ -0,0 +1,179 @@
+From fbd38903a3c4985e560e6c670ead84597982242e Mon Sep 17 00:00:00 2001
+From: Sumit Bose <sbose@redhat.com>
+Date: Wed, 19 Jun 2019 11:40:56 +0200
+Subject: [PATCH] ipa: use LDAP not extdom to lookup IPA users and groups
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Currently when an IPA client is resolving trusted users and groups with
+the help of the extdom plugin it uses the extdom plugin as well to
+lookup IPA objects. This might cause issues if e.g. there is a user in
+IPA with the same name as a group in AD or the other way round.
+
+To solve this and to lower the load on the extdom plugin on the IPA
+server side this patch will lookup IPA object directly from LDAP on the
+IPA server.
+
+Related to https://pagure.io/SSSD/sssd/issue/4073
+
+Reviewed-by: Pavel Březina <pbrezina@redhat.com>
+(cherry picked from commit 27b141f38dd04d4b69e609a4cc64676a0716226e)
+---
+ src/providers/ipa/ipa_id.c       | 11 +-----
+ src/providers/ipa/ipa_id.h       |  5 +++
+ src/providers/ipa/ipa_s2n_exop.c | 67 ++++++++++++++++++++++++++++++++
+ 3 files changed, 74 insertions(+), 9 deletions(-)
+
+diff --git a/src/providers/ipa/ipa_id.c b/src/providers/ipa/ipa_id.c
+index f34692aa2..94d5f9d90 100644
+--- a/src/providers/ipa/ipa_id.c
++++ b/src/providers/ipa/ipa_id.c
+@@ -30,13 +30,6 @@
+ #include "providers/ldap/sdap_async.h"
+ #include "providers/ipa/ipa_id.h"
+ 
+-static struct tevent_req *
+-ipa_id_get_account_info_send(TALLOC_CTX *memctx, struct tevent_context *ev,
+-                             struct ipa_id_ctx *ipa_ctx,
+-                             struct dp_id_data *ar);
+-
+-static int ipa_id_get_account_info_recv(struct tevent_req *req, int *dp_error);
+-
+ static bool is_object_overridable(struct dp_id_data *ar)
+ {
+     bool ret = false;
+@@ -516,7 +509,7 @@ static void ipa_id_get_account_info_orig_done(struct tevent_req *subreq);
+ static void ipa_id_get_account_info_done(struct tevent_req *subreq);
+ static void ipa_id_get_user_list_done(struct tevent_req *subreq);
+ 
+-static struct tevent_req *
++struct tevent_req *
+ ipa_id_get_account_info_send(TALLOC_CTX *memctx, struct tevent_context *ev,
+                              struct ipa_id_ctx *ipa_ctx,
+                              struct dp_id_data *ar)
+@@ -1120,7 +1113,7 @@ fail:
+     return;
+ }
+ 
+-static int ipa_id_get_account_info_recv(struct tevent_req *req, int *dp_error)
++int ipa_id_get_account_info_recv(struct tevent_req *req, int *dp_error)
+ {
+     struct ipa_id_get_account_info_state *state = tevent_req_data(req,
+                                           struct ipa_id_get_account_info_state);
+diff --git a/src/providers/ipa/ipa_id.h b/src/providers/ipa/ipa_id.h
+index fe9acfeef..c18e709b8 100644
+--- a/src/providers/ipa/ipa_id.h
++++ b/src/providers/ipa/ipa_id.h
+@@ -151,4 +151,9 @@ ipa_resolve_user_list_send(TALLOC_CTX *memctx, struct tevent_context *ev,
+                            struct ldb_message_element *users);
+ int ipa_resolve_user_list_recv(struct tevent_req *req, int *dp_error);
+ 
++struct tevent_req *
++ipa_id_get_account_info_send(TALLOC_CTX *memctx, struct tevent_context *ev,
++                             struct ipa_id_ctx *ipa_ctx,
++                             struct dp_id_data *ar);
++int ipa_id_get_account_info_recv(struct tevent_req *req, int *dp_error);
+ #endif
+diff --git a/src/providers/ipa/ipa_s2n_exop.c b/src/providers/ipa/ipa_s2n_exop.c
+index a07f73200..598b1568e 100644
+--- a/src/providers/ipa/ipa_s2n_exop.c
++++ b/src/providers/ipa/ipa_s2n_exop.c
+@@ -1121,6 +1121,7 @@ struct ipa_s2n_get_list_state {
+ static errno_t ipa_s2n_get_list_step(struct tevent_req *req);
+ static void ipa_s2n_get_list_get_override_done(struct tevent_req *subreq);
+ static void ipa_s2n_get_list_next(struct tevent_req *subreq);
++static void ipa_s2n_get_list_ipa_next(struct tevent_req *subreq);
+ static errno_t ipa_s2n_get_list_save_step(struct tevent_req *req);
+ 
+ static struct tevent_req *ipa_s2n_get_list_send(TALLOC_CTX *mem_ctx,
+@@ -1195,6 +1196,7 @@ static errno_t ipa_s2n_get_list_step(struct tevent_req *req)
+     uint32_t id;
+     char *endptr;
+     bool need_v1 = false;
++    struct dp_id_data *ar;
+ 
+     parent_domain = get_domains_head(state->dom);
+     switch (state->req_input.type) {
+@@ -1222,6 +1224,35 @@ static errno_t ipa_s2n_get_list_step(struct tevent_req *req)
+ 
+         state->req_input.inp.name = short_name;
+ 
++        if (strcmp(state->obj_domain->name,
++            state->ipa_ctx->sdap_id_ctx->be->domain->name) == 0) {
++            DEBUG(SSSDBG_TRACE_INTERNAL,
++                  "Looking up IPA object [%s] from LDAP.\n",
++                  state->list[state->list_idx]);
++            ret = get_dp_id_data_for_user_name(state,
++                                               state->list[state->list_idx],
++                                               state->obj_domain->name,
++                                               &ar);
++            if (ret != EOK) {
++                DEBUG(SSSDBG_OP_FAILURE,
++                      "Failed to create lookup date for IPA object [%s].\n",
++                      state->list[state->list_idx]);
++                return ret;
++            }
++            ar->entry_type = state->entry_type;
++
++            subreq = ipa_id_get_account_info_send(state, state->ev,
++                                                  state->ipa_ctx, ar);
++            if (subreq == NULL) {
++                DEBUG(SSSDBG_OP_FAILURE,
++                      "ipa_id_get_account_info_send failed.\n");
++                return ENOMEM;
++            }
++            tevent_req_set_callback(subreq, ipa_s2n_get_list_ipa_next, req);
++
++            return EOK;
++        }
++
+         break;
+     case REQ_INP_ID:
+         errno = 0;
+@@ -1363,6 +1394,42 @@ fail:
+     return;
+ }
+ 
++static void ipa_s2n_get_list_ipa_next(struct tevent_req *subreq)
++{
++    int ret;
++    int dp_error;
++    struct tevent_req *req = tevent_req_callback_data(subreq,
++                                                      struct tevent_req);
++    struct ipa_s2n_get_list_state *state = tevent_req_data(req,
++                                               struct ipa_s2n_get_list_state);
++
++    ret = ipa_id_get_account_info_recv(subreq, &dp_error);
++    talloc_zfree(subreq);
++    if (ret != EOK) {
++        DEBUG(SSSDBG_OP_FAILURE, "ipa_id_get_account_info failed: %d %d\n", ret,
++                                 dp_error);
++        goto done;
++    }
++
++    state->list_idx++;
++    if (state->list[state->list_idx] == NULL) {
++        tevent_req_done(req);
++        return;
++    }
++
++    ret = ipa_s2n_get_list_step(req);
++    if (ret != EOK) {
++        DEBUG(SSSDBG_OP_FAILURE, "ipa_s2n_get_list_step failed.\n");
++        goto done;
++    }
++
++    return;
++
++done:
++    tevent_req_error(req,ret);
++    return;
++}
++
+ static void ipa_s2n_get_list_get_override_done(struct tevent_req *subreq)
+ {
+     int ret;
+-- 
+2.20.1
+
diff --git a/SOURCES/0099-providers-ipa-add_v1_user_data-amended.patch b/SOURCES/0099-providers-ipa-add_v1_user_data-amended.patch
new file mode 100644
index 0000000..fca0517
--- /dev/null
+++ b/SOURCES/0099-providers-ipa-add_v1_user_data-amended.patch
@@ -0,0 +1,68 @@
+From e294f7351b810ea9180b2e9e0cab47beab18ae25 Mon Sep 17 00:00:00 2001
+From: Alexey Tikhonov <atikhono@redhat.com>
+Date: Fri, 20 Sep 2019 15:51:38 +0200
+Subject: [PATCH] providers/ipa/: add_v1_user_data() amended
+
+Fixes few mistypes and compilation warning:
+```
+sssd-2.2.3/src/providers/ipa/ipa_s2n_exop.c:665:20: warning: 'gc' may be used uninitialized in this function [-Wmaybe-uninitialized]
+     attrs->ngroups = gc;
+     ~~~~~~~~~~~~~~~^~~~
+```
+
+Related to https://pagure.io/SSSD/sssd/issue/4078
+
+Reviewed-by: Sumit Bose <sbose@redhat.com>
+(cherry picked from commit 39e16cca441d4a6b3affe8f27372c26ed11ac81f)
+---
+ src/providers/ipa/ipa_s2n_exop.c | 14 +++++++++-----
+ 1 file changed, 9 insertions(+), 5 deletions(-)
+
+diff --git a/src/providers/ipa/ipa_s2n_exop.c b/src/providers/ipa/ipa_s2n_exop.c
+index f1d5768ae..a07f73200 100644
+--- a/src/providers/ipa/ipa_s2n_exop.c
++++ b/src/providers/ipa/ipa_s2n_exop.c
+@@ -620,7 +620,8 @@ static errno_t add_v1_user_data(struct sss_domain_info *dom,
+     if (attrs->ngroups > 0) {
+         attrs->groups = talloc_zero_array(attrs, char *, attrs->ngroups + 1);
+         if (attrs->groups == NULL) {
+-            DEBUG(SSSDBG_OP_FAILURE, "talloc_array failed.\n");
++            DEBUG(SSSDBG_OP_FAILURE, "talloc_zero_array failed.\n");
++            attrs->ngroups = 0;
+             ret = ENOMEM;
+             goto done;
+         }
+@@ -639,8 +640,10 @@ static errno_t add_v1_user_data(struct sss_domain_info *dom,
+             if (domain != NULL) {
+                 obj_domain = find_domain_by_name_ex(parent_domain, domain, true, SSS_GND_ALL_DOMAINS);
+                 if (obj_domain == NULL) {
+-                    DEBUG(SSSDBG_OP_FAILURE, "find_domain_by_name failed.\n");
+-                    return ENOMEM;
++                    DEBUG(SSSDBG_OP_FAILURE, "find_domain_by_name_ex failed.\n");
++                    attrs->ngroups = gc;
++                    ret = ENOMEM;
++                    goto done;
+                 } else if (sss_domain_get_state(obj_domain) == DOM_DISABLED) {
+                     /* skipping objects from disabled domains */
+                     DEBUG(SSSDBG_TRACE_ALL,
+@@ -655,14 +658,15 @@ static errno_t add_v1_user_data(struct sss_domain_info *dom,
+             attrs->groups[gc] = sss_create_internal_fqname(attrs->groups,
+                                                            name, obj_domain->name);
+             if (attrs->groups[gc] == NULL) {
+-                DEBUG(SSSDBG_OP_FAILURE, "talloc_strdup failed.\n");
++                DEBUG(SSSDBG_OP_FAILURE, "sss_create_internal_fqname failed.\n");
++                attrs->ngroups = gc;
+                 ret = ENOMEM;
+                 goto done;
+             }
+             gc++;
+         }
++        attrs->ngroups = gc;
+     }
+-    attrs->ngroups = gc;
+ 
+     tag = ber_peek_tag(ber, &ber_len);
+     DEBUG(SSSDBG_TRACE_ALL, "BER tag is [%d]\n", (int) tag);
+-- 
+2.20.1
+
diff --git a/SOURCES/0100-zanata-Initial-push-to-rhel-7-branch.patch b/SOURCES/0100-zanata-Initial-push-to-rhel-7-branch.patch
new file mode 100644
index 0000000..395f905
--- /dev/null
+++ b/SOURCES/0100-zanata-Initial-push-to-rhel-7-branch.patch
@@ -0,0 +1,98950 @@
+From e50bd551bbc42616f22269a7d8cb3a6fb9883e89 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Michal=20=C5=BDidek?= <mzidek@redhat.com>
+Date: Mon, 7 Oct 2019 11:57:09 +0200
+Subject: [PATCH 100/101] zanata: Initial push to rhel-7 branch
+
+---
+ po/bg.po                 |  126 +--
+ po/ca.po                 |  126 +--
+ po/de.po                 |  126 +--
+ po/es.po                 |  126 +--
+ po/eu.po                 |  126 +--
+ po/fr.po                 |  126 +--
+ po/hu.po                 |  126 +--
+ po/id.po                 |  126 +--
+ po/it.po                 |  126 +--
+ po/ja.po                 | 1016 +++++++++++++-----------
+ po/nb.po                 |  126 +--
+ po/nl.po                 |  126 +--
+ po/pl.po                 |  126 +--
+ po/pt.po                 |  126 +--
+ po/pt_BR.po              |  126 +--
+ po/ru.po                 |  126 +--
+ po/sssd.pot              |  126 +--
+ po/sv.po                 |  126 +--
+ po/tg.po                 |  126 +--
+ po/tr.po                 |  126 +--
+ po/uk.po                 |  126 +--
+ po/zh_CN.po              |  126 +--
+ po/zh_TW.po              |  126 +--
+ src/man/po/br.po         | 1490 ++++++++++++++++++++---------------
+ src/man/po/ca.po         | 1543 +++++++++++++++++++++---------------
+ src/man/po/cs.po         | 1491 ++++++++++++++++++++---------------
+ src/man/po/de.po         | 1551 +++++++++++++++++++++---------------
+ src/man/po/es.po         | 1551 +++++++++++++++++++++---------------
+ src/man/po/eu.po         | 1488 ++++++++++++++++++++---------------
+ src/man/po/fi.po         | 1494 ++++++++++++++++++++---------------
+ src/man/po/fr.po         | 1553 +++++++++++++++++++++---------------
+ src/man/po/ja.po         | 1543 +++++++++++++++++++++---------------
+ src/man/po/lv.po         | 1494 ++++++++++++++++++++---------------
+ src/man/po/nl.po         | 1490 ++++++++++++++++++++---------------
+ src/man/po/pt.po         | 1498 ++++++++++++++++++++---------------
+ src/man/po/pt_BR.po      | 1488 ++++++++++++++++++++---------------
+ src/man/po/ru.po         | 1494 ++++++++++++++++++++---------------
+ src/man/po/sssd-docs.pot | 1449 +++++++++++++++++++---------------
+ src/man/po/sv.po         | 1571 +++++++++++++++++++++---------------
+ src/man/po/tg.po         | 1492 ++++++++++++++++++++---------------
+ src/man/po/uk.po         | 1619 +++++++++++++++++++++++---------------
+ src/man/po/zh_CN.po      | 1490 ++++++++++++++++++++---------------
+ 42 files changed, 18632 insertions(+), 13945 deletions(-)
+
+diff --git a/po/bg.po b/po/bg.po
+index b0d06a4f1..8c6f24937 100644
+--- a/po/bg.po
++++ b/po/bg.po
+@@ -8,7 +8,7 @@ msgid ""
+ msgstr ""
+ "Project-Id-Version: PACKAGE VERSION\n"
+ "Report-Msgid-Bugs-To: sssd-devel@lists.fedorahosted.org\n"
+-"POT-Creation-Date: 2019-03-20 22:07+0100\n"
++"POT-Creation-Date: 2019-10-07 11:34+0200\n"
+ "PO-Revision-Date: 2014-12-14 11:44+0000\n"
+ "Last-Translator: Copied by Zanata <copied-by-zanata@zanata.org>\n"
+ "Language-Team: Bulgarian (http://www.transifex.com/projects/p/sssd/language/"
+@@ -1512,63 +1512,63 @@ msgstr ""
+ msgid "SSSD is already running\n"
+ msgstr ""
+ 
+-#: src/providers/krb5/krb5_child.c:3216 src/providers/ldap/ldap_child.c:605
++#: src/providers/krb5/krb5_child.c:3229 src/providers/ldap/ldap_child.c:605
+ msgid "Debug level"
+ msgstr "Ниво на debug"
+ 
+-#: src/providers/krb5/krb5_child.c:3218 src/providers/ldap/ldap_child.c:607
++#: src/providers/krb5/krb5_child.c:3231 src/providers/ldap/ldap_child.c:607
+ msgid "Add debug timestamps"
+ msgstr ""
+ 
+-#: src/providers/krb5/krb5_child.c:3220 src/providers/ldap/ldap_child.c:609
++#: src/providers/krb5/krb5_child.c:3233 src/providers/ldap/ldap_child.c:609
+ msgid "Show timestamps with microseconds"
+ msgstr ""
+ 
+-#: src/providers/krb5/krb5_child.c:3222 src/providers/ldap/ldap_child.c:611
++#: src/providers/krb5/krb5_child.c:3235 src/providers/ldap/ldap_child.c:611
+ msgid "An open file descriptor for the debug logs"
+ msgstr ""
+ 
+-#: src/providers/krb5/krb5_child.c:3225 src/providers/ldap/ldap_child.c:613
++#: src/providers/krb5/krb5_child.c:3238 src/providers/ldap/ldap_child.c:613
+ msgid "Send the debug output to stderr directly."
+ msgstr ""
+ 
+-#: src/providers/krb5/krb5_child.c:3228
++#: src/providers/krb5/krb5_child.c:3241
+ msgid "The user to create FAST ccache as"
+ msgstr ""
+ 
+-#: src/providers/krb5/krb5_child.c:3230
++#: src/providers/krb5/krb5_child.c:3243
+ msgid "The group to create FAST ccache as"
+ msgstr ""
+ 
+-#: src/providers/krb5/krb5_child.c:3232
++#: src/providers/krb5/krb5_child.c:3245
+ msgid "Kerberos realm to use"
+ msgstr ""
+ 
+-#: src/providers/krb5/krb5_child.c:3234
++#: src/providers/krb5/krb5_child.c:3247
+ msgid "Requested lifetime of the ticket"
+ msgstr ""
+ 
+-#: src/providers/krb5/krb5_child.c:3236
++#: src/providers/krb5/krb5_child.c:3249
+ msgid "Requested renewable lifetime of the ticket"
+ msgstr ""
+ 
+-#: src/providers/krb5/krb5_child.c:3238
++#: src/providers/krb5/krb5_child.c:3251
+ msgid "FAST options ('never', 'try', 'demand')"
+ msgstr ""
+ 
+-#: src/providers/krb5/krb5_child.c:3241
++#: src/providers/krb5/krb5_child.c:3254
+ msgid "Specifies the server principal to use for FAST"
+ msgstr ""
+ 
+-#: src/providers/krb5/krb5_child.c:3243
++#: src/providers/krb5/krb5_child.c:3256
+ msgid "Requests canonicalization of the principal name"
+ msgstr ""
+ 
+-#: src/providers/krb5/krb5_child.c:3245
++#: src/providers/krb5/krb5_child.c:3258
+ msgid "Use custom version of krb5_get_init_creds_password"
+ msgstr ""
+ 
+-#: src/providers/data_provider_be.c:556
++#: src/providers/data_provider_be.c:582
+ msgid "Domain of the information provider (mandatory)"
+ msgstr ""
+ 
+@@ -1600,88 +1600,88 @@ msgstr "Неочаквана грешка при търсене на описа
+ msgid "Permission denied. "
+ msgstr ""
+ 
+-#: src/sss_client/pam_sss.c:77 src/sss_client/pam_sss.c:782
+-#: src/sss_client/pam_sss.c:793
++#: src/sss_client/pam_sss.c:77 src/sss_client/pam_sss.c:785
++#: src/sss_client/pam_sss.c:796
+ msgid "Server message: "
+ msgstr "Съобщение от сървъра:"
+ 
+-#: src/sss_client/pam_sss.c:300
++#: src/sss_client/pam_sss.c:303
+ msgid "Passwords do not match"
+ msgstr "Паролите не съвпадат"
+ 
+-#: src/sss_client/pam_sss.c:488
++#: src/sss_client/pam_sss.c:491
+ msgid "Password reset by root is not supported."
+ msgstr "Промяна на паролата от root не се поддържа."
+ 
+-#: src/sss_client/pam_sss.c:529
++#: src/sss_client/pam_sss.c:532
+ msgid "Authenticated with cached credentials"
+ msgstr "Удостоверен с кеширани идентификационни данни"
+ 
+-#: src/sss_client/pam_sss.c:530
++#: src/sss_client/pam_sss.c:533
+ msgid ", your cached password will expire at: "
+ msgstr ", кешираната парола ще изтече на: "
+ 
+-#: src/sss_client/pam_sss.c:560
++#: src/sss_client/pam_sss.c:563
+ #, c-format
+ msgid "Your password has expired. You have %1$d grace login(s) remaining."
+ msgstr ""
+ 
+-#: src/sss_client/pam_sss.c:606
++#: src/sss_client/pam_sss.c:609
+ #, c-format
+ msgid "Your password will expire in %1$d %2$s."
+ msgstr ""
+ 
+-#: src/sss_client/pam_sss.c:655
++#: src/sss_client/pam_sss.c:658
+ msgid "Authentication is denied until: "
+ msgstr "Удостоверяването е забранено до: "
+ 
+-#: src/sss_client/pam_sss.c:676
++#: src/sss_client/pam_sss.c:679
+ msgid "System is offline, password change not possible"
+ msgstr "Системата е офлайн, промяна на паролата не е възможна"
+ 
+-#: src/sss_client/pam_sss.c:691
++#: src/sss_client/pam_sss.c:694
+ msgid ""
+ "After changing the OTP password, you need to log out and back in order to "
+ "acquire a ticket"
+ msgstr ""
+ 
+-#: src/sss_client/pam_sss.c:779 src/sss_client/pam_sss.c:792
++#: src/sss_client/pam_sss.c:782 src/sss_client/pam_sss.c:795
+ msgid "Password change failed. "
+ msgstr "Промяната на паролата не успя."
+ 
+-#: src/sss_client/pam_sss.c:1926
++#: src/sss_client/pam_sss.c:1972
+ msgid "New Password: "
+ msgstr "Нова парола:"
+ 
+-#: src/sss_client/pam_sss.c:1927
++#: src/sss_client/pam_sss.c:1973
+ msgid "Reenter new Password: "
+ msgstr "Отново новата парола:"
+ 
+-#: src/sss_client/pam_sss.c:2039 src/sss_client/pam_sss.c:2042
++#: src/sss_client/pam_sss.c:2130 src/sss_client/pam_sss.c:2133
+ msgid "First Factor: "
+ msgstr ""
+ 
+-#: src/sss_client/pam_sss.c:2040 src/sss_client/pam_sss.c:2202
++#: src/sss_client/pam_sss.c:2131 src/sss_client/pam_sss.c:2294
+ msgid "Second Factor (optional): "
+ msgstr ""
+ 
+-#: src/sss_client/pam_sss.c:2043 src/sss_client/pam_sss.c:2205
++#: src/sss_client/pam_sss.c:2134 src/sss_client/pam_sss.c:2297
+ msgid "Second Factor: "
+ msgstr ""
+ 
+-#: src/sss_client/pam_sss.c:2058
++#: src/sss_client/pam_sss.c:2149
+ msgid "Password: "
+ msgstr "Парола:"
+ 
+-#: src/sss_client/pam_sss.c:2201 src/sss_client/pam_sss.c:2204
++#: src/sss_client/pam_sss.c:2293 src/sss_client/pam_sss.c:2296
+ msgid "First Factor (Current Password): "
+ msgstr ""
+ 
+-#: src/sss_client/pam_sss.c:2208
++#: src/sss_client/pam_sss.c:2300
+ msgid "Current Password: "
+ msgstr "Текуща парола:"
+ 
+-#: src/sss_client/pam_sss.c:2536
++#: src/sss_client/pam_sss.c:2628
+ msgid "Password expired. Change your password now."
+ msgstr "Паролата Ви е остаряла. Сменете я сега."
+ 
+@@ -1690,7 +1690,7 @@ msgstr "Паролата Ви е остаряла. Сменете я сега."
+ #: src/tools/sss_groupadd.c:41 src/tools/sss_groupdel.c:44
+ #: src/tools/sss_groupmod.c:42 src/tools/sss_groupshow.c:668
+ #: src/tools/sss_userdel.c:134 src/tools/sss_usermod.c:47
+-#: src/tools/sss_cache.c:687
++#: src/tools/sss_cache.c:702
+ msgid "The debug level to run with"
+ msgstr "Нивото на debug записи при работа"
+ 
+@@ -1703,7 +1703,7 @@ msgstr ""
+ #: src/tools/sss_groupadd.c:59 src/tools/sss_groupdel.c:54
+ #: src/tools/sss_groupmod.c:66 src/tools/sss_groupshow.c:680
+ #: src/tools/sss_userdel.c:152 src/tools/sss_usermod.c:79
+-#: src/tools/sss_cache.c:733
++#: src/tools/sss_cache.c:748
+ msgid "Error setting the locale\n"
+ msgstr "Грешка при задаване локални настр.\n"
+ 
+@@ -2153,88 +2153,88 @@ msgstr ""
+ msgid "Couldn't invalidate %1$s %2$s\n"
+ msgstr ""
+ 
+-#: src/tools/sss_cache.c:689
++#: src/tools/sss_cache.c:704
+ msgid "Invalidate all cached entries"
+ msgstr ""
+ 
+-#: src/tools/sss_cache.c:691
++#: src/tools/sss_cache.c:706
+ msgid "Invalidate particular user"
+ msgstr ""
+ 
+-#: src/tools/sss_cache.c:693
++#: src/tools/sss_cache.c:708
+ msgid "Invalidate all users"
+ msgstr ""
+ 
+-#: src/tools/sss_cache.c:695
++#: src/tools/sss_cache.c:710
+ msgid "Invalidate particular group"
+ msgstr ""
+ 
+-#: src/tools/sss_cache.c:697
++#: src/tools/sss_cache.c:712
+ msgid "Invalidate all groups"
+ msgstr ""
+ 
+-#: src/tools/sss_cache.c:699
++#: src/tools/sss_cache.c:714
+ msgid "Invalidate particular netgroup"
+ msgstr ""
+ 
+-#: src/tools/sss_cache.c:701
++#: src/tools/sss_cache.c:716
+ msgid "Invalidate all netgroups"
+ msgstr ""
+ 
+-#: src/tools/sss_cache.c:703
++#: src/tools/sss_cache.c:718
+ msgid "Invalidate particular service"
+ msgstr ""
+ 
+-#: src/tools/sss_cache.c:705
++#: src/tools/sss_cache.c:720
+ msgid "Invalidate all services"
+ msgstr ""
+ 
+-#: src/tools/sss_cache.c:708
++#: src/tools/sss_cache.c:723
+ msgid "Invalidate particular autofs map"
+ msgstr ""
+ 
+-#: src/tools/sss_cache.c:710
++#: src/tools/sss_cache.c:725
+ msgid "Invalidate all autofs maps"
+ msgstr ""
+ 
+-#: src/tools/sss_cache.c:714
++#: src/tools/sss_cache.c:729
+ msgid "Invalidate particular SSH host"
+ msgstr ""
+ 
+-#: src/tools/sss_cache.c:716
++#: src/tools/sss_cache.c:731
+ msgid "Invalidate all SSH hosts"
+ msgstr ""
+ 
+-#: src/tools/sss_cache.c:720
++#: src/tools/sss_cache.c:735
+ msgid "Invalidate particular sudo rule"
+ msgstr ""
+ 
+-#: src/tools/sss_cache.c:722
++#: src/tools/sss_cache.c:737
+ msgid "Invalidate all cached sudo rules"
+ msgstr ""
+ 
+-#: src/tools/sss_cache.c:725
++#: src/tools/sss_cache.c:740
+ msgid "Only invalidate entries from a particular domain"
+ msgstr ""
+ 
+-#: src/tools/sss_cache.c:779
++#: src/tools/sss_cache.c:794
+ msgid ""
+ "Unexpected argument(s) provided, options that invalidate a single object "
+ "only accept a single provided argument.\n"
+ msgstr ""
+ 
+-#: src/tools/sss_cache.c:789
++#: src/tools/sss_cache.c:804
+ msgid "Please select at least one object to invalidate\n"
+ msgstr ""
+ 
+-#: src/tools/sss_cache.c:872
++#: src/tools/sss_cache.c:887
+ #, c-format
+ msgid ""
+ "Could not open domain %1$s. If the domain is a subdomain (trusted domain), "
+ "use fully qualified name instead of --domain/-d parameter.\n"
+ msgstr ""
+ 
+-#: src/tools/sss_cache.c:877
++#: src/tools/sss_cache.c:892
+ msgid "Could not open available domains\n"
+ msgstr ""
+ 
+@@ -2798,18 +2798,18 @@ msgstr ""
+ msgid " - no env -\n"
+ msgstr ""
+ 
+-#: src/util/util.h:75
++#: src/util/util.h:83
+ msgid "The user ID to run the server as"
+ msgstr ""
+ 
+-#: src/util/util.h:77
++#: src/util/util.h:85
+ msgid "The group ID to run the server as"
+ msgstr ""
+ 
+-#: src/util/util.h:85
++#: src/util/util.h:93
+ msgid "Informs that the responder has been socket-activated"
+ msgstr ""
+ 
+-#: src/util/util.h:87
++#: src/util/util.h:95
+ msgid "Informs that the responder has been dbus-activated"
+ msgstr ""
+diff --git a/po/ca.po b/po/ca.po
+index b921ecbd5..b982b4c65 100644
+--- a/po/ca.po
++++ b/po/ca.po
+@@ -14,7 +14,7 @@ msgid ""
+ msgstr ""
+ "Project-Id-Version: PACKAGE VERSION\n"
+ "Report-Msgid-Bugs-To: sssd-devel@lists.fedorahosted.org\n"
+-"POT-Creation-Date: 2019-03-20 22:07+0100\n"
++"POT-Creation-Date: 2019-10-07 11:34+0200\n"
+ "PO-Revision-Date: 2017-10-15 03:02+0000\n"
+ "Last-Translator: Robert Antoni Buj Gelonch <rbuj@fedoraproject.org>\n"
+ "Language-Team: Catalan (http://www.transifex.com/projects/p/sssd/language/"
+@@ -1632,63 +1632,63 @@ msgstr "Imprimeix el número de versió i surt"
+ msgid "SSSD is already running\n"
+ msgstr ""
+ 
+-#: src/providers/krb5/krb5_child.c:3216 src/providers/ldap/ldap_child.c:605
++#: src/providers/krb5/krb5_child.c:3229 src/providers/ldap/ldap_child.c:605
+ msgid "Debug level"
+ msgstr "Nivell de depuració"
+ 
+-#: src/providers/krb5/krb5_child.c:3218 src/providers/ldap/ldap_child.c:607
++#: src/providers/krb5/krb5_child.c:3231 src/providers/ldap/ldap_child.c:607
+ msgid "Add debug timestamps"
+ msgstr "Afegeix les marques temporals de depuració"
+ 
+-#: src/providers/krb5/krb5_child.c:3220 src/providers/ldap/ldap_child.c:609
++#: src/providers/krb5/krb5_child.c:3233 src/providers/ldap/ldap_child.c:609
+ msgid "Show timestamps with microseconds"
+ msgstr "Mostra les marques temporals amb microsegons"
+ 
+-#: src/providers/krb5/krb5_child.c:3222 src/providers/ldap/ldap_child.c:611
++#: src/providers/krb5/krb5_child.c:3235 src/providers/ldap/ldap_child.c:611
+ msgid "An open file descriptor for the debug logs"
+ msgstr "Un descriptor de fitxer obert pels registres de depuració"
+ 
+-#: src/providers/krb5/krb5_child.c:3225 src/providers/ldap/ldap_child.c:613
++#: src/providers/krb5/krb5_child.c:3238 src/providers/ldap/ldap_child.c:613
+ msgid "Send the debug output to stderr directly."
+ msgstr "Envia directament la sortida de depuració al stderr."
+ 
+-#: src/providers/krb5/krb5_child.c:3228
++#: src/providers/krb5/krb5_child.c:3241
+ msgid "The user to create FAST ccache as"
+ msgstr "L'usuari amb què es crea la ccache FAST"
+ 
+-#: src/providers/krb5/krb5_child.c:3230
++#: src/providers/krb5/krb5_child.c:3243
+ msgid "The group to create FAST ccache as"
+ msgstr "El grup amb què es crea la ccache FAST"
+ 
+-#: src/providers/krb5/krb5_child.c:3232
++#: src/providers/krb5/krb5_child.c:3245
+ msgid "Kerberos realm to use"
+ msgstr ""
+ 
+-#: src/providers/krb5/krb5_child.c:3234
++#: src/providers/krb5/krb5_child.c:3247
+ msgid "Requested lifetime of the ticket"
+ msgstr ""
+ 
+-#: src/providers/krb5/krb5_child.c:3236
++#: src/providers/krb5/krb5_child.c:3249
+ msgid "Requested renewable lifetime of the ticket"
+ msgstr ""
+ 
+-#: src/providers/krb5/krb5_child.c:3238
++#: src/providers/krb5/krb5_child.c:3251
+ msgid "FAST options ('never', 'try', 'demand')"
+ msgstr ""
+ 
+-#: src/providers/krb5/krb5_child.c:3241
++#: src/providers/krb5/krb5_child.c:3254
+ msgid "Specifies the server principal to use for FAST"
+ msgstr ""
+ 
+-#: src/providers/krb5/krb5_child.c:3243
++#: src/providers/krb5/krb5_child.c:3256
+ msgid "Requests canonicalization of the principal name"
+ msgstr ""
+ 
+-#: src/providers/krb5/krb5_child.c:3245
++#: src/providers/krb5/krb5_child.c:3258
+ msgid "Use custom version of krb5_get_init_creds_password"
+ msgstr ""
+ 
+-#: src/providers/data_provider_be.c:556
++#: src/providers/data_provider_be.c:582
+ msgid "Domain of the information provider (mandatory)"
+ msgstr "Domini del proveïdor d'informació (obligatori)"
+ 
+@@ -1720,48 +1720,48 @@ msgstr "Error inesperat en cercar una descripció de l'error"
+ msgid "Permission denied. "
+ msgstr "Permís denegat."
+ 
+-#: src/sss_client/pam_sss.c:77 src/sss_client/pam_sss.c:782
+-#: src/sss_client/pam_sss.c:793
++#: src/sss_client/pam_sss.c:77 src/sss_client/pam_sss.c:785
++#: src/sss_client/pam_sss.c:796
+ msgid "Server message: "
+ msgstr "Missatge del servidor: "
+ 
+-#: src/sss_client/pam_sss.c:300
++#: src/sss_client/pam_sss.c:303
+ msgid "Passwords do not match"
+ msgstr "Les contrasenyes no coincideixen"
+ 
+-#: src/sss_client/pam_sss.c:488
++#: src/sss_client/pam_sss.c:491
+ msgid "Password reset by root is not supported."
+ msgstr "No s'admet el restabliment de la contrasenya pel root."
+ 
+-#: src/sss_client/pam_sss.c:529
++#: src/sss_client/pam_sss.c:532
+ msgid "Authenticated with cached credentials"
+ msgstr "S'ha autenticat amb credencials de la memòria cau"
+ 
+-#: src/sss_client/pam_sss.c:530
++#: src/sss_client/pam_sss.c:533
+ msgid ", your cached password will expire at: "
+ msgstr ", la vostra contrasenya en memòria cau vencerà el: "
+ 
+-#: src/sss_client/pam_sss.c:560
++#: src/sss_client/pam_sss.c:563
+ #, c-format
+ msgid "Your password has expired. You have %1$d grace login(s) remaining."
+ msgstr ""
+ "La vostra contrasenya ha vençut. Teniu %1$d inicis de sessió restants de "
+ "cortesia."
+ 
+-#: src/sss_client/pam_sss.c:606
++#: src/sss_client/pam_sss.c:609
+ #, c-format
+ msgid "Your password will expire in %1$d %2$s."
+ msgstr "La vostra contrasenya vencerà en %1$d %2$s."
+ 
+-#: src/sss_client/pam_sss.c:655
++#: src/sss_client/pam_sss.c:658
+ msgid "Authentication is denied until: "
+ msgstr "S'ha denegat l'autenticació fins: "
+ 
+-#: src/sss_client/pam_sss.c:676
++#: src/sss_client/pam_sss.c:679
+ msgid "System is offline, password change not possible"
+ msgstr "El sistema està desconnectat, el canvi de contrasenya no és possible"
+ 
+-#: src/sss_client/pam_sss.c:691
++#: src/sss_client/pam_sss.c:694
+ msgid ""
+ "After changing the OTP password, you need to log out and back in order to "
+ "acquire a ticket"
+@@ -1769,43 +1769,43 @@ msgstr ""
+ "Després de canviar la contrasenya OTP, heu de tancar la sessió i tornar-la a "
+ "iniciar per tal d'adquirir un tiquet"
+ 
+-#: src/sss_client/pam_sss.c:779 src/sss_client/pam_sss.c:792
++#: src/sss_client/pam_sss.c:782 src/sss_client/pam_sss.c:795
+ msgid "Password change failed. "
+ msgstr "Ha fallat el canvi de contrasenya."
+ 
+-#: src/sss_client/pam_sss.c:1926
++#: src/sss_client/pam_sss.c:1972
+ msgid "New Password: "
+ msgstr "Nova contrasenya: "
+ 
+-#: src/sss_client/pam_sss.c:1927
++#: src/sss_client/pam_sss.c:1973
+ msgid "Reenter new Password: "
+ msgstr "Torneu a introduir la nova contrasenya: "
+ 
+-#: src/sss_client/pam_sss.c:2039 src/sss_client/pam_sss.c:2042
++#: src/sss_client/pam_sss.c:2130 src/sss_client/pam_sss.c:2133
+ msgid "First Factor: "
+ msgstr "Primer factor:"
+ 
+-#: src/sss_client/pam_sss.c:2040 src/sss_client/pam_sss.c:2202
++#: src/sss_client/pam_sss.c:2131 src/sss_client/pam_sss.c:2294
+ msgid "Second Factor (optional): "
+ msgstr ""
+ 
+-#: src/sss_client/pam_sss.c:2043 src/sss_client/pam_sss.c:2205
++#: src/sss_client/pam_sss.c:2134 src/sss_client/pam_sss.c:2297
+ msgid "Second Factor: "
+ msgstr "Segon factor:"
+ 
+-#: src/sss_client/pam_sss.c:2058
++#: src/sss_client/pam_sss.c:2149
+ msgid "Password: "
+ msgstr "Contrasenya: "
+ 
+-#: src/sss_client/pam_sss.c:2201 src/sss_client/pam_sss.c:2204
++#: src/sss_client/pam_sss.c:2293 src/sss_client/pam_sss.c:2296
+ msgid "First Factor (Current Password): "
+ msgstr ""
+ 
+-#: src/sss_client/pam_sss.c:2208
++#: src/sss_client/pam_sss.c:2300
+ msgid "Current Password: "
+ msgstr "Contrasenya actual: "
+ 
+-#: src/sss_client/pam_sss.c:2536
++#: src/sss_client/pam_sss.c:2628
+ msgid "Password expired. Change your password now."
+ msgstr "La contrasenya ha vençut. Canvieu ara la vostra contrasenya."
+ 
+@@ -1814,7 +1814,7 @@ msgstr "La contrasenya ha vençut. Canvieu ara la vostra contrasenya."
+ #: src/tools/sss_groupadd.c:41 src/tools/sss_groupdel.c:44
+ #: src/tools/sss_groupmod.c:42 src/tools/sss_groupshow.c:668
+ #: src/tools/sss_userdel.c:134 src/tools/sss_usermod.c:47
+-#: src/tools/sss_cache.c:687
++#: src/tools/sss_cache.c:702
+ msgid "The debug level to run with"
+ msgstr "El nivell de depuració amb què s'executa"
+ 
+@@ -1827,7 +1827,7 @@ msgstr "El domini SSSD a utilitzar"
+ #: src/tools/sss_groupadd.c:59 src/tools/sss_groupdel.c:54
+ #: src/tools/sss_groupmod.c:66 src/tools/sss_groupshow.c:680
+ #: src/tools/sss_userdel.c:152 src/tools/sss_usermod.c:79
+-#: src/tools/sss_cache.c:733
++#: src/tools/sss_cache.c:748
+ msgid "Error setting the locale\n"
+ msgstr "S'ha produït un error en establir la configuració regional\n"
+ 
+@@ -2313,81 +2313,81 @@ msgstr "No s'ha pogut invalidar %1$s\n"
+ msgid "Couldn't invalidate %1$s %2$s\n"
+ msgstr "No s'ha pogut invalidar %1$s %2$s\n"
+ 
+-#: src/tools/sss_cache.c:689
++#: src/tools/sss_cache.c:704
+ msgid "Invalidate all cached entries"
+ msgstr ""
+ 
+-#: src/tools/sss_cache.c:691
++#: src/tools/sss_cache.c:706
+ msgid "Invalidate particular user"
+ msgstr "Invalida un usuari determinat"
+ 
+-#: src/tools/sss_cache.c:693
++#: src/tools/sss_cache.c:708
+ msgid "Invalidate all users"
+ msgstr "Invalida tots els usuaris"
+ 
+-#: src/tools/sss_cache.c:695
++#: src/tools/sss_cache.c:710
+ msgid "Invalidate particular group"
+ msgstr "Invalida un grup determinat"
+ 
+-#: src/tools/sss_cache.c:697
++#: src/tools/sss_cache.c:712
+ msgid "Invalidate all groups"
+ msgstr "Invalida tots els grups"
+ 
+-#: src/tools/sss_cache.c:699
++#: src/tools/sss_cache.c:714
+ msgid "Invalidate particular netgroup"
+ msgstr "Invalida un grup de xarxa determinat"
+ 
+-#: src/tools/sss_cache.c:701
++#: src/tools/sss_cache.c:716
+ msgid "Invalidate all netgroups"
+ msgstr "Invalida tots els grups de xarxa"
+ 
+-#: src/tools/sss_cache.c:703
++#: src/tools/sss_cache.c:718
+ msgid "Invalidate particular service"
+ msgstr "Invalida un servei determinat"
+ 
+-#: src/tools/sss_cache.c:705
++#: src/tools/sss_cache.c:720
+ msgid "Invalidate all services"
+ msgstr "Invalida tots els serveis"
+ 
+-#: src/tools/sss_cache.c:708
++#: src/tools/sss_cache.c:723
+ msgid "Invalidate particular autofs map"
+ msgstr "Invalida una assignació autofs determinada"
+ 
+-#: src/tools/sss_cache.c:710
++#: src/tools/sss_cache.c:725
+ msgid "Invalidate all autofs maps"
+ msgstr "Invalida totes les assignacions autofs"
+ 
+-#: src/tools/sss_cache.c:714
++#: src/tools/sss_cache.c:729
+ msgid "Invalidate particular SSH host"
+ msgstr "Invalida un amfitrió SSH determinat"
+ 
+-#: src/tools/sss_cache.c:716
++#: src/tools/sss_cache.c:731
+ msgid "Invalidate all SSH hosts"
+ msgstr "Invalida tots els amfitrions SSH"
+ 
+-#: src/tools/sss_cache.c:720
++#: src/tools/sss_cache.c:735
+ msgid "Invalidate particular sudo rule"
+ msgstr ""
+ 
+-#: src/tools/sss_cache.c:722
++#: src/tools/sss_cache.c:737
+ msgid "Invalidate all cached sudo rules"
+ msgstr ""
+ 
+-#: src/tools/sss_cache.c:725
++#: src/tools/sss_cache.c:740
+ msgid "Only invalidate entries from a particular domain"
+ msgstr "Invalida les entrades només d'un domini determinat"
+ 
+-#: src/tools/sss_cache.c:779
++#: src/tools/sss_cache.c:794
+ msgid ""
+ "Unexpected argument(s) provided, options that invalidate a single object "
+ "only accept a single provided argument.\n"
+ msgstr ""
+ 
+-#: src/tools/sss_cache.c:789
++#: src/tools/sss_cache.c:804
+ msgid "Please select at least one object to invalidate\n"
+ msgstr "Si us plau, seleccioneu almenys un objecte a invalidar\n"
+ 
+-#: src/tools/sss_cache.c:872
++#: src/tools/sss_cache.c:887
+ #, c-format
+ msgid ""
+ "Could not open domain %1$s. If the domain is a subdomain (trusted domain), "
+@@ -2396,7 +2396,7 @@ msgstr ""
+ "No es pot obrir el domini %1$s. Si el domini és un subdomini (domini de "
+ "confiança), utilitzeu el FQN en lloc del paràmetre --domain/-d.\n"
+ 
+-#: src/tools/sss_cache.c:877
++#: src/tools/sss_cache.c:892
+ msgid "Could not open available domains\n"
+ msgstr "No s'han pogut obrir els dominis disponibles\n"
+ 
+@@ -2960,18 +2960,18 @@ msgstr ""
+ msgid " - no env -\n"
+ msgstr ""
+ 
+-#: src/util/util.h:75
++#: src/util/util.h:83
+ msgid "The user ID to run the server as"
+ msgstr "L'id. d'usuari amb què s'executa el servidor"
+ 
+-#: src/util/util.h:77
++#: src/util/util.h:85
+ msgid "The group ID to run the server as"
+ msgstr "L'id. de grup amb què s'executa el servidor"
+ 
+-#: src/util/util.h:85
++#: src/util/util.h:93
+ msgid "Informs that the responder has been socket-activated"
+ msgstr ""
+ 
+-#: src/util/util.h:87
++#: src/util/util.h:95
+ msgid "Informs that the responder has been dbus-activated"
+ msgstr ""
+diff --git a/po/de.po b/po/de.po
+index 1c444a001..3768e164c 100644
+--- a/po/de.po
++++ b/po/de.po
+@@ -10,7 +10,7 @@ msgid ""
+ msgstr ""
+ "Project-Id-Version: PACKAGE VERSION\n"
+ "Report-Msgid-Bugs-To: sssd-devel@lists.fedorahosted.org\n"
+-"POT-Creation-Date: 2019-03-20 22:07+0100\n"
++"POT-Creation-Date: 2019-10-07 11:34+0200\n"
+ "PO-Revision-Date: 2014-12-14 11:45+0000\n"
+ "Last-Translator: Copied by Zanata <copied-by-zanata@zanata.org>\n"
+ "Language-Team: German (http://www.transifex.com/projects/p/sssd/language/"
+@@ -1596,63 +1596,63 @@ msgstr "Versionsnummer ausgeben und das Programm beenden"
+ msgid "SSSD is already running\n"
+ msgstr ""
+ 
+-#: src/providers/krb5/krb5_child.c:3216 src/providers/ldap/ldap_child.c:605
++#: src/providers/krb5/krb5_child.c:3229 src/providers/ldap/ldap_child.c:605
+ msgid "Debug level"
+ msgstr "Fehlerdiagnosestufe"
+ 
+-#: src/providers/krb5/krb5_child.c:3218 src/providers/ldap/ldap_child.c:607
++#: src/providers/krb5/krb5_child.c:3231 src/providers/ldap/ldap_child.c:607
+ msgid "Add debug timestamps"
+ msgstr "Debug-Zeitstempel hinzufügen"
+ 
+-#: src/providers/krb5/krb5_child.c:3220 src/providers/ldap/ldap_child.c:609
++#: src/providers/krb5/krb5_child.c:3233 src/providers/ldap/ldap_child.c:609
+ msgid "Show timestamps with microseconds"
+ msgstr "Zeitstempel mit Mikrosekunden anzeigen"
+ 
+-#: src/providers/krb5/krb5_child.c:3222 src/providers/ldap/ldap_child.c:611
++#: src/providers/krb5/krb5_child.c:3235 src/providers/ldap/ldap_child.c:611
+ msgid "An open file descriptor for the debug logs"
+ msgstr "Offener Dateideskriptor für die Debug-Protokolle"
+ 
+-#: src/providers/krb5/krb5_child.c:3225 src/providers/ldap/ldap_child.c:613
++#: src/providers/krb5/krb5_child.c:3238 src/providers/ldap/ldap_child.c:613
+ msgid "Send the debug output to stderr directly."
+ msgstr ""
+ 
+-#: src/providers/krb5/krb5_child.c:3228
++#: src/providers/krb5/krb5_child.c:3241
+ msgid "The user to create FAST ccache as"
+ msgstr ""
+ 
+-#: src/providers/krb5/krb5_child.c:3230
++#: src/providers/krb5/krb5_child.c:3243
+ msgid "The group to create FAST ccache as"
+ msgstr ""
+ 
+-#: src/providers/krb5/krb5_child.c:3232
++#: src/providers/krb5/krb5_child.c:3245
+ msgid "Kerberos realm to use"
+ msgstr ""
+ 
+-#: src/providers/krb5/krb5_child.c:3234
++#: src/providers/krb5/krb5_child.c:3247
+ msgid "Requested lifetime of the ticket"
+ msgstr ""
+ 
+-#: src/providers/krb5/krb5_child.c:3236
++#: src/providers/krb5/krb5_child.c:3249
+ msgid "Requested renewable lifetime of the ticket"
+ msgstr ""
+ 
+-#: src/providers/krb5/krb5_child.c:3238
++#: src/providers/krb5/krb5_child.c:3251
+ msgid "FAST options ('never', 'try', 'demand')"
+ msgstr ""
+ 
+-#: src/providers/krb5/krb5_child.c:3241
++#: src/providers/krb5/krb5_child.c:3254
+ msgid "Specifies the server principal to use for FAST"
+ msgstr ""
+ 
+-#: src/providers/krb5/krb5_child.c:3243
++#: src/providers/krb5/krb5_child.c:3256
+ msgid "Requests canonicalization of the principal name"
+ msgstr ""
+ 
+-#: src/providers/krb5/krb5_child.c:3245
++#: src/providers/krb5/krb5_child.c:3258
+ msgid "Use custom version of krb5_get_init_creds_password"
+ msgstr ""
+ 
+-#: src/providers/data_provider_be.c:556
++#: src/providers/data_provider_be.c:582
+ msgid "Domain of the information provider (mandatory)"
+ msgstr "Domain des Informationsanbieters (obligatorisch)"
+ 
+@@ -1685,47 +1685,47 @@ msgstr "Unerwarteter Fehler beim Suchen nach einer Fehlerbeschreibung"
+ msgid "Permission denied. "
+ msgstr ""
+ 
+-#: src/sss_client/pam_sss.c:77 src/sss_client/pam_sss.c:782
+-#: src/sss_client/pam_sss.c:793
++#: src/sss_client/pam_sss.c:77 src/sss_client/pam_sss.c:785
++#: src/sss_client/pam_sss.c:796
+ msgid "Server message: "
+ msgstr "Server-Meldung: "
+ 
+-#: src/sss_client/pam_sss.c:300
++#: src/sss_client/pam_sss.c:303
+ msgid "Passwords do not match"
+ msgstr "Passwörter stimmen nicht überein"
+ 
+-#: src/sss_client/pam_sss.c:488
++#: src/sss_client/pam_sss.c:491
+ msgid "Password reset by root is not supported."
+ msgstr "Das Zurücksetzen des Passworts durch Root wird nicht unterstützt."
+ 
+-#: src/sss_client/pam_sss.c:529
++#: src/sss_client/pam_sss.c:532
+ msgid "Authenticated with cached credentials"
+ msgstr "Authentifiziert mit zwischengespeicherten Anmeldedaten"
+ 
+-#: src/sss_client/pam_sss.c:530
++#: src/sss_client/pam_sss.c:533
+ msgid ", your cached password will expire at: "
+ msgstr ", Ihr zwischengespeichertes Passwort läuft ab am: "
+ 
+-#: src/sss_client/pam_sss.c:560
++#: src/sss_client/pam_sss.c:563
+ #, c-format
+ msgid "Your password has expired. You have %1$d grace login(s) remaining."
+ msgstr ""
+ "Ihr Passwort ist abgelaufen. Ihnen verbleiben nur noch %1$d Anmeldungen."
+ 
+-#: src/sss_client/pam_sss.c:606
++#: src/sss_client/pam_sss.c:609
+ #, c-format
+ msgid "Your password will expire in %1$d %2$s."
+ msgstr "Ihr Passwort wird in %1$d %2$s ablaufen."
+ 
+-#: src/sss_client/pam_sss.c:655
++#: src/sss_client/pam_sss.c:658
+ msgid "Authentication is denied until: "
+ msgstr "Authentifizierung wird verweigert bis: "
+ 
+-#: src/sss_client/pam_sss.c:676
++#: src/sss_client/pam_sss.c:679
+ msgid "System is offline, password change not possible"
+ msgstr "System ist offline, Änderung des Passworts ist nicht möglich"
+ 
+-#: src/sss_client/pam_sss.c:691
++#: src/sss_client/pam_sss.c:694
+ msgid ""
+ "After changing the OTP password, you need to log out and back in order to "
+ "acquire a ticket"
+@@ -1733,43 +1733,43 @@ msgstr ""
+ "Nach dem Ändern des OTP-Passworts müssen Sie sich ab- und wieder anmelden, "
+ "um ein Ticket erhalten zu können"
+ 
+-#: src/sss_client/pam_sss.c:779 src/sss_client/pam_sss.c:792
++#: src/sss_client/pam_sss.c:782 src/sss_client/pam_sss.c:795
+ msgid "Password change failed. "
+ msgstr "Änderung des Passworts fehlgeschlagen. "
+ 
+-#: src/sss_client/pam_sss.c:1926
++#: src/sss_client/pam_sss.c:1972
+ msgid "New Password: "
+ msgstr "Neues Passwort: "
+ 
+-#: src/sss_client/pam_sss.c:1927
++#: src/sss_client/pam_sss.c:1973
+ msgid "Reenter new Password: "
+ msgstr "Neues Passwort wiederholen: "
+ 
+-#: src/sss_client/pam_sss.c:2039 src/sss_client/pam_sss.c:2042
++#: src/sss_client/pam_sss.c:2130 src/sss_client/pam_sss.c:2133
+ msgid "First Factor: "
+ msgstr ""
+ 
+-#: src/sss_client/pam_sss.c:2040 src/sss_client/pam_sss.c:2202
++#: src/sss_client/pam_sss.c:2131 src/sss_client/pam_sss.c:2294
+ msgid "Second Factor (optional): "
+ msgstr ""
+ 
+-#: src/sss_client/pam_sss.c:2043 src/sss_client/pam_sss.c:2205
++#: src/sss_client/pam_sss.c:2134 src/sss_client/pam_sss.c:2297
+ msgid "Second Factor: "
+ msgstr ""
+ 
+-#: src/sss_client/pam_sss.c:2058
++#: src/sss_client/pam_sss.c:2149
+ msgid "Password: "
+ msgstr "Passwort: "
+ 
+-#: src/sss_client/pam_sss.c:2201 src/sss_client/pam_sss.c:2204
++#: src/sss_client/pam_sss.c:2293 src/sss_client/pam_sss.c:2296
+ msgid "First Factor (Current Password): "
+ msgstr ""
+ 
+-#: src/sss_client/pam_sss.c:2208
++#: src/sss_client/pam_sss.c:2300
+ msgid "Current Password: "
+ msgstr "Aktuelles Passwort: "
+ 
+-#: src/sss_client/pam_sss.c:2536
++#: src/sss_client/pam_sss.c:2628
+ msgid "Password expired. Change your password now."
+ msgstr "Passwort ist abgelaufen. Ändern Sie Ihr Passwort jetzt."
+ 
+@@ -1778,7 +1778,7 @@ msgstr "Passwort ist abgelaufen. Ändern Sie Ihr Passwort jetzt."
+ #: src/tools/sss_groupadd.c:41 src/tools/sss_groupdel.c:44
+ #: src/tools/sss_groupmod.c:42 src/tools/sss_groupshow.c:668
+ #: src/tools/sss_userdel.c:134 src/tools/sss_usermod.c:47
+-#: src/tools/sss_cache.c:687
++#: src/tools/sss_cache.c:702
+ msgid "The debug level to run with"
+ msgstr "Stufe, mit der die Fehlerdiagnose ausgeführt werden soll"
+ 
+@@ -1791,7 +1791,7 @@ msgstr "Die zu verwendende SSSD-Domain"
+ #: src/tools/sss_groupadd.c:59 src/tools/sss_groupdel.c:54
+ #: src/tools/sss_groupmod.c:66 src/tools/sss_groupshow.c:680
+ #: src/tools/sss_userdel.c:152 src/tools/sss_usermod.c:79
+-#: src/tools/sss_cache.c:733
++#: src/tools/sss_cache.c:748
+ msgid "Error setting the locale\n"
+ msgstr "Fehler beim Setzen der Locale-Einstellung\n"
+ 
+@@ -2279,81 +2279,81 @@ msgstr ""
+ msgid "Couldn't invalidate %1$s %2$s\n"
+ msgstr ""
+ 
+-#: src/tools/sss_cache.c:689
++#: src/tools/sss_cache.c:704
+ msgid "Invalidate all cached entries"
+ msgstr ""
+ 
+-#: src/tools/sss_cache.c:691
++#: src/tools/sss_cache.c:706
+ msgid "Invalidate particular user"
+ msgstr "Bestimmten Benutzer annullieren"
+ 
+-#: src/tools/sss_cache.c:693
++#: src/tools/sss_cache.c:708
+ msgid "Invalidate all users"
+ msgstr "Alle Benutzer annullieren"
+ 
+-#: src/tools/sss_cache.c:695
++#: src/tools/sss_cache.c:710
+ msgid "Invalidate particular group"
+ msgstr "Bestimmte Gruppe annullieren"
+ 
+-#: src/tools/sss_cache.c:697
++#: src/tools/sss_cache.c:712
+ msgid "Invalidate all groups"
+ msgstr "Alle Gruppen annullieren"
+ 
+-#: src/tools/sss_cache.c:699
++#: src/tools/sss_cache.c:714
+ msgid "Invalidate particular netgroup"
+ msgstr "Bestimmte Netzgruppe annullieren"
+ 
+-#: src/tools/sss_cache.c:701
++#: src/tools/sss_cache.c:716
+ msgid "Invalidate all netgroups"
+ msgstr "Alle Netzgruppen annullieren"
+ 
+-#: src/tools/sss_cache.c:703
++#: src/tools/sss_cache.c:718
+ msgid "Invalidate particular service"
+ msgstr "Bestimmten Dienst annullieren"
+ 
+-#: src/tools/sss_cache.c:705
++#: src/tools/sss_cache.c:720
+ msgid "Invalidate all services"
+ msgstr "Alle Dienste annullieren"
+ 
+-#: src/tools/sss_cache.c:708
++#: src/tools/sss_cache.c:723
+ msgid "Invalidate particular autofs map"
+ msgstr "Bestimmte autofs-Zuweisung annullieren"
+ 
+-#: src/tools/sss_cache.c:710
++#: src/tools/sss_cache.c:725
+ msgid "Invalidate all autofs maps"
+ msgstr "Alle autofs-Zuweisungen annullieren"
+ 
+-#: src/tools/sss_cache.c:714
++#: src/tools/sss_cache.c:729
+ msgid "Invalidate particular SSH host"
+ msgstr ""
+ 
+-#: src/tools/sss_cache.c:716
++#: src/tools/sss_cache.c:731
+ msgid "Invalidate all SSH hosts"
+ msgstr ""
+ 
+-#: src/tools/sss_cache.c:720
++#: src/tools/sss_cache.c:735
+ msgid "Invalidate particular sudo rule"
+ msgstr ""
+ 
+-#: src/tools/sss_cache.c:722
++#: src/tools/sss_cache.c:737
+ msgid "Invalidate all cached sudo rules"
+ msgstr ""
+ 
+-#: src/tools/sss_cache.c:725
++#: src/tools/sss_cache.c:740
+ msgid "Only invalidate entries from a particular domain"
+ msgstr "Nur Einträge einer bestimmten Domain annullieren"
+ 
+-#: src/tools/sss_cache.c:779
++#: src/tools/sss_cache.c:794
+ msgid ""
+ "Unexpected argument(s) provided, options that invalidate a single object "
+ "only accept a single provided argument.\n"
+ msgstr ""
+ 
+-#: src/tools/sss_cache.c:789
++#: src/tools/sss_cache.c:804
+ msgid "Please select at least one object to invalidate\n"
+ msgstr "Bitte wählen Sie mindestens ein Objekt für die Annullierung\n"
+ 
+-#: src/tools/sss_cache.c:872
++#: src/tools/sss_cache.c:887
+ #, c-format
+ msgid ""
+ "Could not open domain %1$s. If the domain is a subdomain (trusted domain), "
+@@ -2363,7 +2363,7 @@ msgstr ""
+ "(trusted domain) handelt, verwenden Sie den voll ausgeschriebenen Namen "
+ "anstelle des Parameters --domain/-d.\n"
+ 
+-#: src/tools/sss_cache.c:877
++#: src/tools/sss_cache.c:892
+ msgid "Could not open available domains\n"
+ msgstr "Verfügbare Domains konnten nicht geöffnet werden\n"
+ 
+@@ -2927,18 +2927,18 @@ msgstr ""
+ msgid " - no env -\n"
+ msgstr ""
+ 
+-#: src/util/util.h:75
++#: src/util/util.h:83
+ msgid "The user ID to run the server as"
+ msgstr ""
+ 
+-#: src/util/util.h:77
++#: src/util/util.h:85
+ msgid "The group ID to run the server as"
+ msgstr ""
+ 
+-#: src/util/util.h:85
++#: src/util/util.h:93
+ msgid "Informs that the responder has been socket-activated"
+ msgstr ""
+ 
+-#: src/util/util.h:87
++#: src/util/util.h:95
+ msgid "Informs that the responder has been dbus-activated"
+ msgstr ""
+diff --git a/po/es.po b/po/es.po
+index 05b716fab..6171a51fb 100644
+--- a/po/es.po
++++ b/po/es.po
+@@ -17,7 +17,7 @@ msgid ""
+ msgstr ""
+ "Project-Id-Version: PACKAGE VERSION\n"
+ "Report-Msgid-Bugs-To: sssd-devel@lists.fedorahosted.org\n"
+-"POT-Creation-Date: 2019-03-20 22:07+0100\n"
++"POT-Creation-Date: 2019-10-07 11:34+0200\n"
+ "PO-Revision-Date: 2018-09-10 10:06+0000\n"
+ "Last-Translator: Emilio Herrera <ehespinosa57@gmail.com>\n"
+ "Language-Team: Spanish (http://www.transifex.com/projects/p/sssd/language/"
+@@ -1647,63 +1647,63 @@ msgstr "Muestra el número de versión y finaliza"
+ msgid "SSSD is already running\n"
+ msgstr "SSSD ya está corriendo\n"
+ 
+-#: src/providers/krb5/krb5_child.c:3216 src/providers/ldap/ldap_child.c:605
++#: src/providers/krb5/krb5_child.c:3229 src/providers/ldap/ldap_child.c:605
+ msgid "Debug level"
+ msgstr "Nive de depuración"
+ 
+-#: src/providers/krb5/krb5_child.c:3218 src/providers/ldap/ldap_child.c:607
++#: src/providers/krb5/krb5_child.c:3231 src/providers/ldap/ldap_child.c:607
+ msgid "Add debug timestamps"
+ msgstr "Agregar marcas de tiempo de depuración"
+ 
+-#: src/providers/krb5/krb5_child.c:3220 src/providers/ldap/ldap_child.c:609
++#: src/providers/krb5/krb5_child.c:3233 src/providers/ldap/ldap_child.c:609
+ msgid "Show timestamps with microseconds"
+ msgstr "Mostrar marcas de tiempo con microsegundos"
+ 
+-#: src/providers/krb5/krb5_child.c:3222 src/providers/ldap/ldap_child.c:611
++#: src/providers/krb5/krb5_child.c:3235 src/providers/ldap/ldap_child.c:611
+ msgid "An open file descriptor for the debug logs"
+ msgstr "Un arhivo abierto de descriptor para los registros de depuración"
+ 
+-#: src/providers/krb5/krb5_child.c:3225 src/providers/ldap/ldap_child.c:613
++#: src/providers/krb5/krb5_child.c:3238 src/providers/ldap/ldap_child.c:613
+ msgid "Send the debug output to stderr directly."
+ msgstr "Enviar la salida de depuración a stderr directamente."
+ 
+-#: src/providers/krb5/krb5_child.c:3228
++#: src/providers/krb5/krb5_child.c:3241
+ msgid "The user to create FAST ccache as"
+ msgstr "El usuario para crear FAST ccache como"
+ 
+-#: src/providers/krb5/krb5_child.c:3230
++#: src/providers/krb5/krb5_child.c:3243
+ msgid "The group to create FAST ccache as"
+ msgstr "El grupo para crear FAST ccache como"
+ 
+-#: src/providers/krb5/krb5_child.c:3232
++#: src/providers/krb5/krb5_child.c:3245
+ msgid "Kerberos realm to use"
+ msgstr "Reino Kerberos a usar"
+ 
+-#: src/providers/krb5/krb5_child.c:3234
++#: src/providers/krb5/krb5_child.c:3247
+ msgid "Requested lifetime of the ticket"
+ msgstr "Tiempo de vida pedido del ticket"
+ 
+-#: src/providers/krb5/krb5_child.c:3236
++#: src/providers/krb5/krb5_child.c:3249
+ msgid "Requested renewable lifetime of the ticket"
+ msgstr "Teimpo de vida renovable pedido del ticket"
+ 
+-#: src/providers/krb5/krb5_child.c:3238
++#: src/providers/krb5/krb5_child.c:3251
+ msgid "FAST options ('never', 'try', 'demand')"
+ msgstr "Opciones FAST ('never', 'try', 'demand')"
+ 
+-#: src/providers/krb5/krb5_child.c:3241
++#: src/providers/krb5/krb5_child.c:3254
+ msgid "Specifies the server principal to use for FAST"
+ msgstr "Especifica el servidor principal a usar por FAST"
+ 
+-#: src/providers/krb5/krb5_child.c:3243
++#: src/providers/krb5/krb5_child.c:3256
+ msgid "Requests canonicalization of the principal name"
+ msgstr "Solicita la canonización del nombre principal"
+ 
+-#: src/providers/krb5/krb5_child.c:3245
++#: src/providers/krb5/krb5_child.c:3258
+ msgid "Use custom version of krb5_get_init_creds_password"
+ msgstr "Usar versión personal de krb5_get_init_creds_password"
+ 
+-#: src/providers/data_provider_be.c:556
++#: src/providers/data_provider_be.c:582
+ msgid "Domain of the information provider (mandatory)"
+ msgstr "Dominio del proveedor de información (obligatorio)"
+ 
+@@ -1736,46 +1736,46 @@ msgstr ""
+ msgid "Permission denied. "
+ msgstr "Permiso denegado."
+ 
+-#: src/sss_client/pam_sss.c:77 src/sss_client/pam_sss.c:782
+-#: src/sss_client/pam_sss.c:793
++#: src/sss_client/pam_sss.c:77 src/sss_client/pam_sss.c:785
++#: src/sss_client/pam_sss.c:796
+ msgid "Server message: "
+ msgstr "Mensaje del servidor:"
+ 
+-#: src/sss_client/pam_sss.c:300
++#: src/sss_client/pam_sss.c:303
+ msgid "Passwords do not match"
+ msgstr "Las contraseñas no coinciden"
+ 
+-#: src/sss_client/pam_sss.c:488
++#: src/sss_client/pam_sss.c:491
+ msgid "Password reset by root is not supported."
+ msgstr "No existe soporte para reseteado de la contraseña por el usuario root."
+ 
+-#: src/sss_client/pam_sss.c:529
++#: src/sss_client/pam_sss.c:532
+ msgid "Authenticated with cached credentials"
+ msgstr "Autenticado mediante credenciales cacheada"
+ 
+-#: src/sss_client/pam_sss.c:530
++#: src/sss_client/pam_sss.c:533
+ msgid ", your cached password will expire at: "
+ msgstr ", su contraseña cacheada vencerá el:"
+ 
+-#: src/sss_client/pam_sss.c:560
++#: src/sss_client/pam_sss.c:563
+ #, c-format
+ msgid "Your password has expired. You have %1$d grace login(s) remaining."
+ msgstr "Su contraseña ha expirado. Usted tiene %1$d accesos restantes."
+ 
+-#: src/sss_client/pam_sss.c:606
++#: src/sss_client/pam_sss.c:609
+ #, c-format
+ msgid "Your password will expire in %1$d %2$s."
+ msgstr "Su contraseña expirará en %1$d %2$s."
+ 
+-#: src/sss_client/pam_sss.c:655
++#: src/sss_client/pam_sss.c:658
+ msgid "Authentication is denied until: "
+ msgstr "La autenticación ha sido denegada hasta:"
+ 
+-#: src/sss_client/pam_sss.c:676
++#: src/sss_client/pam_sss.c:679
+ msgid "System is offline, password change not possible"
+ msgstr "El sistema está fuera de línea, no se puede cambiar la contraseña"
+ 
+-#: src/sss_client/pam_sss.c:691
++#: src/sss_client/pam_sss.c:694
+ msgid ""
+ "After changing the OTP password, you need to log out and back in order to "
+ "acquire a ticket"
+@@ -1783,43 +1783,43 @@ msgstr ""
+ "Después de cambiar la contraseña OTP, usted debe salir y volver a entrar con "
+ "el objetivo de fijarla"
+ 
+-#: src/sss_client/pam_sss.c:779 src/sss_client/pam_sss.c:792
++#: src/sss_client/pam_sss.c:782 src/sss_client/pam_sss.c:795
+ msgid "Password change failed. "
+ msgstr "Falló el cambio de contraseña."
+ 
+-#: src/sss_client/pam_sss.c:1926
++#: src/sss_client/pam_sss.c:1972
+ msgid "New Password: "
+ msgstr "Nueva contraseña: "
+ 
+-#: src/sss_client/pam_sss.c:1927
++#: src/sss_client/pam_sss.c:1973
+ msgid "Reenter new Password: "
+ msgstr "Reingrese la contraseña nueva:"
+ 
+-#: src/sss_client/pam_sss.c:2039 src/sss_client/pam_sss.c:2042
++#: src/sss_client/pam_sss.c:2130 src/sss_client/pam_sss.c:2133
+ msgid "First Factor: "
+ msgstr "Primer Factor: "
+ 
+-#: src/sss_client/pam_sss.c:2040 src/sss_client/pam_sss.c:2202
++#: src/sss_client/pam_sss.c:2131 src/sss_client/pam_sss.c:2294
+ msgid "Second Factor (optional): "
+ msgstr "Segundo Factor (opcional): "
+ 
+-#: src/sss_client/pam_sss.c:2043 src/sss_client/pam_sss.c:2205
++#: src/sss_client/pam_sss.c:2134 src/sss_client/pam_sss.c:2297
+ msgid "Second Factor: "
+ msgstr "Segundo Factor:"
+ 
+-#: src/sss_client/pam_sss.c:2058
++#: src/sss_client/pam_sss.c:2149
+ msgid "Password: "
+ msgstr "Contraseña: "
+ 
+-#: src/sss_client/pam_sss.c:2201 src/sss_client/pam_sss.c:2204
++#: src/sss_client/pam_sss.c:2293 src/sss_client/pam_sss.c:2296
+ msgid "First Factor (Current Password): "
+ msgstr "Primer Factor (Contraseña Actual): "
+ 
+-#: src/sss_client/pam_sss.c:2208
++#: src/sss_client/pam_sss.c:2300
+ msgid "Current Password: "
+ msgstr "Contraseña actual: "
+ 
+-#: src/sss_client/pam_sss.c:2536
++#: src/sss_client/pam_sss.c:2628
+ msgid "Password expired. Change your password now."
+ msgstr "La contraseña ha expirado. Modifíquela en este preciso momento."
+ 
+@@ -1828,7 +1828,7 @@ msgstr "La contraseña ha expirado. Modifíquela en este preciso momento."
+ #: src/tools/sss_groupadd.c:41 src/tools/sss_groupdel.c:44
+ #: src/tools/sss_groupmod.c:42 src/tools/sss_groupshow.c:668
+ #: src/tools/sss_userdel.c:134 src/tools/sss_usermod.c:47
+-#: src/tools/sss_cache.c:687
++#: src/tools/sss_cache.c:702
+ msgid "The debug level to run with"
+ msgstr "Nivel de depuración en que se debe ejecutar"
+ 
+@@ -1841,7 +1841,7 @@ msgstr "El dominio SSSD a usar"
+ #: src/tools/sss_groupadd.c:59 src/tools/sss_groupdel.c:54
+ #: src/tools/sss_groupmod.c:66 src/tools/sss_groupshow.c:680
+ #: src/tools/sss_userdel.c:152 src/tools/sss_usermod.c:79
+-#: src/tools/sss_cache.c:733
++#: src/tools/sss_cache.c:748
+ msgid "Error setting the locale\n"
+ msgstr "Error al poner la región\n"
+ 
+@@ -2323,71 +2323,71 @@ msgstr "No podría invalidar %1$s\n"
+ msgid "Couldn't invalidate %1$s %2$s\n"
+ msgstr "No podría invalidar %1$s %2$s\n"
+ 
+-#: src/tools/sss_cache.c:689
++#: src/tools/sss_cache.c:704
+ msgid "Invalidate all cached entries"
+ msgstr "Invalidar todas las entradas en el cache"
+ 
+-#: src/tools/sss_cache.c:691
++#: src/tools/sss_cache.c:706
+ msgid "Invalidate particular user"
+ msgstr "Usuario particular invalidado"
+ 
+-#: src/tools/sss_cache.c:693
++#: src/tools/sss_cache.c:708
+ msgid "Invalidate all users"
+ msgstr "Todos los usuarios invalidados"
+ 
+-#: src/tools/sss_cache.c:695
++#: src/tools/sss_cache.c:710
+ msgid "Invalidate particular group"
+ msgstr "Invalidar grupo concreto"
+ 
+-#: src/tools/sss_cache.c:697
++#: src/tools/sss_cache.c:712
+ msgid "Invalidate all groups"
+ msgstr "Invalidar todos los grupos"
+ 
+-#: src/tools/sss_cache.c:699
++#: src/tools/sss_cache.c:714
+ msgid "Invalidate particular netgroup"
+ msgstr "Invalidar un grupo de red concreto"
+ 
+-#: src/tools/sss_cache.c:701
++#: src/tools/sss_cache.c:716
+ msgid "Invalidate all netgroups"
+ msgstr "Invalidar todos los grupos de red"
+ 
+-#: src/tools/sss_cache.c:703
++#: src/tools/sss_cache.c:718
+ msgid "Invalidate particular service"
+ msgstr "Invalidar un servicio concreto"
+ 
+-#: src/tools/sss_cache.c:705
++#: src/tools/sss_cache.c:720
+ msgid "Invalidate all services"
+ msgstr "Invalidar todos los servicios"
+ 
+-#: src/tools/sss_cache.c:708
++#: src/tools/sss_cache.c:723
+ msgid "Invalidate particular autofs map"
+ msgstr "Invalidar mapa autofs concreto"
+ 
+-#: src/tools/sss_cache.c:710
++#: src/tools/sss_cache.c:725
+ msgid "Invalidate all autofs maps"
+ msgstr "Invalidar todos los mapas autofs"
+ 
+-#: src/tools/sss_cache.c:714
++#: src/tools/sss_cache.c:729
+ msgid "Invalidate particular SSH host"
+ msgstr "Invalidar SSH host concreto"
+ 
+-#: src/tools/sss_cache.c:716
++#: src/tools/sss_cache.c:731
+ msgid "Invalidate all SSH hosts"
+ msgstr "Invalidar todos los hosts SSH"
+ 
+-#: src/tools/sss_cache.c:720
++#: src/tools/sss_cache.c:735
+ msgid "Invalidate particular sudo rule"
+ msgstr "Invalidar una regla sudo concreta"
+ 
+-#: src/tools/sss_cache.c:722
++#: src/tools/sss_cache.c:737
+ msgid "Invalidate all cached sudo rules"
+ msgstr "Invalidar todas las reglas sudo cacheadas"
+ 
+-#: src/tools/sss_cache.c:725
++#: src/tools/sss_cache.c:740
+ msgid "Only invalidate entries from a particular domain"
+ msgstr "Solo invalidar las entradas de un dominio concreto"
+ 
+-#: src/tools/sss_cache.c:779
++#: src/tools/sss_cache.c:794
+ msgid ""
+ "Unexpected argument(s) provided, options that invalidate a single object "
+ "only accept a single provided argument.\n"
+@@ -2395,11 +2395,11 @@ msgstr ""
+ "Se han suministrado argumento(s) no esperado, opciones que invalidan un "
+ "único objeto solo aceptan que se les suministre un único argumento.\n"
+ 
+-#: src/tools/sss_cache.c:789
++#: src/tools/sss_cache.c:804
+ msgid "Please select at least one object to invalidate\n"
+ msgstr "Por favor seleccione al menos un objeto par invalidar\n"
+ 
+-#: src/tools/sss_cache.c:872
++#: src/tools/sss_cache.c:887
+ #, c-format
+ msgid ""
+ "Could not open domain %1$s. If the domain is a subdomain (trusted domain), "
+@@ -2409,7 +2409,7 @@ msgstr ""
+ "confiable), use el nombre totalmente cualificado en lugar de --domain/-d "
+ "parametro.\n"
+ 
+-#: src/tools/sss_cache.c:877
++#: src/tools/sss_cache.c:892
+ msgid "Could not open available domains\n"
+ msgstr "No podría abrir los dominios disponibles\n"
+ 
+@@ -3011,18 +3011,18 @@ msgstr "Entorno PAM:\n"
+ msgid " - no env -\n"
+ msgstr " - no env -\n"
+ 
+-#: src/util/util.h:75
++#: src/util/util.h:83
+ msgid "The user ID to run the server as"
+ msgstr "La ID de usuario para ejecutar el servidor como"
+ 
+-#: src/util/util.h:77
++#: src/util/util.h:85
+ msgid "The group ID to run the server as"
+ msgstr "La ID de grupo para ejecutar el servidor como"
+ 
+-#: src/util/util.h:85
++#: src/util/util.h:93
+ msgid "Informs that the responder has been socket-activated"
+ msgstr "Informa que el contestador ha sido socket-activated"
+ 
+-#: src/util/util.h:87
++#: src/util/util.h:95
+ msgid "Informs that the responder has been dbus-activated"
+ msgstr "Informa que el contestador ha sido dbus-activated"
+diff --git a/po/eu.po b/po/eu.po
+index 69af71f4d..0d2fea3e2 100644
+--- a/po/eu.po
++++ b/po/eu.po
+@@ -8,7 +8,7 @@ msgid ""
+ msgstr ""
+ "Project-Id-Version: PACKAGE VERSION\n"
+ "Report-Msgid-Bugs-To: sssd-devel@lists.fedorahosted.org\n"
+-"POT-Creation-Date: 2019-03-20 22:07+0100\n"
++"POT-Creation-Date: 2019-10-07 11:34+0200\n"
+ "PO-Revision-Date: 2014-12-14 11:45+0000\n"
+ "Last-Translator: Copied by Zanata <copied-by-zanata@zanata.org>\n"
+ "Language-Team: Basque (http://www.transifex.com/projects/p/sssd/language/"
+@@ -1508,63 +1508,63 @@ msgstr "Inprimatu bertsio zenbakia eta irten"
+ msgid "SSSD is already running\n"
+ msgstr ""
+ 
+-#: src/providers/krb5/krb5_child.c:3216 src/providers/ldap/ldap_child.c:605
++#: src/providers/krb5/krb5_child.c:3229 src/providers/ldap/ldap_child.c:605
+ msgid "Debug level"
+ msgstr "Arazketa maila"
+ 
+-#: src/providers/krb5/krb5_child.c:3218 src/providers/ldap/ldap_child.c:607
++#: src/providers/krb5/krb5_child.c:3231 src/providers/ldap/ldap_child.c:607
+ msgid "Add debug timestamps"
+ msgstr "Gehitu arazketako data-zigiluak"
+ 
+-#: src/providers/krb5/krb5_child.c:3220 src/providers/ldap/ldap_child.c:609
++#: src/providers/krb5/krb5_child.c:3233 src/providers/ldap/ldap_child.c:609
+ msgid "Show timestamps with microseconds"
+ msgstr ""
+ 
+-#: src/providers/krb5/krb5_child.c:3222 src/providers/ldap/ldap_child.c:611
++#: src/providers/krb5/krb5_child.c:3235 src/providers/ldap/ldap_child.c:611
+ msgid "An open file descriptor for the debug logs"
+ msgstr ""
+ 
+-#: src/providers/krb5/krb5_child.c:3225 src/providers/ldap/ldap_child.c:613
++#: src/providers/krb5/krb5_child.c:3238 src/providers/ldap/ldap_child.c:613
+ msgid "Send the debug output to stderr directly."
+ msgstr ""
+ 
+-#: src/providers/krb5/krb5_child.c:3228
++#: src/providers/krb5/krb5_child.c:3241
+ msgid "The user to create FAST ccache as"
+ msgstr ""
+ 
+-#: src/providers/krb5/krb5_child.c:3230
++#: src/providers/krb5/krb5_child.c:3243
+ msgid "The group to create FAST ccache as"
+ msgstr ""
+ 
+-#: src/providers/krb5/krb5_child.c:3232
++#: src/providers/krb5/krb5_child.c:3245
+ msgid "Kerberos realm to use"
+ msgstr ""
+ 
+-#: src/providers/krb5/krb5_child.c:3234
++#: src/providers/krb5/krb5_child.c:3247
+ msgid "Requested lifetime of the ticket"
+ msgstr ""
+ 
+-#: src/providers/krb5/krb5_child.c:3236
++#: src/providers/krb5/krb5_child.c:3249
+ msgid "Requested renewable lifetime of the ticket"
+ msgstr ""
+ 
+-#: src/providers/krb5/krb5_child.c:3238
++#: src/providers/krb5/krb5_child.c:3251
+ msgid "FAST options ('never', 'try', 'demand')"
+ msgstr ""
+ 
+-#: src/providers/krb5/krb5_child.c:3241
++#: src/providers/krb5/krb5_child.c:3254
+ msgid "Specifies the server principal to use for FAST"
+ msgstr ""
+ 
+-#: src/providers/krb5/krb5_child.c:3243
++#: src/providers/krb5/krb5_child.c:3256
+ msgid "Requests canonicalization of the principal name"
+ msgstr ""
+ 
+-#: src/providers/krb5/krb5_child.c:3245
++#: src/providers/krb5/krb5_child.c:3258
+ msgid "Use custom version of krb5_get_init_creds_password"
+ msgstr ""
+ 
+-#: src/providers/data_provider_be.c:556
++#: src/providers/data_provider_be.c:582
+ msgid "Domain of the information provider (mandatory)"
+ msgstr ""
+ 
+@@ -1596,88 +1596,88 @@ msgstr ""
+ msgid "Permission denied. "
+ msgstr ""
+ 
+-#: src/sss_client/pam_sss.c:77 src/sss_client/pam_sss.c:782
+-#: src/sss_client/pam_sss.c:793
++#: src/sss_client/pam_sss.c:77 src/sss_client/pam_sss.c:785
++#: src/sss_client/pam_sss.c:796
+ msgid "Server message: "
+ msgstr ""
+ 
+-#: src/sss_client/pam_sss.c:300
++#: src/sss_client/pam_sss.c:303
+ msgid "Passwords do not match"
+ msgstr ""
+ 
+-#: src/sss_client/pam_sss.c:488
++#: src/sss_client/pam_sss.c:491
+ msgid "Password reset by root is not supported."
+ msgstr ""
+ 
+-#: src/sss_client/pam_sss.c:529
++#: src/sss_client/pam_sss.c:532
+ msgid "Authenticated with cached credentials"
+ msgstr ""
+ 
+-#: src/sss_client/pam_sss.c:530
++#: src/sss_client/pam_sss.c:533
+ msgid ", your cached password will expire at: "
+ msgstr ""
+ 
+-#: src/sss_client/pam_sss.c:560
++#: src/sss_client/pam_sss.c:563
+ #, c-format
+ msgid "Your password has expired. You have %1$d grace login(s) remaining."
+ msgstr ""
+ 
+-#: src/sss_client/pam_sss.c:606
++#: src/sss_client/pam_sss.c:609
+ #, c-format
+ msgid "Your password will expire in %1$d %2$s."
+ msgstr ""
+ 
+-#: src/sss_client/pam_sss.c:655
++#: src/sss_client/pam_sss.c:658
+ msgid "Authentication is denied until: "
+ msgstr ""
+ 
+-#: src/sss_client/pam_sss.c:676
++#: src/sss_client/pam_sss.c:679
+ msgid "System is offline, password change not possible"
+ msgstr ""
+ 
+-#: src/sss_client/pam_sss.c:691
++#: src/sss_client/pam_sss.c:694
+ msgid ""
+ "After changing the OTP password, you need to log out and back in order to "
+ "acquire a ticket"
+ msgstr ""
+ 
+-#: src/sss_client/pam_sss.c:779 src/sss_client/pam_sss.c:792
++#: src/sss_client/pam_sss.c:782 src/sss_client/pam_sss.c:795
+ msgid "Password change failed. "
+ msgstr "Huts egin du pasahitza aldatzeak. "
+ 
+-#: src/sss_client/pam_sss.c:1926
++#: src/sss_client/pam_sss.c:1972
+ msgid "New Password: "
+ msgstr "Pasahitz berria: "
+ 
+-#: src/sss_client/pam_sss.c:1927
++#: src/sss_client/pam_sss.c:1973
+ msgid "Reenter new Password: "
+ msgstr "Berriz sartu pasahitz berria: "
+ 
+-#: src/sss_client/pam_sss.c:2039 src/sss_client/pam_sss.c:2042
++#: src/sss_client/pam_sss.c:2130 src/sss_client/pam_sss.c:2133
+ msgid "First Factor: "
+ msgstr ""
+ 
+-#: src/sss_client/pam_sss.c:2040 src/sss_client/pam_sss.c:2202
++#: src/sss_client/pam_sss.c:2131 src/sss_client/pam_sss.c:2294
+ msgid "Second Factor (optional): "
+ msgstr ""
+ 
+-#: src/sss_client/pam_sss.c:2043 src/sss_client/pam_sss.c:2205
++#: src/sss_client/pam_sss.c:2134 src/sss_client/pam_sss.c:2297
+ msgid "Second Factor: "
+ msgstr ""
+ 
+-#: src/sss_client/pam_sss.c:2058
++#: src/sss_client/pam_sss.c:2149
+ msgid "Password: "
+ msgstr "Pasahitza: "
+ 
+-#: src/sss_client/pam_sss.c:2201 src/sss_client/pam_sss.c:2204
++#: src/sss_client/pam_sss.c:2293 src/sss_client/pam_sss.c:2296
+ msgid "First Factor (Current Password): "
+ msgstr ""
+ 
+-#: src/sss_client/pam_sss.c:2208
++#: src/sss_client/pam_sss.c:2300
+ msgid "Current Password: "
+ msgstr "Uneko pasahitza: "
+ 
+-#: src/sss_client/pam_sss.c:2536
++#: src/sss_client/pam_sss.c:2628
+ msgid "Password expired. Change your password now."
+ msgstr "Pasahitza iraungita. Aldatu zure pasahitza orain."
+ 
+@@ -1686,7 +1686,7 @@ msgstr "Pasahitza iraungita. Aldatu zure pasahitza orain."
+ #: src/tools/sss_groupadd.c:41 src/tools/sss_groupdel.c:44
+ #: src/tools/sss_groupmod.c:42 src/tools/sss_groupshow.c:668
+ #: src/tools/sss_userdel.c:134 src/tools/sss_usermod.c:47
+-#: src/tools/sss_cache.c:687
++#: src/tools/sss_cache.c:702
+ msgid "The debug level to run with"
+ msgstr ""
+ 
+@@ -1699,7 +1699,7 @@ msgstr ""
+ #: src/tools/sss_groupadd.c:59 src/tools/sss_groupdel.c:54
+ #: src/tools/sss_groupmod.c:66 src/tools/sss_groupshow.c:680
+ #: src/tools/sss_userdel.c:152 src/tools/sss_usermod.c:79
+-#: src/tools/sss_cache.c:733
++#: src/tools/sss_cache.c:748
+ msgid "Error setting the locale\n"
+ msgstr ""
+ 
+@@ -2147,88 +2147,88 @@ msgstr ""
+ msgid "Couldn't invalidate %1$s %2$s\n"
+ msgstr ""
+ 
+-#: src/tools/sss_cache.c:689
++#: src/tools/sss_cache.c:704
+ msgid "Invalidate all cached entries"
+ msgstr ""
+ 
+-#: src/tools/sss_cache.c:691
++#: src/tools/sss_cache.c:706
+ msgid "Invalidate particular user"
+ msgstr "Baliogabetu erabiltzaile bat"
+ 
+-#: src/tools/sss_cache.c:693
++#: src/tools/sss_cache.c:708
+ msgid "Invalidate all users"
+ msgstr "Baliogabetu erabiltzaile guztiak"
+ 
+-#: src/tools/sss_cache.c:695
++#: src/tools/sss_cache.c:710
+ msgid "Invalidate particular group"
+ msgstr "Baliogabetu talde bat"
+ 
+-#: src/tools/sss_cache.c:697
++#: src/tools/sss_cache.c:712
+ msgid "Invalidate all groups"
+ msgstr "Baliogabetu talde guztiak"
+ 
+-#: src/tools/sss_cache.c:699
++#: src/tools/sss_cache.c:714
+ msgid "Invalidate particular netgroup"
+ msgstr ""
+ 
+-#: src/tools/sss_cache.c:701
++#: src/tools/sss_cache.c:716
+ msgid "Invalidate all netgroups"
+ msgstr ""
+ 
+-#: src/tools/sss_cache.c:703
++#: src/tools/sss_cache.c:718
+ msgid "Invalidate particular service"
+ msgstr "Baliogabetu zerbitzu bat"
+ 
+-#: src/tools/sss_cache.c:705
++#: src/tools/sss_cache.c:720
+ msgid "Invalidate all services"
+ msgstr "Baliogabetu zerbitzu guztiak"
+ 
+-#: src/tools/sss_cache.c:708
++#: src/tools/sss_cache.c:723
+ msgid "Invalidate particular autofs map"
+ msgstr ""
+ 
+-#: src/tools/sss_cache.c:710
++#: src/tools/sss_cache.c:725
+ msgid "Invalidate all autofs maps"
+ msgstr ""
+ 
+-#: src/tools/sss_cache.c:714
++#: src/tools/sss_cache.c:729
+ msgid "Invalidate particular SSH host"
+ msgstr ""
+ 
+-#: src/tools/sss_cache.c:716
++#: src/tools/sss_cache.c:731
+ msgid "Invalidate all SSH hosts"
+ msgstr ""
+ 
+-#: src/tools/sss_cache.c:720
++#: src/tools/sss_cache.c:735
+ msgid "Invalidate particular sudo rule"
+ msgstr ""
+ 
+-#: src/tools/sss_cache.c:722
++#: src/tools/sss_cache.c:737
+ msgid "Invalidate all cached sudo rules"
+ msgstr ""
+ 
+-#: src/tools/sss_cache.c:725
++#: src/tools/sss_cache.c:740
+ msgid "Only invalidate entries from a particular domain"
+ msgstr ""
+ 
+-#: src/tools/sss_cache.c:779
++#: src/tools/sss_cache.c:794
+ msgid ""
+ "Unexpected argument(s) provided, options that invalidate a single object "
+ "only accept a single provided argument.\n"
+ msgstr ""
+ 
+-#: src/tools/sss_cache.c:789
++#: src/tools/sss_cache.c:804
+ msgid "Please select at least one object to invalidate\n"
+ msgstr ""
+ 
+-#: src/tools/sss_cache.c:872
++#: src/tools/sss_cache.c:887
+ #, c-format
+ msgid ""
+ "Could not open domain %1$s. If the domain is a subdomain (trusted domain), "
+ "use fully qualified name instead of --domain/-d parameter.\n"
+ msgstr ""
+ 
+-#: src/tools/sss_cache.c:877
++#: src/tools/sss_cache.c:892
+ msgid "Could not open available domains\n"
+ msgstr ""
+ 
+@@ -2792,18 +2792,18 @@ msgstr ""
+ msgid " - no env -\n"
+ msgstr ""
+ 
+-#: src/util/util.h:75
++#: src/util/util.h:83
+ msgid "The user ID to run the server as"
+ msgstr ""
+ 
+-#: src/util/util.h:77
++#: src/util/util.h:85
+ msgid "The group ID to run the server as"
+ msgstr ""
+ 
+-#: src/util/util.h:85
++#: src/util/util.h:93
+ msgid "Informs that the responder has been socket-activated"
+ msgstr ""
+ 
+-#: src/util/util.h:87
++#: src/util/util.h:95
+ msgid "Informs that the responder has been dbus-activated"
+ msgstr ""
+diff --git a/po/fr.po b/po/fr.po
+index 137927ffc..607e1f99b 100644
+--- a/po/fr.po
++++ b/po/fr.po
+@@ -13,7 +13,7 @@ msgid ""
+ msgstr ""
+ "Project-Id-Version: PACKAGE VERSION\n"
+ "Report-Msgid-Bugs-To: sssd-devel@lists.fedorahosted.org\n"
+-"POT-Creation-Date: 2019-03-20 22:07+0100\n"
++"POT-Creation-Date: 2019-10-07 11:34+0200\n"
+ "PO-Revision-Date: 2016-02-24 03:43+0000\n"
+ "Last-Translator: Jérôme Fenal <jfenal@gmail.com>\n"
+ "Language-Team: French (http://www.transifex.com/projects/p/sssd/language/"
+@@ -1614,63 +1614,63 @@ msgstr "Afficher le numéro de version et quitte"
+ msgid "SSSD is already running\n"
+ msgstr ""
+ 
+-#: src/providers/krb5/krb5_child.c:3216 src/providers/ldap/ldap_child.c:605
++#: src/providers/krb5/krb5_child.c:3229 src/providers/ldap/ldap_child.c:605
+ msgid "Debug level"
+ msgstr "Niveau de débogage"
+ 
+-#: src/providers/krb5/krb5_child.c:3218 src/providers/ldap/ldap_child.c:607
++#: src/providers/krb5/krb5_child.c:3231 src/providers/ldap/ldap_child.c:607
+ msgid "Add debug timestamps"
+ msgstr "Ajouter l'horodatage au débogage"
+ 
+-#: src/providers/krb5/krb5_child.c:3220 src/providers/ldap/ldap_child.c:609
++#: src/providers/krb5/krb5_child.c:3233 src/providers/ldap/ldap_child.c:609
+ msgid "Show timestamps with microseconds"
+ msgstr "Afficher l'horodatage en microsecondes"
+ 
+-#: src/providers/krb5/krb5_child.c:3222 src/providers/ldap/ldap_child.c:611
++#: src/providers/krb5/krb5_child.c:3235 src/providers/ldap/ldap_child.c:611
+ msgid "An open file descriptor for the debug logs"
+ msgstr "Un descripteur de fichier ouvert pour les journaux de débogage"
+ 
+-#: src/providers/krb5/krb5_child.c:3225 src/providers/ldap/ldap_child.c:613
++#: src/providers/krb5/krb5_child.c:3238 src/providers/ldap/ldap_child.c:613
+ msgid "Send the debug output to stderr directly."
+ msgstr "Envoyer la sortie de débogage directement vers l'erreur standard."
+ 
+-#: src/providers/krb5/krb5_child.c:3228
++#: src/providers/krb5/krb5_child.c:3241
+ msgid "The user to create FAST ccache as"
+ msgstr "L'utilisateur à utiliser pour la création du ccache FAST"
+ 
+-#: src/providers/krb5/krb5_child.c:3230
++#: src/providers/krb5/krb5_child.c:3243
+ msgid "The group to create FAST ccache as"
+ msgstr "Le groupe à utiliser pour la création du ccache FAST"
+ 
+-#: src/providers/krb5/krb5_child.c:3232
++#: src/providers/krb5/krb5_child.c:3245
+ msgid "Kerberos realm to use"
+ msgstr ""
+ 
+-#: src/providers/krb5/krb5_child.c:3234
++#: src/providers/krb5/krb5_child.c:3247
+ msgid "Requested lifetime of the ticket"
+ msgstr ""
+ 
+-#: src/providers/krb5/krb5_child.c:3236
++#: src/providers/krb5/krb5_child.c:3249
+ msgid "Requested renewable lifetime of the ticket"
+ msgstr ""
+ 
+-#: src/providers/krb5/krb5_child.c:3238
++#: src/providers/krb5/krb5_child.c:3251
+ msgid "FAST options ('never', 'try', 'demand')"
+ msgstr ""
+ 
+-#: src/providers/krb5/krb5_child.c:3241
++#: src/providers/krb5/krb5_child.c:3254
+ msgid "Specifies the server principal to use for FAST"
+ msgstr ""
+ 
+-#: src/providers/krb5/krb5_child.c:3243
++#: src/providers/krb5/krb5_child.c:3256
+ msgid "Requests canonicalization of the principal name"
+ msgstr ""
+ 
+-#: src/providers/krb5/krb5_child.c:3245
++#: src/providers/krb5/krb5_child.c:3258
+ msgid "Use custom version of krb5_get_init_creds_password"
+ msgstr ""
+ 
+-#: src/providers/data_provider_be.c:556
++#: src/providers/data_provider_be.c:582
+ msgid "Domain of the information provider (mandatory)"
+ msgstr "Domaine du fournisseur d'informations (obligatoire)"
+ 
+@@ -1704,49 +1704,49 @@ msgstr "Erreur inattendue lors de la recherche de la description de l'erreur"
+ msgid "Permission denied. "
+ msgstr "Accès refusé."
+ 
+-#: src/sss_client/pam_sss.c:77 src/sss_client/pam_sss.c:782
+-#: src/sss_client/pam_sss.c:793
++#: src/sss_client/pam_sss.c:77 src/sss_client/pam_sss.c:785
++#: src/sss_client/pam_sss.c:796
+ msgid "Server message: "
+ msgstr "Message du serveur : "
+ 
+-#: src/sss_client/pam_sss.c:300
++#: src/sss_client/pam_sss.c:303
+ msgid "Passwords do not match"
+ msgstr "Les mots de passe ne correspondent pas"
+ 
+-#: src/sss_client/pam_sss.c:488
++#: src/sss_client/pam_sss.c:491
+ msgid "Password reset by root is not supported."
+ msgstr ""
+ "La réinitialisation du mot de passe par root n'est pas prise en charge."
+ 
+-#: src/sss_client/pam_sss.c:529
++#: src/sss_client/pam_sss.c:532
+ msgid "Authenticated with cached credentials"
+ msgstr "Authentifié avec les crédits mis en cache"
+ 
+-#: src/sss_client/pam_sss.c:530
++#: src/sss_client/pam_sss.c:533
+ msgid ", your cached password will expire at: "
+ msgstr ", votre mot de passe en cache expirera à :"
+ 
+-#: src/sss_client/pam_sss.c:560
++#: src/sss_client/pam_sss.c:563
+ #, c-format
+ msgid "Your password has expired. You have %1$d grace login(s) remaining."
+ msgstr ""
+ "Votre mot de passe a expiré. Il vous reste %1$d connexion(s) autorisée(s)."
+ 
+-#: src/sss_client/pam_sss.c:606
++#: src/sss_client/pam_sss.c:609
+ #, c-format
+ msgid "Your password will expire in %1$d %2$s."
+ msgstr "Votre mot de passe expirera dans %1$d %2$s."
+ 
+-#: src/sss_client/pam_sss.c:655
++#: src/sss_client/pam_sss.c:658
+ msgid "Authentication is denied until: "
+ msgstr "L'authentification est refusée jusque :"
+ 
+-#: src/sss_client/pam_sss.c:676
++#: src/sss_client/pam_sss.c:679
+ msgid "System is offline, password change not possible"
+ msgstr ""
+ "Le système est hors-ligne, les modifications du mot de passe sont impossibles"
+ 
+-#: src/sss_client/pam_sss.c:691
++#: src/sss_client/pam_sss.c:694
+ msgid ""
+ "After changing the OTP password, you need to log out and back in order to "
+ "acquire a ticket"
+@@ -1754,43 +1754,43 @@ msgstr ""
+ "Après avoir modifié le mot de passe OTP, vous devez vous déconnecter et vous "
+ "reconnecter afin d'acquérir un ticket"
+ 
+-#: src/sss_client/pam_sss.c:779 src/sss_client/pam_sss.c:792
++#: src/sss_client/pam_sss.c:782 src/sss_client/pam_sss.c:795
+ msgid "Password change failed. "
+ msgstr "Échec du changement de mot de passe."
+ 
+-#: src/sss_client/pam_sss.c:1926
++#: src/sss_client/pam_sss.c:1972
+ msgid "New Password: "
+ msgstr "Nouveau mot de passe : "
+ 
+-#: src/sss_client/pam_sss.c:1927
++#: src/sss_client/pam_sss.c:1973
+ msgid "Reenter new Password: "
+ msgstr "Retaper le nouveau mot de passe : "
+ 
+-#: src/sss_client/pam_sss.c:2039 src/sss_client/pam_sss.c:2042
++#: src/sss_client/pam_sss.c:2130 src/sss_client/pam_sss.c:2133
+ msgid "First Factor: "
+ msgstr "Premier facteur :"
+ 
+-#: src/sss_client/pam_sss.c:2040 src/sss_client/pam_sss.c:2202
++#: src/sss_client/pam_sss.c:2131 src/sss_client/pam_sss.c:2294
+ msgid "Second Factor (optional): "
+ msgstr ""
+ 
+-#: src/sss_client/pam_sss.c:2043 src/sss_client/pam_sss.c:2205
++#: src/sss_client/pam_sss.c:2134 src/sss_client/pam_sss.c:2297
+ msgid "Second Factor: "
+ msgstr "Second facteur :"
+ 
+-#: src/sss_client/pam_sss.c:2058
++#: src/sss_client/pam_sss.c:2149
+ msgid "Password: "
+ msgstr "Mot de passe : "
+ 
+-#: src/sss_client/pam_sss.c:2201 src/sss_client/pam_sss.c:2204
++#: src/sss_client/pam_sss.c:2293 src/sss_client/pam_sss.c:2296
+ msgid "First Factor (Current Password): "
+ msgstr ""
+ 
+-#: src/sss_client/pam_sss.c:2208
++#: src/sss_client/pam_sss.c:2300
+ msgid "Current Password: "
+ msgstr "Mot de passe actuel : "
+ 
+-#: src/sss_client/pam_sss.c:2536
++#: src/sss_client/pam_sss.c:2628
+ msgid "Password expired. Change your password now."
+ msgstr "Mot de passe expiré. Changez votre mot de passe maintenant."
+ 
+@@ -1799,7 +1799,7 @@ msgstr "Mot de passe expiré. Changez votre mot de passe maintenant."
+ #: src/tools/sss_groupadd.c:41 src/tools/sss_groupdel.c:44
+ #: src/tools/sss_groupmod.c:42 src/tools/sss_groupshow.c:668
+ #: src/tools/sss_userdel.c:134 src/tools/sss_usermod.c:47
+-#: src/tools/sss_cache.c:687
++#: src/tools/sss_cache.c:702
+ msgid "The debug level to run with"
+ msgstr "Le niveau de débogage utilisé avec"
+ 
+@@ -1812,7 +1812,7 @@ msgstr "Le domaine SSSD à utiliser"
+ #: src/tools/sss_groupadd.c:59 src/tools/sss_groupdel.c:54
+ #: src/tools/sss_groupmod.c:66 src/tools/sss_groupshow.c:680
+ #: src/tools/sss_userdel.c:152 src/tools/sss_usermod.c:79
+-#: src/tools/sss_cache.c:733
++#: src/tools/sss_cache.c:748
+ msgid "Error setting the locale\n"
+ msgstr "Erreur lors du paramétrage de la locale\n"
+ 
+@@ -2305,81 +2305,81 @@ msgstr "Impossible d'invalider %1$s\n"
+ msgid "Couldn't invalidate %1$s %2$s\n"
+ msgstr "Impossible d'invalider %1$s %2$s\n"
+ 
+-#: src/tools/sss_cache.c:689
++#: src/tools/sss_cache.c:704
+ msgid "Invalidate all cached entries"
+ msgstr ""
+ 
+-#: src/tools/sss_cache.c:691
++#: src/tools/sss_cache.c:706
+ msgid "Invalidate particular user"
+ msgstr "Invalider un utilisateur spécifique"
+ 
+-#: src/tools/sss_cache.c:693
++#: src/tools/sss_cache.c:708
+ msgid "Invalidate all users"
+ msgstr "Invalider tous les utilisateurs"
+ 
+-#: src/tools/sss_cache.c:695
++#: src/tools/sss_cache.c:710
+ msgid "Invalidate particular group"
+ msgstr "Invalider un groupe particulier"
+ 
+-#: src/tools/sss_cache.c:697
++#: src/tools/sss_cache.c:712
+ msgid "Invalidate all groups"
+ msgstr "Invalider tous les groupes"
+ 
+-#: src/tools/sss_cache.c:699
++#: src/tools/sss_cache.c:714
+ msgid "Invalidate particular netgroup"
+ msgstr "Invalider un groupe réseau particulier"
+ 
+-#: src/tools/sss_cache.c:701
++#: src/tools/sss_cache.c:716
+ msgid "Invalidate all netgroups"
+ msgstr "Invalider tous les groupes réseau"
+ 
+-#: src/tools/sss_cache.c:703
++#: src/tools/sss_cache.c:718
+ msgid "Invalidate particular service"
+ msgstr "Invalidation d'un service particulier"
+ 
+-#: src/tools/sss_cache.c:705
++#: src/tools/sss_cache.c:720
+ msgid "Invalidate all services"
+ msgstr "Invalidation de tous les services"
+ 
+-#: src/tools/sss_cache.c:708
++#: src/tools/sss_cache.c:723
+ msgid "Invalidate particular autofs map"
+ msgstr "Invalidation d'une carte autofs particulière"
+ 
+-#: src/tools/sss_cache.c:710
++#: src/tools/sss_cache.c:725
+ msgid "Invalidate all autofs maps"
+ msgstr "Invalidation de toutes les cartes autofs"
+ 
+-#: src/tools/sss_cache.c:714
++#: src/tools/sss_cache.c:729
+ msgid "Invalidate particular SSH host"
+ msgstr "Invalider un hôte SSH particulier"
+ 
+-#: src/tools/sss_cache.c:716
++#: src/tools/sss_cache.c:731
+ msgid "Invalidate all SSH hosts"
+ msgstr "Invalider tous les hôtes SSH"
+ 
+-#: src/tools/sss_cache.c:720
++#: src/tools/sss_cache.c:735
+ msgid "Invalidate particular sudo rule"
+ msgstr ""
+ 
+-#: src/tools/sss_cache.c:722
++#: src/tools/sss_cache.c:737
+ msgid "Invalidate all cached sudo rules"
+ msgstr ""
+ 
+-#: src/tools/sss_cache.c:725
++#: src/tools/sss_cache.c:740
+ msgid "Only invalidate entries from a particular domain"
+ msgstr "N'invalider des entrées que d'un domaine spécifique"
+ 
+-#: src/tools/sss_cache.c:779
++#: src/tools/sss_cache.c:794
+ msgid ""
+ "Unexpected argument(s) provided, options that invalidate a single object "
+ "only accept a single provided argument.\n"
+ msgstr ""
+ 
+-#: src/tools/sss_cache.c:789
++#: src/tools/sss_cache.c:804
+ msgid "Please select at least one object to invalidate\n"
+ msgstr "Merci de sélectionner au moins un objet à invalider\n"
+ 
+-#: src/tools/sss_cache.c:872
++#: src/tools/sss_cache.c:887
+ #, c-format
+ msgid ""
+ "Could not open domain %1$s. If the domain is a subdomain (trusted domain), "
+@@ -2389,7 +2389,7 @@ msgstr ""
+ "(domaine approuvé), utiliser le nom pleinement qualifié au lieu du paramètre "
+ "--domain/-d.\n"
+ 
+-#: src/tools/sss_cache.c:877
++#: src/tools/sss_cache.c:892
+ msgid "Could not open available domains\n"
+ msgstr "Impossible d'ouvrir aucun des domaines disponibles\n"
+ 
+@@ -2954,18 +2954,18 @@ msgstr ""
+ msgid " - no env -\n"
+ msgstr ""
+ 
+-#: src/util/util.h:75
++#: src/util/util.h:83
+ msgid "The user ID to run the server as"
+ msgstr "L'identifiant utilisateur sous lequel faire tourner le serveur"
+ 
+-#: src/util/util.h:77
++#: src/util/util.h:85
+ msgid "The group ID to run the server as"
+ msgstr "L'identifiant de groupe sous lequel faire tourner le serveur"
+ 
+-#: src/util/util.h:85
++#: src/util/util.h:93
+ msgid "Informs that the responder has been socket-activated"
+ msgstr ""
+ 
+-#: src/util/util.h:87
++#: src/util/util.h:95
+ msgid "Informs that the responder has been dbus-activated"
+ msgstr ""
+diff --git a/po/hu.po b/po/hu.po
+index a9e6d8a0e..abe75d005 100644
+--- a/po/hu.po
++++ b/po/hu.po
+@@ -10,7 +10,7 @@ msgid ""
+ msgstr ""
+ "Project-Id-Version: PACKAGE VERSION\n"
+ "Report-Msgid-Bugs-To: sssd-devel@lists.fedorahosted.org\n"
+-"POT-Creation-Date: 2019-03-20 22:07+0100\n"
++"POT-Creation-Date: 2019-10-07 11:34+0200\n"
+ "PO-Revision-Date: 2014-12-14 11:45+0000\n"
+ "Last-Translator: Copied by Zanata <copied-by-zanata@zanata.org>\n"
+ "Language-Team: Hungarian (http://www.transifex.com/projects/p/sssd/language/"
+@@ -1510,63 +1510,63 @@ msgstr ""
+ msgid "SSSD is already running\n"
+ msgstr ""
+ 
+-#: src/providers/krb5/krb5_child.c:3216 src/providers/ldap/ldap_child.c:605
++#: src/providers/krb5/krb5_child.c:3229 src/providers/ldap/ldap_child.c:605
+ msgid "Debug level"
+ msgstr ""
+ 
+-#: src/providers/krb5/krb5_child.c:3218 src/providers/ldap/ldap_child.c:607
++#: src/providers/krb5/krb5_child.c:3231 src/providers/ldap/ldap_child.c:607
+ msgid "Add debug timestamps"
+ msgstr "Időbélyegek a hibakeresési kimenetben"
+ 
+-#: src/providers/krb5/krb5_child.c:3220 src/providers/ldap/ldap_child.c:609
++#: src/providers/krb5/krb5_child.c:3233 src/providers/ldap/ldap_child.c:609
+ msgid "Show timestamps with microseconds"
+ msgstr "Mikroszekundum pontosságú időbélyegek"
+ 
+-#: src/providers/krb5/krb5_child.c:3222 src/providers/ldap/ldap_child.c:611
++#: src/providers/krb5/krb5_child.c:3235 src/providers/ldap/ldap_child.c:611
+ msgid "An open file descriptor for the debug logs"
+ msgstr ""
+ 
+-#: src/providers/krb5/krb5_child.c:3225 src/providers/ldap/ldap_child.c:613
++#: src/providers/krb5/krb5_child.c:3238 src/providers/ldap/ldap_child.c:613
+ msgid "Send the debug output to stderr directly."
+ msgstr ""
+ 
+-#: src/providers/krb5/krb5_child.c:3228
++#: src/providers/krb5/krb5_child.c:3241
+ msgid "The user to create FAST ccache as"
+ msgstr ""
+ 
+-#: src/providers/krb5/krb5_child.c:3230
++#: src/providers/krb5/krb5_child.c:3243
+ msgid "The group to create FAST ccache as"
+ msgstr ""
+ 
+-#: src/providers/krb5/krb5_child.c:3232
++#: src/providers/krb5/krb5_child.c:3245
+ msgid "Kerberos realm to use"
+ msgstr ""
+ 
+-#: src/providers/krb5/krb5_child.c:3234
++#: src/providers/krb5/krb5_child.c:3247
+ msgid "Requested lifetime of the ticket"
+ msgstr ""
+ 
+-#: src/providers/krb5/krb5_child.c:3236
++#: src/providers/krb5/krb5_child.c:3249
+ msgid "Requested renewable lifetime of the ticket"
+ msgstr ""
+ 
+-#: src/providers/krb5/krb5_child.c:3238
++#: src/providers/krb5/krb5_child.c:3251
+ msgid "FAST options ('never', 'try', 'demand')"
+ msgstr ""
+ 
+-#: src/providers/krb5/krb5_child.c:3241
++#: src/providers/krb5/krb5_child.c:3254
+ msgid "Specifies the server principal to use for FAST"
+ msgstr ""
+ 
+-#: src/providers/krb5/krb5_child.c:3243
++#: src/providers/krb5/krb5_child.c:3256
+ msgid "Requests canonicalization of the principal name"
+ msgstr ""
+ 
+-#: src/providers/krb5/krb5_child.c:3245
++#: src/providers/krb5/krb5_child.c:3258
+ msgid "Use custom version of krb5_get_init_creds_password"
+ msgstr ""
+ 
+-#: src/providers/data_provider_be.c:556
++#: src/providers/data_provider_be.c:582
+ msgid "Domain of the information provider (mandatory)"
+ msgstr ""
+ 
+@@ -1598,88 +1598,88 @@ msgstr ""
+ msgid "Permission denied. "
+ msgstr ""
+ 
+-#: src/sss_client/pam_sss.c:77 src/sss_client/pam_sss.c:782
+-#: src/sss_client/pam_sss.c:793
++#: src/sss_client/pam_sss.c:77 src/sss_client/pam_sss.c:785
++#: src/sss_client/pam_sss.c:796
+ msgid "Server message: "
+ msgstr "Szerver üzenete:"
+ 
+-#: src/sss_client/pam_sss.c:300
++#: src/sss_client/pam_sss.c:303
+ msgid "Passwords do not match"
+ msgstr "A jelszavak nem egyeznek"
+ 
+-#: src/sss_client/pam_sss.c:488
++#: src/sss_client/pam_sss.c:491
+ msgid "Password reset by root is not supported."
+ msgstr "A jelszó root általi visszaállítása nem támogatott."
+ 
+-#: src/sss_client/pam_sss.c:529
++#: src/sss_client/pam_sss.c:532
+ msgid "Authenticated with cached credentials"
+ msgstr "Azonosítva gyorsítótárazott adatbázisból"
+ 
+-#: src/sss_client/pam_sss.c:530
++#: src/sss_client/pam_sss.c:533
+ msgid ", your cached password will expire at: "
+ msgstr ", a gyorsítótárazott jelszó lejár ekkor: "
+ 
+-#: src/sss_client/pam_sss.c:560
++#: src/sss_client/pam_sss.c:563
+ #, c-format
+ msgid "Your password has expired. You have %1$d grace login(s) remaining."
+ msgstr ""
+ 
+-#: src/sss_client/pam_sss.c:606
++#: src/sss_client/pam_sss.c:609
+ #, c-format
+ msgid "Your password will expire in %1$d %2$s."
+ msgstr ""
+ 
+-#: src/sss_client/pam_sss.c:655
++#: src/sss_client/pam_sss.c:658
+ msgid "Authentication is denied until: "
+ msgstr "A bejelentkezés tiltott eddig:"
+ 
+-#: src/sss_client/pam_sss.c:676
++#: src/sss_client/pam_sss.c:679
+ msgid "System is offline, password change not possible"
+ msgstr "A rendszer nem érhető el, a jelszó megváltoztatása nem lehetséges"
+ 
+-#: src/sss_client/pam_sss.c:691
++#: src/sss_client/pam_sss.c:694
+ msgid ""
+ "After changing the OTP password, you need to log out and back in order to "
+ "acquire a ticket"
+ msgstr ""
+ 
+-#: src/sss_client/pam_sss.c:779 src/sss_client/pam_sss.c:792
++#: src/sss_client/pam_sss.c:782 src/sss_client/pam_sss.c:795
+ msgid "Password change failed. "
+ msgstr "A jelszó megváltoztatása nem sikerült."
+ 
+-#: src/sss_client/pam_sss.c:1926
++#: src/sss_client/pam_sss.c:1972
+ msgid "New Password: "
+ msgstr "Új jelszó:"
+ 
+-#: src/sss_client/pam_sss.c:1927
++#: src/sss_client/pam_sss.c:1973
+ msgid "Reenter new Password: "
+ msgstr "Jelszó mégegyszer: "
+ 
+-#: src/sss_client/pam_sss.c:2039 src/sss_client/pam_sss.c:2042
++#: src/sss_client/pam_sss.c:2130 src/sss_client/pam_sss.c:2133
+ msgid "First Factor: "
+ msgstr ""
+ 
+-#: src/sss_client/pam_sss.c:2040 src/sss_client/pam_sss.c:2202
++#: src/sss_client/pam_sss.c:2131 src/sss_client/pam_sss.c:2294
+ msgid "Second Factor (optional): "
+ msgstr ""
+ 
+-#: src/sss_client/pam_sss.c:2043 src/sss_client/pam_sss.c:2205
++#: src/sss_client/pam_sss.c:2134 src/sss_client/pam_sss.c:2297
+ msgid "Second Factor: "
+ msgstr ""
+ 
+-#: src/sss_client/pam_sss.c:2058
++#: src/sss_client/pam_sss.c:2149
+ msgid "Password: "
+ msgstr "Jelszó: "
+ 
+-#: src/sss_client/pam_sss.c:2201 src/sss_client/pam_sss.c:2204
++#: src/sss_client/pam_sss.c:2293 src/sss_client/pam_sss.c:2296
+ msgid "First Factor (Current Password): "
+ msgstr ""
+ 
+-#: src/sss_client/pam_sss.c:2208
++#: src/sss_client/pam_sss.c:2300
+ msgid "Current Password: "
+ msgstr "Jelenlegi jelszó:"
+ 
+-#: src/sss_client/pam_sss.c:2536
++#: src/sss_client/pam_sss.c:2628
+ msgid "Password expired. Change your password now."
+ msgstr "A jelszava lejárt, változtass meg most."
+ 
+@@ -1688,7 +1688,7 @@ msgstr "A jelszava lejárt, változtass meg most."
+ #: src/tools/sss_groupadd.c:41 src/tools/sss_groupdel.c:44
+ #: src/tools/sss_groupmod.c:42 src/tools/sss_groupshow.c:668
+ #: src/tools/sss_userdel.c:134 src/tools/sss_usermod.c:47
+-#: src/tools/sss_cache.c:687
++#: src/tools/sss_cache.c:702
+ msgid "The debug level to run with"
+ msgstr ""
+ 
+@@ -1701,7 +1701,7 @@ msgstr ""
+ #: src/tools/sss_groupadd.c:59 src/tools/sss_groupdel.c:54
+ #: src/tools/sss_groupmod.c:66 src/tools/sss_groupshow.c:680
+ #: src/tools/sss_userdel.c:152 src/tools/sss_usermod.c:79
+-#: src/tools/sss_cache.c:733
++#: src/tools/sss_cache.c:748
+ msgid "Error setting the locale\n"
+ msgstr ""
+ 
+@@ -2151,88 +2151,88 @@ msgstr ""
+ msgid "Couldn't invalidate %1$s %2$s\n"
+ msgstr ""
+ 
+-#: src/tools/sss_cache.c:689
++#: src/tools/sss_cache.c:704
+ msgid "Invalidate all cached entries"
+ msgstr ""
+ 
+-#: src/tools/sss_cache.c:691
++#: src/tools/sss_cache.c:706
+ msgid "Invalidate particular user"
+ msgstr ""
+ 
+-#: src/tools/sss_cache.c:693
++#: src/tools/sss_cache.c:708
+ msgid "Invalidate all users"
+ msgstr ""
+ 
+-#: src/tools/sss_cache.c:695
++#: src/tools/sss_cache.c:710
+ msgid "Invalidate particular group"
+ msgstr ""
+ 
+-#: src/tools/sss_cache.c:697
++#: src/tools/sss_cache.c:712
+ msgid "Invalidate all groups"
+ msgstr ""
+ 
+-#: src/tools/sss_cache.c:699
++#: src/tools/sss_cache.c:714
+ msgid "Invalidate particular netgroup"
+ msgstr ""
+ 
+-#: src/tools/sss_cache.c:701
++#: src/tools/sss_cache.c:716
+ msgid "Invalidate all netgroups"
+ msgstr ""
+ 
+-#: src/tools/sss_cache.c:703
++#: src/tools/sss_cache.c:718
+ msgid "Invalidate particular service"
+ msgstr ""
+ 
+-#: src/tools/sss_cache.c:705
++#: src/tools/sss_cache.c:720
+ msgid "Invalidate all services"
+ msgstr ""
+ 
+-#: src/tools/sss_cache.c:708
++#: src/tools/sss_cache.c:723
+ msgid "Invalidate particular autofs map"
+ msgstr ""
+ 
+-#: src/tools/sss_cache.c:710
++#: src/tools/sss_cache.c:725
+ msgid "Invalidate all autofs maps"
+ msgstr ""
+ 
+-#: src/tools/sss_cache.c:714
++#: src/tools/sss_cache.c:729
+ msgid "Invalidate particular SSH host"
+ msgstr ""
+ 
+-#: src/tools/sss_cache.c:716
++#: src/tools/sss_cache.c:731
+ msgid "Invalidate all SSH hosts"
+ msgstr ""
+ 
+-#: src/tools/sss_cache.c:720
++#: src/tools/sss_cache.c:735
+ msgid "Invalidate particular sudo rule"
+ msgstr ""
+ 
+-#: src/tools/sss_cache.c:722
++#: src/tools/sss_cache.c:737
+ msgid "Invalidate all cached sudo rules"
+ msgstr ""
+ 
+-#: src/tools/sss_cache.c:725
++#: src/tools/sss_cache.c:740
+ msgid "Only invalidate entries from a particular domain"
+ msgstr ""
+ 
+-#: src/tools/sss_cache.c:779
++#: src/tools/sss_cache.c:794
+ msgid ""
+ "Unexpected argument(s) provided, options that invalidate a single object "
+ "only accept a single provided argument.\n"
+ msgstr ""
+ 
+-#: src/tools/sss_cache.c:789
++#: src/tools/sss_cache.c:804
+ msgid "Please select at least one object to invalidate\n"
+ msgstr ""
+ 
+-#: src/tools/sss_cache.c:872
++#: src/tools/sss_cache.c:887
+ #, c-format
+ msgid ""
+ "Could not open domain %1$s. If the domain is a subdomain (trusted domain), "
+ "use fully qualified name instead of --domain/-d parameter.\n"
+ msgstr ""
+ 
+-#: src/tools/sss_cache.c:877
++#: src/tools/sss_cache.c:892
+ msgid "Could not open available domains\n"
+ msgstr ""
+ 
+@@ -2796,18 +2796,18 @@ msgstr ""
+ msgid " - no env -\n"
+ msgstr ""
+ 
+-#: src/util/util.h:75
++#: src/util/util.h:83
+ msgid "The user ID to run the server as"
+ msgstr ""
+ 
+-#: src/util/util.h:77
++#: src/util/util.h:85
+ msgid "The group ID to run the server as"
+ msgstr ""
+ 
+-#: src/util/util.h:85
++#: src/util/util.h:93
+ msgid "Informs that the responder has been socket-activated"
+ msgstr ""
+ 
+-#: src/util/util.h:87
++#: src/util/util.h:95
+ msgid "Informs that the responder has been dbus-activated"
+ msgstr ""
+diff --git a/po/id.po b/po/id.po
+index 335153af8..7cf668c9d 100644
+--- a/po/id.po
++++ b/po/id.po
+@@ -7,7 +7,7 @@ msgid ""
+ msgstr ""
+ "Project-Id-Version: PACKAGE VERSION\n"
+ "Report-Msgid-Bugs-To: sssd-devel@lists.fedorahosted.org\n"
+-"POT-Creation-Date: 2019-03-20 22:07+0100\n"
++"POT-Creation-Date: 2019-10-07 11:34+0200\n"
+ "PO-Revision-Date: 2014-12-14 11:46+0000\n"
+ "Last-Translator: Copied by Zanata <copied-by-zanata@zanata.org>\n"
+ "Language-Team: Indonesian (http://www.transifex.com/projects/p/sssd/language/"
+@@ -1506,63 +1506,63 @@ msgstr ""
+ msgid "SSSD is already running\n"
+ msgstr ""
+ 
+-#: src/providers/krb5/krb5_child.c:3216 src/providers/ldap/ldap_child.c:605
++#: src/providers/krb5/krb5_child.c:3229 src/providers/ldap/ldap_child.c:605
+ msgid "Debug level"
+ msgstr ""
+ 
+-#: src/providers/krb5/krb5_child.c:3218 src/providers/ldap/ldap_child.c:607
++#: src/providers/krb5/krb5_child.c:3231 src/providers/ldap/ldap_child.c:607
+ msgid "Add debug timestamps"
+ msgstr ""
+ 
+-#: src/providers/krb5/krb5_child.c:3220 src/providers/ldap/ldap_child.c:609
++#: src/providers/krb5/krb5_child.c:3233 src/providers/ldap/ldap_child.c:609
+ msgid "Show timestamps with microseconds"
+ msgstr ""
+ 
+-#: src/providers/krb5/krb5_child.c:3222 src/providers/ldap/ldap_child.c:611
++#: src/providers/krb5/krb5_child.c:3235 src/providers/ldap/ldap_child.c:611
+ msgid "An open file descriptor for the debug logs"
+ msgstr ""
+ 
+-#: src/providers/krb5/krb5_child.c:3225 src/providers/ldap/ldap_child.c:613
++#: src/providers/krb5/krb5_child.c:3238 src/providers/ldap/ldap_child.c:613
+ msgid "Send the debug output to stderr directly."
+ msgstr ""
+ 
+-#: src/providers/krb5/krb5_child.c:3228
++#: src/providers/krb5/krb5_child.c:3241
+ msgid "The user to create FAST ccache as"
+ msgstr ""
+ 
+-#: src/providers/krb5/krb5_child.c:3230
++#: src/providers/krb5/krb5_child.c:3243
+ msgid "The group to create FAST ccache as"
+ msgstr ""
+ 
+-#: src/providers/krb5/krb5_child.c:3232
++#: src/providers/krb5/krb5_child.c:3245
+ msgid "Kerberos realm to use"
+ msgstr ""
+ 
+-#: src/providers/krb5/krb5_child.c:3234
++#: src/providers/krb5/krb5_child.c:3247
+ msgid "Requested lifetime of the ticket"
+ msgstr ""
+ 
+-#: src/providers/krb5/krb5_child.c:3236
++#: src/providers/krb5/krb5_child.c:3249
+ msgid "Requested renewable lifetime of the ticket"
+ msgstr ""
+ 
+-#: src/providers/krb5/krb5_child.c:3238
++#: src/providers/krb5/krb5_child.c:3251
+ msgid "FAST options ('never', 'try', 'demand')"
+ msgstr ""
+ 
+-#: src/providers/krb5/krb5_child.c:3241
++#: src/providers/krb5/krb5_child.c:3254
+ msgid "Specifies the server principal to use for FAST"
+ msgstr ""
+ 
+-#: src/providers/krb5/krb5_child.c:3243
++#: src/providers/krb5/krb5_child.c:3256
+ msgid "Requests canonicalization of the principal name"
+ msgstr ""
+ 
+-#: src/providers/krb5/krb5_child.c:3245
++#: src/providers/krb5/krb5_child.c:3258
+ msgid "Use custom version of krb5_get_init_creds_password"
+ msgstr ""
+ 
+-#: src/providers/data_provider_be.c:556
++#: src/providers/data_provider_be.c:582
+ msgid "Domain of the information provider (mandatory)"
+ msgstr ""
+ 
+@@ -1594,88 +1594,88 @@ msgstr ""
+ msgid "Permission denied. "
+ msgstr ""
+ 
+-#: src/sss_client/pam_sss.c:77 src/sss_client/pam_sss.c:782
+-#: src/sss_client/pam_sss.c:793
++#: src/sss_client/pam_sss.c:77 src/sss_client/pam_sss.c:785
++#: src/sss_client/pam_sss.c:796
+ msgid "Server message: "
+ msgstr "Pesan server:"
+ 
+-#: src/sss_client/pam_sss.c:300
++#: src/sss_client/pam_sss.c:303
+ msgid "Passwords do not match"
+ msgstr "Kata sandi tidak cocok"
+ 
+-#: src/sss_client/pam_sss.c:488
++#: src/sss_client/pam_sss.c:491
+ msgid "Password reset by root is not supported."
+ msgstr ""
+ 
+-#: src/sss_client/pam_sss.c:529
++#: src/sss_client/pam_sss.c:532
+ msgid "Authenticated with cached credentials"
+ msgstr ""
+ 
+-#: src/sss_client/pam_sss.c:530
++#: src/sss_client/pam_sss.c:533
+ msgid ", your cached password will expire at: "
+ msgstr ""
+ 
+-#: src/sss_client/pam_sss.c:560
++#: src/sss_client/pam_sss.c:563
+ #, c-format
+ msgid "Your password has expired. You have %1$d grace login(s) remaining."
+ msgstr ""
+ 
+-#: src/sss_client/pam_sss.c:606
++#: src/sss_client/pam_sss.c:609
+ #, c-format
+ msgid "Your password will expire in %1$d %2$s."
+ msgstr ""
+ 
+-#: src/sss_client/pam_sss.c:655
++#: src/sss_client/pam_sss.c:658
+ msgid "Authentication is denied until: "
+ msgstr ""
+ 
+-#: src/sss_client/pam_sss.c:676
++#: src/sss_client/pam_sss.c:679
+ msgid "System is offline, password change not possible"
+ msgstr "Sistem sedang luring, perubahan kata sandi tidak dimungkinkan"
+ 
+-#: src/sss_client/pam_sss.c:691
++#: src/sss_client/pam_sss.c:694
+ msgid ""
+ "After changing the OTP password, you need to log out and back in order to "
+ "acquire a ticket"
+ msgstr ""
+ 
+-#: src/sss_client/pam_sss.c:779 src/sss_client/pam_sss.c:792
++#: src/sss_client/pam_sss.c:782 src/sss_client/pam_sss.c:795
+ msgid "Password change failed. "
+ msgstr "Perubahan kata sandi gagal."
+ 
+-#: src/sss_client/pam_sss.c:1926
++#: src/sss_client/pam_sss.c:1972
+ msgid "New Password: "
+ msgstr "Kata Sandi Baru: "
+ 
+-#: src/sss_client/pam_sss.c:1927
++#: src/sss_client/pam_sss.c:1973
+ msgid "Reenter new Password: "
+ msgstr "Masukkan lagi kata sandi baru:"
+ 
+-#: src/sss_client/pam_sss.c:2039 src/sss_client/pam_sss.c:2042
++#: src/sss_client/pam_sss.c:2130 src/sss_client/pam_sss.c:2133
+ msgid "First Factor: "
+ msgstr ""
+ 
+-#: src/sss_client/pam_sss.c:2040 src/sss_client/pam_sss.c:2202
++#: src/sss_client/pam_sss.c:2131 src/sss_client/pam_sss.c:2294
+ msgid "Second Factor (optional): "
+ msgstr ""
+ 
+-#: src/sss_client/pam_sss.c:2043 src/sss_client/pam_sss.c:2205
++#: src/sss_client/pam_sss.c:2134 src/sss_client/pam_sss.c:2297
+ msgid "Second Factor: "
+ msgstr ""
+ 
+-#: src/sss_client/pam_sss.c:2058
++#: src/sss_client/pam_sss.c:2149
+ msgid "Password: "
+ msgstr "Kata sandi:"
+ 
+-#: src/sss_client/pam_sss.c:2201 src/sss_client/pam_sss.c:2204
++#: src/sss_client/pam_sss.c:2293 src/sss_client/pam_sss.c:2296
+ msgid "First Factor (Current Password): "
+ msgstr ""
+ 
+-#: src/sss_client/pam_sss.c:2208
++#: src/sss_client/pam_sss.c:2300
+ msgid "Current Password: "
+ msgstr "Kata sandi saat ini:"
+ 
+-#: src/sss_client/pam_sss.c:2536
++#: src/sss_client/pam_sss.c:2628
+ msgid "Password expired. Change your password now."
+ msgstr ""
+ 
+@@ -1684,7 +1684,7 @@ msgstr ""
+ #: src/tools/sss_groupadd.c:41 src/tools/sss_groupdel.c:44
+ #: src/tools/sss_groupmod.c:42 src/tools/sss_groupshow.c:668
+ #: src/tools/sss_userdel.c:134 src/tools/sss_usermod.c:47
+-#: src/tools/sss_cache.c:687
++#: src/tools/sss_cache.c:702
+ msgid "The debug level to run with"
+ msgstr ""
+ 
+@@ -1697,7 +1697,7 @@ msgstr ""
+ #: src/tools/sss_groupadd.c:59 src/tools/sss_groupdel.c:54
+ #: src/tools/sss_groupmod.c:66 src/tools/sss_groupshow.c:680
+ #: src/tools/sss_userdel.c:152 src/tools/sss_usermod.c:79
+-#: src/tools/sss_cache.c:733
++#: src/tools/sss_cache.c:748
+ msgid "Error setting the locale\n"
+ msgstr ""
+ 
+@@ -2159,88 +2159,88 @@ msgstr ""
+ msgid "Couldn't invalidate %1$s %2$s\n"
+ msgstr ""
+ 
+-#: src/tools/sss_cache.c:689
++#: src/tools/sss_cache.c:704
+ msgid "Invalidate all cached entries"
+ msgstr ""
+ 
+-#: src/tools/sss_cache.c:691
++#: src/tools/sss_cache.c:706
+ msgid "Invalidate particular user"
+ msgstr ""
+ 
+-#: src/tools/sss_cache.c:693
++#: src/tools/sss_cache.c:708
+ msgid "Invalidate all users"
+ msgstr ""
+ 
+-#: src/tools/sss_cache.c:695
++#: src/tools/sss_cache.c:710
+ msgid "Invalidate particular group"
+ msgstr ""
+ 
+-#: src/tools/sss_cache.c:697
++#: src/tools/sss_cache.c:712
+ msgid "Invalidate all groups"
+ msgstr ""
+ 
+-#: src/tools/sss_cache.c:699
++#: src/tools/sss_cache.c:714
+ msgid "Invalidate particular netgroup"
+ msgstr ""
+ 
+-#: src/tools/sss_cache.c:701
++#: src/tools/sss_cache.c:716
+ msgid "Invalidate all netgroups"
+ msgstr ""
+ 
+-#: src/tools/sss_cache.c:703
++#: src/tools/sss_cache.c:718
+ msgid "Invalidate particular service"
+ msgstr ""
+ 
+-#: src/tools/sss_cache.c:705
++#: src/tools/sss_cache.c:720
+ msgid "Invalidate all services"
+ msgstr ""
+ 
+-#: src/tools/sss_cache.c:708
++#: src/tools/sss_cache.c:723
+ msgid "Invalidate particular autofs map"
+ msgstr ""
+ 
+-#: src/tools/sss_cache.c:710
++#: src/tools/sss_cache.c:725
+ msgid "Invalidate all autofs maps"
+ msgstr ""
+ 
+-#: src/tools/sss_cache.c:714
++#: src/tools/sss_cache.c:729
+ msgid "Invalidate particular SSH host"
+ msgstr ""
+ 
+-#: src/tools/sss_cache.c:716
++#: src/tools/sss_cache.c:731
+ msgid "Invalidate all SSH hosts"
+ msgstr ""
+ 
+-#: src/tools/sss_cache.c:720
++#: src/tools/sss_cache.c:735
+ msgid "Invalidate particular sudo rule"
+ msgstr ""
+ 
+-#: src/tools/sss_cache.c:722
++#: src/tools/sss_cache.c:737
+ msgid "Invalidate all cached sudo rules"
+ msgstr ""
+ 
+-#: src/tools/sss_cache.c:725
++#: src/tools/sss_cache.c:740
+ msgid "Only invalidate entries from a particular domain"
+ msgstr ""
+ 
+-#: src/tools/sss_cache.c:779
++#: src/tools/sss_cache.c:794
+ msgid ""
+ "Unexpected argument(s) provided, options that invalidate a single object "
+ "only accept a single provided argument.\n"
+ msgstr ""
+ 
+-#: src/tools/sss_cache.c:789
++#: src/tools/sss_cache.c:804
+ msgid "Please select at least one object to invalidate\n"
+ msgstr ""
+ 
+-#: src/tools/sss_cache.c:872
++#: src/tools/sss_cache.c:887
+ #, c-format
+ msgid ""
+ "Could not open domain %1$s. If the domain is a subdomain (trusted domain), "
+ "use fully qualified name instead of --domain/-d parameter.\n"
+ msgstr ""
+ 
+-#: src/tools/sss_cache.c:877
++#: src/tools/sss_cache.c:892
+ msgid "Could not open available domains\n"
+ msgstr ""
+ 
+@@ -2804,18 +2804,18 @@ msgstr ""
+ msgid " - no env -\n"
+ msgstr ""
+ 
+-#: src/util/util.h:75
++#: src/util/util.h:83
+ msgid "The user ID to run the server as"
+ msgstr ""
+ 
+-#: src/util/util.h:77
++#: src/util/util.h:85
+ msgid "The group ID to run the server as"
+ msgstr ""
+ 
+-#: src/util/util.h:85
++#: src/util/util.h:93
+ msgid "Informs that the responder has been socket-activated"
+ msgstr ""
+ 
+-#: src/util/util.h:87
++#: src/util/util.h:95
+ msgid "Informs that the responder has been dbus-activated"
+ msgstr ""
+diff --git a/po/it.po b/po/it.po
+index cb41d93c3..8f14e0df2 100644
+--- a/po/it.po
++++ b/po/it.po
+@@ -9,7 +9,7 @@ msgid ""
+ msgstr ""
+ "Project-Id-Version: PACKAGE VERSION\n"
+ "Report-Msgid-Bugs-To: sssd-devel@lists.fedorahosted.org\n"
+-"POT-Creation-Date: 2019-03-20 22:07+0100\n"
++"POT-Creation-Date: 2019-10-07 11:34+0200\n"
+ "PO-Revision-Date: 2019-03-06 08:57+0000\n"
+ "Last-Translator: Milo Casagrande <milo@milo.name>\n"
+ "Language-Team: Italian (http://www.transifex.com/projects/p/sssd/language/"
+@@ -1523,63 +1523,63 @@ msgstr ""
+ msgid "SSSD is already running\n"
+ msgstr ""
+ 
+-#: src/providers/krb5/krb5_child.c:3216 src/providers/ldap/ldap_child.c:605
++#: src/providers/krb5/krb5_child.c:3229 src/providers/ldap/ldap_child.c:605
+ msgid "Debug level"
+ msgstr "Livello debug"
+ 
+-#: src/providers/krb5/krb5_child.c:3218 src/providers/ldap/ldap_child.c:607
++#: src/providers/krb5/krb5_child.c:3231 src/providers/ldap/ldap_child.c:607
+ msgid "Add debug timestamps"
+ msgstr "Includi timestamp di debug"
+ 
+-#: src/providers/krb5/krb5_child.c:3220 src/providers/ldap/ldap_child.c:609
++#: src/providers/krb5/krb5_child.c:3233 src/providers/ldap/ldap_child.c:609
+ msgid "Show timestamps with microseconds"
+ msgstr ""
+ 
+-#: src/providers/krb5/krb5_child.c:3222 src/providers/ldap/ldap_child.c:611
++#: src/providers/krb5/krb5_child.c:3235 src/providers/ldap/ldap_child.c:611
+ msgid "An open file descriptor for the debug logs"
+ msgstr "Un descrittore di file aperto per l'output di debug"
+ 
+-#: src/providers/krb5/krb5_child.c:3225 src/providers/ldap/ldap_child.c:613
++#: src/providers/krb5/krb5_child.c:3238 src/providers/ldap/ldap_child.c:613
+ msgid "Send the debug output to stderr directly."
+ msgstr ""
+ 
+-#: src/providers/krb5/krb5_child.c:3228
++#: src/providers/krb5/krb5_child.c:3241
+ msgid "The user to create FAST ccache as"
+ msgstr ""
+ 
+-#: src/providers/krb5/krb5_child.c:3230
++#: src/providers/krb5/krb5_child.c:3243
+ msgid "The group to create FAST ccache as"
+ msgstr ""
+ 
+-#: src/providers/krb5/krb5_child.c:3232
++#: src/providers/krb5/krb5_child.c:3245
+ msgid "Kerberos realm to use"
+ msgstr ""
+ 
+-#: src/providers/krb5/krb5_child.c:3234
++#: src/providers/krb5/krb5_child.c:3247
+ msgid "Requested lifetime of the ticket"
+ msgstr ""
+ 
+-#: src/providers/krb5/krb5_child.c:3236
++#: src/providers/krb5/krb5_child.c:3249
+ msgid "Requested renewable lifetime of the ticket"
+ msgstr ""
+ 
+-#: src/providers/krb5/krb5_child.c:3238
++#: src/providers/krb5/krb5_child.c:3251
+ msgid "FAST options ('never', 'try', 'demand')"
+ msgstr ""
+ 
+-#: src/providers/krb5/krb5_child.c:3241
++#: src/providers/krb5/krb5_child.c:3254
+ msgid "Specifies the server principal to use for FAST"
+ msgstr ""
+ 
+-#: src/providers/krb5/krb5_child.c:3243
++#: src/providers/krb5/krb5_child.c:3256
+ msgid "Requests canonicalization of the principal name"
+ msgstr ""
+ 
+-#: src/providers/krb5/krb5_child.c:3245
++#: src/providers/krb5/krb5_child.c:3258
+ msgid "Use custom version of krb5_get_init_creds_password"
+ msgstr ""
+ 
+-#: src/providers/data_provider_be.c:556
++#: src/providers/data_provider_be.c:582
+ msgid "Domain of the information provider (mandatory)"
+ msgstr "Dominio del provider di informazioni (obbligatorio)"
+ 
+@@ -1611,88 +1611,88 @@ msgstr ""
+ msgid "Permission denied. "
+ msgstr ""
+ 
+-#: src/sss_client/pam_sss.c:77 src/sss_client/pam_sss.c:782
+-#: src/sss_client/pam_sss.c:793
++#: src/sss_client/pam_sss.c:77 src/sss_client/pam_sss.c:785
++#: src/sss_client/pam_sss.c:796
+ msgid "Server message: "
+ msgstr "Messaggio del server:"
+ 
+-#: src/sss_client/pam_sss.c:300
++#: src/sss_client/pam_sss.c:303
+ msgid "Passwords do not match"
+ msgstr "Le password non coincidono"
+ 
+-#: src/sss_client/pam_sss.c:488
++#: src/sss_client/pam_sss.c:491
+ msgid "Password reset by root is not supported."
+ msgstr ""
+ 
+-#: src/sss_client/pam_sss.c:529
++#: src/sss_client/pam_sss.c:532
+ msgid "Authenticated with cached credentials"
+ msgstr "Autenticato con le credenziali nella cache"
+ 
+-#: src/sss_client/pam_sss.c:530
++#: src/sss_client/pam_sss.c:533
+ msgid ", your cached password will expire at: "
+ msgstr ", la password in cache scadrà il: "
+ 
+-#: src/sss_client/pam_sss.c:560
++#: src/sss_client/pam_sss.c:563
+ #, c-format
+ msgid "Your password has expired. You have %1$d grace login(s) remaining."
+ msgstr ""
+ 
+-#: src/sss_client/pam_sss.c:606
++#: src/sss_client/pam_sss.c:609
+ #, c-format
+ msgid "Your password will expire in %1$d %2$s."
+ msgstr ""
+ 
+-#: src/sss_client/pam_sss.c:655
++#: src/sss_client/pam_sss.c:658
+ msgid "Authentication is denied until: "
+ msgstr "L'autenticazione verrà negata fino al: "
+ 
+-#: src/sss_client/pam_sss.c:676
++#: src/sss_client/pam_sss.c:679
+ msgid "System is offline, password change not possible"
+ msgstr "Il sistema è offline, non è possibile richiedere un cambio password"
+ 
+-#: src/sss_client/pam_sss.c:691
++#: src/sss_client/pam_sss.c:694
+ msgid ""
+ "After changing the OTP password, you need to log out and back in order to "
+ "acquire a ticket"
+ msgstr ""
+ 
+-#: src/sss_client/pam_sss.c:779 src/sss_client/pam_sss.c:792
++#: src/sss_client/pam_sss.c:782 src/sss_client/pam_sss.c:795
+ msgid "Password change failed. "
+ msgstr "Cambio password fallito."
+ 
+-#: src/sss_client/pam_sss.c:1926
++#: src/sss_client/pam_sss.c:1972
+ msgid "New Password: "
+ msgstr "Nuova password: "
+ 
+-#: src/sss_client/pam_sss.c:1927
++#: src/sss_client/pam_sss.c:1973
+ msgid "Reenter new Password: "
+ msgstr "Conferma nuova password: "
+ 
+-#: src/sss_client/pam_sss.c:2039 src/sss_client/pam_sss.c:2042
++#: src/sss_client/pam_sss.c:2130 src/sss_client/pam_sss.c:2133
+ msgid "First Factor: "
+ msgstr ""
+ 
+-#: src/sss_client/pam_sss.c:2040 src/sss_client/pam_sss.c:2202
++#: src/sss_client/pam_sss.c:2131 src/sss_client/pam_sss.c:2294
+ msgid "Second Factor (optional): "
+ msgstr ""
+ 
+-#: src/sss_client/pam_sss.c:2043 src/sss_client/pam_sss.c:2205
++#: src/sss_client/pam_sss.c:2134 src/sss_client/pam_sss.c:2297
+ msgid "Second Factor: "
+ msgstr ""
+ 
+-#: src/sss_client/pam_sss.c:2058
++#: src/sss_client/pam_sss.c:2149
+ msgid "Password: "
+ msgstr "Password: "
+ 
+-#: src/sss_client/pam_sss.c:2201 src/sss_client/pam_sss.c:2204
++#: src/sss_client/pam_sss.c:2293 src/sss_client/pam_sss.c:2296
+ msgid "First Factor (Current Password): "
+ msgstr ""
+ 
+-#: src/sss_client/pam_sss.c:2208
++#: src/sss_client/pam_sss.c:2300
+ msgid "Current Password: "
+ msgstr "Password corrente: "
+ 
+-#: src/sss_client/pam_sss.c:2536
++#: src/sss_client/pam_sss.c:2628
+ msgid "Password expired. Change your password now."
+ msgstr "Password scaduta. Cambiare la password ora."
+ 
+@@ -1701,7 +1701,7 @@ msgstr "Password scaduta. Cambiare la password ora."
+ #: src/tools/sss_groupadd.c:41 src/tools/sss_groupdel.c:44
+ #: src/tools/sss_groupmod.c:42 src/tools/sss_groupshow.c:668
+ #: src/tools/sss_userdel.c:134 src/tools/sss_usermod.c:47
+-#: src/tools/sss_cache.c:687
++#: src/tools/sss_cache.c:702
+ msgid "The debug level to run with"
+ msgstr "Il livello di debug da utilizzare"
+ 
+@@ -1714,7 +1714,7 @@ msgstr ""
+ #: src/tools/sss_groupadd.c:59 src/tools/sss_groupdel.c:54
+ #: src/tools/sss_groupmod.c:66 src/tools/sss_groupshow.c:680
+ #: src/tools/sss_userdel.c:152 src/tools/sss_usermod.c:79
+-#: src/tools/sss_cache.c:733
++#: src/tools/sss_cache.c:748
+ msgid "Error setting the locale\n"
+ msgstr "Errore di impostazione del locale\n"
+ 
+@@ -2181,88 +2181,88 @@ msgstr ""
+ msgid "Couldn't invalidate %1$s %2$s\n"
+ msgstr ""
+ 
+-#: src/tools/sss_cache.c:689
++#: src/tools/sss_cache.c:704
+ msgid "Invalidate all cached entries"
+ msgstr ""
+ 
+-#: src/tools/sss_cache.c:691
++#: src/tools/sss_cache.c:706
+ msgid "Invalidate particular user"
+ msgstr ""
+ 
+-#: src/tools/sss_cache.c:693
++#: src/tools/sss_cache.c:708
+ msgid "Invalidate all users"
+ msgstr ""
+ 
+-#: src/tools/sss_cache.c:695
++#: src/tools/sss_cache.c:710
+ msgid "Invalidate particular group"
+ msgstr ""
+ 
+-#: src/tools/sss_cache.c:697
++#: src/tools/sss_cache.c:712
+ msgid "Invalidate all groups"
+ msgstr ""
+ 
+-#: src/tools/sss_cache.c:699
++#: src/tools/sss_cache.c:714
+ msgid "Invalidate particular netgroup"
+ msgstr ""
+ 
+-#: src/tools/sss_cache.c:701
++#: src/tools/sss_cache.c:716
+ msgid "Invalidate all netgroups"
+ msgstr ""
+ 
+-#: src/tools/sss_cache.c:703
++#: src/tools/sss_cache.c:718
+ msgid "Invalidate particular service"
+ msgstr ""
+ 
+-#: src/tools/sss_cache.c:705
++#: src/tools/sss_cache.c:720
+ msgid "Invalidate all services"
+ msgstr ""
+ 
+-#: src/tools/sss_cache.c:708
++#: src/tools/sss_cache.c:723
+ msgid "Invalidate particular autofs map"
+ msgstr ""
+ 
+-#: src/tools/sss_cache.c:710
++#: src/tools/sss_cache.c:725
+ msgid "Invalidate all autofs maps"
+ msgstr ""
+ 
+-#: src/tools/sss_cache.c:714
++#: src/tools/sss_cache.c:729
+ msgid "Invalidate particular SSH host"
+ msgstr ""
+ 
+-#: src/tools/sss_cache.c:716
++#: src/tools/sss_cache.c:731
+ msgid "Invalidate all SSH hosts"
+ msgstr ""
+ 
+-#: src/tools/sss_cache.c:720
++#: src/tools/sss_cache.c:735
+ msgid "Invalidate particular sudo rule"
+ msgstr ""
+ 
+-#: src/tools/sss_cache.c:722
++#: src/tools/sss_cache.c:737
+ msgid "Invalidate all cached sudo rules"
+ msgstr ""
+ 
+-#: src/tools/sss_cache.c:725
++#: src/tools/sss_cache.c:740
+ msgid "Only invalidate entries from a particular domain"
+ msgstr ""
+ 
+-#: src/tools/sss_cache.c:779
++#: src/tools/sss_cache.c:794
+ msgid ""
+ "Unexpected argument(s) provided, options that invalidate a single object "
+ "only accept a single provided argument.\n"
+ msgstr ""
+ 
+-#: src/tools/sss_cache.c:789
++#: src/tools/sss_cache.c:804
+ msgid "Please select at least one object to invalidate\n"
+ msgstr ""
+ 
+-#: src/tools/sss_cache.c:872
++#: src/tools/sss_cache.c:887
+ #, c-format
+ msgid ""
+ "Could not open domain %1$s. If the domain is a subdomain (trusted domain), "
+ "use fully qualified name instead of --domain/-d parameter.\n"
+ msgstr ""
+ 
+-#: src/tools/sss_cache.c:877
++#: src/tools/sss_cache.c:892
+ msgid "Could not open available domains\n"
+ msgstr ""
+ 
+@@ -2826,18 +2826,18 @@ msgstr ""
+ msgid " - no env -\n"
+ msgstr ""
+ 
+-#: src/util/util.h:75
++#: src/util/util.h:83
+ msgid "The user ID to run the server as"
+ msgstr ""
+ 
+-#: src/util/util.h:77
++#: src/util/util.h:85
+ msgid "The group ID to run the server as"
+ msgstr ""
+ 
+-#: src/util/util.h:85
++#: src/util/util.h:93
+ msgid "Informs that the responder has been socket-activated"
+ msgstr ""
+ 
+-#: src/util/util.h:87
++#: src/util/util.h:95
+ msgid "Informs that the responder has been dbus-activated"
+ msgstr ""
+diff --git a/po/ja.po b/po/ja.po
+index f6ed9834b..03e16c787 100644
+--- a/po/ja.po
++++ b/po/ja.po
+@@ -1,7 +1,7 @@
+ # SOME DESCRIPTIVE TITLE.
+ # Copyright (C) YEAR Red Hat, Inc.
+ # This file is distributed under the same license as the PACKAGE package.
+-# 
++#
+ # Translators:
+ # Tomoyuki KATO <tomo@dream.daynight.jp>, 2012-2013
+ # Noriko Mizumoto <noriko.mizumoto@gmail.com>, 2016. #zanata
+@@ -10,15 +10,15 @@ msgid ""
+ msgstr ""
+ "Project-Id-Version: PACKAGE VERSION\n"
+ "Report-Msgid-Bugs-To: sssd-devel@lists.fedorahosted.org\n"
+-"POT-Creation-Date: 2019-02-27 19:55+0100\n"
+-"MIME-Version: 1.0\n"
+-"Content-Type: text/plain; charset=UTF-8\n"
+-"Content-Transfer-Encoding: 8bit\n"
++"POT-Creation-Date: 2019-10-07 11:34+0200\n"
+ "PO-Revision-Date: 2019-05-28 11:45+0000\n"
+ "Last-Translator: Keiko Moriguchi <kemorigu@redhat.com>\n"
+ "Language-Team: Japanese (http://www.transifex.com/projects/p/sssd/language/"
+ "ja/)\n"
+ "Language: ja\n"
++"MIME-Version: 1.0\n"
++"Content-Type: text/plain; charset=UTF-8\n"
++"Content-Transfer-Encoding: 8bit\n"
+ "Plural-Forms: nplurals=1; plural=0;\n"
+ "X-Generator: Zanata 4.6.2\n"
+ 
+@@ -65,7 +65,8 @@ msgstr "レスポンダーの自動シャットダウンまでのアイドル時
+ 
+ #: src/config/SSSDConfig/__init__.py.in:54
+ msgid "Always query all the caches before querying the Data Providers"
+-msgstr "データプロバイダーをクエリーする前に、常にすべてのキャッシュをクエリーします"
++msgstr ""
++"データプロバイダーをクエリーする前に、常にすべてのキャッシュをクエリーします"
+ 
+ #: src/config/SSSDConfig/__init__.py.in:57
+ msgid "SSSD Services to start"
+@@ -80,12 +81,12 @@ msgid "Timeout for messages sent over the SBUS"
+ msgstr "SBUS 経由のメッセージ送信のタイムアウト"
+ 
+ #: src/config/SSSDConfig/__init__.py.in:60
+-#: src/config/SSSDConfig/__init__.py.in:199
++#: src/config/SSSDConfig/__init__.py.in:198
+ msgid "Regex to parse username and domain"
+ msgstr "ユーザー名とドメインを構文解析する正規表現"
+ 
+ #: src/config/SSSDConfig/__init__.py.in:61
+-#: src/config/SSSDConfig/__init__.py.in:198
++#: src/config/SSSDConfig/__init__.py.in:197
+ msgid "Printf-compatible format for displaying fully-qualified names"
+ msgstr "完全修飾名を表示するための printf 互換の形式"
+ 
+@@ -93,7 +94,9 @@ msgstr "完全修飾名を表示するための printf 互換の形式"
+ msgid ""
+ "Directory on the filesystem where SSSD should store Kerberos replay cache "
+ "files."
+-msgstr "SSSD が Kerberos リプレイキャッシュファイルを保存するファイルシステムのディレクトリです。"
++msgstr ""
++"SSSD が Kerberos リプレイキャッシュファイルを保存するファイルシステムのディレ"
++"クトリです。"
+ 
+ #: src/config/SSSDConfig/__init__.py.in:63
+ msgid "Domain to add to names without a domain component."
+@@ -109,7 +112,8 @@ msgstr "証明書検証の調整"
+ 
+ #: src/config/SSSDConfig/__init__.py.in:66
+ msgid "All spaces in group or user names will be replaced with this character"
+-msgstr "グループ名またはユーザー名のすべてのスペースは、この文字に置き換えられます"
++msgstr ""
++"グループ名またはユーザー名のすべてのスペースは、この文字に置き換えられます"
+ 
+ #: src/config/SSSDConfig/__init__.py.in:67
+ msgid "Tune sssd to honor or ignore netlink state changes"
+@@ -132,7 +136,7 @@ msgid "Entry cache background update timeout length (seconds)"
+ msgstr "エントリーキャッシュのバックグラウンド更新のタイムアウト時間(秒)"
+ 
+ #: src/config/SSSDConfig/__init__.py.in:74
+-#: src/config/SSSDConfig/__init__.py.in:116
++#: src/config/SSSDConfig/__init__.py.in:114
+ msgid "Negative cache timeout length (seconds)"
+ msgstr "ネガティブキャッシュのタイムアウト(秒)"
+ 
+@@ -163,7 +167,9 @@ msgstr "識別プロバイダーからのホームディレクトリーの値を
+ #: src/config/SSSDConfig/__init__.py.in:81
+ msgid ""
+ "Substitute empty homedir value from the identity provider with this value"
+-msgstr "アイデンティティプロバイダーからの空のホームディレクトリーをこの値で置き換えます"
++msgstr ""
++"アイデンティティプロバイダーからの空のホームディレクトリーをこの値で置き換え"
++"ます"
+ 
+ #: src/config/SSSDConfig/__init__.py.in:82
+ msgid "Override shell value from the identity provider with this value"
+@@ -182,7 +188,9 @@ msgstr "拒否されてフォールバックシェルで置き換えられるシ
+ msgid ""
+ "If a shell stored in central directory is allowed but not available, use "
+ "this fallback"
+-msgstr "中央ディレクトリーに保存されたシェルが許可されるが、利用できない場合、このフォールバックを使用する"
++msgstr ""
++"中央ディレクトリーに保存されたシェルが許可されるが、利用できない場合、この"
++"フォールバックを使用する"
+ 
+ #: src/config/SSSDConfig/__init__.py.in:86
+ msgid "Shell to use if the provider does not list one"
+@@ -262,596 +270,610 @@ msgstr "アプリケーションドメインへの接続を許可される PAM 
+ msgid "Allowed services for using smartcards"
+ msgstr "スマートカードの使用が許可されたサービス"
+ 
+-#: src/config/SSSDConfig/__init__.py.in:107
+-msgid "Additional timeout to wait for a card if requested"
+-msgstr "要求された場合に、カードが待つ追加のタイムアウト"
+-
+-#: src/config/SSSDConfig/__init__.py.in:108
+-msgid ""
+-"PKCS#11 URI to restrict the selection of devices for Smartcard "
+-"authentication"
+-msgstr "スマートカード認証向けのデバイスの選択を PKCS#11 URI が制限"
+-
+-#: src/config/SSSDConfig/__init__.py.in:111
++#: src/config/SSSDConfig/__init__.py.in:109
+ msgid "Whether to evaluate the time-based attributes in sudo rules"
+ msgstr "sudo ルールにおいて時間による属性を評価するかどうか"
+ 
+-#: src/config/SSSDConfig/__init__.py.in:112
++#: src/config/SSSDConfig/__init__.py.in:110
+ msgid "If true, SSSD will switch back to lower-wins ordering logic"
+ msgstr "正しい場合、SSSD は小さい番号が優先される順位付けのロジックへ戻ります"
+ 
+-#: src/config/SSSDConfig/__init__.py.in:113
++#: src/config/SSSDConfig/__init__.py.in:111
+ msgid ""
+ "Maximum number of rules that can be refreshed at once. If this is exceeded, "
+ "full refresh is performed."
+-msgstr "一度にリフレッシュ可能なルールの最大数。最大数を超えると、フルリフレッシュが実行されます。"
++msgstr ""
++"一度にリフレッシュ可能なルールの最大数。最大数を超えると、フルリフレッシュが"
++"実行されます。"
+ 
+-#: src/config/SSSDConfig/__init__.py.in:119
++#: src/config/SSSDConfig/__init__.py.in:117
+ msgid "Whether to hash host names and addresses in the known_hosts file"
+ msgstr "known_hosts ファイルにおいてホスト名とアドレスをハッシュ化するかどうか"
+ 
+-#: src/config/SSSDConfig/__init__.py.in:120
++#: src/config/SSSDConfig/__init__.py.in:118
+ msgid ""
+ "How many seconds to keep a host in the known_hosts file after its host keys "
+ "were requested"
+ msgstr "ホスト鍵が要求された後 known_hosts ファイルにホストを保持する秒数"
+ 
+-#: src/config/SSSDConfig/__init__.py.in:121
++#: src/config/SSSDConfig/__init__.py.in:119
+ msgid "Path to storage of trusted CA certificates"
+ msgstr "信頼された CA 証明書のストレージへのパス"
+ 
+-#: src/config/SSSDConfig/__init__.py.in:124
++#: src/config/SSSDConfig/__init__.py.in:122
+ msgid "List of UIDs or user names allowed to access the PAC responder"
+ msgstr "PAC レスポンダーへのアクセスが許可された UID またはユーザー名の一覧"
+ 
+-#: src/config/SSSDConfig/__init__.py.in:125
++#: src/config/SSSDConfig/__init__.py.in:123
+ msgid "How long the PAC data is considered valid"
+ msgstr "PAC データが有効とされる期間"
+ 
+-#: src/config/SSSDConfig/__init__.py.in:128
++#: src/config/SSSDConfig/__init__.py.in:126
+ msgid "List of UIDs or user names allowed to access the InfoPipe responder"
+-msgstr "InfoPipe レスポンダーへのアクセスが許可された UID またはユーザー名の一覧"
++msgstr ""
++"InfoPipe レスポンダーへのアクセスが許可された UID またはユーザー名の一覧"
+ 
+-#: src/config/SSSDConfig/__init__.py.in:129
++#: src/config/SSSDConfig/__init__.py.in:127
+ msgid "List of user attributes the InfoPipe is allowed to publish"
+ msgstr "InfoPipe がパブリッシュを許可されたユーザー属性の一覧"
+ 
+-#: src/config/SSSDConfig/__init__.py.in:132
++#: src/config/SSSDConfig/__init__.py.in:130
+ msgid "The provider where the secrets will be stored in"
+ msgstr "シークレットが保存されるプロバイダー"
+ 
+-#: src/config/SSSDConfig/__init__.py.in:133
++#: src/config/SSSDConfig/__init__.py.in:131
+ msgid "The maximum allowed number of nested containers"
+ msgstr "ネストされたコンテナーの最大許可数"
+ 
+-#: src/config/SSSDConfig/__init__.py.in:134
++#: src/config/SSSDConfig/__init__.py.in:132
+ msgid "The maximum number of secrets that can be stored"
+ msgstr "保存可能なシークレットの最大数"
+ 
+-#: src/config/SSSDConfig/__init__.py.in:135
++#: src/config/SSSDConfig/__init__.py.in:133
+ msgid "The maximum number of secrets that can be stored per UID"
+ msgstr "UID ごとに保存可能なシークレットの最大数"
+ 
+-#: src/config/SSSDConfig/__init__.py.in:136
++#: src/config/SSSDConfig/__init__.py.in:134
+ msgid "The maximum payload size of a secret in kilobytes"
+ msgstr "キロバイトでのシークレットの最大ペイロードサイズ"
+ 
+-#: src/config/SSSDConfig/__init__.py.in:138
++#: src/config/SSSDConfig/__init__.py.in:136
+ msgid "The URL Custodia server is listening on"
+ msgstr "URL Custodia サーバーはリッスンしています"
+ 
+-#: src/config/SSSDConfig/__init__.py.in:139
++#: src/config/SSSDConfig/__init__.py.in:137
+ msgid "The method to use when authenticating to a Custodia server"
+ msgstr "Custodia サーバーへの認証時に使用する方法"
+ 
+-#: src/config/SSSDConfig/__init__.py.in:140
++#: src/config/SSSDConfig/__init__.py.in:138
+ msgid ""
+ "The name of the headers that will be added into a HTTP request with the "
+ "value defined in auth_header_value"
+-msgstr "auth_header_value で値が定義され、HTTP リクエストに追加されるヘッダーの名前"
++msgstr ""
++"auth_header_value で値が定義され、HTTP リクエストに追加されるヘッダーの名前"
+ 
+-#: src/config/SSSDConfig/__init__.py.in:141
++#: src/config/SSSDConfig/__init__.py.in:139
+ msgid "The value sssd-secrets would use for auth_header_name"
+ msgstr "sssd-secrets の値は、auth_header_name で使用します"
+ 
+-#: src/config/SSSDConfig/__init__.py.in:142
++#: src/config/SSSDConfig/__init__.py.in:140
+ msgid ""
+ "The list of the headers to forward to the Custodia server together with the "
+ "request"
+ msgstr "要求と共に Custodia サーバーへ転送するヘッダーの一覧"
+ 
+-#: src/config/SSSDConfig/__init__.py.in:143
++#: src/config/SSSDConfig/__init__.py.in:141
+ msgid ""
+-"The username to use when authenticating to a Custodia server using "
+-"basic_auth"
++"The username to use when authenticating to a Custodia server using basic_auth"
+ msgstr "basic_auth を使った Custodia サーバーへの認証時に使用するユーザー名"
+ 
+-#: src/config/SSSDConfig/__init__.py.in:144
++#: src/config/SSSDConfig/__init__.py.in:142
+ msgid ""
+-"The password to use when authenticating to a Custodia server using "
+-"basic_auth"
++"The password to use when authenticating to a Custodia server using basic_auth"
+ msgstr "basic_auth を使った Custodia サーバーへの認証時に使用するパスワード"
+ 
+-#: src/config/SSSDConfig/__init__.py.in:145
+-msgid ""
+-"If true peer's certificate is verified if proxy_url uses https protocol"
+-msgstr "proxy_url が https protocol を使用する場合に、正しいピアの証明書が検証されるかどうか"
++#: src/config/SSSDConfig/__init__.py.in:143
++msgid "If true peer's certificate is verified if proxy_url uses https protocol"
++msgstr ""
++"proxy_url が https protocol を使用する場合に、正しいピアの証明書が検証される"
++"かどうか"
+ 
+-#: src/config/SSSDConfig/__init__.py.in:146
++#: src/config/SSSDConfig/__init__.py.in:144
+ msgid ""
+ "If false peer's certificate may contain different hostname than proxy_url "
+ "when https protocol is used"
+-msgstr "https プロトコルが使用される場合に、間違ったピアの証明書が proxy_url 以外の異なるホスト名を含むかどうか"
++msgstr ""
++"https プロトコルが使用される場合に、間違ったピアの証明書が proxy_url 以外の異"
++"なるホスト名を含むかどうか"
+ 
+-#: src/config/SSSDConfig/__init__.py.in:147
++#: src/config/SSSDConfig/__init__.py.in:145
+ msgid "Path to directory where certificate authority certificates are stored"
+ msgstr "CA 証明書が保存されているディレクトリーへのパス"
+ 
+-#: src/config/SSSDConfig/__init__.py.in:148
++#: src/config/SSSDConfig/__init__.py.in:146
+ msgid "Path to file containing server's CA certificate"
+ msgstr "サーバーの CA 証明書を含むファイルへのパス"
+ 
+-#: src/config/SSSDConfig/__init__.py.in:149
++#: src/config/SSSDConfig/__init__.py.in:147
+ msgid "Path to file containing client's certificate"
+ msgstr "クライアントの証明書を含むファイルへのパス"
+ 
+-#: src/config/SSSDConfig/__init__.py.in:150
++#: src/config/SSSDConfig/__init__.py.in:148
+ msgid "Path to file containing client's private key"
+ msgstr "クライアントのプライベートキーを含むファイルへのパス"
+ 
+-#: src/config/SSSDConfig/__init__.py.in:153
++#: src/config/SSSDConfig/__init__.py.in:151
+ msgid "Identity provider"
+ msgstr "アイデンティティプロバイダー"
+ 
+-#: src/config/SSSDConfig/__init__.py.in:154
++#: src/config/SSSDConfig/__init__.py.in:152
+ msgid "Authentication provider"
+ msgstr "認証プロバイダー"
+ 
+-#: src/config/SSSDConfig/__init__.py.in:155
++#: src/config/SSSDConfig/__init__.py.in:153
+ msgid "Access control provider"
+ msgstr "アクセス制御プロバイダー"
+ 
+-#: src/config/SSSDConfig/__init__.py.in:156
++#: src/config/SSSDConfig/__init__.py.in:154
+ msgid "Password change provider"
+ msgstr "パスワード変更プロバイダー"
+ 
+-#: src/config/SSSDConfig/__init__.py.in:157
++#: src/config/SSSDConfig/__init__.py.in:155
+ msgid "SUDO provider"
+ msgstr "SUDO プロバイダー"
+ 
+-#: src/config/SSSDConfig/__init__.py.in:158
++#: src/config/SSSDConfig/__init__.py.in:156
+ msgid "Autofs provider"
+ msgstr "Autofs プロバイダー"
+ 
+-#: src/config/SSSDConfig/__init__.py.in:159
++#: src/config/SSSDConfig/__init__.py.in:157
+ msgid "Host identity provider"
+ msgstr "ホスト識別プロバイダー"
+ 
+-#: src/config/SSSDConfig/__init__.py.in:160
++#: src/config/SSSDConfig/__init__.py.in:158
+ msgid "SELinux provider"
+ msgstr "SELinux プロバイダー"
+ 
+-#: src/config/SSSDConfig/__init__.py.in:161
++#: src/config/SSSDConfig/__init__.py.in:159
+ msgid "Session management provider"
+ msgstr "セッションマネージャーのプロバイダー"
+ 
+-#: src/config/SSSDConfig/__init__.py.in:164
++#: src/config/SSSDConfig/__init__.py.in:162
+ msgid "Whether the domain is usable by the OS or by applications"
+ msgstr "OS またはアプリケーションがドメインを使用できるかどうか"
+ 
+-#: src/config/SSSDConfig/__init__.py.in:165
++#: src/config/SSSDConfig/__init__.py.in:163
+ msgid "Minimum user ID"
+ msgstr "最小ユーザー ID"
+ 
+-#: src/config/SSSDConfig/__init__.py.in:166
++#: src/config/SSSDConfig/__init__.py.in:164
+ msgid "Maximum user ID"
+ msgstr "最大ユーザー ID"
+ 
+-#: src/config/SSSDConfig/__init__.py.in:167
++#: src/config/SSSDConfig/__init__.py.in:165
+ msgid "Enable enumerating all users/groups"
+ msgstr "すべてのユーザー・グループの列挙を有効にする"
+ 
+-#: src/config/SSSDConfig/__init__.py.in:168
++#: src/config/SSSDConfig/__init__.py.in:166
+ msgid "Cache credentials for offline login"
+ msgstr "オフラインログインのためにクレディンシャルをキャッシュする"
+ 
+-#: src/config/SSSDConfig/__init__.py.in:169
++#: src/config/SSSDConfig/__init__.py.in:167
++msgid "Store password hashes"
++msgstr ""
++
++#: src/config/SSSDConfig/__init__.py.in:168
+ msgid "Display users/groups in fully-qualified form"
+ msgstr "ユーザー・グループを完全修飾形式で表示する"
+ 
+-#: src/config/SSSDConfig/__init__.py.in:170
++#: src/config/SSSDConfig/__init__.py.in:169
+ msgid "Don't include group members in group lookups"
+ msgstr "グループ検索にグループメンバーを含めない"
+ 
+-#: src/config/SSSDConfig/__init__.py.in:171
++#: src/config/SSSDConfig/__init__.py.in:170
++#: src/config/SSSDConfig/__init__.py.in:177
+ #: src/config/SSSDConfig/__init__.py.in:178
+ #: src/config/SSSDConfig/__init__.py.in:179
+ #: src/config/SSSDConfig/__init__.py.in:180
+ #: src/config/SSSDConfig/__init__.py.in:181
+ #: src/config/SSSDConfig/__init__.py.in:182
+-#: src/config/SSSDConfig/__init__.py.in:183
+ msgid "Entry cache timeout length (seconds)"
+ msgstr "エントリーキャッシュのタイムアウト長(秒)"
+ 
+-#: src/config/SSSDConfig/__init__.py.in:172
++#: src/config/SSSDConfig/__init__.py.in:171
+ msgid ""
+ "Restrict or prefer a specific address family when performing DNS lookups"
+ msgstr "DNS 検索を実行するときに特定のアドレスファミリーを制限または優先します"
+ 
+-#: src/config/SSSDConfig/__init__.py.in:173
++#: src/config/SSSDConfig/__init__.py.in:172
+ msgid "How long to keep cached entries after last successful login (days)"
+ msgstr "最終ログイン成功時からキャッシュエントリーを保持する日数"
+ 
+-#: src/config/SSSDConfig/__init__.py.in:174
++#: src/config/SSSDConfig/__init__.py.in:173
+ msgid "How long to wait for replies from DNS when resolving servers (seconds)"
+ msgstr "サーバーを名前解決するときに DNS から応答を待つ時間(秒)"
+ 
+-#: src/config/SSSDConfig/__init__.py.in:175
++#: src/config/SSSDConfig/__init__.py.in:174
+ msgid "The domain part of service discovery DNS query"
+ msgstr "サービス検索 DNS クエリーのドメイン部分"
+ 
+-#: src/config/SSSDConfig/__init__.py.in:176
++#: src/config/SSSDConfig/__init__.py.in:175
+ msgid "Override GID value from the identity provider with this value"
+ msgstr "識別プロバイダーからの GID 値をこの値で上書きする"
+ 
+-#: src/config/SSSDConfig/__init__.py.in:177
++#: src/config/SSSDConfig/__init__.py.in:176
+ msgid "Treat usernames as case sensitive"
+ msgstr "ユーザー名が大文字小文字を区別するよう取り扱う"
+ 
+-#: src/config/SSSDConfig/__init__.py.in:184
++#: src/config/SSSDConfig/__init__.py.in:183
+ msgid "How often should expired entries be refreshed in background"
+ msgstr "期限切れのエントリーがバックグラウンドで更新される頻度"
+ 
+-#: src/config/SSSDConfig/__init__.py.in:185
++#: src/config/SSSDConfig/__init__.py.in:184
+ msgid "Whether to automatically update the client's DNS entry"
+ msgstr "自動的にクライアントの DNS エントリーを更新するかどうか"
+ 
+-#: src/config/SSSDConfig/__init__.py.in:186
+-#: src/config/SSSDConfig/__init__.py.in:208
++#: src/config/SSSDConfig/__init__.py.in:185
++#: src/config/SSSDConfig/__init__.py.in:207
+ msgid "The TTL to apply to the client's DNS entry after updating it"
+ msgstr "クライアントの DNS 項目を更新後、適用する TTL"
+ 
+-#: src/config/SSSDConfig/__init__.py.in:187
+-#: src/config/SSSDConfig/__init__.py.in:209
++#: src/config/SSSDConfig/__init__.py.in:186
++#: src/config/SSSDConfig/__init__.py.in:208
+ msgid "The interface whose IP should be used for dynamic DNS updates"
+ msgstr "動的 DNS 更新のために使用される IP のインターフェース"
+ 
+-#: src/config/SSSDConfig/__init__.py.in:188
++#: src/config/SSSDConfig/__init__.py.in:187
+ msgid "How often to periodically update the client's DNS entry"
+ msgstr "どのくらい定期的にクライアントの DNS エントリーを更新するか"
+ 
+-#: src/config/SSSDConfig/__init__.py.in:189
++#: src/config/SSSDConfig/__init__.py.in:188
+ msgid "Whether the provider should explicitly update the PTR record as well"
+-msgstr "プロバイダーが同じように PTR レコードを明示的に更新する必要があるかどうか"
++msgstr ""
++"プロバイダーが同じように PTR レコードを明示的に更新する必要があるかどうか"
+ 
+-#: src/config/SSSDConfig/__init__.py.in:190
++#: src/config/SSSDConfig/__init__.py.in:189
+ msgid "Whether the nsupdate utility should default to using TCP"
+ msgstr "nsupdate ユーティリティが標準で TCP を使用するかどうか"
+ 
+-#: src/config/SSSDConfig/__init__.py.in:191
++#: src/config/SSSDConfig/__init__.py.in:190
+ msgid "What kind of authentication should be used to perform the DNS update"
+ msgstr "DNS 更新を実行するために使用すべき認証の種類"
+ 
+-#: src/config/SSSDConfig/__init__.py.in:192
++#: src/config/SSSDConfig/__init__.py.in:191
+ msgid "Override the DNS server used to perform the DNS update"
+ msgstr "DNS の更新を実行する際に使用する DNS サーバーを上書き"
+ 
+-#: src/config/SSSDConfig/__init__.py.in:193
++#: src/config/SSSDConfig/__init__.py.in:192
+ msgid "Control enumeration of trusted domains"
+ msgstr "信頼されたドメインの列挙を制御"
+ 
+-#: src/config/SSSDConfig/__init__.py.in:194
++#: src/config/SSSDConfig/__init__.py.in:193
+ msgid "How often should subdomains list be refreshed"
+ msgstr "サブドメインの一覧のリフレッシュ回数"
+ 
+-#: src/config/SSSDConfig/__init__.py.in:195
++#: src/config/SSSDConfig/__init__.py.in:194
+ msgid "List of options that should be inherited into a subdomain"
+ msgstr "サブドメインに継承すべきオプションの一覧"
+ 
+-#: src/config/SSSDConfig/__init__.py.in:196
++#: src/config/SSSDConfig/__init__.py.in:195
+ msgid "Default subdomain homedir value"
+ msgstr "デフォルトのサブドメインホームディレクトリーの値"
+ 
+-#: src/config/SSSDConfig/__init__.py.in:197
++#: src/config/SSSDConfig/__init__.py.in:196
+ msgid "How long can cached credentials be used for cached authentication"
+ msgstr "証明書キャッシュを認証キャッシュに使用できる期間"
+ 
+-#: src/config/SSSDConfig/__init__.py.in:200
++#: src/config/SSSDConfig/__init__.py.in:199
+ msgid "Whether to automatically create private groups for users"
+ msgstr "ユーザーにプライベートグループを自動的に作成するかどうか"
+ 
+-#: src/config/SSSDConfig/__init__.py.in:203
++#: src/config/SSSDConfig/__init__.py.in:202
+ msgid "IPA domain"
+ msgstr "IPA ドメイン"
+ 
+-#: src/config/SSSDConfig/__init__.py.in:204
++#: src/config/SSSDConfig/__init__.py.in:203
+ msgid "IPA server address"
+ msgstr "IPA サーバーのアドレス"
+ 
+-#: src/config/SSSDConfig/__init__.py.in:205
++#: src/config/SSSDConfig/__init__.py.in:204
+ msgid "Address of backup IPA server"
+ msgstr "バックアップ IPA サーバーのアドレス"
+ 
+-#: src/config/SSSDConfig/__init__.py.in:206
++#: src/config/SSSDConfig/__init__.py.in:205
+ msgid "IPA client hostname"
+ msgstr "IPA クライアントのホスト名"
+ 
+-#: src/config/SSSDConfig/__init__.py.in:207
++#: src/config/SSSDConfig/__init__.py.in:206
+ msgid "Whether to automatically update the client's DNS entry in FreeIPA"
+ msgstr "FreeIPA にあるクライアントの DNS エントリーを自動的に更新するかどうか"
+ 
+-#: src/config/SSSDConfig/__init__.py.in:210
++#: src/config/SSSDConfig/__init__.py.in:209
+ msgid "Search base for HBAC related objects"
+ msgstr "HBAC 関連オブジェクトの検索ベース"
+ 
+-#: src/config/SSSDConfig/__init__.py.in:211
++#: src/config/SSSDConfig/__init__.py.in:210
+ msgid ""
+ "The amount of time between lookups of the HBAC rules against the IPA server"
+ msgstr "IPA サーバーに対する HBAC ルールを検索している間の合計時間"
+ 
+-#: src/config/SSSDConfig/__init__.py.in:212
++#: src/config/SSSDConfig/__init__.py.in:211
+ msgid ""
+ "The amount of time in seconds between lookups of the SELinux maps against "
+ "the IPA server"
+ msgstr "IPA サーバーに対する SELinux マップの検索の間の秒単位の合計時間"
+ 
+-#: src/config/SSSDConfig/__init__.py.in:213
++#: src/config/SSSDConfig/__init__.py.in:212
+ msgid "If set to false, host argument given by PAM will be ignored"
+ msgstr "もし偽に設定されていると、 PAM により渡されたホスト引数は無視されます"
+ 
+-#: src/config/SSSDConfig/__init__.py.in:214
++#: src/config/SSSDConfig/__init__.py.in:213
+ msgid "The automounter location this IPA client is using"
+ msgstr "この IPA クライアントが使用している automounter の場所"
+ 
+-#: src/config/SSSDConfig/__init__.py.in:215
++#: src/config/SSSDConfig/__init__.py.in:214
+ msgid "Search base for object containing info about IPA domain"
+ msgstr "IPA ドメインに関する情報を含むオブジェクトに対する検索ベース"
+ 
+-#: src/config/SSSDConfig/__init__.py.in:216
++#: src/config/SSSDConfig/__init__.py.in:215
+ msgid "Search base for objects containing info about ID ranges"
+ msgstr "ID 範囲に関する情報を含むオブジェクトに対する検索ベース"
+ 
+-#: src/config/SSSDConfig/__init__.py.in:217
+-#: src/config/SSSDConfig/__init__.py.in:235
++#: src/config/SSSDConfig/__init__.py.in:216
++#: src/config/SSSDConfig/__init__.py.in:234
+ msgid "Enable DNS sites - location based service discovery"
+ msgstr "DNS サイトの有効化 - 位置にサービス探索"
+ 
+-#: src/config/SSSDConfig/__init__.py.in:218
++#: src/config/SSSDConfig/__init__.py.in:217
+ msgid "Search base for view containers"
+ msgstr "ビューコンテナーの検索ベース"
+ 
+-#: src/config/SSSDConfig/__init__.py.in:219
++#: src/config/SSSDConfig/__init__.py.in:218
+ msgid "Objectclass for view containers"
+ msgstr "ビューコンテナーのオブジェクトクラス"
+ 
+-#: src/config/SSSDConfig/__init__.py.in:220
++#: src/config/SSSDConfig/__init__.py.in:219
+ msgid "Attribute with the name of the view"
+ msgstr "ビューの名前の属性"
+ 
+-#: src/config/SSSDConfig/__init__.py.in:221
++#: src/config/SSSDConfig/__init__.py.in:220
+ msgid "Objectclass for override objects"
+ msgstr "上書きされたオブジェクトのオブジェクトクラス"
+ 
+-#: src/config/SSSDConfig/__init__.py.in:222
++#: src/config/SSSDConfig/__init__.py.in:221
+ msgid "Attribute with the reference to the original object"
+ msgstr "オリジナルオブジェクトを参照する属性"
+ 
+-#: src/config/SSSDConfig/__init__.py.in:223
++#: src/config/SSSDConfig/__init__.py.in:222
+ msgid "Objectclass for user override objects"
+ msgstr "ユーザーが上書きするオブジェクトのオブジェクトクラス"
+ 
+-#: src/config/SSSDConfig/__init__.py.in:224
++#: src/config/SSSDConfig/__init__.py.in:223
+ msgid "Objectclass for group override objects"
+ msgstr "グループが上書きするオブジェクトのオブジェクトクラス"
+ 
+-#: src/config/SSSDConfig/__init__.py.in:225
++#: src/config/SSSDConfig/__init__.py.in:224
+ msgid "Search base for Desktop Profile related objects"
+ msgstr "デスクトッププロファイルに関連するオブジェクトの検索ベース"
+ 
+-#: src/config/SSSDConfig/__init__.py.in:226
++#: src/config/SSSDConfig/__init__.py.in:225
+ msgid ""
+ "The amount of time in seconds between lookups of the Desktop Profile rules "
+ "against the IPA server"
+-msgstr "IPA サーバーに対するデスクトッププロファイルルールを検索している間の秒単位の合計時間"
++msgstr ""
++"IPA サーバーに対するデスクトッププロファイルルールを検索している間の秒単位の"
++"合計時間"
+ 
+-#: src/config/SSSDConfig/__init__.py.in:227
++#: src/config/SSSDConfig/__init__.py.in:226
+ msgid ""
+ "The amount of time in minutes between lookups of Desktop Profiles rules "
+ "against the IPA server when the last request did not find any rule"
+-msgstr "最後の要求がルールを何も見つけなかった場合の IPA サーバーに対するデスクトッププロファイルル ールを検索している間の分単位の合計時間"
++msgstr ""
++"最後の要求がルールを何も見つけなかった場合の IPA サーバーに対するデスクトップ"
++"プロファイルル ールを検索している間の分単位の合計時間"
+ 
+-#: src/config/SSSDConfig/__init__.py.in:230
++#: src/config/SSSDConfig/__init__.py.in:229
+ msgid "Active Directory domain"
+ msgstr "Active Directory ドメイン"
+ 
+-#: src/config/SSSDConfig/__init__.py.in:231
++#: src/config/SSSDConfig/__init__.py.in:230
+ msgid "Enabled Active Directory domains"
+ msgstr "有効化された Active Directory ドメイン"
+ 
+-#: src/config/SSSDConfig/__init__.py.in:232
++#: src/config/SSSDConfig/__init__.py.in:231
+ msgid "Active Directory server address"
+ msgstr "Active Directory サーバーアドレス"
+ 
+-#: src/config/SSSDConfig/__init__.py.in:233
++#: src/config/SSSDConfig/__init__.py.in:232
+ msgid "Active Directory backup server address"
+ msgstr "Active Directory バックアップサーバーのアドレス"
+ 
+-#: src/config/SSSDConfig/__init__.py.in:234
++#: src/config/SSSDConfig/__init__.py.in:233
+ msgid "Active Directory client hostname"
+ msgstr "Active Directory クライアントホスト名"
+ 
+-#: src/config/SSSDConfig/__init__.py.in:236
+-#: src/config/SSSDConfig/__init__.py.in:420
++#: src/config/SSSDConfig/__init__.py.in:235
++#: src/config/SSSDConfig/__init__.py.in:422
+ msgid "LDAP filter to determine access privileges"
+ msgstr "アクセス権限を決めるための LDAP フィルター"
+ 
+-#: src/config/SSSDConfig/__init__.py.in:237
++#: src/config/SSSDConfig/__init__.py.in:236
+ msgid "Whether to use the Global Catalog for lookups"
+ msgstr "検索にグローバルカタログを使用するかどうか"
+ 
+-#: src/config/SSSDConfig/__init__.py.in:238
++#: src/config/SSSDConfig/__init__.py.in:237
+ msgid "Operation mode for GPO-based access control"
+ msgstr "グローバルカタログベースのアクセス制御に対するオペレーションモード"
+ 
+-#: src/config/SSSDConfig/__init__.py.in:239
++#: src/config/SSSDConfig/__init__.py.in:238
+ msgid ""
+ "The amount of time between lookups of the GPO policy files against the AD "
+ "server"
+ msgstr "AD サーバーに対する GPO ポリシーファイルを検索している間の合計時間"
+ 
+-#: src/config/SSSDConfig/__init__.py.in:240
++#: src/config/SSSDConfig/__init__.py.in:239
+ msgid ""
+ "PAM service names that map to the GPO (Deny)InteractiveLogonRight policy "
+ "settings"
+-msgstr "GPO (Deny)InteractiveLogonRight のポリシー設定にマッピングした PAM サービス名"
++msgstr ""
++"GPO (Deny)InteractiveLogonRight のポリシー設定にマッピングした PAM サービス名"
+ 
+-#: src/config/SSSDConfig/__init__.py.in:241
++#: src/config/SSSDConfig/__init__.py.in:240
+ msgid ""
+ "PAM service names that map to the GPO (Deny)RemoteInteractiveLogonRight "
+ "policy settings"
+-msgstr "GPO (Deny)RemoteInteractiveLogonRight のポリシー設定にマッピングした PAM サービス名"
++msgstr ""
++"GPO (Deny)RemoteInteractiveLogonRight のポリシー設定にマッピングした PAM サー"
++"ビス名"
+ 
+-#: src/config/SSSDConfig/__init__.py.in:242
++#: src/config/SSSDConfig/__init__.py.in:241
+ msgid ""
+-"PAM service names that map to the GPO (Deny)NetworkLogonRight policy "
+-"settings"
+-msgstr "GPO (Deny)NetworkLogonRight のポリシー設定にマッピングした PAM サービス名"
++"PAM service names that map to the GPO (Deny)NetworkLogonRight policy settings"
++msgstr ""
++"GPO (Deny)NetworkLogonRight のポリシー設定にマッピングした PAM サービス名"
+ 
+-#: src/config/SSSDConfig/__init__.py.in:243
++#: src/config/SSSDConfig/__init__.py.in:242
+ msgid ""
+ "PAM service names that map to the GPO (Deny)BatchLogonRight policy settings"
+-msgstr "GPO (Deny)BatchLogonRight のポリシー設定にマッピングした PAM サービス名"
++msgstr ""
++"GPO (Deny)BatchLogonRight のポリシー設定にマッピングした PAM サービス名"
+ 
+-#: src/config/SSSDConfig/__init__.py.in:244
++#: src/config/SSSDConfig/__init__.py.in:243
+ msgid ""
+-"PAM service names that map to the GPO (Deny)ServiceLogonRight policy "
+-"settings"
++"PAM service names that map to the GPO (Deny)ServiceLogonRight policy settings"
+ msgstr "(Deny)ServiceLogonRight のポリシー設定にマッピングした PAM サービス名"
+ 
+-#: src/config/SSSDConfig/__init__.py.in:245
++#: src/config/SSSDConfig/__init__.py.in:244
+ msgid "PAM service names for which GPO-based access is always granted"
+ msgstr "GPO ベースのアクセスが常に許可される PAM サービス名"
+ 
+-#: src/config/SSSDConfig/__init__.py.in:246
++#: src/config/SSSDConfig/__init__.py.in:245
+ msgid "PAM service names for which GPO-based access is always denied"
+ msgstr "GPO ベースのアクセスが常に拒否される PAM サービス名"
+ 
+-#: src/config/SSSDConfig/__init__.py.in:247
++#: src/config/SSSDConfig/__init__.py.in:246
+ msgid ""
+ "Default logon right (or permit/deny) to use for unmapped PAM service names"
+-msgstr "マッピングされていない PAM サービス名に使用するデフォルトのログオン権利 (または許可/拒否)"
++msgstr ""
++"マッピングされていない PAM サービス名に使用するデフォルトのログオン権利 (また"
++"は許可/拒否)"
+ 
+-#: src/config/SSSDConfig/__init__.py.in:248
++#: src/config/SSSDConfig/__init__.py.in:247
+ msgid "a particular site to be used by the client"
+ msgstr "クライアントが使用する特定のサイト"
+ 
+-#: src/config/SSSDConfig/__init__.py.in:249
++#: src/config/SSSDConfig/__init__.py.in:248
+ msgid ""
+ "Maximum age in days before the machine account password should be renewed"
+ msgstr "マシンアカウントのパスワードの更新が必要となるまでの最大日数"
+ 
+-#: src/config/SSSDConfig/__init__.py.in:250
++#: src/config/SSSDConfig/__init__.py.in:249
+ msgid "Option for tuning the machine account renewal task"
+ msgstr "マシンアカウントの更新タスクをチューニングするオプション"
+ 
++#: src/config/SSSDConfig/__init__.py.in:252
+ #: src/config/SSSDConfig/__init__.py.in:253
+-#: src/config/SSSDConfig/__init__.py.in:254
+ msgid "Kerberos server address"
+ msgstr "Kerberos サーバーのアドレス"
+ 
+-#: src/config/SSSDConfig/__init__.py.in:255
++#: src/config/SSSDConfig/__init__.py.in:254
+ msgid "Kerberos backup server address"
+ msgstr "Kerberos バックアップサーバーのアドレス"
+ 
+-#: src/config/SSSDConfig/__init__.py.in:256
++#: src/config/SSSDConfig/__init__.py.in:255
+ msgid "Kerberos realm"
+ msgstr "Kerberos レルム"
+ 
+-#: src/config/SSSDConfig/__init__.py.in:257
++#: src/config/SSSDConfig/__init__.py.in:256
+ msgid "Authentication timeout"
+ msgstr "認証のタイムアウト"
+ 
+-#: src/config/SSSDConfig/__init__.py.in:258
++#: src/config/SSSDConfig/__init__.py.in:257
+ msgid "Whether to create kdcinfo files"
+ msgstr "kdcinfo ファイルを作成するかどうか"
+ 
+-#: src/config/SSSDConfig/__init__.py.in:259
++#: src/config/SSSDConfig/__init__.py.in:258
+ msgid "Where to drop krb5 config snippets"
+ msgstr "krb5 設定スニペットを削除する場所"
+ 
+-#: src/config/SSSDConfig/__init__.py.in:262
++#: src/config/SSSDConfig/__init__.py.in:261
+ msgid "Directory to store credential caches"
+ msgstr "クレディンシャルのキャッシュを保存するディレクトリー"
+ 
+-#: src/config/SSSDConfig/__init__.py.in:263
++#: src/config/SSSDConfig/__init__.py.in:262
+ msgid "Location of the user's credential cache"
+ msgstr "ユーザーのクレディンシャルキャッシュの位置"
+ 
+-#: src/config/SSSDConfig/__init__.py.in:264
++#: src/config/SSSDConfig/__init__.py.in:263
+ msgid "Location of the keytab to validate credentials"
+ msgstr "クレディンシャルを検証するキーテーブルの場所"
+ 
+-#: src/config/SSSDConfig/__init__.py.in:265
++#: src/config/SSSDConfig/__init__.py.in:264
+ msgid "Enable credential validation"
+ msgstr "クレディンシャルの検証を有効にする"
+ 
+-#: src/config/SSSDConfig/__init__.py.in:266
++#: src/config/SSSDConfig/__init__.py.in:265
+ msgid "Store password if offline for later online authentication"
+ msgstr "後からオンライン認証するためにオフラインの場合にパスワードを保存します"
+ 
+-#: src/config/SSSDConfig/__init__.py.in:267
++#: src/config/SSSDConfig/__init__.py.in:266
+ msgid "Renewable lifetime of the TGT"
+ msgstr "更新可能な TGT の有効期間"
+ 
+-#: src/config/SSSDConfig/__init__.py.in:268
++#: src/config/SSSDConfig/__init__.py.in:267
+ msgid "Lifetime of the TGT"
+ msgstr "TGT の有効期間"
+ 
+-#: src/config/SSSDConfig/__init__.py.in:269
++#: src/config/SSSDConfig/__init__.py.in:268
+ msgid "Time between two checks for renewal"
+ msgstr "更新を確認する間隔"
+ 
+-#: src/config/SSSDConfig/__init__.py.in:270
++#: src/config/SSSDConfig/__init__.py.in:269
+ msgid "Enables FAST"
+ msgstr "FAST を有効にする"
+ 
+-#: src/config/SSSDConfig/__init__.py.in:271
++#: src/config/SSSDConfig/__init__.py.in:270
+ msgid "Selects the principal to use for FAST"
+ msgstr "FAST に使用するプリンシパルを選択する"
+ 
+-#: src/config/SSSDConfig/__init__.py.in:272
++#: src/config/SSSDConfig/__init__.py.in:271
+ msgid "Enables principal canonicalization"
+ msgstr "プリンシパル正規化を有効にする"
+ 
+-#: src/config/SSSDConfig/__init__.py.in:273
++#: src/config/SSSDConfig/__init__.py.in:272
+ msgid "Enables enterprise principals"
+ msgstr "エンタープライズ・プリンシパルの有効化"
+ 
+-#: src/config/SSSDConfig/__init__.py.in:274
++#: src/config/SSSDConfig/__init__.py.in:273
+ msgid "A mapping from user names to Kerberos principal names"
+ msgstr "ユーザー名から Kerberos プリンシパル名までのマッピング"
+ 
++#: src/config/SSSDConfig/__init__.py.in:276
+ #: src/config/SSSDConfig/__init__.py.in:277
+-#: src/config/SSSDConfig/__init__.py.in:278
+ msgid "Server where the change password service is running if not on the KDC"
+ msgstr "KDC になければ、パスワード変更サービスが実行されているサーバー"
+ 
+-#: src/config/SSSDConfig/__init__.py.in:281
++#: src/config/SSSDConfig/__init__.py.in:280
+ msgid "ldap_uri, The URI of the LDAP server"
+ msgstr "ldap_uri, LDAP サーバーの URI"
+ 
+-#: src/config/SSSDConfig/__init__.py.in:282
++#: src/config/SSSDConfig/__init__.py.in:281
+ msgid "ldap_backup_uri, The URI of the LDAP server"
+ msgstr "ldap_backup_uri, LDAP サーバーの URI"
+ 
+-#: src/config/SSSDConfig/__init__.py.in:283
++#: src/config/SSSDConfig/__init__.py.in:282
+ msgid "The default base DN"
+ msgstr "デフォルトのベース DN"
+ 
+-#: src/config/SSSDConfig/__init__.py.in:284
++#: src/config/SSSDConfig/__init__.py.in:283
+ msgid "The Schema Type in use on the LDAP server, rfc2307"
+ msgstr "LDAP サーバーにおいて使用中のスキーマ形式, rfc2307"
+ 
++#: src/config/SSSDConfig/__init__.py.in:284
++#, fuzzy
++msgid "Mode used to change user password"
++msgstr "パスワードの期限が切れました。いますぐパスワードを変更してください。"
++
+ #: src/config/SSSDConfig/__init__.py.in:285
+ msgid "The default bind DN"
+ msgstr "デフォルトのバインド DN"
+@@ -956,7 +978,9 @@ msgstr "完全な参照解決を引き起こすために欠けている必要が
+ msgid ""
+ "Whether the LDAP library should perform a reverse lookup to canonicalize the "
+ "host name during a SASL bind"
+-msgstr "LDAP ライブラリーが SASL バインド中にホスト名を正規化するために逆引きを実行するかどうか"
++msgstr ""
++"LDAP ライブラリーが SASL バインド中にホスト名を正規化するために逆引きを実行す"
++"るかどうか"
+ 
+ #: src/config/SSSDConfig/__init__.py.in:312
+ msgid "entryUSN attribute"
+@@ -967,8 +991,7 @@ msgid "lastUSN attribute"
+ msgstr "lastUSN 属性"
+ 
+ #: src/config/SSSDConfig/__init__.py.in:315
+-msgid ""
+-"How long to retain a connection to the LDAP server before disconnecting"
++msgid "How long to retain a connection to the LDAP server before disconnecting"
+ msgstr "LDAP サーバーを切断する前に接続を保持する時間"
+ 
+ #: src/config/SSSDConfig/__init__.py.in:317
+@@ -1285,404 +1308,418 @@ msgid "Number of secondary slices"
+ msgstr "セカンダリースライスの数"
+ 
+ #: src/config/SSSDConfig/__init__.py.in:410
++#, fuzzy
++msgid "Use LDAP_MATCHING_RULE_IN_CHAIN for group lookups"
++msgstr "グループ検索のベース DN"
++
++#: src/config/SSSDConfig/__init__.py.in:411
++#, fuzzy
++msgid "Use LDAP_MATCHING_RULE_IN_CHAIN for initgroup lookups"
++msgstr "ネットグループ検索のベース DN"
++
++#: src/config/SSSDConfig/__init__.py.in:412
+ msgid "Whether to use Token-Groups"
+ msgstr "Token-Group を使うかどうか"
+ 
+-#: src/config/SSSDConfig/__init__.py.in:411
++#: src/config/SSSDConfig/__init__.py.in:413
+ msgid "Set lower boundary for allowed IDs from the LDAP server"
+ msgstr "LDAP サーバーから許可される ID の下限の設定"
+ 
+-#: src/config/SSSDConfig/__init__.py.in:412
++#: src/config/SSSDConfig/__init__.py.in:414
+ msgid "Set upper boundary for allowed IDs from the LDAP server"
+ msgstr "LDAP サーバーから許可される ID の上限の設定"
+ 
+-#: src/config/SSSDConfig/__init__.py.in:413
++#: src/config/SSSDConfig/__init__.py.in:415
+ msgid "DN for ppolicy queries"
+ msgstr "ppolicy クエリーの DN"
+ 
+-#: src/config/SSSDConfig/__init__.py.in:414
++#: src/config/SSSDConfig/__init__.py.in:416
+ msgid "How many maximum entries to fetch during a wildcard request"
+ msgstr "ワイルドカードの要求の間に取得する最大エントリーの数"
+ 
+-#: src/config/SSSDConfig/__init__.py.in:417
++#: src/config/SSSDConfig/__init__.py.in:419
+ msgid "Policy to evaluate the password expiration"
+ msgstr "パスワード失効の評価のポリシー"
+ 
+-#: src/config/SSSDConfig/__init__.py.in:421
++#: src/config/SSSDConfig/__init__.py.in:423
+ msgid "Which attributes shall be used to evaluate if an account is expired"
+ msgstr "どの属性がアカウントが失効しているかを評価するために使用されるか"
+ 
+-#: src/config/SSSDConfig/__init__.py.in:422
++#: src/config/SSSDConfig/__init__.py.in:424
+ msgid "Which rules should be used to evaluate access control"
+ msgstr "どのルールがアクセス制御を評価するために使用されるか"
+ 
+-#: src/config/SSSDConfig/__init__.py.in:425
++#: src/config/SSSDConfig/__init__.py.in:427
+ msgid "URI of an LDAP server where password changes are allowed"
+ msgstr "パスワードの変更が許可される LDAP サーバーの URI"
+ 
+-#: src/config/SSSDConfig/__init__.py.in:426
++#: src/config/SSSDConfig/__init__.py.in:428
+ msgid "URI of a backup LDAP server where password changes are allowed"
+ msgstr "パスワードの変更が許可されるバックアップ LDAP サーバーの URI"
+ 
+-#: src/config/SSSDConfig/__init__.py.in:427
++#: src/config/SSSDConfig/__init__.py.in:429
+ msgid "DNS service name for LDAP password change server"
+ msgstr "LDAP パスワードの変更サーバーの DNS サービス名"
+ 
+-#: src/config/SSSDConfig/__init__.py.in:428
++#: src/config/SSSDConfig/__init__.py.in:430
+ msgid ""
+ "Whether to update the ldap_user_shadow_last_change attribute after a "
+ "password change"
+ msgstr "パスワード変更後 ldap_user_shadow_last_change 属性を更新するかどうか"
+ 
+-#: src/config/SSSDConfig/__init__.py.in:431
++#: src/config/SSSDConfig/__init__.py.in:433
+ msgid "Base DN for sudo rules lookups"
+ msgstr "sudo ルール検索のベース DN"
+ 
+-#: src/config/SSSDConfig/__init__.py.in:432
++#: src/config/SSSDConfig/__init__.py.in:434
+ msgid "Automatic full refresh period"
+ msgstr "自動的な完全更新間隔"
+ 
+-#: src/config/SSSDConfig/__init__.py.in:433
++#: src/config/SSSDConfig/__init__.py.in:435
+ msgid "Automatic smart refresh period"
+ msgstr "自動的なスマート更新間隔"
+ 
+-#: src/config/SSSDConfig/__init__.py.in:434
++#: src/config/SSSDConfig/__init__.py.in:436
+ msgid "Whether to filter rules by hostname, IP addresses and network"
+-msgstr "ホスト名、IP アドレスおよびネットワークによるフィルタールールを使用するかどうか"
++msgstr ""
++"ホスト名、IP アドレスおよびネットワークによるフィルタールールを使用するかどう"
++"か"
+ 
+-#: src/config/SSSDConfig/__init__.py.in:435
++#: src/config/SSSDConfig/__init__.py.in:437
+ msgid ""
+ "Hostnames and/or fully qualified domain names of this machine to filter sudo "
+ "rules"
+-msgstr "sudo ルールをフィルターするこのマシンのホスト名および/または完全修飾ドメイン名"
++msgstr ""
++"sudo ルールをフィルターするこのマシンのホスト名および/または完全修飾ドメイン"
++"名"
+ 
+-#: src/config/SSSDConfig/__init__.py.in:436
++#: src/config/SSSDConfig/__init__.py.in:438
+ msgid "IPv4 or IPv6 addresses or network of this machine to filter sudo rules"
+-msgstr "sudo ルールをフィルターするこのマシンの IPv4 または IPv6 アドレスまたはネットワーク"
++msgstr ""
++"sudo ルールをフィルターするこのマシンの IPv4 または IPv6 アドレスまたはネット"
++"ワーク"
+ 
+-#: src/config/SSSDConfig/__init__.py.in:437
++#: src/config/SSSDConfig/__init__.py.in:439
+ msgid "Whether to include rules that contains netgroup in host attribute"
+ msgstr "ホスト属性にネットワークグループを含むルールを含めるかどうか"
+ 
+-#: src/config/SSSDConfig/__init__.py.in:438
++#: src/config/SSSDConfig/__init__.py.in:440
+ msgid ""
+ "Whether to include rules that contains regular expression in host attribute"
+ msgstr "ホスト属性に正規表現を含むルールを含めるかどうか"
+ 
+-#: src/config/SSSDConfig/__init__.py.in:439
++#: src/config/SSSDConfig/__init__.py.in:441
+ msgid "Object class for sudo rules"
+ msgstr "sudo ルールのオブジェクトクラス"
+ 
+-#: src/config/SSSDConfig/__init__.py.in:440
++#: src/config/SSSDConfig/__init__.py.in:442
+ msgid "Sudo rule name"
+ msgstr "sudo ルール名"
+ 
+-#: src/config/SSSDConfig/__init__.py.in:441
++#: src/config/SSSDConfig/__init__.py.in:443
+ msgid "Sudo rule command attribute"
+ msgstr "sudo ルールのコマンドの属性"
+ 
+-#: src/config/SSSDConfig/__init__.py.in:442
++#: src/config/SSSDConfig/__init__.py.in:444
+ msgid "Sudo rule host attribute"
+ msgstr "sudo ルールのホストの属性"
+ 
+-#: src/config/SSSDConfig/__init__.py.in:443
++#: src/config/SSSDConfig/__init__.py.in:445
+ msgid "Sudo rule user attribute"
+ msgstr "sudo ルールのユーザーの属性"
+ 
+-#: src/config/SSSDConfig/__init__.py.in:444
++#: src/config/SSSDConfig/__init__.py.in:446
+ msgid "Sudo rule option attribute"
+ msgstr "sudo ルールのオプションの属性"
+ 
+-#: src/config/SSSDConfig/__init__.py.in:445
++#: src/config/SSSDConfig/__init__.py.in:447
+ msgid "Sudo rule runas attribute"
+ msgstr "sudo ルールの runas の属性"
+ 
+-#: src/config/SSSDConfig/__init__.py.in:446
++#: src/config/SSSDConfig/__init__.py.in:448
+ msgid "Sudo rule runasuser attribute"
+ msgstr "sudo ルールの runasuser の属性"
+ 
+-#: src/config/SSSDConfig/__init__.py.in:447
++#: src/config/SSSDConfig/__init__.py.in:449
+ msgid "Sudo rule runasgroup attribute"
+ msgstr "sudo ルールの runasgroup の属性"
+ 
+-#: src/config/SSSDConfig/__init__.py.in:448
++#: src/config/SSSDConfig/__init__.py.in:450
+ msgid "Sudo rule notbefore attribute"
+ msgstr "sudo ルールの notbefore の属性"
+ 
+-#: src/config/SSSDConfig/__init__.py.in:449
++#: src/config/SSSDConfig/__init__.py.in:451
+ msgid "Sudo rule notafter attribute"
+ msgstr "sudo ルールの notafter の属性"
+ 
+-#: src/config/SSSDConfig/__init__.py.in:450
++#: src/config/SSSDConfig/__init__.py.in:452
+ msgid "Sudo rule order attribute"
+ msgstr "sudo ルールの order の属性"
+ 
+-#: src/config/SSSDConfig/__init__.py.in:453
++#: src/config/SSSDConfig/__init__.py.in:455
+ msgid "Object class for automounter maps"
+ msgstr "automounter マップのオブジェクトクラス"
+ 
+-#: src/config/SSSDConfig/__init__.py.in:454
++#: src/config/SSSDConfig/__init__.py.in:456
+ msgid "Automounter map name attribute"
+ msgstr "オートマウントのマップ名の属性"
+ 
+-#: src/config/SSSDConfig/__init__.py.in:455
++#: src/config/SSSDConfig/__init__.py.in:457
+ msgid "Object class for automounter map entries"
+ msgstr "automounter マップエントリーのオブジェクトクラス"
+ 
+-#: src/config/SSSDConfig/__init__.py.in:456
++#: src/config/SSSDConfig/__init__.py.in:458
+ msgid "Automounter map entry key attribute"
+ msgstr "automounter マップエントリーのキー属性"
+ 
+-#: src/config/SSSDConfig/__init__.py.in:457
++#: src/config/SSSDConfig/__init__.py.in:459
+ msgid "Automounter map entry value attribute"
+ msgstr "automounter マップエントリーの値属性"
+ 
+-#: src/config/SSSDConfig/__init__.py.in:458
++#: src/config/SSSDConfig/__init__.py.in:460
+ msgid "Base DN for automounter map lookups"
+ msgstr "automonter のマップ検索のベース DN"
+ 
+-#: src/config/SSSDConfig/__init__.py.in:461
++#: src/config/SSSDConfig/__init__.py.in:463
+ msgid "Comma separated list of allowed users"
+ msgstr "許可ユーザーのカンマ区切り一覧"
+ 
+-#: src/config/SSSDConfig/__init__.py.in:462
++#: src/config/SSSDConfig/__init__.py.in:464
+ msgid "Comma separated list of prohibited users"
+ msgstr "禁止ユーザーのカンマ区切り一覧"
+ 
+-#: src/config/SSSDConfig/__init__.py.in:465
++#: src/config/SSSDConfig/__init__.py.in:467
+ msgid "Default shell, /bin/bash"
+ msgstr "デフォルトのシェル, /bin/bash"
+ 
+-#: src/config/SSSDConfig/__init__.py.in:466
++#: src/config/SSSDConfig/__init__.py.in:468
+ msgid "Base for home directories"
+ msgstr "ホームディレクトリーのベース"
+ 
+-#: src/config/SSSDConfig/__init__.py.in:469
++#: src/config/SSSDConfig/__init__.py.in:471
+ msgid "The number of preforked proxy children."
+ msgstr "事前にフォークされた子プロキシの数"
+ 
+-#: src/config/SSSDConfig/__init__.py.in:472
++#: src/config/SSSDConfig/__init__.py.in:474
+ msgid "The name of the NSS library to use"
+ msgstr "使用する NSS ライブラリーの名前"
+ 
+-#: src/config/SSSDConfig/__init__.py.in:473
++#: src/config/SSSDConfig/__init__.py.in:475
+ msgid "Whether to look up canonical group name from cache if possible"
+ msgstr "可能ならばキャッシュから正規化されたグループ名を検索するかどうか"
+ 
+-#: src/config/SSSDConfig/__init__.py.in:476
++#: src/config/SSSDConfig/__init__.py.in:478
+ msgid "PAM stack to use"
+ msgstr "使用する PAM スタック"
+ 
+-#: src/config/SSSDConfig/__init__.py.in:479
++#: src/config/SSSDConfig/__init__.py.in:481
+ msgid "Path of passwd file sources."
+ msgstr "passwd ファイルソースへのパス"
+ 
+-#: src/config/SSSDConfig/__init__.py.in:480
++#: src/config/SSSDConfig/__init__.py.in:482
+ msgid "Path of group file sources."
+ msgstr "グループファイルソースへのパス"
+ 
+-#: src/monitor/monitor.c:2347
++#: src/monitor/monitor.c:2452
+ msgid "Become a daemon (default)"
+ msgstr "デーモンとして実行(デフォルト)"
+ 
+-#: src/monitor/monitor.c:2349
++#: src/monitor/monitor.c:2454
+ msgid "Run interactive (not a daemon)"
+ msgstr "対話的に実行(デーモンではない)"
+ 
+-#: src/monitor/monitor.c:2352
++#: src/monitor/monitor.c:2457
+ msgid "Disable netlink interface"
+ msgstr "netlink インターフェースを無効にする"
+ 
+-#: src/monitor/monitor.c:2354 src/tools/sssctl/sssctl_logs.c:311
++#: src/monitor/monitor.c:2459 src/tools/sssctl/sssctl_logs.c:311
+ msgid "Specify a non-default config file"
+ msgstr "非標準の設定ファイルの指定"
+ 
+-#: src/monitor/monitor.c:2356
++#: src/monitor/monitor.c:2461
+ msgid "Refresh the configuration database, then exit"
+ msgstr "設定データベースをリフレッシュし、その後終了します"
+ 
+-#: src/monitor/monitor.c:2359
+-msgid "Similar to --genconf, but only refreshes the given section"
+-msgstr "--genconf と似ていますが、任意のセクションのみをリフレッシュします"
+-
+-#: src/monitor/monitor.c:2362
++#: src/monitor/monitor.c:2464
+ msgid "Print version number and exit"
+ msgstr "バージョン番号を表示して終了する"
+ 
+-#: src/monitor/monitor.c:2538
++#: src/monitor/monitor.c:2630
+ msgid "SSSD is already running\n"
+ msgstr "SSSD はすでに実行中です\n"
+ 
+-#: src/providers/krb5/krb5_child.c:3219 src/providers/ldap/ldap_child.c:605
++#: src/providers/krb5/krb5_child.c:3229 src/providers/ldap/ldap_child.c:605
+ msgid "Debug level"
+ msgstr "デバッグレベル"
+ 
+-#: src/providers/krb5/krb5_child.c:3221 src/providers/ldap/ldap_child.c:607
++#: src/providers/krb5/krb5_child.c:3231 src/providers/ldap/ldap_child.c:607
+ msgid "Add debug timestamps"
+ msgstr "デバッグのタイムスタンプを追加する"
+ 
+-#: src/providers/krb5/krb5_child.c:3223 src/providers/ldap/ldap_child.c:609
++#: src/providers/krb5/krb5_child.c:3233 src/providers/ldap/ldap_child.c:609
+ msgid "Show timestamps with microseconds"
+ msgstr "タイムスタンプをミリ秒単位で表示する"
+ 
+-#: src/providers/krb5/krb5_child.c:3225 src/providers/ldap/ldap_child.c:611
++#: src/providers/krb5/krb5_child.c:3235 src/providers/ldap/ldap_child.c:611
+ msgid "An open file descriptor for the debug logs"
+ msgstr "デバッグログのオープンファイルディスクリプター"
+ 
+-#: src/providers/krb5/krb5_child.c:3228 src/providers/ldap/ldap_child.c:613
++#: src/providers/krb5/krb5_child.c:3238 src/providers/ldap/ldap_child.c:613
+ msgid "Send the debug output to stderr directly."
+ msgstr "デバッグ出力を stderr に直接送信します。"
+ 
+-#: src/providers/krb5/krb5_child.c:3231
++#: src/providers/krb5/krb5_child.c:3241
+ msgid "The user to create FAST ccache as"
+ msgstr "次のように FAST ccache を作成するユーザー"
+ 
+-#: src/providers/krb5/krb5_child.c:3233
++#: src/providers/krb5/krb5_child.c:3243
+ msgid "The group to create FAST ccache as"
+ msgstr "次のように FAST ccache を作成するグループ"
+ 
+-#: src/providers/krb5/krb5_child.c:3235
++#: src/providers/krb5/krb5_child.c:3245
+ msgid "Kerberos realm to use"
+ msgstr "使用する Kerberos レルム"
+ 
+-#: src/providers/krb5/krb5_child.c:3237
++#: src/providers/krb5/krb5_child.c:3247
+ msgid "Requested lifetime of the ticket"
+ msgstr "チケットの要求された有効期間"
+ 
+-#: src/providers/krb5/krb5_child.c:3239
++#: src/providers/krb5/krb5_child.c:3249
+ msgid "Requested renewable lifetime of the ticket"
+ msgstr "チケットの要求された更新可能な有効期間"
+ 
+-#: src/providers/krb5/krb5_child.c:3241
++#: src/providers/krb5/krb5_child.c:3251
+ msgid "FAST options ('never', 'try', 'demand')"
+ msgstr "FAST のオプション ('never'、'try'、'demand')"
+ 
+-#: src/providers/krb5/krb5_child.c:3244
++#: src/providers/krb5/krb5_child.c:3254
+ msgid "Specifies the server principal to use for FAST"
+ msgstr "FAST で使用するサーバープリンシパルを指定します"
+ 
+-#: src/providers/krb5/krb5_child.c:3246
++#: src/providers/krb5/krb5_child.c:3256
+ msgid "Requests canonicalization of the principal name"
+ msgstr "プリンシパル名の正規化を要求します"
+ 
+-#: src/providers/krb5/krb5_child.c:3248
++#: src/providers/krb5/krb5_child.c:3258
+ msgid "Use custom version of krb5_get_init_creds_password"
+ msgstr "krb5_get_init_creds_password のカスタムバージョンを使用します"
+ 
+-#: src/providers/data_provider_be.c:630
++#: src/providers/data_provider_be.c:582
+ msgid "Domain of the information provider (mandatory)"
+ msgstr "情報プロバイダーのドメイン (必須)"
+ 
+-#: src/sss_client/common.c:1067
++#: src/sss_client/common.c:1066
+ msgid "Privileged socket has wrong ownership or permissions."
+ msgstr "特権ソケットの所有者またはパーミッションが誤っています。"
+ 
+-#: src/sss_client/common.c:1070
++#: src/sss_client/common.c:1069
+ msgid "Public socket has wrong ownership or permissions."
+ msgstr "公開ソケットの所有者またはパーミッションが誤っています。"
+ 
+-#: src/sss_client/common.c:1073
++#: src/sss_client/common.c:1072
+ msgid "Unexpected format of the server credential message."
+ msgstr "サーバーのクレディンシャルメッセージの予期しない形式です。"
+ 
+-#: src/sss_client/common.c:1076
++#: src/sss_client/common.c:1075
+ msgid "SSSD is not run by root."
+ msgstr "SSSD は root により実行されません。"
+ 
+-#: src/sss_client/common.c:1081
++#: src/sss_client/common.c:1080
+ msgid "An error occurred, but no description can be found."
+ msgstr "エラーが発生しましたが、説明がありませんでした。"
+ 
+-#: src/sss_client/common.c:1087
++#: src/sss_client/common.c:1086
+ msgid "Unexpected error while looking for an error description"
+ msgstr "エラーの説明を検索中に予期しないエラーが発生しました"
+ 
+-#: src/sss_client/pam_sss.c:67
++#: src/sss_client/pam_sss.c:76
+ msgid "Permission denied. "
+ msgstr "パーミッションが拒否されました。"
+ 
+-#: src/sss_client/pam_sss.c:68 src/sss_client/pam_sss.c:774
+-#: src/sss_client/pam_sss.c:785
++#: src/sss_client/pam_sss.c:77 src/sss_client/pam_sss.c:785
++#: src/sss_client/pam_sss.c:796
+ msgid "Server message: "
+ msgstr "サーバーのメッセージ: "
+ 
+-#: src/sss_client/pam_sss.c:292
++#: src/sss_client/pam_sss.c:303
+ msgid "Passwords do not match"
+ msgstr "パスワードが一致しません"
+ 
+-#: src/sss_client/pam_sss.c:480
++#: src/sss_client/pam_sss.c:491
+ msgid "Password reset by root is not supported."
+ msgstr "root によるパスワードのリセットはサポートされません。"
+ 
+-#: src/sss_client/pam_sss.c:521
++#: src/sss_client/pam_sss.c:532
+ msgid "Authenticated with cached credentials"
+ msgstr "キャッシュされているクレディンシャルを用いて認証されました"
+ 
+-#: src/sss_client/pam_sss.c:522
++#: src/sss_client/pam_sss.c:533
+ msgid ", your cached password will expire at: "
+ msgstr "、キャッシュされたパスワードが失効します: "
+ 
+-#: src/sss_client/pam_sss.c:552
++#: src/sss_client/pam_sss.c:563
+ #, c-format
+ msgid "Your password has expired. You have %1$d grace login(s) remaining."
+ msgstr "パスワードの期限が切れています。あと %1$d 回ログインできます。"
+ 
+-#: src/sss_client/pam_sss.c:598
++#: src/sss_client/pam_sss.c:609
+ #, c-format
+ msgid "Your password will expire in %1$d %2$s."
+ msgstr "あなたのパスワードは %1$d %2$s に期限切れになります。"
+ 
+-#: src/sss_client/pam_sss.c:647
++#: src/sss_client/pam_sss.c:658
+ msgid "Authentication is denied until: "
+ msgstr "次まで認証が拒否されます: "
+ 
+-#: src/sss_client/pam_sss.c:668
++#: src/sss_client/pam_sss.c:679
+ msgid "System is offline, password change not possible"
+ msgstr "システムがオフラインです、パスワード変更ができません"
+ 
+-#: src/sss_client/pam_sss.c:683
++#: src/sss_client/pam_sss.c:694
+ msgid ""
+ "After changing the OTP password, you need to log out and back in order to "
+ "acquire a ticket"
+-msgstr "OTP パスワードの変更後、チケットを取得するためにログアウト後に再びログインする必要があります"
++msgstr ""
++"OTP パスワードの変更後、チケットを取得するためにログアウト後に再びログインす"
++"る必要があります"
+ 
+-#: src/sss_client/pam_sss.c:771 src/sss_client/pam_sss.c:784
++#: src/sss_client/pam_sss.c:782 src/sss_client/pam_sss.c:795
+ msgid "Password change failed. "
+ msgstr "パスワードの変更に失敗しました。 "
+ 
+-#: src/sss_client/pam_sss.c:1921
++#: src/sss_client/pam_sss.c:1972
+ msgid "New Password: "
+ msgstr "新しいパスワード: "
+ 
+-#: src/sss_client/pam_sss.c:1922
++#: src/sss_client/pam_sss.c:1973
+ msgid "Reenter new Password: "
+ msgstr "新しいパスワードの再入力: "
+ 
+-#: src/sss_client/pam_sss.c:2038 src/sss_client/pam_sss.c:2041
++#: src/sss_client/pam_sss.c:2130 src/sss_client/pam_sss.c:2133
+ msgid "First Factor: "
+ msgstr "1 番目の要素: "
+ 
+-#: src/sss_client/pam_sss.c:2039 src/sss_client/pam_sss.c:2201
++#: src/sss_client/pam_sss.c:2131 src/sss_client/pam_sss.c:2294
+ msgid "Second Factor (optional): "
+ msgstr "2 番目の要素 (オプション): "
+ 
+-#: src/sss_client/pam_sss.c:2042 src/sss_client/pam_sss.c:2204
++#: src/sss_client/pam_sss.c:2134 src/sss_client/pam_sss.c:2297
+ msgid "Second Factor: "
+ msgstr "2 番目の要素:  "
+ 
+-#: src/sss_client/pam_sss.c:2057
++#: src/sss_client/pam_sss.c:2149
+ msgid "Password: "
+ msgstr "パスワード: "
+ 
+-#: src/sss_client/pam_sss.c:2200 src/sss_client/pam_sss.c:2203
++#: src/sss_client/pam_sss.c:2293 src/sss_client/pam_sss.c:2296
+ msgid "First Factor (Current Password): "
+ msgstr "1 番目の要素 (現在のパスワード): "
+ 
+-#: src/sss_client/pam_sss.c:2207
++#: src/sss_client/pam_sss.c:2300
+ msgid "Current Password: "
+ msgstr "現在のパスワード: "
+ 
+-#: src/sss_client/pam_sss.c:2562
++#: src/sss_client/pam_sss.c:2628
+ msgid "Password expired. Change your password now."
+ msgstr "パスワードの期限が切れました。いますぐパスワードを変更してください。"
+ 
+@@ -1691,7 +1728,7 @@ msgstr "パスワードの期限が切れました。いますぐパスワード
+ #: src/tools/sss_groupadd.c:41 src/tools/sss_groupdel.c:44
+ #: src/tools/sss_groupmod.c:42 src/tools/sss_groupshow.c:668
+ #: src/tools/sss_userdel.c:134 src/tools/sss_usermod.c:47
+-#: src/tools/sss_cache.c:687
++#: src/tools/sss_cache.c:702
+ msgid "The debug level to run with"
+ msgstr "実行するデバッグレベル"
+ 
+@@ -1704,7 +1741,7 @@ msgstr "使用する SSSD ドメイン"
+ #: src/tools/sss_groupadd.c:59 src/tools/sss_groupdel.c:54
+ #: src/tools/sss_groupmod.c:66 src/tools/sss_groupshow.c:680
+ #: src/tools/sss_userdel.c:152 src/tools/sss_usermod.c:79
+-#: src/tools/sss_cache.c:733
++#: src/tools/sss_cache.c:748
+ msgid "Error setting the locale\n"
+ msgstr "ロケールの設定中にエラーが発生しました\n"
+ 
+@@ -1790,7 +1827,8 @@ msgstr "追加するユーザーを指定してください\n"
+ #: src/tools/sss_groupshow.c:714 src/tools/sss_userdel.c:198
+ #: src/tools/sss_usermod.c:162
+ msgid "Error initializing the tools - no local domain\n"
+-msgstr "ツールを初期化中にエラーが発生しました - ローカルドメインがありません\n"
++msgstr ""
++"ツールを初期化中にエラーが発生しました - ローカルドメインがありません\n"
+ 
+ #: src/tools/sss_useradd.c:123 src/tools/sss_groupadd.c:88
+ #: src/tools/sss_groupdel.c:82 src/tools/sss_groupmod.c:115
+@@ -1840,7 +1878,9 @@ msgstr "ユーザーに関する情報を取得できません\n"
+ 
+ #: src/tools/sss_useradd.c:236
+ msgid "User's home directory already exists, not copying data from skeldir\n"
+-msgstr "ユーザーのホームディレクトリーがすでに存在します、スケルトンディレクトリーからデータをコピーしません\n"
++msgstr ""
++"ユーザーのホームディレクトリーがすでに存在します、スケルトンディレクトリーか"
++"らデータをコピーしません\n"
+ 
+ #: src/tools/sss_useradd.c:239
+ #, c-format
+@@ -1903,13 +1943,16 @@ msgstr "グループ %1$s はドメインに対して定義された ID の範
+ #: src/tools/sss_usermod.c:289 src/tools/sss_usermod.c:296
+ #, c-format
+ msgid "NSS request failed (%1$d). Entry might remain in memory cache.\n"
+-msgstr "NSS リクエストに失敗しました (%1$d)。項目はメモリーキャッシュに残されます。\n"
++msgstr ""
++"NSS リクエストに失敗しました (%1$d)。項目はメモリーキャッシュに残されます。\n"
+ 
+ #: src/tools/sss_groupdel.c:132
+ msgid ""
+-"No such group in local domain. Removing groups only allowed in local domain."
+-"\n"
+-msgstr "そのようなグループはローカルドメインにありません。グループの削除はローカルドメインにおいてのみ許可されます。\n"
++"No such group in local domain. Removing groups only allowed in local "
++"domain.\n"
++msgstr ""
++"そのようなグループはローカルドメインにありません。グループの削除はローカルド"
++"メインにおいてのみ許可されます。\n"
+ 
+ #: src/tools/sss_groupdel.c:137
+ msgid "Internal error. Could not remove group.\n"
+@@ -1935,7 +1978,9 @@ msgstr "変更するグループを指定してください\n"
+ msgid ""
+ "Cannot find group in local domain, modifying groups is allowed only in local "
+ "domain\n"
+-msgstr "ローカルドメインにグループが見つかりませんでした。グループの変更はローカルドメインにおいてのみ許可されます\n"
++msgstr ""
++"ローカルドメインにグループが見つかりませんでした。グループの変更はローカルド"
++"メインにおいてのみ許可されます\n"
+ 
+ #: src/tools/sss_groupmod.c:153 src/tools/sss_groupmod.c:182
+ msgid "Member groups must be in the same domain as parent group\n"
+@@ -1947,15 +1992,20 @@ msgstr "メンバーグループが親グループと同じドメインにある
+ msgid ""
+ "Cannot find group %1$s in local domain, only groups in local domain are "
+ "allowed\n"
+-msgstr "ローカルドメインにグループ %1$s が見つかりません。ローカルドメインにあるグループのみが許可されます\n"
++msgstr ""
++"ローカルドメインにグループ %1$s が見つかりません。ローカルドメインにあるグ"
++"ループのみが許可されます\n"
+ 
+ #: src/tools/sss_groupmod.c:257
+ msgid "Could not modify group - check if member group names are correct\n"
+-msgstr "グループを変更できませんでした - メンバーグループ名が正しいかを確認してください\n"
++msgstr ""
++"グループを変更できませんでした - メンバーグループ名が正しいかを確認してくださ"
++"い\n"
+ 
+ #: src/tools/sss_groupmod.c:261
+ msgid "Could not modify group - check if groupname is correct\n"
+-msgstr "グループを変更できませんでした - グループ名が正しいかを確認してください\n"
++msgstr ""
++"グループを変更できませんでした - グループ名が正しいかを確認してください\n"
+ 
+ #: src/tools/sss_groupmod.c:265
+ msgid "Transaction error. Could not modify group.\n"
+@@ -1982,16 +2032,20 @@ msgstr "%1$s メンバーユーザー: "
+ 
+ #: src/tools/sss_groupshow.c:627
+ #, c-format
+-msgid "\n"
++msgid ""
++"\n"
+ "%1$sIs a member of: "
+-msgstr "\n"
++msgstr ""
++"\n"
+ "%1$s は次のメンバー: "
+ 
+ #: src/tools/sss_groupshow.c:634
+ #, c-format
+-msgid "\n"
++msgid ""
++"\n"
+ "%1$sMember groups: "
+-msgstr "\n"
++msgstr ""
++"\n"
+ "%1$s メンバーグループ: "
+ 
+ #: src/tools/sss_groupshow.c:670
+@@ -2004,9 +2058,11 @@ msgstr "表示するグループを指定してください\n"
+ 
+ #: src/tools/sss_groupshow.c:744
+ msgid ""
+-"No such group in local domain. Printing groups only allowed in local domain."
+-"\n"
+-msgstr "そのようなグループはローカルドメインにありません。グループの表示はローカルドメインにおいてのみ許可されます。\n"
++"No such group in local domain. Printing groups only allowed in local "
++"domain.\n"
++msgstr ""
++"そのようなグループはローカルドメインにありません。グループの表示はローカルド"
++"メインにおいてのみ許可されます。\n"
+ 
+ #: src/tools/sss_groupshow.c:749
+ msgid "Internal error. Could not print group.\n"
+@@ -2044,11 +2100,13 @@ msgstr "SELinux ログインコンテキストをリセットできません\n"
+ #: src/tools/sss_userdel.c:271
+ #, c-format
+ msgid "WARNING: The user (uid %1$lu) was still logged in when deleted.\n"
+-msgstr "警告: ユーザー (uid %1$lu) が削除されたときにまだログインしていました。\n"
++msgstr ""
++"警告: ユーザー (uid %1$lu) が削除されたときにまだログインしていました。\n"
+ 
+ #: src/tools/sss_userdel.c:276
+ msgid "Cannot determine if the user was logged in on this platform"
+-msgstr "ユーザーがこのプラットフォームにログインしていたかを確認できませんでした"
++msgstr ""
++"ユーザーがこのプラットフォームにログインしていたかを確認できませんでした"
+ 
+ #: src/tools/sss_userdel.c:281
+ msgid "Error while checking if the user was logged in\n"
+@@ -2061,7 +2119,8 @@ msgstr "削除後コマンドの実行に失敗しました: %1$s\n"
+ 
+ #: src/tools/sss_userdel.c:308
+ msgid "Not removing home dir - not owned by user\n"
+-msgstr "ホームディレクトリーを削除していません - ユーザーにより所有されていません\n"
++msgstr ""
++"ホームディレクトリーを削除していません - ユーザーにより所有されていません\n"
+ 
+ #: src/tools/sss_userdel.c:310
+ #, c-format
+@@ -2071,7 +2130,9 @@ msgstr "ホームディレクトリーを削除できません: %1$s\n"
+ #: src/tools/sss_userdel.c:324
+ msgid ""
+ "No such user in local domain. Removing users only allowed in local domain.\n"
+-msgstr "そのようなユーザーはローカルドメインにいません。ユーザーの削除はローカルドメインにおいてのみ許可されます。\n"
++msgstr ""
++"そのようなユーザーはローカルドメインにいません。ユーザーの削除はローカルドメ"
++"インにおいてのみ許可されます。\n"
+ 
+ #: src/tools/sss_userdel.c:329
+ msgid "Internal error. Could not remove user.\n"
+@@ -2110,7 +2171,8 @@ msgid ""
+ "Set an attribute to a name/value pair. The format is attrname=value. For "
+ "multi-valued attributes, the command replaces the values already present"
+ msgstr ""
+-"名前/値のペアに属性を指定します。形式は attrname=value です。複数の値を持つ属性の場合、コマンドがすでに存在する値に置き換えられます。"
++"名前/値のペアに属性を指定します。形式は attrname=value です。複数の値を持つ属"
++"性の場合、コマンドがすでに存在する値に置き換えられます。"
+ 
+ #: src/tools/sss_usermod.c:117 src/tools/sss_usermod.c:126
+ #: src/tools/sss_usermod.c:135
+@@ -2125,15 +2187,19 @@ msgstr "変更するユーザーを指定してください\n"
+ msgid ""
+ "Cannot find user in local domain, modifying users is allowed only in local "
+ "domain\n"
+-msgstr "ローカルドメインにユーザーを見つけられません。ユーザーの変更はローカルドメインにおいてのみ許可されます。\n"
++msgstr ""
++"ローカルドメインにユーザーを見つけられません。ユーザーの変更はローカルドメイ"
++"ンにおいてのみ許可されます。\n"
+ 
+ #: src/tools/sss_usermod.c:322
+ msgid "Could not modify user - check if group names are correct\n"
+-msgstr "ユーザーを変更できませんでした - グループ名が正しいかを確認してください\n"
++msgstr ""
++"ユーザーを変更できませんでした - グループ名が正しいかを確認してください\n"
+ 
+ #: src/tools/sss_usermod.c:326
+ msgid "Could not modify user - user already member of groups?\n"
+-msgstr "ユーザーを変更できませんでした - ユーザーはすでにグループのメンバーですか?\n"
++msgstr ""
++"ユーザーを変更できませんでした - ユーザーはすでにグループのメンバーですか?\n"
+ 
+ #: src/tools/sss_usermod.c:330
+ msgid "Transaction error. Could not modify user.\n"
+@@ -2153,97 +2219,100 @@ msgstr "%1$s を無効化できませんでした\n"
+ msgid "Couldn't invalidate %1$s %2$s\n"
+ msgstr "%1$s %2$s を無効化できませんでした\n"
+ 
+-#: src/tools/sss_cache.c:689
++#: src/tools/sss_cache.c:704
+ msgid "Invalidate all cached entries"
+ msgstr "すべてのキャッシュエントリーを無効化します"
+ 
+-#: src/tools/sss_cache.c:691
++#: src/tools/sss_cache.c:706
+ msgid "Invalidate particular user"
+ msgstr "特定のユーザーを無効にする"
+ 
+-#: src/tools/sss_cache.c:693
++#: src/tools/sss_cache.c:708
+ msgid "Invalidate all users"
+ msgstr "すべてのユーザーを無効にする"
+ 
+-#: src/tools/sss_cache.c:695
++#: src/tools/sss_cache.c:710
+ msgid "Invalidate particular group"
+ msgstr "特定のグループを無効にする"
+ 
+-#: src/tools/sss_cache.c:697
++#: src/tools/sss_cache.c:712
+ msgid "Invalidate all groups"
+ msgstr "すべてのグループを無効にする"
+ 
+-#: src/tools/sss_cache.c:699
++#: src/tools/sss_cache.c:714
+ msgid "Invalidate particular netgroup"
+ msgstr "特定のネットワークグループを無効にする"
+ 
+-#: src/tools/sss_cache.c:701
++#: src/tools/sss_cache.c:716
+ msgid "Invalidate all netgroups"
+ msgstr "すべてのネットワークグループを無効にする"
+ 
+-#: src/tools/sss_cache.c:703
++#: src/tools/sss_cache.c:718
+ msgid "Invalidate particular service"
+ msgstr "特定のサービスの無効化"
+ 
+-#: src/tools/sss_cache.c:705
++#: src/tools/sss_cache.c:720
+ msgid "Invalidate all services"
+ msgstr "すべてのサービスの無効化"
+ 
+-#: src/tools/sss_cache.c:708
++#: src/tools/sss_cache.c:723
+ msgid "Invalidate particular autofs map"
+ msgstr "特定の autofs マップの無効化"
+ 
+-#: src/tools/sss_cache.c:710
++#: src/tools/sss_cache.c:725
+ msgid "Invalidate all autofs maps"
+ msgstr "すべての autofs マップの無効化"
+ 
+-#: src/tools/sss_cache.c:714
++#: src/tools/sss_cache.c:729
+ msgid "Invalidate particular SSH host"
+ msgstr "特定の SSH ホストを無効化します"
+ 
+-#: src/tools/sss_cache.c:716
++#: src/tools/sss_cache.c:731
+ msgid "Invalidate all SSH hosts"
+ msgstr "すべての SSH ホストを無効化します"
+ 
+-#: src/tools/sss_cache.c:720
++#: src/tools/sss_cache.c:735
+ msgid "Invalidate particular sudo rule"
+ msgstr "特定の sudo ルールを無効化します"
+ 
+-#: src/tools/sss_cache.c:722
++#: src/tools/sss_cache.c:737
+ msgid "Invalidate all cached sudo rules"
+ msgstr "すべてのキャッシュ sudo ルールを無効化します"
+ 
+-#: src/tools/sss_cache.c:725
++#: src/tools/sss_cache.c:740
+ msgid "Only invalidate entries from a particular domain"
+ msgstr "特定のドメインのみからエントリーを無効にする"
+ 
+-#: src/tools/sss_cache.c:779
++#: src/tools/sss_cache.c:794
+ msgid ""
+ "Unexpected argument(s) provided, options that invalidate a single object "
+ "only accept a single provided argument.\n"
+-msgstr "予期しない引数が提供される場合、1 つのオブジェクトを無効化するオプションは、提供された引数を 1 つだけ受け取ります。\n"
++msgstr ""
++"予期しない引数が提供される場合、1 つのオブジェクトを無効化するオプションは、"
++"提供された引数を 1 つだけ受け取ります。\n"
+ 
+-#: src/tools/sss_cache.c:789
++#: src/tools/sss_cache.c:804
+ msgid "Please select at least one object to invalidate\n"
+ msgstr "無効化するオブジェクトを少なくとも一つ選択してください\n"
+ 
+-#: src/tools/sss_cache.c:872
++#: src/tools/sss_cache.c:887
+ #, c-format
+ msgid ""
+ "Could not open domain %1$s. If the domain is a subdomain (trusted domain), "
+ "use fully qualified name instead of --domain/-d parameter.\n"
+ msgstr ""
+-"ドメイン %1$s を開けませんでした。ドメインがサブドメイン (信頼済みドメイン) であれば、--domain/-d "
+-"パラメーターの代わりに完全修飾名を使用してください。\n"
++"ドメイン %1$s を開けませんでした。ドメインがサブドメイン (信頼済みドメイン) "
++"であれば、--domain/-d パラメーターの代わりに完全修飾名を使用してください。\n"
+ 
+-#: src/tools/sss_cache.c:877
++#: src/tools/sss_cache.c:892
+ msgid "Could not open available domains\n"
+ msgstr "利用可能なドメインを開けませんでした\n"
+ 
+ #: src/tools/tools_util.c:202
+ #, c-format
+ msgid "Name '%1$s' does not seem to be FQDN ('%2$s = TRUE' is set)\n"
+-msgstr "名前 '%1$s' が FQDN であるように見えません ('%2$s = TRUE' が設定されます)\n"
++msgstr ""
++"名前 '%1$s' が FQDN であるように見えません ('%2$s = TRUE' が設定されます)\n"
+ 
+ #: src/tools/tools_util.c:309
+ msgid "Out of memory\n"
+@@ -2278,7 +2347,8 @@ msgstr "ユーザーインプットの読み込みができませんでした\n"
+ #: src/tools/sssctl/sssctl.c:91
+ #, c-format
+ msgid "Invalid input, please provide either '%s' or '%s'.\n"
+-msgstr "無効なインプットです。'%s' または '%s' のいずれかを提供してください。\n"
++msgstr ""
++"無効なインプットです。'%s' または '%s' のいずれかを提供してください。\n"
+ 
+ #: src/tools/sssctl/sssctl.c:109 src/tools/sssctl/sssctl.c:114
+ #, c-format
+@@ -2322,38 +2392,38 @@ msgstr "キャッシュエントリーの期限切れ時間"
+ msgid "Cached in InfoPipe"
+ msgstr "InfoPipe にキャッシュ"
+ 
+-#: src/tools/sssctl/sssctl_cache.c:522
++#: src/tools/sssctl/sssctl_cache.c:512
+ #, c-format
+ msgid "Error: Unable to get object [%d]: %s\n"
+ msgstr "エラー: オブジェクト [%d] を取得できません: %s\n"
+ 
+-#: src/tools/sssctl/sssctl_cache.c:538
++#: src/tools/sssctl/sssctl_cache.c:528
+ #, c-format
+ msgid "%s: Unable to read value [%d]: %s\n"
+ msgstr "%s: 値 [%d] の読み込みができません: %s\n"
+ 
+-#: src/tools/sssctl/sssctl_cache.c:566
++#: src/tools/sssctl/sssctl_cache.c:556
+ msgid "Specify name."
+ msgstr "名前を指定します。"
+ 
+-#: src/tools/sssctl/sssctl_cache.c:576
++#: src/tools/sssctl/sssctl_cache.c:566
+ #, c-format
+ msgid "Unable to parse name %s.\n"
+ msgstr "名前 %s を構文解析できません。\n"
+ 
+-#: src/tools/sssctl/sssctl_cache.c:602 src/tools/sssctl/sssctl_cache.c:649
++#: src/tools/sssctl/sssctl_cache.c:592 src/tools/sssctl/sssctl_cache.c:639
+ msgid "Search by SID"
+ msgstr "SID で検索"
+ 
+-#: src/tools/sssctl/sssctl_cache.c:603
++#: src/tools/sssctl/sssctl_cache.c:593
+ msgid "Search by user ID"
+ msgstr "ユーザーID で検索"
+ 
+-#: src/tools/sssctl/sssctl_cache.c:612
++#: src/tools/sssctl/sssctl_cache.c:602
+ msgid "Initgroups expiration time"
+ msgstr "Initgroups の期限切れ時間"
+ 
+-#: src/tools/sssctl/sssctl_cache.c:650
++#: src/tools/sssctl/sssctl_cache.c:640
+ msgid "Search by group ID"
+ msgstr "グループ ID で検索"
+ 
+@@ -2362,13 +2432,17 @@ msgstr "グループ ID で検索"
+ msgid ""
+ "File %1$s does not exist. SSSD will use default configuration with files "
+ "provider.\n"
+-msgstr "ファイル %1$s は存在しません。SSSD は、ファイルプロバイダーでデフォルトの設定を使用します。\n"
++msgstr ""
++"ファイル %1$s は存在しません。SSSD は、ファイルプロバイダーでデフォルトの設定"
++"を使用します。\n"
+ 
+ #: src/tools/sssctl/sssctl_config.c:81
+ #, c-format
+ msgid ""
+ "File ownership and permissions check failed. Expected root:root and 0600.\n"
+-msgstr "ファイルの所有権とパーミッションの確認に失敗しました。予期される root:root および 0600。\n"
++msgstr ""
++"ファイルの所有権とパーミッションの確認に失敗しました。予期される root:root お"
++"よび 0600。\n"
+ 
+ #: src/tools/sssctl/sssctl_config.c:104
+ #, c-format
+@@ -2392,7 +2466,8 @@ msgstr "バックアップディレクトリー [%d] の作成に失敗: %s"
+ 
+ #: src/tools/sssctl/sssctl_data.c:95
+ msgid "SSSD backup of local data already exists, override?"
+-msgstr "ローカルデータの SSSD バックアップはすでに存在しますが、上書きしますか?"
++msgstr ""
++"ローカルデータの SSSD バックアップはすでに存在しますが、上書きしますか?"
+ 
+ #: src/tools/sssctl/sssctl_data.c:111
+ #, c-format
+@@ -2418,8 +2493,8 @@ msgstr "ユーザーの上書きをインポートできません\n"
+ msgid "Unable to import group overrides\n"
+ msgstr "グループの上書きをインポートできません\n"
+ 
+-#: src/tools/sssctl/sssctl_data.c:194 src/tools/sssctl/sssctl_domains.c:82
+-#: src/tools/sssctl/sssctl_domains.c:315
++#: src/tools/sssctl/sssctl_data.c:194 src/tools/sssctl/sssctl_domains.c:74
++#: src/tools/sssctl/sssctl_domains.c:339
+ msgid "Start SSSD if it is not running"
+ msgstr "実行中でない場合、SSSD を開始します"
+ 
+@@ -2447,7 +2522,9 @@ msgstr "ローカルデータのバックアップを作成中...\n"
+ #: src/tools/sssctl/sssctl_data.c:238
+ #, c-format
+ msgid "Unable to create backup of local data, can not remove the cache.\n"
+-msgstr "ローカルデータのバックアップの作成ができません。キャッシュを削除できません。\n"
++msgstr ""
++"ローカルデータのバックアップの作成ができません。キャッシュを削除できませ"
++"ん。\n"
+ 
+ #: src/tools/sssctl/sssctl_data.c:243
+ #, c-format
+@@ -2464,74 +2541,69 @@ msgstr "キャッシュファイルを削除できません\n"
+ msgid "Restoring local data...\n"
+ msgstr "ローカルデータの復元中...\n"
+ 
+-#: src/tools/sssctl/sssctl_domains.c:83
++#: src/tools/sssctl/sssctl_domains.c:75
+ msgid "Show domain list including primary or trusted domain type"
+-msgstr "プライマリーまたは信頼されたドメインタイプを含むドメインリストを表示します"
+-
+-#: src/tools/sssctl/sssctl_domains.c:105 src/tools/sssctl/sssctl_domains.c:354
+-#: src/tools/sssctl/sssctl_user_checks.c:95
+-#, c-format
+-msgid "Unable to connect to system bus!\n"
+-msgstr "システムバスに接続できません!\n"
++msgstr ""
++"プライマリーまたは信頼されたドメインタイプを含むドメインリストを表示します"
+ 
+-#: src/tools/sssctl/sssctl_domains.c:167
++#: src/tools/sssctl/sssctl_domains.c:156
+ #, c-format
+ msgid "Online status: %s\n"
+ msgstr "オンライン状態: %s\n"
+ 
+-#: src/tools/sssctl/sssctl_domains.c:167
++#: src/tools/sssctl/sssctl_domains.c:156
+ msgid "Online"
+ msgstr "オンライン"
+ 
+-#: src/tools/sssctl/sssctl_domains.c:167
++#: src/tools/sssctl/sssctl_domains.c:156
+ msgid "Offline"
+ msgstr "オフライン"
+ 
+-#: src/tools/sssctl/sssctl_domains.c:212
++#: src/tools/sssctl/sssctl_domains.c:214
+ #, c-format
+ msgid "Active servers:\n"
+ msgstr "アクティブサーバー:\n"
+ 
+-#: src/tools/sssctl/sssctl_domains.c:223
++#: src/tools/sssctl/sssctl_domains.c:231
+ msgid "not connected"
+ msgstr "接続していません"
+ 
+-#: src/tools/sssctl/sssctl_domains.c:260
++#: src/tools/sssctl/sssctl_domains.c:278
+ #, c-format
+ msgid "Discovered %s servers:\n"
+ msgstr "%s サーバーを発見:\n"
+ 
+-#: src/tools/sssctl/sssctl_domains.c:272
++#: src/tools/sssctl/sssctl_domains.c:296
+ msgid "None so far.\n"
+ msgstr "今のところありません。\n"
+ 
+-#: src/tools/sssctl/sssctl_domains.c:312
++#: src/tools/sssctl/sssctl_domains.c:336
+ msgid "Show online status"
+ msgstr "オンライン状態を表示"
+ 
+-#: src/tools/sssctl/sssctl_domains.c:313
++#: src/tools/sssctl/sssctl_domains.c:337
+ msgid "Show information about active server"
+ msgstr "アクティブサーバーに関する情報の表示"
+ 
+-#: src/tools/sssctl/sssctl_domains.c:314
++#: src/tools/sssctl/sssctl_domains.c:338
+ msgid "Show list of discovered servers"
+ msgstr "発見されたサーバーに関する一覧を表示"
+ 
+-#: src/tools/sssctl/sssctl_domains.c:320
++#: src/tools/sssctl/sssctl_domains.c:344
+ msgid "Specify domain name."
+ msgstr "ドメイン名を指定します。"
+ 
+-#: src/tools/sssctl/sssctl_domains.c:342
++#: src/tools/sssctl/sssctl_domains.c:360
+ #, c-format
+ msgid "Out of memory!\n"
+ msgstr "メモリの空き容量がありません。\n"
+ 
+-#: src/tools/sssctl/sssctl_domains.c:362 src/tools/sssctl/sssctl_domains.c:372
++#: src/tools/sssctl/sssctl_domains.c:377 src/tools/sssctl/sssctl_domains.c:387
+ #, c-format
+ msgid "Unable to get online status\n"
+ msgstr "オンライン状態を取得できません\n"
+ 
+-#: src/tools/sssctl/sssctl_domains.c:382
++#: src/tools/sssctl/sssctl_domains.c:397
+ #, c-format
+ msgid "Unable to get server list\n"
+ msgstr "サーバー一覧を取得できません\n"
+@@ -2583,220 +2655,276 @@ msgstr "ログファイルのアーカイブができません\n"
+ msgid "Specify debug level you want to set"
+ msgstr "設定したいデバッグレベルを指定します"
+ 
+-#: src/tools/sssctl/sssctl_user_checks.c:117
++#: src/tools/sssctl/sssctl_sifp.c:28
++msgid ""
++"Check that SSSD is running and the InfoPipe responder is enabled. Make sure "
++"'ifp' is listed in the 'services' option in sssd.conf.\n"
++msgstr ""
++
++#: src/tools/sssctl/sssctl_user_checks.c:91
++#, fuzzy, c-format
++msgid "Unable to connect to the InfoPipe"
++msgstr "システムバスに接続できません!\n"
++
++#: src/tools/sssctl/sssctl_user_checks.c:97
++#, fuzzy, c-format
++msgid "Unable to get user object"
++msgstr "サーバー一覧を取得できません\n"
++
++#: src/tools/sssctl/sssctl_user_checks.c:101
+ #, c-format
+ msgid "SSSD InfoPipe user lookup result:\n"
+ msgstr "SSSD InfoPipe ユーザー検索の結果:\n"
+ 
+-#: src/tools/sssctl/sssctl_user_checks.c:167
++#: src/tools/sssctl/sssctl_user_checks.c:113
++#, fuzzy, c-format
++msgid "Unable to get user name attr"
++msgstr "サーバー一覧を取得できません\n"
++
++#: src/tools/sssctl/sssctl_user_checks.c:146
+ #, c-format
+ msgid "dlopen failed with [%s].\n"
+ msgstr "dlopen は [%s] で失敗しました。\n"
+ 
+-#: src/tools/sssctl/sssctl_user_checks.c:174
++#: src/tools/sssctl/sssctl_user_checks.c:153
+ #, c-format
+ msgid "dlsym failed with [%s].\n"
+ msgstr "dlsym は [%s] で失敗しました。\n"
+ 
+-#: src/tools/sssctl/sssctl_user_checks.c:182
++#: src/tools/sssctl/sssctl_user_checks.c:161
+ #, c-format
+ msgid "malloc failed.\n"
+ msgstr "malloc は失敗しました。\n"
+ 
+-#: src/tools/sssctl/sssctl_user_checks.c:189
++#: src/tools/sssctl/sssctl_user_checks.c:168
+ #, c-format
+ msgid "sss_getpwnam_r failed with [%d].\n"
+ msgstr "sss_getpwnam_r が [%d] で失敗しました。\n"
+ 
+-#: src/tools/sssctl/sssctl_user_checks.c:194
++#: src/tools/sssctl/sssctl_user_checks.c:173
+ #, c-format
+ msgid "SSSD nss user lookup result:\n"
+ msgstr "SSSD nss ユーザー検索の結果:\n"
+ 
+-#: src/tools/sssctl/sssctl_user_checks.c:195
++#: src/tools/sssctl/sssctl_user_checks.c:174
+ #, c-format
+ msgid " - user name: %s\n"
+ msgstr " - user name: %s\n"
+ 
+-#: src/tools/sssctl/sssctl_user_checks.c:196
++#: src/tools/sssctl/sssctl_user_checks.c:175
+ #, c-format
+ msgid " - user id: %d\n"
+ msgstr " - user id: %d\n"
+ 
+-#: src/tools/sssctl/sssctl_user_checks.c:197
++#: src/tools/sssctl/sssctl_user_checks.c:176
+ #, c-format
+ msgid " - group id: %d\n"
+ msgstr " - group id: %d\n"
+ 
+-#: src/tools/sssctl/sssctl_user_checks.c:198
++#: src/tools/sssctl/sssctl_user_checks.c:177
+ #, c-format
+ msgid " - gecos: %s\n"
+ msgstr " - gecos: %s\n"
+ 
+-#: src/tools/sssctl/sssctl_user_checks.c:199
++#: src/tools/sssctl/sssctl_user_checks.c:178
+ #, c-format
+ msgid " - home directory: %s\n"
+ msgstr " - home directory: %s\n"
+ 
+-#: src/tools/sssctl/sssctl_user_checks.c:200
++#: src/tools/sssctl/sssctl_user_checks.c:179
+ #, c-format
+-msgid " - shell: %s\n"
++msgid ""
++" - shell: %s\n"
+ "\n"
+-msgstr " - shell: %s\n"
++msgstr ""
++" - shell: %s\n"
+ "\n"
+ 
+-#: src/tools/sssctl/sssctl_user_checks.c:232
++#: src/tools/sssctl/sssctl_user_checks.c:211
+ msgid "PAM action [auth|acct|setc|chau|open|clos], default: "
+ msgstr "PAM アクション [auth|acct|setc|chau|open|clos]、デフォルト: "
+ 
+-#: src/tools/sssctl/sssctl_user_checks.c:235
++#: src/tools/sssctl/sssctl_user_checks.c:214
+ msgid "PAM service, default: "
+ msgstr "PAM サービス、デフォルト: "
+ 
+-#: src/tools/sssctl/sssctl_user_checks.c:240
++#: src/tools/sssctl/sssctl_user_checks.c:219
+ msgid "Specify user name."
+ msgstr "ユーザー名を指定します。"
+ 
+-#: src/tools/sssctl/sssctl_user_checks.c:247
++#: src/tools/sssctl/sssctl_user_checks.c:226
+ #, c-format
+-msgid "user: %s\n"
++msgid ""
++"user: %s\n"
+ "action: %s\n"
+ "service: %s\n"
+ "\n"
+-msgstr "ユーザー: %s\n"
++msgstr ""
++"ユーザー: %s\n"
+ "アクション: %s\n"
+ "サービス: %s\n"
+ "\n"
+ 
+-#: src/tools/sssctl/sssctl_user_checks.c:253
++#: src/tools/sssctl/sssctl_user_checks.c:232
+ #, c-format
+ msgid "User name lookup with [%s] failed.\n"
+ msgstr "[%s] でのユーザー名の検索に失敗しました。\n"
+ 
+-#: src/tools/sssctl/sssctl_user_checks.c:258
++#: src/tools/sssctl/sssctl_user_checks.c:237
+ #, c-format
+ msgid "InfoPipe User lookup with [%s] failed.\n"
+ msgstr "[%s] での InfoPipe ユーザーの検索に失敗しました。\n"
+ 
+-#: src/tools/sssctl/sssctl_user_checks.c:265
++#: src/tools/sssctl/sssctl_user_checks.c:244
+ #, c-format
+ msgid "pam_start failed: %s\n"
+ msgstr "pam_start に失敗しました: %s\n"
+ 
+-#: src/tools/sssctl/sssctl_user_checks.c:270
++#: src/tools/sssctl/sssctl_user_checks.c:249
+ #, c-format
+-msgid "testing pam_authenticate\n"
++msgid ""
++"testing pam_authenticate\n"
+ "\n"
+-msgstr "pam_authenticate のテスト中\n"
++msgstr ""
++"pam_authenticate のテスト中\n"
+ "\n"
+ 
+-#: src/tools/sssctl/sssctl_user_checks.c:274
++#: src/tools/sssctl/sssctl_user_checks.c:253
+ #, c-format
+ msgid "pam_get_item failed: %s\n"
+ msgstr "pam_get_item に失敗しました: %s\n"
+ 
+-#: src/tools/sssctl/sssctl_user_checks.c:278
++#: src/tools/sssctl/sssctl_user_checks.c:257
+ #, c-format
+-msgid "pam_authenticate for user [%s]: %s\n"
++msgid ""
++"pam_authenticate for user [%s]: %s\n"
+ "\n"
+-msgstr "ユーザー [%s] 向けの pam_authenticate: %s\n"
++msgstr ""
++"ユーザー [%s] 向けの pam_authenticate: %s\n"
+ "\n"
+ 
+-#: src/tools/sssctl/sssctl_user_checks.c:281
++#: src/tools/sssctl/sssctl_user_checks.c:260
+ #, c-format
+-msgid "testing pam_chauthtok\n"
++msgid ""
++"testing pam_chauthtok\n"
+ "\n"
+-msgstr "pam_chauthtok のテスト中\n"
++msgstr ""
++"pam_chauthtok のテスト中\n"
+ "\n"
+ 
+-#: src/tools/sssctl/sssctl_user_checks.c:283
++#: src/tools/sssctl/sssctl_user_checks.c:262
+ #, c-format
+-msgid "pam_chauthtok: %s\n"
++msgid ""
++"pam_chauthtok: %s\n"
+ "\n"
+-msgstr "pam_chauthtok: %s\n"
++msgstr ""
++"pam_chauthtok: %s\n"
+ "\n"
+ 
+-#: src/tools/sssctl/sssctl_user_checks.c:285
++#: src/tools/sssctl/sssctl_user_checks.c:264
+ #, c-format
+-msgid "testing pam_acct_mgmt\n"
++msgid ""
++"testing pam_acct_mgmt\n"
+ "\n"
+ msgstr "pam_acct_mgmt のテスト中\n"
+ 
+-#: src/tools/sssctl/sssctl_user_checks.c:287
++#: src/tools/sssctl/sssctl_user_checks.c:266
+ #, c-format
+-msgid "pam_acct_mgmt: %s\n"
++msgid ""
++"pam_acct_mgmt: %s\n"
+ "\n"
+-msgstr "pam_acct_mgmt: %s\n"
++msgstr ""
++"pam_acct_mgmt: %s\n"
+ "\n"
+ 
+-#: src/tools/sssctl/sssctl_user_checks.c:289
++#: src/tools/sssctl/sssctl_user_checks.c:268
+ #, c-format
+-msgid "testing pam_setcred\n"
++msgid ""
++"testing pam_setcred\n"
+ "\n"
+-msgstr "pam_setcred のテスト中\n"
++msgstr ""
++"pam_setcred のテスト中\n"
+ "\n"
+ 
+-#: src/tools/sssctl/sssctl_user_checks.c:291
++#: src/tools/sssctl/sssctl_user_checks.c:270
+ #, c-format
+-msgid "pam_setcred: [%s]\n"
++msgid ""
++"pam_setcred: [%s]\n"
+ "\n"
+-msgstr "pam_setcred: [%s]\n"
++msgstr ""
++"pam_setcred: [%s]\n"
+ "\n"
+ 
+-#: src/tools/sssctl/sssctl_user_checks.c:293
++#: src/tools/sssctl/sssctl_user_checks.c:272
+ #, c-format
+-msgid "testing pam_open_session\n"
++msgid ""
++"testing pam_open_session\n"
+ "\n"
+ msgstr "pam_open_session のテスト中\n"
+ 
+-#: src/tools/sssctl/sssctl_user_checks.c:295
++#: src/tools/sssctl/sssctl_user_checks.c:274
+ #, c-format
+-msgid "pam_open_session: %s\n"
++msgid ""
++"pam_open_session: %s\n"
+ "\n"
+-msgstr "pam_open_session: %s\n"
++msgstr ""
++"pam_open_session: %s\n"
+ "\n"
+ 
+-#: src/tools/sssctl/sssctl_user_checks.c:297
++#: src/tools/sssctl/sssctl_user_checks.c:276
+ #, c-format
+-msgid "testing pam_close_session\n"
++msgid ""
++"testing pam_close_session\n"
+ "\n"
+ msgstr "pam_close_session のテスト中\n"
+ 
+-#: src/tools/sssctl/sssctl_user_checks.c:299
++#: src/tools/sssctl/sssctl_user_checks.c:278
+ #, c-format
+-msgid "pam_close_session: %s\n"
++msgid ""
++"pam_close_session: %s\n"
+ "\n"
+-msgstr "pam_close_session: %s\n"
++msgstr ""
++"pam_close_session: %s\n"
+ "\n"
+ 
+-#: src/tools/sssctl/sssctl_user_checks.c:302
++#: src/tools/sssctl/sssctl_user_checks.c:281
+ #, c-format
+ msgid "unknown action\n"
+ msgstr "不明なアクション\n"
+ 
+-#: src/tools/sssctl/sssctl_user_checks.c:305
++#: src/tools/sssctl/sssctl_user_checks.c:284
+ #, c-format
+ msgid "PAM Environment:\n"
+ msgstr "PAM 環境:\n"
+ 
+-#: src/tools/sssctl/sssctl_user_checks.c:313
++#: src/tools/sssctl/sssctl_user_checks.c:292
+ #, c-format
+ msgid " - no env -\n"
+ msgstr " - no env -\n"
+ 
+-#: src/util/util.h:73
++#: src/util/util.h:83
+ msgid "The user ID to run the server as"
+ msgstr "次のようにサーバーを実行するユーザー ID"
+ 
+-#: src/util/util.h:75
++#: src/util/util.h:85
+ msgid "The group ID to run the server as"
+ msgstr "次のようにサーバーを実行するグループ ID"
+ 
+-#: src/util/util.h:83
++#: src/util/util.h:93
+ msgid "Informs that the responder has been socket-activated"
+ msgstr "レスポンダーがソケットでアクティベートされたと知らせます"
+ 
+-#: src/util/util.h:85
++#: src/util/util.h:95
+ msgid "Informs that the responder has been dbus-activated"
+ msgstr "レスポンダーが dbus でアクティベートされたと知らせます"
+ 
++#~ msgid "Additional timeout to wait for a card if requested"
++#~ msgstr "要求された場合に、カードが待つ追加のタイムアウト"
++
++#~ msgid ""
++#~ "PKCS#11 URI to restrict the selection of devices for Smartcard "
++#~ "authentication"
++#~ msgstr "スマートカード認証向けのデバイスの選択を PKCS#11 URI が制限"
++
++#~ msgid "Similar to --genconf, but only refreshes the given section"
++#~ msgstr "--genconf と似ていますが、任意のセクションのみをリフレッシュします"
+diff --git a/po/nb.po b/po/nb.po
+index 6dc7d69e0..8edd3e842 100644
+--- a/po/nb.po
++++ b/po/nb.po
+@@ -8,7 +8,7 @@ msgid ""
+ msgstr ""
+ "Project-Id-Version: PACKAGE VERSION\n"
+ "Report-Msgid-Bugs-To: sssd-devel@lists.fedorahosted.org\n"
+-"POT-Creation-Date: 2019-03-20 22:07+0100\n"
++"POT-Creation-Date: 2019-10-07 11:34+0200\n"
+ "PO-Revision-Date: 2014-12-14 11:46+0000\n"
+ "Last-Translator: Copied by Zanata <copied-by-zanata@zanata.org>\n"
+ "Language-Team: Norwegian Bokmål (http://www.transifex.com/projects/p/sssd/"
+@@ -1507,63 +1507,63 @@ msgstr ""
+ msgid "SSSD is already running\n"
+ msgstr ""
+ 
+-#: src/providers/krb5/krb5_child.c:3216 src/providers/ldap/ldap_child.c:605
++#: src/providers/krb5/krb5_child.c:3229 src/providers/ldap/ldap_child.c:605
+ msgid "Debug level"
+ msgstr ""
+ 
+-#: src/providers/krb5/krb5_child.c:3218 src/providers/ldap/ldap_child.c:607
++#: src/providers/krb5/krb5_child.c:3231 src/providers/ldap/ldap_child.c:607
+ msgid "Add debug timestamps"
+ msgstr ""
+ 
+-#: src/providers/krb5/krb5_child.c:3220 src/providers/ldap/ldap_child.c:609
++#: src/providers/krb5/krb5_child.c:3233 src/providers/ldap/ldap_child.c:609
+ msgid "Show timestamps with microseconds"
+ msgstr ""
+ 
+-#: src/providers/krb5/krb5_child.c:3222 src/providers/ldap/ldap_child.c:611
++#: src/providers/krb5/krb5_child.c:3235 src/providers/ldap/ldap_child.c:611
+ msgid "An open file descriptor for the debug logs"
+ msgstr ""
+ 
+-#: src/providers/krb5/krb5_child.c:3225 src/providers/ldap/ldap_child.c:613
++#: src/providers/krb5/krb5_child.c:3238 src/providers/ldap/ldap_child.c:613
+ msgid "Send the debug output to stderr directly."
+ msgstr ""
+ 
+-#: src/providers/krb5/krb5_child.c:3228
++#: src/providers/krb5/krb5_child.c:3241
+ msgid "The user to create FAST ccache as"
+ msgstr ""
+ 
+-#: src/providers/krb5/krb5_child.c:3230
++#: src/providers/krb5/krb5_child.c:3243
+ msgid "The group to create FAST ccache as"
+ msgstr ""
+ 
+-#: src/providers/krb5/krb5_child.c:3232
++#: src/providers/krb5/krb5_child.c:3245
+ msgid "Kerberos realm to use"
+ msgstr ""
+ 
+-#: src/providers/krb5/krb5_child.c:3234
++#: src/providers/krb5/krb5_child.c:3247
+ msgid "Requested lifetime of the ticket"
+ msgstr ""
+ 
+-#: src/providers/krb5/krb5_child.c:3236
++#: src/providers/krb5/krb5_child.c:3249
+ msgid "Requested renewable lifetime of the ticket"
+ msgstr ""
+ 
+-#: src/providers/krb5/krb5_child.c:3238
++#: src/providers/krb5/krb5_child.c:3251
+ msgid "FAST options ('never', 'try', 'demand')"
+ msgstr ""
+ 
+-#: src/providers/krb5/krb5_child.c:3241
++#: src/providers/krb5/krb5_child.c:3254
+ msgid "Specifies the server principal to use for FAST"
+ msgstr ""
+ 
+-#: src/providers/krb5/krb5_child.c:3243
++#: src/providers/krb5/krb5_child.c:3256
+ msgid "Requests canonicalization of the principal name"
+ msgstr ""
+ 
+-#: src/providers/krb5/krb5_child.c:3245
++#: src/providers/krb5/krb5_child.c:3258
+ msgid "Use custom version of krb5_get_init_creds_password"
+ msgstr ""
+ 
+-#: src/providers/data_provider_be.c:556
++#: src/providers/data_provider_be.c:582
+ msgid "Domain of the information provider (mandatory)"
+ msgstr ""
+ 
+@@ -1595,88 +1595,88 @@ msgstr ""
+ msgid "Permission denied. "
+ msgstr ""
+ 
+-#: src/sss_client/pam_sss.c:77 src/sss_client/pam_sss.c:782
+-#: src/sss_client/pam_sss.c:793
++#: src/sss_client/pam_sss.c:77 src/sss_client/pam_sss.c:785
++#: src/sss_client/pam_sss.c:796
+ msgid "Server message: "
+ msgstr ""
+ 
+-#: src/sss_client/pam_sss.c:300
++#: src/sss_client/pam_sss.c:303
+ msgid "Passwords do not match"
+ msgstr ""
+ 
+-#: src/sss_client/pam_sss.c:488
++#: src/sss_client/pam_sss.c:491
+ msgid "Password reset by root is not supported."
+ msgstr ""
+ 
+-#: src/sss_client/pam_sss.c:529
++#: src/sss_client/pam_sss.c:532
+ msgid "Authenticated with cached credentials"
+ msgstr ""
+ 
+-#: src/sss_client/pam_sss.c:530
++#: src/sss_client/pam_sss.c:533
+ msgid ", your cached password will expire at: "
+ msgstr ""
+ 
+-#: src/sss_client/pam_sss.c:560
++#: src/sss_client/pam_sss.c:563
+ #, c-format
+ msgid "Your password has expired. You have %1$d grace login(s) remaining."
+ msgstr ""
+ 
+-#: src/sss_client/pam_sss.c:606
++#: src/sss_client/pam_sss.c:609
+ #, c-format
+ msgid "Your password will expire in %1$d %2$s."
+ msgstr ""
+ 
+-#: src/sss_client/pam_sss.c:655
++#: src/sss_client/pam_sss.c:658
+ msgid "Authentication is denied until: "
+ msgstr ""
+ 
+-#: src/sss_client/pam_sss.c:676
++#: src/sss_client/pam_sss.c:679
+ msgid "System is offline, password change not possible"
+ msgstr ""
+ 
+-#: src/sss_client/pam_sss.c:691
++#: src/sss_client/pam_sss.c:694
+ msgid ""
+ "After changing the OTP password, you need to log out and back in order to "
+ "acquire a ticket"
+ msgstr ""
+ 
+-#: src/sss_client/pam_sss.c:779 src/sss_client/pam_sss.c:792
++#: src/sss_client/pam_sss.c:782 src/sss_client/pam_sss.c:795
+ msgid "Password change failed. "
+ msgstr ""
+ 
+-#: src/sss_client/pam_sss.c:1926
++#: src/sss_client/pam_sss.c:1972
+ msgid "New Password: "
+ msgstr ""
+ 
+-#: src/sss_client/pam_sss.c:1927
++#: src/sss_client/pam_sss.c:1973
+ msgid "Reenter new Password: "
+ msgstr ""
+ 
+-#: src/sss_client/pam_sss.c:2039 src/sss_client/pam_sss.c:2042
++#: src/sss_client/pam_sss.c:2130 src/sss_client/pam_sss.c:2133
+ msgid "First Factor: "
+ msgstr ""
+ 
+-#: src/sss_client/pam_sss.c:2040 src/sss_client/pam_sss.c:2202
++#: src/sss_client/pam_sss.c:2131 src/sss_client/pam_sss.c:2294
+ msgid "Second Factor (optional): "
+ msgstr ""
+ 
+-#: src/sss_client/pam_sss.c:2043 src/sss_client/pam_sss.c:2205
++#: src/sss_client/pam_sss.c:2134 src/sss_client/pam_sss.c:2297
+ msgid "Second Factor: "
+ msgstr ""
+ 
+-#: src/sss_client/pam_sss.c:2058
++#: src/sss_client/pam_sss.c:2149
+ msgid "Password: "
+ msgstr ""
+ 
+-#: src/sss_client/pam_sss.c:2201 src/sss_client/pam_sss.c:2204
++#: src/sss_client/pam_sss.c:2293 src/sss_client/pam_sss.c:2296
+ msgid "First Factor (Current Password): "
+ msgstr ""
+ 
+-#: src/sss_client/pam_sss.c:2208
++#: src/sss_client/pam_sss.c:2300
+ msgid "Current Password: "
+ msgstr ""
+ 
+-#: src/sss_client/pam_sss.c:2536
++#: src/sss_client/pam_sss.c:2628
+ msgid "Password expired. Change your password now."
+ msgstr ""
+ 
+@@ -1685,7 +1685,7 @@ msgstr ""
+ #: src/tools/sss_groupadd.c:41 src/tools/sss_groupdel.c:44
+ #: src/tools/sss_groupmod.c:42 src/tools/sss_groupshow.c:668
+ #: src/tools/sss_userdel.c:134 src/tools/sss_usermod.c:47
+-#: src/tools/sss_cache.c:687
++#: src/tools/sss_cache.c:702
+ msgid "The debug level to run with"
+ msgstr ""
+ 
+@@ -1698,7 +1698,7 @@ msgstr ""
+ #: src/tools/sss_groupadd.c:59 src/tools/sss_groupdel.c:54
+ #: src/tools/sss_groupmod.c:66 src/tools/sss_groupshow.c:680
+ #: src/tools/sss_userdel.c:152 src/tools/sss_usermod.c:79
+-#: src/tools/sss_cache.c:733
++#: src/tools/sss_cache.c:748
+ msgid "Error setting the locale\n"
+ msgstr ""
+ 
+@@ -2146,88 +2146,88 @@ msgstr ""
+ msgid "Couldn't invalidate %1$s %2$s\n"
+ msgstr ""
+ 
+-#: src/tools/sss_cache.c:689
++#: src/tools/sss_cache.c:704
+ msgid "Invalidate all cached entries"
+ msgstr ""
+ 
+-#: src/tools/sss_cache.c:691
++#: src/tools/sss_cache.c:706
+ msgid "Invalidate particular user"
+ msgstr ""
+ 
+-#: src/tools/sss_cache.c:693
++#: src/tools/sss_cache.c:708
+ msgid "Invalidate all users"
+ msgstr ""
+ 
+-#: src/tools/sss_cache.c:695
++#: src/tools/sss_cache.c:710
+ msgid "Invalidate particular group"
+ msgstr ""
+ 
+-#: src/tools/sss_cache.c:697
++#: src/tools/sss_cache.c:712
+ msgid "Invalidate all groups"
+ msgstr ""
+ 
+-#: src/tools/sss_cache.c:699
++#: src/tools/sss_cache.c:714
+ msgid "Invalidate particular netgroup"
+ msgstr ""
+ 
+-#: src/tools/sss_cache.c:701
++#: src/tools/sss_cache.c:716
+ msgid "Invalidate all netgroups"
+ msgstr ""
+ 
+-#: src/tools/sss_cache.c:703
++#: src/tools/sss_cache.c:718
+ msgid "Invalidate particular service"
+ msgstr ""
+ 
+-#: src/tools/sss_cache.c:705
++#: src/tools/sss_cache.c:720
+ msgid "Invalidate all services"
+ msgstr ""
+ 
+-#: src/tools/sss_cache.c:708
++#: src/tools/sss_cache.c:723
+ msgid "Invalidate particular autofs map"
+ msgstr ""
+ 
+-#: src/tools/sss_cache.c:710
++#: src/tools/sss_cache.c:725
+ msgid "Invalidate all autofs maps"
+ msgstr ""
+ 
+-#: src/tools/sss_cache.c:714
++#: src/tools/sss_cache.c:729
+ msgid "Invalidate particular SSH host"
+ msgstr ""
+ 
+-#: src/tools/sss_cache.c:716
++#: src/tools/sss_cache.c:731
+ msgid "Invalidate all SSH hosts"
+ msgstr ""
+ 
+-#: src/tools/sss_cache.c:720
++#: src/tools/sss_cache.c:735
+ msgid "Invalidate particular sudo rule"
+ msgstr ""
+ 
+-#: src/tools/sss_cache.c:722
++#: src/tools/sss_cache.c:737
+ msgid "Invalidate all cached sudo rules"
+ msgstr ""
+ 
+-#: src/tools/sss_cache.c:725
++#: src/tools/sss_cache.c:740
+ msgid "Only invalidate entries from a particular domain"
+ msgstr ""
+ 
+-#: src/tools/sss_cache.c:779
++#: src/tools/sss_cache.c:794
+ msgid ""
+ "Unexpected argument(s) provided, options that invalidate a single object "
+ "only accept a single provided argument.\n"
+ msgstr ""
+ 
+-#: src/tools/sss_cache.c:789
++#: src/tools/sss_cache.c:804
+ msgid "Please select at least one object to invalidate\n"
+ msgstr ""
+ 
+-#: src/tools/sss_cache.c:872
++#: src/tools/sss_cache.c:887
+ #, c-format
+ msgid ""
+ "Could not open domain %1$s. If the domain is a subdomain (trusted domain), "
+ "use fully qualified name instead of --domain/-d parameter.\n"
+ msgstr ""
+ 
+-#: src/tools/sss_cache.c:877
++#: src/tools/sss_cache.c:892
+ msgid "Could not open available domains\n"
+ msgstr ""
+ 
+@@ -2791,18 +2791,18 @@ msgstr ""
+ msgid " - no env -\n"
+ msgstr ""
+ 
+-#: src/util/util.h:75
++#: src/util/util.h:83
+ msgid "The user ID to run the server as"
+ msgstr ""
+ 
+-#: src/util/util.h:77
++#: src/util/util.h:85
+ msgid "The group ID to run the server as"
+ msgstr ""
+ 
+-#: src/util/util.h:85
++#: src/util/util.h:93
+ msgid "Informs that the responder has been socket-activated"
+ msgstr ""
+ 
+-#: src/util/util.h:87
++#: src/util/util.h:95
+ msgid "Informs that the responder has been dbus-activated"
+ msgstr ""
+diff --git a/po/nl.po b/po/nl.po
+index 5401af0c3..3dbbfa3b1 100644
+--- a/po/nl.po
++++ b/po/nl.po
+@@ -13,7 +13,7 @@ msgid ""
+ msgstr ""
+ "Project-Id-Version: PACKAGE VERSION\n"
+ "Report-Msgid-Bugs-To: sssd-devel@lists.fedorahosted.org\n"
+-"POT-Creation-Date: 2019-03-20 22:07+0100\n"
++"POT-Creation-Date: 2019-10-07 11:34+0200\n"
+ "PO-Revision-Date: 2014-12-14 11:47+0000\n"
+ "Last-Translator: Copied by Zanata <copied-by-zanata@zanata.org>\n"
+ "Language-Team: Dutch (http://www.transifex.com/projects/p/sssd/language/"
+@@ -1580,63 +1580,63 @@ msgstr "Print versie nummer en sluit af"
+ msgid "SSSD is already running\n"
+ msgstr ""
+ 
+-#: src/providers/krb5/krb5_child.c:3216 src/providers/ldap/ldap_child.c:605
++#: src/providers/krb5/krb5_child.c:3229 src/providers/ldap/ldap_child.c:605
+ msgid "Debug level"
+ msgstr "Debug niveau"
+ 
+-#: src/providers/krb5/krb5_child.c:3218 src/providers/ldap/ldap_child.c:607
++#: src/providers/krb5/krb5_child.c:3231 src/providers/ldap/ldap_child.c:607
+ msgid "Add debug timestamps"
+ msgstr "Voeg tijdstempels toe aan debugberichten"
+ 
+-#: src/providers/krb5/krb5_child.c:3220 src/providers/ldap/ldap_child.c:609
++#: src/providers/krb5/krb5_child.c:3233 src/providers/ldap/ldap_child.c:609
+ msgid "Show timestamps with microseconds"
+ msgstr "Toon tijdstempel met microseconden"
+ 
+-#: src/providers/krb5/krb5_child.c:3222 src/providers/ldap/ldap_child.c:611
++#: src/providers/krb5/krb5_child.c:3235 src/providers/ldap/ldap_child.c:611
+ msgid "An open file descriptor for the debug logs"
+ msgstr "Een geopend bestand voor de debug logs"
+ 
+-#: src/providers/krb5/krb5_child.c:3225 src/providers/ldap/ldap_child.c:613
++#: src/providers/krb5/krb5_child.c:3238 src/providers/ldap/ldap_child.c:613
+ msgid "Send the debug output to stderr directly."
+ msgstr ""
+ 
+-#: src/providers/krb5/krb5_child.c:3228
++#: src/providers/krb5/krb5_child.c:3241
+ msgid "The user to create FAST ccache as"
+ msgstr ""
+ 
+-#: src/providers/krb5/krb5_child.c:3230
++#: src/providers/krb5/krb5_child.c:3243
+ msgid "The group to create FAST ccache as"
+ msgstr ""
+ 
+-#: src/providers/krb5/krb5_child.c:3232
++#: src/providers/krb5/krb5_child.c:3245
+ msgid "Kerberos realm to use"
+ msgstr ""
+ 
+-#: src/providers/krb5/krb5_child.c:3234
++#: src/providers/krb5/krb5_child.c:3247
+ msgid "Requested lifetime of the ticket"
+ msgstr ""
+ 
+-#: src/providers/krb5/krb5_child.c:3236
++#: src/providers/krb5/krb5_child.c:3249
+ msgid "Requested renewable lifetime of the ticket"
+ msgstr ""
+ 
+-#: src/providers/krb5/krb5_child.c:3238
++#: src/providers/krb5/krb5_child.c:3251
+ msgid "FAST options ('never', 'try', 'demand')"
+ msgstr ""
+ 
+-#: src/providers/krb5/krb5_child.c:3241
++#: src/providers/krb5/krb5_child.c:3254
+ msgid "Specifies the server principal to use for FAST"
+ msgstr ""
+ 
+-#: src/providers/krb5/krb5_child.c:3243
++#: src/providers/krb5/krb5_child.c:3256
+ msgid "Requests canonicalization of the principal name"
+ msgstr ""
+ 
+-#: src/providers/krb5/krb5_child.c:3245
++#: src/providers/krb5/krb5_child.c:3258
+ msgid "Use custom version of krb5_get_init_creds_password"
+ msgstr ""
+ 
+-#: src/providers/data_provider_be.c:556
++#: src/providers/data_provider_be.c:582
+ msgid "Domain of the information provider (mandatory)"
+ msgstr "Domein voor de informatie provider (verplicht)"
+ 
+@@ -1669,89 +1669,89 @@ msgstr "Onverwachtte fout bij het opzoeken van een omschrijving"
+ msgid "Permission denied. "
+ msgstr ""
+ 
+-#: src/sss_client/pam_sss.c:77 src/sss_client/pam_sss.c:782
+-#: src/sss_client/pam_sss.c:793
++#: src/sss_client/pam_sss.c:77 src/sss_client/pam_sss.c:785
++#: src/sss_client/pam_sss.c:796
+ msgid "Server message: "
+ msgstr "Serverbericht:"
+ 
+-#: src/sss_client/pam_sss.c:300
++#: src/sss_client/pam_sss.c:303
+ msgid "Passwords do not match"
+ msgstr "Wachtwoorden komen niet overeen"
+ 
+-#: src/sss_client/pam_sss.c:488
++#: src/sss_client/pam_sss.c:491
+ msgid "Password reset by root is not supported."
+ msgstr "Wachtwoorden als root wijzigen wordt niet ondersteund."
+ 
+-#: src/sss_client/pam_sss.c:529
++#: src/sss_client/pam_sss.c:532
+ msgid "Authenticated with cached credentials"
+ msgstr "Geauthenticeerd met gecachte inloggegevens."
+ 
+-#: src/sss_client/pam_sss.c:530
++#: src/sss_client/pam_sss.c:533
+ msgid ", your cached password will expire at: "
+ msgstr ", uw wachtwoord verloopt op:"
+ 
+-#: src/sss_client/pam_sss.c:560
++#: src/sss_client/pam_sss.c:563
+ #, c-format
+ msgid "Your password has expired. You have %1$d grace login(s) remaining."
+ msgstr ""
+ "Je wachtwoord is verlopen. Je hebt nog slechts %1$d login(s) beschikbaar."
+ 
+-#: src/sss_client/pam_sss.c:606
++#: src/sss_client/pam_sss.c:609
+ #, c-format
+ msgid "Your password will expire in %1$d %2$s."
+ msgstr "Je wachtwoord zal verlopen in %1$d %2$s."
+ 
+-#: src/sss_client/pam_sss.c:655
++#: src/sss_client/pam_sss.c:658
+ msgid "Authentication is denied until: "
+ msgstr "Inloggen wordt geweigerd tot:"
+ 
+-#: src/sss_client/pam_sss.c:676
++#: src/sss_client/pam_sss.c:679
+ msgid "System is offline, password change not possible"
+ msgstr "Systeem is offline, wachtwoord wijzigen niet mogelijk"
+ 
+-#: src/sss_client/pam_sss.c:691
++#: src/sss_client/pam_sss.c:694
+ msgid ""
+ "After changing the OTP password, you need to log out and back in order to "
+ "acquire a ticket"
+ msgstr ""
+ 
+-#: src/sss_client/pam_sss.c:779 src/sss_client/pam_sss.c:792
++#: src/sss_client/pam_sss.c:782 src/sss_client/pam_sss.c:795
+ msgid "Password change failed. "
+ msgstr "Wijzigen van wachtwoord mislukt."
+ 
+-#: src/sss_client/pam_sss.c:1926
++#: src/sss_client/pam_sss.c:1972
+ msgid "New Password: "
+ msgstr "Nieuw Wachtwoord: "
+ 
+-#: src/sss_client/pam_sss.c:1927
++#: src/sss_client/pam_sss.c:1973
+ msgid "Reenter new Password: "
+ msgstr "Voer nieuw wachtwoord nogmaals in: "
+ 
+-#: src/sss_client/pam_sss.c:2039 src/sss_client/pam_sss.c:2042
++#: src/sss_client/pam_sss.c:2130 src/sss_client/pam_sss.c:2133
+ msgid "First Factor: "
+ msgstr ""
+ 
+-#: src/sss_client/pam_sss.c:2040 src/sss_client/pam_sss.c:2202
++#: src/sss_client/pam_sss.c:2131 src/sss_client/pam_sss.c:2294
+ msgid "Second Factor (optional): "
+ msgstr ""
+ 
+-#: src/sss_client/pam_sss.c:2043 src/sss_client/pam_sss.c:2205
++#: src/sss_client/pam_sss.c:2134 src/sss_client/pam_sss.c:2297
+ msgid "Second Factor: "
+ msgstr ""
+ 
+-#: src/sss_client/pam_sss.c:2058
++#: src/sss_client/pam_sss.c:2149
+ msgid "Password: "
+ msgstr "Wachtwoord: "
+ 
+-#: src/sss_client/pam_sss.c:2201 src/sss_client/pam_sss.c:2204
++#: src/sss_client/pam_sss.c:2293 src/sss_client/pam_sss.c:2296
+ msgid "First Factor (Current Password): "
+ msgstr ""
+ 
+-#: src/sss_client/pam_sss.c:2208
++#: src/sss_client/pam_sss.c:2300
+ msgid "Current Password: "
+ msgstr "Huidig wachtwoord:"
+ 
+-#: src/sss_client/pam_sss.c:2536
++#: src/sss_client/pam_sss.c:2628
+ msgid "Password expired. Change your password now."
+ msgstr "Wachtwoord verlopen. Verander nu uw wachtwoord."
+ 
+@@ -1760,7 +1760,7 @@ msgstr "Wachtwoord verlopen. Verander nu uw wachtwoord."
+ #: src/tools/sss_groupadd.c:41 src/tools/sss_groupdel.c:44
+ #: src/tools/sss_groupmod.c:42 src/tools/sss_groupshow.c:668
+ #: src/tools/sss_userdel.c:134 src/tools/sss_usermod.c:47
+-#: src/tools/sss_cache.c:687
++#: src/tools/sss_cache.c:702
+ msgid "The debug level to run with"
+ msgstr "Het debugniveau waarmee gestart wordt"
+ 
+@@ -1773,7 +1773,7 @@ msgstr "Hrt te gebruiken SSSD domein"
+ #: src/tools/sss_groupadd.c:59 src/tools/sss_groupdel.c:54
+ #: src/tools/sss_groupmod.c:66 src/tools/sss_groupshow.c:680
+ #: src/tools/sss_userdel.c:152 src/tools/sss_usermod.c:79
+-#: src/tools/sss_cache.c:733
++#: src/tools/sss_cache.c:748
+ msgid "Error setting the locale\n"
+ msgstr "Fout bij het zetten van de locale\n"
+ 
+@@ -2254,81 +2254,81 @@ msgstr ""
+ msgid "Couldn't invalidate %1$s %2$s\n"
+ msgstr ""
+ 
+-#: src/tools/sss_cache.c:689
++#: src/tools/sss_cache.c:704
+ msgid "Invalidate all cached entries"
+ msgstr ""
+ 
+-#: src/tools/sss_cache.c:691
++#: src/tools/sss_cache.c:706
+ msgid "Invalidate particular user"
+ msgstr "Maak bepaalde gebruiker ongeldig"
+ 
+-#: src/tools/sss_cache.c:693
++#: src/tools/sss_cache.c:708
+ msgid "Invalidate all users"
+ msgstr "Maak alle gebruikers ongeldig"
+ 
+-#: src/tools/sss_cache.c:695
++#: src/tools/sss_cache.c:710
+ msgid "Invalidate particular group"
+ msgstr "Maak bepaalde groep ongeldig"
+ 
+-#: src/tools/sss_cache.c:697
++#: src/tools/sss_cache.c:712
+ msgid "Invalidate all groups"
+ msgstr "Maak alle groepen ongeldig"
+ 
+-#: src/tools/sss_cache.c:699
++#: src/tools/sss_cache.c:714
+ msgid "Invalidate particular netgroup"
+ msgstr "Maak bepaalde netgroep ongeldig"
+ 
+-#: src/tools/sss_cache.c:701
++#: src/tools/sss_cache.c:716
+ msgid "Invalidate all netgroups"
+ msgstr "Maak alle netgroepen ongeldig"
+ 
+-#: src/tools/sss_cache.c:703
++#: src/tools/sss_cache.c:718
+ msgid "Invalidate particular service"
+ msgstr "Maak bepaalde service ongeldig "
+ 
+-#: src/tools/sss_cache.c:705
++#: src/tools/sss_cache.c:720
+ msgid "Invalidate all services"
+ msgstr "Maak alle services ongeldig"
+ 
+-#: src/tools/sss_cache.c:708
++#: src/tools/sss_cache.c:723
+ msgid "Invalidate particular autofs map"
+ msgstr "Maak bepaalde autofs map ongeldig"
+ 
+-#: src/tools/sss_cache.c:710
++#: src/tools/sss_cache.c:725
+ msgid "Invalidate all autofs maps"
+ msgstr "Maak alle autofs mappen ongeldig"
+ 
+-#: src/tools/sss_cache.c:714
++#: src/tools/sss_cache.c:729
+ msgid "Invalidate particular SSH host"
+ msgstr ""
+ 
+-#: src/tools/sss_cache.c:716
++#: src/tools/sss_cache.c:731
+ msgid "Invalidate all SSH hosts"
+ msgstr ""
+ 
+-#: src/tools/sss_cache.c:720
++#: src/tools/sss_cache.c:735
+ msgid "Invalidate particular sudo rule"
+ msgstr ""
+ 
+-#: src/tools/sss_cache.c:722
++#: src/tools/sss_cache.c:737
+ msgid "Invalidate all cached sudo rules"
+ msgstr ""
+ 
+-#: src/tools/sss_cache.c:725
++#: src/tools/sss_cache.c:740
+ msgid "Only invalidate entries from a particular domain"
+ msgstr "Maak alleen ingangen van een bepaald domein ongeldig"
+ 
+-#: src/tools/sss_cache.c:779
++#: src/tools/sss_cache.c:794
+ msgid ""
+ "Unexpected argument(s) provided, options that invalidate a single object "
+ "only accept a single provided argument.\n"
+ msgstr ""
+ 
+-#: src/tools/sss_cache.c:789
++#: src/tools/sss_cache.c:804
+ msgid "Please select at least one object to invalidate\n"
+ msgstr "Selecteer tenminste een object om ongeldig te maken\n"
+ 
+-#: src/tools/sss_cache.c:872
++#: src/tools/sss_cache.c:887
+ #, c-format
+ msgid ""
+ "Could not open domain %1$s. If the domain is a subdomain (trusted domain), "
+@@ -2338,7 +2338,7 @@ msgstr ""
+ "is, gebruik dan de volledig gekwalificeerde naam in plaats van --domain/-d "
+ "parameter.\n"
+ 
+-#: src/tools/sss_cache.c:877
++#: src/tools/sss_cache.c:892
+ msgid "Could not open available domains\n"
+ msgstr "Kon beschikbare domeinen niet openen\n"
+ 
+@@ -2902,18 +2902,18 @@ msgstr ""
+ msgid " - no env -\n"
+ msgstr ""
+ 
+-#: src/util/util.h:75
++#: src/util/util.h:83
+ msgid "The user ID to run the server as"
+ msgstr ""
+ 
+-#: src/util/util.h:77
++#: src/util/util.h:85
+ msgid "The group ID to run the server as"
+ msgstr ""
+ 
+-#: src/util/util.h:85
++#: src/util/util.h:93
+ msgid "Informs that the responder has been socket-activated"
+ msgstr ""
+ 
+-#: src/util/util.h:87
++#: src/util/util.h:95
+ msgid "Informs that the responder has been dbus-activated"
+ msgstr ""
+diff --git a/po/pl.po b/po/pl.po
+index e3352155c..e12bfd488 100644
+--- a/po/pl.po
++++ b/po/pl.po
+@@ -14,7 +14,7 @@ msgid ""
+ msgstr ""
+ "Project-Id-Version: PACKAGE VERSION\n"
+ "Report-Msgid-Bugs-To: sssd-devel@lists.fedorahosted.org\n"
+-"POT-Creation-Date: 2019-03-20 22:07+0100\n"
++"POT-Creation-Date: 2019-10-07 11:34+0200\n"
+ "PO-Revision-Date: 2019-03-01 06:40+0000\n"
+ "Last-Translator: Piotr Drąg <piotrdrag@gmail.com>\n"
+ "Language-Team: Polish (http://www.transifex.com/projects/p/sssd/language/"
+@@ -1612,64 +1612,64 @@ msgstr "Wyświetla numer wersji i kończy działanie"
+ msgid "SSSD is already running\n"
+ msgstr "Usługa SSSD jest już uruchomiona\n"
+ 
+-#: src/providers/krb5/krb5_child.c:3216 src/providers/ldap/ldap_child.c:605
++#: src/providers/krb5/krb5_child.c:3229 src/providers/ldap/ldap_child.c:605
+ msgid "Debug level"
+ msgstr "Poziom debugowania"
+ 
+-#: src/providers/krb5/krb5_child.c:3218 src/providers/ldap/ldap_child.c:607
++#: src/providers/krb5/krb5_child.c:3231 src/providers/ldap/ldap_child.c:607
+ msgid "Add debug timestamps"
+ msgstr "Dodaje czasy debugowania"
+ 
+-#: src/providers/krb5/krb5_child.c:3220 src/providers/ldap/ldap_child.c:609
++#: src/providers/krb5/krb5_child.c:3233 src/providers/ldap/ldap_child.c:609
+ msgid "Show timestamps with microseconds"
+ msgstr "Wyświetlanie dat z mikrosekundami"
+ 
+-#: src/providers/krb5/krb5_child.c:3222 src/providers/ldap/ldap_child.c:611
++#: src/providers/krb5/krb5_child.c:3235 src/providers/ldap/ldap_child.c:611
+ msgid "An open file descriptor for the debug logs"
+ msgstr "Otwiera deskryptor pliku dla dzienników debugowania"
+ 
+-#: src/providers/krb5/krb5_child.c:3225 src/providers/ldap/ldap_child.c:613
++#: src/providers/krb5/krb5_child.c:3238 src/providers/ldap/ldap_child.c:613
+ msgid "Send the debug output to stderr directly."
+ msgstr ""
+ "Wysyła wyjście debugowania bezpośrednio do standardowego wyjścia błędów."
+ 
+-#: src/providers/krb5/krb5_child.c:3228
++#: src/providers/krb5/krb5_child.c:3241
+ msgid "The user to create FAST ccache as"
+ msgstr "Użytkownik, jako który utworzyć ccache FAST"
+ 
+-#: src/providers/krb5/krb5_child.c:3230
++#: src/providers/krb5/krb5_child.c:3243
+ msgid "The group to create FAST ccache as"
+ msgstr "Grupa, jako którą utworzyć ccache FAST"
+ 
+-#: src/providers/krb5/krb5_child.c:3232
++#: src/providers/krb5/krb5_child.c:3245
+ msgid "Kerberos realm to use"
+ msgstr "Używany obszar Kerberosa"
+ 
+-#: src/providers/krb5/krb5_child.c:3234
++#: src/providers/krb5/krb5_child.c:3247
+ msgid "Requested lifetime of the ticket"
+ msgstr "Żądany czas trwania biletu"
+ 
+-#: src/providers/krb5/krb5_child.c:3236
++#: src/providers/krb5/krb5_child.c:3249
+ msgid "Requested renewable lifetime of the ticket"
+ msgstr "Żądany odnawialny czas trwania biletu"
+ 
+-#: src/providers/krb5/krb5_child.c:3238
++#: src/providers/krb5/krb5_child.c:3251
+ msgid "FAST options ('never', 'try', 'demand')"
+ msgstr "Opcje FAST („never”, „try”, „demand”)"
+ 
+-#: src/providers/krb5/krb5_child.c:3241
++#: src/providers/krb5/krb5_child.c:3254
+ msgid "Specifies the server principal to use for FAST"
+ msgstr "Podaje naczelnika serwera używanego dla FAST"
+ 
+-#: src/providers/krb5/krb5_child.c:3243
++#: src/providers/krb5/krb5_child.c:3256
+ msgid "Requests canonicalization of the principal name"
+ msgstr "Żąda ujednolicenie nazwy naczelnika"
+ 
+-#: src/providers/krb5/krb5_child.c:3245
++#: src/providers/krb5/krb5_child.c:3258
+ msgid "Use custom version of krb5_get_init_creds_password"
+ msgstr "Użycie niestandardowej wersji krb5_get_init_creds_password"
+ 
+-#: src/providers/data_provider_be.c:556
++#: src/providers/data_provider_be.c:582
+ msgid "Domain of the information provider (mandatory)"
+ msgstr "Domena dostawcy informacji (wymagane)"
+ 
+@@ -1701,46 +1701,46 @@ msgstr "Nieoczekiwany błąd podczas wyszukiwania opisu błędu"
+ msgid "Permission denied. "
+ msgstr "Odmowa uprawnienia."
+ 
+-#: src/sss_client/pam_sss.c:77 src/sss_client/pam_sss.c:782
+-#: src/sss_client/pam_sss.c:793
++#: src/sss_client/pam_sss.c:77 src/sss_client/pam_sss.c:785
++#: src/sss_client/pam_sss.c:796
+ msgid "Server message: "
+ msgstr "Komunikat serwera: "
+ 
+-#: src/sss_client/pam_sss.c:300
++#: src/sss_client/pam_sss.c:303
+ msgid "Passwords do not match"
+ msgstr "Hasła się nie zgadzają"
+ 
+-#: src/sss_client/pam_sss.c:488
++#: src/sss_client/pam_sss.c:491
+ msgid "Password reset by root is not supported."
+ msgstr "Przywrócenie hasła przez użytkownika root nie jest obsługiwane."
+ 
+-#: src/sss_client/pam_sss.c:529
++#: src/sss_client/pam_sss.c:532
+ msgid "Authenticated with cached credentials"
+ msgstr "Uwierzytelniono za pomocą danych z pamięci podręcznej"
+ 
+-#: src/sss_client/pam_sss.c:530
++#: src/sss_client/pam_sss.c:533
+ msgid ", your cached password will expire at: "
+ msgstr ", hasło w pamięci podręcznej wygaśnie za: "
+ 
+-#: src/sss_client/pam_sss.c:560
++#: src/sss_client/pam_sss.c:563
+ #, c-format
+ msgid "Your password has expired. You have %1$d grace login(s) remaining."
+ msgstr "Hasło wygasło. Pozostało %1$d możliwych logowań."
+ 
+-#: src/sss_client/pam_sss.c:606
++#: src/sss_client/pam_sss.c:609
+ #, c-format
+ msgid "Your password will expire in %1$d %2$s."
+ msgstr "Hasło wygaśnie za %1$d %2$s."
+ 
+-#: src/sss_client/pam_sss.c:655
++#: src/sss_client/pam_sss.c:658
+ msgid "Authentication is denied until: "
+ msgstr "Uwierzytelnianie jest zabronione do: "
+ 
+-#: src/sss_client/pam_sss.c:676
++#: src/sss_client/pam_sss.c:679
+ msgid "System is offline, password change not possible"
+ msgstr "System jest w trybie offline, zmiana hasła nie jest możliwa"
+ 
+-#: src/sss_client/pam_sss.c:691
++#: src/sss_client/pam_sss.c:694
+ msgid ""
+ "After changing the OTP password, you need to log out and back in order to "
+ "acquire a ticket"
+@@ -1748,43 +1748,43 @@ msgstr ""
+ "Po zmianie hasła OTP należy się wylogować i zalogować ponownie, aby uzyskać "
+ "bilet"
+ 
+-#: src/sss_client/pam_sss.c:779 src/sss_client/pam_sss.c:792
++#: src/sss_client/pam_sss.c:782 src/sss_client/pam_sss.c:795
+ msgid "Password change failed. "
+ msgstr "Zmiana hasła się nie powiodła. "
+ 
+-#: src/sss_client/pam_sss.c:1926
++#: src/sss_client/pam_sss.c:1972
+ msgid "New Password: "
+ msgstr "Nowe hasło: "
+ 
+-#: src/sss_client/pam_sss.c:1927
++#: src/sss_client/pam_sss.c:1973
+ msgid "Reenter new Password: "
+ msgstr "Proszę ponownie podać nowe hasło: "
+ 
+-#: src/sss_client/pam_sss.c:2039 src/sss_client/pam_sss.c:2042
++#: src/sss_client/pam_sss.c:2130 src/sss_client/pam_sss.c:2133
+ msgid "First Factor: "
+ msgstr "Pierwszy czynnik: "
+ 
+-#: src/sss_client/pam_sss.c:2040 src/sss_client/pam_sss.c:2202
++#: src/sss_client/pam_sss.c:2131 src/sss_client/pam_sss.c:2294
+ msgid "Second Factor (optional): "
+ msgstr "Drugi czynnik (opcjonalnie): "
+ 
+-#: src/sss_client/pam_sss.c:2043 src/sss_client/pam_sss.c:2205
++#: src/sss_client/pam_sss.c:2134 src/sss_client/pam_sss.c:2297
+ msgid "Second Factor: "
+ msgstr "Drugi czynnik: "
+ 
+-#: src/sss_client/pam_sss.c:2058
++#: src/sss_client/pam_sss.c:2149
+ msgid "Password: "
+ msgstr "Hasło: "
+ 
+-#: src/sss_client/pam_sss.c:2201 src/sss_client/pam_sss.c:2204
++#: src/sss_client/pam_sss.c:2293 src/sss_client/pam_sss.c:2296
+ msgid "First Factor (Current Password): "
+ msgstr "Pierwszy czynnik (obecne hasło): "
+ 
+-#: src/sss_client/pam_sss.c:2208
++#: src/sss_client/pam_sss.c:2300
+ msgid "Current Password: "
+ msgstr "Bieżące hasło: "
+ 
+-#: src/sss_client/pam_sss.c:2536
++#: src/sss_client/pam_sss.c:2628
+ msgid "Password expired. Change your password now."
+ msgstr "Hasło wygasło. Proszę je zmienić teraz."
+ 
+@@ -1793,7 +1793,7 @@ msgstr "Hasło wygasło. Proszę je zmienić teraz."
+ #: src/tools/sss_groupadd.c:41 src/tools/sss_groupdel.c:44
+ #: src/tools/sss_groupmod.c:42 src/tools/sss_groupshow.c:668
+ #: src/tools/sss_userdel.c:134 src/tools/sss_usermod.c:47
+-#: src/tools/sss_cache.c:687
++#: src/tools/sss_cache.c:702
+ msgid "The debug level to run with"
+ msgstr "Poziom debugowania, z jakim uruchomić"
+ 
+@@ -1806,7 +1806,7 @@ msgstr "Używana domena SSSD"
+ #: src/tools/sss_groupadd.c:59 src/tools/sss_groupdel.c:54
+ #: src/tools/sss_groupmod.c:66 src/tools/sss_groupshow.c:680
+ #: src/tools/sss_userdel.c:152 src/tools/sss_usermod.c:79
+-#: src/tools/sss_cache.c:733
++#: src/tools/sss_cache.c:748
+ msgid "Error setting the locale\n"
+ msgstr "Błąd podczas ustawiania lokalizacji\n"
+ 
+@@ -2289,71 +2289,71 @@ msgstr "Nie można unieważnić %1$s\n"
+ msgid "Couldn't invalidate %1$s %2$s\n"
+ msgstr "Nie można unieważnić %1$s %2$s\n"
+ 
+-#: src/tools/sss_cache.c:689
++#: src/tools/sss_cache.c:704
+ msgid "Invalidate all cached entries"
+ msgstr "Unieważnia wszystkie wpisy w pamięci podręcznej"
+ 
+-#: src/tools/sss_cache.c:691
++#: src/tools/sss_cache.c:706
+ msgid "Invalidate particular user"
+ msgstr "Unieważnia podanego użytkownika"
+ 
+-#: src/tools/sss_cache.c:693
++#: src/tools/sss_cache.c:708
+ msgid "Invalidate all users"
+ msgstr "Unieważnia wszystkich użytkowników"
+ 
+-#: src/tools/sss_cache.c:695
++#: src/tools/sss_cache.c:710
+ msgid "Invalidate particular group"
+ msgstr "Unieważnia podaną grupę"
+ 
+-#: src/tools/sss_cache.c:697
++#: src/tools/sss_cache.c:712
+ msgid "Invalidate all groups"
+ msgstr "Unieważnia wszystkie grupy"
+ 
+-#: src/tools/sss_cache.c:699
++#: src/tools/sss_cache.c:714
+ msgid "Invalidate particular netgroup"
+ msgstr "Unieważnia podaną grupę sieciową"
+ 
+-#: src/tools/sss_cache.c:701
++#: src/tools/sss_cache.c:716
+ msgid "Invalidate all netgroups"
+ msgstr "Unieważnia wszystkie grupy sieciowe"
+ 
+-#: src/tools/sss_cache.c:703
++#: src/tools/sss_cache.c:718
+ msgid "Invalidate particular service"
+ msgstr "Unieważnia podaną usługę"
+ 
+-#: src/tools/sss_cache.c:705
++#: src/tools/sss_cache.c:720
+ msgid "Invalidate all services"
+ msgstr "Unieważnia wszystkie usługi"
+ 
+-#: src/tools/sss_cache.c:708
++#: src/tools/sss_cache.c:723
+ msgid "Invalidate particular autofs map"
+ msgstr "Unieważnia podaną mapę autofs"
+ 
+-#: src/tools/sss_cache.c:710
++#: src/tools/sss_cache.c:725
+ msgid "Invalidate all autofs maps"
+ msgstr "Unieważnia wszystkie mapy autofs"
+ 
+-#: src/tools/sss_cache.c:714
++#: src/tools/sss_cache.c:729
+ msgid "Invalidate particular SSH host"
+ msgstr "Unieważnia konkretny komputer SSH"
+ 
+-#: src/tools/sss_cache.c:716
++#: src/tools/sss_cache.c:731
+ msgid "Invalidate all SSH hosts"
+ msgstr "Unieważnia wszystkie komputery SSH"
+ 
+-#: src/tools/sss_cache.c:720
++#: src/tools/sss_cache.c:735
+ msgid "Invalidate particular sudo rule"
+ msgstr "Unieważnia podaną regułę sudo"
+ 
+-#: src/tools/sss_cache.c:722
++#: src/tools/sss_cache.c:737
+ msgid "Invalidate all cached sudo rules"
+ msgstr "Unieważnia wszystkie reguły sudo w pamięci podręcznej"
+ 
+-#: src/tools/sss_cache.c:725
++#: src/tools/sss_cache.c:740
+ msgid "Only invalidate entries from a particular domain"
+ msgstr "Unieważnia wpisy tylko z podanej domeny"
+ 
+-#: src/tools/sss_cache.c:779
++#: src/tools/sss_cache.c:794
+ msgid ""
+ "Unexpected argument(s) provided, options that invalidate a single object "
+ "only accept a single provided argument.\n"
+@@ -2361,11 +2361,11 @@ msgstr ""
+ "Podano nieoczekiwane parametry, opcje unieważniające jeden obiekt przyjmują "
+ "tylko jeden podany parametr.\n"
+ 
+-#: src/tools/sss_cache.c:789
++#: src/tools/sss_cache.c:804
+ msgid "Please select at least one object to invalidate\n"
+ msgstr "Proszę wybrać co najmniej jeden obiekt do unieważnienia\n"
+ 
+-#: src/tools/sss_cache.c:872
++#: src/tools/sss_cache.c:887
+ #, c-format
+ msgid ""
+ "Could not open domain %1$s. If the domain is a subdomain (trusted domain), "
+@@ -2375,7 +2375,7 @@ msgstr ""
+ "domeną), należy użyć w pełni kwalifikowanej nazwy zamiast parametru --"
+ "domain/-d.\n"
+ 
+-#: src/tools/sss_cache.c:877
++#: src/tools/sss_cache.c:892
+ msgid "Could not open available domains\n"
+ msgstr "Nie można otworzyć dostępnych domen\n"
+ 
+@@ -2975,19 +2975,19 @@ msgstr "Środowisko PAM:\n"
+ msgid " - no env -\n"
+ msgstr " — brak środowiska —\n"
+ 
+-#: src/util/util.h:75
++#: src/util/util.h:83
+ msgid "The user ID to run the server as"
+ msgstr "Identyfikator użytkownika, jako który uruchomić serwer"
+ 
+-#: src/util/util.h:77
++#: src/util/util.h:85
+ msgid "The group ID to run the server as"
+ msgstr "Identyfikator grupy, jako którą uruchomić serwer"
+ 
+-#: src/util/util.h:85
++#: src/util/util.h:93
+ msgid "Informs that the responder has been socket-activated"
+ msgstr "Informuje, że program odpowiadający został aktywowany gniazdem"
+ 
+-#: src/util/util.h:87
++#: src/util/util.h:95
+ msgid "Informs that the responder has been dbus-activated"
+ msgstr "Informuje, że program odpowiadający został aktywowany magistralą D-Bus"
+ 
+diff --git a/po/pt.po b/po/pt.po
+index 15691ecbf..b7e46f62f 100644
+--- a/po/pt.po
++++ b/po/pt.po
+@@ -7,7 +7,7 @@ msgid ""
+ msgstr ""
+ "Project-Id-Version: PACKAGE VERSION\n"
+ "Report-Msgid-Bugs-To: sssd-devel@lists.fedorahosted.org\n"
+-"POT-Creation-Date: 2019-03-20 22:07+0100\n"
++"POT-Creation-Date: 2019-10-07 11:34+0200\n"
+ "PO-Revision-Date: 2014-12-14 11:47+0000\n"
+ "Last-Translator: Copied by Zanata <copied-by-zanata@zanata.org>\n"
+ "Language-Team: Portuguese (http://www.transifex.com/projects/p/sssd/language/"
+@@ -1518,63 +1518,63 @@ msgstr ""
+ msgid "SSSD is already running\n"
+ msgstr ""
+ 
+-#: src/providers/krb5/krb5_child.c:3216 src/providers/ldap/ldap_child.c:605
++#: src/providers/krb5/krb5_child.c:3229 src/providers/ldap/ldap_child.c:605
+ msgid "Debug level"
+ msgstr "Nível de depuração"
+ 
+-#: src/providers/krb5/krb5_child.c:3218 src/providers/ldap/ldap_child.c:607
++#: src/providers/krb5/krb5_child.c:3231 src/providers/ldap/ldap_child.c:607
+ msgid "Add debug timestamps"
+ msgstr "Adicionar tempos na depuração"
+ 
+-#: src/providers/krb5/krb5_child.c:3220 src/providers/ldap/ldap_child.c:609
++#: src/providers/krb5/krb5_child.c:3233 src/providers/ldap/ldap_child.c:609
+ msgid "Show timestamps with microseconds"
+ msgstr ""
+ 
+-#: src/providers/krb5/krb5_child.c:3222 src/providers/ldap/ldap_child.c:611
++#: src/providers/krb5/krb5_child.c:3235 src/providers/ldap/ldap_child.c:611
+ msgid "An open file descriptor for the debug logs"
+ msgstr "Um descritor de ficheiro aberto para os registos de depuração"
+ 
+-#: src/providers/krb5/krb5_child.c:3225 src/providers/ldap/ldap_child.c:613
++#: src/providers/krb5/krb5_child.c:3238 src/providers/ldap/ldap_child.c:613
+ msgid "Send the debug output to stderr directly."
+ msgstr ""
+ 
+-#: src/providers/krb5/krb5_child.c:3228
++#: src/providers/krb5/krb5_child.c:3241
+ msgid "The user to create FAST ccache as"
+ msgstr ""
+ 
+-#: src/providers/krb5/krb5_child.c:3230
++#: src/providers/krb5/krb5_child.c:3243
+ msgid "The group to create FAST ccache as"
+ msgstr ""
+ 
+-#: src/providers/krb5/krb5_child.c:3232
++#: src/providers/krb5/krb5_child.c:3245
+ msgid "Kerberos realm to use"
+ msgstr ""
+ 
+-#: src/providers/krb5/krb5_child.c:3234
++#: src/providers/krb5/krb5_child.c:3247
+ msgid "Requested lifetime of the ticket"
+ msgstr ""
+ 
+-#: src/providers/krb5/krb5_child.c:3236
++#: src/providers/krb5/krb5_child.c:3249
+ msgid "Requested renewable lifetime of the ticket"
+ msgstr ""
+ 
+-#: src/providers/krb5/krb5_child.c:3238
++#: src/providers/krb5/krb5_child.c:3251
+ msgid "FAST options ('never', 'try', 'demand')"
+ msgstr ""
+ 
+-#: src/providers/krb5/krb5_child.c:3241
++#: src/providers/krb5/krb5_child.c:3254
+ msgid "Specifies the server principal to use for FAST"
+ msgstr ""
+ 
+-#: src/providers/krb5/krb5_child.c:3243
++#: src/providers/krb5/krb5_child.c:3256
+ msgid "Requests canonicalization of the principal name"
+ msgstr ""
+ 
+-#: src/providers/krb5/krb5_child.c:3245
++#: src/providers/krb5/krb5_child.c:3258
+ msgid "Use custom version of krb5_get_init_creds_password"
+ msgstr ""
+ 
+-#: src/providers/data_provider_be.c:556
++#: src/providers/data_provider_be.c:582
+ msgid "Domain of the information provider (mandatory)"
+ msgstr "Domínio do fornecedor de informação (obrigatório)"
+ 
+@@ -1606,88 +1606,88 @@ msgstr ""
+ msgid "Permission denied. "
+ msgstr ""
+ 
+-#: src/sss_client/pam_sss.c:77 src/sss_client/pam_sss.c:782
+-#: src/sss_client/pam_sss.c:793
++#: src/sss_client/pam_sss.c:77 src/sss_client/pam_sss.c:785
++#: src/sss_client/pam_sss.c:796
+ msgid "Server message: "
+ msgstr "Mensagem do Servidor: "
+ 
+-#: src/sss_client/pam_sss.c:300
++#: src/sss_client/pam_sss.c:303
+ msgid "Passwords do not match"
+ msgstr "Senhas não coincidem"
+ 
+-#: src/sss_client/pam_sss.c:488
++#: src/sss_client/pam_sss.c:491
+ msgid "Password reset by root is not supported."
+ msgstr ""
+ 
+-#: src/sss_client/pam_sss.c:529
++#: src/sss_client/pam_sss.c:532
+ msgid "Authenticated with cached credentials"
+ msgstr ""
+ 
+-#: src/sss_client/pam_sss.c:530
++#: src/sss_client/pam_sss.c:533
+ msgid ", your cached password will expire at: "
+ msgstr ", a sua senha guardada em cache irá expirar em: "
+ 
+-#: src/sss_client/pam_sss.c:560
++#: src/sss_client/pam_sss.c:563
+ #, c-format
+ msgid "Your password has expired. You have %1$d grace login(s) remaining."
+ msgstr ""
+ 
+-#: src/sss_client/pam_sss.c:606
++#: src/sss_client/pam_sss.c:609
+ #, c-format
+ msgid "Your password will expire in %1$d %2$s."
+ msgstr ""
+ 
+-#: src/sss_client/pam_sss.c:655
++#: src/sss_client/pam_sss.c:658
+ msgid "Authentication is denied until: "
+ msgstr ""
+ 
+-#: src/sss_client/pam_sss.c:676
++#: src/sss_client/pam_sss.c:679
+ msgid "System is offline, password change not possible"
+ msgstr "O sistema está offline, a mudança de senha não é possível"
+ 
+-#: src/sss_client/pam_sss.c:691
++#: src/sss_client/pam_sss.c:694
+ msgid ""
+ "After changing the OTP password, you need to log out and back in order to "
+ "acquire a ticket"
+ msgstr ""
+ 
+-#: src/sss_client/pam_sss.c:779 src/sss_client/pam_sss.c:792
++#: src/sss_client/pam_sss.c:782 src/sss_client/pam_sss.c:795
+ msgid "Password change failed. "
+ msgstr "Alteração da senha falhou."
+ 
+-#: src/sss_client/pam_sss.c:1926
++#: src/sss_client/pam_sss.c:1972
+ msgid "New Password: "
+ msgstr "Nova Senha: "
+ 
+-#: src/sss_client/pam_sss.c:1927
++#: src/sss_client/pam_sss.c:1973
+ msgid "Reenter new Password: "
+ msgstr "Digite a senha novamente: "
+ 
+-#: src/sss_client/pam_sss.c:2039 src/sss_client/pam_sss.c:2042
++#: src/sss_client/pam_sss.c:2130 src/sss_client/pam_sss.c:2133
+ msgid "First Factor: "
+ msgstr ""
+ 
+-#: src/sss_client/pam_sss.c:2040 src/sss_client/pam_sss.c:2202
++#: src/sss_client/pam_sss.c:2131 src/sss_client/pam_sss.c:2294
+ msgid "Second Factor (optional): "
+ msgstr ""
+ 
+-#: src/sss_client/pam_sss.c:2043 src/sss_client/pam_sss.c:2205
++#: src/sss_client/pam_sss.c:2134 src/sss_client/pam_sss.c:2297
+ msgid "Second Factor: "
+ msgstr ""
+ 
+-#: src/sss_client/pam_sss.c:2058
++#: src/sss_client/pam_sss.c:2149
+ msgid "Password: "
+ msgstr "Senha: "
+ 
+-#: src/sss_client/pam_sss.c:2201 src/sss_client/pam_sss.c:2204
++#: src/sss_client/pam_sss.c:2293 src/sss_client/pam_sss.c:2296
+ msgid "First Factor (Current Password): "
+ msgstr ""
+ 
+-#: src/sss_client/pam_sss.c:2208
++#: src/sss_client/pam_sss.c:2300
+ msgid "Current Password: "
+ msgstr "Senha actual: "
+ 
+-#: src/sss_client/pam_sss.c:2536
++#: src/sss_client/pam_sss.c:2628
+ msgid "Password expired. Change your password now."
+ msgstr "A senha expirou. Altere a sua senha agora."
+ 
+@@ -1696,7 +1696,7 @@ msgstr "A senha expirou. Altere a sua senha agora."
+ #: src/tools/sss_groupadd.c:41 src/tools/sss_groupdel.c:44
+ #: src/tools/sss_groupmod.c:42 src/tools/sss_groupshow.c:668
+ #: src/tools/sss_userdel.c:134 src/tools/sss_usermod.c:47
+-#: src/tools/sss_cache.c:687
++#: src/tools/sss_cache.c:702
+ msgid "The debug level to run with"
+ msgstr "O nível de depuração a utilizar durante a execução"
+ 
+@@ -1709,7 +1709,7 @@ msgstr ""
+ #: src/tools/sss_groupadd.c:59 src/tools/sss_groupdel.c:54
+ #: src/tools/sss_groupmod.c:66 src/tools/sss_groupshow.c:680
+ #: src/tools/sss_userdel.c:152 src/tools/sss_usermod.c:79
+-#: src/tools/sss_cache.c:733
++#: src/tools/sss_cache.c:748
+ msgid "Error setting the locale\n"
+ msgstr "Erro ao definir a configuração regional\n"
+ 
+@@ -2175,88 +2175,88 @@ msgstr ""
+ msgid "Couldn't invalidate %1$s %2$s\n"
+ msgstr ""
+ 
+-#: src/tools/sss_cache.c:689
++#: src/tools/sss_cache.c:704
+ msgid "Invalidate all cached entries"
+ msgstr ""
+ 
+-#: src/tools/sss_cache.c:691
++#: src/tools/sss_cache.c:706
+ msgid "Invalidate particular user"
+ msgstr ""
+ 
+-#: src/tools/sss_cache.c:693
++#: src/tools/sss_cache.c:708
+ msgid "Invalidate all users"
+ msgstr ""
+ 
+-#: src/tools/sss_cache.c:695
++#: src/tools/sss_cache.c:710
+ msgid "Invalidate particular group"
+ msgstr ""
+ 
+-#: src/tools/sss_cache.c:697
++#: src/tools/sss_cache.c:712
+ msgid "Invalidate all groups"
+ msgstr ""
+ 
+-#: src/tools/sss_cache.c:699
++#: src/tools/sss_cache.c:714
+ msgid "Invalidate particular netgroup"
+ msgstr ""
+ 
+-#: src/tools/sss_cache.c:701
++#: src/tools/sss_cache.c:716
+ msgid "Invalidate all netgroups"
+ msgstr ""
+ 
+-#: src/tools/sss_cache.c:703
++#: src/tools/sss_cache.c:718
+ msgid "Invalidate particular service"
+ msgstr ""
+ 
+-#: src/tools/sss_cache.c:705
++#: src/tools/sss_cache.c:720
+ msgid "Invalidate all services"
+ msgstr ""
+ 
+-#: src/tools/sss_cache.c:708
++#: src/tools/sss_cache.c:723
+ msgid "Invalidate particular autofs map"
+ msgstr ""
+ 
+-#: src/tools/sss_cache.c:710
++#: src/tools/sss_cache.c:725
+ msgid "Invalidate all autofs maps"
+ msgstr ""
+ 
+-#: src/tools/sss_cache.c:714
++#: src/tools/sss_cache.c:729
+ msgid "Invalidate particular SSH host"
+ msgstr ""
+ 
+-#: src/tools/sss_cache.c:716
++#: src/tools/sss_cache.c:731
+ msgid "Invalidate all SSH hosts"
+ msgstr ""
+ 
+-#: src/tools/sss_cache.c:720
++#: src/tools/sss_cache.c:735
+ msgid "Invalidate particular sudo rule"
+ msgstr ""
+ 
+-#: src/tools/sss_cache.c:722
++#: src/tools/sss_cache.c:737
+ msgid "Invalidate all cached sudo rules"
+ msgstr ""
+ 
+-#: src/tools/sss_cache.c:725
++#: src/tools/sss_cache.c:740
+ msgid "Only invalidate entries from a particular domain"
+ msgstr ""
+ 
+-#: src/tools/sss_cache.c:779
++#: src/tools/sss_cache.c:794
+ msgid ""
+ "Unexpected argument(s) provided, options that invalidate a single object "
+ "only accept a single provided argument.\n"
+ msgstr ""
+ 
+-#: src/tools/sss_cache.c:789
++#: src/tools/sss_cache.c:804
+ msgid "Please select at least one object to invalidate\n"
+ msgstr ""
+ 
+-#: src/tools/sss_cache.c:872
++#: src/tools/sss_cache.c:887
+ #, c-format
+ msgid ""
+ "Could not open domain %1$s. If the domain is a subdomain (trusted domain), "
+ "use fully qualified name instead of --domain/-d parameter.\n"
+ msgstr ""
+ 
+-#: src/tools/sss_cache.c:877
++#: src/tools/sss_cache.c:892
+ msgid "Could not open available domains\n"
+ msgstr ""
+ 
+@@ -2820,18 +2820,18 @@ msgstr ""
+ msgid " - no env -\n"
+ msgstr ""
+ 
+-#: src/util/util.h:75
++#: src/util/util.h:83
+ msgid "The user ID to run the server as"
+ msgstr ""
+ 
+-#: src/util/util.h:77
++#: src/util/util.h:85
+ msgid "The group ID to run the server as"
+ msgstr ""
+ 
+-#: src/util/util.h:85
++#: src/util/util.h:93
+ msgid "Informs that the responder has been socket-activated"
+ msgstr ""
+ 
+-#: src/util/util.h:87
++#: src/util/util.h:95
+ msgid "Informs that the responder has been dbus-activated"
+ msgstr ""
+diff --git a/po/pt_BR.po b/po/pt_BR.po
+index 1b3922359..f7beb2024 100644
+--- a/po/pt_BR.po
++++ b/po/pt_BR.po
+@@ -3,7 +3,7 @@ msgid ""
+ msgstr ""
+ "Project-Id-Version: PACKAGE VERSION\n"
+ "Report-Msgid-Bugs-To: sssd-devel@lists.fedorahosted.org\n"
+-"POT-Creation-Date: 2019-03-20 22:07+0100\n"
++"POT-Creation-Date: 2019-10-07 11:34+0200\n"
+ "PO-Revision-Date: 2015-10-27 08:15+0000\n"
+ "Last-Translator: Marco Aurélio Krause <ouesten@me.com>\n"
+ "Language-Team: Portuguese (Brazil)\n"
+@@ -1501,63 +1501,63 @@ msgstr ""
+ msgid "SSSD is already running\n"
+ msgstr ""
+ 
+-#: src/providers/krb5/krb5_child.c:3216 src/providers/ldap/ldap_child.c:605
++#: src/providers/krb5/krb5_child.c:3229 src/providers/ldap/ldap_child.c:605
+ msgid "Debug level"
+ msgstr ""
+ 
+-#: src/providers/krb5/krb5_child.c:3218 src/providers/ldap/ldap_child.c:607
++#: src/providers/krb5/krb5_child.c:3231 src/providers/ldap/ldap_child.c:607
+ msgid "Add debug timestamps"
+ msgstr ""
+ 
+-#: src/providers/krb5/krb5_child.c:3220 src/providers/ldap/ldap_child.c:609
++#: src/providers/krb5/krb5_child.c:3233 src/providers/ldap/ldap_child.c:609
+ msgid "Show timestamps with microseconds"
+ msgstr ""
+ 
+-#: src/providers/krb5/krb5_child.c:3222 src/providers/ldap/ldap_child.c:611
++#: src/providers/krb5/krb5_child.c:3235 src/providers/ldap/ldap_child.c:611
+ msgid "An open file descriptor for the debug logs"
+ msgstr ""
+ 
+-#: src/providers/krb5/krb5_child.c:3225 src/providers/ldap/ldap_child.c:613
++#: src/providers/krb5/krb5_child.c:3238 src/providers/ldap/ldap_child.c:613
+ msgid "Send the debug output to stderr directly."
+ msgstr ""
+ 
+-#: src/providers/krb5/krb5_child.c:3228
++#: src/providers/krb5/krb5_child.c:3241
+ msgid "The user to create FAST ccache as"
+ msgstr ""
+ 
+-#: src/providers/krb5/krb5_child.c:3230
++#: src/providers/krb5/krb5_child.c:3243
+ msgid "The group to create FAST ccache as"
+ msgstr ""
+ 
+-#: src/providers/krb5/krb5_child.c:3232
++#: src/providers/krb5/krb5_child.c:3245
+ msgid "Kerberos realm to use"
+ msgstr ""
+ 
+-#: src/providers/krb5/krb5_child.c:3234
++#: src/providers/krb5/krb5_child.c:3247
+ msgid "Requested lifetime of the ticket"
+ msgstr ""
+ 
+-#: src/providers/krb5/krb5_child.c:3236
++#: src/providers/krb5/krb5_child.c:3249
+ msgid "Requested renewable lifetime of the ticket"
+ msgstr ""
+ 
+-#: src/providers/krb5/krb5_child.c:3238
++#: src/providers/krb5/krb5_child.c:3251
+ msgid "FAST options ('never', 'try', 'demand')"
+ msgstr ""
+ 
+-#: src/providers/krb5/krb5_child.c:3241
++#: src/providers/krb5/krb5_child.c:3254
+ msgid "Specifies the server principal to use for FAST"
+ msgstr ""
+ 
+-#: src/providers/krb5/krb5_child.c:3243
++#: src/providers/krb5/krb5_child.c:3256
+ msgid "Requests canonicalization of the principal name"
+ msgstr ""
+ 
+-#: src/providers/krb5/krb5_child.c:3245
++#: src/providers/krb5/krb5_child.c:3258
+ msgid "Use custom version of krb5_get_init_creds_password"
+ msgstr ""
+ 
+-#: src/providers/data_provider_be.c:556
++#: src/providers/data_provider_be.c:582
+ msgid "Domain of the information provider (mandatory)"
+ msgstr ""
+ 
+@@ -1589,88 +1589,88 @@ msgstr ""
+ msgid "Permission denied. "
+ msgstr ""
+ 
+-#: src/sss_client/pam_sss.c:77 src/sss_client/pam_sss.c:782
+-#: src/sss_client/pam_sss.c:793
++#: src/sss_client/pam_sss.c:77 src/sss_client/pam_sss.c:785
++#: src/sss_client/pam_sss.c:796
+ msgid "Server message: "
+ msgstr ""
+ 
+-#: src/sss_client/pam_sss.c:300
++#: src/sss_client/pam_sss.c:303
+ msgid "Passwords do not match"
+ msgstr ""
+ 
+-#: src/sss_client/pam_sss.c:488
++#: src/sss_client/pam_sss.c:491
+ msgid "Password reset by root is not supported."
+ msgstr ""
+ 
+-#: src/sss_client/pam_sss.c:529
++#: src/sss_client/pam_sss.c:532
+ msgid "Authenticated with cached credentials"
+ msgstr ""
+ 
+-#: src/sss_client/pam_sss.c:530
++#: src/sss_client/pam_sss.c:533
+ msgid ", your cached password will expire at: "
+ msgstr ""
+ 
+-#: src/sss_client/pam_sss.c:560
++#: src/sss_client/pam_sss.c:563
+ #, c-format
+ msgid "Your password has expired. You have %1$d grace login(s) remaining."
+ msgstr ""
+ 
+-#: src/sss_client/pam_sss.c:606
++#: src/sss_client/pam_sss.c:609
+ #, c-format
+ msgid "Your password will expire in %1$d %2$s."
+ msgstr ""
+ 
+-#: src/sss_client/pam_sss.c:655
++#: src/sss_client/pam_sss.c:658
+ msgid "Authentication is denied until: "
+ msgstr ""
+ 
+-#: src/sss_client/pam_sss.c:676
++#: src/sss_client/pam_sss.c:679
+ msgid "System is offline, password change not possible"
+ msgstr ""
+ 
+-#: src/sss_client/pam_sss.c:691
++#: src/sss_client/pam_sss.c:694
+ msgid ""
+ "After changing the OTP password, you need to log out and back in order to "
+ "acquire a ticket"
+ msgstr ""
+ 
+-#: src/sss_client/pam_sss.c:779 src/sss_client/pam_sss.c:792
++#: src/sss_client/pam_sss.c:782 src/sss_client/pam_sss.c:795
+ msgid "Password change failed. "
+ msgstr ""
+ 
+-#: src/sss_client/pam_sss.c:1926
++#: src/sss_client/pam_sss.c:1972
+ msgid "New Password: "
+ msgstr ""
+ 
+-#: src/sss_client/pam_sss.c:1927
++#: src/sss_client/pam_sss.c:1973
+ msgid "Reenter new Password: "
+ msgstr ""
+ 
+-#: src/sss_client/pam_sss.c:2039 src/sss_client/pam_sss.c:2042
++#: src/sss_client/pam_sss.c:2130 src/sss_client/pam_sss.c:2133
+ msgid "First Factor: "
+ msgstr ""
+ 
+-#: src/sss_client/pam_sss.c:2040 src/sss_client/pam_sss.c:2202
++#: src/sss_client/pam_sss.c:2131 src/sss_client/pam_sss.c:2294
+ msgid "Second Factor (optional): "
+ msgstr ""
+ 
+-#: src/sss_client/pam_sss.c:2043 src/sss_client/pam_sss.c:2205
++#: src/sss_client/pam_sss.c:2134 src/sss_client/pam_sss.c:2297
+ msgid "Second Factor: "
+ msgstr ""
+ 
+-#: src/sss_client/pam_sss.c:2058
++#: src/sss_client/pam_sss.c:2149
+ msgid "Password: "
+ msgstr ""
+ 
+-#: src/sss_client/pam_sss.c:2201 src/sss_client/pam_sss.c:2204
++#: src/sss_client/pam_sss.c:2293 src/sss_client/pam_sss.c:2296
+ msgid "First Factor (Current Password): "
+ msgstr ""
+ 
+-#: src/sss_client/pam_sss.c:2208
++#: src/sss_client/pam_sss.c:2300
+ msgid "Current Password: "
+ msgstr ""
+ 
+-#: src/sss_client/pam_sss.c:2536
++#: src/sss_client/pam_sss.c:2628
+ msgid "Password expired. Change your password now."
+ msgstr ""
+ 
+@@ -1679,7 +1679,7 @@ msgstr ""
+ #: src/tools/sss_groupadd.c:41 src/tools/sss_groupdel.c:44
+ #: src/tools/sss_groupmod.c:42 src/tools/sss_groupshow.c:668
+ #: src/tools/sss_userdel.c:134 src/tools/sss_usermod.c:47
+-#: src/tools/sss_cache.c:687
++#: src/tools/sss_cache.c:702
+ msgid "The debug level to run with"
+ msgstr ""
+ 
+@@ -1692,7 +1692,7 @@ msgstr ""
+ #: src/tools/sss_groupadd.c:59 src/tools/sss_groupdel.c:54
+ #: src/tools/sss_groupmod.c:66 src/tools/sss_groupshow.c:680
+ #: src/tools/sss_userdel.c:152 src/tools/sss_usermod.c:79
+-#: src/tools/sss_cache.c:733
++#: src/tools/sss_cache.c:748
+ msgid "Error setting the locale\n"
+ msgstr ""
+ 
+@@ -2140,88 +2140,88 @@ msgstr ""
+ msgid "Couldn't invalidate %1$s %2$s\n"
+ msgstr ""
+ 
+-#: src/tools/sss_cache.c:689
++#: src/tools/sss_cache.c:704
+ msgid "Invalidate all cached entries"
+ msgstr ""
+ 
+-#: src/tools/sss_cache.c:691
++#: src/tools/sss_cache.c:706
+ msgid "Invalidate particular user"
+ msgstr ""
+ 
+-#: src/tools/sss_cache.c:693
++#: src/tools/sss_cache.c:708
+ msgid "Invalidate all users"
+ msgstr ""
+ 
+-#: src/tools/sss_cache.c:695
++#: src/tools/sss_cache.c:710
+ msgid "Invalidate particular group"
+ msgstr ""
+ 
+-#: src/tools/sss_cache.c:697
++#: src/tools/sss_cache.c:712
+ msgid "Invalidate all groups"
+ msgstr ""
+ 
+-#: src/tools/sss_cache.c:699
++#: src/tools/sss_cache.c:714
+ msgid "Invalidate particular netgroup"
+ msgstr ""
+ 
+-#: src/tools/sss_cache.c:701
++#: src/tools/sss_cache.c:716
+ msgid "Invalidate all netgroups"
+ msgstr ""
+ 
+-#: src/tools/sss_cache.c:703
++#: src/tools/sss_cache.c:718
+ msgid "Invalidate particular service"
+ msgstr ""
+ 
+-#: src/tools/sss_cache.c:705
++#: src/tools/sss_cache.c:720
+ msgid "Invalidate all services"
+ msgstr ""
+ 
+-#: src/tools/sss_cache.c:708
++#: src/tools/sss_cache.c:723
+ msgid "Invalidate particular autofs map"
+ msgstr ""
+ 
+-#: src/tools/sss_cache.c:710
++#: src/tools/sss_cache.c:725
+ msgid "Invalidate all autofs maps"
+ msgstr ""
+ 
+-#: src/tools/sss_cache.c:714
++#: src/tools/sss_cache.c:729
+ msgid "Invalidate particular SSH host"
+ msgstr ""
+ 
+-#: src/tools/sss_cache.c:716
++#: src/tools/sss_cache.c:731
+ msgid "Invalidate all SSH hosts"
+ msgstr ""
+ 
+-#: src/tools/sss_cache.c:720
++#: src/tools/sss_cache.c:735
+ msgid "Invalidate particular sudo rule"
+ msgstr ""
+ 
+-#: src/tools/sss_cache.c:722
++#: src/tools/sss_cache.c:737
+ msgid "Invalidate all cached sudo rules"
+ msgstr ""
+ 
+-#: src/tools/sss_cache.c:725
++#: src/tools/sss_cache.c:740
+ msgid "Only invalidate entries from a particular domain"
+ msgstr ""
+ 
+-#: src/tools/sss_cache.c:779
++#: src/tools/sss_cache.c:794
+ msgid ""
+ "Unexpected argument(s) provided, options that invalidate a single object "
+ "only accept a single provided argument.\n"
+ msgstr ""
+ 
+-#: src/tools/sss_cache.c:789
++#: src/tools/sss_cache.c:804
+ msgid "Please select at least one object to invalidate\n"
+ msgstr ""
+ 
+-#: src/tools/sss_cache.c:872
++#: src/tools/sss_cache.c:887
+ #, c-format
+ msgid ""
+ "Could not open domain %1$s. If the domain is a subdomain (trusted domain), "
+ "use fully qualified name instead of --domain/-d parameter.\n"
+ msgstr ""
+ 
+-#: src/tools/sss_cache.c:877
++#: src/tools/sss_cache.c:892
+ msgid "Could not open available domains\n"
+ msgstr ""
+ 
+@@ -2785,18 +2785,18 @@ msgstr ""
+ msgid " - no env -\n"
+ msgstr ""
+ 
+-#: src/util/util.h:75
++#: src/util/util.h:83
+ msgid "The user ID to run the server as"
+ msgstr ""
+ 
+-#: src/util/util.h:77
++#: src/util/util.h:85
+ msgid "The group ID to run the server as"
+ msgstr ""
+ 
+-#: src/util/util.h:85
++#: src/util/util.h:93
+ msgid "Informs that the responder has been socket-activated"
+ msgstr ""
+ 
+-#: src/util/util.h:87
++#: src/util/util.h:95
+ msgid "Informs that the responder has been dbus-activated"
+ msgstr ""
+diff --git a/po/ru.po b/po/ru.po
+index 0b3833cdb..1fc53cd84 100644
+--- a/po/ru.po
++++ b/po/ru.po
+@@ -9,7 +9,7 @@ msgid ""
+ msgstr ""
+ "Project-Id-Version: PACKAGE VERSION\n"
+ "Report-Msgid-Bugs-To: sssd-devel@lists.fedorahosted.org\n"
+-"POT-Creation-Date: 2019-03-20 22:07+0100\n"
++"POT-Creation-Date: 2019-10-07 11:34+0200\n"
+ "PO-Revision-Date: 2016-02-23 10:04+0000\n"
+ "Last-Translator: Oleksii Levan <exlevan@gmail.com>\n"
+ "Language-Team: Russian (http://www.transifex.com/projects/p/sssd/language/"
+@@ -1536,63 +1536,63 @@ msgstr ""
+ msgid "SSSD is already running\n"
+ msgstr ""
+ 
+-#: src/providers/krb5/krb5_child.c:3216 src/providers/ldap/ldap_child.c:605
++#: src/providers/krb5/krb5_child.c:3229 src/providers/ldap/ldap_child.c:605
+ msgid "Debug level"
+ msgstr "Уровень отладки"
+ 
+-#: src/providers/krb5/krb5_child.c:3218 src/providers/ldap/ldap_child.c:607
++#: src/providers/krb5/krb5_child.c:3231 src/providers/ldap/ldap_child.c:607
+ msgid "Add debug timestamps"
+ msgstr "Добавить отладочные отметки времени"
+ 
+-#: src/providers/krb5/krb5_child.c:3220 src/providers/ldap/ldap_child.c:609
++#: src/providers/krb5/krb5_child.c:3233 src/providers/ldap/ldap_child.c:609
+ msgid "Show timestamps with microseconds"
+ msgstr ""
+ 
+-#: src/providers/krb5/krb5_child.c:3222 src/providers/ldap/ldap_child.c:611
++#: src/providers/krb5/krb5_child.c:3235 src/providers/ldap/ldap_child.c:611
+ msgid "An open file descriptor for the debug logs"
+ msgstr "Открытый дескриптор файла для журналов отладки"
+ 
+-#: src/providers/krb5/krb5_child.c:3225 src/providers/ldap/ldap_child.c:613
++#: src/providers/krb5/krb5_child.c:3238 src/providers/ldap/ldap_child.c:613
+ msgid "Send the debug output to stderr directly."
+ msgstr ""
+ 
+-#: src/providers/krb5/krb5_child.c:3228
++#: src/providers/krb5/krb5_child.c:3241
+ msgid "The user to create FAST ccache as"
+ msgstr ""
+ 
+-#: src/providers/krb5/krb5_child.c:3230
++#: src/providers/krb5/krb5_child.c:3243
+ msgid "The group to create FAST ccache as"
+ msgstr ""
+ 
+-#: src/providers/krb5/krb5_child.c:3232
++#: src/providers/krb5/krb5_child.c:3245
+ msgid "Kerberos realm to use"
+ msgstr ""
+ 
+-#: src/providers/krb5/krb5_child.c:3234
++#: src/providers/krb5/krb5_child.c:3247
+ msgid "Requested lifetime of the ticket"
+ msgstr ""
+ 
+-#: src/providers/krb5/krb5_child.c:3236
++#: src/providers/krb5/krb5_child.c:3249
+ msgid "Requested renewable lifetime of the ticket"
+ msgstr ""
+ 
+-#: src/providers/krb5/krb5_child.c:3238
++#: src/providers/krb5/krb5_child.c:3251
+ msgid "FAST options ('never', 'try', 'demand')"
+ msgstr ""
+ 
+-#: src/providers/krb5/krb5_child.c:3241
++#: src/providers/krb5/krb5_child.c:3254
+ msgid "Specifies the server principal to use for FAST"
+ msgstr ""
+ 
+-#: src/providers/krb5/krb5_child.c:3243
++#: src/providers/krb5/krb5_child.c:3256
+ msgid "Requests canonicalization of the principal name"
+ msgstr ""
+ 
+-#: src/providers/krb5/krb5_child.c:3245
++#: src/providers/krb5/krb5_child.c:3258
+ msgid "Use custom version of krb5_get_init_creds_password"
+ msgstr ""
+ 
+-#: src/providers/data_provider_be.c:556
++#: src/providers/data_provider_be.c:582
+ msgid "Domain of the information provider (mandatory)"
+ msgstr "Домен поставщика информации (обязательный)"
+ 
+@@ -1626,88 +1626,88 @@ msgstr ""
+ msgid "Permission denied. "
+ msgstr ""
+ 
+-#: src/sss_client/pam_sss.c:77 src/sss_client/pam_sss.c:782
+-#: src/sss_client/pam_sss.c:793
++#: src/sss_client/pam_sss.c:77 src/sss_client/pam_sss.c:785
++#: src/sss_client/pam_sss.c:796
+ msgid "Server message: "
+ msgstr "Сообщение сервера:"
+ 
+-#: src/sss_client/pam_sss.c:300
++#: src/sss_client/pam_sss.c:303
+ msgid "Passwords do not match"
+ msgstr "Пароли не совпадают"
+ 
+-#: src/sss_client/pam_sss.c:488
++#: src/sss_client/pam_sss.c:491
+ msgid "Password reset by root is not supported."
+ msgstr ""
+ 
+-#: src/sss_client/pam_sss.c:529
++#: src/sss_client/pam_sss.c:532
+ msgid "Authenticated with cached credentials"
+ msgstr ""
+ 
+-#: src/sss_client/pam_sss.c:530
++#: src/sss_client/pam_sss.c:533
+ msgid ", your cached password will expire at: "
+ msgstr ", срок действия вашего кэшированного пароль истечёт:"
+ 
+-#: src/sss_client/pam_sss.c:560
++#: src/sss_client/pam_sss.c:563
+ #, c-format
+ msgid "Your password has expired. You have %1$d grace login(s) remaining."
+ msgstr ""
+ 
+-#: src/sss_client/pam_sss.c:606
++#: src/sss_client/pam_sss.c:609
+ #, c-format
+ msgid "Your password will expire in %1$d %2$s."
+ msgstr ""
+ 
+-#: src/sss_client/pam_sss.c:655
++#: src/sss_client/pam_sss.c:658
+ msgid "Authentication is denied until: "
+ msgstr ""
+ 
+-#: src/sss_client/pam_sss.c:676
++#: src/sss_client/pam_sss.c:679
+ msgid "System is offline, password change not possible"
+ msgstr "Система находится в автономном режиме, невозможно сменить пароль"
+ 
+-#: src/sss_client/pam_sss.c:691
++#: src/sss_client/pam_sss.c:694
+ msgid ""
+ "After changing the OTP password, you need to log out and back in order to "
+ "acquire a ticket"
+ msgstr ""
+ 
+-#: src/sss_client/pam_sss.c:779 src/sss_client/pam_sss.c:792
++#: src/sss_client/pam_sss.c:782 src/sss_client/pam_sss.c:795
+ msgid "Password change failed. "
+ msgstr "Не удалось сменить пароль."
+ 
+-#: src/sss_client/pam_sss.c:1926
++#: src/sss_client/pam_sss.c:1972
+ msgid "New Password: "
+ msgstr "Новый пароль:"
+ 
+-#: src/sss_client/pam_sss.c:1927
++#: src/sss_client/pam_sss.c:1973
+ msgid "Reenter new Password: "
+ msgstr "Введите новый пароль ещё раз:"
+ 
+-#: src/sss_client/pam_sss.c:2039 src/sss_client/pam_sss.c:2042
++#: src/sss_client/pam_sss.c:2130 src/sss_client/pam_sss.c:2133
+ msgid "First Factor: "
+ msgstr ""
+ 
+-#: src/sss_client/pam_sss.c:2040 src/sss_client/pam_sss.c:2202
++#: src/sss_client/pam_sss.c:2131 src/sss_client/pam_sss.c:2294
+ msgid "Second Factor (optional): "
+ msgstr ""
+ 
+-#: src/sss_client/pam_sss.c:2043 src/sss_client/pam_sss.c:2205
++#: src/sss_client/pam_sss.c:2134 src/sss_client/pam_sss.c:2297
+ msgid "Second Factor: "
+ msgstr ""
+ 
+-#: src/sss_client/pam_sss.c:2058
++#: src/sss_client/pam_sss.c:2149
+ msgid "Password: "
+ msgstr "Пароль:"
+ 
+-#: src/sss_client/pam_sss.c:2201 src/sss_client/pam_sss.c:2204
++#: src/sss_client/pam_sss.c:2293 src/sss_client/pam_sss.c:2296
+ msgid "First Factor (Current Password): "
+ msgstr ""
+ 
+-#: src/sss_client/pam_sss.c:2208
++#: src/sss_client/pam_sss.c:2300
+ msgid "Current Password: "
+ msgstr "Текущий пароль:"
+ 
+-#: src/sss_client/pam_sss.c:2536
++#: src/sss_client/pam_sss.c:2628
+ msgid "Password expired. Change your password now."
+ msgstr "Срок действия пароля истёк. Необходимо сейчас изменить ваш пароль."
+ 
+@@ -1716,7 +1716,7 @@ msgstr "Срок действия пароля истёк. Необходимо
+ #: src/tools/sss_groupadd.c:41 src/tools/sss_groupdel.c:44
+ #: src/tools/sss_groupmod.c:42 src/tools/sss_groupshow.c:668
+ #: src/tools/sss_userdel.c:134 src/tools/sss_usermod.c:47
+-#: src/tools/sss_cache.c:687
++#: src/tools/sss_cache.c:702
+ msgid "The debug level to run with"
+ msgstr "Уровень отладки для запуска"
+ 
+@@ -1729,7 +1729,7 @@ msgstr ""
+ #: src/tools/sss_groupadd.c:59 src/tools/sss_groupdel.c:54
+ #: src/tools/sss_groupmod.c:66 src/tools/sss_groupshow.c:680
+ #: src/tools/sss_userdel.c:152 src/tools/sss_usermod.c:79
+-#: src/tools/sss_cache.c:733
++#: src/tools/sss_cache.c:748
+ msgid "Error setting the locale\n"
+ msgstr ""
+ 
+@@ -2192,88 +2192,88 @@ msgstr ""
+ msgid "Couldn't invalidate %1$s %2$s\n"
+ msgstr ""
+ 
+-#: src/tools/sss_cache.c:689
++#: src/tools/sss_cache.c:704
+ msgid "Invalidate all cached entries"
+ msgstr ""
+ 
+-#: src/tools/sss_cache.c:691
++#: src/tools/sss_cache.c:706
+ msgid "Invalidate particular user"
+ msgstr ""
+ 
+-#: src/tools/sss_cache.c:693
++#: src/tools/sss_cache.c:708
+ msgid "Invalidate all users"
+ msgstr ""
+ 
+-#: src/tools/sss_cache.c:695
++#: src/tools/sss_cache.c:710
+ msgid "Invalidate particular group"
+ msgstr ""
+ 
+-#: src/tools/sss_cache.c:697
++#: src/tools/sss_cache.c:712
+ msgid "Invalidate all groups"
+ msgstr ""
+ 
+-#: src/tools/sss_cache.c:699
++#: src/tools/sss_cache.c:714
+ msgid "Invalidate particular netgroup"
+ msgstr ""
+ 
+-#: src/tools/sss_cache.c:701
++#: src/tools/sss_cache.c:716
+ msgid "Invalidate all netgroups"
+ msgstr ""
+ 
+-#: src/tools/sss_cache.c:703
++#: src/tools/sss_cache.c:718
+ msgid "Invalidate particular service"
+ msgstr ""
+ 
+-#: src/tools/sss_cache.c:705
++#: src/tools/sss_cache.c:720
+ msgid "Invalidate all services"
+ msgstr ""
+ 
+-#: src/tools/sss_cache.c:708
++#: src/tools/sss_cache.c:723
+ msgid "Invalidate particular autofs map"
+ msgstr ""
+ 
+-#: src/tools/sss_cache.c:710
++#: src/tools/sss_cache.c:725
+ msgid "Invalidate all autofs maps"
+ msgstr ""
+ 
+-#: src/tools/sss_cache.c:714
++#: src/tools/sss_cache.c:729
+ msgid "Invalidate particular SSH host"
+ msgstr ""
+ 
+-#: src/tools/sss_cache.c:716
++#: src/tools/sss_cache.c:731
+ msgid "Invalidate all SSH hosts"
+ msgstr ""
+ 
+-#: src/tools/sss_cache.c:720
++#: src/tools/sss_cache.c:735
+ msgid "Invalidate particular sudo rule"
+ msgstr ""
+ 
+-#: src/tools/sss_cache.c:722
++#: src/tools/sss_cache.c:737
+ msgid "Invalidate all cached sudo rules"
+ msgstr ""
+ 
+-#: src/tools/sss_cache.c:725
++#: src/tools/sss_cache.c:740
+ msgid "Only invalidate entries from a particular domain"
+ msgstr ""
+ 
+-#: src/tools/sss_cache.c:779
++#: src/tools/sss_cache.c:794
+ msgid ""
+ "Unexpected argument(s) provided, options that invalidate a single object "
+ "only accept a single provided argument.\n"
+ msgstr ""
+ 
+-#: src/tools/sss_cache.c:789
++#: src/tools/sss_cache.c:804
+ msgid "Please select at least one object to invalidate\n"
+ msgstr ""
+ 
+-#: src/tools/sss_cache.c:872
++#: src/tools/sss_cache.c:887
+ #, c-format
+ msgid ""
+ "Could not open domain %1$s. If the domain is a subdomain (trusted domain), "
+ "use fully qualified name instead of --domain/-d parameter.\n"
+ msgstr ""
+ 
+-#: src/tools/sss_cache.c:877
++#: src/tools/sss_cache.c:892
+ msgid "Could not open available domains\n"
+ msgstr ""
+ 
+@@ -2837,18 +2837,18 @@ msgstr ""
+ msgid " - no env -\n"
+ msgstr ""
+ 
+-#: src/util/util.h:75
++#: src/util/util.h:83
+ msgid "The user ID to run the server as"
+ msgstr "ID пользователя, под которым запускать сервер"
+ 
+-#: src/util/util.h:77
++#: src/util/util.h:85
+ msgid "The group ID to run the server as"
+ msgstr "ID группы, под которым запускать сервер"
+ 
+-#: src/util/util.h:85
++#: src/util/util.h:93
+ msgid "Informs that the responder has been socket-activated"
+ msgstr ""
+ 
+-#: src/util/util.h:87
++#: src/util/util.h:95
+ msgid "Informs that the responder has been dbus-activated"
+ msgstr ""
+diff --git a/po/sssd.pot b/po/sssd.pot
+index e351f82ff..634db1303 100644
+--- a/po/sssd.pot
++++ b/po/sssd.pot
+@@ -8,7 +8,7 @@ msgid ""
+ msgstr ""
+ "Project-Id-Version: PACKAGE VERSION\n"
+ "Report-Msgid-Bugs-To: sssd-devel@lists.fedorahosted.org\n"
+-"POT-Creation-Date: 2019-03-20 22:07+0100\n"
++"POT-Creation-Date: 2019-10-07 11:34+0200\n"
+ "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
+ "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
+ "Language-Team: LANGUAGE <LL@li.org>\n"
+@@ -1504,63 +1504,63 @@ msgstr ""
+ msgid "SSSD is already running\n"
+ msgstr ""
+ 
+-#: src/providers/krb5/krb5_child.c:3216 src/providers/ldap/ldap_child.c:605
++#: src/providers/krb5/krb5_child.c:3229 src/providers/ldap/ldap_child.c:605
+ msgid "Debug level"
+ msgstr ""
+ 
+-#: src/providers/krb5/krb5_child.c:3218 src/providers/ldap/ldap_child.c:607
++#: src/providers/krb5/krb5_child.c:3231 src/providers/ldap/ldap_child.c:607
+ msgid "Add debug timestamps"
+ msgstr ""
+ 
+-#: src/providers/krb5/krb5_child.c:3220 src/providers/ldap/ldap_child.c:609
++#: src/providers/krb5/krb5_child.c:3233 src/providers/ldap/ldap_child.c:609
+ msgid "Show timestamps with microseconds"
+ msgstr ""
+ 
+-#: src/providers/krb5/krb5_child.c:3222 src/providers/ldap/ldap_child.c:611
++#: src/providers/krb5/krb5_child.c:3235 src/providers/ldap/ldap_child.c:611
+ msgid "An open file descriptor for the debug logs"
+ msgstr ""
+ 
+-#: src/providers/krb5/krb5_child.c:3225 src/providers/ldap/ldap_child.c:613
++#: src/providers/krb5/krb5_child.c:3238 src/providers/ldap/ldap_child.c:613
+ msgid "Send the debug output to stderr directly."
+ msgstr ""
+ 
+-#: src/providers/krb5/krb5_child.c:3228
++#: src/providers/krb5/krb5_child.c:3241
+ msgid "The user to create FAST ccache as"
+ msgstr ""
+ 
+-#: src/providers/krb5/krb5_child.c:3230
++#: src/providers/krb5/krb5_child.c:3243
+ msgid "The group to create FAST ccache as"
+ msgstr ""
+ 
+-#: src/providers/krb5/krb5_child.c:3232
++#: src/providers/krb5/krb5_child.c:3245
+ msgid "Kerberos realm to use"
+ msgstr ""
+ 
+-#: src/providers/krb5/krb5_child.c:3234
++#: src/providers/krb5/krb5_child.c:3247
+ msgid "Requested lifetime of the ticket"
+ msgstr ""
+ 
+-#: src/providers/krb5/krb5_child.c:3236
++#: src/providers/krb5/krb5_child.c:3249
+ msgid "Requested renewable lifetime of the ticket"
+ msgstr ""
+ 
+-#: src/providers/krb5/krb5_child.c:3238
++#: src/providers/krb5/krb5_child.c:3251
+ msgid "FAST options ('never', 'try', 'demand')"
+ msgstr ""
+ 
+-#: src/providers/krb5/krb5_child.c:3241
++#: src/providers/krb5/krb5_child.c:3254
+ msgid "Specifies the server principal to use for FAST"
+ msgstr ""
+ 
+-#: src/providers/krb5/krb5_child.c:3243
++#: src/providers/krb5/krb5_child.c:3256
+ msgid "Requests canonicalization of the principal name"
+ msgstr ""
+ 
+-#: src/providers/krb5/krb5_child.c:3245
++#: src/providers/krb5/krb5_child.c:3258
+ msgid "Use custom version of krb5_get_init_creds_password"
+ msgstr ""
+ 
+-#: src/providers/data_provider_be.c:556
++#: src/providers/data_provider_be.c:582
+ msgid "Domain of the information provider (mandatory)"
+ msgstr ""
+ 
+@@ -1592,88 +1592,88 @@ msgstr ""
+ msgid "Permission denied. "
+ msgstr ""
+ 
+-#: src/sss_client/pam_sss.c:77 src/sss_client/pam_sss.c:782
+-#: src/sss_client/pam_sss.c:793
++#: src/sss_client/pam_sss.c:77 src/sss_client/pam_sss.c:785
++#: src/sss_client/pam_sss.c:796
+ msgid "Server message: "
+ msgstr ""
+ 
+-#: src/sss_client/pam_sss.c:300
++#: src/sss_client/pam_sss.c:303
+ msgid "Passwords do not match"
+ msgstr ""
+ 
+-#: src/sss_client/pam_sss.c:488
++#: src/sss_client/pam_sss.c:491
+ msgid "Password reset by root is not supported."
+ msgstr ""
+ 
+-#: src/sss_client/pam_sss.c:529
++#: src/sss_client/pam_sss.c:532
+ msgid "Authenticated with cached credentials"
+ msgstr ""
+ 
+-#: src/sss_client/pam_sss.c:530
++#: src/sss_client/pam_sss.c:533
+ msgid ", your cached password will expire at: "
+ msgstr ""
+ 
+-#: src/sss_client/pam_sss.c:560
++#: src/sss_client/pam_sss.c:563
+ #, c-format
+ msgid "Your password has expired. You have %1$d grace login(s) remaining."
+ msgstr ""
+ 
+-#: src/sss_client/pam_sss.c:606
++#: src/sss_client/pam_sss.c:609
+ #, c-format
+ msgid "Your password will expire in %1$d %2$s."
+ msgstr ""
+ 
+-#: src/sss_client/pam_sss.c:655
++#: src/sss_client/pam_sss.c:658
+ msgid "Authentication is denied until: "
+ msgstr ""
+ 
+-#: src/sss_client/pam_sss.c:676
++#: src/sss_client/pam_sss.c:679
+ msgid "System is offline, password change not possible"
+ msgstr ""
+ 
+-#: src/sss_client/pam_sss.c:691
++#: src/sss_client/pam_sss.c:694
+ msgid ""
+ "After changing the OTP password, you need to log out and back in order to "
+ "acquire a ticket"
+ msgstr ""
+ 
+-#: src/sss_client/pam_sss.c:779 src/sss_client/pam_sss.c:792
++#: src/sss_client/pam_sss.c:782 src/sss_client/pam_sss.c:795
+ msgid "Password change failed. "
+ msgstr ""
+ 
+-#: src/sss_client/pam_sss.c:1926
++#: src/sss_client/pam_sss.c:1972
+ msgid "New Password: "
+ msgstr ""
+ 
+-#: src/sss_client/pam_sss.c:1927
++#: src/sss_client/pam_sss.c:1973
+ msgid "Reenter new Password: "
+ msgstr ""
+ 
+-#: src/sss_client/pam_sss.c:2039 src/sss_client/pam_sss.c:2042
++#: src/sss_client/pam_sss.c:2130 src/sss_client/pam_sss.c:2133
+ msgid "First Factor: "
+ msgstr ""
+ 
+-#: src/sss_client/pam_sss.c:2040 src/sss_client/pam_sss.c:2202
++#: src/sss_client/pam_sss.c:2131 src/sss_client/pam_sss.c:2294
+ msgid "Second Factor (optional): "
+ msgstr ""
+ 
+-#: src/sss_client/pam_sss.c:2043 src/sss_client/pam_sss.c:2205
++#: src/sss_client/pam_sss.c:2134 src/sss_client/pam_sss.c:2297
+ msgid "Second Factor: "
+ msgstr ""
+ 
+-#: src/sss_client/pam_sss.c:2058
++#: src/sss_client/pam_sss.c:2149
+ msgid "Password: "
+ msgstr ""
+ 
+-#: src/sss_client/pam_sss.c:2201 src/sss_client/pam_sss.c:2204
++#: src/sss_client/pam_sss.c:2293 src/sss_client/pam_sss.c:2296
+ msgid "First Factor (Current Password): "
+ msgstr ""
+ 
+-#: src/sss_client/pam_sss.c:2208
++#: src/sss_client/pam_sss.c:2300
+ msgid "Current Password: "
+ msgstr ""
+ 
+-#: src/sss_client/pam_sss.c:2536
++#: src/sss_client/pam_sss.c:2628
+ msgid "Password expired. Change your password now."
+ msgstr ""
+ 
+@@ -1682,7 +1682,7 @@ msgstr ""
+ #: src/tools/sss_groupadd.c:41 src/tools/sss_groupdel.c:44
+ #: src/tools/sss_groupmod.c:42 src/tools/sss_groupshow.c:668
+ #: src/tools/sss_userdel.c:134 src/tools/sss_usermod.c:47
+-#: src/tools/sss_cache.c:687
++#: src/tools/sss_cache.c:702
+ msgid "The debug level to run with"
+ msgstr ""
+ 
+@@ -1695,7 +1695,7 @@ msgstr ""
+ #: src/tools/sss_groupadd.c:59 src/tools/sss_groupdel.c:54
+ #: src/tools/sss_groupmod.c:66 src/tools/sss_groupshow.c:680
+ #: src/tools/sss_userdel.c:152 src/tools/sss_usermod.c:79
+-#: src/tools/sss_cache.c:733
++#: src/tools/sss_cache.c:748
+ msgid "Error setting the locale\n"
+ msgstr ""
+ 
+@@ -2143,88 +2143,88 @@ msgstr ""
+ msgid "Couldn't invalidate %1$s %2$s\n"
+ msgstr ""
+ 
+-#: src/tools/sss_cache.c:689
++#: src/tools/sss_cache.c:704
+ msgid "Invalidate all cached entries"
+ msgstr ""
+ 
+-#: src/tools/sss_cache.c:691
++#: src/tools/sss_cache.c:706
+ msgid "Invalidate particular user"
+ msgstr ""
+ 
+-#: src/tools/sss_cache.c:693
++#: src/tools/sss_cache.c:708
+ msgid "Invalidate all users"
+ msgstr ""
+ 
+-#: src/tools/sss_cache.c:695
++#: src/tools/sss_cache.c:710
+ msgid "Invalidate particular group"
+ msgstr ""
+ 
+-#: src/tools/sss_cache.c:697
++#: src/tools/sss_cache.c:712
+ msgid "Invalidate all groups"
+ msgstr ""
+ 
+-#: src/tools/sss_cache.c:699
++#: src/tools/sss_cache.c:714
+ msgid "Invalidate particular netgroup"
+ msgstr ""
+ 
+-#: src/tools/sss_cache.c:701
++#: src/tools/sss_cache.c:716
+ msgid "Invalidate all netgroups"
+ msgstr ""
+ 
+-#: src/tools/sss_cache.c:703
++#: src/tools/sss_cache.c:718
+ msgid "Invalidate particular service"
+ msgstr ""
+ 
+-#: src/tools/sss_cache.c:705
++#: src/tools/sss_cache.c:720
+ msgid "Invalidate all services"
+ msgstr ""
+ 
+-#: src/tools/sss_cache.c:708
++#: src/tools/sss_cache.c:723
+ msgid "Invalidate particular autofs map"
+ msgstr ""
+ 
+-#: src/tools/sss_cache.c:710
++#: src/tools/sss_cache.c:725
+ msgid "Invalidate all autofs maps"
+ msgstr ""
+ 
+-#: src/tools/sss_cache.c:714
++#: src/tools/sss_cache.c:729
+ msgid "Invalidate particular SSH host"
+ msgstr ""
+ 
+-#: src/tools/sss_cache.c:716
++#: src/tools/sss_cache.c:731
+ msgid "Invalidate all SSH hosts"
+ msgstr ""
+ 
+-#: src/tools/sss_cache.c:720
++#: src/tools/sss_cache.c:735
+ msgid "Invalidate particular sudo rule"
+ msgstr ""
+ 
+-#: src/tools/sss_cache.c:722
++#: src/tools/sss_cache.c:737
+ msgid "Invalidate all cached sudo rules"
+ msgstr ""
+ 
+-#: src/tools/sss_cache.c:725
++#: src/tools/sss_cache.c:740
+ msgid "Only invalidate entries from a particular domain"
+ msgstr ""
+ 
+-#: src/tools/sss_cache.c:779
++#: src/tools/sss_cache.c:794
+ msgid ""
+ "Unexpected argument(s) provided, options that invalidate a single object "
+ "only accept a single provided argument.\n"
+ msgstr ""
+ 
+-#: src/tools/sss_cache.c:789
++#: src/tools/sss_cache.c:804
+ msgid "Please select at least one object to invalidate\n"
+ msgstr ""
+ 
+-#: src/tools/sss_cache.c:872
++#: src/tools/sss_cache.c:887
+ #, c-format
+ msgid ""
+ "Could not open domain %1$s. If the domain is a subdomain (trusted domain), "
+ "use fully qualified name instead of --domain/-d parameter.\n"
+ msgstr ""
+ 
+-#: src/tools/sss_cache.c:877
++#: src/tools/sss_cache.c:892
+ msgid "Could not open available domains\n"
+ msgstr ""
+ 
+@@ -2788,18 +2788,18 @@ msgstr ""
+ msgid " - no env -\n"
+ msgstr ""
+ 
+-#: src/util/util.h:75
++#: src/util/util.h:83
+ msgid "The user ID to run the server as"
+ msgstr ""
+ 
+-#: src/util/util.h:77
++#: src/util/util.h:85
+ msgid "The group ID to run the server as"
+ msgstr ""
+ 
+-#: src/util/util.h:85
++#: src/util/util.h:93
+ msgid "Informs that the responder has been socket-activated"
+ msgstr ""
+ 
+-#: src/util/util.h:87
++#: src/util/util.h:95
+ msgid "Informs that the responder has been dbus-activated"
+ msgstr ""
+diff --git a/po/sv.po b/po/sv.po
+index e193b50b7..bb0c29b73 100644
+--- a/po/sv.po
++++ b/po/sv.po
+@@ -10,7 +10,7 @@ msgid ""
+ msgstr ""
+ "Project-Id-Version: PACKAGE VERSION\n"
+ "Report-Msgid-Bugs-To: sssd-devel@lists.fedorahosted.org\n"
+-"POT-Creation-Date: 2019-03-20 22:07+0100\n"
++"POT-Creation-Date: 2019-10-07 11:34+0200\n"
+ "PO-Revision-Date: 2018-06-25 02:36+0000\n"
+ "Last-Translator: Göran Uddeborg <goeran@uddeborg.se>\n"
+ "Language-Team: Swedish (http://www.transifex.com/projects/p/sssd/language/"
+@@ -1577,63 +1577,63 @@ msgstr "Skriv ut versionsnumret och avsluta"
+ msgid "SSSD is already running\n"
+ msgstr "SSSD kör redan\n"
+ 
+-#: src/providers/krb5/krb5_child.c:3216 src/providers/ldap/ldap_child.c:605
++#: src/providers/krb5/krb5_child.c:3229 src/providers/ldap/ldap_child.c:605
+ msgid "Debug level"
+ msgstr "Felsökningsnivå"
+ 
+-#: src/providers/krb5/krb5_child.c:3218 src/providers/ldap/ldap_child.c:607
++#: src/providers/krb5/krb5_child.c:3231 src/providers/ldap/ldap_child.c:607
+ msgid "Add debug timestamps"
+ msgstr "Lägg till felsökningstidstämplar"
+ 
+-#: src/providers/krb5/krb5_child.c:3220 src/providers/ldap/ldap_child.c:609
++#: src/providers/krb5/krb5_child.c:3233 src/providers/ldap/ldap_child.c:609
+ msgid "Show timestamps with microseconds"
+ msgstr "Visa tidsstämplar med mikrosekunder"
+ 
+-#: src/providers/krb5/krb5_child.c:3222 src/providers/ldap/ldap_child.c:611
++#: src/providers/krb5/krb5_child.c:3235 src/providers/ldap/ldap_child.c:611
+ msgid "An open file descriptor for the debug logs"
+ msgstr "En öppen fildeskriptor för felsökningsloggarna"
+ 
+-#: src/providers/krb5/krb5_child.c:3225 src/providers/ldap/ldap_child.c:613
++#: src/providers/krb5/krb5_child.c:3238 src/providers/ldap/ldap_child.c:613
+ msgid "Send the debug output to stderr directly."
+ msgstr "Skicka felsökningsutdata direkt till standard fel."
+ 
+-#: src/providers/krb5/krb5_child.c:3228
++#: src/providers/krb5/krb5_child.c:3241
+ msgid "The user to create FAST ccache as"
+ msgstr "Användaren att skapa en FAST-ccache som"
+ 
+-#: src/providers/krb5/krb5_child.c:3230
++#: src/providers/krb5/krb5_child.c:3243
+ msgid "The group to create FAST ccache as"
+ msgstr "Gruppen att skapa en FAST-ccache som"
+ 
+-#: src/providers/krb5/krb5_child.c:3232
++#: src/providers/krb5/krb5_child.c:3245
+ msgid "Kerberos realm to use"
+ msgstr "Kerberosrike att använda"
+ 
+-#: src/providers/krb5/krb5_child.c:3234
++#: src/providers/krb5/krb5_child.c:3247
+ msgid "Requested lifetime of the ticket"
+ msgstr "Begärd livslängd på biljetten"
+ 
+-#: src/providers/krb5/krb5_child.c:3236
++#: src/providers/krb5/krb5_child.c:3249
+ msgid "Requested renewable lifetime of the ticket"
+ msgstr "Begärd förnybar livslängd på biljetten"
+ 
+-#: src/providers/krb5/krb5_child.c:3238
++#: src/providers/krb5/krb5_child.c:3251
+ msgid "FAST options ('never', 'try', 'demand')"
+ msgstr "FAST-flaggor (”never”, ”try”, ”demand”)"
+ 
+-#: src/providers/krb5/krb5_child.c:3241
++#: src/providers/krb5/krb5_child.c:3254
+ msgid "Specifies the server principal to use for FAST"
+ msgstr "Anger serverhuvudmannen att använda för FAST"
+ 
+-#: src/providers/krb5/krb5_child.c:3243
++#: src/providers/krb5/krb5_child.c:3256
+ msgid "Requests canonicalization of the principal name"
+ msgstr "Begär kanonisering av huvudmannanamnet"
+ 
+-#: src/providers/krb5/krb5_child.c:3245
++#: src/providers/krb5/krb5_child.c:3258
+ msgid "Use custom version of krb5_get_init_creds_password"
+ msgstr "Använd en anpassad version av krb5_get_init_creds_password"
+ 
+-#: src/providers/data_provider_be.c:556
++#: src/providers/data_provider_be.c:582
+ msgid "Domain of the information provider (mandatory)"
+ msgstr "Domän för informationsleverantören (obligatoriskt)"
+ 
+@@ -1665,46 +1665,46 @@ msgstr "Oväntat fel vid sökning efter ett felmeddelande"
+ msgid "Permission denied. "
+ msgstr "Åtkomst nekas. "
+ 
+-#: src/sss_client/pam_sss.c:77 src/sss_client/pam_sss.c:782
+-#: src/sss_client/pam_sss.c:793
++#: src/sss_client/pam_sss.c:77 src/sss_client/pam_sss.c:785
++#: src/sss_client/pam_sss.c:796
+ msgid "Server message: "
+ msgstr "Servermeddelande: "
+ 
+-#: src/sss_client/pam_sss.c:300
++#: src/sss_client/pam_sss.c:303
+ msgid "Passwords do not match"
+ msgstr "Lösenorden stämmer inte överens"
+ 
+-#: src/sss_client/pam_sss.c:488
++#: src/sss_client/pam_sss.c:491
+ msgid "Password reset by root is not supported."
+ msgstr "Återställning av lösenord av root stöds inte."
+ 
+-#: src/sss_client/pam_sss.c:529
++#: src/sss_client/pam_sss.c:532
+ msgid "Authenticated with cached credentials"
+ msgstr "Autentiserad med cachade kreditiv"
+ 
+-#: src/sss_client/pam_sss.c:530
++#: src/sss_client/pam_sss.c:533
+ msgid ", your cached password will expire at: "
+ msgstr ", ditt cache-lösenord kommer gå ut: "
+ 
+-#: src/sss_client/pam_sss.c:560
++#: src/sss_client/pam_sss.c:563
+ #, c-format
+ msgid "Your password has expired. You have %1$d grace login(s) remaining."
+ msgstr "Ditt lösenord har gått ut.  Du har en frist på %1$d inloggningar kvar."
+ 
+-#: src/sss_client/pam_sss.c:606
++#: src/sss_client/pam_sss.c:609
+ #, c-format
+ msgid "Your password will expire in %1$d %2$s."
+ msgstr "Ditt lösenordet kommer gå ut om %1$d %2$s."
+ 
+-#: src/sss_client/pam_sss.c:655
++#: src/sss_client/pam_sss.c:658
+ msgid "Authentication is denied until: "
+ msgstr "Autentisering nekas till: "
+ 
+-#: src/sss_client/pam_sss.c:676
++#: src/sss_client/pam_sss.c:679
+ msgid "System is offline, password change not possible"
+ msgstr "Systemet är frånkopplat, ändring av lösenord är inte möjligt"
+ 
+-#: src/sss_client/pam_sss.c:691
++#: src/sss_client/pam_sss.c:694
+ msgid ""
+ "After changing the OTP password, you need to log out and back in order to "
+ "acquire a ticket"
+@@ -1712,43 +1712,43 @@ msgstr ""
+ "Efter att ha ändrat OTP-lösenordet behöver du logga ut och tillbaka in för "
+ "att få en biljett"
+ 
+-#: src/sss_client/pam_sss.c:779 src/sss_client/pam_sss.c:792
++#: src/sss_client/pam_sss.c:782 src/sss_client/pam_sss.c:795
+ msgid "Password change failed. "
+ msgstr "Lösenordsändringen misslyckades. "
+ 
+-#: src/sss_client/pam_sss.c:1926
++#: src/sss_client/pam_sss.c:1972
+ msgid "New Password: "
+ msgstr "Nytt lösenord: "
+ 
+-#: src/sss_client/pam_sss.c:1927
++#: src/sss_client/pam_sss.c:1973
+ msgid "Reenter new Password: "
+ msgstr "Skriv det nya lösenordet igen: "
+ 
+-#: src/sss_client/pam_sss.c:2039 src/sss_client/pam_sss.c:2042
++#: src/sss_client/pam_sss.c:2130 src/sss_client/pam_sss.c:2133
+ msgid "First Factor: "
+ msgstr "Första faktorn: "
+ 
+-#: src/sss_client/pam_sss.c:2040 src/sss_client/pam_sss.c:2202
++#: src/sss_client/pam_sss.c:2131 src/sss_client/pam_sss.c:2294
+ msgid "Second Factor (optional): "
+ msgstr "Andra faktorn (frivillig): "
+ 
+-#: src/sss_client/pam_sss.c:2043 src/sss_client/pam_sss.c:2205
++#: src/sss_client/pam_sss.c:2134 src/sss_client/pam_sss.c:2297
+ msgid "Second Factor: "
+ msgstr "Andra faktorn: "
+ 
+-#: src/sss_client/pam_sss.c:2058
++#: src/sss_client/pam_sss.c:2149
+ msgid "Password: "
+ msgstr "Lösenord: "
+ 
+-#: src/sss_client/pam_sss.c:2201 src/sss_client/pam_sss.c:2204
++#: src/sss_client/pam_sss.c:2293 src/sss_client/pam_sss.c:2296
+ msgid "First Factor (Current Password): "
+ msgstr "Första faktorn (nuvarande lösenord): "
+ 
+-#: src/sss_client/pam_sss.c:2208
++#: src/sss_client/pam_sss.c:2300
+ msgid "Current Password: "
+ msgstr "Nuvarande lösenord: "
+ 
+-#: src/sss_client/pam_sss.c:2536
++#: src/sss_client/pam_sss.c:2628
+ msgid "Password expired. Change your password now."
+ msgstr "Lösenordet har gått ut.  Ändra ditt lösenord nu."
+ 
+@@ -1757,7 +1757,7 @@ msgstr "Lösenordet har gått ut.  Ändra ditt lösenord nu."
+ #: src/tools/sss_groupadd.c:41 src/tools/sss_groupdel.c:44
+ #: src/tools/sss_groupmod.c:42 src/tools/sss_groupshow.c:668
+ #: src/tools/sss_userdel.c:134 src/tools/sss_usermod.c:47
+-#: src/tools/sss_cache.c:687
++#: src/tools/sss_cache.c:702
+ msgid "The debug level to run with"
+ msgstr "Felsökningsnivån att köra med"
+ 
+@@ -1770,7 +1770,7 @@ msgstr "SSSD-domäner att använda"
+ #: src/tools/sss_groupadd.c:59 src/tools/sss_groupdel.c:54
+ #: src/tools/sss_groupmod.c:66 src/tools/sss_groupshow.c:680
+ #: src/tools/sss_userdel.c:152 src/tools/sss_usermod.c:79
+-#: src/tools/sss_cache.c:733
++#: src/tools/sss_cache.c:748
+ msgid "Error setting the locale\n"
+ msgstr "Fel när lokalen sattes\n"
+ 
+@@ -2246,71 +2246,71 @@ msgstr "Kunde inte invalidera %1$s\n"
+ msgid "Couldn't invalidate %1$s %2$s\n"
+ msgstr "Kunde inte invalidera %1$s %2$s\n"
+ 
+-#: src/tools/sss_cache.c:689
++#: src/tools/sss_cache.c:704
+ msgid "Invalidate all cached entries"
+ msgstr "Invalidera alla cachade poster"
+ 
+-#: src/tools/sss_cache.c:691
++#: src/tools/sss_cache.c:706
+ msgid "Invalidate particular user"
+ msgstr "Invalidera en viss användare"
+ 
+-#: src/tools/sss_cache.c:693
++#: src/tools/sss_cache.c:708
+ msgid "Invalidate all users"
+ msgstr "Invalidera alla användare"
+ 
+-#: src/tools/sss_cache.c:695
++#: src/tools/sss_cache.c:710
+ msgid "Invalidate particular group"
+ msgstr "Invalidera en viss grupp"
+ 
+-#: src/tools/sss_cache.c:697
++#: src/tools/sss_cache.c:712
+ msgid "Invalidate all groups"
+ msgstr "Invalidera alla grupper"
+ 
+-#: src/tools/sss_cache.c:699
++#: src/tools/sss_cache.c:714
+ msgid "Invalidate particular netgroup"
+ msgstr "Invalidera en viss nätgrupp"
+ 
+-#: src/tools/sss_cache.c:701
++#: src/tools/sss_cache.c:716
+ msgid "Invalidate all netgroups"
+ msgstr "Invalidera alla nätgrupper"
+ 
+-#: src/tools/sss_cache.c:703
++#: src/tools/sss_cache.c:718
+ msgid "Invalidate particular service"
+ msgstr "Invalidera en viss tjänst"
+ 
+-#: src/tools/sss_cache.c:705
++#: src/tools/sss_cache.c:720
+ msgid "Invalidate all services"
+ msgstr "Invalidera alla tjänster"
+ 
+-#: src/tools/sss_cache.c:708
++#: src/tools/sss_cache.c:723
+ msgid "Invalidate particular autofs map"
+ msgstr "Invalidera en viss autofs-mapp"
+ 
+-#: src/tools/sss_cache.c:710
++#: src/tools/sss_cache.c:725
+ msgid "Invalidate all autofs maps"
+ msgstr "Invalidera alla autofs-mappar"
+ 
+-#: src/tools/sss_cache.c:714
++#: src/tools/sss_cache.c:729
+ msgid "Invalidate particular SSH host"
+ msgstr "Invalidera en viss SSH-värd"
+ 
+-#: src/tools/sss_cache.c:716
++#: src/tools/sss_cache.c:731
+ msgid "Invalidate all SSH hosts"
+ msgstr "Invalidera alla SSH-värdar"
+ 
+-#: src/tools/sss_cache.c:720
++#: src/tools/sss_cache.c:735
+ msgid "Invalidate particular sudo rule"
+ msgstr "Invalidera en viss sudo-regel"
+ 
+-#: src/tools/sss_cache.c:722
++#: src/tools/sss_cache.c:737
+ msgid "Invalidate all cached sudo rules"
+ msgstr "Invalidera alla cachade sudo-regler"
+ 
+-#: src/tools/sss_cache.c:725
++#: src/tools/sss_cache.c:740
+ msgid "Only invalidate entries from a particular domain"
+ msgstr "Invalidera endast poster från en viss domän"
+ 
+-#: src/tools/sss_cache.c:779
++#: src/tools/sss_cache.c:794
+ msgid ""
+ "Unexpected argument(s) provided, options that invalidate a single object "
+ "only accept a single provided argument.\n"
+@@ -2318,11 +2318,11 @@ msgstr ""
+ "Oväntat argument angivet, flaggor som invaliderar ett ensamt objekt tar bara "
+ "ett ensamt angivet argument.\n"
+ 
+-#: src/tools/sss_cache.c:789
++#: src/tools/sss_cache.c:804
+ msgid "Please select at least one object to invalidate\n"
+ msgstr "Välj åtminstone ett objekt att invalidera\n"
+ 
+-#: src/tools/sss_cache.c:872
++#: src/tools/sss_cache.c:887
+ #, c-format
+ msgid ""
+ "Could not open domain %1$s. If the domain is a subdomain (trusted domain), "
+@@ -2331,7 +2331,7 @@ msgstr ""
+ "Kunde inte öppna domänen %1$s.  Om domänen är en underdomän (betrodd domän), "
+ "använd fullt kvalificerat namn istället för parametrarna --domain/-d.\n"
+ 
+-#: src/tools/sss_cache.c:877
++#: src/tools/sss_cache.c:892
+ msgid "Could not open available domains\n"
+ msgstr "Kunde inte öppna tillgängliga domäner\n"
+ 
+@@ -2932,18 +2932,18 @@ msgstr "PAM-miljö:\n"
+ msgid " - no env -\n"
+ msgstr " - ingen miljö -\n"
+ 
+-#: src/util/util.h:75
++#: src/util/util.h:83
+ msgid "The user ID to run the server as"
+ msgstr "Användar-ID:t att köra servern som"
+ 
+-#: src/util/util.h:77
++#: src/util/util.h:85
+ msgid "The group ID to run the server as"
+ msgstr "Grupp-ID:t att köra servern som"
+ 
+-#: src/util/util.h:85
++#: src/util/util.h:93
+ msgid "Informs that the responder has been socket-activated"
+ msgstr "Informerar att respondenten har blivit uttagsaktiverad"
+ 
+-#: src/util/util.h:87
++#: src/util/util.h:95
+ msgid "Informs that the responder has been dbus-activated"
+ msgstr "Informerar att respondenten har blivit dbus-aktiverad"
+diff --git a/po/tg.po b/po/tg.po
+index 398a7f571..87c94ed34 100644
+--- a/po/tg.po
++++ b/po/tg.po
+@@ -7,7 +7,7 @@ msgid ""
+ msgstr ""
+ "Project-Id-Version: PACKAGE VERSION\n"
+ "Report-Msgid-Bugs-To: sssd-devel@lists.fedorahosted.org\n"
+-"POT-Creation-Date: 2019-03-20 22:07+0100\n"
++"POT-Creation-Date: 2019-10-07 11:34+0200\n"
+ "PO-Revision-Date: 2014-12-14 11:48+0000\n"
+ "Last-Translator: Copied by Zanata <copied-by-zanata@zanata.org>\n"
+ "Language-Team: Tajik (http://www.transifex.com/projects/p/sssd/language/"
+@@ -1506,63 +1506,63 @@ msgstr ""
+ msgid "SSSD is already running\n"
+ msgstr ""
+ 
+-#: src/providers/krb5/krb5_child.c:3216 src/providers/ldap/ldap_child.c:605
++#: src/providers/krb5/krb5_child.c:3229 src/providers/ldap/ldap_child.c:605
+ msgid "Debug level"
+ msgstr ""
+ 
+-#: src/providers/krb5/krb5_child.c:3218 src/providers/ldap/ldap_child.c:607
++#: src/providers/krb5/krb5_child.c:3231 src/providers/ldap/ldap_child.c:607
+ msgid "Add debug timestamps"
+ msgstr ""
+ 
+-#: src/providers/krb5/krb5_child.c:3220 src/providers/ldap/ldap_child.c:609
++#: src/providers/krb5/krb5_child.c:3233 src/providers/ldap/ldap_child.c:609
+ msgid "Show timestamps with microseconds"
+ msgstr ""
+ 
+-#: src/providers/krb5/krb5_child.c:3222 src/providers/ldap/ldap_child.c:611
++#: src/providers/krb5/krb5_child.c:3235 src/providers/ldap/ldap_child.c:611
+ msgid "An open file descriptor for the debug logs"
+ msgstr ""
+ 
+-#: src/providers/krb5/krb5_child.c:3225 src/providers/ldap/ldap_child.c:613
++#: src/providers/krb5/krb5_child.c:3238 src/providers/ldap/ldap_child.c:613
+ msgid "Send the debug output to stderr directly."
+ msgstr ""
+ 
+-#: src/providers/krb5/krb5_child.c:3228
++#: src/providers/krb5/krb5_child.c:3241
+ msgid "The user to create FAST ccache as"
+ msgstr ""
+ 
+-#: src/providers/krb5/krb5_child.c:3230
++#: src/providers/krb5/krb5_child.c:3243
+ msgid "The group to create FAST ccache as"
+ msgstr ""
+ 
+-#: src/providers/krb5/krb5_child.c:3232
++#: src/providers/krb5/krb5_child.c:3245
+ msgid "Kerberos realm to use"
+ msgstr ""
+ 
+-#: src/providers/krb5/krb5_child.c:3234
++#: src/providers/krb5/krb5_child.c:3247
+ msgid "Requested lifetime of the ticket"
+ msgstr ""
+ 
+-#: src/providers/krb5/krb5_child.c:3236
++#: src/providers/krb5/krb5_child.c:3249
+ msgid "Requested renewable lifetime of the ticket"
+ msgstr ""
+ 
+-#: src/providers/krb5/krb5_child.c:3238
++#: src/providers/krb5/krb5_child.c:3251
+ msgid "FAST options ('never', 'try', 'demand')"
+ msgstr ""
+ 
+-#: src/providers/krb5/krb5_child.c:3241
++#: src/providers/krb5/krb5_child.c:3254
+ msgid "Specifies the server principal to use for FAST"
+ msgstr ""
+ 
+-#: src/providers/krb5/krb5_child.c:3243
++#: src/providers/krb5/krb5_child.c:3256
+ msgid "Requests canonicalization of the principal name"
+ msgstr ""
+ 
+-#: src/providers/krb5/krb5_child.c:3245
++#: src/providers/krb5/krb5_child.c:3258
+ msgid "Use custom version of krb5_get_init_creds_password"
+ msgstr ""
+ 
+-#: src/providers/data_provider_be.c:556
++#: src/providers/data_provider_be.c:582
+ msgid "Domain of the information provider (mandatory)"
+ msgstr ""
+ 
+@@ -1594,88 +1594,88 @@ msgstr ""
+ msgid "Permission denied. "
+ msgstr ""
+ 
+-#: src/sss_client/pam_sss.c:77 src/sss_client/pam_sss.c:782
+-#: src/sss_client/pam_sss.c:793
++#: src/sss_client/pam_sss.c:77 src/sss_client/pam_sss.c:785
++#: src/sss_client/pam_sss.c:796
+ msgid "Server message: "
+ msgstr ""
+ 
+-#: src/sss_client/pam_sss.c:300
++#: src/sss_client/pam_sss.c:303
+ msgid "Passwords do not match"
+ msgstr "Паролҳо номувофиқанд"
+ 
+-#: src/sss_client/pam_sss.c:488
++#: src/sss_client/pam_sss.c:491
+ msgid "Password reset by root is not supported."
+ msgstr ""
+ 
+-#: src/sss_client/pam_sss.c:529
++#: src/sss_client/pam_sss.c:532
+ msgid "Authenticated with cached credentials"
+ msgstr ""
+ 
+-#: src/sss_client/pam_sss.c:530
++#: src/sss_client/pam_sss.c:533
+ msgid ", your cached password will expire at: "
+ msgstr ""
+ 
+-#: src/sss_client/pam_sss.c:560
++#: src/sss_client/pam_sss.c:563
+ #, c-format
+ msgid "Your password has expired. You have %1$d grace login(s) remaining."
+ msgstr ""
+ 
+-#: src/sss_client/pam_sss.c:606
++#: src/sss_client/pam_sss.c:609
+ #, c-format
+ msgid "Your password will expire in %1$d %2$s."
+ msgstr ""
+ 
+-#: src/sss_client/pam_sss.c:655
++#: src/sss_client/pam_sss.c:658
+ msgid "Authentication is denied until: "
+ msgstr ""
+ 
+-#: src/sss_client/pam_sss.c:676
++#: src/sss_client/pam_sss.c:679
+ msgid "System is offline, password change not possible"
+ msgstr ""
+ 
+-#: src/sss_client/pam_sss.c:691
++#: src/sss_client/pam_sss.c:694
+ msgid ""
+ "After changing the OTP password, you need to log out and back in order to "
+ "acquire a ticket"
+ msgstr ""
+ 
+-#: src/sss_client/pam_sss.c:779 src/sss_client/pam_sss.c:792
++#: src/sss_client/pam_sss.c:782 src/sss_client/pam_sss.c:795
+ msgid "Password change failed. "
+ msgstr ""
+ 
+-#: src/sss_client/pam_sss.c:1926
++#: src/sss_client/pam_sss.c:1972
+ msgid "New Password: "
+ msgstr "Пароли нав:"
+ 
+-#: src/sss_client/pam_sss.c:1927
++#: src/sss_client/pam_sss.c:1973
+ msgid "Reenter new Password: "
+ msgstr ""
+ 
+-#: src/sss_client/pam_sss.c:2039 src/sss_client/pam_sss.c:2042
++#: src/sss_client/pam_sss.c:2130 src/sss_client/pam_sss.c:2133
+ msgid "First Factor: "
+ msgstr ""
+ 
+-#: src/sss_client/pam_sss.c:2040 src/sss_client/pam_sss.c:2202
++#: src/sss_client/pam_sss.c:2131 src/sss_client/pam_sss.c:2294
+ msgid "Second Factor (optional): "
+ msgstr ""
+ 
+-#: src/sss_client/pam_sss.c:2043 src/sss_client/pam_sss.c:2205
++#: src/sss_client/pam_sss.c:2134 src/sss_client/pam_sss.c:2297
+ msgid "Second Factor: "
+ msgstr ""
+ 
+-#: src/sss_client/pam_sss.c:2058
++#: src/sss_client/pam_sss.c:2149
+ msgid "Password: "
+ msgstr "Парол:"
+ 
+-#: src/sss_client/pam_sss.c:2201 src/sss_client/pam_sss.c:2204
++#: src/sss_client/pam_sss.c:2293 src/sss_client/pam_sss.c:2296
+ msgid "First Factor (Current Password): "
+ msgstr ""
+ 
+-#: src/sss_client/pam_sss.c:2208
++#: src/sss_client/pam_sss.c:2300
+ msgid "Current Password: "
+ msgstr ""
+ 
+-#: src/sss_client/pam_sss.c:2536
++#: src/sss_client/pam_sss.c:2628
+ msgid "Password expired. Change your password now."
+ msgstr ""
+ 
+@@ -1684,7 +1684,7 @@ msgstr ""
+ #: src/tools/sss_groupadd.c:41 src/tools/sss_groupdel.c:44
+ #: src/tools/sss_groupmod.c:42 src/tools/sss_groupshow.c:668
+ #: src/tools/sss_userdel.c:134 src/tools/sss_usermod.c:47
+-#: src/tools/sss_cache.c:687
++#: src/tools/sss_cache.c:702
+ msgid "The debug level to run with"
+ msgstr ""
+ 
+@@ -1697,7 +1697,7 @@ msgstr ""
+ #: src/tools/sss_groupadd.c:59 src/tools/sss_groupdel.c:54
+ #: src/tools/sss_groupmod.c:66 src/tools/sss_groupshow.c:680
+ #: src/tools/sss_userdel.c:152 src/tools/sss_usermod.c:79
+-#: src/tools/sss_cache.c:733
++#: src/tools/sss_cache.c:748
+ msgid "Error setting the locale\n"
+ msgstr ""
+ 
+@@ -2145,88 +2145,88 @@ msgstr ""
+ msgid "Couldn't invalidate %1$s %2$s\n"
+ msgstr ""
+ 
+-#: src/tools/sss_cache.c:689
++#: src/tools/sss_cache.c:704
+ msgid "Invalidate all cached entries"
+ msgstr ""
+ 
+-#: src/tools/sss_cache.c:691
++#: src/tools/sss_cache.c:706
+ msgid "Invalidate particular user"
+ msgstr ""
+ 
+-#: src/tools/sss_cache.c:693
++#: src/tools/sss_cache.c:708
+ msgid "Invalidate all users"
+ msgstr ""
+ 
+-#: src/tools/sss_cache.c:695
++#: src/tools/sss_cache.c:710
+ msgid "Invalidate particular group"
+ msgstr ""
+ 
+-#: src/tools/sss_cache.c:697
++#: src/tools/sss_cache.c:712
+ msgid "Invalidate all groups"
+ msgstr ""
+ 
+-#: src/tools/sss_cache.c:699
++#: src/tools/sss_cache.c:714
+ msgid "Invalidate particular netgroup"
+ msgstr ""
+ 
+-#: src/tools/sss_cache.c:701
++#: src/tools/sss_cache.c:716
+ msgid "Invalidate all netgroups"
+ msgstr ""
+ 
+-#: src/tools/sss_cache.c:703
++#: src/tools/sss_cache.c:718
+ msgid "Invalidate particular service"
+ msgstr ""
+ 
+-#: src/tools/sss_cache.c:705
++#: src/tools/sss_cache.c:720
+ msgid "Invalidate all services"
+ msgstr ""
+ 
+-#: src/tools/sss_cache.c:708
++#: src/tools/sss_cache.c:723
+ msgid "Invalidate particular autofs map"
+ msgstr ""
+ 
+-#: src/tools/sss_cache.c:710
++#: src/tools/sss_cache.c:725
+ msgid "Invalidate all autofs maps"
+ msgstr ""
+ 
+-#: src/tools/sss_cache.c:714
++#: src/tools/sss_cache.c:729
+ msgid "Invalidate particular SSH host"
+ msgstr ""
+ 
+-#: src/tools/sss_cache.c:716
++#: src/tools/sss_cache.c:731
+ msgid "Invalidate all SSH hosts"
+ msgstr ""
+ 
+-#: src/tools/sss_cache.c:720
++#: src/tools/sss_cache.c:735
+ msgid "Invalidate particular sudo rule"
+ msgstr ""
+ 
+-#: src/tools/sss_cache.c:722
++#: src/tools/sss_cache.c:737
+ msgid "Invalidate all cached sudo rules"
+ msgstr ""
+ 
+-#: src/tools/sss_cache.c:725
++#: src/tools/sss_cache.c:740
+ msgid "Only invalidate entries from a particular domain"
+ msgstr ""
+ 
+-#: src/tools/sss_cache.c:779
++#: src/tools/sss_cache.c:794
+ msgid ""
+ "Unexpected argument(s) provided, options that invalidate a single object "
+ "only accept a single provided argument.\n"
+ msgstr ""
+ 
+-#: src/tools/sss_cache.c:789
++#: src/tools/sss_cache.c:804
+ msgid "Please select at least one object to invalidate\n"
+ msgstr ""
+ 
+-#: src/tools/sss_cache.c:872
++#: src/tools/sss_cache.c:887
+ #, c-format
+ msgid ""
+ "Could not open domain %1$s. If the domain is a subdomain (trusted domain), "
+ "use fully qualified name instead of --domain/-d parameter.\n"
+ msgstr ""
+ 
+-#: src/tools/sss_cache.c:877
++#: src/tools/sss_cache.c:892
+ msgid "Could not open available domains\n"
+ msgstr ""
+ 
+@@ -2790,18 +2790,18 @@ msgstr ""
+ msgid " - no env -\n"
+ msgstr ""
+ 
+-#: src/util/util.h:75
++#: src/util/util.h:83
+ msgid "The user ID to run the server as"
+ msgstr ""
+ 
+-#: src/util/util.h:77
++#: src/util/util.h:85
+ msgid "The group ID to run the server as"
+ msgstr ""
+ 
+-#: src/util/util.h:85
++#: src/util/util.h:93
+ msgid "Informs that the responder has been socket-activated"
+ msgstr ""
+ 
+-#: src/util/util.h:87
++#: src/util/util.h:95
+ msgid "Informs that the responder has been dbus-activated"
+ msgstr ""
+diff --git a/po/tr.po b/po/tr.po
+index c5a6c09f9..1f7c43a9a 100644
+--- a/po/tr.po
++++ b/po/tr.po
+@@ -8,7 +8,7 @@ msgid ""
+ msgstr ""
+ "Project-Id-Version: PACKAGE VERSION\n"
+ "Report-Msgid-Bugs-To: sssd-devel@lists.fedorahosted.org\n"
+-"POT-Creation-Date: 2019-03-20 22:07+0100\n"
++"POT-Creation-Date: 2019-10-07 11:34+0200\n"
+ "PO-Revision-Date: 2014-12-14 11:49+0000\n"
+ "Last-Translator: Copied by Zanata <copied-by-zanata@zanata.org>\n"
+ "Language-Team: Turkish (http://www.transifex.com/projects/p/sssd/language/"
+@@ -1507,63 +1507,63 @@ msgstr ""
+ msgid "SSSD is already running\n"
+ msgstr ""
+ 
+-#: src/providers/krb5/krb5_child.c:3216 src/providers/ldap/ldap_child.c:605
++#: src/providers/krb5/krb5_child.c:3229 src/providers/ldap/ldap_child.c:605
+ msgid "Debug level"
+ msgstr ""
+ 
+-#: src/providers/krb5/krb5_child.c:3218 src/providers/ldap/ldap_child.c:607
++#: src/providers/krb5/krb5_child.c:3231 src/providers/ldap/ldap_child.c:607
+ msgid "Add debug timestamps"
+ msgstr ""
+ 
+-#: src/providers/krb5/krb5_child.c:3220 src/providers/ldap/ldap_child.c:609
++#: src/providers/krb5/krb5_child.c:3233 src/providers/ldap/ldap_child.c:609
+ msgid "Show timestamps with microseconds"
+ msgstr ""
+ 
+-#: src/providers/krb5/krb5_child.c:3222 src/providers/ldap/ldap_child.c:611
++#: src/providers/krb5/krb5_child.c:3235 src/providers/ldap/ldap_child.c:611
+ msgid "An open file descriptor for the debug logs"
+ msgstr ""
+ 
+-#: src/providers/krb5/krb5_child.c:3225 src/providers/ldap/ldap_child.c:613
++#: src/providers/krb5/krb5_child.c:3238 src/providers/ldap/ldap_child.c:613
+ msgid "Send the debug output to stderr directly."
+ msgstr ""
+ 
+-#: src/providers/krb5/krb5_child.c:3228
++#: src/providers/krb5/krb5_child.c:3241
+ msgid "The user to create FAST ccache as"
+ msgstr ""
+ 
+-#: src/providers/krb5/krb5_child.c:3230
++#: src/providers/krb5/krb5_child.c:3243
+ msgid "The group to create FAST ccache as"
+ msgstr ""
+ 
+-#: src/providers/krb5/krb5_child.c:3232
++#: src/providers/krb5/krb5_child.c:3245
+ msgid "Kerberos realm to use"
+ msgstr ""
+ 
+-#: src/providers/krb5/krb5_child.c:3234
++#: src/providers/krb5/krb5_child.c:3247
+ msgid "Requested lifetime of the ticket"
+ msgstr ""
+ 
+-#: src/providers/krb5/krb5_child.c:3236
++#: src/providers/krb5/krb5_child.c:3249
+ msgid "Requested renewable lifetime of the ticket"
+ msgstr ""
+ 
+-#: src/providers/krb5/krb5_child.c:3238
++#: src/providers/krb5/krb5_child.c:3251
+ msgid "FAST options ('never', 'try', 'demand')"
+ msgstr ""
+ 
+-#: src/providers/krb5/krb5_child.c:3241
++#: src/providers/krb5/krb5_child.c:3254
+ msgid "Specifies the server principal to use for FAST"
+ msgstr ""
+ 
+-#: src/providers/krb5/krb5_child.c:3243
++#: src/providers/krb5/krb5_child.c:3256
+ msgid "Requests canonicalization of the principal name"
+ msgstr ""
+ 
+-#: src/providers/krb5/krb5_child.c:3245
++#: src/providers/krb5/krb5_child.c:3258
+ msgid "Use custom version of krb5_get_init_creds_password"
+ msgstr ""
+ 
+-#: src/providers/data_provider_be.c:556
++#: src/providers/data_provider_be.c:582
+ msgid "Domain of the information provider (mandatory)"
+ msgstr ""
+ 
+@@ -1595,88 +1595,88 @@ msgstr ""
+ msgid "Permission denied. "
+ msgstr ""
+ 
+-#: src/sss_client/pam_sss.c:77 src/sss_client/pam_sss.c:782
+-#: src/sss_client/pam_sss.c:793
++#: src/sss_client/pam_sss.c:77 src/sss_client/pam_sss.c:785
++#: src/sss_client/pam_sss.c:796
+ msgid "Server message: "
+ msgstr ""
+ 
+-#: src/sss_client/pam_sss.c:300
++#: src/sss_client/pam_sss.c:303
+ msgid "Passwords do not match"
+ msgstr ""
+ 
+-#: src/sss_client/pam_sss.c:488
++#: src/sss_client/pam_sss.c:491
+ msgid "Password reset by root is not supported."
+ msgstr ""
+ 
+-#: src/sss_client/pam_sss.c:529
++#: src/sss_client/pam_sss.c:532
+ msgid "Authenticated with cached credentials"
+ msgstr ""
+ 
+-#: src/sss_client/pam_sss.c:530
++#: src/sss_client/pam_sss.c:533
+ msgid ", your cached password will expire at: "
+ msgstr ""
+ 
+-#: src/sss_client/pam_sss.c:560
++#: src/sss_client/pam_sss.c:563
+ #, c-format
+ msgid "Your password has expired. You have %1$d grace login(s) remaining."
+ msgstr ""
+ 
+-#: src/sss_client/pam_sss.c:606
++#: src/sss_client/pam_sss.c:609
+ #, c-format
+ msgid "Your password will expire in %1$d %2$s."
+ msgstr ""
+ 
+-#: src/sss_client/pam_sss.c:655
++#: src/sss_client/pam_sss.c:658
+ msgid "Authentication is denied until: "
+ msgstr ""
+ 
+-#: src/sss_client/pam_sss.c:676
++#: src/sss_client/pam_sss.c:679
+ msgid "System is offline, password change not possible"
+ msgstr ""
+ 
+-#: src/sss_client/pam_sss.c:691
++#: src/sss_client/pam_sss.c:694
+ msgid ""
+ "After changing the OTP password, you need to log out and back in order to "
+ "acquire a ticket"
+ msgstr ""
+ 
+-#: src/sss_client/pam_sss.c:779 src/sss_client/pam_sss.c:792
++#: src/sss_client/pam_sss.c:782 src/sss_client/pam_sss.c:795
+ msgid "Password change failed. "
+ msgstr ""
+ 
+-#: src/sss_client/pam_sss.c:1926
++#: src/sss_client/pam_sss.c:1972
+ msgid "New Password: "
+ msgstr ""
+ 
+-#: src/sss_client/pam_sss.c:1927
++#: src/sss_client/pam_sss.c:1973
+ msgid "Reenter new Password: "
+ msgstr ""
+ 
+-#: src/sss_client/pam_sss.c:2039 src/sss_client/pam_sss.c:2042
++#: src/sss_client/pam_sss.c:2130 src/sss_client/pam_sss.c:2133
+ msgid "First Factor: "
+ msgstr ""
+ 
+-#: src/sss_client/pam_sss.c:2040 src/sss_client/pam_sss.c:2202
++#: src/sss_client/pam_sss.c:2131 src/sss_client/pam_sss.c:2294
+ msgid "Second Factor (optional): "
+ msgstr ""
+ 
+-#: src/sss_client/pam_sss.c:2043 src/sss_client/pam_sss.c:2205
++#: src/sss_client/pam_sss.c:2134 src/sss_client/pam_sss.c:2297
+ msgid "Second Factor: "
+ msgstr ""
+ 
+-#: src/sss_client/pam_sss.c:2058
++#: src/sss_client/pam_sss.c:2149
+ msgid "Password: "
+ msgstr ""
+ 
+-#: src/sss_client/pam_sss.c:2201 src/sss_client/pam_sss.c:2204
++#: src/sss_client/pam_sss.c:2293 src/sss_client/pam_sss.c:2296
+ msgid "First Factor (Current Password): "
+ msgstr ""
+ 
+-#: src/sss_client/pam_sss.c:2208
++#: src/sss_client/pam_sss.c:2300
+ msgid "Current Password: "
+ msgstr ""
+ 
+-#: src/sss_client/pam_sss.c:2536
++#: src/sss_client/pam_sss.c:2628
+ msgid "Password expired. Change your password now."
+ msgstr ""
+ 
+@@ -1685,7 +1685,7 @@ msgstr ""
+ #: src/tools/sss_groupadd.c:41 src/tools/sss_groupdel.c:44
+ #: src/tools/sss_groupmod.c:42 src/tools/sss_groupshow.c:668
+ #: src/tools/sss_userdel.c:134 src/tools/sss_usermod.c:47
+-#: src/tools/sss_cache.c:687
++#: src/tools/sss_cache.c:702
+ msgid "The debug level to run with"
+ msgstr ""
+ 
+@@ -1698,7 +1698,7 @@ msgstr ""
+ #: src/tools/sss_groupadd.c:59 src/tools/sss_groupdel.c:54
+ #: src/tools/sss_groupmod.c:66 src/tools/sss_groupshow.c:680
+ #: src/tools/sss_userdel.c:152 src/tools/sss_usermod.c:79
+-#: src/tools/sss_cache.c:733
++#: src/tools/sss_cache.c:748
+ msgid "Error setting the locale\n"
+ msgstr ""
+ 
+@@ -2146,88 +2146,88 @@ msgstr ""
+ msgid "Couldn't invalidate %1$s %2$s\n"
+ msgstr ""
+ 
+-#: src/tools/sss_cache.c:689
++#: src/tools/sss_cache.c:704
+ msgid "Invalidate all cached entries"
+ msgstr ""
+ 
+-#: src/tools/sss_cache.c:691
++#: src/tools/sss_cache.c:706
+ msgid "Invalidate particular user"
+ msgstr ""
+ 
+-#: src/tools/sss_cache.c:693
++#: src/tools/sss_cache.c:708
+ msgid "Invalidate all users"
+ msgstr ""
+ 
+-#: src/tools/sss_cache.c:695
++#: src/tools/sss_cache.c:710
+ msgid "Invalidate particular group"
+ msgstr ""
+ 
+-#: src/tools/sss_cache.c:697
++#: src/tools/sss_cache.c:712
+ msgid "Invalidate all groups"
+ msgstr ""
+ 
+-#: src/tools/sss_cache.c:699
++#: src/tools/sss_cache.c:714
+ msgid "Invalidate particular netgroup"
+ msgstr ""
+ 
+-#: src/tools/sss_cache.c:701
++#: src/tools/sss_cache.c:716
+ msgid "Invalidate all netgroups"
+ msgstr ""
+ 
+-#: src/tools/sss_cache.c:703
++#: src/tools/sss_cache.c:718
+ msgid "Invalidate particular service"
+ msgstr ""
+ 
+-#: src/tools/sss_cache.c:705
++#: src/tools/sss_cache.c:720
+ msgid "Invalidate all services"
+ msgstr ""
+ 
+-#: src/tools/sss_cache.c:708
++#: src/tools/sss_cache.c:723
+ msgid "Invalidate particular autofs map"
+ msgstr ""
+ 
+-#: src/tools/sss_cache.c:710
++#: src/tools/sss_cache.c:725
+ msgid "Invalidate all autofs maps"
+ msgstr ""
+ 
+-#: src/tools/sss_cache.c:714
++#: src/tools/sss_cache.c:729
+ msgid "Invalidate particular SSH host"
+ msgstr ""
+ 
+-#: src/tools/sss_cache.c:716
++#: src/tools/sss_cache.c:731
+ msgid "Invalidate all SSH hosts"
+ msgstr ""
+ 
+-#: src/tools/sss_cache.c:720
++#: src/tools/sss_cache.c:735
+ msgid "Invalidate particular sudo rule"
+ msgstr ""
+ 
+-#: src/tools/sss_cache.c:722
++#: src/tools/sss_cache.c:737
+ msgid "Invalidate all cached sudo rules"
+ msgstr ""
+ 
+-#: src/tools/sss_cache.c:725
++#: src/tools/sss_cache.c:740
+ msgid "Only invalidate entries from a particular domain"
+ msgstr ""
+ 
+-#: src/tools/sss_cache.c:779
++#: src/tools/sss_cache.c:794
+ msgid ""
+ "Unexpected argument(s) provided, options that invalidate a single object "
+ "only accept a single provided argument.\n"
+ msgstr ""
+ 
+-#: src/tools/sss_cache.c:789
++#: src/tools/sss_cache.c:804
+ msgid "Please select at least one object to invalidate\n"
+ msgstr ""
+ 
+-#: src/tools/sss_cache.c:872
++#: src/tools/sss_cache.c:887
+ #, c-format
+ msgid ""
+ "Could not open domain %1$s. If the domain is a subdomain (trusted domain), "
+ "use fully qualified name instead of --domain/-d parameter.\n"
+ msgstr ""
+ 
+-#: src/tools/sss_cache.c:877
++#: src/tools/sss_cache.c:892
+ msgid "Could not open available domains\n"
+ msgstr ""
+ 
+@@ -2791,18 +2791,18 @@ msgstr ""
+ msgid " - no env -\n"
+ msgstr ""
+ 
+-#: src/util/util.h:75
++#: src/util/util.h:83
+ msgid "The user ID to run the server as"
+ msgstr ""
+ 
+-#: src/util/util.h:77
++#: src/util/util.h:85
+ msgid "The group ID to run the server as"
+ msgstr ""
+ 
+-#: src/util/util.h:85
++#: src/util/util.h:93
+ msgid "Informs that the responder has been socket-activated"
+ msgstr ""
+ 
+-#: src/util/util.h:87
++#: src/util/util.h:95
+ msgid "Informs that the responder has been dbus-activated"
+ msgstr ""
+diff --git a/po/uk.po b/po/uk.po
+index f06aef187..373496c08 100644
+--- a/po/uk.po
++++ b/po/uk.po
+@@ -14,7 +14,7 @@ msgid ""
+ msgstr ""
+ "Project-Id-Version: PACKAGE VERSION\n"
+ "Report-Msgid-Bugs-To: sssd-devel@lists.fedorahosted.org\n"
+-"POT-Creation-Date: 2019-03-20 22:07+0100\n"
++"POT-Creation-Date: 2019-10-07 11:34+0200\n"
+ "PO-Revision-Date: 2019-03-03 07:23+0000\n"
+ "Last-Translator: Yuri Chornoivan <yurchor@ukr.net>\n"
+ "Language-Team: Ukrainian (http://www.transifex.com/projects/p/sssd/language/"
+@@ -1653,64 +1653,64 @@ msgstr "Вивести номер версії і завершити робот
+ msgid "SSSD is already running\n"
+ msgstr "SSSD вже запущено\n"
+ 
+-#: src/providers/krb5/krb5_child.c:3216 src/providers/ldap/ldap_child.c:605
++#: src/providers/krb5/krb5_child.c:3229 src/providers/ldap/ldap_child.c:605
+ msgid "Debug level"
+ msgstr "Рівень зневаджування"
+ 
+-#: src/providers/krb5/krb5_child.c:3218 src/providers/ldap/ldap_child.c:607
++#: src/providers/krb5/krb5_child.c:3231 src/providers/ldap/ldap_child.c:607
+ msgid "Add debug timestamps"
+ msgstr "Додавати діагностичні часові позначки"
+ 
+-#: src/providers/krb5/krb5_child.c:3220 src/providers/ldap/ldap_child.c:609
++#: src/providers/krb5/krb5_child.c:3233 src/providers/ldap/ldap_child.c:609
+ msgid "Show timestamps with microseconds"
+ msgstr "Показувати мікросекунди у часових позначках"
+ 
+-#: src/providers/krb5/krb5_child.c:3222 src/providers/ldap/ldap_child.c:611
++#: src/providers/krb5/krb5_child.c:3235 src/providers/ldap/ldap_child.c:611
+ msgid "An open file descriptor for the debug logs"
+ msgstr "Дескриптор відкритого файла для запису журналів діагностики"
+ 
+-#: src/providers/krb5/krb5_child.c:3225 src/providers/ldap/ldap_child.c:613
++#: src/providers/krb5/krb5_child.c:3238 src/providers/ldap/ldap_child.c:613
+ msgid "Send the debug output to stderr directly."
+ msgstr "Надіслати діагностичну інформацію безпосередньо до stderr."
+ 
+-#: src/providers/krb5/krb5_child.c:3228
++#: src/providers/krb5/krb5_child.c:3241
+ msgid "The user to create FAST ccache as"
+ msgstr "Користувач, від імені якого слід створити ccache FAST"
+ 
+-#: src/providers/krb5/krb5_child.c:3230
++#: src/providers/krb5/krb5_child.c:3243
+ msgid "The group to create FAST ccache as"
+ msgstr "Група, від імені якої слід створити ccache FAST"
+ 
+-#: src/providers/krb5/krb5_child.c:3232
++#: src/providers/krb5/krb5_child.c:3245
+ msgid "Kerberos realm to use"
+ msgstr "Область Kerberos, якою слід скористатися"
+ 
+-#: src/providers/krb5/krb5_child.c:3234
++#: src/providers/krb5/krb5_child.c:3247
+ msgid "Requested lifetime of the ticket"
+ msgstr "Запитаний строк дії квитка"
+ 
+-#: src/providers/krb5/krb5_child.c:3236
++#: src/providers/krb5/krb5_child.c:3249
+ msgid "Requested renewable lifetime of the ticket"
+ msgstr "Запитаний час оновлення строку дії квитка"
+ 
+-#: src/providers/krb5/krb5_child.c:3238
++#: src/providers/krb5/krb5_child.c:3251
+ msgid "FAST options ('never', 'try', 'demand')"
+ msgstr "Параметри FAST ('never', 'try', 'demand')"
+ 
+-#: src/providers/krb5/krb5_child.c:3241
++#: src/providers/krb5/krb5_child.c:3254
+ msgid "Specifies the server principal to use for FAST"
+ msgstr ""
+ "Визначає реєстраційний запис сервера, який слід використовувати для FAST"
+ 
+-#: src/providers/krb5/krb5_child.c:3243
++#: src/providers/krb5/krb5_child.c:3256
+ msgid "Requests canonicalization of the principal name"
+ msgstr "Вимагає перетворення реєстраційного запису у канонічну форму"
+ 
+-#: src/providers/krb5/krb5_child.c:3245
++#: src/providers/krb5/krb5_child.c:3258
+ msgid "Use custom version of krb5_get_init_creds_password"
+ msgstr "Використовувати нетипову версію krb5_get_init_creds_password"
+ 
+-#: src/providers/data_provider_be.c:556
++#: src/providers/data_provider_be.c:582
+ msgid "Domain of the information provider (mandatory)"
+ msgstr "Домен надання відомостей (обов’язковий)"
+ 
+@@ -1742,46 +1742,46 @@ msgstr "Неочікувана помилка під час пошуку опи
+ msgid "Permission denied. "
+ msgstr "Відмовлено у доступі. "
+ 
+-#: src/sss_client/pam_sss.c:77 src/sss_client/pam_sss.c:782
+-#: src/sss_client/pam_sss.c:793
++#: src/sss_client/pam_sss.c:77 src/sss_client/pam_sss.c:785
++#: src/sss_client/pam_sss.c:796
+ msgid "Server message: "
+ msgstr "Повідомлення сервера: "
+ 
+-#: src/sss_client/pam_sss.c:300
++#: src/sss_client/pam_sss.c:303
+ msgid "Passwords do not match"
+ msgstr "Паролі не збігаються"
+ 
+-#: src/sss_client/pam_sss.c:488
++#: src/sss_client/pam_sss.c:491
+ msgid "Password reset by root is not supported."
+ msgstr "Підтримки скидання пароля користувачем root не передбачено."
+ 
+-#: src/sss_client/pam_sss.c:529
++#: src/sss_client/pam_sss.c:532
+ msgid "Authenticated with cached credentials"
+ msgstr "Розпізнано за реєстраційними даними з кешу"
+ 
+-#: src/sss_client/pam_sss.c:530
++#: src/sss_client/pam_sss.c:533
+ msgid ", your cached password will expire at: "
+ msgstr ", строк дії вашого кешованого пароля завершиться: "
+ 
+-#: src/sss_client/pam_sss.c:560
++#: src/sss_client/pam_sss.c:563
+ #, c-format
+ msgid "Your password has expired. You have %1$d grace login(s) remaining."
+ msgstr "Строк дії вашого пароля вичерпано. Залишилося %1$d резервних входи."
+ 
+-#: src/sss_client/pam_sss.c:606
++#: src/sss_client/pam_sss.c:609
+ #, c-format
+ msgid "Your password will expire in %1$d %2$s."
+ msgstr "Строк дії вашого пароля завершиться за %1$d %2$s."
+ 
+-#: src/sss_client/pam_sss.c:655
++#: src/sss_client/pam_sss.c:658
+ msgid "Authentication is denied until: "
+ msgstr "Розпізнавання заборонено до: "
+ 
+-#: src/sss_client/pam_sss.c:676
++#: src/sss_client/pam_sss.c:679
+ msgid "System is offline, password change not possible"
+ msgstr "Система працює у автономному режимі, зміна пароля неможлива"
+ 
+-#: src/sss_client/pam_sss.c:691
++#: src/sss_client/pam_sss.c:694
+ msgid ""
+ "After changing the OTP password, you need to log out and back in order to "
+ "acquire a ticket"
+@@ -1789,43 +1789,43 @@ msgstr ""
+ "Після зміни пароля OTP вам слід вийти із системи і увійти до неї знову, щоб "
+ "отримати про квиток"
+ 
+-#: src/sss_client/pam_sss.c:779 src/sss_client/pam_sss.c:792
++#: src/sss_client/pam_sss.c:782 src/sss_client/pam_sss.c:795
+ msgid "Password change failed. "
+ msgstr "Спроба зміни пароля зазнала невдачі. "
+ 
+-#: src/sss_client/pam_sss.c:1926
++#: src/sss_client/pam_sss.c:1972
+ msgid "New Password: "
+ msgstr "Новий пароль: "
+ 
+-#: src/sss_client/pam_sss.c:1927
++#: src/sss_client/pam_sss.c:1973
+ msgid "Reenter new Password: "
+ msgstr "Ще раз введіть новий пароль: "
+ 
+-#: src/sss_client/pam_sss.c:2039 src/sss_client/pam_sss.c:2042
++#: src/sss_client/pam_sss.c:2130 src/sss_client/pam_sss.c:2133
+ msgid "First Factor: "
+ msgstr "Перший фактор:"
+ 
+-#: src/sss_client/pam_sss.c:2040 src/sss_client/pam_sss.c:2202
++#: src/sss_client/pam_sss.c:2131 src/sss_client/pam_sss.c:2294
+ msgid "Second Factor (optional): "
+ msgstr "Другий фактор (необов'язковий): "
+ 
+-#: src/sss_client/pam_sss.c:2043 src/sss_client/pam_sss.c:2205
++#: src/sss_client/pam_sss.c:2134 src/sss_client/pam_sss.c:2297
+ msgid "Second Factor: "
+ msgstr "Другий фактор:"
+ 
+-#: src/sss_client/pam_sss.c:2058
++#: src/sss_client/pam_sss.c:2149
+ msgid "Password: "
+ msgstr "Пароль: "
+ 
+-#: src/sss_client/pam_sss.c:2201 src/sss_client/pam_sss.c:2204
++#: src/sss_client/pam_sss.c:2293 src/sss_client/pam_sss.c:2296
+ msgid "First Factor (Current Password): "
+ msgstr "Перший фактор (поточний пароль): "
+ 
+-#: src/sss_client/pam_sss.c:2208
++#: src/sss_client/pam_sss.c:2300
+ msgid "Current Password: "
+ msgstr "Поточний пароль: "
+ 
+-#: src/sss_client/pam_sss.c:2536
++#: src/sss_client/pam_sss.c:2628
+ msgid "Password expired. Change your password now."
+ msgstr "Строк дії пароля вичерпано. Змініть ваш пароль."
+ 
+@@ -1834,7 +1834,7 @@ msgstr "Строк дії пароля вичерпано. Змініть ваш
+ #: src/tools/sss_groupadd.c:41 src/tools/sss_groupdel.c:44
+ #: src/tools/sss_groupmod.c:42 src/tools/sss_groupshow.c:668
+ #: src/tools/sss_userdel.c:134 src/tools/sss_usermod.c:47
+-#: src/tools/sss_cache.c:687
++#: src/tools/sss_cache.c:702
+ msgid "The debug level to run with"
+ msgstr "Рівень діагностики під час запуску"
+ 
+@@ -1847,7 +1847,7 @@ msgstr "Домен SSSD, який слід використовувати"
+ #: src/tools/sss_groupadd.c:59 src/tools/sss_groupdel.c:54
+ #: src/tools/sss_groupmod.c:66 src/tools/sss_groupshow.c:680
+ #: src/tools/sss_userdel.c:152 src/tools/sss_usermod.c:79
+-#: src/tools/sss_cache.c:733
++#: src/tools/sss_cache.c:748
+ msgid "Error setting the locale\n"
+ msgstr "Помилка під час спроби встановити локаль\n"
+ 
+@@ -2334,71 +2334,71 @@ msgstr "Не вдалося скасувати чинність %1$s\n"
+ msgid "Couldn't invalidate %1$s %2$s\n"
+ msgstr "Не вдалося скасувати чинність %1$s %2$s\n"
+ 
+-#: src/tools/sss_cache.c:689
++#: src/tools/sss_cache.c:704
+ msgid "Invalidate all cached entries"
+ msgstr "Скасувати чинність усіх кешованих записів"
+ 
+-#: src/tools/sss_cache.c:691
++#: src/tools/sss_cache.c:706
+ msgid "Invalidate particular user"
+ msgstr "Скасувати визначення певного користувача"
+ 
+-#: src/tools/sss_cache.c:693
++#: src/tools/sss_cache.c:708
+ msgid "Invalidate all users"
+ msgstr "Скасувати визначення всіх користувачів"
+ 
+-#: src/tools/sss_cache.c:695
++#: src/tools/sss_cache.c:710
+ msgid "Invalidate particular group"
+ msgstr "Скасувати визначення певної групи"
+ 
+-#: src/tools/sss_cache.c:697
++#: src/tools/sss_cache.c:712
+ msgid "Invalidate all groups"
+ msgstr "Скасувати визначення всіх груп"
+ 
+-#: src/tools/sss_cache.c:699
++#: src/tools/sss_cache.c:714
+ msgid "Invalidate particular netgroup"
+ msgstr "Скасувати визначення певної мережевої групи"
+ 
+-#: src/tools/sss_cache.c:701
++#: src/tools/sss_cache.c:716
+ msgid "Invalidate all netgroups"
+ msgstr "Скасувати визначення всіх мережевих груп"
+ 
+-#: src/tools/sss_cache.c:703
++#: src/tools/sss_cache.c:718
+ msgid "Invalidate particular service"
+ msgstr "Скасувати визначення певної служби"
+ 
+-#: src/tools/sss_cache.c:705
++#: src/tools/sss_cache.c:720
+ msgid "Invalidate all services"
+ msgstr "Скасувати визначення всіх служб"
+ 
+-#: src/tools/sss_cache.c:708
++#: src/tools/sss_cache.c:723
+ msgid "Invalidate particular autofs map"
+ msgstr "Скасувати визначення певну карту autofs"
+ 
+-#: src/tools/sss_cache.c:710
++#: src/tools/sss_cache.c:725
+ msgid "Invalidate all autofs maps"
+ msgstr "Скасувати визначення всіх карт autofs"
+ 
+-#: src/tools/sss_cache.c:714
++#: src/tools/sss_cache.c:729
+ msgid "Invalidate particular SSH host"
+ msgstr "Скасувати чинність певного вузла SSH"
+ 
+-#: src/tools/sss_cache.c:716
++#: src/tools/sss_cache.c:731
+ msgid "Invalidate all SSH hosts"
+ msgstr "Скасувати чинність усіх вузлів SSH"
+ 
+-#: src/tools/sss_cache.c:720
++#: src/tools/sss_cache.c:735
+ msgid "Invalidate particular sudo rule"
+ msgstr "Скасувати чинність певного правила sudo"
+ 
+-#: src/tools/sss_cache.c:722
++#: src/tools/sss_cache.c:737
+ msgid "Invalidate all cached sudo rules"
+ msgstr "Скасувати чинність усіх кешованих правил sudo"
+ 
+-#: src/tools/sss_cache.c:725
++#: src/tools/sss_cache.c:740
+ msgid "Only invalidate entries from a particular domain"
+ msgstr "Скасувати визначення лише записів з певного домену"
+ 
+-#: src/tools/sss_cache.c:779
++#: src/tools/sss_cache.c:794
+ msgid ""
+ "Unexpected argument(s) provided, options that invalidate a single object "
+ "only accept a single provided argument.\n"
+@@ -2406,12 +2406,12 @@ msgstr ""
+ "Надано неочікувані аргументи. Параметри, які скасовують чинність окремого "
+ "об'єкта вимагають лише одного наданого аргументу.\n"
+ 
+-#: src/tools/sss_cache.c:789
++#: src/tools/sss_cache.c:804
+ msgid "Please select at least one object to invalidate\n"
+ msgstr ""
+ "Будь ласка, виберіть принаймні один об’єкт для скасовування відповідності\n"
+ 
+-#: src/tools/sss_cache.c:872
++#: src/tools/sss_cache.c:887
+ #, c-format
+ msgid ""
+ "Could not open domain %1$s. If the domain is a subdomain (trusted domain), "
+@@ -2420,7 +2420,7 @@ msgstr ""
+ "Не вдалося відкрити домен %1$s. Якщо цей домен є піддоменом (довіреним "
+ "доменом), скористайтеся повною назвою замість параметра --domain/-d.\n"
+ 
+-#: src/tools/sss_cache.c:877
++#: src/tools/sss_cache.c:892
+ msgid "Could not open available domains\n"
+ msgstr "Не вдалося відкрити доступні домени\n"
+ 
+@@ -3023,19 +3023,19 @@ msgstr "Середовище PAM:\n"
+ msgid " - no env -\n"
+ msgstr " - немає середовища -\n"
+ 
+-#: src/util/util.h:75
++#: src/util/util.h:83
+ msgid "The user ID to run the server as"
+ msgstr "Ідентифікатор користувача, від імені якого слід запустити сервер"
+ 
+-#: src/util/util.h:77
++#: src/util/util.h:85
+ msgid "The group ID to run the server as"
+ msgstr "Ідентифікатор групи, від імені якої слід запустити сервер"
+ 
+-#: src/util/util.h:85
++#: src/util/util.h:93
+ msgid "Informs that the responder has been socket-activated"
+ msgstr "Інформує про те, що на відповідачі задіяно сокет"
+ 
+-#: src/util/util.h:87
++#: src/util/util.h:95
+ msgid "Informs that the responder has been dbus-activated"
+ msgstr "Інформує про те, що на відповідачі задіяно D-Bus"
+ 
+diff --git a/po/zh_CN.po b/po/zh_CN.po
+index c75d8edf2..3c09e7dac 100644
+--- a/po/zh_CN.po
++++ b/po/zh_CN.po
+@@ -8,7 +8,7 @@ msgid ""
+ msgstr ""
+ "Project-Id-Version: PACKAGE VERSION\n"
+ "Report-Msgid-Bugs-To: sssd-devel@lists.fedorahosted.org\n"
+-"POT-Creation-Date: 2019-03-20 22:07+0100\n"
++"POT-Creation-Date: 2019-10-07 11:34+0200\n"
+ "PO-Revision-Date: 2014-12-14 11:50+0000\n"
+ "Last-Translator: Copied by Zanata <copied-by-zanata@zanata.org>\n"
+ "Language-Team: Chinese (China) (http://www.transifex.com/projects/p/sssd/"
+@@ -1507,63 +1507,63 @@ msgstr ""
+ msgid "SSSD is already running\n"
+ msgstr ""
+ 
+-#: src/providers/krb5/krb5_child.c:3216 src/providers/ldap/ldap_child.c:605
++#: src/providers/krb5/krb5_child.c:3229 src/providers/ldap/ldap_child.c:605
+ msgid "Debug level"
+ msgstr ""
+ 
+-#: src/providers/krb5/krb5_child.c:3218 src/providers/ldap/ldap_child.c:607
++#: src/providers/krb5/krb5_child.c:3231 src/providers/ldap/ldap_child.c:607
+ msgid "Add debug timestamps"
+ msgstr ""
+ 
+-#: src/providers/krb5/krb5_child.c:3220 src/providers/ldap/ldap_child.c:609
++#: src/providers/krb5/krb5_child.c:3233 src/providers/ldap/ldap_child.c:609
+ msgid "Show timestamps with microseconds"
+ msgstr ""
+ 
+-#: src/providers/krb5/krb5_child.c:3222 src/providers/ldap/ldap_child.c:611
++#: src/providers/krb5/krb5_child.c:3235 src/providers/ldap/ldap_child.c:611
+ msgid "An open file descriptor for the debug logs"
+ msgstr ""
+ 
+-#: src/providers/krb5/krb5_child.c:3225 src/providers/ldap/ldap_child.c:613
++#: src/providers/krb5/krb5_child.c:3238 src/providers/ldap/ldap_child.c:613
+ msgid "Send the debug output to stderr directly."
+ msgstr ""
+ 
+-#: src/providers/krb5/krb5_child.c:3228
++#: src/providers/krb5/krb5_child.c:3241
+ msgid "The user to create FAST ccache as"
+ msgstr ""
+ 
+-#: src/providers/krb5/krb5_child.c:3230
++#: src/providers/krb5/krb5_child.c:3243
+ msgid "The group to create FAST ccache as"
+ msgstr ""
+ 
+-#: src/providers/krb5/krb5_child.c:3232
++#: src/providers/krb5/krb5_child.c:3245
+ msgid "Kerberos realm to use"
+ msgstr ""
+ 
+-#: src/providers/krb5/krb5_child.c:3234
++#: src/providers/krb5/krb5_child.c:3247
+ msgid "Requested lifetime of the ticket"
+ msgstr ""
+ 
+-#: src/providers/krb5/krb5_child.c:3236
++#: src/providers/krb5/krb5_child.c:3249
+ msgid "Requested renewable lifetime of the ticket"
+ msgstr ""
+ 
+-#: src/providers/krb5/krb5_child.c:3238
++#: src/providers/krb5/krb5_child.c:3251
+ msgid "FAST options ('never', 'try', 'demand')"
+ msgstr ""
+ 
+-#: src/providers/krb5/krb5_child.c:3241
++#: src/providers/krb5/krb5_child.c:3254
+ msgid "Specifies the server principal to use for FAST"
+ msgstr ""
+ 
+-#: src/providers/krb5/krb5_child.c:3243
++#: src/providers/krb5/krb5_child.c:3256
+ msgid "Requests canonicalization of the principal name"
+ msgstr ""
+ 
+-#: src/providers/krb5/krb5_child.c:3245
++#: src/providers/krb5/krb5_child.c:3258
+ msgid "Use custom version of krb5_get_init_creds_password"
+ msgstr ""
+ 
+-#: src/providers/data_provider_be.c:556
++#: src/providers/data_provider_be.c:582
+ msgid "Domain of the information provider (mandatory)"
+ msgstr ""
+ 
+@@ -1595,88 +1595,88 @@ msgstr ""
+ msgid "Permission denied. "
+ msgstr ""
+ 
+-#: src/sss_client/pam_sss.c:77 src/sss_client/pam_sss.c:782
+-#: src/sss_client/pam_sss.c:793
++#: src/sss_client/pam_sss.c:77 src/sss_client/pam_sss.c:785
++#: src/sss_client/pam_sss.c:796
+ msgid "Server message: "
+ msgstr ""
+ 
+-#: src/sss_client/pam_sss.c:300
++#: src/sss_client/pam_sss.c:303
+ msgid "Passwords do not match"
+ msgstr ""
+ 
+-#: src/sss_client/pam_sss.c:488
++#: src/sss_client/pam_sss.c:491
+ msgid "Password reset by root is not supported."
+ msgstr ""
+ 
+-#: src/sss_client/pam_sss.c:529
++#: src/sss_client/pam_sss.c:532
+ msgid "Authenticated with cached credentials"
+ msgstr ""
+ 
+-#: src/sss_client/pam_sss.c:530
++#: src/sss_client/pam_sss.c:533
+ msgid ", your cached password will expire at: "
+ msgstr ""
+ 
+-#: src/sss_client/pam_sss.c:560
++#: src/sss_client/pam_sss.c:563
+ #, c-format
+ msgid "Your password has expired. You have %1$d grace login(s) remaining."
+ msgstr ""
+ 
+-#: src/sss_client/pam_sss.c:606
++#: src/sss_client/pam_sss.c:609
+ #, c-format
+ msgid "Your password will expire in %1$d %2$s."
+ msgstr ""
+ 
+-#: src/sss_client/pam_sss.c:655
++#: src/sss_client/pam_sss.c:658
+ msgid "Authentication is denied until: "
+ msgstr ""
+ 
+-#: src/sss_client/pam_sss.c:676
++#: src/sss_client/pam_sss.c:679
+ msgid "System is offline, password change not possible"
+ msgstr ""
+ 
+-#: src/sss_client/pam_sss.c:691
++#: src/sss_client/pam_sss.c:694
+ msgid ""
+ "After changing the OTP password, you need to log out and back in order to "
+ "acquire a ticket"
+ msgstr ""
+ 
+-#: src/sss_client/pam_sss.c:779 src/sss_client/pam_sss.c:792
++#: src/sss_client/pam_sss.c:782 src/sss_client/pam_sss.c:795
+ msgid "Password change failed. "
+ msgstr ""
+ 
+-#: src/sss_client/pam_sss.c:1926
++#: src/sss_client/pam_sss.c:1972
+ msgid "New Password: "
+ msgstr ""
+ 
+-#: src/sss_client/pam_sss.c:1927
++#: src/sss_client/pam_sss.c:1973
+ msgid "Reenter new Password: "
+ msgstr ""
+ 
+-#: src/sss_client/pam_sss.c:2039 src/sss_client/pam_sss.c:2042
++#: src/sss_client/pam_sss.c:2130 src/sss_client/pam_sss.c:2133
+ msgid "First Factor: "
+ msgstr ""
+ 
+-#: src/sss_client/pam_sss.c:2040 src/sss_client/pam_sss.c:2202
++#: src/sss_client/pam_sss.c:2131 src/sss_client/pam_sss.c:2294
+ msgid "Second Factor (optional): "
+ msgstr ""
+ 
+-#: src/sss_client/pam_sss.c:2043 src/sss_client/pam_sss.c:2205
++#: src/sss_client/pam_sss.c:2134 src/sss_client/pam_sss.c:2297
+ msgid "Second Factor: "
+ msgstr ""
+ 
+-#: src/sss_client/pam_sss.c:2058
++#: src/sss_client/pam_sss.c:2149
+ msgid "Password: "
+ msgstr ""
+ 
+-#: src/sss_client/pam_sss.c:2201 src/sss_client/pam_sss.c:2204
++#: src/sss_client/pam_sss.c:2293 src/sss_client/pam_sss.c:2296
+ msgid "First Factor (Current Password): "
+ msgstr ""
+ 
+-#: src/sss_client/pam_sss.c:2208
++#: src/sss_client/pam_sss.c:2300
+ msgid "Current Password: "
+ msgstr ""
+ 
+-#: src/sss_client/pam_sss.c:2536
++#: src/sss_client/pam_sss.c:2628
+ msgid "Password expired. Change your password now."
+ msgstr ""
+ 
+@@ -1685,7 +1685,7 @@ msgstr ""
+ #: src/tools/sss_groupadd.c:41 src/tools/sss_groupdel.c:44
+ #: src/tools/sss_groupmod.c:42 src/tools/sss_groupshow.c:668
+ #: src/tools/sss_userdel.c:134 src/tools/sss_usermod.c:47
+-#: src/tools/sss_cache.c:687
++#: src/tools/sss_cache.c:702
+ msgid "The debug level to run with"
+ msgstr ""
+ 
+@@ -1698,7 +1698,7 @@ msgstr ""
+ #: src/tools/sss_groupadd.c:59 src/tools/sss_groupdel.c:54
+ #: src/tools/sss_groupmod.c:66 src/tools/sss_groupshow.c:680
+ #: src/tools/sss_userdel.c:152 src/tools/sss_usermod.c:79
+-#: src/tools/sss_cache.c:733
++#: src/tools/sss_cache.c:748
+ msgid "Error setting the locale\n"
+ msgstr ""
+ 
+@@ -2146,88 +2146,88 @@ msgstr ""
+ msgid "Couldn't invalidate %1$s %2$s\n"
+ msgstr ""
+ 
+-#: src/tools/sss_cache.c:689
++#: src/tools/sss_cache.c:704
+ msgid "Invalidate all cached entries"
+ msgstr ""
+ 
+-#: src/tools/sss_cache.c:691
++#: src/tools/sss_cache.c:706
+ msgid "Invalidate particular user"
+ msgstr ""
+ 
+-#: src/tools/sss_cache.c:693
++#: src/tools/sss_cache.c:708
+ msgid "Invalidate all users"
+ msgstr ""
+ 
+-#: src/tools/sss_cache.c:695
++#: src/tools/sss_cache.c:710
+ msgid "Invalidate particular group"
+ msgstr ""
+ 
+-#: src/tools/sss_cache.c:697
++#: src/tools/sss_cache.c:712
+ msgid "Invalidate all groups"
+ msgstr ""
+ 
+-#: src/tools/sss_cache.c:699
++#: src/tools/sss_cache.c:714
+ msgid "Invalidate particular netgroup"
+ msgstr ""
+ 
+-#: src/tools/sss_cache.c:701
++#: src/tools/sss_cache.c:716
+ msgid "Invalidate all netgroups"
+ msgstr ""
+ 
+-#: src/tools/sss_cache.c:703
++#: src/tools/sss_cache.c:718
+ msgid "Invalidate particular service"
+ msgstr ""
+ 
+-#: src/tools/sss_cache.c:705
++#: src/tools/sss_cache.c:720
+ msgid "Invalidate all services"
+ msgstr ""
+ 
+-#: src/tools/sss_cache.c:708
++#: src/tools/sss_cache.c:723
+ msgid "Invalidate particular autofs map"
+ msgstr ""
+ 
+-#: src/tools/sss_cache.c:710
++#: src/tools/sss_cache.c:725
+ msgid "Invalidate all autofs maps"
+ msgstr ""
+ 
+-#: src/tools/sss_cache.c:714
++#: src/tools/sss_cache.c:729
+ msgid "Invalidate particular SSH host"
+ msgstr ""
+ 
+-#: src/tools/sss_cache.c:716
++#: src/tools/sss_cache.c:731
+ msgid "Invalidate all SSH hosts"
+ msgstr ""
+ 
+-#: src/tools/sss_cache.c:720
++#: src/tools/sss_cache.c:735
+ msgid "Invalidate particular sudo rule"
+ msgstr ""
+ 
+-#: src/tools/sss_cache.c:722
++#: src/tools/sss_cache.c:737
+ msgid "Invalidate all cached sudo rules"
+ msgstr ""
+ 
+-#: src/tools/sss_cache.c:725
++#: src/tools/sss_cache.c:740
+ msgid "Only invalidate entries from a particular domain"
+ msgstr ""
+ 
+-#: src/tools/sss_cache.c:779
++#: src/tools/sss_cache.c:794
+ msgid ""
+ "Unexpected argument(s) provided, options that invalidate a single object "
+ "only accept a single provided argument.\n"
+ msgstr ""
+ 
+-#: src/tools/sss_cache.c:789
++#: src/tools/sss_cache.c:804
+ msgid "Please select at least one object to invalidate\n"
+ msgstr ""
+ 
+-#: src/tools/sss_cache.c:872
++#: src/tools/sss_cache.c:887
+ #, c-format
+ msgid ""
+ "Could not open domain %1$s. If the domain is a subdomain (trusted domain), "
+ "use fully qualified name instead of --domain/-d parameter.\n"
+ msgstr ""
+ 
+-#: src/tools/sss_cache.c:877
++#: src/tools/sss_cache.c:892
+ msgid "Could not open available domains\n"
+ msgstr ""
+ 
+@@ -2791,18 +2791,18 @@ msgstr ""
+ msgid " - no env -\n"
+ msgstr ""
+ 
+-#: src/util/util.h:75
++#: src/util/util.h:83
+ msgid "The user ID to run the server as"
+ msgstr ""
+ 
+-#: src/util/util.h:77
++#: src/util/util.h:85
+ msgid "The group ID to run the server as"
+ msgstr ""
+ 
+-#: src/util/util.h:85
++#: src/util/util.h:93
+ msgid "Informs that the responder has been socket-activated"
+ msgstr ""
+ 
+-#: src/util/util.h:87
++#: src/util/util.h:95
+ msgid "Informs that the responder has been dbus-activated"
+ msgstr ""
+diff --git a/po/zh_TW.po b/po/zh_TW.po
+index b19680d93..00662b946 100644
+--- a/po/zh_TW.po
++++ b/po/zh_TW.po
+@@ -7,7 +7,7 @@ msgid ""
+ msgstr ""
+ "Project-Id-Version: PACKAGE VERSION\n"
+ "Report-Msgid-Bugs-To: sssd-devel@lists.fedorahosted.org\n"
+-"POT-Creation-Date: 2019-03-20 22:07+0100\n"
++"POT-Creation-Date: 2019-10-07 11:34+0200\n"
+ "PO-Revision-Date: 2014-12-14 11:50+0000\n"
+ "Last-Translator: Copied by Zanata <copied-by-zanata@zanata.org>\n"
+ "Language-Team: Chinese (Taiwan) (http://www.transifex.com/projects/p/sssd/"
+@@ -1507,63 +1507,63 @@ msgstr ""
+ msgid "SSSD is already running\n"
+ msgstr ""
+ 
+-#: src/providers/krb5/krb5_child.c:3216 src/providers/ldap/ldap_child.c:605
++#: src/providers/krb5/krb5_child.c:3229 src/providers/ldap/ldap_child.c:605
+ msgid "Debug level"
+ msgstr "除錯層級"
+ 
+-#: src/providers/krb5/krb5_child.c:3218 src/providers/ldap/ldap_child.c:607
++#: src/providers/krb5/krb5_child.c:3231 src/providers/ldap/ldap_child.c:607
+ msgid "Add debug timestamps"
+ msgstr "加入除錯時間戳記"
+ 
+-#: src/providers/krb5/krb5_child.c:3220 src/providers/ldap/ldap_child.c:609
++#: src/providers/krb5/krb5_child.c:3233 src/providers/ldap/ldap_child.c:609
+ msgid "Show timestamps with microseconds"
+ msgstr ""
+ 
+-#: src/providers/krb5/krb5_child.c:3222 src/providers/ldap/ldap_child.c:611
++#: src/providers/krb5/krb5_child.c:3235 src/providers/ldap/ldap_child.c:611
+ msgid "An open file descriptor for the debug logs"
+ msgstr ""
+ 
+-#: src/providers/krb5/krb5_child.c:3225 src/providers/ldap/ldap_child.c:613
++#: src/providers/krb5/krb5_child.c:3238 src/providers/ldap/ldap_child.c:613
+ msgid "Send the debug output to stderr directly."
+ msgstr ""
+ 
+-#: src/providers/krb5/krb5_child.c:3228
++#: src/providers/krb5/krb5_child.c:3241
+ msgid "The user to create FAST ccache as"
+ msgstr ""
+ 
+-#: src/providers/krb5/krb5_child.c:3230
++#: src/providers/krb5/krb5_child.c:3243
+ msgid "The group to create FAST ccache as"
+ msgstr ""
+ 
+-#: src/providers/krb5/krb5_child.c:3232
++#: src/providers/krb5/krb5_child.c:3245
+ msgid "Kerberos realm to use"
+ msgstr ""
+ 
+-#: src/providers/krb5/krb5_child.c:3234
++#: src/providers/krb5/krb5_child.c:3247
+ msgid "Requested lifetime of the ticket"
+ msgstr ""
+ 
+-#: src/providers/krb5/krb5_child.c:3236
++#: src/providers/krb5/krb5_child.c:3249
+ msgid "Requested renewable lifetime of the ticket"
+ msgstr ""
+ 
+-#: src/providers/krb5/krb5_child.c:3238
++#: src/providers/krb5/krb5_child.c:3251
+ msgid "FAST options ('never', 'try', 'demand')"
+ msgstr ""
+ 
+-#: src/providers/krb5/krb5_child.c:3241
++#: src/providers/krb5/krb5_child.c:3254
+ msgid "Specifies the server principal to use for FAST"
+ msgstr ""
+ 
+-#: src/providers/krb5/krb5_child.c:3243
++#: src/providers/krb5/krb5_child.c:3256
+ msgid "Requests canonicalization of the principal name"
+ msgstr ""
+ 
+-#: src/providers/krb5/krb5_child.c:3245
++#: src/providers/krb5/krb5_child.c:3258
+ msgid "Use custom version of krb5_get_init_creds_password"
+ msgstr ""
+ 
+-#: src/providers/data_provider_be.c:556
++#: src/providers/data_provider_be.c:582
+ msgid "Domain of the information provider (mandatory)"
+ msgstr ""
+ 
+@@ -1595,88 +1595,88 @@ msgstr ""
+ msgid "Permission denied. "
+ msgstr ""
+ 
+-#: src/sss_client/pam_sss.c:77 src/sss_client/pam_sss.c:782
+-#: src/sss_client/pam_sss.c:793
++#: src/sss_client/pam_sss.c:77 src/sss_client/pam_sss.c:785
++#: src/sss_client/pam_sss.c:796
+ msgid "Server message: "
+ msgstr "伺服器訊息:"
+ 
+-#: src/sss_client/pam_sss.c:300
++#: src/sss_client/pam_sss.c:303
+ msgid "Passwords do not match"
+ msgstr "密碼不相符"
+ 
+-#: src/sss_client/pam_sss.c:488
++#: src/sss_client/pam_sss.c:491
+ msgid "Password reset by root is not supported."
+ msgstr ""
+ 
+-#: src/sss_client/pam_sss.c:529
++#: src/sss_client/pam_sss.c:532
+ msgid "Authenticated with cached credentials"
+ msgstr ""
+ 
+-#: src/sss_client/pam_sss.c:530
++#: src/sss_client/pam_sss.c:533
+ msgid ", your cached password will expire at: "
+ msgstr ",您快取的密碼將在此刻過期:"
+ 
+-#: src/sss_client/pam_sss.c:560
++#: src/sss_client/pam_sss.c:563
+ #, c-format
+ msgid "Your password has expired. You have %1$d grace login(s) remaining."
+ msgstr ""
+ 
+-#: src/sss_client/pam_sss.c:606
++#: src/sss_client/pam_sss.c:609
+ #, c-format
+ msgid "Your password will expire in %1$d %2$s."
+ msgstr ""
+ 
+-#: src/sss_client/pam_sss.c:655
++#: src/sss_client/pam_sss.c:658
+ msgid "Authentication is denied until: "
+ msgstr ""
+ 
+-#: src/sss_client/pam_sss.c:676
++#: src/sss_client/pam_sss.c:679
+ msgid "System is offline, password change not possible"
+ msgstr "系統已離線,不可能作密碼變更"
+ 
+-#: src/sss_client/pam_sss.c:691
++#: src/sss_client/pam_sss.c:694
+ msgid ""
+ "After changing the OTP password, you need to log out and back in order to "
+ "acquire a ticket"
+ msgstr ""
+ 
+-#: src/sss_client/pam_sss.c:779 src/sss_client/pam_sss.c:792
++#: src/sss_client/pam_sss.c:782 src/sss_client/pam_sss.c:795
+ msgid "Password change failed. "
+ msgstr "密碼變更失敗。"
+ 
+-#: src/sss_client/pam_sss.c:1926
++#: src/sss_client/pam_sss.c:1972
+ msgid "New Password: "
+ msgstr "新密碼:"
+ 
+-#: src/sss_client/pam_sss.c:1927
++#: src/sss_client/pam_sss.c:1973
+ msgid "Reenter new Password: "
+ msgstr "再次輸入新密碼:"
+ 
+-#: src/sss_client/pam_sss.c:2039 src/sss_client/pam_sss.c:2042
++#: src/sss_client/pam_sss.c:2130 src/sss_client/pam_sss.c:2133
+ msgid "First Factor: "
+ msgstr ""
+ 
+-#: src/sss_client/pam_sss.c:2040 src/sss_client/pam_sss.c:2202
++#: src/sss_client/pam_sss.c:2131 src/sss_client/pam_sss.c:2294
+ msgid "Second Factor (optional): "
+ msgstr ""
+ 
+-#: src/sss_client/pam_sss.c:2043 src/sss_client/pam_sss.c:2205
++#: src/sss_client/pam_sss.c:2134 src/sss_client/pam_sss.c:2297
+ msgid "Second Factor: "
+ msgstr ""
+ 
+-#: src/sss_client/pam_sss.c:2058
++#: src/sss_client/pam_sss.c:2149
+ msgid "Password: "
+ msgstr "密碼:"
+ 
+-#: src/sss_client/pam_sss.c:2201 src/sss_client/pam_sss.c:2204
++#: src/sss_client/pam_sss.c:2293 src/sss_client/pam_sss.c:2296
+ msgid "First Factor (Current Password): "
+ msgstr ""
+ 
+-#: src/sss_client/pam_sss.c:2208
++#: src/sss_client/pam_sss.c:2300
+ msgid "Current Password: "
+ msgstr "目前的密碼:"
+ 
+-#: src/sss_client/pam_sss.c:2536
++#: src/sss_client/pam_sss.c:2628
+ msgid "Password expired. Change your password now."
+ msgstr "密碼已過期。請立刻變更您的密碼。"
+ 
+@@ -1685,7 +1685,7 @@ msgstr "密碼已過期。請立刻變更您的密碼。"
+ #: src/tools/sss_groupadd.c:41 src/tools/sss_groupdel.c:44
+ #: src/tools/sss_groupmod.c:42 src/tools/sss_groupshow.c:668
+ #: src/tools/sss_userdel.c:134 src/tools/sss_usermod.c:47
+-#: src/tools/sss_cache.c:687
++#: src/tools/sss_cache.c:702
+ msgid "The debug level to run with"
+ msgstr ""
+ 
+@@ -1698,7 +1698,7 @@ msgstr ""
+ #: src/tools/sss_groupadd.c:59 src/tools/sss_groupdel.c:54
+ #: src/tools/sss_groupmod.c:66 src/tools/sss_groupshow.c:680
+ #: src/tools/sss_userdel.c:152 src/tools/sss_usermod.c:79
+-#: src/tools/sss_cache.c:733
++#: src/tools/sss_cache.c:748
+ msgid "Error setting the locale\n"
+ msgstr "設定區域設置時發生錯誤\n"
+ 
+@@ -2146,88 +2146,88 @@ msgstr ""
+ msgid "Couldn't invalidate %1$s %2$s\n"
+ msgstr ""
+ 
+-#: src/tools/sss_cache.c:689
++#: src/tools/sss_cache.c:704
+ msgid "Invalidate all cached entries"
+ msgstr ""
+ 
+-#: src/tools/sss_cache.c:691
++#: src/tools/sss_cache.c:706
+ msgid "Invalidate particular user"
+ msgstr ""
+ 
+-#: src/tools/sss_cache.c:693
++#: src/tools/sss_cache.c:708
+ msgid "Invalidate all users"
+ msgstr ""
+ 
+-#: src/tools/sss_cache.c:695
++#: src/tools/sss_cache.c:710
+ msgid "Invalidate particular group"
+ msgstr ""
+ 
+-#: src/tools/sss_cache.c:697
++#: src/tools/sss_cache.c:712
+ msgid "Invalidate all groups"
+ msgstr ""
+ 
+-#: src/tools/sss_cache.c:699
++#: src/tools/sss_cache.c:714
+ msgid "Invalidate particular netgroup"
+ msgstr ""
+ 
+-#: src/tools/sss_cache.c:701
++#: src/tools/sss_cache.c:716
+ msgid "Invalidate all netgroups"
+ msgstr ""
+ 
+-#: src/tools/sss_cache.c:703
++#: src/tools/sss_cache.c:718
+ msgid "Invalidate particular service"
+ msgstr ""
+ 
+-#: src/tools/sss_cache.c:705
++#: src/tools/sss_cache.c:720
+ msgid "Invalidate all services"
+ msgstr ""
+ 
+-#: src/tools/sss_cache.c:708
++#: src/tools/sss_cache.c:723
+ msgid "Invalidate particular autofs map"
+ msgstr ""
+ 
+-#: src/tools/sss_cache.c:710
++#: src/tools/sss_cache.c:725
+ msgid "Invalidate all autofs maps"
+ msgstr ""
+ 
+-#: src/tools/sss_cache.c:714
++#: src/tools/sss_cache.c:729
+ msgid "Invalidate particular SSH host"
+ msgstr ""
+ 
+-#: src/tools/sss_cache.c:716
++#: src/tools/sss_cache.c:731
+ msgid "Invalidate all SSH hosts"
+ msgstr ""
+ 
+-#: src/tools/sss_cache.c:720
++#: src/tools/sss_cache.c:735
+ msgid "Invalidate particular sudo rule"
+ msgstr ""
+ 
+-#: src/tools/sss_cache.c:722
++#: src/tools/sss_cache.c:737
+ msgid "Invalidate all cached sudo rules"
+ msgstr ""
+ 
+-#: src/tools/sss_cache.c:725
++#: src/tools/sss_cache.c:740
+ msgid "Only invalidate entries from a particular domain"
+ msgstr ""
+ 
+-#: src/tools/sss_cache.c:779
++#: src/tools/sss_cache.c:794
+ msgid ""
+ "Unexpected argument(s) provided, options that invalidate a single object "
+ "only accept a single provided argument.\n"
+ msgstr ""
+ 
+-#: src/tools/sss_cache.c:789
++#: src/tools/sss_cache.c:804
+ msgid "Please select at least one object to invalidate\n"
+ msgstr ""
+ 
+-#: src/tools/sss_cache.c:872
++#: src/tools/sss_cache.c:887
+ #, c-format
+ msgid ""
+ "Could not open domain %1$s. If the domain is a subdomain (trusted domain), "
+ "use fully qualified name instead of --domain/-d parameter.\n"
+ msgstr ""
+ 
+-#: src/tools/sss_cache.c:877
++#: src/tools/sss_cache.c:892
+ msgid "Could not open available domains\n"
+ msgstr ""
+ 
+@@ -2791,18 +2791,18 @@ msgstr ""
+ msgid " - no env -\n"
+ msgstr ""
+ 
+-#: src/util/util.h:75
++#: src/util/util.h:83
+ msgid "The user ID to run the server as"
+ msgstr ""
+ 
+-#: src/util/util.h:77
++#: src/util/util.h:85
+ msgid "The group ID to run the server as"
+ msgstr ""
+ 
+-#: src/util/util.h:85
++#: src/util/util.h:93
+ msgid "Informs that the responder has been socket-activated"
+ msgstr ""
+ 
+-#: src/util/util.h:87
++#: src/util/util.h:95
+ msgid "Informs that the responder has been dbus-activated"
+ msgstr ""
+diff --git a/src/man/po/br.po b/src/man/po/br.po
+index 0e8197d20..5a29f3f75 100644
+--- a/src/man/po/br.po
++++ b/src/man/po/br.po
+@@ -8,7 +8,7 @@ msgid ""
+ msgstr ""
+ "Project-Id-Version: sssd-docs 2.0.99\n"
+ "Report-Msgid-Bugs-To: sssd-devel@redhat.com\n"
+-"POT-Creation-Date: 2019-03-20 22:06+0100\n"
++"POT-Creation-Date: 2019-10-07 11:33+0200\n"
+ "PO-Revision-Date: 2014-12-14 11:51+0000\n"
+ "Last-Translator: Copied by Zanata <copied-by-zanata@zanata.org>\n"
+ "Language-Team: Breton (http://www.transifex.com/projects/p/sssd/language/"
+@@ -299,10 +299,10 @@ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:133 sssd.conf.5.xml:543 sssd.conf.5.xml:840
+-#: sssd.conf.5.xml:1566 sssd.conf.5.xml:1596 sssd-ldap.5.xml:1889
+-#: sssd-ldap.5.xml:1986 sssd-ldap.5.xml:2048 sssd-ldap.5.xml:2614
+-#: sssd-ldap.5.xml:2679 sssd-ldap.5.xml:2697 sssd-ad.5.xml:227
+-#: sssd-ad.5.xml:341 sssd-ad.5.xml:907 sssd-krb5.5.xml:499
++#: sssd.conf.5.xml:1566 sssd.conf.5.xml:1596 sssd-ldap.5.xml:1908
++#: sssd-ldap.5.xml:2006 sssd-ldap.5.xml:2068 sssd-ldap.5.xml:2634
++#: sssd-ldap.5.xml:2699 sssd-ldap.5.xml:2717 sssd-ad.5.xml:227
++#: sssd-ad.5.xml:341 sssd-ad.5.xml:926 sssd-krb5.5.xml:499
+ #: sssd-secrets.5.xml:351 sssd-secrets.5.xml:364
+ msgid "Default: true"
+ msgstr "Dre ziouer : true"
+@@ -321,16 +321,16 @@ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:146 sssd.conf.5.xml:540 sssd.conf.5.xml:722
+-#: sssd.conf.5.xml:1499 sssd.conf.5.xml:3106 sssd-ldap.5.xml:746
+-#: sssd-ldap.5.xml:1752 sssd-ldap.5.xml:1771 sssd-ldap.5.xml:1958
+-#: sssd-ldap.5.xml:2384 sssd-ipa.5.xml:151 sssd-ipa.5.xml:238
++#: sssd.conf.5.xml:1499 sssd.conf.5.xml:3129 sssd-ldap.5.xml:746
++#: sssd-ldap.5.xml:1759 sssd-ldap.5.xml:1778 sssd-ldap.5.xml:1978
++#: sssd-ldap.5.xml:2404 sssd-ipa.5.xml:151 sssd-ipa.5.xml:238
+ #: sssd-ipa.5.xml:559 sssd-krb5.5.xml:266 sssd-krb5.5.xml:300
+ #: sssd-krb5.5.xml:471
+ msgid "Default: false"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para>
+-#: sssd.conf.5.xml:106 sssd.conf.5.xml:157 sssd-ldap.5.xml:2422
++#: sssd.conf.5.xml:106 sssd.conf.5.xml:157 sssd-ldap.5.xml:2442
+ #: sssd-systemtap.5.xml:82 sssd-systemtap.5.xml:143 sssd-systemtap.5.xml:210
+ #: sssd-systemtap.5.xml:248 sssd-systemtap.5.xml:304
+ msgid "<placeholder type=\"variablelist\" id=\"0\"/>"
+@@ -355,8 +355,8 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:169 sssd.conf.5.xml:1377 sssd.conf.5.xml:3122
+-#: sssd-ldap.5.xml:1623 include/ldap_id_mapping.xml:264
++#: sssd.conf.5.xml:169 sssd.conf.5.xml:1377 sssd.conf.5.xml:3145
++#: sssd-ldap.5.xml:1630 include/ldap_id_mapping.xml:264
+ msgid "Default: 10"
+ msgstr ""
+ 
+@@ -371,7 +371,7 @@ msgid "The [sssd] section"
+ msgstr "Ar rann [sssd]"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><title>
+-#: sssd.conf.5.xml:191 sssd.conf.5.xml:3211
++#: sssd.conf.5.xml:191 sssd.conf.5.xml:3234
+ msgid "Section parameters"
+ msgstr "Arventennoù ar rann"
+ 
+@@ -451,7 +451,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:259 sssd.conf.5.xml:2672
++#: sssd.conf.5.xml:259 sssd.conf.5.xml:2680
+ msgid "re_expression (string)"
+ msgstr "re_expression (neudennad)"
+ 
+@@ -471,12 +471,12 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:276 sssd.conf.5.xml:2720
++#: sssd.conf.5.xml:276 sssd.conf.5.xml:2728
+ msgid "full_name_format (string)"
+ msgstr "full_name_format (neudennad)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:279 sssd.conf.5.xml:2723
++#: sssd.conf.5.xml:279 sssd.conf.5.xml:2731
+ msgid ""
+ "A <citerefentry> <refentrytitle>printf</refentrytitle> <manvolnum>3</"
+ "manvolnum> </citerefentry>-compatible format that describes how to compose a "
+@@ -484,39 +484,39 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:290 sssd.conf.5.xml:2734
++#: sssd.conf.5.xml:290 sssd.conf.5.xml:2742
+ msgid "%1$s"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:291 sssd.conf.5.xml:2735
++#: sssd.conf.5.xml:291 sssd.conf.5.xml:2743
+ msgid "user name"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:294 sssd.conf.5.xml:2738
++#: sssd.conf.5.xml:294 sssd.conf.5.xml:2746
+ msgid "%2$s"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:297 sssd.conf.5.xml:2741
++#: sssd.conf.5.xml:297 sssd.conf.5.xml:2749
+ msgid "domain name as specified in the SSSD config file."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:303 sssd.conf.5.xml:2747
++#: sssd.conf.5.xml:303 sssd.conf.5.xml:2755
+ msgid "%3$s"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:306 sssd.conf.5.xml:2750
++#: sssd.conf.5.xml:306 sssd.conf.5.xml:2758
+ msgid ""
+ "domain flat name. Mostly usable for Active Directory domains, both directly "
+ "configured or discovered via IPA trusts."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:287 sssd.conf.5.xml:2731
++#: sssd.conf.5.xml:287 sssd.conf.5.xml:2739
+ msgid ""
+ "The following expansions are supported: <placeholder type=\"variablelist\" "
+ "id=\"0\"/>"
+@@ -641,9 +641,9 @@ msgstr ""
+ 
+ #. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:418 sssd.conf.5.xml:1166 sssd-ldap.5.xml:717
+-#: sssd-ldap.5.xml:1357 sssd-ldap.5.xml:1711 sssd-ldap.5.xml:1723
+-#: sssd-ldap.5.xml:1805 sssd-ad.5.xml:712 sssd-ad.5.xml:787 sssd.8.xml:126
+-#: sssd-krb5.5.xml:410 sssd-krb5.5.xml:556 sssd-secrets.5.xml:339
++#: sssd-ldap.5.xml:1357 sssd-ldap.5.xml:1718 sssd-ldap.5.xml:1730
++#: sssd-ldap.5.xml:1822 sssd-ad.5.xml:731 sssd-ad.5.xml:806 sssd.8.xml:126
++#: sssd-krb5.5.xml:410 sssd-krb5.5.xml:590 sssd-secrets.5.xml:339
+ #: sssd-secrets.5.xml:377 sssd-secrets.5.xml:390 sssd-secrets.5.xml:404
+ #: sssd-secrets.5.xml:415 include/ldap_id_mapping.xml:205
+ #: include/ldap_id_mapping.xml:216
+@@ -834,7 +834,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:588 sssd.conf.5.xml:1389 sssd.conf.5.xml:3172
++#: sssd.conf.5.xml:588 sssd.conf.5.xml:1389 sssd.conf.5.xml:3195
+ #: sssd-ad.5.xml:164 sssd-ad.5.xml:302 sssd-ad.5.xml:316
+ msgid "Default: Not set"
+ msgstr ""
+@@ -1156,7 +1156,7 @@ msgstr ""
+ 
+ #. type: Content of: <varlistentry><listitem><para>
+ #: sssd.conf.5.xml:859 sssd.conf.5.xml:1299 sssd.conf.5.xml:1318
+-#: sssd-krb5.5.xml:539 include/override_homedir.xml:59
++#: sssd-krb5.5.xml:573 include/override_homedir.xml:59
+ msgid "example: <placeholder type=\"programlisting\" id=\"0\"/>"
+ msgstr ""
+ 
+@@ -1577,7 +1577,7 @@ msgid "pam_pwd_expiration_warning (integer)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:1201 sssd.conf.5.xml:2153
++#: sssd.conf.5.xml:1201 sssd.conf.5.xml:2161
+ msgid "Display a warning N days before the password expires."
+ msgstr ""
+ 
+@@ -1590,7 +1590,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:1210 sssd.conf.5.xml:2156
++#: sssd.conf.5.xml:1210 sssd.conf.5.xml:2164
+ msgid ""
+ "If zero is set, then this filter is not applied, i.e. if the expiration "
+ "warning was received from backend server, it will automatically be displayed."
+@@ -1604,7 +1604,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:1220 sssd.conf.5.xml:2976 sssd.8.xml:79
++#: sssd.conf.5.xml:1220 sssd.conf.5.xml:2991 sssd.8.xml:79
+ msgid "Default: 0"
+ msgstr "Dre ziouer : 0"
+ 
+@@ -1667,7 +1667,7 @@ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:1280 sssd.conf.5.xml:1305 sssd.conf.5.xml:1324
+-#: sssd.conf.5.xml:1950 sssd.conf.5.xml:2912 sssd-ldap.5.xml:2017
++#: sssd.conf.5.xml:1950 sssd.conf.5.xml:2920 sssd-ldap.5.xml:2037
+ msgid "Default: none"
+ msgstr ""
+ 
+@@ -1732,9 +1732,9 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:1338 sssd.conf.5.xml:3056 sssd-ldap.5.xml:1125
+-#: sssd-ldap.5.xml:1152 sssd-ldap.5.xml:1552 sssd-ldap.5.xml:1573
+-#: sssd-ldap.5.xml:2090 include/ldap_id_mapping.xml:244
++#: sssd.conf.5.xml:1338 sssd-ldap.5.xml:1125 sssd-ldap.5.xml:1152
++#: sssd-ldap.5.xml:1552 sssd-ldap.5.xml:1573 sssd-ldap.5.xml:2110
++#: sssd-ad.5.xml:453 include/ldap_id_mapping.xml:244
+ msgid "Default: False"
+ msgstr ""
+ 
+@@ -1832,48 +1832,48 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:1416 sssd-ad.5.xml:485 sssd-ad.5.xml:581 sssd-ad.5.xml:627
+-#: sssd-ad.5.xml:673 sssd-ad.5.xml:739
++#: sssd.conf.5.xml:1416 sssd-ad.5.xml:504 sssd-ad.5.xml:600 sssd-ad.5.xml:646
++#: sssd-ad.5.xml:692 sssd-ad.5.xml:758
+ msgid "Default: the default set of PAM service names includes:"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd.conf.5.xml:1421 sssd-ad.5.xml:489
++#: sssd.conf.5.xml:1421 sssd-ad.5.xml:508
+ msgid "login"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd.conf.5.xml:1426 sssd-ad.5.xml:494
++#: sssd.conf.5.xml:1426 sssd-ad.5.xml:513
+ msgid "su"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd.conf.5.xml:1431 sssd-ad.5.xml:499
++#: sssd.conf.5.xml:1431 sssd-ad.5.xml:518
+ msgid "su-l"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd.conf.5.xml:1436 sssd-ad.5.xml:514
++#: sssd.conf.5.xml:1436 sssd-ad.5.xml:533
+ msgid "gdm-smartcard"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd.conf.5.xml:1441 sssd-ad.5.xml:509
++#: sssd.conf.5.xml:1441 sssd-ad.5.xml:528
+ msgid "gdm-password"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd.conf.5.xml:1446 sssd-ad.5.xml:519
++#: sssd.conf.5.xml:1446 sssd-ad.5.xml:538
+ msgid "kdm"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd.conf.5.xml:1451 sssd-ad.5.xml:748
++#: sssd.conf.5.xml:1451 sssd-ad.5.xml:767
+ msgid "sudo"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd.conf.5.xml:1456 sssd-ad.5.xml:753
++#: sssd.conf.5.xml:1456 sssd-ad.5.xml:772
+ msgid "sudo-i"
+ msgstr ""
+ 
+@@ -2316,7 +2316,7 @@ msgid "FALSE = No enumerations for this domain"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:1886 sssd.conf.5.xml:2108 sssd.conf.5.xml:2283
++#: sssd.conf.5.xml:1886 sssd.conf.5.xml:2116 sssd.conf.5.xml:2291
+ msgid "Default: FALSE"
+ msgstr ""
+ 
+@@ -2532,41 +2532,49 @@ msgstr ""
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:2083
+ msgid ""
+-"The background refresh will process users, groups and netgroups in the cache."
++"The background refresh will process users, groups and netgroups in the "
++"cache. For users who have performed the initgroups (get group membership for "
++"user, typically ran at login)  operation in the past, both the user entry "
++"and the group membership are updated."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2087
++#: sssd.conf.5.xml:2091
++msgid "This option is automatically inherited for all trusted domains."
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
++#: sssd.conf.5.xml:2095
+ msgid "You can consider setting this value to 3/4 * entry_cache_timeout."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2091 sssd-ldap.5.xml:784 sssd-ipa.5.xml:254
++#: sssd.conf.5.xml:2099 sssd-ldap.5.xml:784 sssd-ipa.5.xml:254
+ msgid "Default: 0 (disabled)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2097
++#: sssd.conf.5.xml:2105
+ msgid "cache_credentials (bool)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2100
++#: sssd.conf.5.xml:2108
+ msgid "Determines if user credentials are also cached in the local LDB cache"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2104
++#: sssd.conf.5.xml:2112
+ msgid "User credentials are stored in a SHA512 hash, not in plaintext"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2114
++#: sssd.conf.5.xml:2122
+ msgid "cache_credentials_minimal_first_factor_length (int)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2117
++#: sssd.conf.5.xml:2125
+ msgid ""
+ "If 2-Factor-Authentication (2FA) is used and credentials should be saved "
+ "this value determines the minimal length the first authentication factor "
+@@ -2574,24 +2582,24 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2124
++#: sssd.conf.5.xml:2132
+ msgid ""
+ "This should avoid that the short PINs of a PIN based 2FA scheme are saved in "
+ "the cache which would make them easy targets for brute-force attacks."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2129
++#: sssd.conf.5.xml:2137
+ msgid "Default: 8"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2135
++#: sssd.conf.5.xml:2143
+ msgid "account_cache_expiration (integer)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2138
++#: sssd.conf.5.xml:2146
+ msgid ""
+ "Number of days entries are left in cache after last successful login before "
+ "being removed during a cleanup of the cache. 0 means keep forever.  The "
+@@ -2600,17 +2608,17 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2145
++#: sssd.conf.5.xml:2153
+ msgid "Default: 0 (unlimited)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2150
++#: sssd.conf.5.xml:2158
+ msgid "pwd_expiration_warning (integer)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2161
++#: sssd.conf.5.xml:2169
+ msgid ""
+ "Please note that the backend server has to provide information about the "
+ "expiration time of the password.  If this information is missing, sssd "
+@@ -2619,34 +2627,34 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2168
++#: sssd.conf.5.xml:2176
+ msgid "Default: 7 (Kerberos), 0 (LDAP)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2174
++#: sssd.conf.5.xml:2182
+ msgid "id_provider (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2177
++#: sssd.conf.5.xml:2185
+ msgid ""
+ "The identification provider used for the domain.  Supported ID providers are:"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2181
++#: sssd.conf.5.xml:2189
+ msgid "<quote>proxy</quote>: Support a legacy NSS provider."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2184
++#: sssd.conf.5.xml:2192
+ msgid ""
+ "<quote>local</quote>: SSSD internal provider for local users (DEPRECATED)."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2188
++#: sssd.conf.5.xml:2196
+ msgid ""
+ "<quote>files</quote>: FILES provider. See <citerefentry> <refentrytitle>sssd-"
+ "files</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> for more "
+@@ -2654,7 +2662,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2196
++#: sssd.conf.5.xml:2204
+ msgid ""
+ "<quote>ldap</quote>: LDAP provider. See <citerefentry> <refentrytitle>sssd-"
+ "ldap</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> for more "
+@@ -2662,8 +2670,8 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2204 sssd.conf.5.xml:2309 sssd.conf.5.xml:2364
+-#: sssd.conf.5.xml:2427
++#: sssd.conf.5.xml:2212 sssd.conf.5.xml:2317 sssd.conf.5.xml:2372
++#: sssd.conf.5.xml:2435
+ msgid ""
+ "<quote>ipa</quote>: FreeIPA and Red Hat Enterprise Identity Management "
+ "provider. See <citerefentry> <refentrytitle>sssd-ipa</refentrytitle> "
+@@ -2672,8 +2680,8 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2213 sssd.conf.5.xml:2318 sssd.conf.5.xml:2373
+-#: sssd.conf.5.xml:2436
++#: sssd.conf.5.xml:2221 sssd.conf.5.xml:2326 sssd.conf.5.xml:2381
++#: sssd.conf.5.xml:2444
+ msgid ""
+ "<quote>ad</quote>: Active Directory provider. See <citerefentry> "
+ "<refentrytitle>sssd-ad</refentrytitle> <manvolnum>5</manvolnum> </"
+@@ -2681,19 +2689,19 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2224
++#: sssd.conf.5.xml:2232
+ msgid "use_fully_qualified_names (bool)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2227
++#: sssd.conf.5.xml:2235
+ msgid ""
+ "Use the full name and domain (as formatted by the domain's full_name_format) "
+ "as the user's login name reported to NSS."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2232
++#: sssd.conf.5.xml:2240
+ msgid ""
+ "If set to TRUE, all requests to this domain must use fully qualified names. "
+ "For example, if used in LOCAL domain that contains a \"test\" user, "
+@@ -2702,7 +2710,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2240
++#: sssd.conf.5.xml:2248
+ msgid ""
+ "NOTE: This option has no effect on netgroup lookups due to their tendency to "
+ "include nested netgroups without qualified names. For netgroups, all domains "
+@@ -2710,22 +2718,22 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2247
++#: sssd.conf.5.xml:2255
+ msgid "Default: FALSE (TRUE if default_domain_suffix is used)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2253
++#: sssd.conf.5.xml:2261
+ msgid "ignore_group_members (bool)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2256
++#: sssd.conf.5.xml:2264
+ msgid "Do not return group members for group lookups."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2259
++#: sssd.conf.5.xml:2267
+ msgid ""
+ "If set to TRUE, the group membership attribute is not requested from the "
+ "ldap server, and group members are not returned when processing group lookup "
+@@ -2737,7 +2745,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2277
++#: sssd.conf.5.xml:2285
+ msgid ""
+ "Enabling this option can also make access provider checks for group "
+ "membership significantly faster, especially for groups containing many "
+@@ -2745,19 +2753,19 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2288
++#: sssd.conf.5.xml:2296
+ msgid "auth_provider (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2291
++#: sssd.conf.5.xml:2299
+ msgid ""
+ "The authentication provider used for the domain.  Supported auth providers "
+ "are:"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2295 sssd.conf.5.xml:2357
++#: sssd.conf.5.xml:2303 sssd.conf.5.xml:2365
+ msgid ""
+ "<quote>ldap</quote> for native LDAP authentication. See <citerefentry> "
+ "<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
+@@ -2765,7 +2773,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2302
++#: sssd.conf.5.xml:2310
+ msgid ""
+ "<quote>krb5</quote> for Kerberos authentication. See <citerefentry> "
+ "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </"
+@@ -2773,35 +2781,35 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2326
++#: sssd.conf.5.xml:2334
+ msgid ""
+ "<quote>proxy</quote> for relaying authentication to some other PAM target."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2329
++#: sssd.conf.5.xml:2337
+ msgid "<quote>local</quote>: SSSD internal provider for local users"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2333
++#: sssd.conf.5.xml:2341
+ msgid "<quote>none</quote> disables authentication explicitly."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2336
++#: sssd.conf.5.xml:2344
+ msgid ""
+ "Default: <quote>id_provider</quote> is used if it is set and can handle "
+ "authentication requests."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2342
++#: sssd.conf.5.xml:2350
+ msgid "access_provider (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2345
++#: sssd.conf.5.xml:2353
+ msgid ""
+ "The access control provider used for the domain.  There are two built-in "
+ "access providers (in addition to any included in installed backends)  "
+@@ -2809,19 +2817,19 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2351
++#: sssd.conf.5.xml:2359
+ msgid ""
+ "<quote>permit</quote> always allow access. It's the only permitted access "
+ "provider for a local domain."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2354
++#: sssd.conf.5.xml:2362
+ msgid "<quote>deny</quote> always deny access."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2381
++#: sssd.conf.5.xml:2389
+ msgid ""
+ "<quote>simple</quote> access control based on access or deny lists. See "
+ "<citerefentry> <refentrytitle>sssd-simple</refentrytitle> <manvolnum>5</"
+@@ -2830,7 +2838,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2388
++#: sssd.conf.5.xml:2396
+ msgid ""
+ "<quote>krb5</quote>: .k5login based access control.  See <citerefentry> "
+ "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum></"
+@@ -2838,29 +2846,29 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2395
++#: sssd.conf.5.xml:2403
+ msgid "<quote>proxy</quote> for relaying access control to another PAM module."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2398
++#: sssd.conf.5.xml:2406
+ msgid "Default: <quote>permit</quote>"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2403
++#: sssd.conf.5.xml:2411
+ msgid "chpass_provider (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2406
++#: sssd.conf.5.xml:2414
+ msgid ""
+ "The provider which should handle change password operations for the domain.  "
+ "Supported change password providers are:"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2411
++#: sssd.conf.5.xml:2419
+ msgid ""
+ "<quote>ldap</quote> to change a password stored in a LDAP server. See "
+ "<citerefentry> <refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</"
+@@ -2868,7 +2876,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2419
++#: sssd.conf.5.xml:2427
+ msgid ""
+ "<quote>krb5</quote> to change the Kerberos password. See <citerefentry> "
+ "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </"
+@@ -2876,35 +2884,35 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2444
++#: sssd.conf.5.xml:2452
+ msgid ""
+ "<quote>proxy</quote> for relaying password changes to some other PAM target."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2448
++#: sssd.conf.5.xml:2456
+ msgid "<quote>none</quote> disallows password changes explicitly."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2451
++#: sssd.conf.5.xml:2459
+ msgid ""
+ "Default: <quote>auth_provider</quote> is used if it is set and can handle "
+ "change password requests."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2458
++#: sssd.conf.5.xml:2466
+ msgid "sudo_provider (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2461
++#: sssd.conf.5.xml:2469
+ msgid "The SUDO provider used for the domain.  Supported SUDO providers are:"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2465
++#: sssd.conf.5.xml:2473
+ msgid ""
+ "<quote>ldap</quote> for rules stored in LDAP. See <citerefentry> "
+ "<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
+@@ -2912,32 +2920,32 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2473
++#: sssd.conf.5.xml:2481
+ msgid ""
+ "<quote>ipa</quote> the same as <quote>ldap</quote> but with IPA default "
+ "settings."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2477
++#: sssd.conf.5.xml:2485
+ msgid ""
+ "<quote>ad</quote> the same as <quote>ldap</quote> but with AD default "
+ "settings."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2481
++#: sssd.conf.5.xml:2489
+ msgid "<quote>none</quote> disables SUDO explicitly."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2484 sssd.conf.5.xml:2570 sssd.conf.5.xml:2640
+-#: sssd.conf.5.xml:2665
++#: sssd.conf.5.xml:2492 sssd.conf.5.xml:2578 sssd.conf.5.xml:2648
++#: sssd.conf.5.xml:2673
+ msgid "Default: The value of <quote>id_provider</quote> is used if it is set."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2488
++#: sssd.conf.5.xml:2496
+ msgid ""
+ "The detailed instructions for configuration of sudo_provider are in the "
+ "manual page <citerefentry> <refentrytitle>sssd-sudo</refentrytitle> "
+@@ -2948,7 +2956,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2503
++#: sssd.conf.5.xml:2511
+ msgid ""
+ "<emphasis>NOTE:</emphasis> Sudo rules are periodically downloaded in the "
+ "background unless the sudo provider is explicitly disabled. Set "
+@@ -2957,12 +2965,12 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2513
++#: sssd.conf.5.xml:2521
+ msgid "selinux_provider (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2516
++#: sssd.conf.5.xml:2524
+ msgid ""
+ "The provider which should handle loading of selinux settings. Note that this "
+ "provider will be called right after access provider ends.  Supported selinux "
+@@ -2970,7 +2978,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2522
++#: sssd.conf.5.xml:2530
+ msgid ""
+ "<quote>ipa</quote> to load selinux settings from an IPA server. See "
+ "<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</"
+@@ -2978,31 +2986,31 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2530
++#: sssd.conf.5.xml:2538
+ msgid "<quote>none</quote> disallows fetching selinux settings explicitly."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2533
++#: sssd.conf.5.xml:2541
+ msgid ""
+ "Default: <quote>id_provider</quote> is used if it is set and can handle "
+ "selinux loading requests."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2539
++#: sssd.conf.5.xml:2547
+ msgid "subdomains_provider (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2542
++#: sssd.conf.5.xml:2550
+ msgid ""
+ "The provider which should handle fetching of subdomains. This value should "
+ "be always the same as id_provider.  Supported subdomain providers are:"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2548
++#: sssd.conf.5.xml:2556
+ msgid ""
+ "<quote>ipa</quote> to load a list of subdomains from an IPA server. See "
+ "<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</"
+@@ -3010,7 +3018,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2557
++#: sssd.conf.5.xml:2565
+ msgid ""
+ "<quote>ad</quote> to load a list of subdomains from an Active Directory "
+ "server. See <citerefentry> <refentrytitle>sssd-ad</refentrytitle> "
+@@ -3019,17 +3027,17 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2566
++#: sssd.conf.5.xml:2574
+ msgid "<quote>none</quote> disallows fetching subdomains explicitly."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2576
++#: sssd.conf.5.xml:2584
+ msgid "session_provider (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2579
++#: sssd.conf.5.xml:2587
+ msgid ""
+ "The provider which configures and manages user session related tasks. The "
+ "only user session task currently provided is the integration with Fleet "
+@@ -3037,43 +3045,43 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2586
++#: sssd.conf.5.xml:2594
+ msgid "<quote>ipa</quote> to allow performing user session related tasks."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2590
++#: sssd.conf.5.xml:2598
+ msgid ""
+ "<quote>none</quote> does not perform any kind of user session related tasks."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2594
++#: sssd.conf.5.xml:2602
+ msgid ""
+ "Default: <quote>id_provider</quote> is used if it is set and can perform "
+ "session related tasks."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2598
++#: sssd.conf.5.xml:2606
+ msgid ""
+ "<emphasis>NOTE:</emphasis> In order to have this feature working as expected "
+ "SSSD must be running as \"root\" and not as the unprivileged user."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2606
++#: sssd.conf.5.xml:2614
+ msgid "autofs_provider (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2609
++#: sssd.conf.5.xml:2617
+ msgid ""
+ "The autofs provider used for the domain.  Supported autofs providers are:"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2613
++#: sssd.conf.5.xml:2621
+ msgid ""
+ "<quote>ldap</quote> to load maps stored in LDAP. See <citerefentry> "
+ "<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
+@@ -3081,7 +3089,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2620
++#: sssd.conf.5.xml:2628
+ msgid ""
+ "<quote>ipa</quote> to load maps stored in an IPA server. See <citerefentry> "
+ "<refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</manvolnum> </"
+@@ -3089,7 +3097,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2628
++#: sssd.conf.5.xml:2636
+ msgid ""
+ "<quote>ad</quote> to load maps stored in an AD server. See <citerefentry> "
+ "<refentrytitle>sssd-ad</refentrytitle> <manvolnum>5</manvolnum> </"
+@@ -3097,24 +3105,24 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2637
++#: sssd.conf.5.xml:2645
+ msgid "<quote>none</quote> disables autofs explicitly."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2647
++#: sssd.conf.5.xml:2655
+ msgid "hostid_provider (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2650
++#: sssd.conf.5.xml:2658
+ msgid ""
+ "The provider used for retrieving host identity information.  Supported "
+ "hostid providers are:"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2654
++#: sssd.conf.5.xml:2662
+ msgid ""
+ "<quote>ipa</quote> to load host identity stored in an IPA server. See "
+ "<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</"
+@@ -3122,12 +3130,12 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2662
++#: sssd.conf.5.xml:2670
+ msgid "<quote>none</quote> disables hostid explicitly."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2675
++#: sssd.conf.5.xml:2683
+ msgid ""
+ "Regular expression for this domain that describes how to parse the string "
+ "containing user name and domain into these components.  The \"domain\" can "
+@@ -3137,7 +3145,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2684
++#: sssd.conf.5.xml:2692
+ msgid ""
+ "Default for the AD and IPA provider: <quote>(((?P&lt;domain&gt;[^\\\\]+)\\"
+ "\\(?P&lt;name&gt;.+$))|((?P&lt;name&gt;[^@]+)@(?P&lt;domain&gt;.+$))|(^(?"
+@@ -3146,29 +3154,29 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd.conf.5.xml:2689
++#: sssd.conf.5.xml:2697
+ msgid "username"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd.conf.5.xml:2692
++#: sssd.conf.5.xml:2700
+ msgid "username@domain.name"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd.conf.5.xml:2695
++#: sssd.conf.5.xml:2703
+ msgid "domain\\username"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2698
++#: sssd.conf.5.xml:2706
+ msgid ""
+ "While the first two correspond to the general default the third one is "
+ "introduced to allow easy integration of users from Windows domains."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2703
++#: sssd.conf.5.xml:2711
+ msgid ""
+ "Default: <quote>(?P&lt;name&gt;[^@]+)@?(?P&lt;domain&gt;[^@]*$)</quote> "
+ "which translates to \"the name is everything up to the <quote>@</quote> "
+@@ -3176,7 +3184,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2709
++#: sssd.conf.5.xml:2717
+ msgid ""
+ "NOTE: Some Active Directory groups, typically those used for MS Exchange "
+ "contain an <quote>@</quote> sign in the name, which clashes with the default "
+@@ -3186,59 +3194,59 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2760
++#: sssd.conf.5.xml:2768
+ msgid "Default: <quote>%1$s@%2$s</quote>."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2766
++#: sssd.conf.5.xml:2774
+ msgid "lookup_family_order (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2769
++#: sssd.conf.5.xml:2777
+ msgid ""
+ "Provides the ability to select preferred address family to use when "
+ "performing DNS lookups."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2773
++#: sssd.conf.5.xml:2781
+ msgid "Supported values:"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2776
++#: sssd.conf.5.xml:2784
+ msgid "ipv4_first: Try looking up IPv4 address, if that fails, try IPv6"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2779
++#: sssd.conf.5.xml:2787
+ msgid "ipv4_only: Only attempt to resolve hostnames to IPv4 addresses."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2782
++#: sssd.conf.5.xml:2790
+ msgid "ipv6_first: Try looking up IPv6 address, if that fails, try IPv4"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2785
++#: sssd.conf.5.xml:2793
+ msgid "ipv6_only: Only attempt to resolve hostnames to IPv6 addresses."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2788
++#: sssd.conf.5.xml:2796
+ msgid "Default: ipv4_first"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2794
++#: sssd.conf.5.xml:2802
+ msgid "dns_resolver_timeout (integer)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2797
++#: sssd.conf.5.xml:2805
+ msgid ""
+ "Defines the amount of time (in seconds) to wait for a reply from the "
+ "internal fail over service before assuming that the service is unreachable. "
+@@ -3247,77 +3255,77 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2804
++#: sssd.conf.5.xml:2812
+ msgid ""
+ "Please see the section <quote>FAILOVER</quote> for more information about "
+ "the service resolution."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2809 sssd-ldap.5.xml:1434 sssd-ldap.5.xml:1476
++#: sssd.conf.5.xml:2817 sssd-ldap.5.xml:1434 sssd-ldap.5.xml:1476
+ #: sssd-ldap.5.xml:1494 sssd-krb5.5.xml:248
+ msgid "Default: 6"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2815
++#: sssd.conf.5.xml:2823
+ msgid "dns_discovery_domain (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2818
++#: sssd.conf.5.xml:2826
+ msgid ""
+ "If service discovery is used in the back end, specifies the domain part of "
+ "the service discovery DNS query."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2822
++#: sssd.conf.5.xml:2830
+ msgid "Default: Use the domain part of machine's hostname"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2828
++#: sssd.conf.5.xml:2836
+ msgid "override_gid (integer)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2831
++#: sssd.conf.5.xml:2839
+ msgid "Override the primary GID value with the one specified."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2837
++#: sssd.conf.5.xml:2845
+ msgid "case_sensitive (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2845
++#: sssd.conf.5.xml:2853
+ msgid "True"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2848
++#: sssd.conf.5.xml:2856
+ msgid "Case sensitive. This value is invalid for AD provider."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2854
++#: sssd.conf.5.xml:2862
+ msgid "False"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2856
++#: sssd.conf.5.xml:2864
+ msgid "Case insensitive."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2860
++#: sssd.conf.5.xml:2868
+ msgid "Preserving"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2863
++#: sssd.conf.5.xml:2871
+ msgid ""
+ "Same as False (case insensitive), but does not lowercase names in the result "
+ "of NSS operations. Note that name aliases (and in case of services also "
+@@ -3325,7 +3333,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2840
++#: sssd.conf.5.xml:2848
+ msgid ""
+ "Treat user and group names as case sensitive. At the moment, this option is "
+ "not supported in the local provider. Possible option values are: "
+@@ -3333,17 +3341,17 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2875
++#: sssd.conf.5.xml:2883
+ msgid "Default: True (False for AD provider)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2881
++#: sssd.conf.5.xml:2889
+ msgid "subdomain_inherit (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2884
++#: sssd.conf.5.xml:2892
+ msgid ""
+ "Specifies a list of configuration parameters that should be inherited by a "
+ "subdomain. Please note that only selected parameters can be inherited.  "
+@@ -3351,34 +3359,34 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2890
++#: sssd.conf.5.xml:2898
+ msgid "ignore_group_members"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2893
++#: sssd.conf.5.xml:2901
+ msgid "ldap_purge_cache_timeout"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2896 sssd-ldap.5.xml:1158
++#: sssd.conf.5.xml:2904 sssd-ldap.5.xml:1158
+ msgid "ldap_use_tokengroups"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2899
++#: sssd.conf.5.xml:2907
+ msgid "ldap_user_principal"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2902
++#: sssd.conf.5.xml:2910
+ msgid ""
+ "ldap_krb5_keytab (the value of krb5_keytab will be used if ldap_krb5_keytab "
+ "is not set explicitly)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
+-#: sssd.conf.5.xml:2908
++#: sssd.conf.5.xml:2916
+ #, no-wrap
+ msgid ""
+ "subdomain_inherit = ldap_purge_cache_timeout\n"
+@@ -3386,32 +3394,32 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2906 sssd-secrets.5.xml:448
++#: sssd.conf.5.xml:2914 sssd-secrets.5.xml:448
+ msgid "Example: <placeholder type=\"programlisting\" id=\"0\"/>"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2915
++#: sssd.conf.5.xml:2923
+ msgid "Note: This option only works with the IPA and AD provider."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2922
++#: sssd.conf.5.xml:2930
+ msgid "subdomain_homedir (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2933
++#: sssd.conf.5.xml:2941
+ msgid "%F"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2934
++#: sssd.conf.5.xml:2942
+ msgid "flat (NetBIOS) name of a subdomain."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2925
++#: sssd.conf.5.xml:2933
+ msgid ""
+ "Use this homedir as default value for all subdomains within this domain in "
+ "IPA AD trust.  See <emphasis>override_homedir</emphasis> for info about "
+@@ -3421,47 +3429,55 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2939
++#: sssd.conf.5.xml:2947
+ msgid ""
+ "The value can be overridden by <emphasis>override_homedir</emphasis> option."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2943
++#: sssd.conf.5.xml:2951
+ msgid "Default: <filename>/home/%d/%u</filename>"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2948
++#: sssd.conf.5.xml:2956
+ msgid "realmd_tags (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2951
++#: sssd.conf.5.xml:2959
+ msgid ""
+ "Various tags stored by the realmd configuration service for this domain."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2957
++#: sssd.conf.5.xml:2965
+ msgid "cached_auth_timeout (int)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2960
++#: sssd.conf.5.xml:2968
+ msgid ""
+ "Specifies time in seconds since last successful online authentication for "
+ "which user will be authenticated using cached credentials while SSSD is in "
+-"the online mode."
++"the online mode. If the credentials are incorrect, SSSD falls back to online "
++"authentication."
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
++#: sssd.conf.5.xml:2976
++msgid ""
++"This option's value is inherited by all trusted domains. At the moment it is "
++"not possible to set a different value per trusted domain."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2966
++#: sssd.conf.5.xml:2981
+ msgid "Special value 0 implies that this feature is disabled."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2970
++#: sssd.conf.5.xml:2985
+ msgid ""
+ "Please note that if <quote>cached_auth_timeout</quote> is longer than "
+ "<quote>pam_id_timeout</quote> then the back end could be called to handle "
+@@ -3469,41 +3485,50 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2981
++#: sssd.conf.5.xml:2996
+ msgid "auto_private_groups (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2987
++#: sssd.conf.5.xml:3002
+ msgid "true"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2990
++#: sssd.conf.5.xml:3005
+ msgid ""
+ "Create user's private group unconditionally from user's UID number.  The GID "
+ "number is ignored in this case."
+ msgstr ""
+ 
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
++#: sssd.conf.5.xml:3009
++msgid ""
++"NOTE: Because the GID number and the user private group are inferred from "
++"the UID number, it is not supported to have multiple entries with the same "
++"UID or GID number with this option. In other words, enabling this option "
++"enforces uniqueness across the ID space."
++msgstr ""
++
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2996
++#: sssd.conf.5.xml:3018
+ msgid "false"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2999
++#: sssd.conf.5.xml:3021
+ msgid ""
+ "Always use the user's primary GID number. The GID number must refer to a "
+ "group object in the LDAP database."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:3005
++#: sssd.conf.5.xml:3027
+ msgid "hybrid"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3008
++#: sssd.conf.5.xml:3030
+ msgid ""
+ "A primary group is autogenerated for user entries whose UID and GID numbers "
+ "have the same value and at the same time the GID number does not correspond "
+@@ -3513,14 +3538,14 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3021
++#: sssd.conf.5.xml:3043
+ msgid ""
+ "If the UID and GID of a user are different, then the GID must correspond to "
+ "a group entry, otherwise the GID is simply not resolvable."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3028
++#: sssd.conf.5.xml:3050
+ msgid ""
+ "This feature is useful for environments that wish to stop maintaining a "
+ "separate group objects for the user private groups, but also wish to retain "
+@@ -3528,34 +3553,43 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2984
++#: sssd.conf.5.xml:2999
+ msgid ""
+ "This option takes any of three available values: <placeholder type="
+ "\"variablelist\" id=\"0\"/>"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3040
++#: sssd.conf.5.xml:3062
+ msgid ""
+-"For POSIX subdomains, setting the option in the main domain is inherited in "
+-"the subdomain."
++"For subdomains, the default value is False for subdomains that use assigned "
++"POSIX IDs and True for subdomains that use automatic ID-mapping."
+ msgstr ""
+ 
+-#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3044
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
++#: sssd.conf.5.xml:3070
++#, no-wrap
++msgid ""
++"[domain/forest.domain/sub.domain]\n"
++"auto_private_groups = false\n"
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
++#: sssd.conf.5.xml:3076
++#, no-wrap
+ msgid ""
+-"For ID-mapping subdomains, auto_private_groups is already enabled for the "
+-"subdomains and setting it to false will not have any effect for the "
+-"subdomain."
++"[domain/forest.domain]\n"
++"subdomain_inherit = auto_private_groups\n"
++"auto_private_groups = false\n"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3049
++#: sssd.conf.5.xml:3067
+ msgid ""
+-"NOTE: Because the GID number and the user private group are inferred from "
+-"the UID number, it is not supported to have multiple entries with the same "
+-"UID or GID number with this option. In other words, enabling this option "
+-"enforces uniqueness across the ID space."
++"The value of auto_private_groups can either be set per subdomains in a "
++"subsection, for example: <placeholder type=\"programlisting\" id=\"0\"/> or "
++"globally for all subdomains in the main domain section using the "
++"subdomain_inherit option: <placeholder type=\"programlisting\" id=\"1\"/>"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+@@ -3567,29 +3601,29 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:3068
++#: sssd.conf.5.xml:3091
+ msgid "proxy_pam_target (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3071
++#: sssd.conf.5.xml:3094
+ msgid "The proxy target PAM proxies to."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3074
++#: sssd.conf.5.xml:3097
+ msgid ""
+ "Default: not set by default, you have to take an existing pam configuration "
+ "or create a new one and add the service name here."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:3082
++#: sssd.conf.5.xml:3105
+ msgid "proxy_lib_name (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3085
++#: sssd.conf.5.xml:3108
+ msgid ""
+ "The name of the NSS library to use in proxy domains. The NSS functions "
+ "searched for in the library are in the form of _nss_$(libName)_$(function), "
+@@ -3597,12 +3631,12 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:3095
++#: sssd.conf.5.xml:3118
+ msgid "proxy_fast_alias (boolean)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3098
++#: sssd.conf.5.xml:3121
+ msgid ""
+ "When a user or group is looked up by name in the proxy provider, a second "
+ "lookup by ID is performed to \"canonicalize\" the name in case the requested "
+@@ -3611,12 +3645,12 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:3112
++#: sssd.conf.5.xml:3135
+ msgid "proxy_max_children (integer)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3115
++#: sssd.conf.5.xml:3138
+ msgid ""
+ "This option specifies the number of pre-forked proxy children. It is useful "
+ "for high-load SSSD environments where sssd may run out of available child "
+@@ -3624,19 +3658,19 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd.conf.5.xml:3064
++#: sssd.conf.5.xml:3087
+ msgid ""
+ "Options valid for proxy domains.  <placeholder type=\"variablelist\" id="
+ "\"0\"/>"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><title>
+-#: sssd.conf.5.xml:3131
++#: sssd.conf.5.xml:3154
+ msgid "Application domains"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para>
+-#: sssd.conf.5.xml:3133
++#: sssd.conf.5.xml:3156
+ msgid ""
+ "SSSD, with its D-Bus interface (see <citerefentry> <refentrytitle>sssd-ifp</"
+ "refentrytitle> <manvolnum>5</manvolnum> </citerefentry>) is appealing to "
+@@ -3653,7 +3687,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para>
+-#: sssd.conf.5.xml:3153
++#: sssd.conf.5.xml:3176
+ msgid ""
+ "Please note that the application domain must still be explicitly enabled in "
+ "the <quote>domains</quote> parameter so that the lookup order between the "
+@@ -3661,17 +3695,17 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><title>
+-#: sssd.conf.5.xml:3159
++#: sssd.conf.5.xml:3182
+ msgid "Application domain parameters"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:3161
++#: sssd.conf.5.xml:3184
+ msgid "inherit_from (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3164
++#: sssd.conf.5.xml:3187
+ msgid ""
+ "The SSSD POSIX-type domain the application domain inherits all settings "
+ "from. The application domain can moreover add its own settings to the "
+@@ -3680,7 +3714,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para>
+-#: sssd.conf.5.xml:3178
++#: sssd.conf.5.xml:3201
+ msgid ""
+ "The following example illustrates the use of an application domain. In this "
+ "setup, the POSIX domain is connected to an LDAP server and is used by the OS "
+@@ -3690,7 +3724,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><programlisting>
+-#: sssd.conf.5.xml:3186
++#: sssd.conf.5.xml:3209
+ #, no-wrap
+ msgid ""
+ "[sssd]\n"
+@@ -3710,12 +3744,12 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><title>
+-#: sssd.conf.5.xml:3204
++#: sssd.conf.5.xml:3227
+ msgid "The local domain section"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para>
+-#: sssd.conf.5.xml:3206
++#: sssd.conf.5.xml:3229
+ msgid ""
+ "This section contains settings for domain that stores users and groups in "
+ "SSSD native database, that is, a domain that uses "
+@@ -3723,73 +3757,73 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:3213
++#: sssd.conf.5.xml:3236
+ msgid "default_shell (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3216
++#: sssd.conf.5.xml:3239
+ msgid "The default shell for users created with SSSD userspace tools."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3220
++#: sssd.conf.5.xml:3243
+ msgid "Default: <filename>/bin/bash</filename>"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:3225
++#: sssd.conf.5.xml:3248
+ msgid "base_directory (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3228
++#: sssd.conf.5.xml:3251
+ msgid ""
+ "The tools append the login name to <replaceable>base_directory</replaceable> "
+ "and use that as the home directory."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3233
++#: sssd.conf.5.xml:3256
+ msgid "Default: <filename>/home</filename>"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:3238
++#: sssd.conf.5.xml:3261
+ msgid "create_homedir (bool)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3241
++#: sssd.conf.5.xml:3264
+ msgid ""
+ "Indicate if a home directory should be created by default for new users.  "
+ "Can be overridden on command line."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3245 sssd.conf.5.xml:3257
++#: sssd.conf.5.xml:3268 sssd.conf.5.xml:3280
+ msgid "Default: TRUE"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:3250
++#: sssd.conf.5.xml:3273
+ msgid "remove_homedir (bool)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3253
++#: sssd.conf.5.xml:3276
+ msgid ""
+ "Indicate if a home directory should be removed by default for deleted "
+ "users.  Can be overridden on command line."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:3262
++#: sssd.conf.5.xml:3285
+ msgid "homedir_umask (integer)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3265
++#: sssd.conf.5.xml:3288
+ msgid ""
+ "Used by <citerefentry> <refentrytitle>sss_useradd</refentrytitle> "
+ "<manvolnum>8</manvolnum> </citerefentry> to specify the default permissions "
+@@ -3797,17 +3831,17 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3273
++#: sssd.conf.5.xml:3296
+ msgid "Default: 077"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:3278
++#: sssd.conf.5.xml:3301
+ msgid "skel_dir (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3281
++#: sssd.conf.5.xml:3304
+ msgid ""
+ "The skeleton directory, which contains files and directories to be copied in "
+ "the user's home directory, when the home directory is created by "
+@@ -3816,17 +3850,17 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3291
++#: sssd.conf.5.xml:3314
+ msgid "Default: <filename>/etc/skel</filename>"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:3296
++#: sssd.conf.5.xml:3319
+ msgid "mail_dir (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3299
++#: sssd.conf.5.xml:3322
+ msgid ""
+ "The mail spool directory. This is needed to manipulate the mailbox when its "
+ "corresponding user account is modified or deleted.  If not specified, a "
+@@ -3834,17 +3868,17 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3306
++#: sssd.conf.5.xml:3329
+ msgid "Default: <filename>/var/mail</filename>"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:3311
++#: sssd.conf.5.xml:3334
+ msgid "userdel_cmd (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3314
++#: sssd.conf.5.xml:3337
+ msgid ""
+ "The command that is run after a user is removed.  The command us passed the "
+ "username of the user being removed as the first and only parameter. The "
+@@ -3852,17 +3886,17 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3320
++#: sssd.conf.5.xml:3343
+ msgid "Default: None, no command is run"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><title>
+-#: sssd.conf.5.xml:3330
++#: sssd.conf.5.xml:3353
+ msgid "TRUSTED DOMAIN SECTION"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd.conf.5.xml:3332
++#: sssd.conf.5.xml:3355
+ msgid ""
+ "Some options used in the domain section can also be used in the trusted "
+ "domain section, that is, in a section called <quote>[domain/"
+@@ -3873,64 +3907,176 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd.conf.5.xml:3339
++#: sssd.conf.5.xml:3362
+ msgid "ldap_search_base,"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd.conf.5.xml:3340
++#: sssd.conf.5.xml:3363
+ msgid "ldap_user_search_base,"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd.conf.5.xml:3341
++#: sssd.conf.5.xml:3364
+ msgid "ldap_group_search_base,"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd.conf.5.xml:3342
++#: sssd.conf.5.xml:3365
+ msgid "ldap_netgroup_search_base,"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd.conf.5.xml:3343
++#: sssd.conf.5.xml:3366
+ msgid "ldap_service_search_base,"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd.conf.5.xml:3344
++#: sssd.conf.5.xml:3367
++msgid "ldap_sasl_mech,"
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para>
++#: sssd.conf.5.xml:3368
+ msgid "ad_server,"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd.conf.5.xml:3345
++#: sssd.conf.5.xml:3369
+ msgid "ad_backup_server,"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd.conf.5.xml:3346
++#: sssd.conf.5.xml:3370
+ msgid "ad_site,"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para>
+-#: sssd.conf.5.xml:3347 sssd-ipa.5.xml:782
++#: sssd.conf.5.xml:3371 sssd-ipa.5.xml:782
+ msgid "use_fully_qualified_names"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd.conf.5.xml:3349
++#: sssd.conf.5.xml:3373
+ msgid ""
+ "For more details about these options see their individual description in the "
+ "manual page."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><title>
+-#: sssd.conf.5.xml:3355 idmap_sss.8.xml:43
++#: sssd.conf.5.xml:3379
++msgid "PROMPTING CONFIGURATION SECTION"
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para>
++#: sssd.conf.5.xml:3381
++msgid ""
++"If a special file (<filename>/var/lib/sss/pubconf/pam_preauth_available</"
++"filename>)  exists SSSD's PAM module pam_sss will ask SSSD to figure out "
++"which authentication methods are available for the user trying to log in.  "
++"Based on the results pam_sss will prompt the user for appropriate "
++"credentials."
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para>
++#: sssd.conf.5.xml:3389
++msgid ""
++"With the growing number of authentication methods and the possibility that "
++"there are multiple ones for a single user the heuristic used by pam_sss to "
++"select the prompting might not be suitable for all use cases. To following "
++"options should provide a better flexibility here."
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
++#: sssd.conf.5.xml:3401
++msgid "[prompting/password]"
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
++#: sssd.conf.5.xml:3404
++msgid "password_prompt"
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
++#: sssd.conf.5.xml:3405
++msgid "to change the string of the password prompt"
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
++#: sssd.conf.5.xml:3403
++msgid ""
++"to configure password prompting, allowed options are: <placeholder type="
++"\"variablelist\" id=\"0\"/>"
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
++#: sssd.conf.5.xml:3413
++msgid "[prompting/2fa]"
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
++#: sssd.conf.5.xml:3417
++msgid "first_prompt"
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
++#: sssd.conf.5.xml:3418
++msgid "to change the string of the prompt for the first factor"
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
++#: sssd.conf.5.xml:3421
++msgid "second_prompt"
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
++#: sssd.conf.5.xml:3422
++msgid "to change the string of the prompt for the second factor"
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
++#: sssd.conf.5.xml:3425
++msgid "single_prompt"
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
++#: sssd.conf.5.xml:3426
++msgid ""
++"boolean value, if True there will be only a single prompt using the value of "
++"first_prompt where it is expected that both factor are entered as a single "
++"string"
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
++#: sssd.conf.5.xml:3415
++msgid ""
++"to configure two-factor authentication prompting, allowed options are: "
++"<placeholder type=\"variablelist\" id=\"0\"/>"
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para>
++#: sssd.conf.5.xml:3396
++msgid ""
++"Each supported authentication method has it's own configuration sub-section "
++"under <quote>[prompting/...]</quote>. Currently there are: <placeholder type="
++"\"variablelist\" id=\"0\"/> <placeholder type=\"variablelist\" id=\"1\"/>"
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para>
++#: sssd.conf.5.xml:3438
++msgid ""
++"It is possible to add a sub-section for specific PAM services like e.g. "
++"<quote>[prompting/password/sshd]</quote> to individual change the prompting "
++"for this service."
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><title>
++#: sssd.conf.5.xml:3445 idmap_sss.8.xml:43
+ msgid "EXAMPLES"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><programlisting>
+-#: sssd.conf.5.xml:3361
++#: sssd.conf.5.xml:3451
+ #, no-wrap
+ msgid ""
+ "[sssd]\n"
+@@ -3960,7 +4106,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd.conf.5.xml:3357
++#: sssd.conf.5.xml:3447
+ msgid ""
+ "1. The following example shows a typical SSSD config. It does not describe "
+ "configuration of the domains themselves - refer to documentation on "
+@@ -3969,7 +4115,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><programlisting>
+-#: sssd.conf.5.xml:3394
++#: sssd.conf.5.xml:3484
+ #, no-wrap
+ msgid ""
+ "[domain/ipa.com/child.ad.com]\n"
+@@ -3977,7 +4123,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd.conf.5.xml:3388
++#: sssd.conf.5.xml:3478
+ msgid ""
+ "2. The following example shows configuration of IPA AD trust where the AD "
+ "forest consists of two domains in a parent-child structure.  Suppose IPA "
+@@ -4878,7 +5024,7 @@ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:797 sssd-ldap.5.xml:1199 sssd-ldap.5.xml:1273
+-#: sssd-ldap.5.xml:1382 sssd-ldap.5.xml:2443 sssd-ipa.5.xml:607
++#: sssd-ldap.5.xml:1382 sssd-ldap.5.xml:2463 sssd-ipa.5.xml:607
+ msgid "Default: cn"
+ msgstr ""
+ 
+@@ -5583,7 +5729,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1511 sssd-ldap.5.xml:2600
++#: sssd-ldap.5.xml:1511 sssd-ldap.5.xml:2620
+ msgid "Default: 900 (15 minutes)"
+ msgstr ""
+ 
+@@ -5686,11 +5832,16 @@ msgstr ""
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:1604
+ msgid ""
+-"You can turn off dereference lookups completely by setting the value to 0."
++"You can turn off dereference lookups completely by setting the value to 0. "
++"Please note that there are some codepaths in SSSD, like the IPA HBAC "
++"provider, that are only implemented using the dereference call, so even with "
++"dereference explicitly disabled, those parts will still use dereference if "
++"the server supports it and advertises the dereference control in the rootDSE "
++"object."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1608
++#: sssd-ldap.5.xml:1615
+ msgid ""
+ "A dereference lookup is a means of fetching all group members in a single "
+ "LDAP call.  Different LDAP servers may implement different dereference "
+@@ -5699,7 +5850,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1616
++#: sssd-ldap.5.xml:1623
+ msgid ""
+ "<emphasis>Note:</emphasis> If any of the search bases specifies a search "
+ "filter, then the dereference lookup performance enhancement will be disabled "
+@@ -5707,26 +5858,26 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1629
++#: sssd-ldap.5.xml:1636
+ msgid "ldap_tls_reqcert (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1632
++#: sssd-ldap.5.xml:1639
+ msgid ""
+ "Specifies what checks to perform on server certificates in a TLS session, if "
+ "any. It can be specified as one of the following values:"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1638
++#: sssd-ldap.5.xml:1645
+ msgid ""
+ "<emphasis>never</emphasis> = The client will not request or check any server "
+ "certificate."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1642
++#: sssd-ldap.5.xml:1649
+ msgid ""
+ "<emphasis>allow</emphasis> = The server certificate is requested. If no "
+ "certificate is provided, the session proceeds normally. If a bad certificate "
+@@ -5734,7 +5885,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1649
++#: sssd-ldap.5.xml:1656
+ msgid ""
+ "<emphasis>try</emphasis> = The server certificate is requested. If no "
+ "certificate is provided, the session proceeds normally. If a bad certificate "
+@@ -5742,7 +5893,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1655
++#: sssd-ldap.5.xml:1662
+ msgid ""
+ "<emphasis>demand</emphasis> = The server certificate is requested. If no "
+ "certificate is provided, or a bad certificate is provided, the session is "
+@@ -5750,41 +5901,41 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1661
++#: sssd-ldap.5.xml:1668
+ msgid "<emphasis>hard</emphasis> = Same as <quote>demand</quote>"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1665
++#: sssd-ldap.5.xml:1672
+ msgid "Default: hard"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1671
++#: sssd-ldap.5.xml:1678
+ msgid "ldap_tls_cacert (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1674
++#: sssd-ldap.5.xml:1681
+ msgid ""
+ "Specifies the file that contains certificates for all of the Certificate "
+ "Authorities that <command>sssd</command> will recognize."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1679 sssd-ldap.5.xml:1697 sssd-ldap.5.xml:1738
++#: sssd-ldap.5.xml:1686 sssd-ldap.5.xml:1704 sssd-ldap.5.xml:1745
+ msgid ""
+ "Default: use OpenLDAP defaults, typically in <filename>/etc/openldap/ldap."
+ "conf</filename>"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1686
++#: sssd-ldap.5.xml:1693
+ msgid "ldap_tls_cacertdir (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1689
++#: sssd-ldap.5.xml:1696
+ msgid ""
+ "Specifies the path of a directory that contains Certificate Authority "
+ "certificates in separate individual files. Typically the file names need to "
+@@ -5793,32 +5944,32 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1704
++#: sssd-ldap.5.xml:1711
+ msgid "ldap_tls_cert (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1707
++#: sssd-ldap.5.xml:1714
+ msgid "Specifies the file that contains the certificate for the client's key."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1717
++#: sssd-ldap.5.xml:1724
+ msgid "ldap_tls_key (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1720
++#: sssd-ldap.5.xml:1727
+ msgid "Specifies the file that contains the client's key."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1729
++#: sssd-ldap.5.xml:1736
+ msgid "ldap_tls_cipher_suite (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1732
++#: sssd-ldap.5.xml:1739
+ msgid ""
+ "Specifies acceptable cipher suites.  Typically this is a colon separated "
+ "list.  See <citerefentry><refentrytitle>ldap.conf</refentrytitle> "
+@@ -5826,24 +5977,24 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1745
++#: sssd-ldap.5.xml:1752
+ msgid "ldap_id_use_start_tls (boolean)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1748
++#: sssd-ldap.5.xml:1755
+ msgid ""
+ "Specifies that the id_provider connection must also use <systemitem class="
+ "\"protocol\">tls</systemitem> to protect the channel."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1758
++#: sssd-ldap.5.xml:1765
+ msgid "ldap_id_mapping (boolean)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1761
++#: sssd-ldap.5.xml:1768
+ msgid ""
+ "Specifies that SSSD should attempt to map user and group IDs from the "
+ "ldap_user_objectsid and ldap_group_objectsid attributes instead of relying "
+@@ -5851,17 +6002,17 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1767
++#: sssd-ldap.5.xml:1774
+ msgid "Currently this feature supports only ActiveDirectory objectSID mapping."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1777
++#: sssd-ldap.5.xml:1784
+ msgid "ldap_min_id, ldap_max_id (integer)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1780
++#: sssd-ldap.5.xml:1787
+ msgid ""
+ "In contrast to the SID based ID mapping which is used if ldap_id_mapping is "
+ "set to true the allowed ID range for ldap_user_uid_number and "
+@@ -5872,29 +6023,40 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1792
++#: sssd-ldap.5.xml:1799
+ msgid "Default: not set (both options are set to 0)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1798
++#: sssd-ldap.5.xml:1805
+ msgid "ldap_sasl_mech (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1801
++#: sssd-ldap.5.xml:1808
+ msgid ""
+-"Specify the SASL mechanism to use.  Currently only GSSAPI is tested and "
+-"supported."
++"Specify the SASL mechanism to use.  Currently only GSSAPI and GSS-SPNEGO are "
++"tested and supported."
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
++#: sssd-ldap.5.xml:1812
++msgid ""
++"If the backend supports sub-domains the value of ldap_sasl_mech is "
++"automatically inherited to the sub-domains. If a different value is needed "
++"for a sub-domain it can be overwritten by setting ldap_sasl_mech for this "
++"sub-domain explicitly.  Please see TRUSTED DOMAIN SECTION in "
++"<citerefentry><refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</"
++"manvolnum></citerefentry> for details."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1811
++#: sssd-ldap.5.xml:1828
+ msgid "ldap_sasl_authid (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
+-#: sssd-ldap.5.xml:1822
++#: sssd-ldap.5.xml:1840
+ #, no-wrap
+ msgid ""
+ "hostname@REALM\n"
+@@ -5907,29 +6069,29 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1814
++#: sssd-ldap.5.xml:1831
+ msgid ""
+-"Specify the SASL authorization id to use.  When GSSAPI is used, this "
+-"represents the Kerberos principal used for authentication to the directory.  "
+-"This option can either contain the full principal (for example host/"
+-"myhost@EXAMPLE.COM) or just the principal name (for example host/myhost). By "
+-"default, the value is not set and the following principals are used: "
+-"<placeholder type=\"programlisting\" id=\"0\"/> If none of them are found, "
+-"the first principal in keytab is returned."
++"Specify the SASL authorization id to use.  When GSSAPI/GSS-SPNEGO are used, "
++"this represents the Kerberos principal used for authentication to the "
++"directory.  This option can either contain the full principal (for example "
++"host/myhost@EXAMPLE.COM) or just the principal name (for example host/"
++"myhost).  By default, the value is not set and the following principals are "
++"used: <placeholder type=\"programlisting\" id=\"0\"/> If none of them are "
++"found, the first principal in keytab is returned."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1833
++#: sssd-ldap.5.xml:1851
+ msgid "Default: host/hostname@REALM"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1839
++#: sssd-ldap.5.xml:1857
+ msgid "ldap_sasl_realm (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1842
++#: sssd-ldap.5.xml:1860
+ msgid ""
+ "Specify the SASL realm to use. When not specified, this option defaults to "
+ "the value of krb5_realm.  If the ldap_sasl_authid contains the realm as "
+@@ -5937,77 +6099,78 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1848
++#: sssd-ldap.5.xml:1866
+ msgid "Default: the value of krb5_realm."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1854
++#: sssd-ldap.5.xml:1872
+ msgid "ldap_sasl_canonicalize (boolean)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1857
++#: sssd-ldap.5.xml:1875
+ msgid ""
+ "If set to true, the LDAP library would perform a reverse lookup to "
+ "canonicalize the host name during a SASL bind."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1862
++#: sssd-ldap.5.xml:1880
+ msgid "Default: false;"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1868
++#: sssd-ldap.5.xml:1886
+ msgid "ldap_krb5_keytab (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1871
+-msgid "Specify the keytab to use when using SASL/GSSAPI."
++#: sssd-ldap.5.xml:1889
++msgid "Specify the keytab to use when using SASL/GSSAPI/GSS-SPNEGO."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1874
++#: sssd-ldap.5.xml:1893
+ msgid "Default: System keytab, normally <filename>/etc/krb5.keytab</filename>"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1880
++#: sssd-ldap.5.xml:1899
+ msgid "ldap_krb5_init_creds (boolean)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1883
++#: sssd-ldap.5.xml:1902
+ msgid ""
+ "Specifies that the id_provider should init Kerberos credentials (TGT).  This "
+ "action is performed only if SASL is used and the mechanism selected is "
+-"GSSAPI."
++"GSSAPI or GSS-SPNEGO."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1895
++#: sssd-ldap.5.xml:1914
+ msgid "ldap_krb5_ticket_lifetime (integer)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1898
+-msgid "Specifies the lifetime in seconds of the TGT if GSSAPI is used."
++#: sssd-ldap.5.xml:1917
++msgid ""
++"Specifies the lifetime in seconds of the TGT if GSSAPI or GSS-SPNEGO is used."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1902 sssd-ad.5.xml:959
++#: sssd-ldap.5.xml:1921 sssd-ad.5.xml:978
+ msgid "Default: 86400 (24 hours)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1908 sssd-krb5.5.xml:74
++#: sssd-ldap.5.xml:1927 sssd-krb5.5.xml:74
+ msgid "krb5_server, krb5_backup_server (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1911
++#: sssd-ldap.5.xml:1930
+ msgid ""
+ "Specifies the comma-separated list of IP addresses or hostnames of the "
+ "Kerberos servers to which SSSD should connect in the order of preference. "
+@@ -6019,7 +6182,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1923 sssd-krb5.5.xml:89
++#: sssd-ldap.5.xml:1942 sssd-krb5.5.xml:89
+ msgid ""
+ "When using service discovery for KDC or kpasswd servers, SSSD first searches "
+ "for DNS entries that specify _udp as the protocol and falls back to _tcp if "
+@@ -6027,7 +6190,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1928 sssd-krb5.5.xml:94
++#: sssd-ldap.5.xml:1947 sssd-krb5.5.xml:94
+ msgid ""
+ "This option was named <quote>krb5_kdcip</quote> in earlier releases of SSSD. "
+ "While the legacy name is recognized for the time being, users are advised to "
+@@ -6035,39 +6198,39 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1937 sssd-ipa.5.xml:428 sssd-krb5.5.xml:103
++#: sssd-ldap.5.xml:1956 sssd-ipa.5.xml:428 sssd-krb5.5.xml:103
+ msgid "krb5_realm (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1940
+-msgid "Specify the Kerberos REALM (for SASL/GSSAPI auth)."
++#: sssd-ldap.5.xml:1959
++msgid "Specify the Kerberos REALM (for SASL/GSSAPI/GSS-SPNEGO auth)."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1943
++#: sssd-ldap.5.xml:1963
+ msgid "Default: System defaults, see <filename>/etc/krb5.conf</filename>"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1949 sssd-krb5.5.xml:462
++#: sssd-ldap.5.xml:1969 sssd-krb5.5.xml:462
+ msgid "krb5_canonicalize (boolean)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1952
++#: sssd-ldap.5.xml:1972
+ msgid ""
+ "Specifies if the host principal should be canonicalized when connecting to "
+ "LDAP server. This feature is available with MIT Kerberos >= 1.7"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1964 sssd-krb5.5.xml:477
++#: sssd-ldap.5.xml:1984 sssd-krb5.5.xml:477
+ msgid "krb5_use_kdcinfo (boolean)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1967 sssd-krb5.5.xml:480
++#: sssd-ldap.5.xml:1987 sssd-krb5.5.xml:480
+ msgid ""
+ "Specifies if the SSSD should instruct the Kerberos libraries what realm and "
+ "which KDCs to use. This option is on by default, if you disable it, you need "
+@@ -6077,7 +6240,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1978 sssd-krb5.5.xml:491
++#: sssd-ldap.5.xml:1998 sssd-krb5.5.xml:491
+ msgid ""
+ "See the <citerefentry> <refentrytitle>sssd_krb5_locator_plugin</"
+ "refentrytitle> <manvolnum>8</manvolnum> </citerefentry> manual page for more "
+@@ -6085,26 +6248,26 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1992
++#: sssd-ldap.5.xml:2012
+ msgid "ldap_pwd_policy (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1995
++#: sssd-ldap.5.xml:2015
+ msgid ""
+ "Select the policy to evaluate the password expiration on the client side. "
+ "The following values are allowed:"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2000
++#: sssd-ldap.5.xml:2020
+ msgid ""
+ "<emphasis>none</emphasis> - No evaluation on the client side. This option "
+ "cannot disable server-side password policies."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2005
++#: sssd-ldap.5.xml:2025
+ msgid ""
+ "<emphasis>shadow</emphasis> - Use <citerefentry><refentrytitle>shadow</"
+ "refentrytitle> <manvolnum>5</manvolnum></citerefentry> style attributes to "
+@@ -6112,7 +6275,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2011
++#: sssd-ldap.5.xml:2031
+ msgid ""
+ "<emphasis>mit_kerberos</emphasis> - Use the attributes used by MIT Kerberos "
+ "to determine if the password has expired. Use chpass_provider=krb5 to update "
+@@ -6120,31 +6283,31 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2020
++#: sssd-ldap.5.xml:2040
+ msgid ""
+ "<emphasis>Note</emphasis>: if a password policy is configured on server "
+ "side, it always takes precedence over policy set with this option."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2028
++#: sssd-ldap.5.xml:2048
+ msgid "ldap_referrals (boolean)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2031
++#: sssd-ldap.5.xml:2051
+ msgid "Specifies whether automatic referral chasing should be enabled."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2035
++#: sssd-ldap.5.xml:2055
+ msgid ""
+ "Please note that sssd only supports referral chasing when it is compiled "
+ "with OpenLDAP version 2.4.13 or higher."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2040
++#: sssd-ldap.5.xml:2060
+ msgid ""
+ "Chasing referrals may incur a performance penalty in environments that use "
+ "them heavily, a notable example is Microsoft Active Directory. If your setup "
+@@ -6153,56 +6316,56 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2054
++#: sssd-ldap.5.xml:2074
+ msgid "ldap_dns_service_name (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2057
++#: sssd-ldap.5.xml:2077
+ msgid "Specifies the service name to use when service discovery is enabled."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2061
++#: sssd-ldap.5.xml:2081
+ msgid "Default: ldap"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2067
++#: sssd-ldap.5.xml:2087
+ msgid "ldap_chpass_dns_service_name (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2070
++#: sssd-ldap.5.xml:2090
+ msgid ""
+ "Specifies the service name to use to find an LDAP server which allows "
+ "password changes when service discovery is enabled."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2075
++#: sssd-ldap.5.xml:2095
+ msgid "Default: not set, i.e. service discovery is disabled"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2081
++#: sssd-ldap.5.xml:2101
+ msgid "ldap_chpass_update_last_change (bool)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2084
++#: sssd-ldap.5.xml:2104
+ msgid ""
+ "Specifies whether to update the ldap_user_shadow_last_change attribute with "
+ "days since the Epoch after a password change operation."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2096
++#: sssd-ldap.5.xml:2116
+ msgid "ldap_access_filter (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2099
++#: sssd-ldap.5.xml:2119
+ msgid ""
+ "If using access_provider = ldap and ldap_access_order = filter (default), "
+ "this option is mandatory. It specifies an LDAP search filter criteria that "
+@@ -6218,12 +6381,12 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2119
++#: sssd-ldap.5.xml:2139
+ msgid "Example:"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><programlisting>
+-#: sssd-ldap.5.xml:2122
++#: sssd-ldap.5.xml:2142
+ #, no-wrap
+ msgid ""
+ "access_provider = ldap\n"
+@@ -6232,14 +6395,14 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2126
++#: sssd-ldap.5.xml:2146
+ msgid ""
+ "This example means that access to this host is restricted to users whose "
+ "employeeType attribute is set to \"admin\"."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2131
++#: sssd-ldap.5.xml:2151
+ msgid ""
+ "Offline caching for this feature is limited to determining whether the "
+ "user's last online login was granted access permission. If they were granted "
+@@ -6248,24 +6411,24 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2139 sssd-ldap.5.xml:2196
++#: sssd-ldap.5.xml:2159 sssd-ldap.5.xml:2216
+ msgid "Default: Empty"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2145
++#: sssd-ldap.5.xml:2165
+ msgid "ldap_account_expire_policy (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2148
++#: sssd-ldap.5.xml:2168
+ msgid ""
+ "With this option a client side evaluation of access control attributes can "
+ "be enabled."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2152
++#: sssd-ldap.5.xml:2172
+ msgid ""
+ "Please note that it is always recommended to use server side access control, "
+ "i.e. the LDAP server should deny the bind request with a suitable error code "
+@@ -6273,19 +6436,19 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2159
++#: sssd-ldap.5.xml:2179
+ msgid "The following values are allowed:"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2162
++#: sssd-ldap.5.xml:2182
+ msgid ""
+ "<emphasis>shadow</emphasis>: use the value of ldap_user_shadow_expire to "
+ "determine if the account is expired."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2167
++#: sssd-ldap.5.xml:2187
+ msgid ""
+ "<emphasis>ad</emphasis>: use the value of the 32bit field "
+ "ldap_user_ad_user_account_control and allow access if the second bit is not "
+@@ -6294,7 +6457,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2174
++#: sssd-ldap.5.xml:2194
+ msgid ""
+ "<emphasis>rhds</emphasis>, <emphasis>ipa</emphasis>, <emphasis>389ds</"
+ "emphasis>: use the value of ldap_ns_account_lock to check if access is "
+@@ -6302,7 +6465,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2180
++#: sssd-ldap.5.xml:2200
+ msgid ""
+ "<emphasis>nds</emphasis>: the values of "
+ "ldap_user_nds_login_allowed_time_map, ldap_user_nds_login_disabled and "
+@@ -6311,7 +6474,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2189
++#: sssd-ldap.5.xml:2209
+ msgid ""
+ "Please note that the ldap_access_order configuration option <emphasis>must</"
+ "emphasis> include <quote>expire</quote> in order for the "
+@@ -6319,22 +6482,22 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2202
++#: sssd-ldap.5.xml:2222
+ msgid "ldap_access_order (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2205
++#: sssd-ldap.5.xml:2225
+ msgid "Comma separated list of access control options.  Allowed values are:"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2209
++#: sssd-ldap.5.xml:2229
+ msgid "<emphasis>filter</emphasis>: use ldap_access_filter"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2212
++#: sssd-ldap.5.xml:2232
+ msgid ""
+ "<emphasis>lockout</emphasis>: use account locking.  If set, this option "
+ "denies access in case that ldap attribute 'pwdAccountLockedTime' is present "
+@@ -6344,14 +6507,14 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2222
++#: sssd-ldap.5.xml:2242
+ msgid ""
+ "<emphasis> Please note that this option is superseded by the <quote>ppolicy</"
+ "quote> option and might be removed in a future release.  </emphasis>"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2229
++#: sssd-ldap.5.xml:2249
+ msgid ""
+ "<emphasis>ppolicy</emphasis>: use account locking.  If set, this option "
+ "denies access in case that ldap attribute 'pwdAccountLockedTime' is present "
+@@ -6364,12 +6527,12 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2246
++#: sssd-ldap.5.xml:2266
+ msgid "<emphasis>expire</emphasis>: use ldap_account_expire_policy"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2250
++#: sssd-ldap.5.xml:2270
+ msgid ""
+ "<emphasis>pwd_expire_policy_reject, pwd_expire_policy_warn, "
+ "pwd_expire_policy_renew: </emphasis> These options are useful if users are "
+@@ -6379,7 +6542,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2260
++#: sssd-ldap.5.xml:2280
+ msgid ""
+ "The difference between these options is the action taken if user password is "
+ "expired: pwd_expire_policy_reject - user is denied to log in, "
+@@ -6389,63 +6552,63 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2268
++#: sssd-ldap.5.xml:2288
+ msgid ""
+ "Note If user password is expired no explicit message is prompted by SSSD."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2272
++#: sssd-ldap.5.xml:2292
+ msgid ""
+ "Please note that 'access_provider = ldap' must be set for this feature to "
+ "work. Also 'ldap_pwd_policy' must be set to an appropriate password policy."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2277
++#: sssd-ldap.5.xml:2297
+ msgid ""
+ "<emphasis>authorized_service</emphasis>: use the authorizedService attribute "
+ "to determine access"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2282
++#: sssd-ldap.5.xml:2302
+ msgid "<emphasis>host</emphasis>: use the host attribute to determine access"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2286
++#: sssd-ldap.5.xml:2306
+ msgid ""
+ "<emphasis>rhost</emphasis>: use the rhost attribute to determine whether "
+ "remote host can access"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2290
++#: sssd-ldap.5.xml:2310
+ msgid ""
+ "Please note, rhost field in pam is set by application, it is better to check "
+ "what the application sends to pam, before enabling this access control option"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2295
++#: sssd-ldap.5.xml:2315
+ msgid "Default: filter"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2298
++#: sssd-ldap.5.xml:2318
+ msgid ""
+ "Please note that it is a configuration error if a value is used more than "
+ "once."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2305
++#: sssd-ldap.5.xml:2325
+ msgid "ldap_pwdlockout_dn (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2308
++#: sssd-ldap.5.xml:2328
+ msgid ""
+ "This option specifies the DN of password policy entry on LDAP server. Please "
+ "note that absence of this option in sssd.conf in case of enabled account "
+@@ -6454,74 +6617,74 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2316
++#: sssd-ldap.5.xml:2336
+ msgid "Example: cn=ppolicy,ou=policies,dc=example,dc=com"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2319
++#: sssd-ldap.5.xml:2339
+ msgid "Default: cn=ppolicy,ou=policies,$ldap_search_base"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2325
++#: sssd-ldap.5.xml:2345
+ msgid "ldap_deref (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2328
++#: sssd-ldap.5.xml:2348
+ msgid ""
+ "Specifies how alias dereferencing is done when performing a search. The "
+ "following options are allowed:"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2333
++#: sssd-ldap.5.xml:2353
+ msgid "<emphasis>never</emphasis>: Aliases are never dereferenced."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2337
++#: sssd-ldap.5.xml:2357
+ msgid ""
+ "<emphasis>searching</emphasis>: Aliases are dereferenced in subordinates of "
+ "the base object, but not in locating the base object of the search."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2342
++#: sssd-ldap.5.xml:2362
+ msgid ""
+ "<emphasis>finding</emphasis>: Aliases are only dereferenced when locating "
+ "the base object of the search."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2347
++#: sssd-ldap.5.xml:2367
+ msgid ""
+ "<emphasis>always</emphasis>: Aliases are dereferenced both in searching and "
+ "in locating the base object of the search."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2352
++#: sssd-ldap.5.xml:2372
+ msgid ""
+ "Default: Empty (this is handled as <emphasis>never</emphasis> by the LDAP "
+ "client libraries)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2360
++#: sssd-ldap.5.xml:2380
+ msgid "ldap_rfc2307_fallback_to_local_users (boolean)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2363
++#: sssd-ldap.5.xml:2383
+ msgid ""
+ "Allows to retain local users as members of an LDAP group for servers that "
+ "use the RFC2307 schema."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2367
++#: sssd-ldap.5.xml:2387
+ msgid ""
+ "In some environments where the RFC2307 schema is used, local users are made "
+ "members of LDAP groups by adding their names to the memberUid attribute.  "
+@@ -6532,7 +6695,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2378
++#: sssd-ldap.5.xml:2398
+ msgid ""
+ "This option falls back to checking if local users are referenced, and caches "
+ "them so that later initgroups() calls will augment the local users with the "
+@@ -6540,24 +6703,24 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2390 sssd-ifp.5.xml:136
++#: sssd-ldap.5.xml:2410 sssd-ifp.5.xml:136
+ msgid "wildcard_limit (integer)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2393
++#: sssd-ldap.5.xml:2413
+ msgid ""
+ "Specifies an upper limit on the number of entries that are downloaded during "
+ "a wildcard lookup."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2397
++#: sssd-ldap.5.xml:2417
+ msgid "At the moment, only the InfoPipe responder supports wildcard lookups."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2401
++#: sssd-ldap.5.xml:2421
+ msgid "Default: 1000 (often the size of one page)"
+ msgstr ""
+ 
+@@ -6572,12 +6735,12 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><title>
+-#: sssd-ldap.5.xml:2411
++#: sssd-ldap.5.xml:2431
+ msgid "SUDO OPTIONS"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd-ldap.5.xml:2413
++#: sssd-ldap.5.xml:2433
+ msgid ""
+ "The detailed instructions for configuration of sudo_provider are in the "
+ "manual page <citerefentry> <refentrytitle>sssd-sudo</refentrytitle> "
+@@ -6585,208 +6748,208 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2424
++#: sssd-ldap.5.xml:2444
+ msgid "ldap_sudorule_object_class (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2427
++#: sssd-ldap.5.xml:2447
+ msgid "The object class of a sudo rule entry in LDAP."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2430
++#: sssd-ldap.5.xml:2450
+ msgid "Default: sudoRole"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2436
++#: sssd-ldap.5.xml:2456
+ msgid "ldap_sudorule_name (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2439
++#: sssd-ldap.5.xml:2459
+ msgid "The LDAP attribute that corresponds to the sudo rule name."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2449
++#: sssd-ldap.5.xml:2469
+ msgid "ldap_sudorule_command (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2452
++#: sssd-ldap.5.xml:2472
+ msgid "The LDAP attribute that corresponds to the command name."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2456
++#: sssd-ldap.5.xml:2476
+ msgid "Default: sudoCommand"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2462
++#: sssd-ldap.5.xml:2482
+ msgid "ldap_sudorule_host (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2465
++#: sssd-ldap.5.xml:2485
+ msgid ""
+ "The LDAP attribute that corresponds to the host name (or host IP address, "
+ "host IP network, or host netgroup)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2470
++#: sssd-ldap.5.xml:2490
+ msgid "Default: sudoHost"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2476
++#: sssd-ldap.5.xml:2496
+ msgid "ldap_sudorule_user (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2479
++#: sssd-ldap.5.xml:2499
+ msgid ""
+ "The LDAP attribute that corresponds to the user name (or UID, group name or "
+ "user's netgroup)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2483
++#: sssd-ldap.5.xml:2503
+ msgid "Default: sudoUser"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2489
++#: sssd-ldap.5.xml:2509
+ msgid "ldap_sudorule_option (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2492
++#: sssd-ldap.5.xml:2512
+ msgid "The LDAP attribute that corresponds to the sudo options."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2496
++#: sssd-ldap.5.xml:2516
+ msgid "Default: sudoOption"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2502
++#: sssd-ldap.5.xml:2522
+ msgid "ldap_sudorule_runasuser (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2505
++#: sssd-ldap.5.xml:2525
+ msgid ""
+ "The LDAP attribute that corresponds to the user name that commands may be "
+ "run as."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2509
++#: sssd-ldap.5.xml:2529
+ msgid "Default: sudoRunAsUser"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2515
++#: sssd-ldap.5.xml:2535
+ msgid "ldap_sudorule_runasgroup (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2518
++#: sssd-ldap.5.xml:2538
+ msgid ""
+ "The LDAP attribute that corresponds to the group name or group GID that "
+ "commands may be run as."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2522
++#: sssd-ldap.5.xml:2542
+ msgid "Default: sudoRunAsGroup"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2528
++#: sssd-ldap.5.xml:2548
+ msgid "ldap_sudorule_notbefore (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2531
++#: sssd-ldap.5.xml:2551
+ msgid ""
+ "The LDAP attribute that corresponds to the start date/time for when the sudo "
+ "rule is valid."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2535
++#: sssd-ldap.5.xml:2555
+ msgid "Default: sudoNotBefore"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2541
++#: sssd-ldap.5.xml:2561
+ msgid "ldap_sudorule_notafter (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2544
++#: sssd-ldap.5.xml:2564
+ msgid ""
+ "The LDAP attribute that corresponds to the expiration date/time, after which "
+ "the sudo rule will no longer be valid."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2549
++#: sssd-ldap.5.xml:2569
+ msgid "Default: sudoNotAfter"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2555
++#: sssd-ldap.5.xml:2575
+ msgid "ldap_sudorule_order (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2558
++#: sssd-ldap.5.xml:2578
+ msgid "The LDAP attribute that corresponds to the ordering index of the rule."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2562
++#: sssd-ldap.5.xml:2582
+ msgid "Default: sudoOrder"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2568
++#: sssd-ldap.5.xml:2588
+ msgid "ldap_sudo_full_refresh_interval (integer)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2571
++#: sssd-ldap.5.xml:2591
+ msgid ""
+ "How many seconds SSSD will wait between executing a full refresh of sudo "
+ "rules (which downloads all rules that are stored on the server)."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2576
++#: sssd-ldap.5.xml:2596
+ msgid ""
+ "The value must be greater than <emphasis>ldap_sudo_smart_refresh_interval </"
+ "emphasis>"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2581
++#: sssd-ldap.5.xml:2601
+ msgid "Default: 21600 (6 hours)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2587
++#: sssd-ldap.5.xml:2607
+ msgid "ldap_sudo_smart_refresh_interval (integer)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2590
++#: sssd-ldap.5.xml:2610
+ msgid ""
+ "How many seconds SSSD has to wait before executing a smart refresh of sudo "
+ "rules (which downloads all rules that have USN higher than the highest USN "
+@@ -6794,101 +6957,101 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2596
++#: sssd-ldap.5.xml:2616
+ msgid ""
+ "If USN attributes are not supported by the server, the modifyTimestamp "
+ "attribute is used instead."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2606
++#: sssd-ldap.5.xml:2626
+ msgid "ldap_sudo_use_host_filter (boolean)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2609
++#: sssd-ldap.5.xml:2629
+ msgid ""
+ "If true, SSSD will download only rules that are applicable to this machine "
+ "(using the IPv4 or IPv6 host/network addresses and hostnames)."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2620
++#: sssd-ldap.5.xml:2640
+ msgid "ldap_sudo_hostnames (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2623
++#: sssd-ldap.5.xml:2643
+ msgid ""
+ "Space separated list of hostnames or fully qualified domain names that "
+ "should be used to filter the rules."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2628
++#: sssd-ldap.5.xml:2648
+ msgid ""
+ "If this option is empty, SSSD will try to discover the hostname and the "
+ "fully qualified domain name automatically."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2633 sssd-ldap.5.xml:2656 sssd-ldap.5.xml:2674
+-#: sssd-ldap.5.xml:2692
++#: sssd-ldap.5.xml:2653 sssd-ldap.5.xml:2676 sssd-ldap.5.xml:2694
++#: sssd-ldap.5.xml:2712
+ msgid ""
+ "If <emphasis>ldap_sudo_use_host_filter</emphasis> is <emphasis>false</"
+ "emphasis> then this option has no effect."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2638 sssd-ldap.5.xml:2661
++#: sssd-ldap.5.xml:2658 sssd-ldap.5.xml:2681
+ msgid "Default: not specified"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2644
++#: sssd-ldap.5.xml:2664
+ msgid "ldap_sudo_ip (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2647
++#: sssd-ldap.5.xml:2667
+ msgid ""
+ "Space separated list of IPv4 or IPv6 host/network addresses that should be "
+ "used to filter the rules."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2652
++#: sssd-ldap.5.xml:2672
+ msgid ""
+ "If this option is empty, SSSD will try to discover the addresses "
+ "automatically."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2667
++#: sssd-ldap.5.xml:2687
+ msgid "ldap_sudo_include_netgroups (boolean)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2670
++#: sssd-ldap.5.xml:2690
+ msgid ""
+ "If true then SSSD will download every rule that contains a netgroup in "
+ "sudoHost attribute."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2685
++#: sssd-ldap.5.xml:2705
+ msgid "ldap_sudo_include_regexp (boolean)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2688
++#: sssd-ldap.5.xml:2708
+ msgid ""
+ "If true then SSSD will download every rule that contains a wildcard in "
+ "sudoHost attribute."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd-ldap.5.xml:2704
++#: sssd-ldap.5.xml:2724
+ msgid ""
+ "This manual page only describes attribute name mapping.  For detailed "
+ "explanation of sudo related attribute semantics, see <citerefentry> "
+@@ -6897,111 +7060,111 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><title>
+-#: sssd-ldap.5.xml:2714
++#: sssd-ldap.5.xml:2734
+ msgid "AUTOFS OPTIONS"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd-ldap.5.xml:2716
++#: sssd-ldap.5.xml:2736
+ msgid ""
+ "Some of the defaults for the parameters below are dependent on the LDAP "
+ "schema."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2722
++#: sssd-ldap.5.xml:2742
+ msgid "ldap_autofs_map_master_name (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2725
++#: sssd-ldap.5.xml:2745
+ msgid "The name of the automount master map in LDAP."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2728
++#: sssd-ldap.5.xml:2748
+ msgid "Default: auto.master"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2735
++#: sssd-ldap.5.xml:2755
+ msgid "ldap_autofs_map_object_class (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2738
++#: sssd-ldap.5.xml:2758
+ msgid "The object class of an automount map entry in LDAP."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2741
++#: sssd-ldap.5.xml:2761
+ msgid "Default: nisMap (rfc2307, autofs_provider=ad), otherwise automountMap"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2749
++#: sssd-ldap.5.xml:2769
+ msgid "ldap_autofs_map_name (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2752
++#: sssd-ldap.5.xml:2772
+ msgid "The name of an automount map entry in LDAP."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2755
++#: sssd-ldap.5.xml:2775
+ msgid ""
+ "Default: nisMapName (rfc2307, autofs_provider=ad), otherwise automountMapName"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2763
++#: sssd-ldap.5.xml:2783
+ msgid "ldap_autofs_entry_object_class (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2766
++#: sssd-ldap.5.xml:2786
+ msgid ""
+ "The object class of an automount entry in LDAP. The entry usually "
+ "corresponds to a mount point."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2771
++#: sssd-ldap.5.xml:2791
+ msgid "Default: nisObject (rfc2307, autofs_provider=ad), otherwise automount"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2779
++#: sssd-ldap.5.xml:2799
+ msgid "ldap_autofs_entry_key (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2782 sssd-ldap.5.xml:2797
++#: sssd-ldap.5.xml:2802 sssd-ldap.5.xml:2817
+ msgid ""
+ "The key of an automount entry in LDAP. The entry usually corresponds to a "
+ "mount point."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2786
++#: sssd-ldap.5.xml:2806
+ msgid "Default: cn (rfc2307, autofs_provider=ad), otherwise automountKey"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2794
++#: sssd-ldap.5.xml:2814
+ msgid "ldap_autofs_entry_value (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2801
++#: sssd-ldap.5.xml:2821
+ msgid ""
+ "Default: nisMapEntry (rfc2307, autofs_provider=ad), otherwise "
+ "automountInformation"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd-ldap.5.xml:2720
++#: sssd-ldap.5.xml:2740
+ msgid ""
+ "<placeholder type=\"variablelist\" id=\"0\"/> <placeholder type="
+ "\"variablelist\" id=\"1\"/> <placeholder type=\"variablelist\" id=\"2\"/> "
+@@ -7010,32 +7173,32 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><title>
+-#: sssd-ldap.5.xml:2812
++#: sssd-ldap.5.xml:2832
+ msgid "ADVANCED OPTIONS"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2819
++#: sssd-ldap.5.xml:2839
+ msgid "ldap_netgroup_search_base (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2824
++#: sssd-ldap.5.xml:2844
+ msgid "ldap_user_search_base (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2829
++#: sssd-ldap.5.xml:2849
+ msgid "ldap_group_search_base (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><note>
+-#: sssd-ldap.5.xml:2834
++#: sssd-ldap.5.xml:2854
+ msgid "<note>"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><note><para>
+-#: sssd-ldap.5.xml:2836
++#: sssd-ldap.5.xml:2856
+ msgid ""
+ "If the option <quote>ldap_use_tokengroups</quote> is enabled, the searches "
+ "against Active Directory will not be restricted and return all groups "
+@@ -7044,22 +7207,22 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist>
+-#: sssd-ldap.5.xml:2843
++#: sssd-ldap.5.xml:2863
+ msgid "</note>"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2845
++#: sssd-ldap.5.xml:2865
+ msgid "ldap_sudo_search_base (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2850
++#: sssd-ldap.5.xml:2870
+ msgid "ldap_autofs_search_base (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd-ldap.5.xml:2814
++#: sssd-ldap.5.xml:2834
+ msgid ""
+ "These options are supported by LDAP domains, but they should be used with "
+ "caution. Please include them in your configuration only if you know what you "
+@@ -7068,14 +7231,14 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><title>
+-#: sssd-ldap.5.xml:2865 sssd-simple.5.xml:131 sssd-ipa.5.xml:828
+-#: sssd-ad.5.xml:1063 sssd-krb5.5.xml:570 sss_rpcidmapd.5.xml:98
++#: sssd-ldap.5.xml:2885 sssd-simple.5.xml:131 sssd-ipa.5.xml:828
++#: sssd-ad.5.xml:1082 sssd-krb5.5.xml:604 sss_rpcidmapd.5.xml:98
+ #: sssd-files.5.xml:103 sssd-session-recording.5.xml:144
+ msgid "EXAMPLE"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd-ldap.5.xml:2867
++#: sssd-ldap.5.xml:2887
+ msgid ""
+ "The following example assumes that SSSD is correctly configured and LDAP is "
+ "set to one of the domains in the <replaceable>[domains]</replaceable> "
+@@ -7083,7 +7246,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><programlisting>
+-#: sssd-ldap.5.xml:2873
++#: sssd-ldap.5.xml:2893
+ #, no-wrap
+ msgid ""
+ "[domain/LDAP]\n"
+@@ -7096,27 +7259,27 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <refsect1><refsect2><para>
+-#: sssd-ldap.5.xml:2872 sssd-ldap.5.xml:2890 sssd-simple.5.xml:139
+-#: sssd-ipa.5.xml:836 sssd-ad.5.xml:1071 sssd-sudo.5.xml:56 sssd-krb5.5.xml:579
++#: sssd-ldap.5.xml:2892 sssd-ldap.5.xml:2910 sssd-simple.5.xml:139
++#: sssd-ipa.5.xml:836 sssd-ad.5.xml:1090 sssd-sudo.5.xml:56 sssd-krb5.5.xml:613
+ #: sssd-files.5.xml:110 sssd-session-recording.5.xml:150
+ #: include/ldap_id_mapping.xml:105
+ msgid "<placeholder type=\"programlisting\" id=\"0\"/>"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><title>
+-#: sssd-ldap.5.xml:2884
++#: sssd-ldap.5.xml:2904
+ msgid "LDAP ACCESS FILTER EXAMPLE"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd-ldap.5.xml:2886
++#: sssd-ldap.5.xml:2906
+ msgid ""
+ "The following example assumes that SSSD is correctly configured and to use "
+ "the ldap_access_order=lockout."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><programlisting>
+-#: sssd-ldap.5.xml:2891
++#: sssd-ldap.5.xml:2911
+ #, no-wrap
+ msgid ""
+ "[domain/LDAP]\n"
+@@ -7132,13 +7295,13 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><title>
+-#: sssd-ldap.5.xml:2906 sssd_krb5_locator_plugin.8.xml:83 sssd-simple.5.xml:148
+-#: sssd-ad.5.xml:1086 sssd.8.xml:230 sss_seed.8.xml:163
++#: sssd-ldap.5.xml:2926 sssd_krb5_locator_plugin.8.xml:83 sssd-simple.5.xml:148
++#: sssd-ad.5.xml:1105 sssd.8.xml:230 sss_seed.8.xml:163
+ msgid "NOTES"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd-ldap.5.xml:2908
++#: sssd-ldap.5.xml:2928
+ msgid ""
+ "The descriptions of some of the configuration options in this manual page "
+ "are based on the <citerefentry> <refentrytitle>ldap.conf</refentrytitle> "
+@@ -8612,7 +8775,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ipa.5.xml:128 sssd-ad.5.xml:888
++#: sssd-ipa.5.xml:128 sssd-ad.5.xml:907
+ msgid "dyndns_update (boolean)"
+ msgstr ""
+ 
+@@ -8627,7 +8790,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ipa.5.xml:140 sssd-ad.5.xml:902
++#: sssd-ipa.5.xml:140 sssd-ad.5.xml:921
+ msgid ""
+ "NOTE: On older systems (such as RHEL 5), for this behavior to work reliably, "
+ "the default Kerberos realm must be set properly in /etc/krb5.conf"
+@@ -8642,12 +8805,12 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ipa.5.xml:157 sssd-ad.5.xml:913
++#: sssd-ipa.5.xml:157 sssd-ad.5.xml:932
+ msgid "dyndns_ttl (integer)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ipa.5.xml:160 sssd-ad.5.xml:916
++#: sssd-ipa.5.xml:160 sssd-ad.5.xml:935
+ msgid ""
+ "The TTL to apply to the client DNS record when updating it.  If "
+ "dyndns_update is false this has no effect. This will override the TTL "
+@@ -8668,12 +8831,12 @@ msgid "Default: 1200 (seconds)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ipa.5.xml:177 sssd-ad.5.xml:927
++#: sssd-ipa.5.xml:177 sssd-ad.5.xml:946
+ msgid "dyndns_iface (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ipa.5.xml:180 sssd-ad.5.xml:930
++#: sssd-ipa.5.xml:180 sssd-ad.5.xml:949
+ msgid ""
+ "Optional. Applicable only when dyndns_update is true. Choose the interface "
+ "or a list of interfaces whose IP addresses should be used for dynamic DNS "
+@@ -8697,17 +8860,17 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ipa.5.xml:197 sssd-ad.5.xml:941
++#: sssd-ipa.5.xml:197 sssd-ad.5.xml:960
+ msgid "Example: dyndns_iface = em1, vnet1, vnet2"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ipa.5.xml:203 sssd-ad.5.xml:992
++#: sssd-ipa.5.xml:203 sssd-ad.5.xml:1011
+ msgid "dyndns_auth (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ipa.5.xml:206 sssd-ad.5.xml:995
++#: sssd-ipa.5.xml:206 sssd-ad.5.xml:1014
+ msgid ""
+ "Whether the nsupdate utility should use GSS-TSIG authentication for secure "
+ "updates with the DNS server, insecure updates can be sent by setting this "
+@@ -8715,7 +8878,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ipa.5.xml:212 sssd-ad.5.xml:1001
++#: sssd-ipa.5.xml:212 sssd-ad.5.xml:1020
+ msgid "Default: GSS-TSIG"
+ msgstr ""
+ 
+@@ -8742,7 +8905,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ipa.5.xml:244 sssd-ad.5.xml:947
++#: sssd-ipa.5.xml:244 sssd-ad.5.xml:966
+ msgid "dyndns_refresh_interval (integer)"
+ msgstr ""
+ 
+@@ -8755,12 +8918,12 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ipa.5.xml:260 sssd-ad.5.xml:965
++#: sssd-ipa.5.xml:260 sssd-ad.5.xml:984
+ msgid "dyndns_update_ptr (bool)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ipa.5.xml:263 sssd-ad.5.xml:968
++#: sssd-ipa.5.xml:263 sssd-ad.5.xml:987
+ msgid ""
+ "Whether the PTR record should also be explicitly updated when updating the "
+ "client's DNS records.  Applicable only when dyndns_update is true."
+@@ -8779,50 +8942,50 @@ msgid "Default: False (disabled)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ipa.5.xml:280 sssd-ad.5.xml:979
++#: sssd-ipa.5.xml:280 sssd-ad.5.xml:998
+ msgid "dyndns_force_tcp (bool)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ipa.5.xml:283 sssd-ad.5.xml:982
++#: sssd-ipa.5.xml:283 sssd-ad.5.xml:1001
+ msgid ""
+ "Whether the nsupdate utility should default to using TCP for communicating "
+ "with the DNS server."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ipa.5.xml:287 sssd-ad.5.xml:986
++#: sssd-ipa.5.xml:287 sssd-ad.5.xml:1005
+ msgid "Default: False (let nsupdate choose the protocol)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ipa.5.xml:293 sssd-ad.5.xml:1007
++#: sssd-ipa.5.xml:293 sssd-ad.5.xml:1026
+ msgid "dyndns_server (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ipa.5.xml:296 sssd-ad.5.xml:1010
++#: sssd-ipa.5.xml:296 sssd-ad.5.xml:1029
+ msgid ""
+ "The DNS server to use when performing a DNS update. In most setups, it's "
+ "recommended to leave this option unset."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ipa.5.xml:301 sssd-ad.5.xml:1015
++#: sssd-ipa.5.xml:301 sssd-ad.5.xml:1034
+ msgid ""
+ "Setting this option makes sense for environments where the DNS server is "
+ "different from the identity server."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ipa.5.xml:306 sssd-ad.5.xml:1020
++#: sssd-ipa.5.xml:306 sssd-ad.5.xml:1039
+ msgid ""
+ "Please note that this option will be only used in fallback attempt when "
+ "previous attempt using autodetected settings failed."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ipa.5.xml:311 sssd-ad.5.xml:1025
++#: sssd-ipa.5.xml:311 sssd-ad.5.xml:1044
+ msgid "Default: None (let nsupdate choose the server)"
+ msgstr ""
+ 
+@@ -8933,26 +9096,26 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ipa.5.xml:443 sssd-ad.5.xml:1034
++#: sssd-ipa.5.xml:443 sssd-ad.5.xml:1053
+ msgid "krb5_confd_path (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ipa.5.xml:446 sssd-ad.5.xml:1037
++#: sssd-ipa.5.xml:446 sssd-ad.5.xml:1056
+ msgid ""
+ "Absolute path of a directory where SSSD should place Kerberos configuration "
+ "snippets."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ipa.5.xml:450 sssd-ad.5.xml:1041
++#: sssd-ipa.5.xml:450 sssd-ad.5.xml:1060
+ msgid ""
+ "To disable the creation of the configuration snippets set the parameter to "
+ "'none'."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ipa.5.xml:454 sssd-ad.5.xml:1045
++#: sssd-ipa.5.xml:454 sssd-ad.5.xml:1064
+ msgid ""
+ "Default: not set (krb5.include.d subdirectory of SSSD's pubconf directory)"
+ msgstr ""
+@@ -8971,7 +9134,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ipa.5.xml:471 sssd-ipa.5.xml:501 sssd-ipa.5.xml:517 sssd-ad.5.xml:452
++#: sssd-ipa.5.xml:471 sssd-ipa.5.xml:501 sssd-ipa.5.xml:517 sssd-ad.5.xml:471
+ msgid "Default: 5 (seconds)"
+ msgstr ""
+ 
+@@ -9852,12 +10015,27 @@ msgid "Default: False (seconds)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ad.5.xml:442
++#: sssd-ad.5.xml:441
++msgid "ad_gpo_ignore_unreadable (boolean)"
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
++#: sssd-ad.5.xml:444
++msgid ""
++"Normally when some group policy containers (AD object) of applicable group "
++"policy objects are not readable by SSSD then users are denied access.  This "
++"option allows to ignore group policy containers and with them associated "
++"policies if their attributes in group policy containers are not readable for "
++"SSSD."
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
++#: sssd-ad.5.xml:461
+ msgid "ad_gpo_cache_timeout (integer)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:445
++#: sssd-ad.5.xml:464
+ msgid ""
+ "The amount of time between lookups of GPO policy files against the AD "
+ "server. This will reduce the latency and load on the AD server if there are "
+@@ -9865,12 +10043,12 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ad.5.xml:458
++#: sssd-ad.5.xml:477
+ msgid "ad_gpo_map_interactive (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:461
++#: sssd-ad.5.xml:480
+ msgid ""
+ "A comma-separated list of PAM service names for which GPO-based access "
+ "control is evaluated based on the InteractiveLogonRight and "
+@@ -9878,14 +10056,14 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:467
++#: sssd-ad.5.xml:486
+ msgid ""
+ "Note: Using the Group Policy Management Editor this value is called \"Allow "
+ "log on locally\" and \"Deny log on locally\"."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
+-#: sssd-ad.5.xml:481
++#: sssd-ad.5.xml:500
+ #, no-wrap
+ msgid ""
+ "ad_gpo_map_interactive = +my_pam_service, -login\n"
+@@ -9893,7 +10071,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:472
++#: sssd-ad.5.xml:491
+ msgid ""
+ "It is possible to add another PAM service name to the default set by using "
+ "<quote>+service_name</quote> or to explicitly remove a PAM service name from "
+@@ -9905,42 +10083,42 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd-ad.5.xml:504
++#: sssd-ad.5.xml:523
+ msgid "gdm-fingerprint"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd-ad.5.xml:524
++#: sssd-ad.5.xml:543
+ msgid "lightdm"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd-ad.5.xml:529
++#: sssd-ad.5.xml:548
+ msgid "lxdm"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd-ad.5.xml:534
++#: sssd-ad.5.xml:553
+ msgid "sddm"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd-ad.5.xml:539
++#: sssd-ad.5.xml:558
+ msgid "unity"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd-ad.5.xml:544
++#: sssd-ad.5.xml:563
+ msgid "xdm"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ad.5.xml:553
++#: sssd-ad.5.xml:572
+ msgid "ad_gpo_map_remote_interactive (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:556
++#: sssd-ad.5.xml:575
+ msgid ""
+ "A comma-separated list of PAM service names for which GPO-based access "
+ "control is evaluated based on the RemoteInteractiveLogonRight and "
+@@ -9948,7 +10126,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:562
++#: sssd-ad.5.xml:581
+ msgid ""
+ "Note: Using the Group Policy Management Editor this value is called \"Allow "
+ "log on through Remote Desktop Services\" and \"Deny log on through Remote "
+@@ -9956,7 +10134,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
+-#: sssd-ad.5.xml:577
++#: sssd-ad.5.xml:596
+ #, no-wrap
+ msgid ""
+ "ad_gpo_map_remote_interactive = +my_pam_service, -sshd\n"
+@@ -9964,7 +10142,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:568
++#: sssd-ad.5.xml:587
+ msgid ""
+ "It is possible to add another PAM service name to the default set by using "
+ "<quote>+service_name</quote> or to explicitly remove a PAM service name from "
+@@ -9976,22 +10154,22 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd-ad.5.xml:585
++#: sssd-ad.5.xml:604
+ msgid "sshd"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd-ad.5.xml:590
++#: sssd-ad.5.xml:609
+ msgid "cockpit"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ad.5.xml:599
++#: sssd-ad.5.xml:618
+ msgid "ad_gpo_map_network (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:602
++#: sssd-ad.5.xml:621
+ msgid ""
+ "A comma-separated list of PAM service names for which GPO-based access "
+ "control is evaluated based on the NetworkLogonRight and "
+@@ -9999,7 +10177,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:608
++#: sssd-ad.5.xml:627
+ msgid ""
+ "Note: Using the Group Policy Management Editor this value is called \"Access "
+ "this computer from the network\" and \"Deny access to this computer from the "
+@@ -10007,7 +10185,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
+-#: sssd-ad.5.xml:623
++#: sssd-ad.5.xml:642
+ #, no-wrap
+ msgid ""
+ "ad_gpo_map_network = +my_pam_service, -ftp\n"
+@@ -10015,7 +10193,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:614
++#: sssd-ad.5.xml:633
+ msgid ""
+ "It is possible to add another PAM service name to the default set by using "
+ "<quote>+service_name</quote> or to explicitly remove a PAM service name from "
+@@ -10027,22 +10205,22 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd-ad.5.xml:631
++#: sssd-ad.5.xml:650
+ msgid "ftp"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd-ad.5.xml:636
++#: sssd-ad.5.xml:655
+ msgid "samba"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ad.5.xml:645
++#: sssd-ad.5.xml:664
+ msgid "ad_gpo_map_batch (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:648
++#: sssd-ad.5.xml:667
+ msgid ""
+ "A comma-separated list of PAM service names for which GPO-based access "
+ "control is evaluated based on the BatchLogonRight and DenyBatchLogonRight "
+@@ -10050,14 +10228,14 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:654
++#: sssd-ad.5.xml:673
+ msgid ""
+ "Note: Using the Group Policy Management Editor this value is called \"Allow "
+ "log on as a batch job\" and \"Deny log on as a batch job\"."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
+-#: sssd-ad.5.xml:668
++#: sssd-ad.5.xml:687
+ #, no-wrap
+ msgid ""
+ "ad_gpo_map_batch = +my_pam_service, -crond\n"
+@@ -10065,7 +10243,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:659
++#: sssd-ad.5.xml:678
+ msgid ""
+ "It is possible to add another PAM service name to the default set by using "
+ "<quote>+service_name</quote> or to explicitly remove a PAM service name from "
+@@ -10077,23 +10255,23 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:671
++#: sssd-ad.5.xml:690
+ msgid ""
+ "Note: Cron service name may differ depending on Linux distribution used."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd-ad.5.xml:677
++#: sssd-ad.5.xml:696
+ msgid "crond"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ad.5.xml:686
++#: sssd-ad.5.xml:705
+ msgid "ad_gpo_map_service (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:689
++#: sssd-ad.5.xml:708
+ msgid ""
+ "A comma-separated list of PAM service names for which GPO-based access "
+ "control is evaluated based on the ServiceLogonRight and "
+@@ -10101,14 +10279,14 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:695
++#: sssd-ad.5.xml:714
+ msgid ""
+ "Note: Using the Group Policy Management Editor this value is called \"Allow "
+ "log on as a service\" and \"Deny log on as a service\"."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
+-#: sssd-ad.5.xml:708
++#: sssd-ad.5.xml:727
+ #, no-wrap
+ msgid ""
+ "ad_gpo_map_service = +my_pam_service\n"
+@@ -10116,7 +10294,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:700 sssd-ad.5.xml:775
++#: sssd-ad.5.xml:719 sssd-ad.5.xml:794
+ msgid ""
+ "It is possible to add a PAM service name to the default set by using <quote>"
+ "+service_name</quote>.  Since the default set is empty, it is not possible "
+@@ -10127,19 +10305,19 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ad.5.xml:718
++#: sssd-ad.5.xml:737
+ msgid "ad_gpo_map_permit (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:721
++#: sssd-ad.5.xml:740
+ msgid ""
+ "A comma-separated list of PAM service names for which GPO-based access is "
+ "always granted, regardless of any GPO Logon Rights."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
+-#: sssd-ad.5.xml:735
++#: sssd-ad.5.xml:754
+ #, no-wrap
+ msgid ""
+ "ad_gpo_map_permit = +my_pam_service, -sudo\n"
+@@ -10147,7 +10325,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:726
++#: sssd-ad.5.xml:745
+ msgid ""
+ "It is possible to add another PAM service name to the default set by using "
+ "<quote>+service_name</quote> or to explicitly remove a PAM service name from "
+@@ -10159,29 +10337,29 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd-ad.5.xml:743
++#: sssd-ad.5.xml:762
+ msgid "polkit-1"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd-ad.5.xml:758
++#: sssd-ad.5.xml:777
+ msgid "systemd-user"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ad.5.xml:767
++#: sssd-ad.5.xml:786
+ msgid "ad_gpo_map_deny (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:770
++#: sssd-ad.5.xml:789
+ msgid ""
+ "A comma-separated list of PAM service names for which GPO-based access is "
+ "always denied, regardless of any GPO Logon Rights."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
+-#: sssd-ad.5.xml:783
++#: sssd-ad.5.xml:802
+ #, no-wrap
+ msgid ""
+ "ad_gpo_map_deny = +my_pam_service\n"
+@@ -10189,12 +10367,12 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ad.5.xml:793
++#: sssd-ad.5.xml:812
+ msgid "ad_gpo_default_right (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:796
++#: sssd-ad.5.xml:815
+ msgid ""
+ "This option defines how access control is evaluated for PAM service names "
+ "that are not explicitly listed in one of the ad_gpo_map_* options. This "
+@@ -10207,57 +10385,57 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:809
++#: sssd-ad.5.xml:828
+ msgid "Supported values for this option include:"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd-ad.5.xml:813
++#: sssd-ad.5.xml:832
+ msgid "interactive"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd-ad.5.xml:818
++#: sssd-ad.5.xml:837
+ msgid "remote_interactive"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd-ad.5.xml:823
++#: sssd-ad.5.xml:842
+ msgid "network"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd-ad.5.xml:828
++#: sssd-ad.5.xml:847
+ msgid "batch"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd-ad.5.xml:833
++#: sssd-ad.5.xml:852
+ msgid "service"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd-ad.5.xml:838
++#: sssd-ad.5.xml:857
+ msgid "permit"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd-ad.5.xml:843
++#: sssd-ad.5.xml:862
+ msgid "deny"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:849
++#: sssd-ad.5.xml:868
+ msgid "Default: deny"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ad.5.xml:855
++#: sssd-ad.5.xml:874
+ msgid "ad_maximum_machine_account_password_age (integer)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:858
++#: sssd-ad.5.xml:877
+ msgid ""
+ "SSSD will check once a day if the machine account password is older than the "
+ "given age in days and try to renew it. A value of 0 will disable the renewal "
+@@ -10265,17 +10443,17 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:864
++#: sssd-ad.5.xml:883
+ msgid "Default: 30 days"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ad.5.xml:870
++#: sssd-ad.5.xml:889
+ msgid "ad_machine_account_password_renewal_opts (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:873
++#: sssd-ad.5.xml:892
+ msgid ""
+ "This option should only be used to test the machine account renewal task. "
+ "The option expects 2 integers separated by a colon (':'). The first integer "
+@@ -10285,12 +10463,12 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:882
++#: sssd-ad.5.xml:901
+ msgid "Default: 86400:750 (24h and 15m)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:891
++#: sssd-ad.5.xml:910
+ msgid ""
+ "Optional. This option tells SSSD to automatically update the Active "
+ "Directory DNS server with the IP address of this client. The update is "
+@@ -10301,19 +10479,19 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:921
++#: sssd-ad.5.xml:940
+ msgid "Default: 3600 (seconds)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:937
++#: sssd-ad.5.xml:956
+ msgid ""
+ "Default: Use the IP addresses of the interface which is used for AD LDAP "
+ "connection"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:950
++#: sssd-ad.5.xml:969
+ msgid ""
+ "How often should the back end perform periodic DNS update in addition to the "
+ "automatic update performed when the back end goes online.  This option is "
+@@ -10323,12 +10501,12 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:973 sss_rpcidmapd.5.xml:76
++#: sssd-ad.5.xml:992 sss_rpcidmapd.5.xml:76
+ msgid "Default: True"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd-ad.5.xml:1065
++#: sssd-ad.5.xml:1084
+ msgid ""
+ "The following example assumes that SSSD is correctly configured and example."
+ "com is one of the domains in the <replaceable>[sssd]</replaceable> section. "
+@@ -10336,7 +10514,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><programlisting>
+-#: sssd-ad.5.xml:1072
++#: sssd-ad.5.xml:1091
+ #, no-wrap
+ msgid ""
+ "[domain/EXAMPLE]\n"
+@@ -10351,7 +10529,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><programlisting>
+-#: sssd-ad.5.xml:1092
++#: sssd-ad.5.xml:1111
+ #, no-wrap
+ msgid ""
+ "access_provider = ldap\n"
+@@ -10360,7 +10538,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd-ad.5.xml:1088
++#: sssd-ad.5.xml:1107
+ msgid ""
+ "The AD access control provider checks if the account is expired.  It has the "
+ "same effect as the following configuration of the LDAP provider: "
+@@ -10368,7 +10546,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd-ad.5.xml:1098
++#: sssd-ad.5.xml:1117
+ msgid ""
+ "However, unless the <quote>ad</quote> access control provider is explicitly "
+ "configured, the default access provider is <quote>permit</quote>. Please "
+@@ -10378,7 +10556,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd-ad.5.xml:1106
++#: sssd-ad.5.xml:1125
+ msgid ""
+ "When the autofs provider is set to <quote>ad</quote>, the RFC2307 schema "
+ "attribute mapping (nisMap, nisObject, ...) is used, because these attributes "
+@@ -11836,23 +12014,61 @@ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd-krb5.5.xml:505
+-msgid "krb5_use_enterprise_principal (boolean)"
++msgid "krb5_kdcinfo_lookahead (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-krb5.5.xml:508
+ msgid ""
++"When krb5_use_kdcinfo is set to true, you can limit the amount of servers "
++"handed to <citerefentry> <refentrytitle>sssd_krb5_locator_plugin</"
++"refentrytitle> <manvolnum>8</manvolnum> </citerefentry>.  This might be "
++"helpful when there are too many servers discovered using SRV record."
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
++#: sssd-krb5.5.xml:518
++msgid ""
++"The krb5_kdcinfo_lookahead option contains two numbers seperated by a colon. "
++"The first number represents number of primary servers used and the second "
++"number specifies the number of backup servers."
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
++#: sssd-krb5.5.xml:524
++msgid ""
++"For example <emphasis>10:0</emphasis> means that up to 10 primary servers "
++"will be handed to <citerefentry> <refentrytitle>sssd_krb5_locator_plugin</"
++"refentrytitle> <manvolnum>8</manvolnum> </citerefentry>.  but no backup "
++"servers."
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
++#: sssd-krb5.5.xml:533
++#, fuzzy
++#| msgid "Default: 3"
++msgid "Default: 3:1"
++msgstr "Dre ziouer : 3"
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
++#: sssd-krb5.5.xml:539
++msgid "krb5_use_enterprise_principal (boolean)"
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
++#: sssd-krb5.5.xml:542
++msgid ""
+ "Specifies if the user principal should be treated as enterprise principal. "
+ "See section 5 of RFC 6806 for more details about enterprise principals."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-krb5.5.xml:514
++#: sssd-krb5.5.xml:548
+ msgid "Default: false (AD provider: true)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-krb5.5.xml:517
++#: sssd-krb5.5.xml:551
+ msgid ""
+ "The IPA provider will set to option to 'true' if it detects that the server "
+ "is capable of handling enterprise principals and the option is not set "
+@@ -11860,12 +12076,12 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-krb5.5.xml:526
++#: sssd-krb5.5.xml:560
+ msgid "krb5_map_user (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-krb5.5.xml:529
++#: sssd-krb5.5.xml:563
+ msgid ""
+ "The list of mappings is given as a comma-separated list of pairs "
+ "<quote>username:primary</quote> where <quote>username</quote> is a UNIX user "
+@@ -11875,7 +12091,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
+-#: sssd-krb5.5.xml:541
++#: sssd-krb5.5.xml:575
+ #, no-wrap
+ msgid ""
+ "krb5_realm = REALM\n"
+@@ -11883,7 +12099,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-krb5.5.xml:546
++#: sssd-krb5.5.xml:580
+ msgid ""
+ "<quote>joe</quote> and <quote>dick</quote> are UNIX user names and "
+ "<quote>juser</quote> and <quote>richard</quote> are primaries of kerberos "
+@@ -11903,7 +12119,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd-krb5.5.xml:572
++#: sssd-krb5.5.xml:606
+ msgid ""
+ "The following example assumes that SSSD is correctly configured and FOO is "
+ "one of the domains in the <replaceable>[sssd]</replaceable> section. This "
+@@ -11912,7 +12128,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><programlisting>
+-#: sssd-krb5.5.xml:580
++#: sssd-krb5.5.xml:614
+ #, no-wrap
+ msgid ""
+ "[domain/FOO]\n"
+diff --git a/src/man/po/ca.po b/src/man/po/ca.po
+index 85b791ff0..49b945893 100644
+--- a/src/man/po/ca.po
++++ b/src/man/po/ca.po
+@@ -14,7 +14,7 @@ msgid ""
+ msgstr ""
+ "Project-Id-Version: sssd-docs 2.0.99\n"
+ "Report-Msgid-Bugs-To: sssd-devel@redhat.com\n"
+-"POT-Creation-Date: 2019-03-20 22:06+0100\n"
++"POT-Creation-Date: 2019-10-07 11:33+0200\n"
+ "PO-Revision-Date: 2015-10-18 04:13+0000\n"
+ "Last-Translator: Robert Antoni Buj Gelonch <rbuj@fedoraproject.org>\n"
+ "Language-Team: Catalan (http://www.transifex.com/projects/p/sssd/language/"
+@@ -333,10 +333,10 @@ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:133 sssd.conf.5.xml:543 sssd.conf.5.xml:840
+-#: sssd.conf.5.xml:1566 sssd.conf.5.xml:1596 sssd-ldap.5.xml:1889
+-#: sssd-ldap.5.xml:1986 sssd-ldap.5.xml:2048 sssd-ldap.5.xml:2614
+-#: sssd-ldap.5.xml:2679 sssd-ldap.5.xml:2697 sssd-ad.5.xml:227
+-#: sssd-ad.5.xml:341 sssd-ad.5.xml:907 sssd-krb5.5.xml:499
++#: sssd.conf.5.xml:1566 sssd.conf.5.xml:1596 sssd-ldap.5.xml:1908
++#: sssd-ldap.5.xml:2006 sssd-ldap.5.xml:2068 sssd-ldap.5.xml:2634
++#: sssd-ldap.5.xml:2699 sssd-ldap.5.xml:2717 sssd-ad.5.xml:227
++#: sssd-ad.5.xml:341 sssd-ad.5.xml:926 sssd-krb5.5.xml:499
+ #: sssd-secrets.5.xml:351 sssd-secrets.5.xml:364
+ msgid "Default: true"
+ msgstr "Per defecte: true"
+@@ -358,16 +358,16 @@ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:146 sssd.conf.5.xml:540 sssd.conf.5.xml:722
+-#: sssd.conf.5.xml:1499 sssd.conf.5.xml:3106 sssd-ldap.5.xml:746
+-#: sssd-ldap.5.xml:1752 sssd-ldap.5.xml:1771 sssd-ldap.5.xml:1958
+-#: sssd-ldap.5.xml:2384 sssd-ipa.5.xml:151 sssd-ipa.5.xml:238
++#: sssd.conf.5.xml:1499 sssd.conf.5.xml:3129 sssd-ldap.5.xml:746
++#: sssd-ldap.5.xml:1759 sssd-ldap.5.xml:1778 sssd-ldap.5.xml:1978
++#: sssd-ldap.5.xml:2404 sssd-ipa.5.xml:151 sssd-ipa.5.xml:238
+ #: sssd-ipa.5.xml:559 sssd-krb5.5.xml:266 sssd-krb5.5.xml:300
+ #: sssd-krb5.5.xml:471
+ msgid "Default: false"
+ msgstr "Per defecte: false"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para>
+-#: sssd.conf.5.xml:106 sssd.conf.5.xml:157 sssd-ldap.5.xml:2422
++#: sssd.conf.5.xml:106 sssd.conf.5.xml:157 sssd-ldap.5.xml:2442
+ #: sssd-systemtap.5.xml:82 sssd-systemtap.5.xml:143 sssd-systemtap.5.xml:210
+ #: sssd-systemtap.5.xml:248 sssd-systemtap.5.xml:304
+ msgid "<placeholder type=\"variablelist\" id=\"0\"/>"
+@@ -392,8 +392,8 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:169 sssd.conf.5.xml:1377 sssd.conf.5.xml:3122
+-#: sssd-ldap.5.xml:1623 include/ldap_id_mapping.xml:264
++#: sssd.conf.5.xml:169 sssd.conf.5.xml:1377 sssd.conf.5.xml:3145
++#: sssd-ldap.5.xml:1630 include/ldap_id_mapping.xml:264
+ msgid "Default: 10"
+ msgstr "Per defecte: 10"
+ 
+@@ -408,7 +408,7 @@ msgid "The [sssd] section"
+ msgstr "La secció [sssd]"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><title>
+-#: sssd.conf.5.xml:191 sssd.conf.5.xml:3211
++#: sssd.conf.5.xml:191 sssd.conf.5.xml:3234
+ msgid "Section parameters"
+ msgstr "Paràmetres de la secció"
+ 
+@@ -497,7 +497,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:259 sssd.conf.5.xml:2672
++#: sssd.conf.5.xml:259 sssd.conf.5.xml:2680
+ msgid "re_expression (string)"
+ msgstr "re_expression (cadena)"
+ 
+@@ -519,12 +519,12 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:276 sssd.conf.5.xml:2720
++#: sssd.conf.5.xml:276 sssd.conf.5.xml:2728
+ msgid "full_name_format (string)"
+ msgstr "full_name_format (cadena)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:279 sssd.conf.5.xml:2723
++#: sssd.conf.5.xml:279 sssd.conf.5.xml:2731
+ msgid ""
+ "A <citerefentry> <refentrytitle>printf</refentrytitle> <manvolnum>3</"
+ "manvolnum> </citerefentry>-compatible format that describes how to compose a "
+@@ -535,40 +535,40 @@ msgstr ""
+ "compondre un FQN des dels components del nom d'usuari i del nom del domini."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:290 sssd.conf.5.xml:2734
++#: sssd.conf.5.xml:290 sssd.conf.5.xml:2742
+ msgid "%1$s"
+ msgstr "%1$s"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:291 sssd.conf.5.xml:2735
++#: sssd.conf.5.xml:291 sssd.conf.5.xml:2743
+ msgid "user name"
+ msgstr "nom d'usuari"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:294 sssd.conf.5.xml:2738
++#: sssd.conf.5.xml:294 sssd.conf.5.xml:2746
+ msgid "%2$s"
+ msgstr "%2$s"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:297 sssd.conf.5.xml:2741
++#: sssd.conf.5.xml:297 sssd.conf.5.xml:2749
+ msgid "domain name as specified in the SSSD config file."
+ msgstr ""
+ "el nom del domini tal com s'especifica al fitxer de configuració de l'SSSD."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:303 sssd.conf.5.xml:2747
++#: sssd.conf.5.xml:303 sssd.conf.5.xml:2755
+ msgid "%3$s"
+ msgstr "%3$s"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:306 sssd.conf.5.xml:2750
++#: sssd.conf.5.xml:306 sssd.conf.5.xml:2758
+ msgid ""
+ "domain flat name. Mostly usable for Active Directory domains, both directly "
+ "configured or discovered via IPA trusts."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:287 sssd.conf.5.xml:2731
++#: sssd.conf.5.xml:287 sssd.conf.5.xml:2739
+ msgid ""
+ "The following expansions are supported: <placeholder type=\"variablelist\" "
+ "id=\"0\"/>"
+@@ -727,9 +727,9 @@ msgstr ""
+ 
+ #. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:418 sssd.conf.5.xml:1166 sssd-ldap.5.xml:717
+-#: sssd-ldap.5.xml:1357 sssd-ldap.5.xml:1711 sssd-ldap.5.xml:1723
+-#: sssd-ldap.5.xml:1805 sssd-ad.5.xml:712 sssd-ad.5.xml:787 sssd.8.xml:126
+-#: sssd-krb5.5.xml:410 sssd-krb5.5.xml:556 sssd-secrets.5.xml:339
++#: sssd-ldap.5.xml:1357 sssd-ldap.5.xml:1718 sssd-ldap.5.xml:1730
++#: sssd-ldap.5.xml:1822 sssd-ad.5.xml:731 sssd-ad.5.xml:806 sssd.8.xml:126
++#: sssd-krb5.5.xml:410 sssd-krb5.5.xml:590 sssd-secrets.5.xml:339
+ #: sssd-secrets.5.xml:377 sssd-secrets.5.xml:390 sssd-secrets.5.xml:404
+ #: sssd-secrets.5.xml:415 include/ldap_id_mapping.xml:205
+ #: include/ldap_id_mapping.xml:216
+@@ -920,7 +920,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:588 sssd.conf.5.xml:1389 sssd.conf.5.xml:3172
++#: sssd.conf.5.xml:588 sssd.conf.5.xml:1389 sssd.conf.5.xml:3195
+ #: sssd-ad.5.xml:164 sssd-ad.5.xml:302 sssd-ad.5.xml:316
+ msgid "Default: Not set"
+ msgstr "Per defecte: Sense establir"
+@@ -1281,7 +1281,7 @@ msgstr ""
+ 
+ #. type: Content of: <varlistentry><listitem><para>
+ #: sssd.conf.5.xml:859 sssd.conf.5.xml:1299 sssd.conf.5.xml:1318
+-#: sssd-krb5.5.xml:539 include/override_homedir.xml:59
++#: sssd-krb5.5.xml:573 include/override_homedir.xml:59
+ msgid "example: <placeholder type=\"programlisting\" id=\"0\"/>"
+ msgstr "exemple: <placeholder type=\"programlisting\" id=\"0\"/>"
+ 
+@@ -1732,7 +1732,7 @@ msgid "pam_pwd_expiration_warning (integer)"
+ msgstr "pam_pwd_expiration_warning (enter)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:1201 sssd.conf.5.xml:2153
++#: sssd.conf.5.xml:1201 sssd.conf.5.xml:2161
+ msgid "Display a warning N days before the password expires."
+ msgstr ""
+ 
+@@ -1745,7 +1745,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:1210 sssd.conf.5.xml:2156
++#: sssd.conf.5.xml:1210 sssd.conf.5.xml:2164
+ msgid ""
+ "If zero is set, then this filter is not applied, i.e. if the expiration "
+ "warning was received from backend server, it will automatically be displayed."
+@@ -1759,7 +1759,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:1220 sssd.conf.5.xml:2976 sssd.8.xml:79
++#: sssd.conf.5.xml:1220 sssd.conf.5.xml:2991 sssd.8.xml:79
+ msgid "Default: 0"
+ msgstr "Per defecte: 0"
+ 
+@@ -1822,7 +1822,7 @@ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:1280 sssd.conf.5.xml:1305 sssd.conf.5.xml:1324
+-#: sssd.conf.5.xml:1950 sssd.conf.5.xml:2912 sssd-ldap.5.xml:2017
++#: sssd.conf.5.xml:1950 sssd.conf.5.xml:2920 sssd-ldap.5.xml:2037
+ msgid "Default: none"
+ msgstr "Per defecte: none"
+ 
+@@ -1887,9 +1887,9 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:1338 sssd.conf.5.xml:3056 sssd-ldap.5.xml:1125
+-#: sssd-ldap.5.xml:1152 sssd-ldap.5.xml:1552 sssd-ldap.5.xml:1573
+-#: sssd-ldap.5.xml:2090 include/ldap_id_mapping.xml:244
++#: sssd.conf.5.xml:1338 sssd-ldap.5.xml:1125 sssd-ldap.5.xml:1152
++#: sssd-ldap.5.xml:1552 sssd-ldap.5.xml:1573 sssd-ldap.5.xml:2110
++#: sssd-ad.5.xml:453 include/ldap_id_mapping.xml:244
+ msgid "Default: False"
+ msgstr "Per defecte: False"
+ 
+@@ -1987,48 +1987,48 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:1416 sssd-ad.5.xml:485 sssd-ad.5.xml:581 sssd-ad.5.xml:627
+-#: sssd-ad.5.xml:673 sssd-ad.5.xml:739
++#: sssd.conf.5.xml:1416 sssd-ad.5.xml:504 sssd-ad.5.xml:600 sssd-ad.5.xml:646
++#: sssd-ad.5.xml:692 sssd-ad.5.xml:758
+ msgid "Default: the default set of PAM service names includes:"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd.conf.5.xml:1421 sssd-ad.5.xml:489
++#: sssd.conf.5.xml:1421 sssd-ad.5.xml:508
+ msgid "login"
+ msgstr "login"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd.conf.5.xml:1426 sssd-ad.5.xml:494
++#: sssd.conf.5.xml:1426 sssd-ad.5.xml:513
+ msgid "su"
+ msgstr "su"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd.conf.5.xml:1431 sssd-ad.5.xml:499
++#: sssd.conf.5.xml:1431 sssd-ad.5.xml:518
+ msgid "su-l"
+ msgstr "su-l"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd.conf.5.xml:1436 sssd-ad.5.xml:514
++#: sssd.conf.5.xml:1436 sssd-ad.5.xml:533
+ msgid "gdm-smartcard"
+ msgstr "gdm-smartcard"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd.conf.5.xml:1441 sssd-ad.5.xml:509
++#: sssd.conf.5.xml:1441 sssd-ad.5.xml:528
+ msgid "gdm-password"
+ msgstr "gdm-password"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd.conf.5.xml:1446 sssd-ad.5.xml:519
++#: sssd.conf.5.xml:1446 sssd-ad.5.xml:538
+ msgid "kdm"
+ msgstr "kdm"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd.conf.5.xml:1451 sssd-ad.5.xml:748
++#: sssd.conf.5.xml:1451 sssd-ad.5.xml:767
+ msgid "sudo"
+ msgstr "sudo"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd.conf.5.xml:1456 sssd-ad.5.xml:753
++#: sssd.conf.5.xml:1456 sssd-ad.5.xml:772
+ msgid "sudo-i"
+ msgstr "sudo-i"
+ 
+@@ -2486,7 +2486,7 @@ msgid "FALSE = No enumerations for this domain"
+ msgstr "FALSE = Cap enumeració per a aquest domini"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:1886 sssd.conf.5.xml:2108 sssd.conf.5.xml:2283
++#: sssd.conf.5.xml:1886 sssd.conf.5.xml:2116 sssd.conf.5.xml:2291
+ msgid "Default: FALSE"
+ msgstr "Per defecte: FALSE"
+ 
+@@ -2712,43 +2712,51 @@ msgstr ""
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:2083
+ msgid ""
+-"The background refresh will process users, groups and netgroups in the cache."
++"The background refresh will process users, groups and netgroups in the "
++"cache. For users who have performed the initgroups (get group membership for "
++"user, typically ran at login)  operation in the past, both the user entry "
++"and the group membership are updated."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2087
++#: sssd.conf.5.xml:2091
++msgid "This option is automatically inherited for all trusted domains."
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
++#: sssd.conf.5.xml:2095
+ msgid "You can consider setting this value to 3/4 * entry_cache_timeout."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2091 sssd-ldap.5.xml:784 sssd-ipa.5.xml:254
++#: sssd.conf.5.xml:2099 sssd-ldap.5.xml:784 sssd-ipa.5.xml:254
+ msgid "Default: 0 (disabled)"
+ msgstr "Per defecte: 0 (inhabilitat)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2097
++#: sssd.conf.5.xml:2105
+ msgid "cache_credentials (bool)"
+ msgstr "cache_credentials (booleà)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2100
++#: sssd.conf.5.xml:2108
+ msgid "Determines if user credentials are also cached in the local LDB cache"
+ msgstr ""
+ "Determina si les credencials d'usuari també són emmagatzemades en la memòria "
+ "cau local de LDB"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2104
++#: sssd.conf.5.xml:2112
+ msgid "User credentials are stored in a SHA512 hash, not in plaintext"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2114
++#: sssd.conf.5.xml:2122
+ msgid "cache_credentials_minimal_first_factor_length (int)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2117
++#: sssd.conf.5.xml:2125
+ msgid ""
+ "If 2-Factor-Authentication (2FA) is used and credentials should be saved "
+ "this value determines the minimal length the first authentication factor "
+@@ -2756,24 +2764,24 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2124
++#: sssd.conf.5.xml:2132
+ msgid ""
+ "This should avoid that the short PINs of a PIN based 2FA scheme are saved in "
+ "the cache which would make them easy targets for brute-force attacks."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2129
++#: sssd.conf.5.xml:2137
+ msgid "Default: 8"
+ msgstr "Per defecte: 8"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2135
++#: sssd.conf.5.xml:2143
+ msgid "account_cache_expiration (integer)"
+ msgstr "account_cache_expiration (enter)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2138
++#: sssd.conf.5.xml:2146
+ msgid ""
+ "Number of days entries are left in cache after last successful login before "
+ "being removed during a cleanup of the cache. 0 means keep forever.  The "
+@@ -2786,17 +2794,17 @@ msgstr ""
+ "ha de ser superior o igual que offline_credentials_expiration."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2145
++#: sssd.conf.5.xml:2153
+ msgid "Default: 0 (unlimited)"
+ msgstr "Per defecte: 0 (sense límit)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2150
++#: sssd.conf.5.xml:2158
+ msgid "pwd_expiration_warning (integer)"
+ msgstr "pwd_expiration_warning (enter)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2161
++#: sssd.conf.5.xml:2169
+ msgid ""
+ "Please note that the backend server has to provide information about the "
+ "expiration time of the password.  If this information is missing, sssd "
+@@ -2805,34 +2813,34 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2168
++#: sssd.conf.5.xml:2176
+ msgid "Default: 7 (Kerberos), 0 (LDAP)"
+ msgstr "Per defecte: 7 (Kerberos), 0 (LDAP)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2174
++#: sssd.conf.5.xml:2182
+ msgid "id_provider (string)"
+ msgstr "id_provider (cadena)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2177
++#: sssd.conf.5.xml:2185
+ msgid ""
+ "The identification provider used for the domain.  Supported ID providers are:"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2181
++#: sssd.conf.5.xml:2189
+ msgid "<quote>proxy</quote>: Support a legacy NSS provider."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2184
++#: sssd.conf.5.xml:2192
+ msgid ""
+ "<quote>local</quote>: SSSD internal provider for local users (DEPRECATED)."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2188
++#: sssd.conf.5.xml:2196
+ msgid ""
+ "<quote>files</quote>: FILES provider. See <citerefentry> <refentrytitle>sssd-"
+ "files</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> for more "
+@@ -2840,7 +2848,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2196
++#: sssd.conf.5.xml:2204
+ msgid ""
+ "<quote>ldap</quote>: LDAP provider. See <citerefentry> <refentrytitle>sssd-"
+ "ldap</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> for more "
+@@ -2848,8 +2856,8 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2204 sssd.conf.5.xml:2309 sssd.conf.5.xml:2364
+-#: sssd.conf.5.xml:2427
++#: sssd.conf.5.xml:2212 sssd.conf.5.xml:2317 sssd.conf.5.xml:2372
++#: sssd.conf.5.xml:2435
+ msgid ""
+ "<quote>ipa</quote>: FreeIPA and Red Hat Enterprise Identity Management "
+ "provider. See <citerefentry> <refentrytitle>sssd-ipa</refentrytitle> "
+@@ -2858,8 +2866,8 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2213 sssd.conf.5.xml:2318 sssd.conf.5.xml:2373
+-#: sssd.conf.5.xml:2436
++#: sssd.conf.5.xml:2221 sssd.conf.5.xml:2326 sssd.conf.5.xml:2381
++#: sssd.conf.5.xml:2444
+ msgid ""
+ "<quote>ad</quote>: Active Directory provider. See <citerefentry> "
+ "<refentrytitle>sssd-ad</refentrytitle> <manvolnum>5</manvolnum> </"
+@@ -2867,19 +2875,19 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2224
++#: sssd.conf.5.xml:2232
+ msgid "use_fully_qualified_names (bool)"
+ msgstr "use_fully_qualified_names (booleà)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2227
++#: sssd.conf.5.xml:2235
+ msgid ""
+ "Use the full name and domain (as formatted by the domain's full_name_format) "
+ "as the user's login name reported to NSS."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2232
++#: sssd.conf.5.xml:2240
+ msgid ""
+ "If set to TRUE, all requests to this domain must use fully qualified names. "
+ "For example, if used in LOCAL domain that contains a \"test\" user, "
+@@ -2892,7 +2900,7 @@ msgstr ""
+ "l'usuari mentre que <command>getent passwd test@LOCAL</command> sí."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2240
++#: sssd.conf.5.xml:2248
+ msgid ""
+ "NOTE: This option has no effect on netgroup lookups due to their tendency to "
+ "include nested netgroups without qualified names. For netgroups, all domains "
+@@ -2900,22 +2908,22 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2247
++#: sssd.conf.5.xml:2255
+ msgid "Default: FALSE (TRUE if default_domain_suffix is used)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2253
++#: sssd.conf.5.xml:2261
+ msgid "ignore_group_members (bool)"
+ msgstr "ignore_group_members (booleà)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2256
++#: sssd.conf.5.xml:2264
+ msgid "Do not return group members for group lookups."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2259
++#: sssd.conf.5.xml:2267
+ msgid ""
+ "If set to TRUE, the group membership attribute is not requested from the "
+ "ldap server, and group members are not returned when processing group lookup "
+@@ -2927,7 +2935,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2277
++#: sssd.conf.5.xml:2285
+ msgid ""
+ "Enabling this option can also make access provider checks for group "
+ "membership significantly faster, especially for groups containing many "
+@@ -2935,12 +2943,12 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2288
++#: sssd.conf.5.xml:2296
+ msgid "auth_provider (string)"
+ msgstr "auth_provider (cadena)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2291
++#: sssd.conf.5.xml:2299
+ msgid ""
+ "The authentication provider used for the domain.  Supported auth providers "
+ "are:"
+@@ -2949,7 +2957,7 @@ msgstr ""
+ "d'autenticació suportats són:"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2295 sssd.conf.5.xml:2357
++#: sssd.conf.5.xml:2303 sssd.conf.5.xml:2365
+ msgid ""
+ "<quote>ldap</quote> for native LDAP authentication. See <citerefentry> "
+ "<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
+@@ -2960,7 +2968,7 @@ msgstr ""
+ "manvolnum></citerefentry> per a més informació sobre configuració d'LDAP."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2302
++#: sssd.conf.5.xml:2310
+ msgid ""
+ "<quote>krb5</quote> for Kerberos authentication. See <citerefentry> "
+ "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </"
+@@ -2971,7 +2979,7 @@ msgstr ""
+ "manvolnum></citerefentry> per a més informació sobre configurar Kerberos."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2326
++#: sssd.conf.5.xml:2334
+ msgid ""
+ "<quote>proxy</quote> for relaying authentication to some other PAM target."
+ msgstr ""
+@@ -2979,17 +2987,17 @@ msgstr ""
+ "de PAM."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2329
++#: sssd.conf.5.xml:2337
+ msgid "<quote>local</quote>: SSSD internal provider for local users"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2333
++#: sssd.conf.5.xml:2341
+ msgid "<quote>none</quote> disables authentication explicitly."
+ msgstr "<quote>none</quote> impossibilita l'autenticació explícitament."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2336
++#: sssd.conf.5.xml:2344
+ msgid ""
+ "Default: <quote>id_provider</quote> is used if it is set and can handle "
+ "authentication requests."
+@@ -2998,12 +3006,12 @@ msgstr ""
+ "gestionar les sol·licituds d'autenticació."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2342
++#: sssd.conf.5.xml:2350
+ msgid "access_provider (string)"
+ msgstr "access_provider (cadena)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2345
++#: sssd.conf.5.xml:2353
+ msgid ""
+ "The access control provider used for the domain.  There are two built-in "
+ "access providers (in addition to any included in installed backends)  "
+@@ -3014,19 +3022,19 @@ msgstr ""
+ "instal·lats) Els proveïdors especials interns són:"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2351
++#: sssd.conf.5.xml:2359
+ msgid ""
+ "<quote>permit</quote> always allow access. It's the only permitted access "
+ "provider for a local domain."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2354
++#: sssd.conf.5.xml:2362
+ msgid "<quote>deny</quote> always deny access."
+ msgstr "<quote>deny</quote> sempre denega l'accés."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2381
++#: sssd.conf.5.xml:2389
+ msgid ""
+ "<quote>simple</quote> access control based on access or deny lists. See "
+ "<citerefentry> <refentrytitle>sssd-simple</refentrytitle> <manvolnum>5</"
+@@ -3039,7 +3047,7 @@ msgstr ""
+ "configuració del mòdul d'accés simple."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2388
++#: sssd.conf.5.xml:2396
+ msgid ""
+ "<quote>krb5</quote>: .k5login based access control.  See <citerefentry> "
+ "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum></"
+@@ -3047,22 +3055,22 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2395
++#: sssd.conf.5.xml:2403
+ msgid "<quote>proxy</quote> for relaying access control to another PAM module."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2398
++#: sssd.conf.5.xml:2406
+ msgid "Default: <quote>permit</quote>"
+ msgstr "Per defecte: <quote>permit</quote>"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2403
++#: sssd.conf.5.xml:2411
+ msgid "chpass_provider (string)"
+ msgstr "chpass_provider (cadena)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2406
++#: sssd.conf.5.xml:2414
+ msgid ""
+ "The provider which should handle change password operations for the domain.  "
+ "Supported change password providers are:"
+@@ -3071,7 +3079,7 @@ msgstr ""
+ "al domini.  Els proveïdors de canvi de contrasenya compatibles són:"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2411
++#: sssd.conf.5.xml:2419
+ msgid ""
+ "<quote>ldap</quote> to change a password stored in a LDAP server. See "
+ "<citerefentry> <refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</"
+@@ -3079,7 +3087,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2419
++#: sssd.conf.5.xml:2427
+ msgid ""
+ "<quote>krb5</quote> to change the Kerberos password. See <citerefentry> "
+ "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </"
+@@ -3090,7 +3098,7 @@ msgstr ""
+ "manvolnum></citerefentry> per a més informació sobre configurar Kerberos."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2444
++#: sssd.conf.5.xml:2452
+ msgid ""
+ "<quote>proxy</quote> for relaying password changes to some other PAM target."
+ msgstr ""
+@@ -3098,12 +3106,12 @@ msgstr ""
+ "objectiu PAM."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2448
++#: sssd.conf.5.xml:2456
+ msgid "<quote>none</quote> disallows password changes explicitly."
+ msgstr "<quote>none</quote> rebutja els canvis de contrasenya explícitament."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2451
++#: sssd.conf.5.xml:2459
+ msgid ""
+ "Default: <quote>auth_provider</quote> is used if it is set and can handle "
+ "change password requests."
+@@ -3112,17 +3120,17 @@ msgstr ""
+ "gestionar peticions de canvi de contrasenya."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2458
++#: sssd.conf.5.xml:2466
+ msgid "sudo_provider (string)"
+ msgstr "sudo_provider (cadena)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2461
++#: sssd.conf.5.xml:2469
+ msgid "The SUDO provider used for the domain.  Supported SUDO providers are:"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2465
++#: sssd.conf.5.xml:2473
+ msgid ""
+ "<quote>ldap</quote> for rules stored in LDAP. See <citerefentry> "
+ "<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
+@@ -3130,32 +3138,32 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2473
++#: sssd.conf.5.xml:2481
+ msgid ""
+ "<quote>ipa</quote> the same as <quote>ldap</quote> but with IPA default "
+ "settings."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2477
++#: sssd.conf.5.xml:2485
+ msgid ""
+ "<quote>ad</quote> the same as <quote>ldap</quote> but with AD default "
+ "settings."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2481
++#: sssd.conf.5.xml:2489
+ msgid "<quote>none</quote> disables SUDO explicitly."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2484 sssd.conf.5.xml:2570 sssd.conf.5.xml:2640
+-#: sssd.conf.5.xml:2665
++#: sssd.conf.5.xml:2492 sssd.conf.5.xml:2578 sssd.conf.5.xml:2648
++#: sssd.conf.5.xml:2673
+ msgid "Default: The value of <quote>id_provider</quote> is used if it is set."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2488
++#: sssd.conf.5.xml:2496
+ msgid ""
+ "The detailed instructions for configuration of sudo_provider are in the "
+ "manual page <citerefentry> <refentrytitle>sssd-sudo</refentrytitle> "
+@@ -3166,7 +3174,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2503
++#: sssd.conf.5.xml:2511
+ msgid ""
+ "<emphasis>NOTE:</emphasis> Sudo rules are periodically downloaded in the "
+ "background unless the sudo provider is explicitly disabled. Set "
+@@ -3175,12 +3183,12 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2513
++#: sssd.conf.5.xml:2521
+ msgid "selinux_provider (string)"
+ msgstr "selinux_provider (cadena)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2516
++#: sssd.conf.5.xml:2524
+ msgid ""
+ "The provider which should handle loading of selinux settings. Note that this "
+ "provider will be called right after access provider ends.  Supported selinux "
+@@ -3188,7 +3196,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2522
++#: sssd.conf.5.xml:2530
+ msgid ""
+ "<quote>ipa</quote> to load selinux settings from an IPA server. See "
+ "<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</"
+@@ -3196,31 +3204,31 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2530
++#: sssd.conf.5.xml:2538
+ msgid "<quote>none</quote> disallows fetching selinux settings explicitly."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2533
++#: sssd.conf.5.xml:2541
+ msgid ""
+ "Default: <quote>id_provider</quote> is used if it is set and can handle "
+ "selinux loading requests."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2539
++#: sssd.conf.5.xml:2547
+ msgid "subdomains_provider (string)"
+ msgstr "subdomains_provider (cadena)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2542
++#: sssd.conf.5.xml:2550
+ msgid ""
+ "The provider which should handle fetching of subdomains. This value should "
+ "be always the same as id_provider.  Supported subdomain providers are:"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2548
++#: sssd.conf.5.xml:2556
+ msgid ""
+ "<quote>ipa</quote> to load a list of subdomains from an IPA server. See "
+ "<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</"
+@@ -3228,7 +3236,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2557
++#: sssd.conf.5.xml:2565
+ msgid ""
+ "<quote>ad</quote> to load a list of subdomains from an Active Directory "
+ "server. See <citerefentry> <refentrytitle>sssd-ad</refentrytitle> "
+@@ -3237,17 +3245,17 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2566
++#: sssd.conf.5.xml:2574
+ msgid "<quote>none</quote> disallows fetching subdomains explicitly."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2576
++#: sssd.conf.5.xml:2584
+ msgid "session_provider (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2579
++#: sssd.conf.5.xml:2587
+ msgid ""
+ "The provider which configures and manages user session related tasks. The "
+ "only user session task currently provided is the integration with Fleet "
+@@ -3255,43 +3263,43 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2586
++#: sssd.conf.5.xml:2594
+ msgid "<quote>ipa</quote> to allow performing user session related tasks."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2590
++#: sssd.conf.5.xml:2598
+ msgid ""
+ "<quote>none</quote> does not perform any kind of user session related tasks."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2594
++#: sssd.conf.5.xml:2602
+ msgid ""
+ "Default: <quote>id_provider</quote> is used if it is set and can perform "
+ "session related tasks."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2598
++#: sssd.conf.5.xml:2606
+ msgid ""
+ "<emphasis>NOTE:</emphasis> In order to have this feature working as expected "
+ "SSSD must be running as \"root\" and not as the unprivileged user."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2606
++#: sssd.conf.5.xml:2614
+ msgid "autofs_provider (string)"
+ msgstr "autofs_provider (cadena)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2609
++#: sssd.conf.5.xml:2617
+ msgid ""
+ "The autofs provider used for the domain.  Supported autofs providers are:"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2613
++#: sssd.conf.5.xml:2621
+ msgid ""
+ "<quote>ldap</quote> to load maps stored in LDAP. See <citerefentry> "
+ "<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
+@@ -3299,7 +3307,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2620
++#: sssd.conf.5.xml:2628
+ msgid ""
+ "<quote>ipa</quote> to load maps stored in an IPA server. See <citerefentry> "
+ "<refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</manvolnum> </"
+@@ -3307,7 +3315,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2628
++#: sssd.conf.5.xml:2636
+ msgid ""
+ "<quote>ad</quote> to load maps stored in an AD server. See <citerefentry> "
+ "<refentrytitle>sssd-ad</refentrytitle> <manvolnum>5</manvolnum> </"
+@@ -3315,24 +3323,24 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2637
++#: sssd.conf.5.xml:2645
+ msgid "<quote>none</quote> disables autofs explicitly."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2647
++#: sssd.conf.5.xml:2655
+ msgid "hostid_provider (string)"
+ msgstr "hostid_provider (cadena)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2650
++#: sssd.conf.5.xml:2658
+ msgid ""
+ "The provider used for retrieving host identity information.  Supported "
+ "hostid providers are:"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2654
++#: sssd.conf.5.xml:2662
+ msgid ""
+ "<quote>ipa</quote> to load host identity stored in an IPA server. See "
+ "<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</"
+@@ -3340,12 +3348,12 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2662
++#: sssd.conf.5.xml:2670
+ msgid "<quote>none</quote> disables hostid explicitly."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2675
++#: sssd.conf.5.xml:2683
+ msgid ""
+ "Regular expression for this domain that describes how to parse the string "
+ "containing user name and domain into these components.  The \"domain\" can "
+@@ -3355,7 +3363,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2684
++#: sssd.conf.5.xml:2692
+ msgid ""
+ "Default for the AD and IPA provider: <quote>(((?P&lt;domain&gt;[^\\\\]+)\\"
+ "\\(?P&lt;name&gt;.+$))|((?P&lt;name&gt;[^@]+)@(?P&lt;domain&gt;.+$))|(^(?"
+@@ -3364,29 +3372,29 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd.conf.5.xml:2689
++#: sssd.conf.5.xml:2697
+ msgid "username"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd.conf.5.xml:2692
++#: sssd.conf.5.xml:2700
+ msgid "username@domain.name"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd.conf.5.xml:2695
++#: sssd.conf.5.xml:2703
+ msgid "domain\\username"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2698
++#: sssd.conf.5.xml:2706
+ msgid ""
+ "While the first two correspond to the general default the third one is "
+ "introduced to allow easy integration of users from Windows domains."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2703
++#: sssd.conf.5.xml:2711
+ msgid ""
+ "Default: <quote>(?P&lt;name&gt;[^@]+)@?(?P&lt;domain&gt;[^@]*$)</quote> "
+ "which translates to \"the name is everything up to the <quote>@</quote> "
+@@ -3397,7 +3405,7 @@ msgstr ""
+ "quote> , el domini és tot el que hi ha després\""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2709
++#: sssd.conf.5.xml:2717
+ msgid ""
+ "NOTE: Some Active Directory groups, typically those used for MS Exchange "
+ "contain an <quote>@</quote> sign in the name, which clashes with the default "
+@@ -3407,17 +3415,17 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2760
++#: sssd.conf.5.xml:2768
+ msgid "Default: <quote>%1$s@%2$s</quote>."
+ msgstr "Per defecte: <quote>%1$s@%2$s</quote>."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2766
++#: sssd.conf.5.xml:2774
+ msgid "lookup_family_order (string)"
+ msgstr "lookup_family_order (cadena)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2769
++#: sssd.conf.5.xml:2777
+ msgid ""
+ "Provides the ability to select preferred address family to use when "
+ "performing DNS lookups."
+@@ -3426,42 +3434,42 @@ msgstr ""
+ "realitzar cerques de DNS."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2773
++#: sssd.conf.5.xml:2781
+ msgid "Supported values:"
+ msgstr "Valors admesos:"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2776
++#: sssd.conf.5.xml:2784
+ msgid "ipv4_first: Try looking up IPv4 address, if that fails, try IPv6"
+ msgstr "ipv4_first: Intenta resoldre l'adreça IPv4, si falla, intenta IPv6"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2779
++#: sssd.conf.5.xml:2787
+ msgid "ipv4_only: Only attempt to resolve hostnames to IPv4 addresses."
+ msgstr "ipv4_only: Intenta resoldre només noms màquina a adreces IPv4."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2782
++#: sssd.conf.5.xml:2790
+ msgid "ipv6_first: Try looking up IPv6 address, if that fails, try IPv4"
+ msgstr "ipv6_first: Intenta resoldre l'adreça IPv6, si falla, intenta IPv4"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2785
++#: sssd.conf.5.xml:2793
+ msgid "ipv6_only: Only attempt to resolve hostnames to IPv6 addresses."
+ msgstr "ipv6_only: Intenta resoldre només noms màquina a adreces IPv6."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2788
++#: sssd.conf.5.xml:2796
+ msgid "Default: ipv4_first"
+ msgstr "Per defecte: ipv4_first"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2794
++#: sssd.conf.5.xml:2802
+ msgid "dns_resolver_timeout (integer)"
+ msgstr "dns_resolver_timeout (enter)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2797
++#: sssd.conf.5.xml:2805
+ msgid ""
+ "Defines the amount of time (in seconds) to wait for a reply from the "
+ "internal fail over service before assuming that the service is unreachable. "
+@@ -3470,25 +3478,25 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2804
++#: sssd.conf.5.xml:2812
+ msgid ""
+ "Please see the section <quote>FAILOVER</quote> for more information about "
+ "the service resolution."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2809 sssd-ldap.5.xml:1434 sssd-ldap.5.xml:1476
++#: sssd.conf.5.xml:2817 sssd-ldap.5.xml:1434 sssd-ldap.5.xml:1476
+ #: sssd-ldap.5.xml:1494 sssd-krb5.5.xml:248
+ msgid "Default: 6"
+ msgstr "Per defecte: 6"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2815
++#: sssd.conf.5.xml:2823
+ msgid "dns_discovery_domain (string)"
+ msgstr "dns_discovery_domain (cadena)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2818
++#: sssd.conf.5.xml:2826
+ msgid ""
+ "If service discovery is used in the back end, specifies the domain part of "
+ "the service discovery DNS query."
+@@ -3497,52 +3505,52 @@ msgstr ""
+ "del domini de la consulta DNS del servei de descobriment."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2822
++#: sssd.conf.5.xml:2830
+ msgid "Default: Use the domain part of machine's hostname"
+ msgstr "Per defecte: Utilitza la part del domini del nom de màquina"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2828
++#: sssd.conf.5.xml:2836
+ msgid "override_gid (integer)"
+ msgstr "override_gid (enter)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2831
++#: sssd.conf.5.xml:2839
+ msgid "Override the primary GID value with the one specified."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2837
++#: sssd.conf.5.xml:2845
+ msgid "case_sensitive (string)"
+ msgstr "case_sensitive (cadena)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2845
++#: sssd.conf.5.xml:2853
+ msgid "True"
+ msgstr "True"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2848
++#: sssd.conf.5.xml:2856
+ msgid "Case sensitive. This value is invalid for AD provider."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2854
++#: sssd.conf.5.xml:2862
+ msgid "False"
+ msgstr "False"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2856
++#: sssd.conf.5.xml:2864
+ msgid "Case insensitive."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2860
++#: sssd.conf.5.xml:2868
+ msgid "Preserving"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2863
++#: sssd.conf.5.xml:2871
+ msgid ""
+ "Same as False (case insensitive), but does not lowercase names in the result "
+ "of NSS operations. Note that name aliases (and in case of services also "
+@@ -3550,7 +3558,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2840
++#: sssd.conf.5.xml:2848
+ msgid ""
+ "Treat user and group names as case sensitive. At the moment, this option is "
+ "not supported in the local provider. Possible option values are: "
+@@ -3558,17 +3566,17 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2875
++#: sssd.conf.5.xml:2883
+ msgid "Default: True (False for AD provider)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2881
++#: sssd.conf.5.xml:2889
+ msgid "subdomain_inherit (string)"
+ msgstr "subdomain_inherit (cadena)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2884
++#: sssd.conf.5.xml:2892
+ msgid ""
+ "Specifies a list of configuration parameters that should be inherited by a "
+ "subdomain. Please note that only selected parameters can be inherited.  "
+@@ -3576,34 +3584,34 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2890
++#: sssd.conf.5.xml:2898
+ msgid "ignore_group_members"
+ msgstr "ignore_group_members"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2893
++#: sssd.conf.5.xml:2901
+ msgid "ldap_purge_cache_timeout"
+ msgstr "ldap_purge_cache_timeout"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2896 sssd-ldap.5.xml:1158
++#: sssd.conf.5.xml:2904 sssd-ldap.5.xml:1158
+ msgid "ldap_use_tokengroups"
+ msgstr "ldap_use_tokengroups"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2899
++#: sssd.conf.5.xml:2907
+ msgid "ldap_user_principal"
+ msgstr "ldap_user_principal"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2902
++#: sssd.conf.5.xml:2910
+ msgid ""
+ "ldap_krb5_keytab (the value of krb5_keytab will be used if ldap_krb5_keytab "
+ "is not set explicitly)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
+-#: sssd.conf.5.xml:2908
++#: sssd.conf.5.xml:2916
+ #, no-wrap
+ msgid ""
+ "subdomain_inherit = ldap_purge_cache_timeout\n"
+@@ -3613,32 +3621,32 @@ msgstr ""
+ "                            "
+ 
+ #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2906 sssd-secrets.5.xml:448
++#: sssd.conf.5.xml:2914 sssd-secrets.5.xml:448
+ msgid "Example: <placeholder type=\"programlisting\" id=\"0\"/>"
+ msgstr "Exemple: <placeholder type=\"programlisting\" id=\"0\"/>"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2915
++#: sssd.conf.5.xml:2923
+ msgid "Note: This option only works with the IPA and AD provider."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2922
++#: sssd.conf.5.xml:2930
+ msgid "subdomain_homedir (string)"
+ msgstr "subdomain_homedir (cadena)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2933
++#: sssd.conf.5.xml:2941
+ msgid "%F"
+ msgstr "%F"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2934
++#: sssd.conf.5.xml:2942
+ msgid "flat (NetBIOS) name of a subdomain."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2925
++#: sssd.conf.5.xml:2933
+ msgid ""
+ "Use this homedir as default value for all subdomains within this domain in "
+ "IPA AD trust.  See <emphasis>override_homedir</emphasis> for info about "
+@@ -3648,47 +3656,55 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2939
++#: sssd.conf.5.xml:2947
+ msgid ""
+ "The value can be overridden by <emphasis>override_homedir</emphasis> option."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2943
++#: sssd.conf.5.xml:2951
+ msgid "Default: <filename>/home/%d/%u</filename>"
+ msgstr "Per defecte: <filename>/home/%d/%u</filename>"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2948
++#: sssd.conf.5.xml:2956
+ msgid "realmd_tags (string)"
+ msgstr "realmd_tags (cadena)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2951
++#: sssd.conf.5.xml:2959
+ msgid ""
+ "Various tags stored by the realmd configuration service for this domain."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2957
++#: sssd.conf.5.xml:2965
+ msgid "cached_auth_timeout (int)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2960
++#: sssd.conf.5.xml:2968
+ msgid ""
+ "Specifies time in seconds since last successful online authentication for "
+ "which user will be authenticated using cached credentials while SSSD is in "
+-"the online mode."
++"the online mode. If the credentials are incorrect, SSSD falls back to online "
++"authentication."
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
++#: sssd.conf.5.xml:2976
++msgid ""
++"This option's value is inherited by all trusted domains. At the moment it is "
++"not possible to set a different value per trusted domain."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2966
++#: sssd.conf.5.xml:2981
+ msgid "Special value 0 implies that this feature is disabled."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2970
++#: sssd.conf.5.xml:2985
+ msgid ""
+ "Please note that if <quote>cached_auth_timeout</quote> is longer than "
+ "<quote>pam_id_timeout</quote> then the back end could be called to handle "
+@@ -3696,43 +3712,52 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2981
++#: sssd.conf.5.xml:2996
+ msgid "auto_private_groups (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2987
++#: sssd.conf.5.xml:3002
+ msgid "true"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2990
++#: sssd.conf.5.xml:3005
+ msgid ""
+ "Create user's private group unconditionally from user's UID number.  The GID "
+ "number is ignored in this case."
+ msgstr ""
+ 
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
++#: sssd.conf.5.xml:3009
++msgid ""
++"NOTE: Because the GID number and the user private group are inferred from "
++"the UID number, it is not supported to have multiple entries with the same "
++"UID or GID number with this option. In other words, enabling this option "
++"enforces uniqueness across the ID space."
++msgstr ""
++
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2996
++#: sssd.conf.5.xml:3018
+ #, fuzzy
+ #| msgid "False"
+ msgid "false"
+ msgstr "False"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2999
++#: sssd.conf.5.xml:3021
+ msgid ""
+ "Always use the user's primary GID number. The GID number must refer to a "
+ "group object in the LDAP database."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:3005
++#: sssd.conf.5.xml:3027
+ msgid "hybrid"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3008
++#: sssd.conf.5.xml:3030
+ msgid ""
+ "A primary group is autogenerated for user entries whose UID and GID numbers "
+ "have the same value and at the same time the GID number does not correspond "
+@@ -3742,14 +3767,14 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3021
++#: sssd.conf.5.xml:3043
+ msgid ""
+ "If the UID and GID of a user are different, then the GID must correspond to "
+ "a group entry, otherwise the GID is simply not resolvable."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3028
++#: sssd.conf.5.xml:3050
+ msgid ""
+ "This feature is useful for environments that wish to stop maintaining a "
+ "separate group objects for the user private groups, but also wish to retain "
+@@ -3757,7 +3782,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2984
++#: sssd.conf.5.xml:2999
+ #, fuzzy
+ #| msgid ""
+ #| "Options valid for proxy domains.  <placeholder type=\"variablelist\" id="
+@@ -3770,27 +3795,36 @@ msgstr ""
+ "\"variablelist\" id=\"0\"/>"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3040
++#: sssd.conf.5.xml:3062
+ msgid ""
+-"For POSIX subdomains, setting the option in the main domain is inherited in "
+-"the subdomain."
++"For subdomains, the default value is False for subdomains that use assigned "
++"POSIX IDs and True for subdomains that use automatic ID-mapping."
+ msgstr ""
+ 
+-#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3044
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
++#: sssd.conf.5.xml:3070
++#, no-wrap
++msgid ""
++"[domain/forest.domain/sub.domain]\n"
++"auto_private_groups = false\n"
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
++#: sssd.conf.5.xml:3076
++#, no-wrap
+ msgid ""
+-"For ID-mapping subdomains, auto_private_groups is already enabled for the "
+-"subdomains and setting it to false will not have any effect for the "
+-"subdomain."
++"[domain/forest.domain]\n"
++"subdomain_inherit = auto_private_groups\n"
++"auto_private_groups = false\n"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3049
++#: sssd.conf.5.xml:3067
+ msgid ""
+-"NOTE: Because the GID number and the user private group are inferred from "
+-"the UID number, it is not supported to have multiple entries with the same "
+-"UID or GID number with this option. In other words, enabling this option "
+-"enforces uniqueness across the ID space."
++"The value of auto_private_groups can either be set per subdomains in a "
++"subsection, for example: <placeholder type=\"programlisting\" id=\"0\"/> or "
++"globally for all subdomains in the main domain section using the "
++"subdomain_inherit option: <placeholder type=\"programlisting\" id=\"1\"/>"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+@@ -3805,17 +3839,17 @@ msgstr ""
+ "replaceable>]</quote> <placeholder type=\"variablelist\" id=\"0\"/>"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:3068
++#: sssd.conf.5.xml:3091
+ msgid "proxy_pam_target (string)"
+ msgstr "proxy_pam_target (cadena)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3071
++#: sssd.conf.5.xml:3094
+ msgid "The proxy target PAM proxies to."
+ msgstr "El servidor intermediari on reenvia PAM."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3074
++#: sssd.conf.5.xml:3097
+ msgid ""
+ "Default: not set by default, you have to take an existing pam configuration "
+ "or create a new one and add the service name here."
+@@ -3824,12 +3858,12 @@ msgstr ""
+ "de pam existent o crear-ne una de nova i afegir aquí el nom del servei."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:3082
++#: sssd.conf.5.xml:3105
+ msgid "proxy_lib_name (string)"
+ msgstr "proxy_lib_name (cadena)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3085
++#: sssd.conf.5.xml:3108
+ msgid ""
+ "The name of the NSS library to use in proxy domains. The NSS functions "
+ "searched for in the library are in the form of _nss_$(libName)_$(function), "
+@@ -3840,12 +3874,12 @@ msgstr ""
+ "format _nss_$(libName)_$(function), per exemple _nss_files_getpwent."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:3095
++#: sssd.conf.5.xml:3118
+ msgid "proxy_fast_alias (boolean)"
+ msgstr "proxy_fast_alias (booleà)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3098
++#: sssd.conf.5.xml:3121
+ msgid ""
+ "When a user or group is looked up by name in the proxy provider, a second "
+ "lookup by ID is performed to \"canonicalize\" the name in case the requested "
+@@ -3854,12 +3888,12 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:3112
++#: sssd.conf.5.xml:3135
+ msgid "proxy_max_children (integer)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3115
++#: sssd.conf.5.xml:3138
+ msgid ""
+ "This option specifies the number of pre-forked proxy children. It is useful "
+ "for high-load SSSD environments where sssd may run out of available child "
+@@ -3867,7 +3901,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd.conf.5.xml:3064
++#: sssd.conf.5.xml:3087
+ msgid ""
+ "Options valid for proxy domains.  <placeholder type=\"variablelist\" id="
+ "\"0\"/>"
+@@ -3876,12 +3910,12 @@ msgstr ""
+ "\"variablelist\" id=\"0\"/>"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><title>
+-#: sssd.conf.5.xml:3131
++#: sssd.conf.5.xml:3154
+ msgid "Application domains"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para>
+-#: sssd.conf.5.xml:3133
++#: sssd.conf.5.xml:3156
+ msgid ""
+ "SSSD, with its D-Bus interface (see <citerefentry> <refentrytitle>sssd-ifp</"
+ "refentrytitle> <manvolnum>5</manvolnum> </citerefentry>) is appealing to "
+@@ -3898,7 +3932,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para>
+-#: sssd.conf.5.xml:3153
++#: sssd.conf.5.xml:3176
+ msgid ""
+ "Please note that the application domain must still be explicitly enabled in "
+ "the <quote>domains</quote> parameter so that the lookup order between the "
+@@ -3906,17 +3940,17 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><title>
+-#: sssd.conf.5.xml:3159
++#: sssd.conf.5.xml:3182
+ msgid "Application domain parameters"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:3161
++#: sssd.conf.5.xml:3184
+ msgid "inherit_from (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3164
++#: sssd.conf.5.xml:3187
+ msgid ""
+ "The SSSD POSIX-type domain the application domain inherits all settings "
+ "from. The application domain can moreover add its own settings to the "
+@@ -3925,7 +3959,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para>
+-#: sssd.conf.5.xml:3178
++#: sssd.conf.5.xml:3201
+ msgid ""
+ "The following example illustrates the use of an application domain. In this "
+ "setup, the POSIX domain is connected to an LDAP server and is used by the OS "
+@@ -3935,7 +3969,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><programlisting>
+-#: sssd.conf.5.xml:3186
++#: sssd.conf.5.xml:3209
+ #, no-wrap
+ msgid ""
+ "[sssd]\n"
+@@ -3955,12 +3989,12 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><title>
+-#: sssd.conf.5.xml:3204
++#: sssd.conf.5.xml:3227
+ msgid "The local domain section"
+ msgstr "La secció del domini local"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para>
+-#: sssd.conf.5.xml:3206
++#: sssd.conf.5.xml:3229
+ msgid ""
+ "This section contains settings for domain that stores users and groups in "
+ "SSSD native database, that is, a domain that uses "
+@@ -3971,29 +4005,29 @@ msgstr ""
+ "<replaceable>id_provider = local</replaceable>."
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:3213
++#: sssd.conf.5.xml:3236
+ msgid "default_shell (string)"
+ msgstr "default_shell (cadena)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3216
++#: sssd.conf.5.xml:3239
+ msgid "The default shell for users created with SSSD userspace tools."
+ msgstr ""
+ "El shell predeterminat per als usuaris que es creen amb eines de l'espai "
+ "d'usuari de l'SSSD."
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3220
++#: sssd.conf.5.xml:3243
+ msgid "Default: <filename>/bin/bash</filename>"
+ msgstr "Per defecte: <filename>/bin/bash</filename>"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:3225
++#: sssd.conf.5.xml:3248
+ msgid "base_directory (string)"
+ msgstr "base_directory (cadena)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3228
++#: sssd.conf.5.xml:3251
+ msgid ""
+ "The tools append the login name to <replaceable>base_directory</replaceable> "
+ "and use that as the home directory."
+@@ -4002,46 +4036,46 @@ msgstr ""
+ "replaceable> i utilitzen aquest com el directori inicial."
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3233
++#: sssd.conf.5.xml:3256
+ msgid "Default: <filename>/home</filename>"
+ msgstr "Per defecte: <filename>/home</filename>"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:3238
++#: sssd.conf.5.xml:3261
+ msgid "create_homedir (bool)"
+ msgstr "create_homedir (booleà)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3241
++#: sssd.conf.5.xml:3264
+ msgid ""
+ "Indicate if a home directory should be created by default for new users.  "
+ "Can be overridden on command line."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3245 sssd.conf.5.xml:3257
++#: sssd.conf.5.xml:3268 sssd.conf.5.xml:3280
+ msgid "Default: TRUE"
+ msgstr "Per defecte: TRUE"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:3250
++#: sssd.conf.5.xml:3273
+ msgid "remove_homedir (bool)"
+ msgstr "remove_homedir (booleà)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3253
++#: sssd.conf.5.xml:3276
+ msgid ""
+ "Indicate if a home directory should be removed by default for deleted "
+ "users.  Can be overridden on command line."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:3262
++#: sssd.conf.5.xml:3285
+ msgid "homedir_umask (integer)"
+ msgstr "homedir_umask (enter)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3265
++#: sssd.conf.5.xml:3288
+ msgid ""
+ "Used by <citerefentry> <refentrytitle>sss_useradd</refentrytitle> "
+ "<manvolnum>8</manvolnum> </citerefentry> to specify the default permissions "
+@@ -4052,17 +4086,17 @@ msgstr ""
+ "defecte en un directori inicial acabat de crear."
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3273
++#: sssd.conf.5.xml:3296
+ msgid "Default: 077"
+ msgstr "Per defecte: 077"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:3278
++#: sssd.conf.5.xml:3301
+ msgid "skel_dir (string)"
+ msgstr "skel_dir (cadena)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3281
++#: sssd.conf.5.xml:3304
+ msgid ""
+ "The skeleton directory, which contains files and directories to be copied in "
+ "the user's home directory, when the home directory is created by "
+@@ -4075,17 +4109,17 @@ msgstr ""
+ "manvolnum></citerefentry>"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3291
++#: sssd.conf.5.xml:3314
+ msgid "Default: <filename>/etc/skel</filename>"
+ msgstr "Per defecte: <filename>/etc/skel</filename>"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:3296
++#: sssd.conf.5.xml:3319
+ msgid "mail_dir (string)"
+ msgstr "mail_dir (cadena)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3299
++#: sssd.conf.5.xml:3322
+ msgid ""
+ "The mail spool directory. This is needed to manipulate the mailbox when its "
+ "corresponding user account is modified or deleted.  If not specified, a "
+@@ -4096,17 +4130,17 @@ msgstr ""
+ "suprimit.  Si no s'especifica, s'utilitzarà un valor per defecte."
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3306
++#: sssd.conf.5.xml:3329
+ msgid "Default: <filename>/var/mail</filename>"
+ msgstr "Per defecte: <filename>/var/correu</filename>"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:3311
++#: sssd.conf.5.xml:3334
+ msgid "userdel_cmd (string)"
+ msgstr "userdel_cmd (cadena)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3314
++#: sssd.conf.5.xml:3337
+ msgid ""
+ "The command that is run after a user is removed.  The command us passed the "
+ "username of the user being removed as the first and only parameter. The "
+@@ -4117,17 +4151,17 @@ msgstr ""
+ "té en compte."
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3320
++#: sssd.conf.5.xml:3343
+ msgid "Default: None, no command is run"
+ msgstr "Per defecte: Cap, no s'executa cap comanda"
+ 
+ #. type: Content of: <reference><refentry><refsect1><title>
+-#: sssd.conf.5.xml:3330
++#: sssd.conf.5.xml:3353
+ msgid "TRUSTED DOMAIN SECTION"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd.conf.5.xml:3332
++#: sssd.conf.5.xml:3355
+ msgid ""
+ "Some options used in the domain section can also be used in the trusted "
+ "domain section, that is, in a section called <quote>[domain/"
+@@ -4138,64 +4172,194 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd.conf.5.xml:3339
++#: sssd.conf.5.xml:3362
+ msgid "ldap_search_base,"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd.conf.5.xml:3340
++#: sssd.conf.5.xml:3363
+ msgid "ldap_user_search_base,"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd.conf.5.xml:3341
++#: sssd.conf.5.xml:3364
+ msgid "ldap_group_search_base,"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd.conf.5.xml:3342
++#: sssd.conf.5.xml:3365
+ msgid "ldap_netgroup_search_base,"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd.conf.5.xml:3343
++#: sssd.conf.5.xml:3366
+ msgid "ldap_service_search_base,"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd.conf.5.xml:3344
++#: sssd.conf.5.xml:3367
++#, fuzzy
++#| msgid "ldap_sasl_mech (string)"
++msgid "ldap_sasl_mech,"
++msgstr "ldap_sasl_mech (cadena)"
++
++#. type: Content of: <reference><refentry><refsect1><para>
++#: sssd.conf.5.xml:3368
+ msgid "ad_server,"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd.conf.5.xml:3345
++#: sssd.conf.5.xml:3369
+ msgid "ad_backup_server,"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd.conf.5.xml:3346
++#: sssd.conf.5.xml:3370
+ msgid "ad_site,"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para>
+-#: sssd.conf.5.xml:3347 sssd-ipa.5.xml:782
++#: sssd.conf.5.xml:3371 sssd-ipa.5.xml:782
+ msgid "use_fully_qualified_names"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd.conf.5.xml:3349
++#: sssd.conf.5.xml:3373
+ msgid ""
+ "For more details about these options see their individual description in the "
+ "manual page."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><title>
+-#: sssd.conf.5.xml:3355 idmap_sss.8.xml:43
++#: sssd.conf.5.xml:3379
++#, fuzzy
++#| msgid "CONFIGURATION OPTIONS"
++msgid "PROMPTING CONFIGURATION SECTION"
++msgstr "OPCIONS DE CONFIGURACIÓ"
++
++#. type: Content of: <reference><refentry><refsect1><para>
++#: sssd.conf.5.xml:3381
++msgid ""
++"If a special file (<filename>/var/lib/sss/pubconf/pam_preauth_available</"
++"filename>)  exists SSSD's PAM module pam_sss will ask SSSD to figure out "
++"which authentication methods are available for the user trying to log in.  "
++"Based on the results pam_sss will prompt the user for appropriate "
++"credentials."
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para>
++#: sssd.conf.5.xml:3389
++msgid ""
++"With the growing number of authentication methods and the possibility that "
++"there are multiple ones for a single user the heuristic used by pam_sss to "
++"select the prompting might not be suitable for all use cases. To following "
++"options should provide a better flexibility here."
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
++#: sssd.conf.5.xml:3401
++msgid "[prompting/password]"
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
++#: sssd.conf.5.xml:3404
++#, fuzzy
++#| msgid "password"
++msgid "password_prompt"
++msgstr "contrasenya"
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
++#: sssd.conf.5.xml:3405
++msgid "to change the string of the password prompt"
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
++#: sssd.conf.5.xml:3403
++#, fuzzy
++#| msgid ""
++#| "Options valid for proxy domains.  <placeholder type=\"variablelist\" id="
++#| "\"0\"/>"
++msgid ""
++"to configure password prompting, allowed options are: <placeholder type="
++"\"variablelist\" id=\"0\"/>"
++msgstr ""
++"Opcions vàlides per als dominis del servidor intermediari. <placeholder type="
++"\"variablelist\" id=\"0\"/>"
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
++#: sssd.conf.5.xml:3413
++msgid "[prompting/2fa]"
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
++#: sssd.conf.5.xml:3417
++msgid "first_prompt"
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
++#: sssd.conf.5.xml:3418
++msgid "to change the string of the prompt for the first factor"
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
++#: sssd.conf.5.xml:3421
++msgid "second_prompt"
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
++#: sssd.conf.5.xml:3422
++msgid "to change the string of the prompt for the second factor"
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
++#: sssd.conf.5.xml:3425
++msgid "single_prompt"
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
++#: sssd.conf.5.xml:3426
++msgid ""
++"boolean value, if True there will be only a single prompt using the value of "
++"first_prompt where it is expected that both factor are entered as a single "
++"string"
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
++#: sssd.conf.5.xml:3415
++#, fuzzy
++#| msgid ""
++#| "Options valid for proxy domains.  <placeholder type=\"variablelist\" id="
++#| "\"0\"/>"
++msgid ""
++"to configure two-factor authentication prompting, allowed options are: "
++"<placeholder type=\"variablelist\" id=\"0\"/>"
++msgstr ""
++"Opcions vàlides per als dominis del servidor intermediari. <placeholder type="
++"\"variablelist\" id=\"0\"/>"
++
++#. type: Content of: <reference><refentry><refsect1><para>
++#: sssd.conf.5.xml:3396
++msgid ""
++"Each supported authentication method has it's own configuration sub-section "
++"under <quote>[prompting/...]</quote>. Currently there are: <placeholder type="
++"\"variablelist\" id=\"0\"/> <placeholder type=\"variablelist\" id=\"1\"/>"
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para>
++#: sssd.conf.5.xml:3438
++msgid ""
++"It is possible to add a sub-section for specific PAM services like e.g. "
++"<quote>[prompting/password/sshd]</quote> to individual change the prompting "
++"for this service."
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><title>
++#: sssd.conf.5.xml:3445 idmap_sss.8.xml:43
+ msgid "EXAMPLES"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><programlisting>
+-#: sssd.conf.5.xml:3361
++#: sssd.conf.5.xml:3451
+ #, no-wrap
+ msgid ""
+ "[sssd]\n"
+@@ -4249,7 +4413,7 @@ msgstr ""
+ "enumerate = False\n"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd.conf.5.xml:3357
++#: sssd.conf.5.xml:3447
+ msgid ""
+ "1. The following example shows a typical SSSD config. It does not describe "
+ "configuration of the domains themselves - refer to documentation on "
+@@ -4258,7 +4422,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><programlisting>
+-#: sssd.conf.5.xml:3394
++#: sssd.conf.5.xml:3484
+ #, no-wrap
+ msgid ""
+ "[domain/ipa.com/child.ad.com]\n"
+@@ -4266,7 +4430,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd.conf.5.xml:3388
++#: sssd.conf.5.xml:3478
+ msgid ""
+ "2. The following example shows configuration of IPA AD trust where the AD "
+ "forest consists of two domains in a parent-child structure.  Suppose IPA "
+@@ -5235,7 +5399,7 @@ msgstr "L'atribut LDAP que correspon al nom complet de l'usuari."
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:797 sssd-ldap.5.xml:1199 sssd-ldap.5.xml:1273
+-#: sssd-ldap.5.xml:1382 sssd-ldap.5.xml:2443 sssd-ipa.5.xml:607
++#: sssd-ldap.5.xml:1382 sssd-ldap.5.xml:2463 sssd-ipa.5.xml:607
+ msgid "Default: cn"
+ msgstr "Per defecte: cn"
+ 
+@@ -5956,7 +6120,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1511 sssd-ldap.5.xml:2600
++#: sssd-ldap.5.xml:1511 sssd-ldap.5.xml:2620
+ msgid "Default: 900 (15 minutes)"
+ msgstr "Per defecte: 900 (15 minuts)"
+ 
+@@ -6059,11 +6223,16 @@ msgstr ""
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:1604
+ msgid ""
+-"You can turn off dereference lookups completely by setting the value to 0."
++"You can turn off dereference lookups completely by setting the value to 0. "
++"Please note that there are some codepaths in SSSD, like the IPA HBAC "
++"provider, that are only implemented using the dereference call, so even with "
++"dereference explicitly disabled, those parts will still use dereference if "
++"the server supports it and advertises the dereference control in the rootDSE "
++"object."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1608
++#: sssd-ldap.5.xml:1615
+ msgid ""
+ "A dereference lookup is a means of fetching all group members in a single "
+ "LDAP call.  Different LDAP servers may implement different dereference "
+@@ -6072,7 +6241,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1616
++#: sssd-ldap.5.xml:1623
+ msgid ""
+ "<emphasis>Note:</emphasis> If any of the search bases specifies a search "
+ "filter, then the dereference lookup performance enhancement will be disabled "
+@@ -6080,12 +6249,12 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1629
++#: sssd-ldap.5.xml:1636
+ msgid "ldap_tls_reqcert (string)"
+ msgstr "ldap_tls_reqcert (cadena)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1632
++#: sssd-ldap.5.xml:1639
+ msgid ""
+ "Specifies what checks to perform on server certificates in a TLS session, if "
+ "any. It can be specified as one of the following values:"
+@@ -6095,7 +6264,7 @@ msgstr ""
+ "valors següents:"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1638
++#: sssd-ldap.5.xml:1645
+ msgid ""
+ "<emphasis>never</emphasis> = The client will not request or check any server "
+ "certificate."
+@@ -6104,7 +6273,7 @@ msgstr ""
+ "certificat del servidor."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1642
++#: sssd-ldap.5.xml:1649
+ msgid ""
+ "<emphasis>allow</emphasis> = The server certificate is requested. If no "
+ "certificate is provided, the session proceeds normally. If a bad certificate "
+@@ -6116,7 +6285,7 @@ msgstr ""
+ "normalment."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1649
++#: sssd-ldap.5.xml:1656
+ msgid ""
+ "<emphasis>try</emphasis> = The server certificate is requested. If no "
+ "certificate is provided, the session proceeds normally. If a bad certificate "
+@@ -6127,7 +6296,7 @@ msgstr ""
+ "proporciona un certificat dolent, immediatament s'acaba la sessió."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1655
++#: sssd-ldap.5.xml:1662
+ msgid ""
+ "<emphasis>demand</emphasis> = The server certificate is requested. If no "
+ "certificate is provided, or a bad certificate is provided, the session is "
+@@ -6138,22 +6307,22 @@ msgstr ""
+ "immediatament s'acaba la sessió."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1661
++#: sssd-ldap.5.xml:1668
+ msgid "<emphasis>hard</emphasis> = Same as <quote>demand</quote>"
+ msgstr "<emphasis>hard</emphasis> = Igual que <quote>demand</quote>"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1665
++#: sssd-ldap.5.xml:1672
+ msgid "Default: hard"
+ msgstr "Per defecte: hard"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1671
++#: sssd-ldap.5.xml:1678
+ msgid "ldap_tls_cacert (string)"
+ msgstr "ldap_tls_cacert (cadena)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1674
++#: sssd-ldap.5.xml:1681
+ msgid ""
+ "Specifies the file that contains certificates for all of the Certificate "
+ "Authorities that <command>sssd</command> will recognize."
+@@ -6162,7 +6331,7 @@ msgstr ""
+ "Certificació que reconeixerà l'<command>sssd</command>."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1679 sssd-ldap.5.xml:1697 sssd-ldap.5.xml:1738
++#: sssd-ldap.5.xml:1686 sssd-ldap.5.xml:1704 sssd-ldap.5.xml:1745
+ msgid ""
+ "Default: use OpenLDAP defaults, typically in <filename>/etc/openldap/ldap."
+ "conf</filename>"
+@@ -6171,12 +6340,12 @@ msgstr ""
+ "<filename>/etc/openldap/ldap.conf</filename>"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1686
++#: sssd-ldap.5.xml:1693
+ msgid "ldap_tls_cacertdir (string)"
+ msgstr "ldap_tls_cacertdir (cadena)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1689
++#: sssd-ldap.5.xml:1696
+ msgid ""
+ "Specifies the path of a directory that contains Certificate Authority "
+ "certificates in separate individual files. Typically the file names need to "
+@@ -6190,32 +6359,32 @@ msgstr ""
+ "correctes."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1704
++#: sssd-ldap.5.xml:1711
+ msgid "ldap_tls_cert (string)"
+ msgstr "ldap_tls_cert (cadena)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1707
++#: sssd-ldap.5.xml:1714
+ msgid "Specifies the file that contains the certificate for the client's key."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1717
++#: sssd-ldap.5.xml:1724
+ msgid "ldap_tls_key (string)"
+ msgstr "ldap_tls_key (cadena)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1720
++#: sssd-ldap.5.xml:1727
+ msgid "Specifies the file that contains the client's key."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1729
++#: sssd-ldap.5.xml:1736
+ msgid "ldap_tls_cipher_suite (string)"
+ msgstr "ldap_tls_cipher_suite (cadena)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1732
++#: sssd-ldap.5.xml:1739
+ msgid ""
+ "Specifies acceptable cipher suites.  Typically this is a colon separated "
+ "list.  See <citerefentry><refentrytitle>ldap.conf</refentrytitle> "
+@@ -6223,12 +6392,12 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1745
++#: sssd-ldap.5.xml:1752
+ msgid "ldap_id_use_start_tls (boolean)"
+ msgstr "ldap_id_use_start_tls (booleà)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1748
++#: sssd-ldap.5.xml:1755
+ msgid ""
+ "Specifies that the id_provider connection must also use <systemitem class="
+ "\"protocol\">tls</systemitem> to protect the channel."
+@@ -6237,12 +6406,12 @@ msgstr ""
+ "class=\"protocol\">tls</systemitem> per a protegir el canal."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1758
++#: sssd-ldap.5.xml:1765
+ msgid "ldap_id_mapping (boolean)"
+ msgstr "ldap_id_mapping (booleà)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1761
++#: sssd-ldap.5.xml:1768
+ msgid ""
+ "Specifies that SSSD should attempt to map user and group IDs from the "
+ "ldap_user_objectsid and ldap_group_objectsid attributes instead of relying "
+@@ -6250,17 +6419,17 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1767
++#: sssd-ldap.5.xml:1774
+ msgid "Currently this feature supports only ActiveDirectory objectSID mapping."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1777
++#: sssd-ldap.5.xml:1784
+ msgid "ldap_min_id, ldap_max_id (integer)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1780
++#: sssd-ldap.5.xml:1787
+ msgid ""
+ "In contrast to the SID based ID mapping which is used if ldap_id_mapping is "
+ "set to true the allowed ID range for ldap_user_uid_number and "
+@@ -6271,31 +6440,46 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1792
++#: sssd-ldap.5.xml:1799
+ msgid "Default: not set (both options are set to 0)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1798
++#: sssd-ldap.5.xml:1805
+ msgid "ldap_sasl_mech (string)"
+ msgstr "ldap_sasl_mech (cadena)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1801
++#: sssd-ldap.5.xml:1808
++#, fuzzy
++#| msgid ""
++#| "Specify the SASL mechanism to use.  Currently only GSSAPI is tested and "
++#| "supported."
+ msgid ""
+-"Specify the SASL mechanism to use.  Currently only GSSAPI is tested and "
+-"supported."
++"Specify the SASL mechanism to use.  Currently only GSSAPI and GSS-SPNEGO are "
++"tested and supported."
+ msgstr ""
+ "Especifica el mecanisme SASL a utilitzar.  Actualment només GSSAPI és provat "
+ "i suportat."
+ 
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
++#: sssd-ldap.5.xml:1812
++msgid ""
++"If the backend supports sub-domains the value of ldap_sasl_mech is "
++"automatically inherited to the sub-domains. If a different value is needed "
++"for a sub-domain it can be overwritten by setting ldap_sasl_mech for this "
++"sub-domain explicitly.  Please see TRUSTED DOMAIN SECTION in "
++"<citerefentry><refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</"
++"manvolnum></citerefentry> for details."
++msgstr ""
++
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1811
++#: sssd-ldap.5.xml:1828
+ msgid "ldap_sasl_authid (string)"
+ msgstr "ldap_sasl_authid (cadena)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
+-#: sssd-ldap.5.xml:1822
++#: sssd-ldap.5.xml:1840
+ #, no-wrap
+ msgid ""
+ "hostname@REALM\n"
+@@ -6308,29 +6492,29 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1814
++#: sssd-ldap.5.xml:1831
+ msgid ""
+-"Specify the SASL authorization id to use.  When GSSAPI is used, this "
+-"represents the Kerberos principal used for authentication to the directory.  "
+-"This option can either contain the full principal (for example host/"
+-"myhost@EXAMPLE.COM) or just the principal name (for example host/myhost). By "
+-"default, the value is not set and the following principals are used: "
+-"<placeholder type=\"programlisting\" id=\"0\"/> If none of them are found, "
+-"the first principal in keytab is returned."
++"Specify the SASL authorization id to use.  When GSSAPI/GSS-SPNEGO are used, "
++"this represents the Kerberos principal used for authentication to the "
++"directory.  This option can either contain the full principal (for example "
++"host/myhost@EXAMPLE.COM) or just the principal name (for example host/"
++"myhost).  By default, the value is not set and the following principals are "
++"used: <placeholder type=\"programlisting\" id=\"0\"/> If none of them are "
++"found, the first principal in keytab is returned."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1833
++#: sssd-ldap.5.xml:1851
+ msgid "Default: host/hostname@REALM"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1839
++#: sssd-ldap.5.xml:1857
+ msgid "ldap_sasl_realm (string)"
+ msgstr "ldap_sasl_realm (cadena)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1842
++#: sssd-ldap.5.xml:1860
+ msgid ""
+ "Specify the SASL realm to use. When not specified, this option defaults to "
+ "the value of krb5_realm.  If the ldap_sasl_authid contains the realm as "
+@@ -6338,82 +6522,92 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1848
++#: sssd-ldap.5.xml:1866
+ msgid "Default: the value of krb5_realm."
+ msgstr "Per defecte: el valor de krb5_realm."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1854
++#: sssd-ldap.5.xml:1872
+ msgid "ldap_sasl_canonicalize (boolean)"
+ msgstr "ldap_sasl_canonicalize (booleà)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1857
++#: sssd-ldap.5.xml:1875
+ msgid ""
+ "If set to true, the LDAP library would perform a reverse lookup to "
+ "canonicalize the host name during a SASL bind."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1862
++#: sssd-ldap.5.xml:1880
+ msgid "Default: false;"
+ msgstr "Per defecte: false;"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1868
++#: sssd-ldap.5.xml:1886
+ msgid "ldap_krb5_keytab (string)"
+ msgstr "ldap_krb5_keytab (cadena)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1871
+-msgid "Specify the keytab to use when using SASL/GSSAPI."
++#: sssd-ldap.5.xml:1889
++#, fuzzy
++#| msgid "Specify the keytab to use when using SASL/GSSAPI."
++msgid "Specify the keytab to use when using SASL/GSSAPI/GSS-SPNEGO."
+ msgstr "Especifica el fitxer keytab a utilitzar quan s'utilitza SASL/GSSAPI."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1874
++#: sssd-ldap.5.xml:1893
+ msgid "Default: System keytab, normally <filename>/etc/krb5.keytab</filename>"
+ msgstr ""
+ "Per defecte: Fitxer keytab de sistema, normalment <filename>/etc/krb5."
+ "keytab</filename>"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1880
++#: sssd-ldap.5.xml:1899
+ msgid "ldap_krb5_init_creds (boolean)"
+ msgstr "ldap_krb5_init_creds (booleà)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1883
++#: sssd-ldap.5.xml:1902
++#, fuzzy
++#| msgid ""
++#| "Specifies that the id_provider should init Kerberos credentials (TGT).  "
++#| "This action is performed only if SASL is used and the mechanism selected "
++#| "is GSSAPI."
+ msgid ""
+ "Specifies that the id_provider should init Kerberos credentials (TGT).  This "
+ "action is performed only if SASL is used and the mechanism selected is "
+-"GSSAPI."
++"GSSAPI or GSS-SPNEGO."
+ msgstr ""
+ "Especifica que id_provider ha d'iniciar les credencials del Kerberos (TGT). "
+ "Aquesta acció únicament es realitza si s'utilitza SASL i el mecanisme "
+ "seleccionat és GSSAPI."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1895
++#: sssd-ldap.5.xml:1914
+ msgid "ldap_krb5_ticket_lifetime (integer)"
+ msgstr "ldap_krb5_ticket_lifetime (enter)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1898
+-msgid "Specifies the lifetime in seconds of the TGT if GSSAPI is used."
++#: sssd-ldap.5.xml:1917
++#, fuzzy
++#| msgid "Specifies the lifetime in seconds of the TGT if GSSAPI is used."
++msgid ""
++"Specifies the lifetime in seconds of the TGT if GSSAPI or GSS-SPNEGO is used."
+ msgstr "Especifica el temps de vida en segons de la TGT si s'utilitza GSSAPI."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1902 sssd-ad.5.xml:959
++#: sssd-ldap.5.xml:1921 sssd-ad.5.xml:978
+ msgid "Default: 86400 (24 hours)"
+ msgstr "Per defecte: 86400 (24 hores)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1908 sssd-krb5.5.xml:74
++#: sssd-ldap.5.xml:1927 sssd-krb5.5.xml:74
+ msgid "krb5_server, krb5_backup_server (string)"
+ msgstr "krb5_server, krb5_backup_server (cadena)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1911
++#: sssd-ldap.5.xml:1930
+ msgid ""
+ "Specifies the comma-separated list of IP addresses or hostnames of the "
+ "Kerberos servers to which SSSD should connect in the order of preference. "
+@@ -6425,7 +6619,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1923 sssd-krb5.5.xml:89
++#: sssd-ldap.5.xml:1942 sssd-krb5.5.xml:89
+ msgid ""
+ "When using service discovery for KDC or kpasswd servers, SSSD first searches "
+ "for DNS entries that specify _udp as the protocol and falls back to _tcp if "
+@@ -6436,7 +6630,7 @@ msgstr ""
+ "retorna a _tcp si no se'n troba cap."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1928 sssd-krb5.5.xml:94
++#: sssd-ldap.5.xml:1947 sssd-krb5.5.xml:94
+ msgid ""
+ "This option was named <quote>krb5_kdcip</quote> in earlier releases of SSSD. "
+ "While the legacy name is recognized for the time being, users are advised to "
+@@ -6448,41 +6642,43 @@ msgstr ""
+ "<quote>krb5_server</quote>."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1937 sssd-ipa.5.xml:428 sssd-krb5.5.xml:103
++#: sssd-ldap.5.xml:1956 sssd-ipa.5.xml:428 sssd-krb5.5.xml:103
+ msgid "krb5_realm (string)"
+ msgstr "krb5_realm (cadena)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1940
+-msgid "Specify the Kerberos REALM (for SASL/GSSAPI auth)."
++#: sssd-ldap.5.xml:1959
++#, fuzzy
++#| msgid "Specify the Kerberos REALM (for SASL/GSSAPI auth)."
++msgid "Specify the Kerberos REALM (for SASL/GSSAPI/GSS-SPNEGO auth)."
+ msgstr "Especifica l'àmbit KERBEROS (per a l'autenticació SASL/GSSAPI)."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1943
++#: sssd-ldap.5.xml:1963
+ msgid "Default: System defaults, see <filename>/etc/krb5.conf</filename>"
+ msgstr ""
+ "Per defecte: Paràmetres predeterminats del sistema, vegeu <filename>/etc/"
+ "krb5.conf</filename>"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1949 sssd-krb5.5.xml:462
++#: sssd-ldap.5.xml:1969 sssd-krb5.5.xml:462
+ msgid "krb5_canonicalize (boolean)"
+ msgstr "krb5_canonicalize (booleà)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1952
++#: sssd-ldap.5.xml:1972
+ msgid ""
+ "Specifies if the host principal should be canonicalized when connecting to "
+ "LDAP server. This feature is available with MIT Kerberos >= 1.7"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1964 sssd-krb5.5.xml:477
++#: sssd-ldap.5.xml:1984 sssd-krb5.5.xml:477
+ msgid "krb5_use_kdcinfo (boolean)"
+ msgstr "krb5_use_kdcinfo (booleà)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1967 sssd-krb5.5.xml:480
++#: sssd-ldap.5.xml:1987 sssd-krb5.5.xml:480
+ msgid ""
+ "Specifies if the SSSD should instruct the Kerberos libraries what realm and "
+ "which KDCs to use. This option is on by default, if you disable it, you need "
+@@ -6492,7 +6688,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1978 sssd-krb5.5.xml:491
++#: sssd-ldap.5.xml:1998 sssd-krb5.5.xml:491
+ msgid ""
+ "See the <citerefentry> <refentrytitle>sssd_krb5_locator_plugin</"
+ "refentrytitle> <manvolnum>8</manvolnum> </citerefentry> manual page for more "
+@@ -6500,12 +6696,12 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1992
++#: sssd-ldap.5.xml:2012
+ msgid "ldap_pwd_policy (string)"
+ msgstr "ldap_pwd_policy (cadena)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1995
++#: sssd-ldap.5.xml:2015
+ msgid ""
+ "Select the policy to evaluate the password expiration on the client side. "
+ "The following values are allowed:"
+@@ -6514,7 +6710,7 @@ msgstr ""
+ "costat del client. S'admeten els valors següents:"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2000
++#: sssd-ldap.5.xml:2020
+ msgid ""
+ "<emphasis>none</emphasis> - No evaluation on the client side. This option "
+ "cannot disable server-side password policies."
+@@ -6523,7 +6719,7 @@ msgstr ""
+ "opció no inhabilita les polítiques de contrasenya de servidor."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2005
++#: sssd-ldap.5.xml:2025
+ msgid ""
+ "<emphasis>shadow</emphasis> - Use <citerefentry><refentrytitle>shadow</"
+ "refentrytitle> <manvolnum>5</manvolnum></citerefentry> style attributes to "
+@@ -6531,7 +6727,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2011
++#: sssd-ldap.5.xml:2031
+ msgid ""
+ "<emphasis>mit_kerberos</emphasis> - Use the attributes used by MIT Kerberos "
+ "to determine if the password has expired. Use chpass_provider=krb5 to update "
+@@ -6543,25 +6739,25 @@ msgstr ""
+ "contrasenya."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2020
++#: sssd-ldap.5.xml:2040
+ msgid ""
+ "<emphasis>Note</emphasis>: if a password policy is configured on server "
+ "side, it always takes precedence over policy set with this option."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2028
++#: sssd-ldap.5.xml:2048
+ msgid "ldap_referrals (boolean)"
+ msgstr "ldap_referrals (booleà)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2031
++#: sssd-ldap.5.xml:2051
+ msgid "Specifies whether automatic referral chasing should be enabled."
+ msgstr ""
+ "Especifica si el seguiment automàtic del referenciador s'hauria d'habilitar."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2035
++#: sssd-ldap.5.xml:2055
+ msgid ""
+ "Please note that sssd only supports referral chasing when it is compiled "
+ "with OpenLDAP version 2.4.13 or higher."
+@@ -6570,7 +6766,7 @@ msgstr ""
+ "quan es compila amb la versió 2.4.13 o superiors d'OpenLDAP."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2040
++#: sssd-ldap.5.xml:2060
+ msgid ""
+ "Chasing referrals may incur a performance penalty in environments that use "
+ "them heavily, a notable example is Microsoft Active Directory. If your setup "
+@@ -6579,29 +6775,29 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2054
++#: sssd-ldap.5.xml:2074
+ msgid "ldap_dns_service_name (string)"
+ msgstr "ldap_dns_service_name (cadena)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2057
++#: sssd-ldap.5.xml:2077
+ msgid "Specifies the service name to use when service discovery is enabled."
+ msgstr ""
+ "Especifica el nom de servei per utilitzar quan està habilitada la detecció "
+ "de serveis."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2061
++#: sssd-ldap.5.xml:2081
+ msgid "Default: ldap"
+ msgstr "Per defecte: ldap"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2067
++#: sssd-ldap.5.xml:2087
+ msgid "ldap_chpass_dns_service_name (string)"
+ msgstr "ldap_chpass_dns_service_name (cadena)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2070
++#: sssd-ldap.5.xml:2090
+ msgid ""
+ "Specifies the service name to use to find an LDAP server which allows "
+ "password changes when service discovery is enabled."
+@@ -6611,30 +6807,30 @@ msgstr ""
+ "dels serveis."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2075
++#: sssd-ldap.5.xml:2095
+ msgid "Default: not set, i.e. service discovery is disabled"
+ msgstr ""
+ "Defecte: no definit, és a dir, el descobriment de serveis està inhabilitat"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2081
++#: sssd-ldap.5.xml:2101
+ msgid "ldap_chpass_update_last_change (bool)"
+ msgstr "ldap_chpass_update_last_change (booleà)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2084
++#: sssd-ldap.5.xml:2104
+ msgid ""
+ "Specifies whether to update the ldap_user_shadow_last_change attribute with "
+ "days since the Epoch after a password change operation."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2096
++#: sssd-ldap.5.xml:2116
+ msgid "ldap_access_filter (string)"
+ msgstr "ldap_access_filter (cadena)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2099
++#: sssd-ldap.5.xml:2119
+ msgid ""
+ "If using access_provider = ldap and ldap_access_order = filter (default), "
+ "this option is mandatory. It specifies an LDAP search filter criteria that "
+@@ -6650,12 +6846,12 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2119
++#: sssd-ldap.5.xml:2139
+ msgid "Example:"
+ msgstr "Exemple:"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><programlisting>
+-#: sssd-ldap.5.xml:2122
++#: sssd-ldap.5.xml:2142
+ #, no-wrap
+ msgid ""
+ "access_provider = ldap\n"
+@@ -6664,14 +6860,14 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2126
++#: sssd-ldap.5.xml:2146
+ msgid ""
+ "This example means that access to this host is restricted to users whose "
+ "employeeType attribute is set to \"admin\"."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2131
++#: sssd-ldap.5.xml:2151
+ msgid ""
+ "Offline caching for this feature is limited to determining whether the "
+ "user's last online login was granted access permission. If they were granted "
+@@ -6680,17 +6876,17 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2139 sssd-ldap.5.xml:2196
++#: sssd-ldap.5.xml:2159 sssd-ldap.5.xml:2216
+ msgid "Default: Empty"
+ msgstr "Per defecte: Buit"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2145
++#: sssd-ldap.5.xml:2165
+ msgid "ldap_account_expire_policy (string)"
+ msgstr "ldap_account_expire_policy (cadena)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2148
++#: sssd-ldap.5.xml:2168
+ msgid ""
+ "With this option a client side evaluation of access control attributes can "
+ "be enabled."
+@@ -6699,7 +6895,7 @@ msgstr ""
+ "d'atributs de control d'accés."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2152
++#: sssd-ldap.5.xml:2172
+ msgid ""
+ "Please note that it is always recommended to use server side access control, "
+ "i.e. the LDAP server should deny the bind request with a suitable error code "
+@@ -6711,12 +6907,12 @@ msgstr ""
+ "contrasenya és correcta."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2159
++#: sssd-ldap.5.xml:2179
+ msgid "The following values are allowed:"
+ msgstr "S'admeten els valors següents:"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2162
++#: sssd-ldap.5.xml:2182
+ msgid ""
+ "<emphasis>shadow</emphasis>: use the value of ldap_user_shadow_expire to "
+ "determine if the account is expired."
+@@ -6725,7 +6921,7 @@ msgstr ""
+ "determinar si el compte ha caducat."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2167
++#: sssd-ldap.5.xml:2187
+ msgid ""
+ "<emphasis>ad</emphasis>: use the value of the 32bit field "
+ "ldap_user_ad_user_account_control and allow access if the second bit is not "
+@@ -6734,7 +6930,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2174
++#: sssd-ldap.5.xml:2194
+ msgid ""
+ "<emphasis>rhds</emphasis>, <emphasis>ipa</emphasis>, <emphasis>389ds</"
+ "emphasis>: use the value of ldap_ns_account_lock to check if access is "
+@@ -6742,7 +6938,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2180
++#: sssd-ldap.5.xml:2200
+ msgid ""
+ "<emphasis>nds</emphasis>: the values of "
+ "ldap_user_nds_login_allowed_time_map, ldap_user_nds_login_disabled and "
+@@ -6751,7 +6947,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2189
++#: sssd-ldap.5.xml:2209
+ msgid ""
+ "Please note that the ldap_access_order configuration option <emphasis>must</"
+ "emphasis> include <quote>expire</quote> in order for the "
+@@ -6759,24 +6955,24 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2202
++#: sssd-ldap.5.xml:2222
+ msgid "ldap_access_order (string)"
+ msgstr "ldap_access_order (cadena)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2205
++#: sssd-ldap.5.xml:2225
+ msgid "Comma separated list of access control options.  Allowed values are:"
+ msgstr ""
+ "Llista separada per comes d'opcions de control d'accés. Els valors permesos "
+ "són:"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2209
++#: sssd-ldap.5.xml:2229
+ msgid "<emphasis>filter</emphasis>: use ldap_access_filter"
+ msgstr "<emphasis>filter</emphasis>: utilitza ldap_access_filter"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2212
++#: sssd-ldap.5.xml:2232
+ msgid ""
+ "<emphasis>lockout</emphasis>: use account locking.  If set, this option "
+ "denies access in case that ldap attribute 'pwdAccountLockedTime' is present "
+@@ -6786,14 +6982,14 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2222
++#: sssd-ldap.5.xml:2242
+ msgid ""
+ "<emphasis> Please note that this option is superseded by the <quote>ppolicy</"
+ "quote> option and might be removed in a future release.  </emphasis>"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2229
++#: sssd-ldap.5.xml:2249
+ msgid ""
+ "<emphasis>ppolicy</emphasis>: use account locking.  If set, this option "
+ "denies access in case that ldap attribute 'pwdAccountLockedTime' is present "
+@@ -6806,12 +7002,12 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2246
++#: sssd-ldap.5.xml:2266
+ msgid "<emphasis>expire</emphasis>: use ldap_account_expire_policy"
+ msgstr "<emphasis>expire</emphasis>: utilitza ldap_account_expire_policy"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2250
++#: sssd-ldap.5.xml:2270
+ msgid ""
+ "<emphasis>pwd_expire_policy_reject, pwd_expire_policy_warn, "
+ "pwd_expire_policy_renew: </emphasis> These options are useful if users are "
+@@ -6821,7 +7017,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2260
++#: sssd-ldap.5.xml:2280
+ msgid ""
+ "The difference between these options is the action taken if user password is "
+ "expired: pwd_expire_policy_reject - user is denied to log in, "
+@@ -6831,20 +7027,20 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2268
++#: sssd-ldap.5.xml:2288
+ msgid ""
+ "Note If user password is expired no explicit message is prompted by SSSD."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2272
++#: sssd-ldap.5.xml:2292
+ msgid ""
+ "Please note that 'access_provider = ldap' must be set for this feature to "
+ "work. Also 'ldap_pwd_policy' must be set to an appropriate password policy."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2277
++#: sssd-ldap.5.xml:2297
+ msgid ""
+ "<emphasis>authorized_service</emphasis>: use the authorizedService attribute "
+ "to determine access"
+@@ -6853,31 +7049,31 @@ msgstr ""
+ "authorizedService per determinar l'accés"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2282
++#: sssd-ldap.5.xml:2302
+ msgid "<emphasis>host</emphasis>: use the host attribute to determine access"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2286
++#: sssd-ldap.5.xml:2306
+ msgid ""
+ "<emphasis>rhost</emphasis>: use the rhost attribute to determine whether "
+ "remote host can access"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2290
++#: sssd-ldap.5.xml:2310
+ msgid ""
+ "Please note, rhost field in pam is set by application, it is better to check "
+ "what the application sends to pam, before enabling this access control option"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2295
++#: sssd-ldap.5.xml:2315
+ msgid "Default: filter"
+ msgstr "Per defecte: filter"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2298
++#: sssd-ldap.5.xml:2318
+ msgid ""
+ "Please note that it is a configuration error if a value is used more than "
+ "once."
+@@ -6886,12 +7082,12 @@ msgstr ""
+ "s'utilitza més d'una vegada."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2305
++#: sssd-ldap.5.xml:2325
+ msgid "ldap_pwdlockout_dn (string)"
+ msgstr "ldap_pwdlockout_dn (cadena)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2308
++#: sssd-ldap.5.xml:2328
+ msgid ""
+ "This option specifies the DN of password policy entry on LDAP server. Please "
+ "note that absence of this option in sssd.conf in case of enabled account "
+@@ -6900,22 +7096,22 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2316
++#: sssd-ldap.5.xml:2336
+ msgid "Example: cn=ppolicy,ou=policies,dc=example,dc=com"
+ msgstr "Exemple: cn=ppolicy,ou=policies,dc=exemple,dc=com"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2319
++#: sssd-ldap.5.xml:2339
+ msgid "Default: cn=ppolicy,ou=policies,$ldap_search_base"
+ msgstr "Per defecte: cn=ppolicy,ou=policies,$ldap_search_base"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2325
++#: sssd-ldap.5.xml:2345
+ msgid "ldap_deref (string)"
+ msgstr "ldap_deref (cadena)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2328
++#: sssd-ldap.5.xml:2348
+ msgid ""
+ "Specifies how alias dereferencing is done when performing a search. The "
+ "following options are allowed:"
+@@ -6924,13 +7120,13 @@ msgstr ""
+ "es fa una cerca. S'admeten les opcions següents:"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2333
++#: sssd-ldap.5.xml:2353
+ msgid "<emphasis>never</emphasis>: Aliases are never dereferenced."
+ msgstr ""
+ "<emphasis>never</emphasis>: les referències dels àlies mai són eliminades."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2337
++#: sssd-ldap.5.xml:2357
+ msgid ""
+ "<emphasis>searching</emphasis>: Aliases are dereferenced in subordinates of "
+ "the base object, but not in locating the base object of the search."
+@@ -6940,7 +7136,7 @@ msgstr ""
+ "de la cerca."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2342
++#: sssd-ldap.5.xml:2362
+ msgid ""
+ "<emphasis>finding</emphasis>: Aliases are only dereferenced when locating "
+ "the base object of the search."
+@@ -6949,7 +7145,7 @@ msgstr ""
+ "només en localitzar l'objecte base de la cerca."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2347
++#: sssd-ldap.5.xml:2367
+ msgid ""
+ "<emphasis>always</emphasis>: Aliases are dereferenced both in searching and "
+ "in locating the base object of the search."
+@@ -6958,7 +7154,7 @@ msgstr ""
+ "en la recerca i en la localització de l'objecte base de la cerca."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2352
++#: sssd-ldap.5.xml:2372
+ msgid ""
+ "Default: Empty (this is handled as <emphasis>never</emphasis> by the LDAP "
+ "client libraries)"
+@@ -6967,19 +7163,19 @@ msgstr ""
+ "biblioteques de client LDAP)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2360
++#: sssd-ldap.5.xml:2380
+ msgid "ldap_rfc2307_fallback_to_local_users (boolean)"
+ msgstr "ldap_rfc2307_fallback_to_local_users (booleà)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2363
++#: sssd-ldap.5.xml:2383
+ msgid ""
+ "Allows to retain local users as members of an LDAP group for servers that "
+ "use the RFC2307 schema."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2367
++#: sssd-ldap.5.xml:2387
+ msgid ""
+ "In some environments where the RFC2307 schema is used, local users are made "
+ "members of LDAP groups by adding their names to the memberUid attribute.  "
+@@ -6990,7 +7186,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2378
++#: sssd-ldap.5.xml:2398
+ msgid ""
+ "This option falls back to checking if local users are referenced, and caches "
+ "them so that later initgroups() calls will augment the local users with the "
+@@ -6998,24 +7194,24 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2390 sssd-ifp.5.xml:136
++#: sssd-ldap.5.xml:2410 sssd-ifp.5.xml:136
+ msgid "wildcard_limit (integer)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2393
++#: sssd-ldap.5.xml:2413
+ msgid ""
+ "Specifies an upper limit on the number of entries that are downloaded during "
+ "a wildcard lookup."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2397
++#: sssd-ldap.5.xml:2417
+ msgid "At the moment, only the InfoPipe responder supports wildcard lookups."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2401
++#: sssd-ldap.5.xml:2421
+ msgid "Default: 1000 (often the size of one page)"
+ msgstr ""
+ 
+@@ -7036,12 +7232,12 @@ msgstr ""
+ "\"0\"/>"
+ 
+ #. type: Content of: <reference><refentry><refsect1><title>
+-#: sssd-ldap.5.xml:2411
++#: sssd-ldap.5.xml:2431
+ msgid "SUDO OPTIONS"
+ msgstr "OPCIONS DE SUDO"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd-ldap.5.xml:2413
++#: sssd-ldap.5.xml:2433
+ msgid ""
+ "The detailed instructions for configuration of sudo_provider are in the "
+ "manual page <citerefentry> <refentrytitle>sssd-sudo</refentrytitle> "
+@@ -7049,208 +7245,208 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2424
++#: sssd-ldap.5.xml:2444
+ msgid "ldap_sudorule_object_class (string)"
+ msgstr "ldap_sudorule_object_class (cadena)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2427
++#: sssd-ldap.5.xml:2447
+ msgid "The object class of a sudo rule entry in LDAP."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2430
++#: sssd-ldap.5.xml:2450
+ msgid "Default: sudoRole"
+ msgstr "Per defecte: sudoRole"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2436
++#: sssd-ldap.5.xml:2456
+ msgid "ldap_sudorule_name (string)"
+ msgstr "ldap_sudorule_name (cadena)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2439
++#: sssd-ldap.5.xml:2459
+ msgid "The LDAP attribute that corresponds to the sudo rule name."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2449
++#: sssd-ldap.5.xml:2469
+ msgid "ldap_sudorule_command (string)"
+ msgstr "ldap_sudorule_command (cadena)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2452
++#: sssd-ldap.5.xml:2472
+ msgid "The LDAP attribute that corresponds to the command name."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2456
++#: sssd-ldap.5.xml:2476
+ msgid "Default: sudoCommand"
+ msgstr "Per defecte: sudoCommand"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2462
++#: sssd-ldap.5.xml:2482
+ msgid "ldap_sudorule_host (string)"
+ msgstr "ldap_sudorule_host (cadena)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2465
++#: sssd-ldap.5.xml:2485
+ msgid ""
+ "The LDAP attribute that corresponds to the host name (or host IP address, "
+ "host IP network, or host netgroup)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2470
++#: sssd-ldap.5.xml:2490
+ msgid "Default: sudoHost"
+ msgstr "Per defecte: sudoHost"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2476
++#: sssd-ldap.5.xml:2496
+ msgid "ldap_sudorule_user (string)"
+ msgstr "ldap_sudorule_user (cadena)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2479
++#: sssd-ldap.5.xml:2499
+ msgid ""
+ "The LDAP attribute that corresponds to the user name (or UID, group name or "
+ "user's netgroup)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2483
++#: sssd-ldap.5.xml:2503
+ msgid "Default: sudoUser"
+ msgstr "Per defecte: sudoUser"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2489
++#: sssd-ldap.5.xml:2509
+ msgid "ldap_sudorule_option (string)"
+ msgstr "ldap_sudorule_option (cadena)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2492
++#: sssd-ldap.5.xml:2512
+ msgid "The LDAP attribute that corresponds to the sudo options."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2496
++#: sssd-ldap.5.xml:2516
+ msgid "Default: sudoOption"
+ msgstr "Per defecte: sudoOption"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2502
++#: sssd-ldap.5.xml:2522
+ msgid "ldap_sudorule_runasuser (string)"
+ msgstr "ldap_sudorule_runasuser (cadena)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2505
++#: sssd-ldap.5.xml:2525
+ msgid ""
+ "The LDAP attribute that corresponds to the user name that commands may be "
+ "run as."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2509
++#: sssd-ldap.5.xml:2529
+ msgid "Default: sudoRunAsUser"
+ msgstr "Per defecte: sudoRunAsUser"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2515
++#: sssd-ldap.5.xml:2535
+ msgid "ldap_sudorule_runasgroup (string)"
+ msgstr "ldap_sudorule_runasgroup (cadena)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2518
++#: sssd-ldap.5.xml:2538
+ msgid ""
+ "The LDAP attribute that corresponds to the group name or group GID that "
+ "commands may be run as."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2522
++#: sssd-ldap.5.xml:2542
+ msgid "Default: sudoRunAsGroup"
+ msgstr "Per defecte: sudoRunAsGroup"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2528
++#: sssd-ldap.5.xml:2548
+ msgid "ldap_sudorule_notbefore (string)"
+ msgstr "ldap_sudorule_notbefore (cadena)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2531
++#: sssd-ldap.5.xml:2551
+ msgid ""
+ "The LDAP attribute that corresponds to the start date/time for when the sudo "
+ "rule is valid."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2535
++#: sssd-ldap.5.xml:2555
+ msgid "Default: sudoNotBefore"
+ msgstr "Per defecte: sudoNotBefore"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2541
++#: sssd-ldap.5.xml:2561
+ msgid "ldap_sudorule_notafter (string)"
+ msgstr "ldap_sudorule_notafter (cadena)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2544
++#: sssd-ldap.5.xml:2564
+ msgid ""
+ "The LDAP attribute that corresponds to the expiration date/time, after which "
+ "the sudo rule will no longer be valid."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2549
++#: sssd-ldap.5.xml:2569
+ msgid "Default: sudoNotAfter"
+ msgstr "Per defecte: sudoNotAfter"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2555
++#: sssd-ldap.5.xml:2575
+ msgid "ldap_sudorule_order (string)"
+ msgstr "ldap_sudorule_order (cadena)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2558
++#: sssd-ldap.5.xml:2578
+ msgid "The LDAP attribute that corresponds to the ordering index of the rule."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2562
++#: sssd-ldap.5.xml:2582
+ msgid "Default: sudoOrder"
+ msgstr "Per defecte: sudoOrder"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2568
++#: sssd-ldap.5.xml:2588
+ msgid "ldap_sudo_full_refresh_interval (integer)"
+ msgstr "ldap_sudo_full_refresh_interval (enter)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2571
++#: sssd-ldap.5.xml:2591
+ msgid ""
+ "How many seconds SSSD will wait between executing a full refresh of sudo "
+ "rules (which downloads all rules that are stored on the server)."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2576
++#: sssd-ldap.5.xml:2596
+ msgid ""
+ "The value must be greater than <emphasis>ldap_sudo_smart_refresh_interval </"
+ "emphasis>"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2581
++#: sssd-ldap.5.xml:2601
+ msgid "Default: 21600 (6 hours)"
+ msgstr "Per defecte: 21600 (6 hores)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2587
++#: sssd-ldap.5.xml:2607
+ msgid "ldap_sudo_smart_refresh_interval (integer)"
+ msgstr "ldap_sudo_smart_refresh_interval (enter)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2590
++#: sssd-ldap.5.xml:2610
+ msgid ""
+ "How many seconds SSSD has to wait before executing a smart refresh of sudo "
+ "rules (which downloads all rules that have USN higher than the highest USN "
+@@ -7258,101 +7454,101 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2596
++#: sssd-ldap.5.xml:2616
+ msgid ""
+ "If USN attributes are not supported by the server, the modifyTimestamp "
+ "attribute is used instead."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2606
++#: sssd-ldap.5.xml:2626
+ msgid "ldap_sudo_use_host_filter (boolean)"
+ msgstr "ldap_sudo_use_host_filter (booleà)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2609
++#: sssd-ldap.5.xml:2629
+ msgid ""
+ "If true, SSSD will download only rules that are applicable to this machine "
+ "(using the IPv4 or IPv6 host/network addresses and hostnames)."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2620
++#: sssd-ldap.5.xml:2640
+ msgid "ldap_sudo_hostnames (string)"
+ msgstr "ldap_sudo_hostnames (cadena)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2623
++#: sssd-ldap.5.xml:2643
+ msgid ""
+ "Space separated list of hostnames or fully qualified domain names that "
+ "should be used to filter the rules."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2628
++#: sssd-ldap.5.xml:2648
+ msgid ""
+ "If this option is empty, SSSD will try to discover the hostname and the "
+ "fully qualified domain name automatically."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2633 sssd-ldap.5.xml:2656 sssd-ldap.5.xml:2674
+-#: sssd-ldap.5.xml:2692
++#: sssd-ldap.5.xml:2653 sssd-ldap.5.xml:2676 sssd-ldap.5.xml:2694
++#: sssd-ldap.5.xml:2712
+ msgid ""
+ "If <emphasis>ldap_sudo_use_host_filter</emphasis> is <emphasis>false</"
+ "emphasis> then this option has no effect."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2638 sssd-ldap.5.xml:2661
++#: sssd-ldap.5.xml:2658 sssd-ldap.5.xml:2681
+ msgid "Default: not specified"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2644
++#: sssd-ldap.5.xml:2664
+ msgid "ldap_sudo_ip (string)"
+ msgstr "ldap_sudo_ip (cadena)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2647
++#: sssd-ldap.5.xml:2667
+ msgid ""
+ "Space separated list of IPv4 or IPv6 host/network addresses that should be "
+ "used to filter the rules."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2652
++#: sssd-ldap.5.xml:2672
+ msgid ""
+ "If this option is empty, SSSD will try to discover the addresses "
+ "automatically."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2667
++#: sssd-ldap.5.xml:2687
+ msgid "ldap_sudo_include_netgroups (boolean)"
+ msgstr "ldap_sudo_include_netgroups (booleà)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2670
++#: sssd-ldap.5.xml:2690
+ msgid ""
+ "If true then SSSD will download every rule that contains a netgroup in "
+ "sudoHost attribute."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2685
++#: sssd-ldap.5.xml:2705
+ msgid "ldap_sudo_include_regexp (boolean)"
+ msgstr "ldap_sudo_include_regexp (booleà)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2688
++#: sssd-ldap.5.xml:2708
+ msgid ""
+ "If true then SSSD will download every rule that contains a wildcard in "
+ "sudoHost attribute."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd-ldap.5.xml:2704
++#: sssd-ldap.5.xml:2724
+ msgid ""
+ "This manual page only describes attribute name mapping.  For detailed "
+ "explanation of sudo related attribute semantics, see <citerefentry> "
+@@ -7361,111 +7557,111 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><title>
+-#: sssd-ldap.5.xml:2714
++#: sssd-ldap.5.xml:2734
+ msgid "AUTOFS OPTIONS"
+ msgstr "OPCIONS D'AUTOFS"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd-ldap.5.xml:2716
++#: sssd-ldap.5.xml:2736
+ msgid ""
+ "Some of the defaults for the parameters below are dependent on the LDAP "
+ "schema."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2722
++#: sssd-ldap.5.xml:2742
+ msgid "ldap_autofs_map_master_name (string)"
+ msgstr "ldap_autofs_map_master_name (cadena)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2725
++#: sssd-ldap.5.xml:2745
+ msgid "The name of the automount master map in LDAP."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2728
++#: sssd-ldap.5.xml:2748
+ msgid "Default: auto.master"
+ msgstr "Per defecte: auto.master"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2735
++#: sssd-ldap.5.xml:2755
+ msgid "ldap_autofs_map_object_class (string)"
+ msgstr "ldap_autofs_map_object_class (cadena)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2738
++#: sssd-ldap.5.xml:2758
+ msgid "The object class of an automount map entry in LDAP."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2741
++#: sssd-ldap.5.xml:2761
+ msgid "Default: nisMap (rfc2307, autofs_provider=ad), otherwise automountMap"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2749
++#: sssd-ldap.5.xml:2769
+ msgid "ldap_autofs_map_name (string)"
+ msgstr "ldap_autofs_map_name (cadena)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2752
++#: sssd-ldap.5.xml:2772
+ msgid "The name of an automount map entry in LDAP."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2755
++#: sssd-ldap.5.xml:2775
+ msgid ""
+ "Default: nisMapName (rfc2307, autofs_provider=ad), otherwise automountMapName"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2763
++#: sssd-ldap.5.xml:2783
+ msgid "ldap_autofs_entry_object_class (string)"
+ msgstr "ldap_autofs_entry_object_class (cadena)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2766
++#: sssd-ldap.5.xml:2786
+ msgid ""
+ "The object class of an automount entry in LDAP. The entry usually "
+ "corresponds to a mount point."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2771
++#: sssd-ldap.5.xml:2791
+ msgid "Default: nisObject (rfc2307, autofs_provider=ad), otherwise automount"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2779
++#: sssd-ldap.5.xml:2799
+ msgid "ldap_autofs_entry_key (string)"
+ msgstr "ldap_autofs_entry_key (cadena)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2782 sssd-ldap.5.xml:2797
++#: sssd-ldap.5.xml:2802 sssd-ldap.5.xml:2817
+ msgid ""
+ "The key of an automount entry in LDAP. The entry usually corresponds to a "
+ "mount point."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2786
++#: sssd-ldap.5.xml:2806
+ msgid "Default: cn (rfc2307, autofs_provider=ad), otherwise automountKey"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2794
++#: sssd-ldap.5.xml:2814
+ msgid "ldap_autofs_entry_value (string)"
+ msgstr "ldap_autofs_entry_value (cadena)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2801
++#: sssd-ldap.5.xml:2821
+ msgid ""
+ "Default: nisMapEntry (rfc2307, autofs_provider=ad), otherwise "
+ "automountInformation"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd-ldap.5.xml:2720
++#: sssd-ldap.5.xml:2740
+ msgid ""
+ "<placeholder type=\"variablelist\" id=\"0\"/> <placeholder type="
+ "\"variablelist\" id=\"1\"/> <placeholder type=\"variablelist\" id=\"2\"/> "
+@@ -7474,32 +7670,32 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><title>
+-#: sssd-ldap.5.xml:2812
++#: sssd-ldap.5.xml:2832
+ msgid "ADVANCED OPTIONS"
+ msgstr "OPCIONS AVANÇADES"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2819
++#: sssd-ldap.5.xml:2839
+ msgid "ldap_netgroup_search_base (string)"
+ msgstr "ldap_netgroup_search_base (cadena)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2824
++#: sssd-ldap.5.xml:2844
+ msgid "ldap_user_search_base (string)"
+ msgstr "ldap_user_search_base (cadena)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2829
++#: sssd-ldap.5.xml:2849
+ msgid "ldap_group_search_base (string)"
+ msgstr "ldap_group_search_base (cadena)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><note>
+-#: sssd-ldap.5.xml:2834
++#: sssd-ldap.5.xml:2854
+ msgid "<note>"
+ msgstr "<note>"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><note><para>
+-#: sssd-ldap.5.xml:2836
++#: sssd-ldap.5.xml:2856
+ msgid ""
+ "If the option <quote>ldap_use_tokengroups</quote> is enabled, the searches "
+ "against Active Directory will not be restricted and return all groups "
+@@ -7508,22 +7704,22 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist>
+-#: sssd-ldap.5.xml:2843
++#: sssd-ldap.5.xml:2863
+ msgid "</note>"
+ msgstr "</note>"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2845
++#: sssd-ldap.5.xml:2865
+ msgid "ldap_sudo_search_base (string)"
+ msgstr "ldap_sudo_search_base (cadena)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2850
++#: sssd-ldap.5.xml:2870
+ msgid "ldap_autofs_search_base (string)"
+ msgstr "ldap_autofs_search_base (cadena)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd-ldap.5.xml:2814
++#: sssd-ldap.5.xml:2834
+ msgid ""
+ "These options are supported by LDAP domains, but they should be used with "
+ "caution. Please include them in your configuration only if you know what you "
+@@ -7532,14 +7728,14 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><title>
+-#: sssd-ldap.5.xml:2865 sssd-simple.5.xml:131 sssd-ipa.5.xml:828
+-#: sssd-ad.5.xml:1063 sssd-krb5.5.xml:570 sss_rpcidmapd.5.xml:98
++#: sssd-ldap.5.xml:2885 sssd-simple.5.xml:131 sssd-ipa.5.xml:828
++#: sssd-ad.5.xml:1082 sssd-krb5.5.xml:604 sss_rpcidmapd.5.xml:98
+ #: sssd-files.5.xml:103 sssd-session-recording.5.xml:144
+ msgid "EXAMPLE"
+ msgstr "EXEMPLE"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd-ldap.5.xml:2867
++#: sssd-ldap.5.xml:2887
+ msgid ""
+ "The following example assumes that SSSD is correctly configured and LDAP is "
+ "set to one of the domains in the <replaceable>[domains]</replaceable> "
+@@ -7550,7 +7746,7 @@ msgstr ""
+ "replaceable>."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><programlisting>
+-#: sssd-ldap.5.xml:2873
++#: sssd-ldap.5.xml:2893
+ #, no-wrap
+ msgid ""
+ "[domain/LDAP]\n"
+@@ -7563,27 +7759,27 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <refsect1><refsect2><para>
+-#: sssd-ldap.5.xml:2872 sssd-ldap.5.xml:2890 sssd-simple.5.xml:139
+-#: sssd-ipa.5.xml:836 sssd-ad.5.xml:1071 sssd-sudo.5.xml:56 sssd-krb5.5.xml:579
++#: sssd-ldap.5.xml:2892 sssd-ldap.5.xml:2910 sssd-simple.5.xml:139
++#: sssd-ipa.5.xml:836 sssd-ad.5.xml:1090 sssd-sudo.5.xml:56 sssd-krb5.5.xml:613
+ #: sssd-files.5.xml:110 sssd-session-recording.5.xml:150
+ #: include/ldap_id_mapping.xml:105
+ msgid "<placeholder type=\"programlisting\" id=\"0\"/>"
+ msgstr "<placeholder type=\"programlisting\" id=\"0\"/>"
+ 
+ #. type: Content of: <reference><refentry><refsect1><title>
+-#: sssd-ldap.5.xml:2884
++#: sssd-ldap.5.xml:2904
+ msgid "LDAP ACCESS FILTER EXAMPLE"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd-ldap.5.xml:2886
++#: sssd-ldap.5.xml:2906
+ msgid ""
+ "The following example assumes that SSSD is correctly configured and to use "
+ "the ldap_access_order=lockout."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><programlisting>
+-#: sssd-ldap.5.xml:2891
++#: sssd-ldap.5.xml:2911
+ #, no-wrap
+ msgid ""
+ "[domain/LDAP]\n"
+@@ -7599,13 +7795,13 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><title>
+-#: sssd-ldap.5.xml:2906 sssd_krb5_locator_plugin.8.xml:83 sssd-simple.5.xml:148
+-#: sssd-ad.5.xml:1086 sssd.8.xml:230 sss_seed.8.xml:163
++#: sssd-ldap.5.xml:2926 sssd_krb5_locator_plugin.8.xml:83 sssd-simple.5.xml:148
++#: sssd-ad.5.xml:1105 sssd.8.xml:230 sss_seed.8.xml:163
+ msgid "NOTES"
+ msgstr "NOTES"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd-ldap.5.xml:2908
++#: sssd-ldap.5.xml:2928
+ msgid ""
+ "The descriptions of some of the configuration options in this manual page "
+ "are based on the <citerefentry> <refentrytitle>ldap.conf</refentrytitle> "
+@@ -9193,7 +9389,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ipa.5.xml:128 sssd-ad.5.xml:888
++#: sssd-ipa.5.xml:128 sssd-ad.5.xml:907
+ msgid "dyndns_update (boolean)"
+ msgstr "dyndns_update (booleà)"
+ 
+@@ -9208,7 +9404,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ipa.5.xml:140 sssd-ad.5.xml:902
++#: sssd-ipa.5.xml:140 sssd-ad.5.xml:921
+ msgid ""
+ "NOTE: On older systems (such as RHEL 5), for this behavior to work reliably, "
+ "the default Kerberos realm must be set properly in /etc/krb5.conf"
+@@ -9223,12 +9419,12 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ipa.5.xml:157 sssd-ad.5.xml:913
++#: sssd-ipa.5.xml:157 sssd-ad.5.xml:932
+ msgid "dyndns_ttl (integer)"
+ msgstr "dyndns_ttl (enter)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ipa.5.xml:160 sssd-ad.5.xml:916
++#: sssd-ipa.5.xml:160 sssd-ad.5.xml:935
+ msgid ""
+ "The TTL to apply to the client DNS record when updating it.  If "
+ "dyndns_update is false this has no effect. This will override the TTL "
+@@ -9249,12 +9445,12 @@ msgid "Default: 1200 (seconds)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ipa.5.xml:177 sssd-ad.5.xml:927
++#: sssd-ipa.5.xml:177 sssd-ad.5.xml:946
+ msgid "dyndns_iface (string)"
+ msgstr "dyndns_iface (cadena)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ipa.5.xml:180 sssd-ad.5.xml:930
++#: sssd-ipa.5.xml:180 sssd-ad.5.xml:949
+ msgid ""
+ "Optional. Applicable only when dyndns_update is true. Choose the interface "
+ "or a list of interfaces whose IP addresses should be used for dynamic DNS "
+@@ -9278,17 +9474,17 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ipa.5.xml:197 sssd-ad.5.xml:941
++#: sssd-ipa.5.xml:197 sssd-ad.5.xml:960
+ msgid "Example: dyndns_iface = em1, vnet1, vnet2"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ipa.5.xml:203 sssd-ad.5.xml:992
++#: sssd-ipa.5.xml:203 sssd-ad.5.xml:1011
+ msgid "dyndns_auth (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ipa.5.xml:206 sssd-ad.5.xml:995
++#: sssd-ipa.5.xml:206 sssd-ad.5.xml:1014
+ msgid ""
+ "Whether the nsupdate utility should use GSS-TSIG authentication for secure "
+ "updates with the DNS server, insecure updates can be sent by setting this "
+@@ -9296,7 +9492,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ipa.5.xml:212 sssd-ad.5.xml:1001
++#: sssd-ipa.5.xml:212 sssd-ad.5.xml:1020
+ msgid "Default: GSS-TSIG"
+ msgstr ""
+ 
+@@ -9323,7 +9519,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ipa.5.xml:244 sssd-ad.5.xml:947
++#: sssd-ipa.5.xml:244 sssd-ad.5.xml:966
+ msgid "dyndns_refresh_interval (integer)"
+ msgstr "dyndns_refresh_interval (enter)"
+ 
+@@ -9336,12 +9532,12 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ipa.5.xml:260 sssd-ad.5.xml:965
++#: sssd-ipa.5.xml:260 sssd-ad.5.xml:984
+ msgid "dyndns_update_ptr (bool)"
+ msgstr "dyndns_update_ptr (booleà)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ipa.5.xml:263 sssd-ad.5.xml:968
++#: sssd-ipa.5.xml:263 sssd-ad.5.xml:987
+ msgid ""
+ "Whether the PTR record should also be explicitly updated when updating the "
+ "client's DNS records.  Applicable only when dyndns_update is true."
+@@ -9360,50 +9556,50 @@ msgid "Default: False (disabled)"
+ msgstr "Per defecte: False (inhabilitat)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ipa.5.xml:280 sssd-ad.5.xml:979
++#: sssd-ipa.5.xml:280 sssd-ad.5.xml:998
+ msgid "dyndns_force_tcp (bool)"
+ msgstr "dyndns_force_tcp (booleà)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ipa.5.xml:283 sssd-ad.5.xml:982
++#: sssd-ipa.5.xml:283 sssd-ad.5.xml:1001
+ msgid ""
+ "Whether the nsupdate utility should default to using TCP for communicating "
+ "with the DNS server."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ipa.5.xml:287 sssd-ad.5.xml:986
++#: sssd-ipa.5.xml:287 sssd-ad.5.xml:1005
+ msgid "Default: False (let nsupdate choose the protocol)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ipa.5.xml:293 sssd-ad.5.xml:1007
++#: sssd-ipa.5.xml:293 sssd-ad.5.xml:1026
+ msgid "dyndns_server (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ipa.5.xml:296 sssd-ad.5.xml:1010
++#: sssd-ipa.5.xml:296 sssd-ad.5.xml:1029
+ msgid ""
+ "The DNS server to use when performing a DNS update. In most setups, it's "
+ "recommended to leave this option unset."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ipa.5.xml:301 sssd-ad.5.xml:1015
++#: sssd-ipa.5.xml:301 sssd-ad.5.xml:1034
+ msgid ""
+ "Setting this option makes sense for environments where the DNS server is "
+ "different from the identity server."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ipa.5.xml:306 sssd-ad.5.xml:1020
++#: sssd-ipa.5.xml:306 sssd-ad.5.xml:1039
+ msgid ""
+ "Please note that this option will be only used in fallback attempt when "
+ "previous attempt using autodetected settings failed."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ipa.5.xml:311 sssd-ad.5.xml:1025
++#: sssd-ipa.5.xml:311 sssd-ad.5.xml:1044
+ msgid "Default: None (let nsupdate choose the server)"
+ msgstr ""
+ 
+@@ -9514,26 +9710,26 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ipa.5.xml:443 sssd-ad.5.xml:1034
++#: sssd-ipa.5.xml:443 sssd-ad.5.xml:1053
+ msgid "krb5_confd_path (string)"
+ msgstr "krb5_confd_path (cadena)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ipa.5.xml:446 sssd-ad.5.xml:1037
++#: sssd-ipa.5.xml:446 sssd-ad.5.xml:1056
+ msgid ""
+ "Absolute path of a directory where SSSD should place Kerberos configuration "
+ "snippets."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ipa.5.xml:450 sssd-ad.5.xml:1041
++#: sssd-ipa.5.xml:450 sssd-ad.5.xml:1060
+ msgid ""
+ "To disable the creation of the configuration snippets set the parameter to "
+ "'none'."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ipa.5.xml:454 sssd-ad.5.xml:1045
++#: sssd-ipa.5.xml:454 sssd-ad.5.xml:1064
+ msgid ""
+ "Default: not set (krb5.include.d subdirectory of SSSD's pubconf directory)"
+ msgstr ""
+@@ -9552,7 +9748,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ipa.5.xml:471 sssd-ipa.5.xml:501 sssd-ipa.5.xml:517 sssd-ad.5.xml:452
++#: sssd-ipa.5.xml:471 sssd-ipa.5.xml:501 sssd-ipa.5.xml:517 sssd-ad.5.xml:471
+ msgid "Default: 5 (seconds)"
+ msgstr "Per defecte: 5 (segons)"
+ 
+@@ -10445,12 +10641,29 @@ msgid "Default: False (seconds)"
+ msgstr "Per defecte: 5 (segons)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ad.5.xml:442
++#: sssd-ad.5.xml:441
++#, fuzzy
++#| msgid "ad_enable_gc (boolean)"
++msgid "ad_gpo_ignore_unreadable (boolean)"
++msgstr "ad_enable_gc (booleà)"
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
++#: sssd-ad.5.xml:444
++msgid ""
++"Normally when some group policy containers (AD object) of applicable group "
++"policy objects are not readable by SSSD then users are denied access.  This "
++"option allows to ignore group policy containers and with them associated "
++"policies if their attributes in group policy containers are not readable for "
++"SSSD."
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
++#: sssd-ad.5.xml:461
+ msgid "ad_gpo_cache_timeout (integer)"
+ msgstr "ad_gpo_cache_timeout (enter)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:445
++#: sssd-ad.5.xml:464
+ msgid ""
+ "The amount of time between lookups of GPO policy files against the AD "
+ "server. This will reduce the latency and load on the AD server if there are "
+@@ -10458,12 +10671,12 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ad.5.xml:458
++#: sssd-ad.5.xml:477
+ msgid "ad_gpo_map_interactive (string)"
+ msgstr "ad_gpo_map_interactive (cadena)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:461
++#: sssd-ad.5.xml:480
+ msgid ""
+ "A comma-separated list of PAM service names for which GPO-based access "
+ "control is evaluated based on the InteractiveLogonRight and "
+@@ -10471,14 +10684,14 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:467
++#: sssd-ad.5.xml:486
+ msgid ""
+ "Note: Using the Group Policy Management Editor this value is called \"Allow "
+ "log on locally\" and \"Deny log on locally\"."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
+-#: sssd-ad.5.xml:481
++#: sssd-ad.5.xml:500
+ #, no-wrap
+ msgid ""
+ "ad_gpo_map_interactive = +my_pam_service, -login\n"
+@@ -10488,7 +10701,7 @@ msgstr ""
+ "                            "
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:472
++#: sssd-ad.5.xml:491
+ msgid ""
+ "It is possible to add another PAM service name to the default set by using "
+ "<quote>+service_name</quote> or to explicitly remove a PAM service name from "
+@@ -10500,42 +10713,42 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd-ad.5.xml:504
++#: sssd-ad.5.xml:523
+ msgid "gdm-fingerprint"
+ msgstr "gdm-fingerprint"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd-ad.5.xml:524
++#: sssd-ad.5.xml:543
+ msgid "lightdm"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd-ad.5.xml:529
++#: sssd-ad.5.xml:548
+ msgid "lxdm"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd-ad.5.xml:534
++#: sssd-ad.5.xml:553
+ msgid "sddm"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd-ad.5.xml:539
++#: sssd-ad.5.xml:558
+ msgid "unity"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd-ad.5.xml:544
++#: sssd-ad.5.xml:563
+ msgid "xdm"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ad.5.xml:553
++#: sssd-ad.5.xml:572
+ msgid "ad_gpo_map_remote_interactive (string)"
+ msgstr "ad_gpo_map_remote_interactive (cadena)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:556
++#: sssd-ad.5.xml:575
+ msgid ""
+ "A comma-separated list of PAM service names for which GPO-based access "
+ "control is evaluated based on the RemoteInteractiveLogonRight and "
+@@ -10543,7 +10756,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:562
++#: sssd-ad.5.xml:581
+ msgid ""
+ "Note: Using the Group Policy Management Editor this value is called \"Allow "
+ "log on through Remote Desktop Services\" and \"Deny log on through Remote "
+@@ -10551,7 +10764,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
+-#: sssd-ad.5.xml:577
++#: sssd-ad.5.xml:596
+ #, no-wrap
+ msgid ""
+ "ad_gpo_map_remote_interactive = +my_pam_service, -sshd\n"
+@@ -10561,7 +10774,7 @@ msgstr ""
+ "                            "
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:568
++#: sssd-ad.5.xml:587
+ msgid ""
+ "It is possible to add another PAM service name to the default set by using "
+ "<quote>+service_name</quote> or to explicitly remove a PAM service name from "
+@@ -10573,22 +10786,22 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd-ad.5.xml:585
++#: sssd-ad.5.xml:604
+ msgid "sshd"
+ msgstr "sshd"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd-ad.5.xml:590
++#: sssd-ad.5.xml:609
+ msgid "cockpit"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ad.5.xml:599
++#: sssd-ad.5.xml:618
+ msgid "ad_gpo_map_network (string)"
+ msgstr "ad_gpo_map_network (cadena)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:602
++#: sssd-ad.5.xml:621
+ msgid ""
+ "A comma-separated list of PAM service names for which GPO-based access "
+ "control is evaluated based on the NetworkLogonRight and "
+@@ -10596,7 +10809,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:608
++#: sssd-ad.5.xml:627
+ msgid ""
+ "Note: Using the Group Policy Management Editor this value is called \"Access "
+ "this computer from the network\" and \"Deny access to this computer from the "
+@@ -10604,7 +10817,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
+-#: sssd-ad.5.xml:623
++#: sssd-ad.5.xml:642
+ #, no-wrap
+ msgid ""
+ "ad_gpo_map_network = +my_pam_service, -ftp\n"
+@@ -10614,7 +10827,7 @@ msgstr ""
+ "                            "
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:614
++#: sssd-ad.5.xml:633
+ msgid ""
+ "It is possible to add another PAM service name to the default set by using "
+ "<quote>+service_name</quote> or to explicitly remove a PAM service name from "
+@@ -10626,22 +10839,22 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd-ad.5.xml:631
++#: sssd-ad.5.xml:650
+ msgid "ftp"
+ msgstr "ftp"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd-ad.5.xml:636
++#: sssd-ad.5.xml:655
+ msgid "samba"
+ msgstr "samba"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ad.5.xml:645
++#: sssd-ad.5.xml:664
+ msgid "ad_gpo_map_batch (string)"
+ msgstr "ad_gpo_map_batch (cadena)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:648
++#: sssd-ad.5.xml:667
+ msgid ""
+ "A comma-separated list of PAM service names for which GPO-based access "
+ "control is evaluated based on the BatchLogonRight and DenyBatchLogonRight "
+@@ -10649,14 +10862,14 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:654
++#: sssd-ad.5.xml:673
+ msgid ""
+ "Note: Using the Group Policy Management Editor this value is called \"Allow "
+ "log on as a batch job\" and \"Deny log on as a batch job\"."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
+-#: sssd-ad.5.xml:668
++#: sssd-ad.5.xml:687
+ #, no-wrap
+ msgid ""
+ "ad_gpo_map_batch = +my_pam_service, -crond\n"
+@@ -10666,7 +10879,7 @@ msgstr ""
+ "                            "
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:659
++#: sssd-ad.5.xml:678
+ msgid ""
+ "It is possible to add another PAM service name to the default set by using "
+ "<quote>+service_name</quote> or to explicitly remove a PAM service name from "
+@@ -10678,23 +10891,23 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:671
++#: sssd-ad.5.xml:690
+ msgid ""
+ "Note: Cron service name may differ depending on Linux distribution used."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd-ad.5.xml:677
++#: sssd-ad.5.xml:696
+ msgid "crond"
+ msgstr "crond"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ad.5.xml:686
++#: sssd-ad.5.xml:705
+ msgid "ad_gpo_map_service (string)"
+ msgstr "ad_gpo_map_service (cadena)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:689
++#: sssd-ad.5.xml:708
+ msgid ""
+ "A comma-separated list of PAM service names for which GPO-based access "
+ "control is evaluated based on the ServiceLogonRight and "
+@@ -10702,14 +10915,14 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:695
++#: sssd-ad.5.xml:714
+ msgid ""
+ "Note: Using the Group Policy Management Editor this value is called \"Allow "
+ "log on as a service\" and \"Deny log on as a service\"."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
+-#: sssd-ad.5.xml:708
++#: sssd-ad.5.xml:727
+ #, no-wrap
+ msgid ""
+ "ad_gpo_map_service = +my_pam_service\n"
+@@ -10719,7 +10932,7 @@ msgstr ""
+ "                            "
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:700 sssd-ad.5.xml:775
++#: sssd-ad.5.xml:719 sssd-ad.5.xml:794
+ msgid ""
+ "It is possible to add a PAM service name to the default set by using <quote>"
+ "+service_name</quote>.  Since the default set is empty, it is not possible "
+@@ -10730,19 +10943,19 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ad.5.xml:718
++#: sssd-ad.5.xml:737
+ msgid "ad_gpo_map_permit (string)"
+ msgstr "ad_gpo_map_permit (cadena)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:721
++#: sssd-ad.5.xml:740
+ msgid ""
+ "A comma-separated list of PAM service names for which GPO-based access is "
+ "always granted, regardless of any GPO Logon Rights."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
+-#: sssd-ad.5.xml:735
++#: sssd-ad.5.xml:754
+ #, no-wrap
+ msgid ""
+ "ad_gpo_map_permit = +my_pam_service, -sudo\n"
+@@ -10752,7 +10965,7 @@ msgstr ""
+ "                            "
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:726
++#: sssd-ad.5.xml:745
+ msgid ""
+ "It is possible to add another PAM service name to the default set by using "
+ "<quote>+service_name</quote> or to explicitly remove a PAM service name from "
+@@ -10764,29 +10977,29 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd-ad.5.xml:743
++#: sssd-ad.5.xml:762
+ msgid "polkit-1"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd-ad.5.xml:758
++#: sssd-ad.5.xml:777
+ msgid "systemd-user"
+ msgstr "systemd-user"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ad.5.xml:767
++#: sssd-ad.5.xml:786
+ msgid "ad_gpo_map_deny (string)"
+ msgstr "ad_gpo_map_deny (cadena)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:770
++#: sssd-ad.5.xml:789
+ msgid ""
+ "A comma-separated list of PAM service names for which GPO-based access is "
+ "always denied, regardless of any GPO Logon Rights."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
+-#: sssd-ad.5.xml:783
++#: sssd-ad.5.xml:802
+ #, no-wrap
+ msgid ""
+ "ad_gpo_map_deny = +my_pam_service\n"
+@@ -10796,12 +11009,12 @@ msgstr ""
+ "                            "
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ad.5.xml:793
++#: sssd-ad.5.xml:812
+ msgid "ad_gpo_default_right (string)"
+ msgstr "ad_gpo_default_right (cadena)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:796
++#: sssd-ad.5.xml:815
+ msgid ""
+ "This option defines how access control is evaluated for PAM service names "
+ "that are not explicitly listed in one of the ad_gpo_map_* options. This "
+@@ -10814,57 +11027,57 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:809
++#: sssd-ad.5.xml:828
+ msgid "Supported values for this option include:"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd-ad.5.xml:813
++#: sssd-ad.5.xml:832
+ msgid "interactive"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd-ad.5.xml:818
++#: sssd-ad.5.xml:837
+ msgid "remote_interactive"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd-ad.5.xml:823
++#: sssd-ad.5.xml:842
+ msgid "network"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd-ad.5.xml:828
++#: sssd-ad.5.xml:847
+ msgid "batch"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd-ad.5.xml:833
++#: sssd-ad.5.xml:852
+ msgid "service"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd-ad.5.xml:838
++#: sssd-ad.5.xml:857
+ msgid "permit"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd-ad.5.xml:843
++#: sssd-ad.5.xml:862
+ msgid "deny"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:849
++#: sssd-ad.5.xml:868
+ msgid "Default: deny"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ad.5.xml:855
++#: sssd-ad.5.xml:874
+ msgid "ad_maximum_machine_account_password_age (integer)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:858
++#: sssd-ad.5.xml:877
+ msgid ""
+ "SSSD will check once a day if the machine account password is older than the "
+ "given age in days and try to renew it. A value of 0 will disable the renewal "
+@@ -10872,17 +11085,17 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:864
++#: sssd-ad.5.xml:883
+ msgid "Default: 30 days"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ad.5.xml:870
++#: sssd-ad.5.xml:889
+ msgid "ad_machine_account_password_renewal_opts (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:873
++#: sssd-ad.5.xml:892
+ msgid ""
+ "This option should only be used to test the machine account renewal task. "
+ "The option expects 2 integers separated by a colon (':'). The first integer "
+@@ -10892,12 +11105,12 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:882
++#: sssd-ad.5.xml:901
+ msgid "Default: 86400:750 (24h and 15m)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:891
++#: sssd-ad.5.xml:910
+ msgid ""
+ "Optional. This option tells SSSD to automatically update the Active "
+ "Directory DNS server with the IP address of this client. The update is "
+@@ -10908,19 +11121,19 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:921
++#: sssd-ad.5.xml:940
+ msgid "Default: 3600 (seconds)"
+ msgstr "Per defecte: 3600 (segons)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:937
++#: sssd-ad.5.xml:956
+ msgid ""
+ "Default: Use the IP addresses of the interface which is used for AD LDAP "
+ "connection"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:950
++#: sssd-ad.5.xml:969
+ msgid ""
+ "How often should the back end perform periodic DNS update in addition to the "
+ "automatic update performed when the back end goes online.  This option is "
+@@ -10930,12 +11143,12 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:973 sss_rpcidmapd.5.xml:76
++#: sssd-ad.5.xml:992 sss_rpcidmapd.5.xml:76
+ msgid "Default: True"
+ msgstr "Per defecte: True"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd-ad.5.xml:1065
++#: sssd-ad.5.xml:1084
+ msgid ""
+ "The following example assumes that SSSD is correctly configured and example."
+ "com is one of the domains in the <replaceable>[sssd]</replaceable> section. "
+@@ -10943,7 +11156,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><programlisting>
+-#: sssd-ad.5.xml:1072
++#: sssd-ad.5.xml:1091
+ #, no-wrap
+ msgid ""
+ "[domain/EXAMPLE]\n"
+@@ -10967,7 +11180,7 @@ msgstr ""
+ "ad_domain = exemple.com\n"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><programlisting>
+-#: sssd-ad.5.xml:1092
++#: sssd-ad.5.xml:1111
+ #, no-wrap
+ msgid ""
+ "access_provider = ldap\n"
+@@ -10979,7 +11192,7 @@ msgstr ""
+ "ldap_account_expire_policy = ad\n"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd-ad.5.xml:1088
++#: sssd-ad.5.xml:1107
+ msgid ""
+ "The AD access control provider checks if the account is expired.  It has the "
+ "same effect as the following configuration of the LDAP provider: "
+@@ -10987,7 +11200,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd-ad.5.xml:1098
++#: sssd-ad.5.xml:1117
+ msgid ""
+ "However, unless the <quote>ad</quote> access control provider is explicitly "
+ "configured, the default access provider is <quote>permit</quote>. Please "
+@@ -10997,7 +11210,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd-ad.5.xml:1106
++#: sssd-ad.5.xml:1125
+ msgid ""
+ "When the autofs provider is set to <quote>ad</quote>, the RFC2307 schema "
+ "attribute mapping (nisMap, nisObject, ...) is used, because these attributes "
+@@ -12574,23 +12787,79 @@ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd-krb5.5.xml:505
++#, fuzzy
++#| msgid "krb5_confd_path (string)"
++msgid "krb5_kdcinfo_lookahead (string)"
++msgstr "krb5_confd_path (cadena)"
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
++#: sssd-krb5.5.xml:508
++#, fuzzy
++#| msgid ""
++#| "<quote>krb5</quote> to change the Kerberos password. See <citerefentry> "
++#| "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </"
++#| "citerefentry> for more information on configuring Kerberos."
++msgid ""
++"When krb5_use_kdcinfo is set to true, you can limit the amount of servers "
++"handed to <citerefentry> <refentrytitle>sssd_krb5_locator_plugin</"
++"refentrytitle> <manvolnum>8</manvolnum> </citerefentry>.  This might be "
++"helpful when there are too many servers discovered using SRV record."
++msgstr ""
++"<quote>krb5</quote> per canviar la contrasenya Kerberos. Vegeu "
++"<citerefentry><refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</"
++"manvolnum></citerefentry> per a més informació sobre configurar Kerberos."
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
++#: sssd-krb5.5.xml:518
++msgid ""
++"The krb5_kdcinfo_lookahead option contains two numbers seperated by a colon. "
++"The first number represents number of primary servers used and the second "
++"number specifies the number of backup servers."
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
++#: sssd-krb5.5.xml:524
++#, fuzzy
++#| msgid ""
++#| "<quote>krb5</quote> to change the Kerberos password. See <citerefentry> "
++#| "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </"
++#| "citerefentry> for more information on configuring Kerberos."
++msgid ""
++"For example <emphasis>10:0</emphasis> means that up to 10 primary servers "
++"will be handed to <citerefentry> <refentrytitle>sssd_krb5_locator_plugin</"
++"refentrytitle> <manvolnum>8</manvolnum> </citerefentry>.  but no backup "
++"servers."
++msgstr ""
++"<quote>krb5</quote> per canviar la contrasenya Kerberos. Vegeu "
++"<citerefentry><refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</"
++"manvolnum></citerefentry> per a més informació sobre configurar Kerberos."
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
++#: sssd-krb5.5.xml:533
++#, fuzzy
++#| msgid "Default: 3"
++msgid "Default: 3:1"
++msgstr "Per defecte: 3"
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
++#: sssd-krb5.5.xml:539
+ msgid "krb5_use_enterprise_principal (boolean)"
+ msgstr "krb5_use_enterprise_principal (booleà)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-krb5.5.xml:508
++#: sssd-krb5.5.xml:542
+ msgid ""
+ "Specifies if the user principal should be treated as enterprise principal. "
+ "See section 5 of RFC 6806 for more details about enterprise principals."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-krb5.5.xml:514
++#: sssd-krb5.5.xml:548
+ msgid "Default: false (AD provider: true)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-krb5.5.xml:517
++#: sssd-krb5.5.xml:551
+ msgid ""
+ "The IPA provider will set to option to 'true' if it detects that the server "
+ "is capable of handling enterprise principals and the option is not set "
+@@ -12598,12 +12867,12 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-krb5.5.xml:526
++#: sssd-krb5.5.xml:560
+ msgid "krb5_map_user (string)"
+ msgstr "krb5_map_user (cadena)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-krb5.5.xml:529
++#: sssd-krb5.5.xml:563
+ msgid ""
+ "The list of mappings is given as a comma-separated list of pairs "
+ "<quote>username:primary</quote> where <quote>username</quote> is a UNIX user "
+@@ -12613,7 +12882,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
+-#: sssd-krb5.5.xml:541
++#: sssd-krb5.5.xml:575
+ #, no-wrap
+ msgid ""
+ "krb5_realm = REALM\n"
+@@ -12623,7 +12892,7 @@ msgstr ""
+ "krb5_map_user = joe:juser,dick:richard\n"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-krb5.5.xml:546
++#: sssd-krb5.5.xml:580
+ msgid ""
+ "<quote>joe</quote> and <quote>dick</quote> are UNIX user names and "
+ "<quote>juser</quote> and <quote>richard</quote> are primaries of kerberos "
+@@ -12643,7 +12912,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd-krb5.5.xml:572
++#: sssd-krb5.5.xml:606
+ msgid ""
+ "The following example assumes that SSSD is correctly configured and FOO is "
+ "one of the domains in the <replaceable>[sssd]</replaceable> section. This "
+@@ -12652,7 +12921,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><programlisting>
+-#: sssd-krb5.5.xml:580
++#: sssd-krb5.5.xml:614
+ #, no-wrap
+ msgid ""
+ "[domain/FOO]\n"
+diff --git a/src/man/po/cs.po b/src/man/po/cs.po
+index 07b54985b..73ba69ee9 100644
+--- a/src/man/po/cs.po
++++ b/src/man/po/cs.po
+@@ -9,7 +9,7 @@ msgid ""
+ msgstr ""
+ "Project-Id-Version: sssd-docs 2.0.99\n"
+ "Report-Msgid-Bugs-To: sssd-devel@redhat.com\n"
+-"POT-Creation-Date: 2019-03-20 22:06+0100\n"
++"POT-Creation-Date: 2019-10-07 11:33+0200\n"
+ "PO-Revision-Date: 2017-09-11 08:53+0000\n"
+ "Last-Translator: Zdenek <chmelarz@gmail.com>\n"
+ "Language-Team: Czech (http://www.transifex.com/projects/p/sssd/language/"
+@@ -296,10 +296,10 @@ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:133 sssd.conf.5.xml:543 sssd.conf.5.xml:840
+-#: sssd.conf.5.xml:1566 sssd.conf.5.xml:1596 sssd-ldap.5.xml:1889
+-#: sssd-ldap.5.xml:1986 sssd-ldap.5.xml:2048 sssd-ldap.5.xml:2614
+-#: sssd-ldap.5.xml:2679 sssd-ldap.5.xml:2697 sssd-ad.5.xml:227
+-#: sssd-ad.5.xml:341 sssd-ad.5.xml:907 sssd-krb5.5.xml:499
++#: sssd.conf.5.xml:1566 sssd.conf.5.xml:1596 sssd-ldap.5.xml:1908
++#: sssd-ldap.5.xml:2006 sssd-ldap.5.xml:2068 sssd-ldap.5.xml:2634
++#: sssd-ldap.5.xml:2699 sssd-ldap.5.xml:2717 sssd-ad.5.xml:227
++#: sssd-ad.5.xml:341 sssd-ad.5.xml:926 sssd-krb5.5.xml:499
+ #: sssd-secrets.5.xml:351 sssd-secrets.5.xml:364
+ msgid "Default: true"
+ msgstr ""
+@@ -318,16 +318,16 @@ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:146 sssd.conf.5.xml:540 sssd.conf.5.xml:722
+-#: sssd.conf.5.xml:1499 sssd.conf.5.xml:3106 sssd-ldap.5.xml:746
+-#: sssd-ldap.5.xml:1752 sssd-ldap.5.xml:1771 sssd-ldap.5.xml:1958
+-#: sssd-ldap.5.xml:2384 sssd-ipa.5.xml:151 sssd-ipa.5.xml:238
++#: sssd.conf.5.xml:1499 sssd.conf.5.xml:3129 sssd-ldap.5.xml:746
++#: sssd-ldap.5.xml:1759 sssd-ldap.5.xml:1778 sssd-ldap.5.xml:1978
++#: sssd-ldap.5.xml:2404 sssd-ipa.5.xml:151 sssd-ipa.5.xml:238
+ #: sssd-ipa.5.xml:559 sssd-krb5.5.xml:266 sssd-krb5.5.xml:300
+ #: sssd-krb5.5.xml:471
+ msgid "Default: false"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para>
+-#: sssd.conf.5.xml:106 sssd.conf.5.xml:157 sssd-ldap.5.xml:2422
++#: sssd.conf.5.xml:106 sssd.conf.5.xml:157 sssd-ldap.5.xml:2442
+ #: sssd-systemtap.5.xml:82 sssd-systemtap.5.xml:143 sssd-systemtap.5.xml:210
+ #: sssd-systemtap.5.xml:248 sssd-systemtap.5.xml:304
+ msgid "<placeholder type=\"variablelist\" id=\"0\"/>"
+@@ -352,8 +352,8 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:169 sssd.conf.5.xml:1377 sssd.conf.5.xml:3122
+-#: sssd-ldap.5.xml:1623 include/ldap_id_mapping.xml:264
++#: sssd.conf.5.xml:169 sssd.conf.5.xml:1377 sssd.conf.5.xml:3145
++#: sssd-ldap.5.xml:1630 include/ldap_id_mapping.xml:264
+ msgid "Default: 10"
+ msgstr ""
+ 
+@@ -368,7 +368,7 @@ msgid "The [sssd] section"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><title>
+-#: sssd.conf.5.xml:191 sssd.conf.5.xml:3211
++#: sssd.conf.5.xml:191 sssd.conf.5.xml:3234
+ msgid "Section parameters"
+ msgstr ""
+ 
+@@ -448,7 +448,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:259 sssd.conf.5.xml:2672
++#: sssd.conf.5.xml:259 sssd.conf.5.xml:2680
+ msgid "re_expression (string)"
+ msgstr ""
+ 
+@@ -468,12 +468,12 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:276 sssd.conf.5.xml:2720
++#: sssd.conf.5.xml:276 sssd.conf.5.xml:2728
+ msgid "full_name_format (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:279 sssd.conf.5.xml:2723
++#: sssd.conf.5.xml:279 sssd.conf.5.xml:2731
+ msgid ""
+ "A <citerefentry> <refentrytitle>printf</refentrytitle> <manvolnum>3</"
+ "manvolnum> </citerefentry>-compatible format that describes how to compose a "
+@@ -481,39 +481,39 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:290 sssd.conf.5.xml:2734
++#: sssd.conf.5.xml:290 sssd.conf.5.xml:2742
+ msgid "%1$s"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:291 sssd.conf.5.xml:2735
++#: sssd.conf.5.xml:291 sssd.conf.5.xml:2743
+ msgid "user name"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:294 sssd.conf.5.xml:2738
++#: sssd.conf.5.xml:294 sssd.conf.5.xml:2746
+ msgid "%2$s"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:297 sssd.conf.5.xml:2741
++#: sssd.conf.5.xml:297 sssd.conf.5.xml:2749
+ msgid "domain name as specified in the SSSD config file."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:303 sssd.conf.5.xml:2747
++#: sssd.conf.5.xml:303 sssd.conf.5.xml:2755
+ msgid "%3$s"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:306 sssd.conf.5.xml:2750
++#: sssd.conf.5.xml:306 sssd.conf.5.xml:2758
+ msgid ""
+ "domain flat name. Mostly usable for Active Directory domains, both directly "
+ "configured or discovered via IPA trusts."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:287 sssd.conf.5.xml:2731
++#: sssd.conf.5.xml:287 sssd.conf.5.xml:2739
+ msgid ""
+ "The following expansions are supported: <placeholder type=\"variablelist\" "
+ "id=\"0\"/>"
+@@ -638,9 +638,9 @@ msgstr ""
+ 
+ #. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:418 sssd.conf.5.xml:1166 sssd-ldap.5.xml:717
+-#: sssd-ldap.5.xml:1357 sssd-ldap.5.xml:1711 sssd-ldap.5.xml:1723
+-#: sssd-ldap.5.xml:1805 sssd-ad.5.xml:712 sssd-ad.5.xml:787 sssd.8.xml:126
+-#: sssd-krb5.5.xml:410 sssd-krb5.5.xml:556 sssd-secrets.5.xml:339
++#: sssd-ldap.5.xml:1357 sssd-ldap.5.xml:1718 sssd-ldap.5.xml:1730
++#: sssd-ldap.5.xml:1822 sssd-ad.5.xml:731 sssd-ad.5.xml:806 sssd.8.xml:126
++#: sssd-krb5.5.xml:410 sssd-krb5.5.xml:590 sssd-secrets.5.xml:339
+ #: sssd-secrets.5.xml:377 sssd-secrets.5.xml:390 sssd-secrets.5.xml:404
+ #: sssd-secrets.5.xml:415 include/ldap_id_mapping.xml:205
+ #: include/ldap_id_mapping.xml:216
+@@ -831,7 +831,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:588 sssd.conf.5.xml:1389 sssd.conf.5.xml:3172
++#: sssd.conf.5.xml:588 sssd.conf.5.xml:1389 sssd.conf.5.xml:3195
+ #: sssd-ad.5.xml:164 sssd-ad.5.xml:302 sssd-ad.5.xml:316
+ msgid "Default: Not set"
+ msgstr ""
+@@ -1153,7 +1153,7 @@ msgstr ""
+ 
+ #. type: Content of: <varlistentry><listitem><para>
+ #: sssd.conf.5.xml:859 sssd.conf.5.xml:1299 sssd.conf.5.xml:1318
+-#: sssd-krb5.5.xml:539 include/override_homedir.xml:59
++#: sssd-krb5.5.xml:573 include/override_homedir.xml:59
+ msgid "example: <placeholder type=\"programlisting\" id=\"0\"/>"
+ msgstr ""
+ 
+@@ -1574,7 +1574,7 @@ msgid "pam_pwd_expiration_warning (integer)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:1201 sssd.conf.5.xml:2153
++#: sssd.conf.5.xml:1201 sssd.conf.5.xml:2161
+ msgid "Display a warning N days before the password expires."
+ msgstr ""
+ 
+@@ -1587,7 +1587,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:1210 sssd.conf.5.xml:2156
++#: sssd.conf.5.xml:1210 sssd.conf.5.xml:2164
+ msgid ""
+ "If zero is set, then this filter is not applied, i.e. if the expiration "
+ "warning was received from backend server, it will automatically be displayed."
+@@ -1601,7 +1601,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:1220 sssd.conf.5.xml:2976 sssd.8.xml:79
++#: sssd.conf.5.xml:1220 sssd.conf.5.xml:2991 sssd.8.xml:79
+ msgid "Default: 0"
+ msgstr ""
+ 
+@@ -1664,7 +1664,7 @@ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:1280 sssd.conf.5.xml:1305 sssd.conf.5.xml:1324
+-#: sssd.conf.5.xml:1950 sssd.conf.5.xml:2912 sssd-ldap.5.xml:2017
++#: sssd.conf.5.xml:1950 sssd.conf.5.xml:2920 sssd-ldap.5.xml:2037
+ msgid "Default: none"
+ msgstr ""
+ 
+@@ -1729,9 +1729,9 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:1338 sssd.conf.5.xml:3056 sssd-ldap.5.xml:1125
+-#: sssd-ldap.5.xml:1152 sssd-ldap.5.xml:1552 sssd-ldap.5.xml:1573
+-#: sssd-ldap.5.xml:2090 include/ldap_id_mapping.xml:244
++#: sssd.conf.5.xml:1338 sssd-ldap.5.xml:1125 sssd-ldap.5.xml:1152
++#: sssd-ldap.5.xml:1552 sssd-ldap.5.xml:1573 sssd-ldap.5.xml:2110
++#: sssd-ad.5.xml:453 include/ldap_id_mapping.xml:244
+ msgid "Default: False"
+ msgstr ""
+ 
+@@ -1829,48 +1829,48 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:1416 sssd-ad.5.xml:485 sssd-ad.5.xml:581 sssd-ad.5.xml:627
+-#: sssd-ad.5.xml:673 sssd-ad.5.xml:739
++#: sssd.conf.5.xml:1416 sssd-ad.5.xml:504 sssd-ad.5.xml:600 sssd-ad.5.xml:646
++#: sssd-ad.5.xml:692 sssd-ad.5.xml:758
+ msgid "Default: the default set of PAM service names includes:"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd.conf.5.xml:1421 sssd-ad.5.xml:489
++#: sssd.conf.5.xml:1421 sssd-ad.5.xml:508
+ msgid "login"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd.conf.5.xml:1426 sssd-ad.5.xml:494
++#: sssd.conf.5.xml:1426 sssd-ad.5.xml:513
+ msgid "su"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd.conf.5.xml:1431 sssd-ad.5.xml:499
++#: sssd.conf.5.xml:1431 sssd-ad.5.xml:518
+ msgid "su-l"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd.conf.5.xml:1436 sssd-ad.5.xml:514
++#: sssd.conf.5.xml:1436 sssd-ad.5.xml:533
+ msgid "gdm-smartcard"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd.conf.5.xml:1441 sssd-ad.5.xml:509
++#: sssd.conf.5.xml:1441 sssd-ad.5.xml:528
+ msgid "gdm-password"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd.conf.5.xml:1446 sssd-ad.5.xml:519
++#: sssd.conf.5.xml:1446 sssd-ad.5.xml:538
+ msgid "kdm"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd.conf.5.xml:1451 sssd-ad.5.xml:748
++#: sssd.conf.5.xml:1451 sssd-ad.5.xml:767
+ msgid "sudo"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd.conf.5.xml:1456 sssd-ad.5.xml:753
++#: sssd.conf.5.xml:1456 sssd-ad.5.xml:772
+ msgid "sudo-i"
+ msgstr ""
+ 
+@@ -2313,7 +2313,7 @@ msgid "FALSE = No enumerations for this domain"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:1886 sssd.conf.5.xml:2108 sssd.conf.5.xml:2283
++#: sssd.conf.5.xml:1886 sssd.conf.5.xml:2116 sssd.conf.5.xml:2291
+ msgid "Default: FALSE"
+ msgstr ""
+ 
+@@ -2529,41 +2529,49 @@ msgstr ""
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:2083
+ msgid ""
+-"The background refresh will process users, groups and netgroups in the cache."
++"The background refresh will process users, groups and netgroups in the "
++"cache. For users who have performed the initgroups (get group membership for "
++"user, typically ran at login)  operation in the past, both the user entry "
++"and the group membership are updated."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2087
++#: sssd.conf.5.xml:2091
++msgid "This option is automatically inherited for all trusted domains."
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
++#: sssd.conf.5.xml:2095
+ msgid "You can consider setting this value to 3/4 * entry_cache_timeout."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2091 sssd-ldap.5.xml:784 sssd-ipa.5.xml:254
++#: sssd.conf.5.xml:2099 sssd-ldap.5.xml:784 sssd-ipa.5.xml:254
+ msgid "Default: 0 (disabled)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2097
++#: sssd.conf.5.xml:2105
+ msgid "cache_credentials (bool)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2100
++#: sssd.conf.5.xml:2108
+ msgid "Determines if user credentials are also cached in the local LDB cache"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2104
++#: sssd.conf.5.xml:2112
+ msgid "User credentials are stored in a SHA512 hash, not in plaintext"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2114
++#: sssd.conf.5.xml:2122
+ msgid "cache_credentials_minimal_first_factor_length (int)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2117
++#: sssd.conf.5.xml:2125
+ msgid ""
+ "If 2-Factor-Authentication (2FA) is used and credentials should be saved "
+ "this value determines the minimal length the first authentication factor "
+@@ -2571,24 +2579,24 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2124
++#: sssd.conf.5.xml:2132
+ msgid ""
+ "This should avoid that the short PINs of a PIN based 2FA scheme are saved in "
+ "the cache which would make them easy targets for brute-force attacks."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2129
++#: sssd.conf.5.xml:2137
+ msgid "Default: 8"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2135
++#: sssd.conf.5.xml:2143
+ msgid "account_cache_expiration (integer)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2138
++#: sssd.conf.5.xml:2146
+ msgid ""
+ "Number of days entries are left in cache after last successful login before "
+ "being removed during a cleanup of the cache. 0 means keep forever.  The "
+@@ -2597,17 +2605,17 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2145
++#: sssd.conf.5.xml:2153
+ msgid "Default: 0 (unlimited)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2150
++#: sssd.conf.5.xml:2158
+ msgid "pwd_expiration_warning (integer)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2161
++#: sssd.conf.5.xml:2169
+ msgid ""
+ "Please note that the backend server has to provide information about the "
+ "expiration time of the password.  If this information is missing, sssd "
+@@ -2616,34 +2624,34 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2168
++#: sssd.conf.5.xml:2176
+ msgid "Default: 7 (Kerberos), 0 (LDAP)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2174
++#: sssd.conf.5.xml:2182
+ msgid "id_provider (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2177
++#: sssd.conf.5.xml:2185
+ msgid ""
+ "The identification provider used for the domain.  Supported ID providers are:"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2181
++#: sssd.conf.5.xml:2189
+ msgid "<quote>proxy</quote>: Support a legacy NSS provider."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2184
++#: sssd.conf.5.xml:2192
+ msgid ""
+ "<quote>local</quote>: SSSD internal provider for local users (DEPRECATED)."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2188
++#: sssd.conf.5.xml:2196
+ msgid ""
+ "<quote>files</quote>: FILES provider. See <citerefentry> <refentrytitle>sssd-"
+ "files</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> for more "
+@@ -2651,7 +2659,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2196
++#: sssd.conf.5.xml:2204
+ msgid ""
+ "<quote>ldap</quote>: LDAP provider. See <citerefentry> <refentrytitle>sssd-"
+ "ldap</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> for more "
+@@ -2659,8 +2667,8 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2204 sssd.conf.5.xml:2309 sssd.conf.5.xml:2364
+-#: sssd.conf.5.xml:2427
++#: sssd.conf.5.xml:2212 sssd.conf.5.xml:2317 sssd.conf.5.xml:2372
++#: sssd.conf.5.xml:2435
+ msgid ""
+ "<quote>ipa</quote>: FreeIPA and Red Hat Enterprise Identity Management "
+ "provider. See <citerefentry> <refentrytitle>sssd-ipa</refentrytitle> "
+@@ -2669,8 +2677,8 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2213 sssd.conf.5.xml:2318 sssd.conf.5.xml:2373
+-#: sssd.conf.5.xml:2436
++#: sssd.conf.5.xml:2221 sssd.conf.5.xml:2326 sssd.conf.5.xml:2381
++#: sssd.conf.5.xml:2444
+ msgid ""
+ "<quote>ad</quote>: Active Directory provider. See <citerefentry> "
+ "<refentrytitle>sssd-ad</refentrytitle> <manvolnum>5</manvolnum> </"
+@@ -2678,19 +2686,19 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2224
++#: sssd.conf.5.xml:2232
+ msgid "use_fully_qualified_names (bool)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2227
++#: sssd.conf.5.xml:2235
+ msgid ""
+ "Use the full name and domain (as formatted by the domain's full_name_format) "
+ "as the user's login name reported to NSS."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2232
++#: sssd.conf.5.xml:2240
+ msgid ""
+ "If set to TRUE, all requests to this domain must use fully qualified names. "
+ "For example, if used in LOCAL domain that contains a \"test\" user, "
+@@ -2699,7 +2707,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2240
++#: sssd.conf.5.xml:2248
+ msgid ""
+ "NOTE: This option has no effect on netgroup lookups due to their tendency to "
+ "include nested netgroups without qualified names. For netgroups, all domains "
+@@ -2707,22 +2715,22 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2247
++#: sssd.conf.5.xml:2255
+ msgid "Default: FALSE (TRUE if default_domain_suffix is used)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2253
++#: sssd.conf.5.xml:2261
+ msgid "ignore_group_members (bool)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2256
++#: sssd.conf.5.xml:2264
+ msgid "Do not return group members for group lookups."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2259
++#: sssd.conf.5.xml:2267
+ msgid ""
+ "If set to TRUE, the group membership attribute is not requested from the "
+ "ldap server, and group members are not returned when processing group lookup "
+@@ -2734,7 +2742,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2277
++#: sssd.conf.5.xml:2285
+ msgid ""
+ "Enabling this option can also make access provider checks for group "
+ "membership significantly faster, especially for groups containing many "
+@@ -2742,19 +2750,19 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2288
++#: sssd.conf.5.xml:2296
+ msgid "auth_provider (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2291
++#: sssd.conf.5.xml:2299
+ msgid ""
+ "The authentication provider used for the domain.  Supported auth providers "
+ "are:"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2295 sssd.conf.5.xml:2357
++#: sssd.conf.5.xml:2303 sssd.conf.5.xml:2365
+ msgid ""
+ "<quote>ldap</quote> for native LDAP authentication. See <citerefentry> "
+ "<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
+@@ -2762,7 +2770,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2302
++#: sssd.conf.5.xml:2310
+ msgid ""
+ "<quote>krb5</quote> for Kerberos authentication. See <citerefentry> "
+ "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </"
+@@ -2770,35 +2778,35 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2326
++#: sssd.conf.5.xml:2334
+ msgid ""
+ "<quote>proxy</quote> for relaying authentication to some other PAM target."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2329
++#: sssd.conf.5.xml:2337
+ msgid "<quote>local</quote>: SSSD internal provider for local users"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2333
++#: sssd.conf.5.xml:2341
+ msgid "<quote>none</quote> disables authentication explicitly."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2336
++#: sssd.conf.5.xml:2344
+ msgid ""
+ "Default: <quote>id_provider</quote> is used if it is set and can handle "
+ "authentication requests."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2342
++#: sssd.conf.5.xml:2350
+ msgid "access_provider (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2345
++#: sssd.conf.5.xml:2353
+ msgid ""
+ "The access control provider used for the domain.  There are two built-in "
+ "access providers (in addition to any included in installed backends)  "
+@@ -2806,19 +2814,19 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2351
++#: sssd.conf.5.xml:2359
+ msgid ""
+ "<quote>permit</quote> always allow access. It's the only permitted access "
+ "provider for a local domain."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2354
++#: sssd.conf.5.xml:2362
+ msgid "<quote>deny</quote> always deny access."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2381
++#: sssd.conf.5.xml:2389
+ msgid ""
+ "<quote>simple</quote> access control based on access or deny lists. See "
+ "<citerefentry> <refentrytitle>sssd-simple</refentrytitle> <manvolnum>5</"
+@@ -2827,7 +2835,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2388
++#: sssd.conf.5.xml:2396
+ msgid ""
+ "<quote>krb5</quote>: .k5login based access control.  See <citerefentry> "
+ "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum></"
+@@ -2835,29 +2843,29 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2395
++#: sssd.conf.5.xml:2403
+ msgid "<quote>proxy</quote> for relaying access control to another PAM module."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2398
++#: sssd.conf.5.xml:2406
+ msgid "Default: <quote>permit</quote>"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2403
++#: sssd.conf.5.xml:2411
+ msgid "chpass_provider (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2406
++#: sssd.conf.5.xml:2414
+ msgid ""
+ "The provider which should handle change password operations for the domain.  "
+ "Supported change password providers are:"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2411
++#: sssd.conf.5.xml:2419
+ msgid ""
+ "<quote>ldap</quote> to change a password stored in a LDAP server. See "
+ "<citerefentry> <refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</"
+@@ -2865,7 +2873,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2419
++#: sssd.conf.5.xml:2427
+ msgid ""
+ "<quote>krb5</quote> to change the Kerberos password. See <citerefentry> "
+ "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </"
+@@ -2873,35 +2881,35 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2444
++#: sssd.conf.5.xml:2452
+ msgid ""
+ "<quote>proxy</quote> for relaying password changes to some other PAM target."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2448
++#: sssd.conf.5.xml:2456
+ msgid "<quote>none</quote> disallows password changes explicitly."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2451
++#: sssd.conf.5.xml:2459
+ msgid ""
+ "Default: <quote>auth_provider</quote> is used if it is set and can handle "
+ "change password requests."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2458
++#: sssd.conf.5.xml:2466
+ msgid "sudo_provider (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2461
++#: sssd.conf.5.xml:2469
+ msgid "The SUDO provider used for the domain.  Supported SUDO providers are:"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2465
++#: sssd.conf.5.xml:2473
+ msgid ""
+ "<quote>ldap</quote> for rules stored in LDAP. See <citerefentry> "
+ "<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
+@@ -2909,32 +2917,32 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2473
++#: sssd.conf.5.xml:2481
+ msgid ""
+ "<quote>ipa</quote> the same as <quote>ldap</quote> but with IPA default "
+ "settings."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2477
++#: sssd.conf.5.xml:2485
+ msgid ""
+ "<quote>ad</quote> the same as <quote>ldap</quote> but with AD default "
+ "settings."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2481
++#: sssd.conf.5.xml:2489
+ msgid "<quote>none</quote> disables SUDO explicitly."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2484 sssd.conf.5.xml:2570 sssd.conf.5.xml:2640
+-#: sssd.conf.5.xml:2665
++#: sssd.conf.5.xml:2492 sssd.conf.5.xml:2578 sssd.conf.5.xml:2648
++#: sssd.conf.5.xml:2673
+ msgid "Default: The value of <quote>id_provider</quote> is used if it is set."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2488
++#: sssd.conf.5.xml:2496
+ msgid ""
+ "The detailed instructions for configuration of sudo_provider are in the "
+ "manual page <citerefentry> <refentrytitle>sssd-sudo</refentrytitle> "
+@@ -2945,7 +2953,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2503
++#: sssd.conf.5.xml:2511
+ msgid ""
+ "<emphasis>NOTE:</emphasis> Sudo rules are periodically downloaded in the "
+ "background unless the sudo provider is explicitly disabled. Set "
+@@ -2954,12 +2962,12 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2513
++#: sssd.conf.5.xml:2521
+ msgid "selinux_provider (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2516
++#: sssd.conf.5.xml:2524
+ msgid ""
+ "The provider which should handle loading of selinux settings. Note that this "
+ "provider will be called right after access provider ends.  Supported selinux "
+@@ -2967,7 +2975,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2522
++#: sssd.conf.5.xml:2530
+ msgid ""
+ "<quote>ipa</quote> to load selinux settings from an IPA server. See "
+ "<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</"
+@@ -2975,31 +2983,31 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2530
++#: sssd.conf.5.xml:2538
+ msgid "<quote>none</quote> disallows fetching selinux settings explicitly."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2533
++#: sssd.conf.5.xml:2541
+ msgid ""
+ "Default: <quote>id_provider</quote> is used if it is set and can handle "
+ "selinux loading requests."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2539
++#: sssd.conf.5.xml:2547
+ msgid "subdomains_provider (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2542
++#: sssd.conf.5.xml:2550
+ msgid ""
+ "The provider which should handle fetching of subdomains. This value should "
+ "be always the same as id_provider.  Supported subdomain providers are:"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2548
++#: sssd.conf.5.xml:2556
+ msgid ""
+ "<quote>ipa</quote> to load a list of subdomains from an IPA server. See "
+ "<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</"
+@@ -3007,7 +3015,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2557
++#: sssd.conf.5.xml:2565
+ msgid ""
+ "<quote>ad</quote> to load a list of subdomains from an Active Directory "
+ "server. See <citerefentry> <refentrytitle>sssd-ad</refentrytitle> "
+@@ -3016,17 +3024,17 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2566
++#: sssd.conf.5.xml:2574
+ msgid "<quote>none</quote> disallows fetching subdomains explicitly."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2576
++#: sssd.conf.5.xml:2584
+ msgid "session_provider (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2579
++#: sssd.conf.5.xml:2587
+ msgid ""
+ "The provider which configures and manages user session related tasks. The "
+ "only user session task currently provided is the integration with Fleet "
+@@ -3034,43 +3042,43 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2586
++#: sssd.conf.5.xml:2594
+ msgid "<quote>ipa</quote> to allow performing user session related tasks."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2590
++#: sssd.conf.5.xml:2598
+ msgid ""
+ "<quote>none</quote> does not perform any kind of user session related tasks."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2594
++#: sssd.conf.5.xml:2602
+ msgid ""
+ "Default: <quote>id_provider</quote> is used if it is set and can perform "
+ "session related tasks."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2598
++#: sssd.conf.5.xml:2606
+ msgid ""
+ "<emphasis>NOTE:</emphasis> In order to have this feature working as expected "
+ "SSSD must be running as \"root\" and not as the unprivileged user."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2606
++#: sssd.conf.5.xml:2614
+ msgid "autofs_provider (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2609
++#: sssd.conf.5.xml:2617
+ msgid ""
+ "The autofs provider used for the domain.  Supported autofs providers are:"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2613
++#: sssd.conf.5.xml:2621
+ msgid ""
+ "<quote>ldap</quote> to load maps stored in LDAP. See <citerefentry> "
+ "<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
+@@ -3078,7 +3086,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2620
++#: sssd.conf.5.xml:2628
+ msgid ""
+ "<quote>ipa</quote> to load maps stored in an IPA server. See <citerefentry> "
+ "<refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</manvolnum> </"
+@@ -3086,7 +3094,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2628
++#: sssd.conf.5.xml:2636
+ msgid ""
+ "<quote>ad</quote> to load maps stored in an AD server. See <citerefentry> "
+ "<refentrytitle>sssd-ad</refentrytitle> <manvolnum>5</manvolnum> </"
+@@ -3094,24 +3102,24 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2637
++#: sssd.conf.5.xml:2645
+ msgid "<quote>none</quote> disables autofs explicitly."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2647
++#: sssd.conf.5.xml:2655
+ msgid "hostid_provider (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2650
++#: sssd.conf.5.xml:2658
+ msgid ""
+ "The provider used for retrieving host identity information.  Supported "
+ "hostid providers are:"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2654
++#: sssd.conf.5.xml:2662
+ msgid ""
+ "<quote>ipa</quote> to load host identity stored in an IPA server. See "
+ "<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</"
+@@ -3119,12 +3127,12 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2662
++#: sssd.conf.5.xml:2670
+ msgid "<quote>none</quote> disables hostid explicitly."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2675
++#: sssd.conf.5.xml:2683
+ msgid ""
+ "Regular expression for this domain that describes how to parse the string "
+ "containing user name and domain into these components.  The \"domain\" can "
+@@ -3134,7 +3142,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2684
++#: sssd.conf.5.xml:2692
+ msgid ""
+ "Default for the AD and IPA provider: <quote>(((?P&lt;domain&gt;[^\\\\]+)\\"
+ "\\(?P&lt;name&gt;.+$))|((?P&lt;name&gt;[^@]+)@(?P&lt;domain&gt;.+$))|(^(?"
+@@ -3144,29 +3152,29 @@ msgstr ""
+ 
+ # auto translated by TM merge from project: Fedora Websites, version: fedorahosted.org, DocId: po/fedorahosted
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd.conf.5.xml:2689
++#: sssd.conf.5.xml:2697
+ msgid "username"
+ msgstr "username"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd.conf.5.xml:2692
++#: sssd.conf.5.xml:2700
+ msgid "username@domain.name"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd.conf.5.xml:2695
++#: sssd.conf.5.xml:2703
+ msgid "domain\\username"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2698
++#: sssd.conf.5.xml:2706
+ msgid ""
+ "While the first two correspond to the general default the third one is "
+ "introduced to allow easy integration of users from Windows domains."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2703
++#: sssd.conf.5.xml:2711
+ msgid ""
+ "Default: <quote>(?P&lt;name&gt;[^@]+)@?(?P&lt;domain&gt;[^@]*$)</quote> "
+ "which translates to \"the name is everything up to the <quote>@</quote> "
+@@ -3174,7 +3182,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2709
++#: sssd.conf.5.xml:2717
+ msgid ""
+ "NOTE: Some Active Directory groups, typically those used for MS Exchange "
+ "contain an <quote>@</quote> sign in the name, which clashes with the default "
+@@ -3184,59 +3192,59 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2760
++#: sssd.conf.5.xml:2768
+ msgid "Default: <quote>%1$s@%2$s</quote>."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2766
++#: sssd.conf.5.xml:2774
+ msgid "lookup_family_order (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2769
++#: sssd.conf.5.xml:2777
+ msgid ""
+ "Provides the ability to select preferred address family to use when "
+ "performing DNS lookups."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2773
++#: sssd.conf.5.xml:2781
+ msgid "Supported values:"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2776
++#: sssd.conf.5.xml:2784
+ msgid "ipv4_first: Try looking up IPv4 address, if that fails, try IPv6"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2779
++#: sssd.conf.5.xml:2787
+ msgid "ipv4_only: Only attempt to resolve hostnames to IPv4 addresses."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2782
++#: sssd.conf.5.xml:2790
+ msgid "ipv6_first: Try looking up IPv6 address, if that fails, try IPv4"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2785
++#: sssd.conf.5.xml:2793
+ msgid "ipv6_only: Only attempt to resolve hostnames to IPv6 addresses."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2788
++#: sssd.conf.5.xml:2796
+ msgid "Default: ipv4_first"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2794
++#: sssd.conf.5.xml:2802
+ msgid "dns_resolver_timeout (integer)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2797
++#: sssd.conf.5.xml:2805
+ msgid ""
+ "Defines the amount of time (in seconds) to wait for a reply from the "
+ "internal fail over service before assuming that the service is unreachable. "
+@@ -3245,77 +3253,77 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2804
++#: sssd.conf.5.xml:2812
+ msgid ""
+ "Please see the section <quote>FAILOVER</quote> for more information about "
+ "the service resolution."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2809 sssd-ldap.5.xml:1434 sssd-ldap.5.xml:1476
++#: sssd.conf.5.xml:2817 sssd-ldap.5.xml:1434 sssd-ldap.5.xml:1476
+ #: sssd-ldap.5.xml:1494 sssd-krb5.5.xml:248
+ msgid "Default: 6"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2815
++#: sssd.conf.5.xml:2823
+ msgid "dns_discovery_domain (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2818
++#: sssd.conf.5.xml:2826
+ msgid ""
+ "If service discovery is used in the back end, specifies the domain part of "
+ "the service discovery DNS query."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2822
++#: sssd.conf.5.xml:2830
+ msgid "Default: Use the domain part of machine's hostname"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2828
++#: sssd.conf.5.xml:2836
+ msgid "override_gid (integer)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2831
++#: sssd.conf.5.xml:2839
+ msgid "Override the primary GID value with the one specified."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2837
++#: sssd.conf.5.xml:2845
+ msgid "case_sensitive (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2845
++#: sssd.conf.5.xml:2853
+ msgid "True"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2848
++#: sssd.conf.5.xml:2856
+ msgid "Case sensitive. This value is invalid for AD provider."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2854
++#: sssd.conf.5.xml:2862
+ msgid "False"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2856
++#: sssd.conf.5.xml:2864
+ msgid "Case insensitive."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2860
++#: sssd.conf.5.xml:2868
+ msgid "Preserving"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2863
++#: sssd.conf.5.xml:2871
+ msgid ""
+ "Same as False (case insensitive), but does not lowercase names in the result "
+ "of NSS operations. Note that name aliases (and in case of services also "
+@@ -3323,7 +3331,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2840
++#: sssd.conf.5.xml:2848
+ msgid ""
+ "Treat user and group names as case sensitive. At the moment, this option is "
+ "not supported in the local provider. Possible option values are: "
+@@ -3331,17 +3339,17 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2875
++#: sssd.conf.5.xml:2883
+ msgid "Default: True (False for AD provider)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2881
++#: sssd.conf.5.xml:2889
+ msgid "subdomain_inherit (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2884
++#: sssd.conf.5.xml:2892
+ msgid ""
+ "Specifies a list of configuration parameters that should be inherited by a "
+ "subdomain. Please note that only selected parameters can be inherited.  "
+@@ -3349,34 +3357,34 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2890
++#: sssd.conf.5.xml:2898
+ msgid "ignore_group_members"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2893
++#: sssd.conf.5.xml:2901
+ msgid "ldap_purge_cache_timeout"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2896 sssd-ldap.5.xml:1158
++#: sssd.conf.5.xml:2904 sssd-ldap.5.xml:1158
+ msgid "ldap_use_tokengroups"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2899
++#: sssd.conf.5.xml:2907
+ msgid "ldap_user_principal"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2902
++#: sssd.conf.5.xml:2910
+ msgid ""
+ "ldap_krb5_keytab (the value of krb5_keytab will be used if ldap_krb5_keytab "
+ "is not set explicitly)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
+-#: sssd.conf.5.xml:2908
++#: sssd.conf.5.xml:2916
+ #, no-wrap
+ msgid ""
+ "subdomain_inherit = ldap_purge_cache_timeout\n"
+@@ -3384,32 +3392,32 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2906 sssd-secrets.5.xml:448
++#: sssd.conf.5.xml:2914 sssd-secrets.5.xml:448
+ msgid "Example: <placeholder type=\"programlisting\" id=\"0\"/>"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2915
++#: sssd.conf.5.xml:2923
+ msgid "Note: This option only works with the IPA and AD provider."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2922
++#: sssd.conf.5.xml:2930
+ msgid "subdomain_homedir (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2933
++#: sssd.conf.5.xml:2941
+ msgid "%F"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2934
++#: sssd.conf.5.xml:2942
+ msgid "flat (NetBIOS) name of a subdomain."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2925
++#: sssd.conf.5.xml:2933
+ msgid ""
+ "Use this homedir as default value for all subdomains within this domain in "
+ "IPA AD trust.  See <emphasis>override_homedir</emphasis> for info about "
+@@ -3419,47 +3427,55 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2939
++#: sssd.conf.5.xml:2947
+ msgid ""
+ "The value can be overridden by <emphasis>override_homedir</emphasis> option."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2943
++#: sssd.conf.5.xml:2951
+ msgid "Default: <filename>/home/%d/%u</filename>"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2948
++#: sssd.conf.5.xml:2956
+ msgid "realmd_tags (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2951
++#: sssd.conf.5.xml:2959
+ msgid ""
+ "Various tags stored by the realmd configuration service for this domain."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2957
++#: sssd.conf.5.xml:2965
+ msgid "cached_auth_timeout (int)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2960
++#: sssd.conf.5.xml:2968
+ msgid ""
+ "Specifies time in seconds since last successful online authentication for "
+ "which user will be authenticated using cached credentials while SSSD is in "
+-"the online mode."
++"the online mode. If the credentials are incorrect, SSSD falls back to online "
++"authentication."
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
++#: sssd.conf.5.xml:2976
++msgid ""
++"This option's value is inherited by all trusted domains. At the moment it is "
++"not possible to set a different value per trusted domain."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2966
++#: sssd.conf.5.xml:2981
+ msgid "Special value 0 implies that this feature is disabled."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2970
++#: sssd.conf.5.xml:2985
+ msgid ""
+ "Please note that if <quote>cached_auth_timeout</quote> is longer than "
+ "<quote>pam_id_timeout</quote> then the back end could be called to handle "
+@@ -3467,41 +3483,50 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2981
++#: sssd.conf.5.xml:2996
+ msgid "auto_private_groups (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2987
++#: sssd.conf.5.xml:3002
+ msgid "true"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2990
++#: sssd.conf.5.xml:3005
+ msgid ""
+ "Create user's private group unconditionally from user's UID number.  The GID "
+ "number is ignored in this case."
+ msgstr ""
+ 
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
++#: sssd.conf.5.xml:3009
++msgid ""
++"NOTE: Because the GID number and the user private group are inferred from "
++"the UID number, it is not supported to have multiple entries with the same "
++"UID or GID number with this option. In other words, enabling this option "
++"enforces uniqueness across the ID space."
++msgstr ""
++
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2996
++#: sssd.conf.5.xml:3018
+ msgid "false"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2999
++#: sssd.conf.5.xml:3021
+ msgid ""
+ "Always use the user's primary GID number. The GID number must refer to a "
+ "group object in the LDAP database."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:3005
++#: sssd.conf.5.xml:3027
+ msgid "hybrid"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3008
++#: sssd.conf.5.xml:3030
+ msgid ""
+ "A primary group is autogenerated for user entries whose UID and GID numbers "
+ "have the same value and at the same time the GID number does not correspond "
+@@ -3511,14 +3536,14 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3021
++#: sssd.conf.5.xml:3043
+ msgid ""
+ "If the UID and GID of a user are different, then the GID must correspond to "
+ "a group entry, otherwise the GID is simply not resolvable."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3028
++#: sssd.conf.5.xml:3050
+ msgid ""
+ "This feature is useful for environments that wish to stop maintaining a "
+ "separate group objects for the user private groups, but also wish to retain "
+@@ -3526,34 +3551,43 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2984
++#: sssd.conf.5.xml:2999
+ msgid ""
+ "This option takes any of three available values: <placeholder type="
+ "\"variablelist\" id=\"0\"/>"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3040
++#: sssd.conf.5.xml:3062
+ msgid ""
+-"For POSIX subdomains, setting the option in the main domain is inherited in "
+-"the subdomain."
++"For subdomains, the default value is False for subdomains that use assigned "
++"POSIX IDs and True for subdomains that use automatic ID-mapping."
+ msgstr ""
+ 
+-#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3044
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
++#: sssd.conf.5.xml:3070
++#, no-wrap
++msgid ""
++"[domain/forest.domain/sub.domain]\n"
++"auto_private_groups = false\n"
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
++#: sssd.conf.5.xml:3076
++#, no-wrap
+ msgid ""
+-"For ID-mapping subdomains, auto_private_groups is already enabled for the "
+-"subdomains and setting it to false will not have any effect for the "
+-"subdomain."
++"[domain/forest.domain]\n"
++"subdomain_inherit = auto_private_groups\n"
++"auto_private_groups = false\n"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3049
++#: sssd.conf.5.xml:3067
+ msgid ""
+-"NOTE: Because the GID number and the user private group are inferred from "
+-"the UID number, it is not supported to have multiple entries with the same "
+-"UID or GID number with this option. In other words, enabling this option "
+-"enforces uniqueness across the ID space."
++"The value of auto_private_groups can either be set per subdomains in a "
++"subsection, for example: <placeholder type=\"programlisting\" id=\"0\"/> or "
++"globally for all subdomains in the main domain section using the "
++"subdomain_inherit option: <placeholder type=\"programlisting\" id=\"1\"/>"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+@@ -3565,29 +3599,29 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:3068
++#: sssd.conf.5.xml:3091
+ msgid "proxy_pam_target (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3071
++#: sssd.conf.5.xml:3094
+ msgid "The proxy target PAM proxies to."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3074
++#: sssd.conf.5.xml:3097
+ msgid ""
+ "Default: not set by default, you have to take an existing pam configuration "
+ "or create a new one and add the service name here."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:3082
++#: sssd.conf.5.xml:3105
+ msgid "proxy_lib_name (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3085
++#: sssd.conf.5.xml:3108
+ msgid ""
+ "The name of the NSS library to use in proxy domains. The NSS functions "
+ "searched for in the library are in the form of _nss_$(libName)_$(function), "
+@@ -3595,12 +3629,12 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:3095
++#: sssd.conf.5.xml:3118
+ msgid "proxy_fast_alias (boolean)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3098
++#: sssd.conf.5.xml:3121
+ msgid ""
+ "When a user or group is looked up by name in the proxy provider, a second "
+ "lookup by ID is performed to \"canonicalize\" the name in case the requested "
+@@ -3609,12 +3643,12 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:3112
++#: sssd.conf.5.xml:3135
+ msgid "proxy_max_children (integer)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3115
++#: sssd.conf.5.xml:3138
+ msgid ""
+ "This option specifies the number of pre-forked proxy children. It is useful "
+ "for high-load SSSD environments where sssd may run out of available child "
+@@ -3622,19 +3656,19 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd.conf.5.xml:3064
++#: sssd.conf.5.xml:3087
+ msgid ""
+ "Options valid for proxy domains.  <placeholder type=\"variablelist\" id="
+ "\"0\"/>"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><title>
+-#: sssd.conf.5.xml:3131
++#: sssd.conf.5.xml:3154
+ msgid "Application domains"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para>
+-#: sssd.conf.5.xml:3133
++#: sssd.conf.5.xml:3156
+ msgid ""
+ "SSSD, with its D-Bus interface (see <citerefentry> <refentrytitle>sssd-ifp</"
+ "refentrytitle> <manvolnum>5</manvolnum> </citerefentry>) is appealing to "
+@@ -3651,7 +3685,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para>
+-#: sssd.conf.5.xml:3153
++#: sssd.conf.5.xml:3176
+ msgid ""
+ "Please note that the application domain must still be explicitly enabled in "
+ "the <quote>domains</quote> parameter so that the lookup order between the "
+@@ -3659,17 +3693,17 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><title>
+-#: sssd.conf.5.xml:3159
++#: sssd.conf.5.xml:3182
+ msgid "Application domain parameters"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:3161
++#: sssd.conf.5.xml:3184
+ msgid "inherit_from (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3164
++#: sssd.conf.5.xml:3187
+ msgid ""
+ "The SSSD POSIX-type domain the application domain inherits all settings "
+ "from. The application domain can moreover add its own settings to the "
+@@ -3678,7 +3712,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para>
+-#: sssd.conf.5.xml:3178
++#: sssd.conf.5.xml:3201
+ msgid ""
+ "The following example illustrates the use of an application domain. In this "
+ "setup, the POSIX domain is connected to an LDAP server and is used by the OS "
+@@ -3688,7 +3722,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><programlisting>
+-#: sssd.conf.5.xml:3186
++#: sssd.conf.5.xml:3209
+ #, no-wrap
+ msgid ""
+ "[sssd]\n"
+@@ -3708,12 +3742,12 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><title>
+-#: sssd.conf.5.xml:3204
++#: sssd.conf.5.xml:3227
+ msgid "The local domain section"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para>
+-#: sssd.conf.5.xml:3206
++#: sssd.conf.5.xml:3229
+ msgid ""
+ "This section contains settings for domain that stores users and groups in "
+ "SSSD native database, that is, a domain that uses "
+@@ -3721,73 +3755,73 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:3213
++#: sssd.conf.5.xml:3236
+ msgid "default_shell (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3216
++#: sssd.conf.5.xml:3239
+ msgid "The default shell for users created with SSSD userspace tools."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3220
++#: sssd.conf.5.xml:3243
+ msgid "Default: <filename>/bin/bash</filename>"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:3225
++#: sssd.conf.5.xml:3248
+ msgid "base_directory (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3228
++#: sssd.conf.5.xml:3251
+ msgid ""
+ "The tools append the login name to <replaceable>base_directory</replaceable> "
+ "and use that as the home directory."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3233
++#: sssd.conf.5.xml:3256
+ msgid "Default: <filename>/home</filename>"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:3238
++#: sssd.conf.5.xml:3261
+ msgid "create_homedir (bool)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3241
++#: sssd.conf.5.xml:3264
+ msgid ""
+ "Indicate if a home directory should be created by default for new users.  "
+ "Can be overridden on command line."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3245 sssd.conf.5.xml:3257
++#: sssd.conf.5.xml:3268 sssd.conf.5.xml:3280
+ msgid "Default: TRUE"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:3250
++#: sssd.conf.5.xml:3273
+ msgid "remove_homedir (bool)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3253
++#: sssd.conf.5.xml:3276
+ msgid ""
+ "Indicate if a home directory should be removed by default for deleted "
+ "users.  Can be overridden on command line."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:3262
++#: sssd.conf.5.xml:3285
+ msgid "homedir_umask (integer)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3265
++#: sssd.conf.5.xml:3288
+ msgid ""
+ "Used by <citerefentry> <refentrytitle>sss_useradd</refentrytitle> "
+ "<manvolnum>8</manvolnum> </citerefentry> to specify the default permissions "
+@@ -3795,17 +3829,17 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3273
++#: sssd.conf.5.xml:3296
+ msgid "Default: 077"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:3278
++#: sssd.conf.5.xml:3301
+ msgid "skel_dir (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3281
++#: sssd.conf.5.xml:3304
+ msgid ""
+ "The skeleton directory, which contains files and directories to be copied in "
+ "the user's home directory, when the home directory is created by "
+@@ -3814,17 +3848,17 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3291
++#: sssd.conf.5.xml:3314
+ msgid "Default: <filename>/etc/skel</filename>"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:3296
++#: sssd.conf.5.xml:3319
+ msgid "mail_dir (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3299
++#: sssd.conf.5.xml:3322
+ msgid ""
+ "The mail spool directory. This is needed to manipulate the mailbox when its "
+ "corresponding user account is modified or deleted.  If not specified, a "
+@@ -3832,17 +3866,17 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3306
++#: sssd.conf.5.xml:3329
+ msgid "Default: <filename>/var/mail</filename>"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:3311
++#: sssd.conf.5.xml:3334
+ msgid "userdel_cmd (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3314
++#: sssd.conf.5.xml:3337
+ msgid ""
+ "The command that is run after a user is removed.  The command us passed the "
+ "username of the user being removed as the first and only parameter. The "
+@@ -3850,17 +3884,17 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3320
++#: sssd.conf.5.xml:3343
+ msgid "Default: None, no command is run"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><title>
+-#: sssd.conf.5.xml:3330
++#: sssd.conf.5.xml:3353
+ msgid "TRUSTED DOMAIN SECTION"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd.conf.5.xml:3332
++#: sssd.conf.5.xml:3355
+ msgid ""
+ "Some options used in the domain section can also be used in the trusted "
+ "domain section, that is, in a section called <quote>[domain/"
+@@ -3871,64 +3905,179 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd.conf.5.xml:3339
++#: sssd.conf.5.xml:3362
+ msgid "ldap_search_base,"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd.conf.5.xml:3340
++#: sssd.conf.5.xml:3363
+ msgid "ldap_user_search_base,"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd.conf.5.xml:3341
++#: sssd.conf.5.xml:3364
+ msgid "ldap_group_search_base,"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd.conf.5.xml:3342
++#: sssd.conf.5.xml:3365
+ msgid "ldap_netgroup_search_base,"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd.conf.5.xml:3343
++#: sssd.conf.5.xml:3366
+ msgid "ldap_service_search_base,"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd.conf.5.xml:3344
++#: sssd.conf.5.xml:3367
++msgid "ldap_sasl_mech,"
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para>
++#: sssd.conf.5.xml:3368
+ msgid "ad_server,"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd.conf.5.xml:3345
++#: sssd.conf.5.xml:3369
+ msgid "ad_backup_server,"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd.conf.5.xml:3346
++#: sssd.conf.5.xml:3370
+ msgid "ad_site,"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para>
+-#: sssd.conf.5.xml:3347 sssd-ipa.5.xml:782
++#: sssd.conf.5.xml:3371 sssd-ipa.5.xml:782
+ msgid "use_fully_qualified_names"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd.conf.5.xml:3349
++#: sssd.conf.5.xml:3373
+ msgid ""
+ "For more details about these options see their individual description in the "
+ "manual page."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><title>
+-#: sssd.conf.5.xml:3355 idmap_sss.8.xml:43
++#: sssd.conf.5.xml:3379
++msgid "PROMPTING CONFIGURATION SECTION"
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para>
++#: sssd.conf.5.xml:3381
++msgid ""
++"If a special file (<filename>/var/lib/sss/pubconf/pam_preauth_available</"
++"filename>)  exists SSSD's PAM module pam_sss will ask SSSD to figure out "
++"which authentication methods are available for the user trying to log in.  "
++"Based on the results pam_sss will prompt the user for appropriate "
++"credentials."
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para>
++#: sssd.conf.5.xml:3389
++msgid ""
++"With the growing number of authentication methods and the possibility that "
++"there are multiple ones for a single user the heuristic used by pam_sss to "
++"select the prompting might not be suitable for all use cases. To following "
++"options should provide a better flexibility here."
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
++#: sssd.conf.5.xml:3401
++msgid "[prompting/password]"
++msgstr ""
++
++# auto translated by TM merge from project: FreeIPA, version: ipa-4-5, DocId: po/ipa
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
++#: sssd.conf.5.xml:3404
++#, fuzzy
++#| msgid "password"
++msgid "password_prompt"
++msgstr "heslo"
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
++#: sssd.conf.5.xml:3405
++msgid "to change the string of the password prompt"
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
++#: sssd.conf.5.xml:3403
++msgid ""
++"to configure password prompting, allowed options are: <placeholder type="
++"\"variablelist\" id=\"0\"/>"
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
++#: sssd.conf.5.xml:3413
++msgid "[prompting/2fa]"
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
++#: sssd.conf.5.xml:3417
++msgid "first_prompt"
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
++#: sssd.conf.5.xml:3418
++msgid "to change the string of the prompt for the first factor"
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
++#: sssd.conf.5.xml:3421
++msgid "second_prompt"
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
++#: sssd.conf.5.xml:3422
++msgid "to change the string of the prompt for the second factor"
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
++#: sssd.conf.5.xml:3425
++msgid "single_prompt"
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
++#: sssd.conf.5.xml:3426
++msgid ""
++"boolean value, if True there will be only a single prompt using the value of "
++"first_prompt where it is expected that both factor are entered as a single "
++"string"
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
++#: sssd.conf.5.xml:3415
++msgid ""
++"to configure two-factor authentication prompting, allowed options are: "
++"<placeholder type=\"variablelist\" id=\"0\"/>"
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para>
++#: sssd.conf.5.xml:3396
++msgid ""
++"Each supported authentication method has it's own configuration sub-section "
++"under <quote>[prompting/...]</quote>. Currently there are: <placeholder type="
++"\"variablelist\" id=\"0\"/> <placeholder type=\"variablelist\" id=\"1\"/>"
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para>
++#: sssd.conf.5.xml:3438
++msgid ""
++"It is possible to add a sub-section for specific PAM services like e.g. "
++"<quote>[prompting/password/sshd]</quote> to individual change the prompting "
++"for this service."
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><title>
++#: sssd.conf.5.xml:3445 idmap_sss.8.xml:43
+ msgid "EXAMPLES"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><programlisting>
+-#: sssd.conf.5.xml:3361
++#: sssd.conf.5.xml:3451
+ #, no-wrap
+ msgid ""
+ "[sssd]\n"
+@@ -3958,7 +4107,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd.conf.5.xml:3357
++#: sssd.conf.5.xml:3447
+ msgid ""
+ "1. The following example shows a typical SSSD config. It does not describe "
+ "configuration of the domains themselves - refer to documentation on "
+@@ -3967,7 +4116,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><programlisting>
+-#: sssd.conf.5.xml:3394
++#: sssd.conf.5.xml:3484
+ #, no-wrap
+ msgid ""
+ "[domain/ipa.com/child.ad.com]\n"
+@@ -3975,7 +4124,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd.conf.5.xml:3388
++#: sssd.conf.5.xml:3478
+ msgid ""
+ "2. The following example shows configuration of IPA AD trust where the AD "
+ "forest consists of two domains in a parent-child structure.  Suppose IPA "
+@@ -4875,7 +5024,7 @@ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:797 sssd-ldap.5.xml:1199 sssd-ldap.5.xml:1273
+-#: sssd-ldap.5.xml:1382 sssd-ldap.5.xml:2443 sssd-ipa.5.xml:607
++#: sssd-ldap.5.xml:1382 sssd-ldap.5.xml:2463 sssd-ipa.5.xml:607
+ msgid "Default: cn"
+ msgstr ""
+ 
+@@ -5580,7 +5729,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1511 sssd-ldap.5.xml:2600
++#: sssd-ldap.5.xml:1511 sssd-ldap.5.xml:2620
+ msgid "Default: 900 (15 minutes)"
+ msgstr ""
+ 
+@@ -5683,11 +5832,16 @@ msgstr ""
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:1604
+ msgid ""
+-"You can turn off dereference lookups completely by setting the value to 0."
++"You can turn off dereference lookups completely by setting the value to 0. "
++"Please note that there are some codepaths in SSSD, like the IPA HBAC "
++"provider, that are only implemented using the dereference call, so even with "
++"dereference explicitly disabled, those parts will still use dereference if "
++"the server supports it and advertises the dereference control in the rootDSE "
++"object."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1608
++#: sssd-ldap.5.xml:1615
+ msgid ""
+ "A dereference lookup is a means of fetching all group members in a single "
+ "LDAP call.  Different LDAP servers may implement different dereference "
+@@ -5696,7 +5850,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1616
++#: sssd-ldap.5.xml:1623
+ msgid ""
+ "<emphasis>Note:</emphasis> If any of the search bases specifies a search "
+ "filter, then the dereference lookup performance enhancement will be disabled "
+@@ -5704,26 +5858,26 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1629
++#: sssd-ldap.5.xml:1636
+ msgid "ldap_tls_reqcert (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1632
++#: sssd-ldap.5.xml:1639
+ msgid ""
+ "Specifies what checks to perform on server certificates in a TLS session, if "
+ "any. It can be specified as one of the following values:"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1638
++#: sssd-ldap.5.xml:1645
+ msgid ""
+ "<emphasis>never</emphasis> = The client will not request or check any server "
+ "certificate."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1642
++#: sssd-ldap.5.xml:1649
+ msgid ""
+ "<emphasis>allow</emphasis> = The server certificate is requested. If no "
+ "certificate is provided, the session proceeds normally. If a bad certificate "
+@@ -5731,7 +5885,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1649
++#: sssd-ldap.5.xml:1656
+ msgid ""
+ "<emphasis>try</emphasis> = The server certificate is requested. If no "
+ "certificate is provided, the session proceeds normally. If a bad certificate "
+@@ -5739,7 +5893,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1655
++#: sssd-ldap.5.xml:1662
+ msgid ""
+ "<emphasis>demand</emphasis> = The server certificate is requested. If no "
+ "certificate is provided, or a bad certificate is provided, the session is "
+@@ -5747,41 +5901,41 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1661
++#: sssd-ldap.5.xml:1668
+ msgid "<emphasis>hard</emphasis> = Same as <quote>demand</quote>"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1665
++#: sssd-ldap.5.xml:1672
+ msgid "Default: hard"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1671
++#: sssd-ldap.5.xml:1678
+ msgid "ldap_tls_cacert (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1674
++#: sssd-ldap.5.xml:1681
+ msgid ""
+ "Specifies the file that contains certificates for all of the Certificate "
+ "Authorities that <command>sssd</command> will recognize."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1679 sssd-ldap.5.xml:1697 sssd-ldap.5.xml:1738
++#: sssd-ldap.5.xml:1686 sssd-ldap.5.xml:1704 sssd-ldap.5.xml:1745
+ msgid ""
+ "Default: use OpenLDAP defaults, typically in <filename>/etc/openldap/ldap."
+ "conf</filename>"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1686
++#: sssd-ldap.5.xml:1693
+ msgid "ldap_tls_cacertdir (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1689
++#: sssd-ldap.5.xml:1696
+ msgid ""
+ "Specifies the path of a directory that contains Certificate Authority "
+ "certificates in separate individual files. Typically the file names need to "
+@@ -5790,32 +5944,32 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1704
++#: sssd-ldap.5.xml:1711
+ msgid "ldap_tls_cert (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1707
++#: sssd-ldap.5.xml:1714
+ msgid "Specifies the file that contains the certificate for the client's key."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1717
++#: sssd-ldap.5.xml:1724
+ msgid "ldap_tls_key (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1720
++#: sssd-ldap.5.xml:1727
+ msgid "Specifies the file that contains the client's key."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1729
++#: sssd-ldap.5.xml:1736
+ msgid "ldap_tls_cipher_suite (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1732
++#: sssd-ldap.5.xml:1739
+ msgid ""
+ "Specifies acceptable cipher suites.  Typically this is a colon separated "
+ "list.  See <citerefentry><refentrytitle>ldap.conf</refentrytitle> "
+@@ -5823,24 +5977,24 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1745
++#: sssd-ldap.5.xml:1752
+ msgid "ldap_id_use_start_tls (boolean)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1748
++#: sssd-ldap.5.xml:1755
+ msgid ""
+ "Specifies that the id_provider connection must also use <systemitem class="
+ "\"protocol\">tls</systemitem> to protect the channel."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1758
++#: sssd-ldap.5.xml:1765
+ msgid "ldap_id_mapping (boolean)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1761
++#: sssd-ldap.5.xml:1768
+ msgid ""
+ "Specifies that SSSD should attempt to map user and group IDs from the "
+ "ldap_user_objectsid and ldap_group_objectsid attributes instead of relying "
+@@ -5848,17 +6002,17 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1767
++#: sssd-ldap.5.xml:1774
+ msgid "Currently this feature supports only ActiveDirectory objectSID mapping."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1777
++#: sssd-ldap.5.xml:1784
+ msgid "ldap_min_id, ldap_max_id (integer)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1780
++#: sssd-ldap.5.xml:1787
+ msgid ""
+ "In contrast to the SID based ID mapping which is used if ldap_id_mapping is "
+ "set to true the allowed ID range for ldap_user_uid_number and "
+@@ -5869,29 +6023,40 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1792
++#: sssd-ldap.5.xml:1799
+ msgid "Default: not set (both options are set to 0)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1798
++#: sssd-ldap.5.xml:1805
+ msgid "ldap_sasl_mech (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1801
++#: sssd-ldap.5.xml:1808
++msgid ""
++"Specify the SASL mechanism to use.  Currently only GSSAPI and GSS-SPNEGO are "
++"tested and supported."
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
++#: sssd-ldap.5.xml:1812
+ msgid ""
+-"Specify the SASL mechanism to use.  Currently only GSSAPI is tested and "
+-"supported."
++"If the backend supports sub-domains the value of ldap_sasl_mech is "
++"automatically inherited to the sub-domains. If a different value is needed "
++"for a sub-domain it can be overwritten by setting ldap_sasl_mech for this "
++"sub-domain explicitly.  Please see TRUSTED DOMAIN SECTION in "
++"<citerefentry><refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</"
++"manvolnum></citerefentry> for details."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1811
++#: sssd-ldap.5.xml:1828
+ msgid "ldap_sasl_authid (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
+-#: sssd-ldap.5.xml:1822
++#: sssd-ldap.5.xml:1840
+ #, no-wrap
+ msgid ""
+ "hostname@REALM\n"
+@@ -5904,29 +6069,29 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1814
++#: sssd-ldap.5.xml:1831
+ msgid ""
+-"Specify the SASL authorization id to use.  When GSSAPI is used, this "
+-"represents the Kerberos principal used for authentication to the directory.  "
+-"This option can either contain the full principal (for example host/"
+-"myhost@EXAMPLE.COM) or just the principal name (for example host/myhost). By "
+-"default, the value is not set and the following principals are used: "
+-"<placeholder type=\"programlisting\" id=\"0\"/> If none of them are found, "
+-"the first principal in keytab is returned."
++"Specify the SASL authorization id to use.  When GSSAPI/GSS-SPNEGO are used, "
++"this represents the Kerberos principal used for authentication to the "
++"directory.  This option can either contain the full principal (for example "
++"host/myhost@EXAMPLE.COM) or just the principal name (for example host/"
++"myhost).  By default, the value is not set and the following principals are "
++"used: <placeholder type=\"programlisting\" id=\"0\"/> If none of them are "
++"found, the first principal in keytab is returned."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1833
++#: sssd-ldap.5.xml:1851
+ msgid "Default: host/hostname@REALM"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1839
++#: sssd-ldap.5.xml:1857
+ msgid "ldap_sasl_realm (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1842
++#: sssd-ldap.5.xml:1860
+ msgid ""
+ "Specify the SASL realm to use. When not specified, this option defaults to "
+ "the value of krb5_realm.  If the ldap_sasl_authid contains the realm as "
+@@ -5934,77 +6099,78 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1848
++#: sssd-ldap.5.xml:1866
+ msgid "Default: the value of krb5_realm."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1854
++#: sssd-ldap.5.xml:1872
+ msgid "ldap_sasl_canonicalize (boolean)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1857
++#: sssd-ldap.5.xml:1875
+ msgid ""
+ "If set to true, the LDAP library would perform a reverse lookup to "
+ "canonicalize the host name during a SASL bind."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1862
++#: sssd-ldap.5.xml:1880
+ msgid "Default: false;"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1868
++#: sssd-ldap.5.xml:1886
+ msgid "ldap_krb5_keytab (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1871
+-msgid "Specify the keytab to use when using SASL/GSSAPI."
++#: sssd-ldap.5.xml:1889
++msgid "Specify the keytab to use when using SASL/GSSAPI/GSS-SPNEGO."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1874
++#: sssd-ldap.5.xml:1893
+ msgid "Default: System keytab, normally <filename>/etc/krb5.keytab</filename>"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1880
++#: sssd-ldap.5.xml:1899
+ msgid "ldap_krb5_init_creds (boolean)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1883
++#: sssd-ldap.5.xml:1902
+ msgid ""
+ "Specifies that the id_provider should init Kerberos credentials (TGT).  This "
+ "action is performed only if SASL is used and the mechanism selected is "
+-"GSSAPI."
++"GSSAPI or GSS-SPNEGO."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1895
++#: sssd-ldap.5.xml:1914
+ msgid "ldap_krb5_ticket_lifetime (integer)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1898
+-msgid "Specifies the lifetime in seconds of the TGT if GSSAPI is used."
++#: sssd-ldap.5.xml:1917
++msgid ""
++"Specifies the lifetime in seconds of the TGT if GSSAPI or GSS-SPNEGO is used."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1902 sssd-ad.5.xml:959
++#: sssd-ldap.5.xml:1921 sssd-ad.5.xml:978
+ msgid "Default: 86400 (24 hours)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1908 sssd-krb5.5.xml:74
++#: sssd-ldap.5.xml:1927 sssd-krb5.5.xml:74
+ msgid "krb5_server, krb5_backup_server (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1911
++#: sssd-ldap.5.xml:1930
+ msgid ""
+ "Specifies the comma-separated list of IP addresses or hostnames of the "
+ "Kerberos servers to which SSSD should connect in the order of preference. "
+@@ -6016,7 +6182,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1923 sssd-krb5.5.xml:89
++#: sssd-ldap.5.xml:1942 sssd-krb5.5.xml:89
+ msgid ""
+ "When using service discovery for KDC or kpasswd servers, SSSD first searches "
+ "for DNS entries that specify _udp as the protocol and falls back to _tcp if "
+@@ -6024,7 +6190,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1928 sssd-krb5.5.xml:94
++#: sssd-ldap.5.xml:1947 sssd-krb5.5.xml:94
+ msgid ""
+ "This option was named <quote>krb5_kdcip</quote> in earlier releases of SSSD. "
+ "While the legacy name is recognized for the time being, users are advised to "
+@@ -6032,39 +6198,39 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1937 sssd-ipa.5.xml:428 sssd-krb5.5.xml:103
++#: sssd-ldap.5.xml:1956 sssd-ipa.5.xml:428 sssd-krb5.5.xml:103
+ msgid "krb5_realm (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1940
+-msgid "Specify the Kerberos REALM (for SASL/GSSAPI auth)."
++#: sssd-ldap.5.xml:1959
++msgid "Specify the Kerberos REALM (for SASL/GSSAPI/GSS-SPNEGO auth)."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1943
++#: sssd-ldap.5.xml:1963
+ msgid "Default: System defaults, see <filename>/etc/krb5.conf</filename>"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1949 sssd-krb5.5.xml:462
++#: sssd-ldap.5.xml:1969 sssd-krb5.5.xml:462
+ msgid "krb5_canonicalize (boolean)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1952
++#: sssd-ldap.5.xml:1972
+ msgid ""
+ "Specifies if the host principal should be canonicalized when connecting to "
+ "LDAP server. This feature is available with MIT Kerberos >= 1.7"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1964 sssd-krb5.5.xml:477
++#: sssd-ldap.5.xml:1984 sssd-krb5.5.xml:477
+ msgid "krb5_use_kdcinfo (boolean)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1967 sssd-krb5.5.xml:480
++#: sssd-ldap.5.xml:1987 sssd-krb5.5.xml:480
+ msgid ""
+ "Specifies if the SSSD should instruct the Kerberos libraries what realm and "
+ "which KDCs to use. This option is on by default, if you disable it, you need "
+@@ -6074,7 +6240,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1978 sssd-krb5.5.xml:491
++#: sssd-ldap.5.xml:1998 sssd-krb5.5.xml:491
+ msgid ""
+ "See the <citerefentry> <refentrytitle>sssd_krb5_locator_plugin</"
+ "refentrytitle> <manvolnum>8</manvolnum> </citerefentry> manual page for more "
+@@ -6082,26 +6248,26 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1992
++#: sssd-ldap.5.xml:2012
+ msgid "ldap_pwd_policy (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1995
++#: sssd-ldap.5.xml:2015
+ msgid ""
+ "Select the policy to evaluate the password expiration on the client side. "
+ "The following values are allowed:"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2000
++#: sssd-ldap.5.xml:2020
+ msgid ""
+ "<emphasis>none</emphasis> - No evaluation on the client side. This option "
+ "cannot disable server-side password policies."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2005
++#: sssd-ldap.5.xml:2025
+ msgid ""
+ "<emphasis>shadow</emphasis> - Use <citerefentry><refentrytitle>shadow</"
+ "refentrytitle> <manvolnum>5</manvolnum></citerefentry> style attributes to "
+@@ -6109,7 +6275,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2011
++#: sssd-ldap.5.xml:2031
+ msgid ""
+ "<emphasis>mit_kerberos</emphasis> - Use the attributes used by MIT Kerberos "
+ "to determine if the password has expired. Use chpass_provider=krb5 to update "
+@@ -6117,31 +6283,31 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2020
++#: sssd-ldap.5.xml:2040
+ msgid ""
+ "<emphasis>Note</emphasis>: if a password policy is configured on server "
+ "side, it always takes precedence over policy set with this option."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2028
++#: sssd-ldap.5.xml:2048
+ msgid "ldap_referrals (boolean)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2031
++#: sssd-ldap.5.xml:2051
+ msgid "Specifies whether automatic referral chasing should be enabled."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2035
++#: sssd-ldap.5.xml:2055
+ msgid ""
+ "Please note that sssd only supports referral chasing when it is compiled "
+ "with OpenLDAP version 2.4.13 or higher."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2040
++#: sssd-ldap.5.xml:2060
+ msgid ""
+ "Chasing referrals may incur a performance penalty in environments that use "
+ "them heavily, a notable example is Microsoft Active Directory. If your setup "
+@@ -6150,56 +6316,56 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2054
++#: sssd-ldap.5.xml:2074
+ msgid "ldap_dns_service_name (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2057
++#: sssd-ldap.5.xml:2077
+ msgid "Specifies the service name to use when service discovery is enabled."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2061
++#: sssd-ldap.5.xml:2081
+ msgid "Default: ldap"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2067
++#: sssd-ldap.5.xml:2087
+ msgid "ldap_chpass_dns_service_name (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2070
++#: sssd-ldap.5.xml:2090
+ msgid ""
+ "Specifies the service name to use to find an LDAP server which allows "
+ "password changes when service discovery is enabled."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2075
++#: sssd-ldap.5.xml:2095
+ msgid "Default: not set, i.e. service discovery is disabled"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2081
++#: sssd-ldap.5.xml:2101
+ msgid "ldap_chpass_update_last_change (bool)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2084
++#: sssd-ldap.5.xml:2104
+ msgid ""
+ "Specifies whether to update the ldap_user_shadow_last_change attribute with "
+ "days since the Epoch after a password change operation."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2096
++#: sssd-ldap.5.xml:2116
+ msgid "ldap_access_filter (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2099
++#: sssd-ldap.5.xml:2119
+ msgid ""
+ "If using access_provider = ldap and ldap_access_order = filter (default), "
+ "this option is mandatory. It specifies an LDAP search filter criteria that "
+@@ -6215,12 +6381,12 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2119
++#: sssd-ldap.5.xml:2139
+ msgid "Example:"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><programlisting>
+-#: sssd-ldap.5.xml:2122
++#: sssd-ldap.5.xml:2142
+ #, no-wrap
+ msgid ""
+ "access_provider = ldap\n"
+@@ -6229,14 +6395,14 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2126
++#: sssd-ldap.5.xml:2146
+ msgid ""
+ "This example means that access to this host is restricted to users whose "
+ "employeeType attribute is set to \"admin\"."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2131
++#: sssd-ldap.5.xml:2151
+ msgid ""
+ "Offline caching for this feature is limited to determining whether the "
+ "user's last online login was granted access permission. If they were granted "
+@@ -6245,24 +6411,24 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2139 sssd-ldap.5.xml:2196
++#: sssd-ldap.5.xml:2159 sssd-ldap.5.xml:2216
+ msgid "Default: Empty"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2145
++#: sssd-ldap.5.xml:2165
+ msgid "ldap_account_expire_policy (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2148
++#: sssd-ldap.5.xml:2168
+ msgid ""
+ "With this option a client side evaluation of access control attributes can "
+ "be enabled."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2152
++#: sssd-ldap.5.xml:2172
+ msgid ""
+ "Please note that it is always recommended to use server side access control, "
+ "i.e. the LDAP server should deny the bind request with a suitable error code "
+@@ -6270,19 +6436,19 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2159
++#: sssd-ldap.5.xml:2179
+ msgid "The following values are allowed:"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2162
++#: sssd-ldap.5.xml:2182
+ msgid ""
+ "<emphasis>shadow</emphasis>: use the value of ldap_user_shadow_expire to "
+ "determine if the account is expired."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2167
++#: sssd-ldap.5.xml:2187
+ msgid ""
+ "<emphasis>ad</emphasis>: use the value of the 32bit field "
+ "ldap_user_ad_user_account_control and allow access if the second bit is not "
+@@ -6291,7 +6457,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2174
++#: sssd-ldap.5.xml:2194
+ msgid ""
+ "<emphasis>rhds</emphasis>, <emphasis>ipa</emphasis>, <emphasis>389ds</"
+ "emphasis>: use the value of ldap_ns_account_lock to check if access is "
+@@ -6299,7 +6465,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2180
++#: sssd-ldap.5.xml:2200
+ msgid ""
+ "<emphasis>nds</emphasis>: the values of "
+ "ldap_user_nds_login_allowed_time_map, ldap_user_nds_login_disabled and "
+@@ -6308,7 +6474,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2189
++#: sssd-ldap.5.xml:2209
+ msgid ""
+ "Please note that the ldap_access_order configuration option <emphasis>must</"
+ "emphasis> include <quote>expire</quote> in order for the "
+@@ -6316,22 +6482,22 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2202
++#: sssd-ldap.5.xml:2222
+ msgid "ldap_access_order (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2205
++#: sssd-ldap.5.xml:2225
+ msgid "Comma separated list of access control options.  Allowed values are:"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2209
++#: sssd-ldap.5.xml:2229
+ msgid "<emphasis>filter</emphasis>: use ldap_access_filter"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2212
++#: sssd-ldap.5.xml:2232
+ msgid ""
+ "<emphasis>lockout</emphasis>: use account locking.  If set, this option "
+ "denies access in case that ldap attribute 'pwdAccountLockedTime' is present "
+@@ -6341,14 +6507,14 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2222
++#: sssd-ldap.5.xml:2242
+ msgid ""
+ "<emphasis> Please note that this option is superseded by the <quote>ppolicy</"
+ "quote> option and might be removed in a future release.  </emphasis>"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2229
++#: sssd-ldap.5.xml:2249
+ msgid ""
+ "<emphasis>ppolicy</emphasis>: use account locking.  If set, this option "
+ "denies access in case that ldap attribute 'pwdAccountLockedTime' is present "
+@@ -6361,12 +6527,12 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2246
++#: sssd-ldap.5.xml:2266
+ msgid "<emphasis>expire</emphasis>: use ldap_account_expire_policy"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2250
++#: sssd-ldap.5.xml:2270
+ msgid ""
+ "<emphasis>pwd_expire_policy_reject, pwd_expire_policy_warn, "
+ "pwd_expire_policy_renew: </emphasis> These options are useful if users are "
+@@ -6376,7 +6542,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2260
++#: sssd-ldap.5.xml:2280
+ msgid ""
+ "The difference between these options is the action taken if user password is "
+ "expired: pwd_expire_policy_reject - user is denied to log in, "
+@@ -6386,63 +6552,63 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2268
++#: sssd-ldap.5.xml:2288
+ msgid ""
+ "Note If user password is expired no explicit message is prompted by SSSD."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2272
++#: sssd-ldap.5.xml:2292
+ msgid ""
+ "Please note that 'access_provider = ldap' must be set for this feature to "
+ "work. Also 'ldap_pwd_policy' must be set to an appropriate password policy."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2277
++#: sssd-ldap.5.xml:2297
+ msgid ""
+ "<emphasis>authorized_service</emphasis>: use the authorizedService attribute "
+ "to determine access"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2282
++#: sssd-ldap.5.xml:2302
+ msgid "<emphasis>host</emphasis>: use the host attribute to determine access"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2286
++#: sssd-ldap.5.xml:2306
+ msgid ""
+ "<emphasis>rhost</emphasis>: use the rhost attribute to determine whether "
+ "remote host can access"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2290
++#: sssd-ldap.5.xml:2310
+ msgid ""
+ "Please note, rhost field in pam is set by application, it is better to check "
+ "what the application sends to pam, before enabling this access control option"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2295
++#: sssd-ldap.5.xml:2315
+ msgid "Default: filter"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2298
++#: sssd-ldap.5.xml:2318
+ msgid ""
+ "Please note that it is a configuration error if a value is used more than "
+ "once."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2305
++#: sssd-ldap.5.xml:2325
+ msgid "ldap_pwdlockout_dn (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2308
++#: sssd-ldap.5.xml:2328
+ msgid ""
+ "This option specifies the DN of password policy entry on LDAP server. Please "
+ "note that absence of this option in sssd.conf in case of enabled account "
+@@ -6451,74 +6617,74 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2316
++#: sssd-ldap.5.xml:2336
+ msgid "Example: cn=ppolicy,ou=policies,dc=example,dc=com"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2319
++#: sssd-ldap.5.xml:2339
+ msgid "Default: cn=ppolicy,ou=policies,$ldap_search_base"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2325
++#: sssd-ldap.5.xml:2345
+ msgid "ldap_deref (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2328
++#: sssd-ldap.5.xml:2348
+ msgid ""
+ "Specifies how alias dereferencing is done when performing a search. The "
+ "following options are allowed:"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2333
++#: sssd-ldap.5.xml:2353
+ msgid "<emphasis>never</emphasis>: Aliases are never dereferenced."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2337
++#: sssd-ldap.5.xml:2357
+ msgid ""
+ "<emphasis>searching</emphasis>: Aliases are dereferenced in subordinates of "
+ "the base object, but not in locating the base object of the search."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2342
++#: sssd-ldap.5.xml:2362
+ msgid ""
+ "<emphasis>finding</emphasis>: Aliases are only dereferenced when locating "
+ "the base object of the search."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2347
++#: sssd-ldap.5.xml:2367
+ msgid ""
+ "<emphasis>always</emphasis>: Aliases are dereferenced both in searching and "
+ "in locating the base object of the search."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2352
++#: sssd-ldap.5.xml:2372
+ msgid ""
+ "Default: Empty (this is handled as <emphasis>never</emphasis> by the LDAP "
+ "client libraries)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2360
++#: sssd-ldap.5.xml:2380
+ msgid "ldap_rfc2307_fallback_to_local_users (boolean)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2363
++#: sssd-ldap.5.xml:2383
+ msgid ""
+ "Allows to retain local users as members of an LDAP group for servers that "
+ "use the RFC2307 schema."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2367
++#: sssd-ldap.5.xml:2387
+ msgid ""
+ "In some environments where the RFC2307 schema is used, local users are made "
+ "members of LDAP groups by adding their names to the memberUid attribute.  "
+@@ -6529,7 +6695,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2378
++#: sssd-ldap.5.xml:2398
+ msgid ""
+ "This option falls back to checking if local users are referenced, and caches "
+ "them so that later initgroups() calls will augment the local users with the "
+@@ -6537,24 +6703,24 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2390 sssd-ifp.5.xml:136
++#: sssd-ldap.5.xml:2410 sssd-ifp.5.xml:136
+ msgid "wildcard_limit (integer)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2393
++#: sssd-ldap.5.xml:2413
+ msgid ""
+ "Specifies an upper limit on the number of entries that are downloaded during "
+ "a wildcard lookup."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2397
++#: sssd-ldap.5.xml:2417
+ msgid "At the moment, only the InfoPipe responder supports wildcard lookups."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2401
++#: sssd-ldap.5.xml:2421
+ msgid "Default: 1000 (often the size of one page)"
+ msgstr ""
+ 
+@@ -6569,12 +6735,12 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><title>
+-#: sssd-ldap.5.xml:2411
++#: sssd-ldap.5.xml:2431
+ msgid "SUDO OPTIONS"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd-ldap.5.xml:2413
++#: sssd-ldap.5.xml:2433
+ msgid ""
+ "The detailed instructions for configuration of sudo_provider are in the "
+ "manual page <citerefentry> <refentrytitle>sssd-sudo</refentrytitle> "
+@@ -6582,208 +6748,208 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2424
++#: sssd-ldap.5.xml:2444
+ msgid "ldap_sudorule_object_class (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2427
++#: sssd-ldap.5.xml:2447
+ msgid "The object class of a sudo rule entry in LDAP."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2430
++#: sssd-ldap.5.xml:2450
+ msgid "Default: sudoRole"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2436
++#: sssd-ldap.5.xml:2456
+ msgid "ldap_sudorule_name (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2439
++#: sssd-ldap.5.xml:2459
+ msgid "The LDAP attribute that corresponds to the sudo rule name."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2449
++#: sssd-ldap.5.xml:2469
+ msgid "ldap_sudorule_command (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2452
++#: sssd-ldap.5.xml:2472
+ msgid "The LDAP attribute that corresponds to the command name."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2456
++#: sssd-ldap.5.xml:2476
+ msgid "Default: sudoCommand"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2462
++#: sssd-ldap.5.xml:2482
+ msgid "ldap_sudorule_host (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2465
++#: sssd-ldap.5.xml:2485
+ msgid ""
+ "The LDAP attribute that corresponds to the host name (or host IP address, "
+ "host IP network, or host netgroup)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2470
++#: sssd-ldap.5.xml:2490
+ msgid "Default: sudoHost"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2476
++#: sssd-ldap.5.xml:2496
+ msgid "ldap_sudorule_user (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2479
++#: sssd-ldap.5.xml:2499
+ msgid ""
+ "The LDAP attribute that corresponds to the user name (or UID, group name or "
+ "user's netgroup)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2483
++#: sssd-ldap.5.xml:2503
+ msgid "Default: sudoUser"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2489
++#: sssd-ldap.5.xml:2509
+ msgid "ldap_sudorule_option (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2492
++#: sssd-ldap.5.xml:2512
+ msgid "The LDAP attribute that corresponds to the sudo options."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2496
++#: sssd-ldap.5.xml:2516
+ msgid "Default: sudoOption"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2502
++#: sssd-ldap.5.xml:2522
+ msgid "ldap_sudorule_runasuser (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2505
++#: sssd-ldap.5.xml:2525
+ msgid ""
+ "The LDAP attribute that corresponds to the user name that commands may be "
+ "run as."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2509
++#: sssd-ldap.5.xml:2529
+ msgid "Default: sudoRunAsUser"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2515
++#: sssd-ldap.5.xml:2535
+ msgid "ldap_sudorule_runasgroup (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2518
++#: sssd-ldap.5.xml:2538
+ msgid ""
+ "The LDAP attribute that corresponds to the group name or group GID that "
+ "commands may be run as."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2522
++#: sssd-ldap.5.xml:2542
+ msgid "Default: sudoRunAsGroup"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2528
++#: sssd-ldap.5.xml:2548
+ msgid "ldap_sudorule_notbefore (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2531
++#: sssd-ldap.5.xml:2551
+ msgid ""
+ "The LDAP attribute that corresponds to the start date/time for when the sudo "
+ "rule is valid."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2535
++#: sssd-ldap.5.xml:2555
+ msgid "Default: sudoNotBefore"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2541
++#: sssd-ldap.5.xml:2561
+ msgid "ldap_sudorule_notafter (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2544
++#: sssd-ldap.5.xml:2564
+ msgid ""
+ "The LDAP attribute that corresponds to the expiration date/time, after which "
+ "the sudo rule will no longer be valid."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2549
++#: sssd-ldap.5.xml:2569
+ msgid "Default: sudoNotAfter"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2555
++#: sssd-ldap.5.xml:2575
+ msgid "ldap_sudorule_order (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2558
++#: sssd-ldap.5.xml:2578
+ msgid "The LDAP attribute that corresponds to the ordering index of the rule."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2562
++#: sssd-ldap.5.xml:2582
+ msgid "Default: sudoOrder"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2568
++#: sssd-ldap.5.xml:2588
+ msgid "ldap_sudo_full_refresh_interval (integer)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2571
++#: sssd-ldap.5.xml:2591
+ msgid ""
+ "How many seconds SSSD will wait between executing a full refresh of sudo "
+ "rules (which downloads all rules that are stored on the server)."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2576
++#: sssd-ldap.5.xml:2596
+ msgid ""
+ "The value must be greater than <emphasis>ldap_sudo_smart_refresh_interval </"
+ "emphasis>"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2581
++#: sssd-ldap.5.xml:2601
+ msgid "Default: 21600 (6 hours)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2587
++#: sssd-ldap.5.xml:2607
+ msgid "ldap_sudo_smart_refresh_interval (integer)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2590
++#: sssd-ldap.5.xml:2610
+ msgid ""
+ "How many seconds SSSD has to wait before executing a smart refresh of sudo "
+ "rules (which downloads all rules that have USN higher than the highest USN "
+@@ -6791,101 +6957,101 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2596
++#: sssd-ldap.5.xml:2616
+ msgid ""
+ "If USN attributes are not supported by the server, the modifyTimestamp "
+ "attribute is used instead."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2606
++#: sssd-ldap.5.xml:2626
+ msgid "ldap_sudo_use_host_filter (boolean)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2609
++#: sssd-ldap.5.xml:2629
+ msgid ""
+ "If true, SSSD will download only rules that are applicable to this machine "
+ "(using the IPv4 or IPv6 host/network addresses and hostnames)."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2620
++#: sssd-ldap.5.xml:2640
+ msgid "ldap_sudo_hostnames (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2623
++#: sssd-ldap.5.xml:2643
+ msgid ""
+ "Space separated list of hostnames or fully qualified domain names that "
+ "should be used to filter the rules."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2628
++#: sssd-ldap.5.xml:2648
+ msgid ""
+ "If this option is empty, SSSD will try to discover the hostname and the "
+ "fully qualified domain name automatically."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2633 sssd-ldap.5.xml:2656 sssd-ldap.5.xml:2674
+-#: sssd-ldap.5.xml:2692
++#: sssd-ldap.5.xml:2653 sssd-ldap.5.xml:2676 sssd-ldap.5.xml:2694
++#: sssd-ldap.5.xml:2712
+ msgid ""
+ "If <emphasis>ldap_sudo_use_host_filter</emphasis> is <emphasis>false</"
+ "emphasis> then this option has no effect."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2638 sssd-ldap.5.xml:2661
++#: sssd-ldap.5.xml:2658 sssd-ldap.5.xml:2681
+ msgid "Default: not specified"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2644
++#: sssd-ldap.5.xml:2664
+ msgid "ldap_sudo_ip (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2647
++#: sssd-ldap.5.xml:2667
+ msgid ""
+ "Space separated list of IPv4 or IPv6 host/network addresses that should be "
+ "used to filter the rules."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2652
++#: sssd-ldap.5.xml:2672
+ msgid ""
+ "If this option is empty, SSSD will try to discover the addresses "
+ "automatically."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2667
++#: sssd-ldap.5.xml:2687
+ msgid "ldap_sudo_include_netgroups (boolean)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2670
++#: sssd-ldap.5.xml:2690
+ msgid ""
+ "If true then SSSD will download every rule that contains a netgroup in "
+ "sudoHost attribute."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2685
++#: sssd-ldap.5.xml:2705
+ msgid "ldap_sudo_include_regexp (boolean)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2688
++#: sssd-ldap.5.xml:2708
+ msgid ""
+ "If true then SSSD will download every rule that contains a wildcard in "
+ "sudoHost attribute."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd-ldap.5.xml:2704
++#: sssd-ldap.5.xml:2724
+ msgid ""
+ "This manual page only describes attribute name mapping.  For detailed "
+ "explanation of sudo related attribute semantics, see <citerefentry> "
+@@ -6894,111 +7060,111 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><title>
+-#: sssd-ldap.5.xml:2714
++#: sssd-ldap.5.xml:2734
+ msgid "AUTOFS OPTIONS"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd-ldap.5.xml:2716
++#: sssd-ldap.5.xml:2736
+ msgid ""
+ "Some of the defaults for the parameters below are dependent on the LDAP "
+ "schema."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2722
++#: sssd-ldap.5.xml:2742
+ msgid "ldap_autofs_map_master_name (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2725
++#: sssd-ldap.5.xml:2745
+ msgid "The name of the automount master map in LDAP."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2728
++#: sssd-ldap.5.xml:2748
+ msgid "Default: auto.master"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2735
++#: sssd-ldap.5.xml:2755
+ msgid "ldap_autofs_map_object_class (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2738
++#: sssd-ldap.5.xml:2758
+ msgid "The object class of an automount map entry in LDAP."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2741
++#: sssd-ldap.5.xml:2761
+ msgid "Default: nisMap (rfc2307, autofs_provider=ad), otherwise automountMap"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2749
++#: sssd-ldap.5.xml:2769
+ msgid "ldap_autofs_map_name (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2752
++#: sssd-ldap.5.xml:2772
+ msgid "The name of an automount map entry in LDAP."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2755
++#: sssd-ldap.5.xml:2775
+ msgid ""
+ "Default: nisMapName (rfc2307, autofs_provider=ad), otherwise automountMapName"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2763
++#: sssd-ldap.5.xml:2783
+ msgid "ldap_autofs_entry_object_class (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2766
++#: sssd-ldap.5.xml:2786
+ msgid ""
+ "The object class of an automount entry in LDAP. The entry usually "
+ "corresponds to a mount point."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2771
++#: sssd-ldap.5.xml:2791
+ msgid "Default: nisObject (rfc2307, autofs_provider=ad), otherwise automount"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2779
++#: sssd-ldap.5.xml:2799
+ msgid "ldap_autofs_entry_key (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2782 sssd-ldap.5.xml:2797
++#: sssd-ldap.5.xml:2802 sssd-ldap.5.xml:2817
+ msgid ""
+ "The key of an automount entry in LDAP. The entry usually corresponds to a "
+ "mount point."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2786
++#: sssd-ldap.5.xml:2806
+ msgid "Default: cn (rfc2307, autofs_provider=ad), otherwise automountKey"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2794
++#: sssd-ldap.5.xml:2814
+ msgid "ldap_autofs_entry_value (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2801
++#: sssd-ldap.5.xml:2821
+ msgid ""
+ "Default: nisMapEntry (rfc2307, autofs_provider=ad), otherwise "
+ "automountInformation"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd-ldap.5.xml:2720
++#: sssd-ldap.5.xml:2740
+ msgid ""
+ "<placeholder type=\"variablelist\" id=\"0\"/> <placeholder type="
+ "\"variablelist\" id=\"1\"/> <placeholder type=\"variablelist\" id=\"2\"/> "
+@@ -7007,32 +7173,32 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><title>
+-#: sssd-ldap.5.xml:2812
++#: sssd-ldap.5.xml:2832
+ msgid "ADVANCED OPTIONS"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2819
++#: sssd-ldap.5.xml:2839
+ msgid "ldap_netgroup_search_base (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2824
++#: sssd-ldap.5.xml:2844
+ msgid "ldap_user_search_base (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2829
++#: sssd-ldap.5.xml:2849
+ msgid "ldap_group_search_base (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><note>
+-#: sssd-ldap.5.xml:2834
++#: sssd-ldap.5.xml:2854
+ msgid "<note>"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><note><para>
+-#: sssd-ldap.5.xml:2836
++#: sssd-ldap.5.xml:2856
+ msgid ""
+ "If the option <quote>ldap_use_tokengroups</quote> is enabled, the searches "
+ "against Active Directory will not be restricted and return all groups "
+@@ -7041,22 +7207,22 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist>
+-#: sssd-ldap.5.xml:2843
++#: sssd-ldap.5.xml:2863
+ msgid "</note>"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2845
++#: sssd-ldap.5.xml:2865
+ msgid "ldap_sudo_search_base (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2850
++#: sssd-ldap.5.xml:2870
+ msgid "ldap_autofs_search_base (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd-ldap.5.xml:2814
++#: sssd-ldap.5.xml:2834
+ msgid ""
+ "These options are supported by LDAP domains, but they should be used with "
+ "caution. Please include them in your configuration only if you know what you "
+@@ -7065,14 +7231,14 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><title>
+-#: sssd-ldap.5.xml:2865 sssd-simple.5.xml:131 sssd-ipa.5.xml:828
+-#: sssd-ad.5.xml:1063 sssd-krb5.5.xml:570 sss_rpcidmapd.5.xml:98
++#: sssd-ldap.5.xml:2885 sssd-simple.5.xml:131 sssd-ipa.5.xml:828
++#: sssd-ad.5.xml:1082 sssd-krb5.5.xml:604 sss_rpcidmapd.5.xml:98
+ #: sssd-files.5.xml:103 sssd-session-recording.5.xml:144
+ msgid "EXAMPLE"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd-ldap.5.xml:2867
++#: sssd-ldap.5.xml:2887
+ msgid ""
+ "The following example assumes that SSSD is correctly configured and LDAP is "
+ "set to one of the domains in the <replaceable>[domains]</replaceable> "
+@@ -7080,7 +7246,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><programlisting>
+-#: sssd-ldap.5.xml:2873
++#: sssd-ldap.5.xml:2893
+ #, no-wrap
+ msgid ""
+ "[domain/LDAP]\n"
+@@ -7093,27 +7259,27 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <refsect1><refsect2><para>
+-#: sssd-ldap.5.xml:2872 sssd-ldap.5.xml:2890 sssd-simple.5.xml:139
+-#: sssd-ipa.5.xml:836 sssd-ad.5.xml:1071 sssd-sudo.5.xml:56 sssd-krb5.5.xml:579
++#: sssd-ldap.5.xml:2892 sssd-ldap.5.xml:2910 sssd-simple.5.xml:139
++#: sssd-ipa.5.xml:836 sssd-ad.5.xml:1090 sssd-sudo.5.xml:56 sssd-krb5.5.xml:613
+ #: sssd-files.5.xml:110 sssd-session-recording.5.xml:150
+ #: include/ldap_id_mapping.xml:105
+ msgid "<placeholder type=\"programlisting\" id=\"0\"/>"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><title>
+-#: sssd-ldap.5.xml:2884
++#: sssd-ldap.5.xml:2904
+ msgid "LDAP ACCESS FILTER EXAMPLE"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd-ldap.5.xml:2886
++#: sssd-ldap.5.xml:2906
+ msgid ""
+ "The following example assumes that SSSD is correctly configured and to use "
+ "the ldap_access_order=lockout."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><programlisting>
+-#: sssd-ldap.5.xml:2891
++#: sssd-ldap.5.xml:2911
+ #, no-wrap
+ msgid ""
+ "[domain/LDAP]\n"
+@@ -7129,13 +7295,13 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><title>
+-#: sssd-ldap.5.xml:2906 sssd_krb5_locator_plugin.8.xml:83 sssd-simple.5.xml:148
+-#: sssd-ad.5.xml:1086 sssd.8.xml:230 sss_seed.8.xml:163
++#: sssd-ldap.5.xml:2926 sssd_krb5_locator_plugin.8.xml:83 sssd-simple.5.xml:148
++#: sssd-ad.5.xml:1105 sssd.8.xml:230 sss_seed.8.xml:163
+ msgid "NOTES"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd-ldap.5.xml:2908
++#: sssd-ldap.5.xml:2928
+ msgid ""
+ "The descriptions of some of the configuration options in this manual page "
+ "are based on the <citerefentry> <refentrytitle>ldap.conf</refentrytitle> "
+@@ -8609,7 +8775,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ipa.5.xml:128 sssd-ad.5.xml:888
++#: sssd-ipa.5.xml:128 sssd-ad.5.xml:907
+ msgid "dyndns_update (boolean)"
+ msgstr ""
+ 
+@@ -8624,7 +8790,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ipa.5.xml:140 sssd-ad.5.xml:902
++#: sssd-ipa.5.xml:140 sssd-ad.5.xml:921
+ msgid ""
+ "NOTE: On older systems (such as RHEL 5), for this behavior to work reliably, "
+ "the default Kerberos realm must be set properly in /etc/krb5.conf"
+@@ -8639,12 +8805,12 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ipa.5.xml:157 sssd-ad.5.xml:913
++#: sssd-ipa.5.xml:157 sssd-ad.5.xml:932
+ msgid "dyndns_ttl (integer)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ipa.5.xml:160 sssd-ad.5.xml:916
++#: sssd-ipa.5.xml:160 sssd-ad.5.xml:935
+ msgid ""
+ "The TTL to apply to the client DNS record when updating it.  If "
+ "dyndns_update is false this has no effect. This will override the TTL "
+@@ -8665,12 +8831,12 @@ msgid "Default: 1200 (seconds)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ipa.5.xml:177 sssd-ad.5.xml:927
++#: sssd-ipa.5.xml:177 sssd-ad.5.xml:946
+ msgid "dyndns_iface (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ipa.5.xml:180 sssd-ad.5.xml:930
++#: sssd-ipa.5.xml:180 sssd-ad.5.xml:949
+ msgid ""
+ "Optional. Applicable only when dyndns_update is true. Choose the interface "
+ "or a list of interfaces whose IP addresses should be used for dynamic DNS "
+@@ -8694,17 +8860,17 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ipa.5.xml:197 sssd-ad.5.xml:941
++#: sssd-ipa.5.xml:197 sssd-ad.5.xml:960
+ msgid "Example: dyndns_iface = em1, vnet1, vnet2"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ipa.5.xml:203 sssd-ad.5.xml:992
++#: sssd-ipa.5.xml:203 sssd-ad.5.xml:1011
+ msgid "dyndns_auth (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ipa.5.xml:206 sssd-ad.5.xml:995
++#: sssd-ipa.5.xml:206 sssd-ad.5.xml:1014
+ msgid ""
+ "Whether the nsupdate utility should use GSS-TSIG authentication for secure "
+ "updates with the DNS server, insecure updates can be sent by setting this "
+@@ -8712,7 +8878,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ipa.5.xml:212 sssd-ad.5.xml:1001
++#: sssd-ipa.5.xml:212 sssd-ad.5.xml:1020
+ msgid "Default: GSS-TSIG"
+ msgstr ""
+ 
+@@ -8739,7 +8905,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ipa.5.xml:244 sssd-ad.5.xml:947
++#: sssd-ipa.5.xml:244 sssd-ad.5.xml:966
+ msgid "dyndns_refresh_interval (integer)"
+ msgstr ""
+ 
+@@ -8752,12 +8918,12 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ipa.5.xml:260 sssd-ad.5.xml:965
++#: sssd-ipa.5.xml:260 sssd-ad.5.xml:984
+ msgid "dyndns_update_ptr (bool)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ipa.5.xml:263 sssd-ad.5.xml:968
++#: sssd-ipa.5.xml:263 sssd-ad.5.xml:987
+ msgid ""
+ "Whether the PTR record should also be explicitly updated when updating the "
+ "client's DNS records.  Applicable only when dyndns_update is true."
+@@ -8776,50 +8942,50 @@ msgid "Default: False (disabled)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ipa.5.xml:280 sssd-ad.5.xml:979
++#: sssd-ipa.5.xml:280 sssd-ad.5.xml:998
+ msgid "dyndns_force_tcp (bool)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ipa.5.xml:283 sssd-ad.5.xml:982
++#: sssd-ipa.5.xml:283 sssd-ad.5.xml:1001
+ msgid ""
+ "Whether the nsupdate utility should default to using TCP for communicating "
+ "with the DNS server."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ipa.5.xml:287 sssd-ad.5.xml:986
++#: sssd-ipa.5.xml:287 sssd-ad.5.xml:1005
+ msgid "Default: False (let nsupdate choose the protocol)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ipa.5.xml:293 sssd-ad.5.xml:1007
++#: sssd-ipa.5.xml:293 sssd-ad.5.xml:1026
+ msgid "dyndns_server (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ipa.5.xml:296 sssd-ad.5.xml:1010
++#: sssd-ipa.5.xml:296 sssd-ad.5.xml:1029
+ msgid ""
+ "The DNS server to use when performing a DNS update. In most setups, it's "
+ "recommended to leave this option unset."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ipa.5.xml:301 sssd-ad.5.xml:1015
++#: sssd-ipa.5.xml:301 sssd-ad.5.xml:1034
+ msgid ""
+ "Setting this option makes sense for environments where the DNS server is "
+ "different from the identity server."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ipa.5.xml:306 sssd-ad.5.xml:1020
++#: sssd-ipa.5.xml:306 sssd-ad.5.xml:1039
+ msgid ""
+ "Please note that this option will be only used in fallback attempt when "
+ "previous attempt using autodetected settings failed."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ipa.5.xml:311 sssd-ad.5.xml:1025
++#: sssd-ipa.5.xml:311 sssd-ad.5.xml:1044
+ msgid "Default: None (let nsupdate choose the server)"
+ msgstr ""
+ 
+@@ -8930,26 +9096,26 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ipa.5.xml:443 sssd-ad.5.xml:1034
++#: sssd-ipa.5.xml:443 sssd-ad.5.xml:1053
+ msgid "krb5_confd_path (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ipa.5.xml:446 sssd-ad.5.xml:1037
++#: sssd-ipa.5.xml:446 sssd-ad.5.xml:1056
+ msgid ""
+ "Absolute path of a directory where SSSD should place Kerberos configuration "
+ "snippets."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ipa.5.xml:450 sssd-ad.5.xml:1041
++#: sssd-ipa.5.xml:450 sssd-ad.5.xml:1060
+ msgid ""
+ "To disable the creation of the configuration snippets set the parameter to "
+ "'none'."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ipa.5.xml:454 sssd-ad.5.xml:1045
++#: sssd-ipa.5.xml:454 sssd-ad.5.xml:1064
+ msgid ""
+ "Default: not set (krb5.include.d subdirectory of SSSD's pubconf directory)"
+ msgstr ""
+@@ -8968,7 +9134,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ipa.5.xml:471 sssd-ipa.5.xml:501 sssd-ipa.5.xml:517 sssd-ad.5.xml:452
++#: sssd-ipa.5.xml:471 sssd-ipa.5.xml:501 sssd-ipa.5.xml:517 sssd-ad.5.xml:471
+ msgid "Default: 5 (seconds)"
+ msgstr ""
+ 
+@@ -9849,12 +10015,27 @@ msgid "Default: False (seconds)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ad.5.xml:442
++#: sssd-ad.5.xml:441
++msgid "ad_gpo_ignore_unreadable (boolean)"
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
++#: sssd-ad.5.xml:444
++msgid ""
++"Normally when some group policy containers (AD object) of applicable group "
++"policy objects are not readable by SSSD then users are denied access.  This "
++"option allows to ignore group policy containers and with them associated "
++"policies if their attributes in group policy containers are not readable for "
++"SSSD."
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
++#: sssd-ad.5.xml:461
+ msgid "ad_gpo_cache_timeout (integer)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:445
++#: sssd-ad.5.xml:464
+ msgid ""
+ "The amount of time between lookups of GPO policy files against the AD "
+ "server. This will reduce the latency and load on the AD server if there are "
+@@ -9862,12 +10043,12 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ad.5.xml:458
++#: sssd-ad.5.xml:477
+ msgid "ad_gpo_map_interactive (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:461
++#: sssd-ad.5.xml:480
+ msgid ""
+ "A comma-separated list of PAM service names for which GPO-based access "
+ "control is evaluated based on the InteractiveLogonRight and "
+@@ -9875,14 +10056,14 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:467
++#: sssd-ad.5.xml:486
+ msgid ""
+ "Note: Using the Group Policy Management Editor this value is called \"Allow "
+ "log on locally\" and \"Deny log on locally\"."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
+-#: sssd-ad.5.xml:481
++#: sssd-ad.5.xml:500
+ #, no-wrap
+ msgid ""
+ "ad_gpo_map_interactive = +my_pam_service, -login\n"
+@@ -9890,7 +10071,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:472
++#: sssd-ad.5.xml:491
+ msgid ""
+ "It is possible to add another PAM service name to the default set by using "
+ "<quote>+service_name</quote> or to explicitly remove a PAM service name from "
+@@ -9902,42 +10083,42 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd-ad.5.xml:504
++#: sssd-ad.5.xml:523
+ msgid "gdm-fingerprint"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd-ad.5.xml:524
++#: sssd-ad.5.xml:543
+ msgid "lightdm"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd-ad.5.xml:529
++#: sssd-ad.5.xml:548
+ msgid "lxdm"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd-ad.5.xml:534
++#: sssd-ad.5.xml:553
+ msgid "sddm"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd-ad.5.xml:539
++#: sssd-ad.5.xml:558
+ msgid "unity"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd-ad.5.xml:544
++#: sssd-ad.5.xml:563
+ msgid "xdm"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ad.5.xml:553
++#: sssd-ad.5.xml:572
+ msgid "ad_gpo_map_remote_interactive (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:556
++#: sssd-ad.5.xml:575
+ msgid ""
+ "A comma-separated list of PAM service names for which GPO-based access "
+ "control is evaluated based on the RemoteInteractiveLogonRight and "
+@@ -9945,7 +10126,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:562
++#: sssd-ad.5.xml:581
+ msgid ""
+ "Note: Using the Group Policy Management Editor this value is called \"Allow "
+ "log on through Remote Desktop Services\" and \"Deny log on through Remote "
+@@ -9953,7 +10134,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
+-#: sssd-ad.5.xml:577
++#: sssd-ad.5.xml:596
+ #, no-wrap
+ msgid ""
+ "ad_gpo_map_remote_interactive = +my_pam_service, -sshd\n"
+@@ -9961,7 +10142,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:568
++#: sssd-ad.5.xml:587
+ msgid ""
+ "It is possible to add another PAM service name to the default set by using "
+ "<quote>+service_name</quote> or to explicitly remove a PAM service name from "
+@@ -9973,22 +10154,22 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd-ad.5.xml:585
++#: sssd-ad.5.xml:604
+ msgid "sshd"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd-ad.5.xml:590
++#: sssd-ad.5.xml:609
+ msgid "cockpit"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ad.5.xml:599
++#: sssd-ad.5.xml:618
+ msgid "ad_gpo_map_network (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:602
++#: sssd-ad.5.xml:621
+ msgid ""
+ "A comma-separated list of PAM service names for which GPO-based access "
+ "control is evaluated based on the NetworkLogonRight and "
+@@ -9996,7 +10177,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:608
++#: sssd-ad.5.xml:627
+ msgid ""
+ "Note: Using the Group Policy Management Editor this value is called \"Access "
+ "this computer from the network\" and \"Deny access to this computer from the "
+@@ -10004,7 +10185,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
+-#: sssd-ad.5.xml:623
++#: sssd-ad.5.xml:642
+ #, no-wrap
+ msgid ""
+ "ad_gpo_map_network = +my_pam_service, -ftp\n"
+@@ -10012,7 +10193,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:614
++#: sssd-ad.5.xml:633
+ msgid ""
+ "It is possible to add another PAM service name to the default set by using "
+ "<quote>+service_name</quote> or to explicitly remove a PAM service name from "
+@@ -10024,22 +10205,22 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd-ad.5.xml:631
++#: sssd-ad.5.xml:650
+ msgid "ftp"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd-ad.5.xml:636
++#: sssd-ad.5.xml:655
+ msgid "samba"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ad.5.xml:645
++#: sssd-ad.5.xml:664
+ msgid "ad_gpo_map_batch (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:648
++#: sssd-ad.5.xml:667
+ msgid ""
+ "A comma-separated list of PAM service names for which GPO-based access "
+ "control is evaluated based on the BatchLogonRight and DenyBatchLogonRight "
+@@ -10047,14 +10228,14 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:654
++#: sssd-ad.5.xml:673
+ msgid ""
+ "Note: Using the Group Policy Management Editor this value is called \"Allow "
+ "log on as a batch job\" and \"Deny log on as a batch job\"."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
+-#: sssd-ad.5.xml:668
++#: sssd-ad.5.xml:687
+ #, no-wrap
+ msgid ""
+ "ad_gpo_map_batch = +my_pam_service, -crond\n"
+@@ -10062,7 +10243,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:659
++#: sssd-ad.5.xml:678
+ msgid ""
+ "It is possible to add another PAM service name to the default set by using "
+ "<quote>+service_name</quote> or to explicitly remove a PAM service name from "
+@@ -10074,23 +10255,23 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:671
++#: sssd-ad.5.xml:690
+ msgid ""
+ "Note: Cron service name may differ depending on Linux distribution used."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd-ad.5.xml:677
++#: sssd-ad.5.xml:696
+ msgid "crond"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ad.5.xml:686
++#: sssd-ad.5.xml:705
+ msgid "ad_gpo_map_service (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:689
++#: sssd-ad.5.xml:708
+ msgid ""
+ "A comma-separated list of PAM service names for which GPO-based access "
+ "control is evaluated based on the ServiceLogonRight and "
+@@ -10098,14 +10279,14 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:695
++#: sssd-ad.5.xml:714
+ msgid ""
+ "Note: Using the Group Policy Management Editor this value is called \"Allow "
+ "log on as a service\" and \"Deny log on as a service\"."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
+-#: sssd-ad.5.xml:708
++#: sssd-ad.5.xml:727
+ #, no-wrap
+ msgid ""
+ "ad_gpo_map_service = +my_pam_service\n"
+@@ -10113,7 +10294,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:700 sssd-ad.5.xml:775
++#: sssd-ad.5.xml:719 sssd-ad.5.xml:794
+ msgid ""
+ "It is possible to add a PAM service name to the default set by using <quote>"
+ "+service_name</quote>.  Since the default set is empty, it is not possible "
+@@ -10124,19 +10305,19 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ad.5.xml:718
++#: sssd-ad.5.xml:737
+ msgid "ad_gpo_map_permit (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:721
++#: sssd-ad.5.xml:740
+ msgid ""
+ "A comma-separated list of PAM service names for which GPO-based access is "
+ "always granted, regardless of any GPO Logon Rights."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
+-#: sssd-ad.5.xml:735
++#: sssd-ad.5.xml:754
+ #, no-wrap
+ msgid ""
+ "ad_gpo_map_permit = +my_pam_service, -sudo\n"
+@@ -10144,7 +10325,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:726
++#: sssd-ad.5.xml:745
+ msgid ""
+ "It is possible to add another PAM service name to the default set by using "
+ "<quote>+service_name</quote> or to explicitly remove a PAM service name from "
+@@ -10156,29 +10337,29 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd-ad.5.xml:743
++#: sssd-ad.5.xml:762
+ msgid "polkit-1"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd-ad.5.xml:758
++#: sssd-ad.5.xml:777
+ msgid "systemd-user"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ad.5.xml:767
++#: sssd-ad.5.xml:786
+ msgid "ad_gpo_map_deny (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:770
++#: sssd-ad.5.xml:789
+ msgid ""
+ "A comma-separated list of PAM service names for which GPO-based access is "
+ "always denied, regardless of any GPO Logon Rights."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
+-#: sssd-ad.5.xml:783
++#: sssd-ad.5.xml:802
+ #, no-wrap
+ msgid ""
+ "ad_gpo_map_deny = +my_pam_service\n"
+@@ -10186,12 +10367,12 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ad.5.xml:793
++#: sssd-ad.5.xml:812
+ msgid "ad_gpo_default_right (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:796
++#: sssd-ad.5.xml:815
+ msgid ""
+ "This option defines how access control is evaluated for PAM service names "
+ "that are not explicitly listed in one of the ad_gpo_map_* options. This "
+@@ -10204,57 +10385,57 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:809
++#: sssd-ad.5.xml:828
+ msgid "Supported values for this option include:"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd-ad.5.xml:813
++#: sssd-ad.5.xml:832
+ msgid "interactive"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd-ad.5.xml:818
++#: sssd-ad.5.xml:837
+ msgid "remote_interactive"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd-ad.5.xml:823
++#: sssd-ad.5.xml:842
+ msgid "network"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd-ad.5.xml:828
++#: sssd-ad.5.xml:847
+ msgid "batch"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd-ad.5.xml:833
++#: sssd-ad.5.xml:852
+ msgid "service"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd-ad.5.xml:838
++#: sssd-ad.5.xml:857
+ msgid "permit"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd-ad.5.xml:843
++#: sssd-ad.5.xml:862
+ msgid "deny"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:849
++#: sssd-ad.5.xml:868
+ msgid "Default: deny"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ad.5.xml:855
++#: sssd-ad.5.xml:874
+ msgid "ad_maximum_machine_account_password_age (integer)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:858
++#: sssd-ad.5.xml:877
+ msgid ""
+ "SSSD will check once a day if the machine account password is older than the "
+ "given age in days and try to renew it. A value of 0 will disable the renewal "
+@@ -10262,17 +10443,17 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:864
++#: sssd-ad.5.xml:883
+ msgid "Default: 30 days"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ad.5.xml:870
++#: sssd-ad.5.xml:889
+ msgid "ad_machine_account_password_renewal_opts (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:873
++#: sssd-ad.5.xml:892
+ msgid ""
+ "This option should only be used to test the machine account renewal task. "
+ "The option expects 2 integers separated by a colon (':'). The first integer "
+@@ -10282,12 +10463,12 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:882
++#: sssd-ad.5.xml:901
+ msgid "Default: 86400:750 (24h and 15m)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:891
++#: sssd-ad.5.xml:910
+ msgid ""
+ "Optional. This option tells SSSD to automatically update the Active "
+ "Directory DNS server with the IP address of this client. The update is "
+@@ -10298,19 +10479,19 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:921
++#: sssd-ad.5.xml:940
+ msgid "Default: 3600 (seconds)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:937
++#: sssd-ad.5.xml:956
+ msgid ""
+ "Default: Use the IP addresses of the interface which is used for AD LDAP "
+ "connection"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:950
++#: sssd-ad.5.xml:969
+ msgid ""
+ "How often should the back end perform periodic DNS update in addition to the "
+ "automatic update performed when the back end goes online.  This option is "
+@@ -10320,12 +10501,12 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:973 sss_rpcidmapd.5.xml:76
++#: sssd-ad.5.xml:992 sss_rpcidmapd.5.xml:76
+ msgid "Default: True"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd-ad.5.xml:1065
++#: sssd-ad.5.xml:1084
+ msgid ""
+ "The following example assumes that SSSD is correctly configured and example."
+ "com is one of the domains in the <replaceable>[sssd]</replaceable> section. "
+@@ -10333,7 +10514,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><programlisting>
+-#: sssd-ad.5.xml:1072
++#: sssd-ad.5.xml:1091
+ #, no-wrap
+ msgid ""
+ "[domain/EXAMPLE]\n"
+@@ -10348,7 +10529,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><programlisting>
+-#: sssd-ad.5.xml:1092
++#: sssd-ad.5.xml:1111
+ #, no-wrap
+ msgid ""
+ "access_provider = ldap\n"
+@@ -10357,7 +10538,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd-ad.5.xml:1088
++#: sssd-ad.5.xml:1107
+ msgid ""
+ "The AD access control provider checks if the account is expired.  It has the "
+ "same effect as the following configuration of the LDAP provider: "
+@@ -10365,7 +10546,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd-ad.5.xml:1098
++#: sssd-ad.5.xml:1117
+ msgid ""
+ "However, unless the <quote>ad</quote> access control provider is explicitly "
+ "configured, the default access provider is <quote>permit</quote>. Please "
+@@ -10375,7 +10556,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd-ad.5.xml:1106
++#: sssd-ad.5.xml:1125
+ msgid ""
+ "When the autofs provider is set to <quote>ad</quote>, the RFC2307 schema "
+ "attribute mapping (nisMap, nisObject, ...) is used, because these attributes "
+@@ -11833,23 +12014,59 @@ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd-krb5.5.xml:505
+-msgid "krb5_use_enterprise_principal (boolean)"
++msgid "krb5_kdcinfo_lookahead (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-krb5.5.xml:508
+ msgid ""
++"When krb5_use_kdcinfo is set to true, you can limit the amount of servers "
++"handed to <citerefentry> <refentrytitle>sssd_krb5_locator_plugin</"
++"refentrytitle> <manvolnum>8</manvolnum> </citerefentry>.  This might be "
++"helpful when there are too many servers discovered using SRV record."
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
++#: sssd-krb5.5.xml:518
++msgid ""
++"The krb5_kdcinfo_lookahead option contains two numbers seperated by a colon. "
++"The first number represents number of primary servers used and the second "
++"number specifies the number of backup servers."
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
++#: sssd-krb5.5.xml:524
++msgid ""
++"For example <emphasis>10:0</emphasis> means that up to 10 primary servers "
++"will be handed to <citerefentry> <refentrytitle>sssd_krb5_locator_plugin</"
++"refentrytitle> <manvolnum>8</manvolnum> </citerefentry>.  but no backup "
++"servers."
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
++#: sssd-krb5.5.xml:533
++msgid "Default: 3:1"
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
++#: sssd-krb5.5.xml:539
++msgid "krb5_use_enterprise_principal (boolean)"
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
++#: sssd-krb5.5.xml:542
++msgid ""
+ "Specifies if the user principal should be treated as enterprise principal. "
+ "See section 5 of RFC 6806 for more details about enterprise principals."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-krb5.5.xml:514
++#: sssd-krb5.5.xml:548
+ msgid "Default: false (AD provider: true)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-krb5.5.xml:517
++#: sssd-krb5.5.xml:551
+ msgid ""
+ "The IPA provider will set to option to 'true' if it detects that the server "
+ "is capable of handling enterprise principals and the option is not set "
+@@ -11857,12 +12074,12 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-krb5.5.xml:526
++#: sssd-krb5.5.xml:560
+ msgid "krb5_map_user (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-krb5.5.xml:529
++#: sssd-krb5.5.xml:563
+ msgid ""
+ "The list of mappings is given as a comma-separated list of pairs "
+ "<quote>username:primary</quote> where <quote>username</quote> is a UNIX user "
+@@ -11872,7 +12089,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
+-#: sssd-krb5.5.xml:541
++#: sssd-krb5.5.xml:575
+ #, no-wrap
+ msgid ""
+ "krb5_realm = REALM\n"
+@@ -11880,7 +12097,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-krb5.5.xml:546
++#: sssd-krb5.5.xml:580
+ msgid ""
+ "<quote>joe</quote> and <quote>dick</quote> are UNIX user names and "
+ "<quote>juser</quote> and <quote>richard</quote> are primaries of kerberos "
+@@ -11900,7 +12117,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd-krb5.5.xml:572
++#: sssd-krb5.5.xml:606
+ msgid ""
+ "The following example assumes that SSSD is correctly configured and FOO is "
+ "one of the domains in the <replaceable>[sssd]</replaceable> section. This "
+@@ -11909,7 +12126,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><programlisting>
+-#: sssd-krb5.5.xml:580
++#: sssd-krb5.5.xml:614
+ #, no-wrap
+ msgid ""
+ "[domain/FOO]\n"
+diff --git a/src/man/po/de.po b/src/man/po/de.po
+index a4219370a..bc021ec26 100644
+--- a/src/man/po/de.po
++++ b/src/man/po/de.po
+@@ -10,7 +10,7 @@ msgid ""
+ msgstr ""
+ "Project-Id-Version: sssd-docs 2.0.99\n"
+ "Report-Msgid-Bugs-To: sssd-devel@redhat.com\n"
+-"POT-Creation-Date: 2019-03-20 22:06+0100\n"
++"POT-Creation-Date: 2019-10-07 11:33+0200\n"
+ "PO-Revision-Date: 2014-12-14 11:53+0000\n"
+ "Last-Translator: Copied by Zanata <copied-by-zanata@zanata.org>\n"
+ "Language-Team: German (http://www.transifex.com/projects/p/sssd/language/"
+@@ -323,10 +323,10 @@ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:133 sssd.conf.5.xml:543 sssd.conf.5.xml:840
+-#: sssd.conf.5.xml:1566 sssd.conf.5.xml:1596 sssd-ldap.5.xml:1889
+-#: sssd-ldap.5.xml:1986 sssd-ldap.5.xml:2048 sssd-ldap.5.xml:2614
+-#: sssd-ldap.5.xml:2679 sssd-ldap.5.xml:2697 sssd-ad.5.xml:227
+-#: sssd-ad.5.xml:341 sssd-ad.5.xml:907 sssd-krb5.5.xml:499
++#: sssd.conf.5.xml:1566 sssd.conf.5.xml:1596 sssd-ldap.5.xml:1908
++#: sssd-ldap.5.xml:2006 sssd-ldap.5.xml:2068 sssd-ldap.5.xml:2634
++#: sssd-ldap.5.xml:2699 sssd-ldap.5.xml:2717 sssd-ad.5.xml:227
++#: sssd-ad.5.xml:341 sssd-ad.5.xml:926 sssd-krb5.5.xml:499
+ #: sssd-secrets.5.xml:351 sssd-secrets.5.xml:364
+ msgid "Default: true"
+ msgstr "Voreinstellung: »true«"
+@@ -345,16 +345,16 @@ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:146 sssd.conf.5.xml:540 sssd.conf.5.xml:722
+-#: sssd.conf.5.xml:1499 sssd.conf.5.xml:3106 sssd-ldap.5.xml:746
+-#: sssd-ldap.5.xml:1752 sssd-ldap.5.xml:1771 sssd-ldap.5.xml:1958
+-#: sssd-ldap.5.xml:2384 sssd-ipa.5.xml:151 sssd-ipa.5.xml:238
++#: sssd.conf.5.xml:1499 sssd.conf.5.xml:3129 sssd-ldap.5.xml:746
++#: sssd-ldap.5.xml:1759 sssd-ldap.5.xml:1778 sssd-ldap.5.xml:1978
++#: sssd-ldap.5.xml:2404 sssd-ipa.5.xml:151 sssd-ipa.5.xml:238
+ #: sssd-ipa.5.xml:559 sssd-krb5.5.xml:266 sssd-krb5.5.xml:300
+ #: sssd-krb5.5.xml:471
+ msgid "Default: false"
+ msgstr "Voreinstellung: »false«"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para>
+-#: sssd.conf.5.xml:106 sssd.conf.5.xml:157 sssd-ldap.5.xml:2422
++#: sssd.conf.5.xml:106 sssd.conf.5.xml:157 sssd-ldap.5.xml:2442
+ #: sssd-systemtap.5.xml:82 sssd-systemtap.5.xml:143 sssd-systemtap.5.xml:210
+ #: sssd-systemtap.5.xml:248 sssd-systemtap.5.xml:304
+ msgid "<placeholder type=\"variablelist\" id=\"0\"/>"
+@@ -379,8 +379,8 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:169 sssd.conf.5.xml:1377 sssd.conf.5.xml:3122
+-#: sssd-ldap.5.xml:1623 include/ldap_id_mapping.xml:264
++#: sssd.conf.5.xml:169 sssd.conf.5.xml:1377 sssd.conf.5.xml:3145
++#: sssd-ldap.5.xml:1630 include/ldap_id_mapping.xml:264
+ msgid "Default: 10"
+ msgstr "Voreinstellung: 10"
+ 
+@@ -395,7 +395,7 @@ msgid "The [sssd] section"
+ msgstr "Der Abschnitt [sssd]"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><title>
+-#: sssd.conf.5.xml:191 sssd.conf.5.xml:3211
++#: sssd.conf.5.xml:191 sssd.conf.5.xml:3234
+ msgid "Section parameters"
+ msgstr "Abschnittsparameter"
+ 
+@@ -484,7 +484,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:259 sssd.conf.5.xml:2672
++#: sssd.conf.5.xml:259 sssd.conf.5.xml:2680
+ msgid "re_expression (string)"
+ msgstr "re_expression (Zeichenkette)"
+ 
+@@ -507,12 +507,12 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:276 sssd.conf.5.xml:2720
++#: sssd.conf.5.xml:276 sssd.conf.5.xml:2728
+ msgid "full_name_format (string)"
+ msgstr "full_name_format (Zeichenkette)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:279 sssd.conf.5.xml:2723
++#: sssd.conf.5.xml:279 sssd.conf.5.xml:2731
+ msgid ""
+ "A <citerefentry> <refentrytitle>printf</refentrytitle> <manvolnum>3</"
+ "manvolnum> </citerefentry>-compatible format that describes how to compose a "
+@@ -524,32 +524,32 @@ msgstr ""
+ "zusammengestellt wird."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:290 sssd.conf.5.xml:2734
++#: sssd.conf.5.xml:290 sssd.conf.5.xml:2742
+ msgid "%1$s"
+ msgstr "%1$s"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:291 sssd.conf.5.xml:2735
++#: sssd.conf.5.xml:291 sssd.conf.5.xml:2743
+ msgid "user name"
+ msgstr "Benutzername"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:294 sssd.conf.5.xml:2738
++#: sssd.conf.5.xml:294 sssd.conf.5.xml:2746
+ msgid "%2$s"
+ msgstr "%2$s"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:297 sssd.conf.5.xml:2741
++#: sssd.conf.5.xml:297 sssd.conf.5.xml:2749
+ msgid "domain name as specified in the SSSD config file."
+ msgstr "Domain-Name, wie er durch die SSSD-Konfigurationsdatei angegeben wird"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:303 sssd.conf.5.xml:2747
++#: sssd.conf.5.xml:303 sssd.conf.5.xml:2755
+ msgid "%3$s"
+ msgstr "%3$s"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:306 sssd.conf.5.xml:2750
++#: sssd.conf.5.xml:306 sssd.conf.5.xml:2758
+ msgid ""
+ "domain flat name. Mostly usable for Active Directory domains, both directly "
+ "configured or discovered via IPA trusts."
+@@ -558,7 +558,7 @@ msgstr ""
+ "direkt konfiguriert als auch über IPA-Trust"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:287 sssd.conf.5.xml:2731
++#: sssd.conf.5.xml:287 sssd.conf.5.xml:2739
+ msgid ""
+ "The following expansions are supported: <placeholder type=\"variablelist\" "
+ "id=\"0\"/>"
+@@ -713,9 +713,9 @@ msgstr ""
+ 
+ #. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:418 sssd.conf.5.xml:1166 sssd-ldap.5.xml:717
+-#: sssd-ldap.5.xml:1357 sssd-ldap.5.xml:1711 sssd-ldap.5.xml:1723
+-#: sssd-ldap.5.xml:1805 sssd-ad.5.xml:712 sssd-ad.5.xml:787 sssd.8.xml:126
+-#: sssd-krb5.5.xml:410 sssd-krb5.5.xml:556 sssd-secrets.5.xml:339
++#: sssd-ldap.5.xml:1357 sssd-ldap.5.xml:1718 sssd-ldap.5.xml:1730
++#: sssd-ldap.5.xml:1822 sssd-ad.5.xml:731 sssd-ad.5.xml:806 sssd.8.xml:126
++#: sssd-krb5.5.xml:410 sssd-krb5.5.xml:590 sssd-secrets.5.xml:339
+ #: sssd-secrets.5.xml:377 sssd-secrets.5.xml:390 sssd-secrets.5.xml:404
+ #: sssd-secrets.5.xml:415 include/ldap_id_mapping.xml:205
+ #: include/ldap_id_mapping.xml:216
+@@ -906,7 +906,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:588 sssd.conf.5.xml:1389 sssd.conf.5.xml:3172
++#: sssd.conf.5.xml:588 sssd.conf.5.xml:1389 sssd.conf.5.xml:3195
+ #: sssd-ad.5.xml:164 sssd-ad.5.xml:302 sssd-ad.5.xml:316
+ msgid "Default: Not set"
+ msgstr "Voreinstellung: Nicht gesetzt"
+@@ -1275,7 +1275,7 @@ msgstr ""
+ 
+ #. type: Content of: <varlistentry><listitem><para>
+ #: sssd.conf.5.xml:859 sssd.conf.5.xml:1299 sssd.conf.5.xml:1318
+-#: sssd-krb5.5.xml:539 include/override_homedir.xml:59
++#: sssd-krb5.5.xml:573 include/override_homedir.xml:59
+ msgid "example: <placeholder type=\"programlisting\" id=\"0\"/>"
+ msgstr "Beispiel: <placeholder type=\"programlisting\" id=\"0\"/>"
+ 
+@@ -1749,7 +1749,7 @@ msgid "pam_pwd_expiration_warning (integer)"
+ msgstr "pam_pwd_expiration_warning (Ganzzahl)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:1201 sssd.conf.5.xml:2153
++#: sssd.conf.5.xml:1201 sssd.conf.5.xml:2161
+ msgid "Display a warning N days before the password expires."
+ msgstr "zeigt N Tage vor Ablauf des Passworts eine Warnung an."
+ 
+@@ -1765,7 +1765,7 @@ msgstr ""
+ "SSSD keine Warnung anzeigen."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:1210 sssd.conf.5.xml:2156
++#: sssd.conf.5.xml:1210 sssd.conf.5.xml:2164
+ msgid ""
+ "If zero is set, then this filter is not applied, i.e. if the expiration "
+ "warning was received from backend server, it will automatically be displayed."
+@@ -1784,7 +1784,7 @@ msgstr ""
+ "emphasis> für eine bestimmte Domain außer Kraft gesetzt werden."
+ 
+ #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:1220 sssd.conf.5.xml:2976 sssd.8.xml:79
++#: sssd.conf.5.xml:1220 sssd.conf.5.xml:2991 sssd.8.xml:79
+ msgid "Default: 0"
+ msgstr "Voreinstellung: 0"
+ 
+@@ -1847,7 +1847,7 @@ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:1280 sssd.conf.5.xml:1305 sssd.conf.5.xml:1324
+-#: sssd.conf.5.xml:1950 sssd.conf.5.xml:2912 sssd-ldap.5.xml:2017
++#: sssd.conf.5.xml:1950 sssd.conf.5.xml:2920 sssd-ldap.5.xml:2037
+ msgid "Default: none"
+ msgstr "Voreinstellung: none"
+ 
+@@ -1912,9 +1912,9 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:1338 sssd.conf.5.xml:3056 sssd-ldap.5.xml:1125
+-#: sssd-ldap.5.xml:1152 sssd-ldap.5.xml:1552 sssd-ldap.5.xml:1573
+-#: sssd-ldap.5.xml:2090 include/ldap_id_mapping.xml:244
++#: sssd.conf.5.xml:1338 sssd-ldap.5.xml:1125 sssd-ldap.5.xml:1152
++#: sssd-ldap.5.xml:1552 sssd-ldap.5.xml:1573 sssd-ldap.5.xml:2110
++#: sssd-ad.5.xml:453 include/ldap_id_mapping.xml:244
+ msgid "Default: False"
+ msgstr "Voreinstellung: False"
+ 
+@@ -2012,48 +2012,48 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:1416 sssd-ad.5.xml:485 sssd-ad.5.xml:581 sssd-ad.5.xml:627
+-#: sssd-ad.5.xml:673 sssd-ad.5.xml:739
++#: sssd.conf.5.xml:1416 sssd-ad.5.xml:504 sssd-ad.5.xml:600 sssd-ad.5.xml:646
++#: sssd-ad.5.xml:692 sssd-ad.5.xml:758
+ msgid "Default: the default set of PAM service names includes:"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd.conf.5.xml:1421 sssd-ad.5.xml:489
++#: sssd.conf.5.xml:1421 sssd-ad.5.xml:508
+ msgid "login"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd.conf.5.xml:1426 sssd-ad.5.xml:494
++#: sssd.conf.5.xml:1426 sssd-ad.5.xml:513
+ msgid "su"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd.conf.5.xml:1431 sssd-ad.5.xml:499
++#: sssd.conf.5.xml:1431 sssd-ad.5.xml:518
+ msgid "su-l"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd.conf.5.xml:1436 sssd-ad.5.xml:514
++#: sssd.conf.5.xml:1436 sssd-ad.5.xml:533
+ msgid "gdm-smartcard"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd.conf.5.xml:1441 sssd-ad.5.xml:509
++#: sssd.conf.5.xml:1441 sssd-ad.5.xml:528
+ msgid "gdm-password"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd.conf.5.xml:1446 sssd-ad.5.xml:519
++#: sssd.conf.5.xml:1446 sssd-ad.5.xml:538
+ msgid "kdm"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd.conf.5.xml:1451 sssd-ad.5.xml:748
++#: sssd.conf.5.xml:1451 sssd-ad.5.xml:767
+ msgid "sudo"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd.conf.5.xml:1456 sssd-ad.5.xml:753
++#: sssd.conf.5.xml:1456 sssd-ad.5.xml:772
+ msgid "sudo-i"
+ msgstr ""
+ 
+@@ -2535,7 +2535,7 @@ msgid "FALSE = No enumerations for this domain"
+ msgstr "FALSE = keine Aufzählungen für diese Domain"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:1886 sssd.conf.5.xml:2108 sssd.conf.5.xml:2283
++#: sssd.conf.5.xml:1886 sssd.conf.5.xml:2116 sssd.conf.5.xml:2291
+ msgid "Default: FALSE"
+ msgstr "Voreinstellung: FALSE"
+ 
+@@ -2792,47 +2792,55 @@ msgstr ""
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:2083
+ msgid ""
+-"The background refresh will process users, groups and netgroups in the cache."
++"The background refresh will process users, groups and netgroups in the "
++"cache. For users who have performed the initgroups (get group membership for "
++"user, typically ran at login)  operation in the past, both the user entry "
++"and the group membership are updated."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2087
++#: sssd.conf.5.xml:2091
++msgid "This option is automatically inherited for all trusted domains."
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
++#: sssd.conf.5.xml:2095
+ msgid "You can consider setting this value to 3/4 * entry_cache_timeout."
+ msgstr ""
+ "Sie können in Betracht ziehen, diesen Wert auf 3/4 * entry_cache_timeout zu "
+ "setzen."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2091 sssd-ldap.5.xml:784 sssd-ipa.5.xml:254
++#: sssd.conf.5.xml:2099 sssd-ldap.5.xml:784 sssd-ipa.5.xml:254
+ msgid "Default: 0 (disabled)"
+ msgstr "Voreinstellung: 0 (deaktiviert)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2097
++#: sssd.conf.5.xml:2105
+ msgid "cache_credentials (bool)"
+ msgstr "cache_credentials (Boolesch)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2100
++#: sssd.conf.5.xml:2108
+ msgid "Determines if user credentials are also cached in the local LDB cache"
+ msgstr ""
+ "bestimmt, ob auch Benutzerberechtigungen im lokalen LDB-Zwischenspeicher "
+ "zwischengespeichert werden."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2104
++#: sssd.conf.5.xml:2112
+ msgid "User credentials are stored in a SHA512 hash, not in plaintext"
+ msgstr ""
+ "Benutzerberechtigungen werden in einem SHA512-Hash, nicht im Klartext "
+ "gespeichert."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2114
++#: sssd.conf.5.xml:2122
+ msgid "cache_credentials_minimal_first_factor_length (int)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2117
++#: sssd.conf.5.xml:2125
+ msgid ""
+ "If 2-Factor-Authentication (2FA) is used and credentials should be saved "
+ "this value determines the minimal length the first authentication factor "
+@@ -2840,24 +2848,24 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2124
++#: sssd.conf.5.xml:2132
+ msgid ""
+ "This should avoid that the short PINs of a PIN based 2FA scheme are saved in "
+ "the cache which would make them easy targets for brute-force attacks."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2129
++#: sssd.conf.5.xml:2137
+ msgid "Default: 8"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2135
++#: sssd.conf.5.xml:2143
+ msgid "account_cache_expiration (integer)"
+ msgstr "account_cache_expiration (Ganzzahl)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2138
++#: sssd.conf.5.xml:2146
+ msgid ""
+ "Number of days entries are left in cache after last successful login before "
+ "being removed during a cleanup of the cache. 0 means keep forever.  The "
+@@ -2870,17 +2878,17 @@ msgstr ""
+ "Parameters muss größer oder gleich »offline_credentials_expiration« sein."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2145
++#: sssd.conf.5.xml:2153
+ msgid "Default: 0 (unlimited)"
+ msgstr "Voreinstellung: 0 (unbegrenzt)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2150
++#: sssd.conf.5.xml:2158
+ msgid "pwd_expiration_warning (integer)"
+ msgstr "pwd_expiration_warning (Ganzzahl)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2161
++#: sssd.conf.5.xml:2169
+ msgid ""
+ "Please note that the backend server has to provide information about the "
+ "expiration time of the password.  If this information is missing, sssd "
+@@ -2893,17 +2901,17 @@ msgstr ""
+ "Authentifizierungsanbieter konfiguriert werden."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2168
++#: sssd.conf.5.xml:2176
+ msgid "Default: 7 (Kerberos), 0 (LDAP)"
+ msgstr "Voreinstellung: 7 (Kerberos), 0 (LDAP)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2174
++#: sssd.conf.5.xml:2182
+ msgid "id_provider (string)"
+ msgstr "id_provider (Zeichenkette)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2177
++#: sssd.conf.5.xml:2185
+ msgid ""
+ "The identification provider used for the domain.  Supported ID providers are:"
+ msgstr ""
+@@ -2911,18 +2919,18 @@ msgstr ""
+ "werden unterstützt:"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2181
++#: sssd.conf.5.xml:2189
+ msgid "<quote>proxy</quote>: Support a legacy NSS provider."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2184
++#: sssd.conf.5.xml:2192
+ msgid ""
+ "<quote>local</quote>: SSSD internal provider for local users (DEPRECATED)."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2188
++#: sssd.conf.5.xml:2196
+ msgid ""
+ "<quote>files</quote>: FILES provider. See <citerefentry> <refentrytitle>sssd-"
+ "files</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> for more "
+@@ -2930,7 +2938,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2196
++#: sssd.conf.5.xml:2204
+ msgid ""
+ "<quote>ldap</quote>: LDAP provider. See <citerefentry> <refentrytitle>sssd-"
+ "ldap</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> for more "
+@@ -2941,8 +2949,8 @@ msgstr ""
+ "<manvolnum>5</manvolnum> </citerefentry>."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2204 sssd.conf.5.xml:2309 sssd.conf.5.xml:2364
+-#: sssd.conf.5.xml:2427
++#: sssd.conf.5.xml:2212 sssd.conf.5.xml:2317 sssd.conf.5.xml:2372
++#: sssd.conf.5.xml:2435
+ msgid ""
+ "<quote>ipa</quote>: FreeIPA and Red Hat Enterprise Identity Management "
+ "provider. See <citerefentry> <refentrytitle>sssd-ipa</refentrytitle> "
+@@ -2955,8 +2963,8 @@ msgstr ""
+ "manvolnum> </citerefentry>."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2213 sssd.conf.5.xml:2318 sssd.conf.5.xml:2373
+-#: sssd.conf.5.xml:2436
++#: sssd.conf.5.xml:2221 sssd.conf.5.xml:2326 sssd.conf.5.xml:2381
++#: sssd.conf.5.xml:2444
+ msgid ""
+ "<quote>ad</quote>: Active Directory provider. See <citerefentry> "
+ "<refentrytitle>sssd-ad</refentrytitle> <manvolnum>5</manvolnum> </"
+@@ -2968,12 +2976,12 @@ msgstr ""
+ "citerefentry>."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2224
++#: sssd.conf.5.xml:2232
+ msgid "use_fully_qualified_names (bool)"
+ msgstr "use_fully_qualified_names (Boolesch)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2227
++#: sssd.conf.5.xml:2235
+ msgid ""
+ "Use the full name and domain (as formatted by the domain's full_name_format) "
+ "as the user's login name reported to NSS."
+@@ -2983,7 +2991,7 @@ msgstr ""
+ "Benutzers, der an NSS gemeldet wird."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2232
++#: sssd.conf.5.xml:2240
+ msgid ""
+ "If set to TRUE, all requests to this domain must use fully qualified names. "
+ "For example, if used in LOCAL domain that contains a \"test\" user, "
+@@ -2997,7 +3005,7 @@ msgstr ""
+ "test@LOCAL</command> würde ihn hingegen finden."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2240
++#: sssd.conf.5.xml:2248
+ msgid ""
+ "NOTE: This option has no effect on netgroup lookups due to their tendency to "
+ "include nested netgroups without qualified names. For netgroups, all domains "
+@@ -3009,22 +3017,22 @@ msgstr ""
+ "nicht voll qualifizierter Name angefragt wird."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2247
++#: sssd.conf.5.xml:2255
+ msgid "Default: FALSE (TRUE if default_domain_suffix is used)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2253
++#: sssd.conf.5.xml:2261
+ msgid "ignore_group_members (bool)"
+ msgstr "ignore_group_members (Boolesch)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2256
++#: sssd.conf.5.xml:2264
+ msgid "Do not return group members for group lookups."
+ msgstr "gibt beim Nachschlagen der Gruppe nicht die Gruppenmitglieder zurück."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2259
++#: sssd.conf.5.xml:2267
+ msgid ""
+ "If set to TRUE, the group membership attribute is not requested from the "
+ "ldap server, and group members are not returned when processing group lookup "
+@@ -3036,7 +3044,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2277
++#: sssd.conf.5.xml:2285
+ msgid ""
+ "Enabling this option can also make access provider checks for group "
+ "membership significantly faster, especially for groups containing many "
+@@ -3044,12 +3052,12 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2288
++#: sssd.conf.5.xml:2296
+ msgid "auth_provider (string)"
+ msgstr "auth_provider (Zeichenkette)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2291
++#: sssd.conf.5.xml:2299
+ msgid ""
+ "The authentication provider used for the domain.  Supported auth providers "
+ "are:"
+@@ -3058,7 +3066,7 @@ msgstr ""
+ "Authentifizierungsanbieter werden unterstützt:"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2295 sssd.conf.5.xml:2357
++#: sssd.conf.5.xml:2303 sssd.conf.5.xml:2365
+ msgid ""
+ "<quote>ldap</quote> for native LDAP authentication. See <citerefentry> "
+ "<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
+@@ -3069,7 +3077,7 @@ msgstr ""
+ "ldap</refentrytitle> <manvolnum>5</manvolnum> </citerefentry>."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2302
++#: sssd.conf.5.xml:2310
+ msgid ""
+ "<quote>krb5</quote> for Kerberos authentication. See <citerefentry> "
+ "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </"
+@@ -3081,24 +3089,24 @@ msgstr ""
+ "citerefentry>."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2326
++#: sssd.conf.5.xml:2334
+ msgid ""
+ "<quote>proxy</quote> for relaying authentication to some other PAM target."
+ msgstr ""
+ "»proxy« zur Weitergabe der Authentifizierung an irgendein anderes PAM-Ziel"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2329
++#: sssd.conf.5.xml:2337
+ msgid "<quote>local</quote>: SSSD internal provider for local users"
+ msgstr "»local«: SSSDs interner Anbieter für lokale Benutzer"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2333
++#: sssd.conf.5.xml:2341
+ msgid "<quote>none</quote> disables authentication explicitly."
+ msgstr "»none« deaktiviert explizit die Authentifizierung."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2336
++#: sssd.conf.5.xml:2344
+ msgid ""
+ "Default: <quote>id_provider</quote> is used if it is set and can handle "
+ "authentication requests."
+@@ -3107,12 +3115,12 @@ msgstr ""
+ "mit Authentifizierungsanfragen umgehen."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2342
++#: sssd.conf.5.xml:2350
+ msgid "access_provider (string)"
+ msgstr "access_provider (Zeichenkette)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2345
++#: sssd.conf.5.xml:2353
+ msgid ""
+ "The access control provider used for the domain.  There are two built-in "
+ "access providers (in addition to any included in installed backends)  "
+@@ -3123,7 +3131,7 @@ msgstr ""
+ "Backends enthalten sind). Interne Spezialanbieter sind:"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2351
++#: sssd.conf.5.xml:2359
+ msgid ""
+ "<quote>permit</quote> always allow access. It's the only permitted access "
+ "provider for a local domain."
+@@ -3132,12 +3140,12 @@ msgstr ""
+ "für eine lokale Domain."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2354
++#: sssd.conf.5.xml:2362
+ msgid "<quote>deny</quote> always deny access."
+ msgstr "»deny« verweigert dem Zugriff immer."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2381
++#: sssd.conf.5.xml:2389
+ msgid ""
+ "<quote>simple</quote> access control based on access or deny lists. See "
+ "<citerefentry> <refentrytitle>sssd-simple</refentrytitle> <manvolnum>5</"
+@@ -3150,7 +3158,7 @@ msgstr ""
+ "simple</refentrytitle> <manvolnum>5</manvolnum></citerefentry>."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2388
++#: sssd.conf.5.xml:2396
+ msgid ""
+ "<quote>krb5</quote>: .k5login based access control.  See <citerefentry> "
+ "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum></"
+@@ -3158,22 +3166,22 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2395
++#: sssd.conf.5.xml:2403
+ msgid "<quote>proxy</quote> for relaying access control to another PAM module."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2398
++#: sssd.conf.5.xml:2406
+ msgid "Default: <quote>permit</quote>"
+ msgstr "Voreinstellung: »permit«"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2403
++#: sssd.conf.5.xml:2411
+ msgid "chpass_provider (string)"
+ msgstr "chpass_provider (Zeichenkette)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2406
++#: sssd.conf.5.xml:2414
+ msgid ""
+ "The provider which should handle change password operations for the domain.  "
+ "Supported change password providers are:"
+@@ -3182,7 +3190,7 @@ msgstr ""
+ "Folgende Anbieter von Passwortänderungen werden unterstützt:"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2411
++#: sssd.conf.5.xml:2419
+ msgid ""
+ "<quote>ldap</quote> to change a password stored in a LDAP server. See "
+ "<citerefentry> <refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</"
+@@ -3190,7 +3198,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2419
++#: sssd.conf.5.xml:2427
+ msgid ""
+ "<quote>krb5</quote> to change the Kerberos password. See <citerefentry> "
+ "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </"
+@@ -3202,19 +3210,19 @@ msgstr ""
+ "citerefentry>."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2444
++#: sssd.conf.5.xml:2452
+ msgid ""
+ "<quote>proxy</quote> for relaying password changes to some other PAM target."
+ msgstr ""
+ "»proxy« zur Weitergabe der Passwortänderung an irgendein anderes PAM-Ziel"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2448
++#: sssd.conf.5.xml:2456
+ msgid "<quote>none</quote> disallows password changes explicitly."
+ msgstr "»none« verbietet explizit Passwortänderungen."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2451
++#: sssd.conf.5.xml:2459
+ msgid ""
+ "Default: <quote>auth_provider</quote> is used if it is set and can handle "
+ "change password requests."
+@@ -3223,19 +3231,19 @@ msgstr ""
+ "kann mit Passwortänderungsanfragen umgehen."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2458
++#: sssd.conf.5.xml:2466
+ msgid "sudo_provider (string)"
+ msgstr "sudo_provider (Zeichenkette)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2461
++#: sssd.conf.5.xml:2469
+ msgid "The SUDO provider used for the domain.  Supported SUDO providers are:"
+ msgstr ""
+ "der für diese Domain benutzte Sudo-Anbieter. Folgende Sudo-Anbieter werden "
+ "unterstützt:"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2465
++#: sssd.conf.5.xml:2473
+ msgid ""
+ "<quote>ldap</quote> for rules stored in LDAP. See <citerefentry> "
+ "<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
+@@ -3246,7 +3254,7 @@ msgstr ""
+ "ldap</refentrytitle> <manvolnum>5</manvolnum> </citerefentry>."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2473
++#: sssd.conf.5.xml:2481
+ msgid ""
+ "<quote>ipa</quote> the same as <quote>ldap</quote> but with IPA default "
+ "settings."
+@@ -3255,7 +3263,7 @@ msgstr ""
+ "Vorgabeeinstellungen für IPA."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2477
++#: sssd.conf.5.xml:2485
+ msgid ""
+ "<quote>ad</quote> the same as <quote>ldap</quote> but with AD default "
+ "settings."
+@@ -3264,19 +3272,19 @@ msgstr ""
+ "Vorgabeeinstellungen für AD."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2481
++#: sssd.conf.5.xml:2489
+ msgid "<quote>none</quote> disables SUDO explicitly."
+ msgstr "»none« deaktiviert explizit Sudo."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2484 sssd.conf.5.xml:2570 sssd.conf.5.xml:2640
+-#: sssd.conf.5.xml:2665
++#: sssd.conf.5.xml:2492 sssd.conf.5.xml:2578 sssd.conf.5.xml:2648
++#: sssd.conf.5.xml:2673
+ msgid "Default: The value of <quote>id_provider</quote> is used if it is set."
+ msgstr ""
+ "Voreinstellung: Falls gesetzt, wird der Wert von »id_provider« benutzt."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2488
++#: sssd.conf.5.xml:2496
+ msgid ""
+ "The detailed instructions for configuration of sudo_provider are in the "
+ "manual page <citerefentry> <refentrytitle>sssd-sudo</refentrytitle> "
+@@ -3293,7 +3301,7 @@ msgstr ""
+ "<manvolnum>5</manvolnum> </citerefentry>."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2503
++#: sssd.conf.5.xml:2511
+ msgid ""
+ "<emphasis>NOTE:</emphasis> Sudo rules are periodically downloaded in the "
+ "background unless the sudo provider is explicitly disabled. Set "
+@@ -3302,12 +3310,12 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2513
++#: sssd.conf.5.xml:2521
+ msgid "selinux_provider (string)"
+ msgstr "selinux_provider (Zeichenkette)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2516
++#: sssd.conf.5.xml:2524
+ msgid ""
+ "The provider which should handle loading of selinux settings. Note that this "
+ "provider will be called right after access provider ends.  Supported selinux "
+@@ -3318,7 +3326,7 @@ msgstr ""
+ "Zugriffsanbieter beendet hat. Folgende SELinux-Anbieter werden unterstützt:"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2522
++#: sssd.conf.5.xml:2530
+ msgid ""
+ "<quote>ipa</quote> to load selinux settings from an IPA server. See "
+ "<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</"
+@@ -3330,12 +3338,12 @@ msgstr ""
+ "manvolnum> </citerefentry>."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2530
++#: sssd.conf.5.xml:2538
+ msgid "<quote>none</quote> disallows fetching selinux settings explicitly."
+ msgstr "»none« verbietet explizit das Abholen von SELinux-Einstellungen."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2533
++#: sssd.conf.5.xml:2541
+ msgid ""
+ "Default: <quote>id_provider</quote> is used if it is set and can handle "
+ "selinux loading requests."
+@@ -3344,12 +3352,12 @@ msgstr ""
+ "kann SELinux-Ladeanfragen handhaben."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2539
++#: sssd.conf.5.xml:2547
+ msgid "subdomains_provider (string)"
+ msgstr "subdomains_provider (Zeichenkette)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2542
++#: sssd.conf.5.xml:2550
+ msgid ""
+ "The provider which should handle fetching of subdomains. This value should "
+ "be always the same as id_provider.  Supported subdomain providers are:"
+@@ -3359,7 +3367,7 @@ msgstr ""
+ "werden unterstützt:"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2548
++#: sssd.conf.5.xml:2556
+ msgid ""
+ "<quote>ipa</quote> to load a list of subdomains from an IPA server. See "
+ "<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</"
+@@ -3371,7 +3379,7 @@ msgstr ""
+ "citerefentry>."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2557
++#: sssd.conf.5.xml:2565
+ msgid ""
+ "<quote>ad</quote> to load a list of subdomains from an Active Directory "
+ "server. See <citerefentry> <refentrytitle>sssd-ad</refentrytitle> "
+@@ -3380,17 +3388,17 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2566
++#: sssd.conf.5.xml:2574
+ msgid "<quote>none</quote> disallows fetching subdomains explicitly."
+ msgstr "»none« deaktiviert explizit das Abholen von Subdomains."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2576
++#: sssd.conf.5.xml:2584
+ msgid "session_provider (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2579
++#: sssd.conf.5.xml:2587
+ msgid ""
+ "The provider which configures and manages user session related tasks. The "
+ "only user session task currently provided is the integration with Fleet "
+@@ -3398,37 +3406,37 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2586
++#: sssd.conf.5.xml:2594
+ msgid "<quote>ipa</quote> to allow performing user session related tasks."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2590
++#: sssd.conf.5.xml:2598
+ msgid ""
+ "<quote>none</quote> does not perform any kind of user session related tasks."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2594
++#: sssd.conf.5.xml:2602
+ msgid ""
+ "Default: <quote>id_provider</quote> is used if it is set and can perform "
+ "session related tasks."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2598
++#: sssd.conf.5.xml:2606
+ msgid ""
+ "<emphasis>NOTE:</emphasis> In order to have this feature working as expected "
+ "SSSD must be running as \"root\" and not as the unprivileged user."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2606
++#: sssd.conf.5.xml:2614
+ msgid "autofs_provider (string)"
+ msgstr "autofs_provider (Zeichenkette)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2609
++#: sssd.conf.5.xml:2617
+ msgid ""
+ "The autofs provider used for the domain.  Supported autofs providers are:"
+ msgstr ""
+@@ -3436,7 +3444,7 @@ msgstr ""
+ "»autofs« werden unterstützt:"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2613
++#: sssd.conf.5.xml:2621
+ msgid ""
+ "<quote>ldap</quote> to load maps stored in LDAP. See <citerefentry> "
+ "<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
+@@ -3448,7 +3456,7 @@ msgstr ""
+ "citerefentry>."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2620
++#: sssd.conf.5.xml:2628
+ msgid ""
+ "<quote>ipa</quote> to load maps stored in an IPA server. See <citerefentry> "
+ "<refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</manvolnum> </"
+@@ -3460,7 +3468,7 @@ msgstr ""
+ "citerefentry>."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2628
++#: sssd.conf.5.xml:2636
+ msgid ""
+ "<quote>ad</quote> to load maps stored in an AD server. See <citerefentry> "
+ "<refentrytitle>sssd-ad</refentrytitle> <manvolnum>5</manvolnum> </"
+@@ -3468,17 +3476,17 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2637
++#: sssd.conf.5.xml:2645
+ msgid "<quote>none</quote> disables autofs explicitly."
+ msgstr "»none« deaktiviert explizit »autofs«."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2647
++#: sssd.conf.5.xml:2655
+ msgid "hostid_provider (string)"
+ msgstr "hostid_provider (Zeichenkette)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2650
++#: sssd.conf.5.xml:2658
+ msgid ""
+ "The provider used for retrieving host identity information.  Supported "
+ "hostid providers are:"
+@@ -3487,7 +3495,7 @@ msgstr ""
+ "wird. Folgende Anbieter von »hostid« werden unterstützt:"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2654
++#: sssd.conf.5.xml:2662
+ msgid ""
+ "<quote>ipa</quote> to load host identity stored in an IPA server. See "
+ "<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</"
+@@ -3499,12 +3507,12 @@ msgstr ""
+ "manvolnum> </citerefentry>."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2662
++#: sssd.conf.5.xml:2670
+ msgid "<quote>none</quote> disables hostid explicitly."
+ msgstr "»none« deaktiviert explizit »hostid«."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2675
++#: sssd.conf.5.xml:2683
+ msgid ""
+ "Regular expression for this domain that describes how to parse the string "
+ "containing user name and domain into these components.  The \"domain\" can "
+@@ -3519,7 +3527,7 @@ msgstr ""
+ "(NetBIOS-) Namen der Domain entsprechen."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2684
++#: sssd.conf.5.xml:2692
+ msgid ""
+ "Default for the AD and IPA provider: <quote>(((?P&lt;domain&gt;[^\\\\]+)\\"
+ "\\(?P&lt;name&gt;.+$))|((?P&lt;name&gt;[^@]+)@(?P&lt;domain&gt;.+$))|(^(?"
+@@ -3531,22 +3539,22 @@ msgstr ""
+ "P&lt;Name&gt;[^@\\\\]+)$))« "
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd.conf.5.xml:2689
++#: sssd.conf.5.xml:2697
+ msgid "username"
+ msgstr "Benutzername"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd.conf.5.xml:2692
++#: sssd.conf.5.xml:2700
+ msgid "username@domain.name"
+ msgstr "Benutzername@Domain.Name"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd.conf.5.xml:2695
++#: sssd.conf.5.xml:2703
+ msgid "domain\\username"
+ msgstr "Domain\\Benutzername"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2698
++#: sssd.conf.5.xml:2706
+ msgid ""
+ "While the first two correspond to the general default the third one is "
+ "introduced to allow easy integration of users from Windows domains."
+@@ -3556,7 +3564,7 @@ msgstr ""
+ "Windows-Domains zu ermöglichen."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2703
++#: sssd.conf.5.xml:2711
+ msgid ""
+ "Default: <quote>(?P&lt;name&gt;[^@]+)@?(?P&lt;domain&gt;[^@]*$)</quote> "
+ "which translates to \"the name is everything up to the <quote>@</quote> "
+@@ -3566,7 +3574,7 @@ msgstr ""
+ "bedeutet »der Name ist alles bis zum »@«-Zeichen, die Domain alles danach«"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2709
++#: sssd.conf.5.xml:2717
+ msgid ""
+ "NOTE: Some Active Directory groups, typically those used for MS Exchange "
+ "contain an <quote>@</quote> sign in the name, which clashes with the default "
+@@ -3576,17 +3584,17 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2760
++#: sssd.conf.5.xml:2768
+ msgid "Default: <quote>%1$s@%2$s</quote>."
+ msgstr "Voreinstellung: »%1$s@%2$s«"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2766
++#: sssd.conf.5.xml:2774
+ msgid "lookup_family_order (string)"
+ msgstr "lookup_family_order (Zeichenkette)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2769
++#: sssd.conf.5.xml:2777
+ msgid ""
+ "Provides the ability to select preferred address family to use when "
+ "performing DNS lookups."
+@@ -3594,46 +3602,46 @@ msgstr ""
+ "ermöglicht es, die bei DNS-Abfragen zu bevorzugende Adressfamilie zu wählen."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2773
++#: sssd.conf.5.xml:2781
+ msgid "Supported values:"
+ msgstr "unterstützte Werte:"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2776
++#: sssd.conf.5.xml:2784
+ msgid "ipv4_first: Try looking up IPv4 address, if that fails, try IPv6"
+ msgstr ""
+ "ipv4_first: versucht die IPv4- und, falls dies fehlschlägt, die IPv6-Adresse "
+ "nachzuschlagen"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2779
++#: sssd.conf.5.xml:2787
+ msgid "ipv4_only: Only attempt to resolve hostnames to IPv4 addresses."
+ msgstr "ipv4_only: versucht, nur Rechnernamen zu IPv4-Adressen aufzulösen"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2782
++#: sssd.conf.5.xml:2790
+ msgid "ipv6_first: Try looking up IPv6 address, if that fails, try IPv4"
+ msgstr ""
+ "ipv6_first: versucht die IPv6- und, falls dies fehlschlägt, die IPv4-Adresse "
+ "nachzuschlagen"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2785
++#: sssd.conf.5.xml:2793
+ msgid "ipv6_only: Only attempt to resolve hostnames to IPv6 addresses."
+ msgstr "ipv6_only: versucht, nur Rechnernamen zu IPv6-Adressen aufzulösen"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2788
++#: sssd.conf.5.xml:2796
+ msgid "Default: ipv4_first"
+ msgstr "Voreinstellung: ipv4_first"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2794
++#: sssd.conf.5.xml:2802
+ msgid "dns_resolver_timeout (integer)"
+ msgstr "dns_resolver_timeout (Ganzzahl)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2797
++#: sssd.conf.5.xml:2805
+ msgid ""
+ "Defines the amount of time (in seconds) to wait for a reply from the "
+ "internal fail over service before assuming that the service is unreachable. "
+@@ -3642,25 +3650,25 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2804
++#: sssd.conf.5.xml:2812
+ msgid ""
+ "Please see the section <quote>FAILOVER</quote> for more information about "
+ "the service resolution."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2809 sssd-ldap.5.xml:1434 sssd-ldap.5.xml:1476
++#: sssd.conf.5.xml:2817 sssd-ldap.5.xml:1434 sssd-ldap.5.xml:1476
+ #: sssd-ldap.5.xml:1494 sssd-krb5.5.xml:248
+ msgid "Default: 6"
+ msgstr "Voreinstellung: 6"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2815
++#: sssd.conf.5.xml:2823
+ msgid "dns_discovery_domain (string)"
+ msgstr "dns_discovery_domain (Zeichenkette)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2818
++#: sssd.conf.5.xml:2826
+ msgid ""
+ "If service discovery is used in the back end, specifies the domain part of "
+ "the service discovery DNS query."
+@@ -3669,52 +3677,52 @@ msgstr ""
+ "DNS-Dienstabfrage an."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2822
++#: sssd.conf.5.xml:2830
+ msgid "Default: Use the domain part of machine's hostname"
+ msgstr "Voreinstellung: Der Domain-Teil des Rechnernamens wird benutzt."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2828
++#: sssd.conf.5.xml:2836
+ msgid "override_gid (integer)"
+ msgstr "override_gid (Ganzzahl)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2831
++#: sssd.conf.5.xml:2839
+ msgid "Override the primary GID value with the one specified."
+ msgstr "überschreibt die Haupt-GID mit der angegebenen."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2837
++#: sssd.conf.5.xml:2845
+ msgid "case_sensitive (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2845
++#: sssd.conf.5.xml:2853
+ msgid "True"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2848
++#: sssd.conf.5.xml:2856
+ msgid "Case sensitive. This value is invalid for AD provider."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2854
++#: sssd.conf.5.xml:2862
+ msgid "False"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2856
++#: sssd.conf.5.xml:2864
+ msgid "Case insensitive."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2860
++#: sssd.conf.5.xml:2868
+ msgid "Preserving"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2863
++#: sssd.conf.5.xml:2871
+ msgid ""
+ "Same as False (case insensitive), but does not lowercase names in the result "
+ "of NSS operations. Note that name aliases (and in case of services also "
+@@ -3722,7 +3730,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2840
++#: sssd.conf.5.xml:2848
+ msgid ""
+ "Treat user and group names as case sensitive. At the moment, this option is "
+ "not supported in the local provider. Possible option values are: "
+@@ -3730,17 +3738,17 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2875
++#: sssd.conf.5.xml:2883
+ msgid "Default: True (False for AD provider)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2881
++#: sssd.conf.5.xml:2889
+ msgid "subdomain_inherit (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2884
++#: sssd.conf.5.xml:2892
+ msgid ""
+ "Specifies a list of configuration parameters that should be inherited by a "
+ "subdomain. Please note that only selected parameters can be inherited.  "
+@@ -3748,34 +3756,34 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2890
++#: sssd.conf.5.xml:2898
+ msgid "ignore_group_members"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2893
++#: sssd.conf.5.xml:2901
+ msgid "ldap_purge_cache_timeout"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2896 sssd-ldap.5.xml:1158
++#: sssd.conf.5.xml:2904 sssd-ldap.5.xml:1158
+ msgid "ldap_use_tokengroups"
+ msgstr "ldap_use_tokengroups"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2899
++#: sssd.conf.5.xml:2907
+ msgid "ldap_user_principal"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2902
++#: sssd.conf.5.xml:2910
+ msgid ""
+ "ldap_krb5_keytab (the value of krb5_keytab will be used if ldap_krb5_keytab "
+ "is not set explicitly)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
+-#: sssd.conf.5.xml:2908
++#: sssd.conf.5.xml:2916
+ #, no-wrap
+ msgid ""
+ "subdomain_inherit = ldap_purge_cache_timeout\n"
+@@ -3783,32 +3791,32 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2906 sssd-secrets.5.xml:448
++#: sssd.conf.5.xml:2914 sssd-secrets.5.xml:448
+ msgid "Example: <placeholder type=\"programlisting\" id=\"0\"/>"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2915
++#: sssd.conf.5.xml:2923
+ msgid "Note: This option only works with the IPA and AD provider."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2922
++#: sssd.conf.5.xml:2930
+ msgid "subdomain_homedir (string)"
+ msgstr "subdomain_homedir (Zeichenkette)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2933
++#: sssd.conf.5.xml:2941
+ msgid "%F"
+ msgstr "%F"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2934
++#: sssd.conf.5.xml:2942
+ msgid "flat (NetBIOS) name of a subdomain."
+ msgstr "flacher (NetBIOS-) Name einer Subdomain"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2925
++#: sssd.conf.5.xml:2933
+ msgid ""
+ "Use this homedir as default value for all subdomains within this domain in "
+ "IPA AD trust.  See <emphasis>override_homedir</emphasis> for info about "
+@@ -3823,7 +3831,7 @@ msgstr ""
+ "verwendet werden.  <placeholder type=\"variablelist\" id=\"0\"/>"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2939
++#: sssd.conf.5.xml:2947
+ msgid ""
+ "The value can be overridden by <emphasis>override_homedir</emphasis> option."
+ msgstr ""
+@@ -3831,17 +3839,17 @@ msgstr ""
+ "überschrieben werden."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2943
++#: sssd.conf.5.xml:2951
+ msgid "Default: <filename>/home/%d/%u</filename>"
+ msgstr "Voreinstellung: <filename>/home/%d/%u</filename>"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2948
++#: sssd.conf.5.xml:2956
+ msgid "realmd_tags (string)"
+ msgstr "realmd_tags (Zeichenkette)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2951
++#: sssd.conf.5.xml:2959
+ msgid ""
+ "Various tags stored by the realmd configuration service for this domain."
+ msgstr ""
+@@ -3849,25 +3857,33 @@ msgstr ""
+ "Kennzeichnungen"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2957
++#: sssd.conf.5.xml:2965
+ msgid "cached_auth_timeout (int)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2960
++#: sssd.conf.5.xml:2968
+ msgid ""
+ "Specifies time in seconds since last successful online authentication for "
+ "which user will be authenticated using cached credentials while SSSD is in "
+-"the online mode."
++"the online mode. If the credentials are incorrect, SSSD falls back to online "
++"authentication."
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
++#: sssd.conf.5.xml:2976
++msgid ""
++"This option's value is inherited by all trusted domains. At the moment it is "
++"not possible to set a different value per trusted domain."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2966
++#: sssd.conf.5.xml:2981
+ msgid "Special value 0 implies that this feature is disabled."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2970
++#: sssd.conf.5.xml:2985
+ msgid ""
+ "Please note that if <quote>cached_auth_timeout</quote> is longer than "
+ "<quote>pam_id_timeout</quote> then the back end could be called to handle "
+@@ -3875,41 +3891,50 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2981
++#: sssd.conf.5.xml:2996
+ msgid "auto_private_groups (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2987
++#: sssd.conf.5.xml:3002
+ msgid "true"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2990
++#: sssd.conf.5.xml:3005
+ msgid ""
+ "Create user's private group unconditionally from user's UID number.  The GID "
+ "number is ignored in this case."
+ msgstr ""
+ 
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
++#: sssd.conf.5.xml:3009
++msgid ""
++"NOTE: Because the GID number and the user private group are inferred from "
++"the UID number, it is not supported to have multiple entries with the same "
++"UID or GID number with this option. In other words, enabling this option "
++"enforces uniqueness across the ID space."
++msgstr ""
++
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2996
++#: sssd.conf.5.xml:3018
+ msgid "false"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2999
++#: sssd.conf.5.xml:3021
+ msgid ""
+ "Always use the user's primary GID number. The GID number must refer to a "
+ "group object in the LDAP database."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:3005
++#: sssd.conf.5.xml:3027
+ msgid "hybrid"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3008
++#: sssd.conf.5.xml:3030
+ msgid ""
+ "A primary group is autogenerated for user entries whose UID and GID numbers "
+ "have the same value and at the same time the GID number does not correspond "
+@@ -3919,14 +3944,14 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3021
++#: sssd.conf.5.xml:3043
+ msgid ""
+ "If the UID and GID of a user are different, then the GID must correspond to "
+ "a group entry, otherwise the GID is simply not resolvable."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3028
++#: sssd.conf.5.xml:3050
+ msgid ""
+ "This feature is useful for environments that wish to stop maintaining a "
+ "separate group objects for the user private groups, but also wish to retain "
+@@ -3934,7 +3959,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2984
++#: sssd.conf.5.xml:2999
+ #, fuzzy
+ #| msgid ""
+ #| "Options valid for proxy domains.  <placeholder type=\"variablelist\" id="
+@@ -3947,27 +3972,36 @@ msgstr ""
+ "\"0\"/>"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3040
++#: sssd.conf.5.xml:3062
+ msgid ""
+-"For POSIX subdomains, setting the option in the main domain is inherited in "
+-"the subdomain."
++"For subdomains, the default value is False for subdomains that use assigned "
++"POSIX IDs and True for subdomains that use automatic ID-mapping."
+ msgstr ""
+ 
+-#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3044
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
++#: sssd.conf.5.xml:3070
++#, no-wrap
++msgid ""
++"[domain/forest.domain/sub.domain]\n"
++"auto_private_groups = false\n"
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
++#: sssd.conf.5.xml:3076
++#, no-wrap
+ msgid ""
+-"For ID-mapping subdomains, auto_private_groups is already enabled for the "
+-"subdomains and setting it to false will not have any effect for the "
+-"subdomain."
++"[domain/forest.domain]\n"
++"subdomain_inherit = auto_private_groups\n"
++"auto_private_groups = false\n"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3049
++#: sssd.conf.5.xml:3067
+ msgid ""
+-"NOTE: Because the GID number and the user private group are inferred from "
+-"the UID number, it is not supported to have multiple entries with the same "
+-"UID or GID number with this option. In other words, enabling this option "
+-"enforces uniqueness across the ID space."
++"The value of auto_private_groups can either be set per subdomains in a "
++"subsection, for example: <placeholder type=\"programlisting\" id=\"0\"/> or "
++"globally for all subdomains in the main domain section using the "
++"subdomain_inherit option: <placeholder type=\"programlisting\" id=\"1\"/>"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+@@ -3983,17 +4017,17 @@ msgstr ""
+ "\"variablelist\" id=\"0\"/>"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:3068
++#: sssd.conf.5.xml:3091
+ msgid "proxy_pam_target (string)"
+ msgstr "proxy_pam_target (Zeichenkette)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3071
++#: sssd.conf.5.xml:3094
+ msgid "The proxy target PAM proxies to."
+ msgstr "das Proxy-Ziel, an das PAM weiterleitet"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3074
++#: sssd.conf.5.xml:3097
+ msgid ""
+ "Default: not set by default, you have to take an existing pam configuration "
+ "or create a new one and add the service name here."
+@@ -4003,12 +4037,12 @@ msgstr ""
+ "hinzufügen."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:3082
++#: sssd.conf.5.xml:3105
+ msgid "proxy_lib_name (string)"
+ msgstr "proxy_lib_name (Zeichenkette)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3085
++#: sssd.conf.5.xml:3108
+ msgid ""
+ "The name of the NSS library to use in proxy domains. The NSS functions "
+ "searched for in the library are in the form of _nss_$(libName)_$(function), "
+@@ -4019,12 +4053,12 @@ msgstr ""
+ "$(libName)_$(function)«, zum Beispiel »_nss_files_getpwent«."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:3095
++#: sssd.conf.5.xml:3118
+ msgid "proxy_fast_alias (boolean)"
+ msgstr "proxy_fast_alias (Boolesch)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3098
++#: sssd.conf.5.xml:3121
+ msgid ""
+ "When a user or group is looked up by name in the proxy provider, a second "
+ "lookup by ID is performed to \"canonicalize\" the name in case the requested "
+@@ -4038,12 +4072,12 @@ msgstr ""
+ "veranlassen, die ID im Zwischenspeicher nachzuschlagen."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:3112
++#: sssd.conf.5.xml:3135
+ msgid "proxy_max_children (integer)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3115
++#: sssd.conf.5.xml:3138
+ msgid ""
+ "This option specifies the number of pre-forked proxy children. It is useful "
+ "for high-load SSSD environments where sssd may run out of available child "
+@@ -4051,7 +4085,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd.conf.5.xml:3064
++#: sssd.conf.5.xml:3087
+ msgid ""
+ "Options valid for proxy domains.  <placeholder type=\"variablelist\" id="
+ "\"0\"/>"
+@@ -4060,12 +4094,12 @@ msgstr ""
+ "\"0\"/>"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><title>
+-#: sssd.conf.5.xml:3131
++#: sssd.conf.5.xml:3154
+ msgid "Application domains"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para>
+-#: sssd.conf.5.xml:3133
++#: sssd.conf.5.xml:3156
+ msgid ""
+ "SSSD, with its D-Bus interface (see <citerefentry> <refentrytitle>sssd-ifp</"
+ "refentrytitle> <manvolnum>5</manvolnum> </citerefentry>) is appealing to "
+@@ -4082,7 +4116,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para>
+-#: sssd.conf.5.xml:3153
++#: sssd.conf.5.xml:3176
+ msgid ""
+ "Please note that the application domain must still be explicitly enabled in "
+ "the <quote>domains</quote> parameter so that the lookup order between the "
+@@ -4090,17 +4124,17 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><title>
+-#: sssd.conf.5.xml:3159
++#: sssd.conf.5.xml:3182
+ msgid "Application domain parameters"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:3161
++#: sssd.conf.5.xml:3184
+ msgid "inherit_from (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3164
++#: sssd.conf.5.xml:3187
+ msgid ""
+ "The SSSD POSIX-type domain the application domain inherits all settings "
+ "from. The application domain can moreover add its own settings to the "
+@@ -4109,7 +4143,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para>
+-#: sssd.conf.5.xml:3178
++#: sssd.conf.5.xml:3201
+ msgid ""
+ "The following example illustrates the use of an application domain. In this "
+ "setup, the POSIX domain is connected to an LDAP server and is used by the OS "
+@@ -4119,7 +4153,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><programlisting>
+-#: sssd.conf.5.xml:3186
++#: sssd.conf.5.xml:3209
+ #, no-wrap
+ msgid ""
+ "[sssd]\n"
+@@ -4139,12 +4173,12 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><title>
+-#: sssd.conf.5.xml:3204
++#: sssd.conf.5.xml:3227
+ msgid "The local domain section"
+ msgstr "Der Abschnitt lokale Domain"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para>
+-#: sssd.conf.5.xml:3206
++#: sssd.conf.5.xml:3229
+ msgid ""
+ "This section contains settings for domain that stores users and groups in "
+ "SSSD native database, that is, a domain that uses "
+@@ -4155,29 +4189,29 @@ msgstr ""
+ "<replaceable>ID_Anbieter=lokal</replaceable> benutzt."
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:3213
++#: sssd.conf.5.xml:3236
+ msgid "default_shell (string)"
+ msgstr "default_shell (Zeichenkette)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3216
++#: sssd.conf.5.xml:3239
+ msgid "The default shell for users created with SSSD userspace tools."
+ msgstr ""
+ "die Standard-Shell für Anwender, die mit den SSSD-Werkzeugen für den "
+ "Benutzerbereich erstellt wurde."
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3220
++#: sssd.conf.5.xml:3243
+ msgid "Default: <filename>/bin/bash</filename>"
+ msgstr "Voreinstellung: <filename>/bin/bash</filename>"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:3225
++#: sssd.conf.5.xml:3248
+ msgid "base_directory (string)"
+ msgstr "base_directory (Zeichenkette)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3228
++#: sssd.conf.5.xml:3251
+ msgid ""
+ "The tools append the login name to <replaceable>base_directory</replaceable> "
+ "and use that as the home directory."
+@@ -4186,17 +4220,17 @@ msgstr ""
+ "replaceable> und benutzen dies als Home-Verzeichnis."
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3233
++#: sssd.conf.5.xml:3256
+ msgid "Default: <filename>/home</filename>"
+ msgstr "Voreinstellung: <filename>/home</filename>"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:3238
++#: sssd.conf.5.xml:3261
+ msgid "create_homedir (bool)"
+ msgstr "create_homedir (Boolesch)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3241
++#: sssd.conf.5.xml:3264
+ msgid ""
+ "Indicate if a home directory should be created by default for new users.  "
+ "Can be overridden on command line."
+@@ -4205,17 +4239,17 @@ msgstr ""
+ "werden soll; kann auf der Befehlszeile überschrieben werden"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3245 sssd.conf.5.xml:3257
++#: sssd.conf.5.xml:3268 sssd.conf.5.xml:3280
+ msgid "Default: TRUE"
+ msgstr "Voreinstellung: TRUE"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:3250
++#: sssd.conf.5.xml:3273
+ msgid "remove_homedir (bool)"
+ msgstr "remove_homedir (Boolesch)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3253
++#: sssd.conf.5.xml:3276
+ msgid ""
+ "Indicate if a home directory should be removed by default for deleted "
+ "users.  Can be overridden on command line."
+@@ -4224,12 +4258,12 @@ msgstr ""
+ "entfernt werden soll; kann auf der Befehlszeile überschrieben werden"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:3262
++#: sssd.conf.5.xml:3285
+ msgid "homedir_umask (integer)"
+ msgstr "homedir_umask (Ganzzahl)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3265
++#: sssd.conf.5.xml:3288
+ msgid ""
+ "Used by <citerefentry> <refentrytitle>sss_useradd</refentrytitle> "
+ "<manvolnum>8</manvolnum> </citerefentry> to specify the default permissions "
+@@ -4240,17 +4274,17 @@ msgstr ""
+ "Standardzugriffsrechte für ein neu erstelltes Home-Verzeichnis anzugeben."
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3273
++#: sssd.conf.5.xml:3296
+ msgid "Default: 077"
+ msgstr "Voreinstellung: 077"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:3278
++#: sssd.conf.5.xml:3301
+ msgid "skel_dir (string)"
+ msgstr "skel_dir (Zeichenkette)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3281
++#: sssd.conf.5.xml:3304
+ msgid ""
+ "The skeleton directory, which contains files and directories to be copied in "
+ "the user's home directory, when the home directory is created by "
+@@ -4263,17 +4297,17 @@ msgstr ""
+ "<manvolnum>8</manvolnum> </citerefentry> erstellt wird"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3291
++#: sssd.conf.5.xml:3314
+ msgid "Default: <filename>/etc/skel</filename>"
+ msgstr "Voreinstellung: <filename>/etc/skel</filename>"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:3296
++#: sssd.conf.5.xml:3319
+ msgid "mail_dir (string)"
+ msgstr "mail_dir (Zeichenkette)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3299
++#: sssd.conf.5.xml:3322
+ msgid ""
+ "The mail spool directory. This is needed to manipulate the mailbox when its "
+ "corresponding user account is modified or deleted.  If not specified, a "
+@@ -4284,17 +4318,17 @@ msgstr ""
+ "wurde. Ist dies nicht angegeben wird ein Standardwert verwendet."
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3306
++#: sssd.conf.5.xml:3329
+ msgid "Default: <filename>/var/mail</filename>"
+ msgstr "Voreinstellung: <filename>/var/mail</filename>"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:3311
++#: sssd.conf.5.xml:3334
+ msgid "userdel_cmd (string)"
+ msgstr "userdel_cmd (Zeichenkette)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3314
++#: sssd.conf.5.xml:3337
+ msgid ""
+ "The command that is run after a user is removed.  The command us passed the "
+ "username of the user being removed as the first and only parameter. The "
+@@ -4306,17 +4340,17 @@ msgstr ""
+ "berücksichtigt."
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3320
++#: sssd.conf.5.xml:3343
+ msgid "Default: None, no command is run"
+ msgstr "Voreinstellung: keine, es wird kein Befehl ausgeführt"
+ 
+ #. type: Content of: <reference><refentry><refsect1><title>
+-#: sssd.conf.5.xml:3330
++#: sssd.conf.5.xml:3353
+ msgid "TRUSTED DOMAIN SECTION"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd.conf.5.xml:3332
++#: sssd.conf.5.xml:3355
+ msgid ""
+ "Some options used in the domain section can also be used in the trusted "
+ "domain section, that is, in a section called <quote>[domain/"
+@@ -4327,64 +4361,194 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd.conf.5.xml:3339
++#: sssd.conf.5.xml:3362
+ msgid "ldap_search_base,"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd.conf.5.xml:3340
++#: sssd.conf.5.xml:3363
+ msgid "ldap_user_search_base,"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd.conf.5.xml:3341
++#: sssd.conf.5.xml:3364
+ msgid "ldap_group_search_base,"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd.conf.5.xml:3342
++#: sssd.conf.5.xml:3365
+ msgid "ldap_netgroup_search_base,"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd.conf.5.xml:3343
++#: sssd.conf.5.xml:3366
+ msgid "ldap_service_search_base,"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd.conf.5.xml:3344
++#: sssd.conf.5.xml:3367
++#, fuzzy
++#| msgid "ldap_sasl_mech (string)"
++msgid "ldap_sasl_mech,"
++msgstr "ldap_sasl_mech (Zeichenkette)"
++
++#. type: Content of: <reference><refentry><refsect1><para>
++#: sssd.conf.5.xml:3368
+ msgid "ad_server,"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd.conf.5.xml:3345
++#: sssd.conf.5.xml:3369
+ msgid "ad_backup_server,"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd.conf.5.xml:3346
++#: sssd.conf.5.xml:3370
+ msgid "ad_site,"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para>
+-#: sssd.conf.5.xml:3347 sssd-ipa.5.xml:782
++#: sssd.conf.5.xml:3371 sssd-ipa.5.xml:782
+ msgid "use_fully_qualified_names"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd.conf.5.xml:3349
++#: sssd.conf.5.xml:3373
+ msgid ""
+ "For more details about these options see their individual description in the "
+ "manual page."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><title>
+-#: sssd.conf.5.xml:3355 idmap_sss.8.xml:43
++#: sssd.conf.5.xml:3379
++#, fuzzy
++#| msgid "CONFIGURATION OPTIONS"
++msgid "PROMPTING CONFIGURATION SECTION"
++msgstr "KONFIGURATIONSOPTIONEN"
++
++#. type: Content of: <reference><refentry><refsect1><para>
++#: sssd.conf.5.xml:3381
++msgid ""
++"If a special file (<filename>/var/lib/sss/pubconf/pam_preauth_available</"
++"filename>)  exists SSSD's PAM module pam_sss will ask SSSD to figure out "
++"which authentication methods are available for the user trying to log in.  "
++"Based on the results pam_sss will prompt the user for appropriate "
++"credentials."
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para>
++#: sssd.conf.5.xml:3389
++msgid ""
++"With the growing number of authentication methods and the possibility that "
++"there are multiple ones for a single user the heuristic used by pam_sss to "
++"select the prompting might not be suitable for all use cases. To following "
++"options should provide a better flexibility here."
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
++#: sssd.conf.5.xml:3401
++msgid "[prompting/password]"
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
++#: sssd.conf.5.xml:3404
++#, fuzzy
++#| msgid "password"
++msgid "password_prompt"
++msgstr "password"
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
++#: sssd.conf.5.xml:3405
++msgid "to change the string of the password prompt"
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
++#: sssd.conf.5.xml:3403
++#, fuzzy
++#| msgid ""
++#| "Options valid for proxy domains.  <placeholder type=\"variablelist\" id="
++#| "\"0\"/>"
++msgid ""
++"to configure password prompting, allowed options are: <placeholder type="
++"\"variablelist\" id=\"0\"/>"
++msgstr ""
++"gültige Optionen für Proxy-Domains. <placeholder type=\"variablelist\" id="
++"\"0\"/>"
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
++#: sssd.conf.5.xml:3413
++msgid "[prompting/2fa]"
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
++#: sssd.conf.5.xml:3417
++msgid "first_prompt"
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
++#: sssd.conf.5.xml:3418
++msgid "to change the string of the prompt for the first factor"
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
++#: sssd.conf.5.xml:3421
++msgid "second_prompt"
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
++#: sssd.conf.5.xml:3422
++msgid "to change the string of the prompt for the second factor"
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
++#: sssd.conf.5.xml:3425
++msgid "single_prompt"
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
++#: sssd.conf.5.xml:3426
++msgid ""
++"boolean value, if True there will be only a single prompt using the value of "
++"first_prompt where it is expected that both factor are entered as a single "
++"string"
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
++#: sssd.conf.5.xml:3415
++#, fuzzy
++#| msgid ""
++#| "Options valid for proxy domains.  <placeholder type=\"variablelist\" id="
++#| "\"0\"/>"
++msgid ""
++"to configure two-factor authentication prompting, allowed options are: "
++"<placeholder type=\"variablelist\" id=\"0\"/>"
++msgstr ""
++"gültige Optionen für Proxy-Domains. <placeholder type=\"variablelist\" id="
++"\"0\"/>"
++
++#. type: Content of: <reference><refentry><refsect1><para>
++#: sssd.conf.5.xml:3396
++msgid ""
++"Each supported authentication method has it's own configuration sub-section "
++"under <quote>[prompting/...]</quote>. Currently there are: <placeholder type="
++"\"variablelist\" id=\"0\"/> <placeholder type=\"variablelist\" id=\"1\"/>"
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para>
++#: sssd.conf.5.xml:3438
++msgid ""
++"It is possible to add a sub-section for specific PAM services like e.g. "
++"<quote>[prompting/password/sshd]</quote> to individual change the prompting "
++"for this service."
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><title>
++#: sssd.conf.5.xml:3445 idmap_sss.8.xml:43
+ msgid "EXAMPLES"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><programlisting>
+-#: sssd.conf.5.xml:3361
++#: sssd.conf.5.xml:3451
+ #, no-wrap
+ msgid ""
+ "[sssd]\n"
+@@ -4438,7 +4602,7 @@ msgstr ""
+ "enumerate = False\n"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd.conf.5.xml:3357
++#: sssd.conf.5.xml:3447
+ msgid ""
+ "1. The following example shows a typical SSSD config. It does not describe "
+ "configuration of the domains themselves - refer to documentation on "
+@@ -4447,7 +4611,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><programlisting>
+-#: sssd.conf.5.xml:3394
++#: sssd.conf.5.xml:3484
+ #, no-wrap
+ msgid ""
+ "[domain/ipa.com/child.ad.com]\n"
+@@ -4455,7 +4619,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd.conf.5.xml:3388
++#: sssd.conf.5.xml:3478
+ msgid ""
+ "2. The following example shows configuration of IPA AD trust where the AD "
+ "forest consists of two domains in a parent-child structure.  Suppose IPA "
+@@ -5506,7 +5670,7 @@ msgstr "das LDAP-Attribut, das dem vollständigen Benutzernamen entspricht"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:797 sssd-ldap.5.xml:1199 sssd-ldap.5.xml:1273
+-#: sssd-ldap.5.xml:1382 sssd-ldap.5.xml:2443 sssd-ipa.5.xml:607
++#: sssd-ldap.5.xml:1382 sssd-ldap.5.xml:2463 sssd-ipa.5.xml:607
+ msgid "Default: cn"
+ msgstr "Voreinstellung: cn"
+ 
+@@ -6282,7 +6446,7 @@ msgstr ""
+ "Lebensdauer) verwendet."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1511 sssd-ldap.5.xml:2600
++#: sssd-ldap.5.xml:1511 sssd-ldap.5.xml:2620
+ msgid "Default: 900 (15 minutes)"
+ msgstr "Voreinstellung: 900 (15 Minuten)"
+ 
+@@ -6414,13 +6578,16 @@ msgstr ""
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:1604
+ msgid ""
+-"You can turn off dereference lookups completely by setting the value to 0."
++"You can turn off dereference lookups completely by setting the value to 0. "
++"Please note that there are some codepaths in SSSD, like the IPA HBAC "
++"provider, that are only implemented using the dereference call, so even with "
++"dereference explicitly disabled, those parts will still use dereference if "
++"the server supports it and advertises the dereference control in the rootDSE "
++"object."
+ msgstr ""
+-"Sie können dereferenzierendes Nachschlagen komplett ausschalten, indem Sie "
+-"den Wert auf 0 setzen."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1608
++#: sssd-ldap.5.xml:1615
+ msgid ""
+ "A dereference lookup is a means of fetching all group members in a single "
+ "LDAP call.  Different LDAP servers may implement different dereference "
+@@ -6433,7 +6600,7 @@ msgstr ""
+ "unterstützten Server sind 389/RHDS, OpenLDAP und Active Directory."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1616
++#: sssd-ldap.5.xml:1623
+ msgid ""
+ "<emphasis>Note:</emphasis> If any of the search bases specifies a search "
+ "filter, then the dereference lookup performance enhancement will be disabled "
+@@ -6444,12 +6611,12 @@ msgstr ""
+ "Nachschlagen ohne Rücksicht auf die Einstellung deaktiviert."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1629
++#: sssd-ldap.5.xml:1636
+ msgid "ldap_tls_reqcert (string)"
+ msgstr "ldap_tls_reqcert (Zeichenkette)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1632
++#: sssd-ldap.5.xml:1639
+ msgid ""
+ "Specifies what checks to perform on server certificates in a TLS session, if "
+ "any. It can be specified as one of the following values:"
+@@ -6459,7 +6626,7 @@ msgstr ""
+ "Werte angegeben werden:"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1638
++#: sssd-ldap.5.xml:1645
+ msgid ""
+ "<emphasis>never</emphasis> = The client will not request or check any server "
+ "certificate."
+@@ -6468,7 +6635,7 @@ msgstr ""
+ "oder anfordern."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1642
++#: sssd-ldap.5.xml:1649
+ msgid ""
+ "<emphasis>allow</emphasis> = The server certificate is requested. If no "
+ "certificate is provided, the session proceeds normally. If a bad certificate "
+@@ -6480,7 +6647,7 @@ msgstr ""
+ "Sitzung fährt normal fort."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1649
++#: sssd-ldap.5.xml:1656
+ msgid ""
+ "<emphasis>try</emphasis> = The server certificate is requested. If no "
+ "certificate is provided, the session proceeds normally. If a bad certificate "
+@@ -6491,7 +6658,7 @@ msgstr ""
+ "ungültiges Zertifikat bereitgestellt wird, wird die Sitzung sofort beendet."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1655
++#: sssd-ldap.5.xml:1662
+ msgid ""
+ "<emphasis>demand</emphasis> = The server certificate is requested. If no "
+ "certificate is provided, or a bad certificate is provided, the session is "
+@@ -6502,22 +6669,22 @@ msgstr ""
+ "sofort beendet."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1661
++#: sssd-ldap.5.xml:1668
+ msgid "<emphasis>hard</emphasis> = Same as <quote>demand</quote>"
+ msgstr "<emphasis>hard</emphasis> = entspricht »demand«"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1665
++#: sssd-ldap.5.xml:1672
+ msgid "Default: hard"
+ msgstr "Voreinstellung: hard"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1671
++#: sssd-ldap.5.xml:1678
+ msgid "ldap_tls_cacert (string)"
+ msgstr "ldap_tls_cacert (Zeichenkette)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1674
++#: sssd-ldap.5.xml:1681
+ msgid ""
+ "Specifies the file that contains certificates for all of the Certificate "
+ "Authorities that <command>sssd</command> will recognize."
+@@ -6526,7 +6693,7 @@ msgstr ""
+ "die <command>sssd</command> erkennen wird."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1679 sssd-ldap.5.xml:1697 sssd-ldap.5.xml:1738
++#: sssd-ldap.5.xml:1686 sssd-ldap.5.xml:1704 sssd-ldap.5.xml:1745
+ msgid ""
+ "Default: use OpenLDAP defaults, typically in <filename>/etc/openldap/ldap."
+ "conf</filename>"
+@@ -6535,12 +6702,12 @@ msgstr ""
+ "<filename>/etc/openldap/ldap.conf</filename>"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1686
++#: sssd-ldap.5.xml:1693
+ msgid "ldap_tls_cacertdir (string)"
+ msgstr "ldap_tls_cacertdir (Zeichenkette)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1689
++#: sssd-ldap.5.xml:1696
+ msgid ""
+ "Specifies the path of a directory that contains Certificate Authority "
+ "certificates in separate individual files. Typically the file names need to "
+@@ -6554,33 +6721,33 @@ msgstr ""
+ "Erstellen der korrekten Namen verwendet werden."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1704
++#: sssd-ldap.5.xml:1711
+ msgid "ldap_tls_cert (string)"
+ msgstr "ldap_tls_cert (Zeichenkette)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1707
++#: sssd-ldap.5.xml:1714
+ msgid "Specifies the file that contains the certificate for the client's key."
+ msgstr ""
+ "gibt die Datei an, die das Zertifikat für den Schlüssel des Clients enthält."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1717
++#: sssd-ldap.5.xml:1724
+ msgid "ldap_tls_key (string)"
+ msgstr "ldap_tls_key (Zeichenkette)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1720
++#: sssd-ldap.5.xml:1727
+ msgid "Specifies the file that contains the client's key."
+ msgstr "gibt die Datei an, die den Schlüssel des Clients enthält."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1729
++#: sssd-ldap.5.xml:1736
+ msgid "ldap_tls_cipher_suite (string)"
+ msgstr "ldap_tls_cipher_suite (Zeichenkette)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1732
++#: sssd-ldap.5.xml:1739
+ msgid ""
+ "Specifies acceptable cipher suites.  Typically this is a colon separated "
+ "list.  See <citerefentry><refentrytitle>ldap.conf</refentrytitle> "
+@@ -6588,12 +6755,12 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1745
++#: sssd-ldap.5.xml:1752
+ msgid "ldap_id_use_start_tls (boolean)"
+ msgstr "ldap_id_use_start_tls (Boolesch)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1748
++#: sssd-ldap.5.xml:1755
+ msgid ""
+ "Specifies that the id_provider connection must also use <systemitem class="
+ "\"protocol\">tls</systemitem> to protect the channel."
+@@ -6602,12 +6769,12 @@ msgstr ""
+ "\">tls</systemitem> benutzen muss, um den Kanal abzusichern."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1758
++#: sssd-ldap.5.xml:1765
+ msgid "ldap_id_mapping (boolean)"
+ msgstr "ldap_id_mapping (Boolesch)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1761
++#: sssd-ldap.5.xml:1768
+ msgid ""
+ "Specifies that SSSD should attempt to map user and group IDs from the "
+ "ldap_user_objectsid and ldap_group_objectsid attributes instead of relying "
+@@ -6619,19 +6786,19 @@ msgstr ""
+ "verlassen."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1767
++#: sssd-ldap.5.xml:1774
+ msgid "Currently this feature supports only ActiveDirectory objectSID mapping."
+ msgstr ""
+ "Derzeit unterstützt diese Funktionalität nur das Abbilden von Active-"
+ "Directory-ObjectSIDs."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1777
++#: sssd-ldap.5.xml:1784
+ msgid "ldap_min_id, ldap_max_id (integer)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1780
++#: sssd-ldap.5.xml:1787
+ msgid ""
+ "In contrast to the SID based ID mapping which is used if ldap_id_mapping is "
+ "set to true the allowed ID range for ldap_user_uid_number and "
+@@ -6650,31 +6817,46 @@ msgstr ""
+ "Abbildung von IDs wählen."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1792
++#: sssd-ldap.5.xml:1799
+ msgid "Default: not set (both options are set to 0)"
+ msgstr "Voreinstellung: nicht gesetzt (beide Optionen sind auf 0 gesetzt)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1798
++#: sssd-ldap.5.xml:1805
+ msgid "ldap_sasl_mech (string)"
+ msgstr "ldap_sasl_mech (Zeichenkette)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1801
++#: sssd-ldap.5.xml:1808
++#, fuzzy
++#| msgid ""
++#| "Specify the SASL mechanism to use.  Currently only GSSAPI is tested and "
++#| "supported."
+ msgid ""
+-"Specify the SASL mechanism to use.  Currently only GSSAPI is tested and "
+-"supported."
++"Specify the SASL mechanism to use.  Currently only GSSAPI and GSS-SPNEGO are "
++"tested and supported."
+ msgstr ""
+ "gibt an, welcher SASL-Mechanismus benutzt werden soll. Derzeit ist nur "
+ "GSSAPI getestet und wird unterstützt."
+ 
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
++#: sssd-ldap.5.xml:1812
++msgid ""
++"If the backend supports sub-domains the value of ldap_sasl_mech is "
++"automatically inherited to the sub-domains. If a different value is needed "
++"for a sub-domain it can be overwritten by setting ldap_sasl_mech for this "
++"sub-domain explicitly.  Please see TRUSTED DOMAIN SECTION in "
++"<citerefentry><refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</"
++"manvolnum></citerefentry> for details."
++msgstr ""
++
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1811
++#: sssd-ldap.5.xml:1828
+ msgid "ldap_sasl_authid (string)"
+ msgstr "ldap_sasl_authid (Zeichenkette)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
+-#: sssd-ldap.5.xml:1822
++#: sssd-ldap.5.xml:1840
+ #, no-wrap
+ msgid ""
+ "hostname@REALM\n"
+@@ -6687,29 +6869,29 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1814
++#: sssd-ldap.5.xml:1831
+ msgid ""
+-"Specify the SASL authorization id to use.  When GSSAPI is used, this "
+-"represents the Kerberos principal used for authentication to the directory.  "
+-"This option can either contain the full principal (for example host/"
+-"myhost@EXAMPLE.COM) or just the principal name (for example host/myhost). By "
+-"default, the value is not set and the following principals are used: "
+-"<placeholder type=\"programlisting\" id=\"0\"/> If none of them are found, "
+-"the first principal in keytab is returned."
++"Specify the SASL authorization id to use.  When GSSAPI/GSS-SPNEGO are used, "
++"this represents the Kerberos principal used for authentication to the "
++"directory.  This option can either contain the full principal (for example "
++"host/myhost@EXAMPLE.COM) or just the principal name (for example host/"
++"myhost).  By default, the value is not set and the following principals are "
++"used: <placeholder type=\"programlisting\" id=\"0\"/> If none of them are "
++"found, the first principal in keytab is returned."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1833
++#: sssd-ldap.5.xml:1851
+ msgid "Default: host/hostname@REALM"
+ msgstr "Voreinstellung Rechner/MeinRechner@BEREICH"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1839
++#: sssd-ldap.5.xml:1857
+ msgid "ldap_sasl_realm (string)"
+ msgstr "ldap_sasl_realm (Zeichenkette)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1842
++#: sssd-ldap.5.xml:1860
+ msgid ""
+ "Specify the SASL realm to use. When not specified, this option defaults to "
+ "the value of krb5_realm.  If the ldap_sasl_authid contains the realm as "
+@@ -6720,17 +6902,17 @@ msgstr ""
+ "»ldap_sasl_authid« ebenfalls den Realm enthält, wird diese Option ignoriert."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1848
++#: sssd-ldap.5.xml:1866
+ msgid "Default: the value of krb5_realm."
+ msgstr "Voreinstellung: der Wert von »krb5_realm«"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1854
++#: sssd-ldap.5.xml:1872
+ msgid "ldap_sasl_canonicalize (boolean)"
+ msgstr "ldap_sasl_canonicalize (Boolesch)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1857
++#: sssd-ldap.5.xml:1875
+ msgid ""
+ "If set to true, the LDAP library would perform a reverse lookup to "
+ "canonicalize the host name during a SASL bind."
+@@ -6740,66 +6922,76 @@ msgstr ""
+ "Bind in eine kanonische Form zu bringen."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1862
++#: sssd-ldap.5.xml:1880
+ msgid "Default: false;"
+ msgstr "Voreinstellung: false;"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1868
++#: sssd-ldap.5.xml:1886
+ msgid "ldap_krb5_keytab (string)"
+ msgstr "ldap_krb5_keytab (Zeichenkette)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1871
+-msgid "Specify the keytab to use when using SASL/GSSAPI."
++#: sssd-ldap.5.xml:1889
++#, fuzzy
++#| msgid "Specify the keytab to use when using SASL/GSSAPI."
++msgid "Specify the keytab to use when using SASL/GSSAPI/GSS-SPNEGO."
+ msgstr "gibt die Keytab an, wenn SASL/GSSAPI benutzt wird."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1874
++#: sssd-ldap.5.xml:1893
+ msgid "Default: System keytab, normally <filename>/etc/krb5.keytab</filename>"
+ msgstr ""
+ "Voreinstellung: Keytab des Systems, normalerweise <filename>/etc/krb5."
+ "keytab</filename>"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1880
++#: sssd-ldap.5.xml:1899
+ msgid "ldap_krb5_init_creds (boolean)"
+ msgstr "ldap_krb5_init_creds (Boolesch)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1883
++#: sssd-ldap.5.xml:1902
++#, fuzzy
++#| msgid ""
++#| "Specifies that the id_provider should init Kerberos credentials (TGT).  "
++#| "This action is performed only if SASL is used and the mechanism selected "
++#| "is GSSAPI."
+ msgid ""
+ "Specifies that the id_provider should init Kerberos credentials (TGT).  This "
+ "action is performed only if SASL is used and the mechanism selected is "
+-"GSSAPI."
++"GSSAPI or GSS-SPNEGO."
+ msgstr ""
+ "gibt an, dass der »id_provider« Kerberos-Anmeldedaten (TGT) initialisieren "
+ "soll. Diese Aktion wird nur durchgeführt, falls SASL benutzt wird und der "
+ "ausgewählte Mechnaismus GSSAPI ist."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1895
++#: sssd-ldap.5.xml:1914
+ msgid "ldap_krb5_ticket_lifetime (integer)"
+ msgstr "ldap_krb5_ticket_lifetime (Ganzzahl)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1898
+-msgid "Specifies the lifetime in seconds of the TGT if GSSAPI is used."
++#: sssd-ldap.5.xml:1917
++#, fuzzy
++#| msgid "Specifies the lifetime in seconds of the TGT if GSSAPI is used."
++msgid ""
++"Specifies the lifetime in seconds of the TGT if GSSAPI or GSS-SPNEGO is used."
+ msgstr ""
+ "gibt die Lebensdauer eines TGT in Sekunden an, falls GSSAPI benutzt wird."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1902 sssd-ad.5.xml:959
++#: sssd-ldap.5.xml:1921 sssd-ad.5.xml:978
+ msgid "Default: 86400 (24 hours)"
+ msgstr "Voreinstellung: 86400 (24 Stunden)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1908 sssd-krb5.5.xml:74
++#: sssd-ldap.5.xml:1927 sssd-krb5.5.xml:74
+ msgid "krb5_server, krb5_backup_server (string)"
+ msgstr "krb5_server, krb5_backup_server (Zeichenkette)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1911
++#: sssd-ldap.5.xml:1930
+ msgid ""
+ "Specifies the comma-separated list of IP addresses or hostnames of the "
+ "Kerberos servers to which SSSD should connect in the order of preference. "
+@@ -6818,7 +7010,7 @@ msgstr ""
+ "Weitere Informationen finden Sie im Abschnitt »DIENSTSUCHE«."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1923 sssd-krb5.5.xml:89
++#: sssd-ldap.5.xml:1942 sssd-krb5.5.xml:89
+ msgid ""
+ "When using service discovery for KDC or kpasswd servers, SSSD first searches "
+ "for DNS entries that specify _udp as the protocol and falls back to _tcp if "
+@@ -6829,7 +7021,7 @@ msgstr ""
+ "Protokoll angeben. Falls keine gefunden werden, weicht es auf _tcp aus."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1928 sssd-krb5.5.xml:94
++#: sssd-ldap.5.xml:1947 sssd-krb5.5.xml:94
+ msgid ""
+ "This option was named <quote>krb5_kdcip</quote> in earlier releases of SSSD. "
+ "While the legacy name is recognized for the time being, users are advised to "
+@@ -6841,29 +7033,31 @@ msgstr ""
+ "migrieren."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1937 sssd-ipa.5.xml:428 sssd-krb5.5.xml:103
++#: sssd-ldap.5.xml:1956 sssd-ipa.5.xml:428 sssd-krb5.5.xml:103
+ msgid "krb5_realm (string)"
+ msgstr "krb5_realm (Zeichenkette)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1940
+-msgid "Specify the Kerberos REALM (for SASL/GSSAPI auth)."
++#: sssd-ldap.5.xml:1959
++#, fuzzy
++#| msgid "Specify the Kerberos REALM (for SASL/GSSAPI auth)."
++msgid "Specify the Kerberos REALM (for SASL/GSSAPI/GSS-SPNEGO auth)."
+ msgstr "gibt den Kerberos-REALM an (für SASL/GSSAPI-Authentifizierung)."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1943
++#: sssd-ldap.5.xml:1963
+ msgid "Default: System defaults, see <filename>/etc/krb5.conf</filename>"
+ msgstr ""
+ "Voreinstellung: Systemvoreinstellungen, siehe <filename>/etc/krb5.conf</"
+ "filename>"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1949 sssd-krb5.5.xml:462
++#: sssd-ldap.5.xml:1969 sssd-krb5.5.xml:462
+ msgid "krb5_canonicalize (boolean)"
+ msgstr "krb5_canonicalize (Boolesch)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1952
++#: sssd-ldap.5.xml:1972
+ msgid ""
+ "Specifies if the host principal should be canonicalized when connecting to "
+ "LDAP server. This feature is available with MIT Kerberos >= 1.7"
+@@ -6873,12 +7067,12 @@ msgstr ""
+ "Kerberos >= 1.7 verfügbar."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1964 sssd-krb5.5.xml:477
++#: sssd-ldap.5.xml:1984 sssd-krb5.5.xml:477
+ msgid "krb5_use_kdcinfo (boolean)"
+ msgstr "krb5_use_kdcinfo (Boolesch)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1967 sssd-krb5.5.xml:480
++#: sssd-ldap.5.xml:1987 sssd-krb5.5.xml:480
+ msgid ""
+ "Specifies if the SSSD should instruct the Kerberos libraries what realm and "
+ "which KDCs to use. This option is on by default, if you disable it, you need "
+@@ -6894,7 +7088,7 @@ msgstr ""
+ "manvolnum> </citerefentry> einrichten."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1978 sssd-krb5.5.xml:491
++#: sssd-ldap.5.xml:1998 sssd-krb5.5.xml:491
+ msgid ""
+ "See the <citerefentry> <refentrytitle>sssd_krb5_locator_plugin</"
+ "refentrytitle> <manvolnum>8</manvolnum> </citerefentry> manual page for more "
+@@ -6905,12 +7099,12 @@ msgstr ""
+ "refentrytitle> <manvolnum>8</manvolnum> </citerefentry>."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1992
++#: sssd-ldap.5.xml:2012
+ msgid "ldap_pwd_policy (string)"
+ msgstr "ldap_pwd_policy (Zeichenkette)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1995
++#: sssd-ldap.5.xml:2015
+ msgid ""
+ "Select the policy to evaluate the password expiration on the client side. "
+ "The following values are allowed:"
+@@ -6919,7 +7113,7 @@ msgstr ""
+ "Passworts abgeschätzt werden soll. Die folgenden Werte sind erlaubt:"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2000
++#: sssd-ldap.5.xml:2020
+ msgid ""
+ "<emphasis>none</emphasis> - No evaluation on the client side. This option "
+ "cannot disable server-side password policies."
+@@ -6928,7 +7122,7 @@ msgstr ""
+ "kann keine Server-seitigen Passwortregelwerke deaktivieren."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2005
++#: sssd-ldap.5.xml:2025
+ msgid ""
+ "<emphasis>shadow</emphasis> - Use <citerefentry><refentrytitle>shadow</"
+ "refentrytitle> <manvolnum>5</manvolnum></citerefentry> style attributes to "
+@@ -6939,7 +7133,7 @@ msgstr ""
+ "manvolnum></citerefentry>, um abzuschätzen, ob das Passwort erloschen ist."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2011
++#: sssd-ldap.5.xml:2031
+ msgid ""
+ "<emphasis>mit_kerberos</emphasis> - Use the attributes used by MIT Kerberos "
+ "to determine if the password has expired. Use chpass_provider=krb5 to update "
+@@ -6951,7 +7145,7 @@ msgstr ""
+ "Passwort geändert wurde."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2020
++#: sssd-ldap.5.xml:2040
+ msgid ""
+ "<emphasis>Note</emphasis>: if a password policy is configured on server "
+ "side, it always takes precedence over policy set with this option."
+@@ -6961,17 +7155,17 @@ msgstr ""
+ "festgelegten Regel."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2028
++#: sssd-ldap.5.xml:2048
+ msgid "ldap_referrals (boolean)"
+ msgstr "ldap_referrals (Boolesch)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2031
++#: sssd-ldap.5.xml:2051
+ msgid "Specifies whether automatic referral chasing should be enabled."
+ msgstr "gibt an, ob automatische Verweisverfolgung aktiviert werden soll."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2035
++#: sssd-ldap.5.xml:2055
+ msgid ""
+ "Please note that sssd only supports referral chasing when it is compiled "
+ "with OpenLDAP version 2.4.13 or higher."
+@@ -6980,7 +7174,7 @@ msgstr ""
+ "mit OpenLDAP Version 2.4.13 oder höher kompiliert wurde."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2040
++#: sssd-ldap.5.xml:2060
+ msgid ""
+ "Chasing referrals may incur a performance penalty in environments that use "
+ "them heavily, a notable example is Microsoft Active Directory. If your setup "
+@@ -6994,28 +7188,28 @@ msgstr ""
+ "merkliche Leistungsverbesserung bringen."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2054
++#: sssd-ldap.5.xml:2074
+ msgid "ldap_dns_service_name (string)"
+ msgstr "ldap_dns_service_name (Zeichenkette)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2057
++#: sssd-ldap.5.xml:2077
+ msgid "Specifies the service name to use when service discovery is enabled."
+ msgstr ""
+ "gibt an, welcher Dienstname bei aktivierter Dienstsuche benutzt werden soll."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2061
++#: sssd-ldap.5.xml:2081
+ msgid "Default: ldap"
+ msgstr "Voreinstellung: ldap"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2067
++#: sssd-ldap.5.xml:2087
+ msgid "ldap_chpass_dns_service_name (string)"
+ msgstr "ldap_chpass_dns_service_name (Zeichenkette)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2070
++#: sssd-ldap.5.xml:2090
+ msgid ""
+ "Specifies the service name to use to find an LDAP server which allows "
+ "password changes when service discovery is enabled."
+@@ -7024,17 +7218,17 @@ msgstr ""
+ "soll, der Passwortänderungen bei aktivierter Dienstsuche ermöglicht."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2075
++#: sssd-ldap.5.xml:2095
+ msgid "Default: not set, i.e. service discovery is disabled"
+ msgstr "Voreinstellung: nicht gesetzt, d.h. Dienstsuche ist deaktiviert"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2081
++#: sssd-ldap.5.xml:2101
+ msgid "ldap_chpass_update_last_change (bool)"
+ msgstr "ldap_chpass_update_last_change (Boolesch)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2084
++#: sssd-ldap.5.xml:2104
+ msgid ""
+ "Specifies whether to update the ldap_user_shadow_last_change attribute with "
+ "days since the Epoch after a password change operation."
+@@ -7043,12 +7237,12 @@ msgstr ""
+ "Passwortänderung mit Unix-Zeit geändert wird."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2096
++#: sssd-ldap.5.xml:2116
+ msgid "ldap_access_filter (string)"
+ msgstr "ldap_access_filter (Zeichenkette)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2099
++#: sssd-ldap.5.xml:2119
+ msgid ""
+ "If using access_provider = ldap and ldap_access_order = filter (default), "
+ "this option is mandatory. It specifies an LDAP search filter criteria that "
+@@ -7078,12 +7272,12 @@ msgstr ""
+ "refentrytitle><manvolnum>5</manvolnum> </citerefentry>."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2119
++#: sssd-ldap.5.xml:2139
+ msgid "Example:"
+ msgstr "Beispiel:"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><programlisting>
+-#: sssd-ldap.5.xml:2122
++#: sssd-ldap.5.xml:2142
+ #, no-wrap
+ msgid ""
+ "access_provider = ldap\n"
+@@ -7095,7 +7289,7 @@ msgstr ""
+ "                        "
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2126
++#: sssd-ldap.5.xml:2146
+ msgid ""
+ "This example means that access to this host is restricted to users whose "
+ "employeeType attribute is set to \"admin\"."
+@@ -7104,7 +7298,7 @@ msgstr ""
+ "beschränkt, deren employeeType-Attribut auf »admin« gesetzt ist."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2131
++#: sssd-ldap.5.xml:2151
+ msgid ""
+ "Offline caching for this feature is limited to determining whether the "
+ "user's last online login was granted access permission. If they were granted "
+@@ -7113,17 +7307,17 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2139 sssd-ldap.5.xml:2196
++#: sssd-ldap.5.xml:2159 sssd-ldap.5.xml:2216
+ msgid "Default: Empty"
+ msgstr "Voreinstellung: leer"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2145
++#: sssd-ldap.5.xml:2165
+ msgid "ldap_account_expire_policy (string)"
+ msgstr "ldap_account_expire_policy (Zeichenkette)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2148
++#: sssd-ldap.5.xml:2168
+ msgid ""
+ "With this option a client side evaluation of access control attributes can "
+ "be enabled."
+@@ -7132,7 +7326,7 @@ msgstr ""
+ "Zugriffssteuerungsattribute aktiviert werden."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2152
++#: sssd-ldap.5.xml:2172
+ msgid ""
+ "Please note that it is always recommended to use server side access control, "
+ "i.e. the LDAP server should deny the bind request with a suitable error code "
+@@ -7143,12 +7337,12 @@ msgstr ""
+ "einem geeigneten Fehlercode zurückweisen, wenn das Passwort korrekt ist."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2159
++#: sssd-ldap.5.xml:2179
+ msgid "The following values are allowed:"
+ msgstr "Die folgenden Werte sind erlaubt:"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2162
++#: sssd-ldap.5.xml:2182
+ msgid ""
+ "<emphasis>shadow</emphasis>: use the value of ldap_user_shadow_expire to "
+ "determine if the account is expired."
+@@ -7157,7 +7351,7 @@ msgstr ""
+ "»ldap_user_shadow_expire«, um zu bestimmen, ob das Konto abgelaufen ist."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2167
++#: sssd-ldap.5.xml:2187
+ msgid ""
+ "<emphasis>ad</emphasis>: use the value of the 32bit field "
+ "ldap_user_ad_user_account_control and allow access if the second bit is not "
+@@ -7170,7 +7364,7 @@ msgstr ""
+ "gewährt. Außerdem wird die Ablaufzeit des Kontos geprüft."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2174
++#: sssd-ldap.5.xml:2194
+ msgid ""
+ "<emphasis>rhds</emphasis>, <emphasis>ipa</emphasis>, <emphasis>389ds</"
+ "emphasis>: use the value of ldap_ns_account_lock to check if access is "
+@@ -7181,7 +7375,7 @@ msgstr ""
+ "Zugriff erlaubt wird oder nicht."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2180
++#: sssd-ldap.5.xml:2200
+ msgid ""
+ "<emphasis>nds</emphasis>: the values of "
+ "ldap_user_nds_login_allowed_time_map, ldap_user_nds_login_disabled and "
+@@ -7194,7 +7388,7 @@ msgstr ""
+ "Zugriff gewährt wird. Falls diese Attribute fehlen, wird Zugriff erteilt."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2189
++#: sssd-ldap.5.xml:2209
+ msgid ""
+ "Please note that the ldap_access_order configuration option <emphasis>must</"
+ "emphasis> include <quote>expire</quote> in order for the "
+@@ -7205,24 +7399,24 @@ msgstr ""
+ "»ldap_account_expire_policy« funktioniert."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2202
++#: sssd-ldap.5.xml:2222
+ msgid "ldap_access_order (string)"
+ msgstr "ldap_access_order (Zeichenkette)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2205
++#: sssd-ldap.5.xml:2225
+ msgid "Comma separated list of access control options.  Allowed values are:"
+ msgstr ""
+ "durch Kommata getrennte Liste von Zugriffssteuerungsoptionen. Folgende Werte "
+ "sind erlaubt:"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2209
++#: sssd-ldap.5.xml:2229
+ msgid "<emphasis>filter</emphasis>: use ldap_access_filter"
+ msgstr "<emphasis>filter</emphasis>: verwendet »ldap_access_filter«."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2212
++#: sssd-ldap.5.xml:2232
+ msgid ""
+ "<emphasis>lockout</emphasis>: use account locking.  If set, this option "
+ "denies access in case that ldap attribute 'pwdAccountLockedTime' is present "
+@@ -7232,14 +7426,14 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2222
++#: sssd-ldap.5.xml:2242
+ msgid ""
+ "<emphasis> Please note that this option is superseded by the <quote>ppolicy</"
+ "quote> option and might be removed in a future release.  </emphasis>"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2229
++#: sssd-ldap.5.xml:2249
+ msgid ""
+ "<emphasis>ppolicy</emphasis>: use account locking.  If set, this option "
+ "denies access in case that ldap attribute 'pwdAccountLockedTime' is present "
+@@ -7252,12 +7446,12 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2246
++#: sssd-ldap.5.xml:2266
+ msgid "<emphasis>expire</emphasis>: use ldap_account_expire_policy"
+ msgstr "<emphasis>expire</emphasis>: verwendet »ldap_account_expire_policy«."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2250
++#: sssd-ldap.5.xml:2270
+ msgid ""
+ "<emphasis>pwd_expire_policy_reject, pwd_expire_policy_warn, "
+ "pwd_expire_policy_renew: </emphasis> These options are useful if users are "
+@@ -7267,7 +7461,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2260
++#: sssd-ldap.5.xml:2280
+ msgid ""
+ "The difference between these options is the action taken if user password is "
+ "expired: pwd_expire_policy_reject - user is denied to log in, "
+@@ -7277,20 +7471,20 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2268
++#: sssd-ldap.5.xml:2288
+ msgid ""
+ "Note If user password is expired no explicit message is prompted by SSSD."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2272
++#: sssd-ldap.5.xml:2292
+ msgid ""
+ "Please note that 'access_provider = ldap' must be set for this feature to "
+ "work. Also 'ldap_pwd_policy' must be set to an appropriate password policy."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2277
++#: sssd-ldap.5.xml:2297
+ msgid ""
+ "<emphasis>authorized_service</emphasis>: use the authorizedService attribute "
+ "to determine access"
+@@ -7299,33 +7493,33 @@ msgstr ""
+ "»authorizedService«, um zu bestimmen, ob Zugriff gewährt wird."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2282
++#: sssd-ldap.5.xml:2302
+ msgid "<emphasis>host</emphasis>: use the host attribute to determine access"
+ msgstr ""
+ "<emphasis>host</emphasis>: verwendet das Attribut »host«, um zu bestimmen, "
+ "ob Zugriff gewährt wird."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2286
++#: sssd-ldap.5.xml:2306
+ msgid ""
+ "<emphasis>rhost</emphasis>: use the rhost attribute to determine whether "
+ "remote host can access"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2290
++#: sssd-ldap.5.xml:2310
+ msgid ""
+ "Please note, rhost field in pam is set by application, it is better to check "
+ "what the application sends to pam, before enabling this access control option"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2295
++#: sssd-ldap.5.xml:2315
+ msgid "Default: filter"
+ msgstr "Voreinstellung: filter"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2298
++#: sssd-ldap.5.xml:2318
+ msgid ""
+ "Please note that it is a configuration error if a value is used more than "
+ "once."
+@@ -7334,12 +7528,12 @@ msgstr ""
+ "mehr als einmal benutzt wird."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2305
++#: sssd-ldap.5.xml:2325
+ msgid "ldap_pwdlockout_dn (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2308
++#: sssd-ldap.5.xml:2328
+ msgid ""
+ "This option specifies the DN of password policy entry on LDAP server. Please "
+ "note that absence of this option in sssd.conf in case of enabled account "
+@@ -7348,22 +7542,22 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2316
++#: sssd-ldap.5.xml:2336
+ msgid "Example: cn=ppolicy,ou=policies,dc=example,dc=com"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2319
++#: sssd-ldap.5.xml:2339
+ msgid "Default: cn=ppolicy,ou=policies,$ldap_search_base"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2325
++#: sssd-ldap.5.xml:2345
+ msgid "ldap_deref (string)"
+ msgstr "ldap_deref (Zeichenkette)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2328
++#: sssd-ldap.5.xml:2348
+ msgid ""
+ "Specifies how alias dereferencing is done when performing a search. The "
+ "following options are allowed:"
+@@ -7372,12 +7566,12 @@ msgstr ""
+ "folgenden Optionen sind erlaubt:"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2333
++#: sssd-ldap.5.xml:2353
+ msgid "<emphasis>never</emphasis>: Aliases are never dereferenced."
+ msgstr "<emphasis>never</emphasis>: Alias werden nie dereferenziert."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2337
++#: sssd-ldap.5.xml:2357
+ msgid ""
+ "<emphasis>searching</emphasis>: Aliases are dereferenced in subordinates of "
+ "the base object, but not in locating the base object of the search."
+@@ -7387,7 +7581,7 @@ msgstr ""
+ "Suche."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2342
++#: sssd-ldap.5.xml:2362
+ msgid ""
+ "<emphasis>finding</emphasis>: Aliases are only dereferenced when locating "
+ "the base object of the search."
+@@ -7396,7 +7590,7 @@ msgstr ""
+ "der Suche dereferenziert."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2347
++#: sssd-ldap.5.xml:2367
+ msgid ""
+ "<emphasis>always</emphasis>: Aliases are dereferenced both in searching and "
+ "in locating the base object of the search."
+@@ -7405,7 +7599,7 @@ msgstr ""
+ "Orten des Basisobjekts der Suche dereferenziert."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2352
++#: sssd-ldap.5.xml:2372
+ msgid ""
+ "Default: Empty (this is handled as <emphasis>never</emphasis> by the LDAP "
+ "client libraries)"
+@@ -7414,12 +7608,12 @@ msgstr ""
+ "<emphasis>never</emphasis> gehandhabt.)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2360
++#: sssd-ldap.5.xml:2380
+ msgid "ldap_rfc2307_fallback_to_local_users (boolean)"
+ msgstr "ldap_rfc2307_fallback_to_local_users (Boolesch)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2363
++#: sssd-ldap.5.xml:2383
+ msgid ""
+ "Allows to retain local users as members of an LDAP group for servers that "
+ "use the RFC2307 schema."
+@@ -7428,7 +7622,7 @@ msgstr ""
+ "beizubehalten, die das Schema RFC2307 benutzen."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2367
++#: sssd-ldap.5.xml:2387
+ msgid ""
+ "In some environments where the RFC2307 schema is used, local users are made "
+ "members of LDAP groups by adding their names to the memberUid attribute.  "
+@@ -7446,7 +7640,7 @@ msgstr ""
+ "getpw*() oder initgroups() abzurufen."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2378
++#: sssd-ldap.5.xml:2398
+ msgid ""
+ "This option falls back to checking if local users are referenced, and caches "
+ "them so that later initgroups() calls will augment the local users with the "
+@@ -7457,24 +7651,24 @@ msgstr ""
+ "die lokalen Benutzer um zusätzliche LDAP-Gruppen erweitert werden."
+ 
+ #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2390 sssd-ifp.5.xml:136
++#: sssd-ldap.5.xml:2410 sssd-ifp.5.xml:136
+ msgid "wildcard_limit (integer)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2393
++#: sssd-ldap.5.xml:2413
+ msgid ""
+ "Specifies an upper limit on the number of entries that are downloaded during "
+ "a wildcard lookup."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2397
++#: sssd-ldap.5.xml:2417
+ msgid "At the moment, only the InfoPipe responder supports wildcard lookups."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2401
++#: sssd-ldap.5.xml:2421
+ msgid "Default: 1000 (often the size of one page)"
+ msgstr ""
+ 
+@@ -7494,12 +7688,12 @@ msgstr ""
+ "type=\"variablelist\" id=\"0\"/>"
+ 
+ #. type: Content of: <reference><refentry><refsect1><title>
+-#: sssd-ldap.5.xml:2411
++#: sssd-ldap.5.xml:2431
+ msgid "SUDO OPTIONS"
+ msgstr "SUDO-OPTIONEN"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd-ldap.5.xml:2413
++#: sssd-ldap.5.xml:2433
+ msgid ""
+ "The detailed instructions for configuration of sudo_provider are in the "
+ "manual page <citerefentry> <refentrytitle>sssd-sudo</refentrytitle> "
+@@ -7510,52 +7704,52 @@ msgstr ""
+ "<manvolnum>5</manvolnum> </citerefentry>."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2424
++#: sssd-ldap.5.xml:2444
+ msgid "ldap_sudorule_object_class (string)"
+ msgstr "ldap_sudorule_object_class (Zeichenkette)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2427
++#: sssd-ldap.5.xml:2447
+ msgid "The object class of a sudo rule entry in LDAP."
+ msgstr "die Objektklasse eines Sudo-Regeleintrags in LDAP"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2430
++#: sssd-ldap.5.xml:2450
+ msgid "Default: sudoRole"
+ msgstr "Voreinstellung: sudoRole"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2436
++#: sssd-ldap.5.xml:2456
+ msgid "ldap_sudorule_name (string)"
+ msgstr "ldap_sudorule_name (Zeichenkette)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2439
++#: sssd-ldap.5.xml:2459
+ msgid "The LDAP attribute that corresponds to the sudo rule name."
+ msgstr "das LDAP-Attribut, das dem Namen der Sudo-Regel entspricht"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2449
++#: sssd-ldap.5.xml:2469
+ msgid "ldap_sudorule_command (string)"
+ msgstr "ldap_sudorule_command (Zeichenkette)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2452
++#: sssd-ldap.5.xml:2472
+ msgid "The LDAP attribute that corresponds to the command name."
+ msgstr "das LDAP-Attribut, das dem Namen des Befehls entspricht"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2456
++#: sssd-ldap.5.xml:2476
+ msgid "Default: sudoCommand"
+ msgstr "Voreinstellung: sudoCommand"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2462
++#: sssd-ldap.5.xml:2482
+ msgid "ldap_sudorule_host (string)"
+ msgstr "ldap_sudorule_host (Zeichenkette)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2465
++#: sssd-ldap.5.xml:2485
+ msgid ""
+ "The LDAP attribute that corresponds to the host name (or host IP address, "
+ "host IP network, or host netgroup)"
+@@ -7564,17 +7758,17 @@ msgstr ""
+ "Netzwerk oder des Netzwerkgruppe des Rechners) entspricht"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2470
++#: sssd-ldap.5.xml:2490
+ msgid "Default: sudoHost"
+ msgstr "Voreinstellung: sudoHost"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2476
++#: sssd-ldap.5.xml:2496
+ msgid "ldap_sudorule_user (string)"
+ msgstr "ldap_sudorule_user (Zeichenkette)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2479
++#: sssd-ldap.5.xml:2499
+ msgid ""
+ "The LDAP attribute that corresponds to the user name (or UID, group name or "
+ "user's netgroup)"
+@@ -7583,32 +7777,32 @@ msgstr ""
+ "oder der Netzwerkgruppe des Benutzers) entspricht"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2483
++#: sssd-ldap.5.xml:2503
+ msgid "Default: sudoUser"
+ msgstr "Voreinstellung: sudoUser"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2489
++#: sssd-ldap.5.xml:2509
+ msgid "ldap_sudorule_option (string)"
+ msgstr "ldap_sudorule_option (Zeichenkette)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2492
++#: sssd-ldap.5.xml:2512
+ msgid "The LDAP attribute that corresponds to the sudo options."
+ msgstr "das LDAP-Attribut, das den Sudo-Optionen entspricht"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2496
++#: sssd-ldap.5.xml:2516
+ msgid "Default: sudoOption"
+ msgstr "Voreinstellung: sudoOption"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2502
++#: sssd-ldap.5.xml:2522
+ msgid "ldap_sudorule_runasuser (string)"
+ msgstr "ldap_sudorule_runasuser (Zeichenkette)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2505
++#: sssd-ldap.5.xml:2525
+ msgid ""
+ "The LDAP attribute that corresponds to the user name that commands may be "
+ "run as."
+@@ -7617,17 +7811,17 @@ msgstr ""
+ "ausgeführt werden können"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2509
++#: sssd-ldap.5.xml:2529
+ msgid "Default: sudoRunAsUser"
+ msgstr "Voreinstellung: sudoRunAsUser"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2515
++#: sssd-ldap.5.xml:2535
+ msgid "ldap_sudorule_runasgroup (string)"
+ msgstr "ldap_sudorule_runasgroup (Zeichenkette)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2518
++#: sssd-ldap.5.xml:2538
+ msgid ""
+ "The LDAP attribute that corresponds to the group name or group GID that "
+ "commands may be run as."
+@@ -7636,17 +7830,17 @@ msgstr ""
+ "worunter Befehle ausgeführt werden können"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2522
++#: sssd-ldap.5.xml:2542
+ msgid "Default: sudoRunAsGroup"
+ msgstr "Voreinstellung: sudoRunAsGroup"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2528
++#: sssd-ldap.5.xml:2548
+ msgid "ldap_sudorule_notbefore (string)"
+ msgstr "ldap_sudorule_notbefore (Zeichenkette)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2531
++#: sssd-ldap.5.xml:2551
+ msgid ""
+ "The LDAP attribute that corresponds to the start date/time for when the sudo "
+ "rule is valid."
+@@ -7655,17 +7849,17 @@ msgstr ""
+ "Sudo-Regel gültig wird."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2535
++#: sssd-ldap.5.xml:2555
+ msgid "Default: sudoNotBefore"
+ msgstr "Voreinstellung: sudoNotBefore"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2541
++#: sssd-ldap.5.xml:2561
+ msgid "ldap_sudorule_notafter (string)"
+ msgstr "ldap_sudorule_notafter (Zeichenkette)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2544
++#: sssd-ldap.5.xml:2564
+ msgid ""
+ "The LDAP attribute that corresponds to the expiration date/time, after which "
+ "the sudo rule will no longer be valid."
+@@ -7674,32 +7868,32 @@ msgstr ""
+ "der die Sudo-Regel nicht länger gültig ist."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2549
++#: sssd-ldap.5.xml:2569
+ msgid "Default: sudoNotAfter"
+ msgstr "Voreinstellung: sudoNotAfter"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2555
++#: sssd-ldap.5.xml:2575
+ msgid "ldap_sudorule_order (string)"
+ msgstr "ldap_sudorule_order (Zeichenkette)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2558
++#: sssd-ldap.5.xml:2578
+ msgid "The LDAP attribute that corresponds to the ordering index of the rule."
+ msgstr "das LDAP-Attribut, das dem Reihenfolgenindex der Regel entspricht"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2562
++#: sssd-ldap.5.xml:2582
+ msgid "Default: sudoOrder"
+ msgstr "Voreinstellung: sudoOrder"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2568
++#: sssd-ldap.5.xml:2588
+ msgid "ldap_sudo_full_refresh_interval (integer)"
+ msgstr "ldap_sudo_full_refresh_interval (Ganzzahl)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2571
++#: sssd-ldap.5.xml:2591
+ msgid ""
+ "How many seconds SSSD will wait between executing a full refresh of sudo "
+ "rules (which downloads all rules that are stored on the server)."
+@@ -7709,7 +7903,7 @@ msgstr ""
+ "heruntergeladen werden)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2576
++#: sssd-ldap.5.xml:2596
+ msgid ""
+ "The value must be greater than <emphasis>ldap_sudo_smart_refresh_interval </"
+ "emphasis>"
+@@ -7718,17 +7912,17 @@ msgstr ""
+ "emphasis> sein."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2581
++#: sssd-ldap.5.xml:2601
+ msgid "Default: 21600 (6 hours)"
+ msgstr "Voreinstellung: 21600 (6 Stunden)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2587
++#: sssd-ldap.5.xml:2607
+ msgid "ldap_sudo_smart_refresh_interval (integer)"
+ msgstr "ldap_sudo_smart_refresh_interval (Ganzzahl)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2590
++#: sssd-ldap.5.xml:2610
+ msgid ""
+ "How many seconds SSSD has to wait before executing a smart refresh of sudo "
+ "rules (which downloads all rules that have USN higher than the highest USN "
+@@ -7739,7 +7933,7 @@ msgstr ""
+ "höchste USN der zwischengespeicherten Regeln haben, heruntergeladen werden)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2596
++#: sssd-ldap.5.xml:2616
+ msgid ""
+ "If USN attributes are not supported by the server, the modifyTimestamp "
+ "attribute is used instead."
+@@ -7748,12 +7942,12 @@ msgstr ""
+ "das Attribut »modifyTimestamp« benutzt."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2606
++#: sssd-ldap.5.xml:2626
+ msgid "ldap_sudo_use_host_filter (boolean)"
+ msgstr "ldap_sudo_use_host_filter (Boolesch)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2609
++#: sssd-ldap.5.xml:2629
+ msgid ""
+ "If true, SSSD will download only rules that are applicable to this machine "
+ "(using the IPv4 or IPv6 host/network addresses and hostnames)."
+@@ -7763,12 +7957,12 @@ msgstr ""
+ "Netzwerkadressen und Rechnernamen)."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2620
++#: sssd-ldap.5.xml:2640
+ msgid "ldap_sudo_hostnames (string)"
+ msgstr "ldap_sudo_hostnames (Zeichenkette)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2623
++#: sssd-ldap.5.xml:2643
+ msgid ""
+ "Space separated list of hostnames or fully qualified domain names that "
+ "should be used to filter the rules."
+@@ -7777,7 +7971,7 @@ msgstr ""
+ "Domain-Namen, die zum Filtern der Regeln benutzt werden sollen"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2628
++#: sssd-ldap.5.xml:2648
+ msgid ""
+ "If this option is empty, SSSD will try to discover the hostname and the "
+ "fully qualified domain name automatically."
+@@ -7786,8 +7980,8 @@ msgstr ""
+ "voll qualifizierten Domain-Namen automatisch herauszufinden."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2633 sssd-ldap.5.xml:2656 sssd-ldap.5.xml:2674
+-#: sssd-ldap.5.xml:2692
++#: sssd-ldap.5.xml:2653 sssd-ldap.5.xml:2676 sssd-ldap.5.xml:2694
++#: sssd-ldap.5.xml:2712
+ msgid ""
+ "If <emphasis>ldap_sudo_use_host_filter</emphasis> is <emphasis>false</"
+ "emphasis> then this option has no effect."
+@@ -7796,17 +7990,17 @@ msgstr ""
+ "emphasis> ist, hat diese Option keine Auswirkungen."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2638 sssd-ldap.5.xml:2661
++#: sssd-ldap.5.xml:2658 sssd-ldap.5.xml:2681
+ msgid "Default: not specified"
+ msgstr "Voreinstellung: nicht angegeben"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2644
++#: sssd-ldap.5.xml:2664
+ msgid "ldap_sudo_ip (string)"
+ msgstr "ldap_sudo_ip (Zeichenkette)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2647
++#: sssd-ldap.5.xml:2667
+ msgid ""
+ "Space separated list of IPv4 or IPv6 host/network addresses that should be "
+ "used to filter the rules."
+@@ -7815,7 +8009,7 @@ msgstr ""
+ "Netzwerkadressen, die zum Filtern der Regeln benutzt werden sollen"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2652
++#: sssd-ldap.5.xml:2672
+ msgid ""
+ "If this option is empty, SSSD will try to discover the addresses "
+ "automatically."
+@@ -7824,12 +8018,12 @@ msgstr ""
+ "herauszufinden."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2667
++#: sssd-ldap.5.xml:2687
+ msgid "ldap_sudo_include_netgroups (boolean)"
+ msgstr "ldap_sudo_include_netgroups (Boolesch)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2670
++#: sssd-ldap.5.xml:2690
+ msgid ""
+ "If true then SSSD will download every rule that contains a netgroup in "
+ "sudoHost attribute."
+@@ -7838,12 +8032,12 @@ msgstr ""
+ "eine Netzgruppe im Attribut »sudoHost« enthält."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2685
++#: sssd-ldap.5.xml:2705
+ msgid "ldap_sudo_include_regexp (boolean)"
+ msgstr "ldap_sudo_include_regexp (Boolesch)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2688
++#: sssd-ldap.5.xml:2708
+ msgid ""
+ "If true then SSSD will download every rule that contains a wildcard in "
+ "sudoHost attribute."
+@@ -7852,7 +8046,7 @@ msgstr ""
+ "einen Platzhalter im Attribut »sudoHost« enthält."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd-ldap.5.xml:2704
++#: sssd-ldap.5.xml:2724
+ msgid ""
+ "This manual page only describes attribute name mapping.  For detailed "
+ "explanation of sudo related attribute semantics, see <citerefentry> "
+@@ -7865,87 +8059,87 @@ msgstr ""
+ "manvolnum> </citerefentry>."
+ 
+ #. type: Content of: <reference><refentry><refsect1><title>
+-#: sssd-ldap.5.xml:2714
++#: sssd-ldap.5.xml:2734
+ msgid "AUTOFS OPTIONS"
+ msgstr "AUTOFS-OPTIONEN"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd-ldap.5.xml:2716
++#: sssd-ldap.5.xml:2736
+ msgid ""
+ "Some of the defaults for the parameters below are dependent on the LDAP "
+ "schema."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2722
++#: sssd-ldap.5.xml:2742
+ msgid "ldap_autofs_map_master_name (string)"
+ msgstr "ldap_autofs_map_master_name (Zeichenkette)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2725
++#: sssd-ldap.5.xml:2745
+ msgid "The name of the automount master map in LDAP."
+ msgstr "Der Name der Automount-Master-Abbildung in LDAP."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2728
++#: sssd-ldap.5.xml:2748
+ msgid "Default: auto.master"
+ msgstr "Voreinstellung: auto.master"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2735
++#: sssd-ldap.5.xml:2755
+ msgid "ldap_autofs_map_object_class (string)"
+ msgstr "ldap_autofs_map_object_class (Zeichenkette)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2738
++#: sssd-ldap.5.xml:2758
+ msgid "The object class of an automount map entry in LDAP."
+ msgstr "die Objektklasse eines Automount-Abbildungseintrags in LDAP"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2741
++#: sssd-ldap.5.xml:2761
+ msgid "Default: nisMap (rfc2307, autofs_provider=ad), otherwise automountMap"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2749
++#: sssd-ldap.5.xml:2769
+ msgid "ldap_autofs_map_name (string)"
+ msgstr "ldap_autofs_map_name (Zeichenkette)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2752
++#: sssd-ldap.5.xml:2772
+ msgid "The name of an automount map entry in LDAP."
+ msgstr "der Name eines Automount-Abbildungseintrags in LDAP"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2755
++#: sssd-ldap.5.xml:2775
+ msgid ""
+ "Default: nisMapName (rfc2307, autofs_provider=ad), otherwise automountMapName"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2763
++#: sssd-ldap.5.xml:2783
+ msgid "ldap_autofs_entry_object_class (string)"
+ msgstr "ldap_autofs_entry_object_class (Zeichenkette)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2766
++#: sssd-ldap.5.xml:2786
+ msgid ""
+ "The object class of an automount entry in LDAP. The entry usually "
+ "corresponds to a mount point."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2771
++#: sssd-ldap.5.xml:2791
+ msgid "Default: nisObject (rfc2307, autofs_provider=ad), otherwise automount"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2779
++#: sssd-ldap.5.xml:2799
+ msgid "ldap_autofs_entry_key (string)"
+ msgstr "ldap_autofs_entry_key (Zeichenkette)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2782 sssd-ldap.5.xml:2797
++#: sssd-ldap.5.xml:2802 sssd-ldap.5.xml:2817
+ msgid ""
+ "The key of an automount entry in LDAP. The entry usually corresponds to a "
+ "mount point."
+@@ -7954,24 +8148,24 @@ msgstr ""
+ "Eintrag einem Einhängepunkt."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2786
++#: sssd-ldap.5.xml:2806
+ msgid "Default: cn (rfc2307, autofs_provider=ad), otherwise automountKey"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2794
++#: sssd-ldap.5.xml:2814
+ msgid "ldap_autofs_entry_value (string)"
+ msgstr "ldap_autofs_entry_value (Zeichenkette)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2801
++#: sssd-ldap.5.xml:2821
+ msgid ""
+ "Default: nisMapEntry (rfc2307, autofs_provider=ad), otherwise "
+ "automountInformation"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd-ldap.5.xml:2720
++#: sssd-ldap.5.xml:2740
+ msgid ""
+ "<placeholder type=\"variablelist\" id=\"0\"/> <placeholder type="
+ "\"variablelist\" id=\"1\"/> <placeholder type=\"variablelist\" id=\"2\"/> "
+@@ -7984,32 +8178,32 @@ msgstr ""
+ "\"variablelist\" id=\"4\"/> <placeholder type=\"variablelist\" id=\"5\"/>"
+ 
+ #. type: Content of: <reference><refentry><refsect1><title>
+-#: sssd-ldap.5.xml:2812
++#: sssd-ldap.5.xml:2832
+ msgid "ADVANCED OPTIONS"
+ msgstr "ERWEITERTE OPTIONEN"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2819
++#: sssd-ldap.5.xml:2839
+ msgid "ldap_netgroup_search_base (string)"
+ msgstr "ldap_netgroup_search_base (Zeichenkette)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2824
++#: sssd-ldap.5.xml:2844
+ msgid "ldap_user_search_base (string)"
+ msgstr "ldap_user_search_base (Zeichenkette)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2829
++#: sssd-ldap.5.xml:2849
+ msgid "ldap_group_search_base (string)"
+ msgstr "ldap_group_search_base (Zeichenkette)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><note>
+-#: sssd-ldap.5.xml:2834
++#: sssd-ldap.5.xml:2854
+ msgid "<note>"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><note><para>
+-#: sssd-ldap.5.xml:2836
++#: sssd-ldap.5.xml:2856
+ msgid ""
+ "If the option <quote>ldap_use_tokengroups</quote> is enabled, the searches "
+ "against Active Directory will not be restricted and return all groups "
+@@ -8018,22 +8212,22 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist>
+-#: sssd-ldap.5.xml:2843
++#: sssd-ldap.5.xml:2863
+ msgid "</note>"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2845
++#: sssd-ldap.5.xml:2865
+ msgid "ldap_sudo_search_base (string)"
+ msgstr "ldap_sudo_search_base (Zeichenkette)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2850
++#: sssd-ldap.5.xml:2870
+ msgid "ldap_autofs_search_base (string)"
+ msgstr "ldap_autofs_search_base (Zeichenkette)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd-ldap.5.xml:2814
++#: sssd-ldap.5.xml:2834
+ msgid ""
+ "These options are supported by LDAP domains, but they should be used with "
+ "caution. Please include them in your configuration only if you know what you "
+@@ -8042,14 +8236,14 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><title>
+-#: sssd-ldap.5.xml:2865 sssd-simple.5.xml:131 sssd-ipa.5.xml:828
+-#: sssd-ad.5.xml:1063 sssd-krb5.5.xml:570 sss_rpcidmapd.5.xml:98
++#: sssd-ldap.5.xml:2885 sssd-simple.5.xml:131 sssd-ipa.5.xml:828
++#: sssd-ad.5.xml:1082 sssd-krb5.5.xml:604 sss_rpcidmapd.5.xml:98
+ #: sssd-files.5.xml:103 sssd-session-recording.5.xml:144
+ msgid "EXAMPLE"
+ msgstr "BEISPIEL"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd-ldap.5.xml:2867
++#: sssd-ldap.5.xml:2887
+ msgid ""
+ "The following example assumes that SSSD is correctly configured and LDAP is "
+ "set to one of the domains in the <replaceable>[domains]</replaceable> "
+@@ -8060,7 +8254,7 @@ msgstr ""
+ "gesetzt ist."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><programlisting>
+-#: sssd-ldap.5.xml:2873
++#: sssd-ldap.5.xml:2893
+ #, no-wrap
+ msgid ""
+ "[domain/LDAP]\n"
+@@ -8073,27 +8267,27 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <refsect1><refsect2><para>
+-#: sssd-ldap.5.xml:2872 sssd-ldap.5.xml:2890 sssd-simple.5.xml:139
+-#: sssd-ipa.5.xml:836 sssd-ad.5.xml:1071 sssd-sudo.5.xml:56 sssd-krb5.5.xml:579
++#: sssd-ldap.5.xml:2892 sssd-ldap.5.xml:2910 sssd-simple.5.xml:139
++#: sssd-ipa.5.xml:836 sssd-ad.5.xml:1090 sssd-sudo.5.xml:56 sssd-krb5.5.xml:613
+ #: sssd-files.5.xml:110 sssd-session-recording.5.xml:150
+ #: include/ldap_id_mapping.xml:105
+ msgid "<placeholder type=\"programlisting\" id=\"0\"/>"
+ msgstr "<placeholder type=\"programlisting\" id=\"0\"/>"
+ 
+ #. type: Content of: <reference><refentry><refsect1><title>
+-#: sssd-ldap.5.xml:2884
++#: sssd-ldap.5.xml:2904
+ msgid "LDAP ACCESS FILTER EXAMPLE"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd-ldap.5.xml:2886
++#: sssd-ldap.5.xml:2906
+ msgid ""
+ "The following example assumes that SSSD is correctly configured and to use "
+ "the ldap_access_order=lockout."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><programlisting>
+-#: sssd-ldap.5.xml:2891
++#: sssd-ldap.5.xml:2911
+ #, no-wrap
+ msgid ""
+ "[domain/LDAP]\n"
+@@ -8109,13 +8303,13 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><title>
+-#: sssd-ldap.5.xml:2906 sssd_krb5_locator_plugin.8.xml:83 sssd-simple.5.xml:148
+-#: sssd-ad.5.xml:1086 sssd.8.xml:230 sss_seed.8.xml:163
++#: sssd-ldap.5.xml:2926 sssd_krb5_locator_plugin.8.xml:83 sssd-simple.5.xml:148
++#: sssd-ad.5.xml:1105 sssd.8.xml:230 sss_seed.8.xml:163
+ msgid "NOTES"
+ msgstr "ANMERKUNGEN"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd-ldap.5.xml:2908
++#: sssd-ldap.5.xml:2928
+ msgid ""
+ "The descriptions of some of the configuration options in this manual page "
+ "are based on the <citerefentry> <refentrytitle>ldap.conf</refentrytitle> "
+@@ -9711,7 +9905,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ipa.5.xml:128 sssd-ad.5.xml:888
++#: sssd-ipa.5.xml:128 sssd-ad.5.xml:907
+ msgid "dyndns_update (boolean)"
+ msgstr "dyndns_update (Boolesch)"
+ 
+@@ -9726,7 +9920,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ipa.5.xml:140 sssd-ad.5.xml:902
++#: sssd-ipa.5.xml:140 sssd-ad.5.xml:921
+ msgid ""
+ "NOTE: On older systems (such as RHEL 5), for this behavior to work reliably, "
+ "the default Kerberos realm must be set properly in /etc/krb5.conf"
+@@ -9748,12 +9942,12 @@ msgstr ""
+ "Konfigurationsdatei migrieren."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ipa.5.xml:157 sssd-ad.5.xml:913
++#: sssd-ipa.5.xml:157 sssd-ad.5.xml:932
+ msgid "dyndns_ttl (integer)"
+ msgstr "dyndns_ttl (Ganzzahl)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ipa.5.xml:160 sssd-ad.5.xml:916
++#: sssd-ipa.5.xml:160 sssd-ad.5.xml:935
+ msgid ""
+ "The TTL to apply to the client DNS record when updating it.  If "
+ "dyndns_update is false this has no effect. This will override the TTL "
+@@ -9782,12 +9976,12 @@ msgid "Default: 1200 (seconds)"
+ msgstr "Voreinstellung: 1200 (Sekunden)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ipa.5.xml:177 sssd-ad.5.xml:927
++#: sssd-ipa.5.xml:177 sssd-ad.5.xml:946
+ msgid "dyndns_iface (string)"
+ msgstr "dyndns_iface (Zeichenkette)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ipa.5.xml:180 sssd-ad.5.xml:930
++#: sssd-ipa.5.xml:180 sssd-ad.5.xml:949
+ msgid ""
+ "Optional. Applicable only when dyndns_update is true. Choose the interface "
+ "or a list of interfaces whose IP addresses should be used for dynamic DNS "
+@@ -9815,17 +10009,17 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ipa.5.xml:197 sssd-ad.5.xml:941
++#: sssd-ipa.5.xml:197 sssd-ad.5.xml:960
+ msgid "Example: dyndns_iface = em1, vnet1, vnet2"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ipa.5.xml:203 sssd-ad.5.xml:992
++#: sssd-ipa.5.xml:203 sssd-ad.5.xml:1011
+ msgid "dyndns_auth (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ipa.5.xml:206 sssd-ad.5.xml:995
++#: sssd-ipa.5.xml:206 sssd-ad.5.xml:1014
+ msgid ""
+ "Whether the nsupdate utility should use GSS-TSIG authentication for secure "
+ "updates with the DNS server, insecure updates can be sent by setting this "
+@@ -9833,7 +10027,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ipa.5.xml:212 sssd-ad.5.xml:1001
++#: sssd-ipa.5.xml:212 sssd-ad.5.xml:1020
+ msgid "Default: GSS-TSIG"
+ msgstr ""
+ 
+@@ -9868,7 +10062,7 @@ msgstr ""
+ "gefundenen als Sicherungsserver."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ipa.5.xml:244 sssd-ad.5.xml:947
++#: sssd-ipa.5.xml:244 sssd-ad.5.xml:966
+ msgid "dyndns_refresh_interval (integer)"
+ msgstr "dyndns_refresh_interval (Ganzzahl)"
+ 
+@@ -9884,12 +10078,12 @@ msgstr ""
+ "Diese Option ist optional und nur anwendbar, wenn »dyndns_update« »true« ist."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ipa.5.xml:260 sssd-ad.5.xml:965
++#: sssd-ipa.5.xml:260 sssd-ad.5.xml:984
+ msgid "dyndns_update_ptr (bool)"
+ msgstr "dyndns_update_ptr (Boolesch)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ipa.5.xml:263 sssd-ad.5.xml:968
++#: sssd-ipa.5.xml:263 sssd-ad.5.xml:987
+ msgid ""
+ "Whether the PTR record should also be explicitly updated when updating the "
+ "client's DNS records.  Applicable only when dyndns_update is true."
+@@ -9914,12 +10108,12 @@ msgid "Default: False (disabled)"
+ msgstr "Voreinstellung: False (deaktiviert)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ipa.5.xml:280 sssd-ad.5.xml:979
++#: sssd-ipa.5.xml:280 sssd-ad.5.xml:998
+ msgid "dyndns_force_tcp (bool)"
+ msgstr "dyndns_force_tcp (Boolesch)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ipa.5.xml:283 sssd-ad.5.xml:982
++#: sssd-ipa.5.xml:283 sssd-ad.5.xml:1001
+ msgid ""
+ "Whether the nsupdate utility should default to using TCP for communicating "
+ "with the DNS server."
+@@ -9928,38 +10122,38 @@ msgstr ""
+ "DNS-Server verwenden soll"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ipa.5.xml:287 sssd-ad.5.xml:986
++#: sssd-ipa.5.xml:287 sssd-ad.5.xml:1005
+ msgid "Default: False (let nsupdate choose the protocol)"
+ msgstr "Voreinstellung: False (lässt Nsupdate das Protokoll auswählen)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ipa.5.xml:293 sssd-ad.5.xml:1007
++#: sssd-ipa.5.xml:293 sssd-ad.5.xml:1026
+ msgid "dyndns_server (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ipa.5.xml:296 sssd-ad.5.xml:1010
++#: sssd-ipa.5.xml:296 sssd-ad.5.xml:1029
+ msgid ""
+ "The DNS server to use when performing a DNS update. In most setups, it's "
+ "recommended to leave this option unset."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ipa.5.xml:301 sssd-ad.5.xml:1015
++#: sssd-ipa.5.xml:301 sssd-ad.5.xml:1034
+ msgid ""
+ "Setting this option makes sense for environments where the DNS server is "
+ "different from the identity server."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ipa.5.xml:306 sssd-ad.5.xml:1020
++#: sssd-ipa.5.xml:306 sssd-ad.5.xml:1039
+ msgid ""
+ "Please note that this option will be only used in fallback attempt when "
+ "previous attempt using autodetected settings failed."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ipa.5.xml:311 sssd-ad.5.xml:1025
++#: sssd-ipa.5.xml:311 sssd-ad.5.xml:1044
+ msgid "Default: None (let nsupdate choose the server)"
+ msgstr ""
+ 
+@@ -10083,26 +10277,26 @@ msgstr ""
+ "zu verwenden."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ipa.5.xml:443 sssd-ad.5.xml:1034
++#: sssd-ipa.5.xml:443 sssd-ad.5.xml:1053
+ msgid "krb5_confd_path (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ipa.5.xml:446 sssd-ad.5.xml:1037
++#: sssd-ipa.5.xml:446 sssd-ad.5.xml:1056
+ msgid ""
+ "Absolute path of a directory where SSSD should place Kerberos configuration "
+ "snippets."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ipa.5.xml:450 sssd-ad.5.xml:1041
++#: sssd-ipa.5.xml:450 sssd-ad.5.xml:1060
+ msgid ""
+ "To disable the creation of the configuration snippets set the parameter to "
+ "'none'."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ipa.5.xml:454 sssd-ad.5.xml:1045
++#: sssd-ipa.5.xml:454 sssd-ad.5.xml:1064
+ msgid ""
+ "Default: not set (krb5.include.d subdirectory of SSSD's pubconf directory)"
+ msgstr ""
+@@ -10121,7 +10315,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ipa.5.xml:471 sssd-ipa.5.xml:501 sssd-ipa.5.xml:517 sssd-ad.5.xml:452
++#: sssd-ipa.5.xml:471 sssd-ipa.5.xml:501 sssd-ipa.5.xml:517 sssd-ad.5.xml:471
+ msgid "Default: 5 (seconds)"
+ msgstr "Voreinstellung: 5 (Sekunden)"
+ 
+@@ -11115,12 +11309,29 @@ msgid "Default: False (seconds)"
+ msgstr "Voreinstellung: 5 (Sekunden)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ad.5.xml:442
++#: sssd-ad.5.xml:441
++#, fuzzy
++#| msgid "ad_enable_gc (boolean)"
++msgid "ad_gpo_ignore_unreadable (boolean)"
++msgstr "ad_enable_gc (Boolesch)"
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
++#: sssd-ad.5.xml:444
++msgid ""
++"Normally when some group policy containers (AD object) of applicable group "
++"policy objects are not readable by SSSD then users are denied access.  This "
++"option allows to ignore group policy containers and with them associated "
++"policies if their attributes in group policy containers are not readable for "
++"SSSD."
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
++#: sssd-ad.5.xml:461
+ msgid "ad_gpo_cache_timeout (integer)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:445
++#: sssd-ad.5.xml:464
+ msgid ""
+ "The amount of time between lookups of GPO policy files against the AD "
+ "server. This will reduce the latency and load on the AD server if there are "
+@@ -11128,12 +11339,12 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ad.5.xml:458
++#: sssd-ad.5.xml:477
+ msgid "ad_gpo_map_interactive (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:461
++#: sssd-ad.5.xml:480
+ msgid ""
+ "A comma-separated list of PAM service names for which GPO-based access "
+ "control is evaluated based on the InteractiveLogonRight and "
+@@ -11141,14 +11352,14 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:467
++#: sssd-ad.5.xml:486
+ msgid ""
+ "Note: Using the Group Policy Management Editor this value is called \"Allow "
+ "log on locally\" and \"Deny log on locally\"."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
+-#: sssd-ad.5.xml:481
++#: sssd-ad.5.xml:500
+ #, no-wrap
+ msgid ""
+ "ad_gpo_map_interactive = +my_pam_service, -login\n"
+@@ -11156,7 +11367,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:472
++#: sssd-ad.5.xml:491
+ msgid ""
+ "It is possible to add another PAM service name to the default set by using "
+ "<quote>+service_name</quote> or to explicitly remove a PAM service name from "
+@@ -11168,42 +11379,42 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd-ad.5.xml:504
++#: sssd-ad.5.xml:523
+ msgid "gdm-fingerprint"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd-ad.5.xml:524
++#: sssd-ad.5.xml:543
+ msgid "lightdm"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd-ad.5.xml:529
++#: sssd-ad.5.xml:548
+ msgid "lxdm"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd-ad.5.xml:534
++#: sssd-ad.5.xml:553
+ msgid "sddm"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd-ad.5.xml:539
++#: sssd-ad.5.xml:558
+ msgid "unity"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd-ad.5.xml:544
++#: sssd-ad.5.xml:563
+ msgid "xdm"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ad.5.xml:553
++#: sssd-ad.5.xml:572
+ msgid "ad_gpo_map_remote_interactive (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:556
++#: sssd-ad.5.xml:575
+ msgid ""
+ "A comma-separated list of PAM service names for which GPO-based access "
+ "control is evaluated based on the RemoteInteractiveLogonRight and "
+@@ -11211,7 +11422,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:562
++#: sssd-ad.5.xml:581
+ msgid ""
+ "Note: Using the Group Policy Management Editor this value is called \"Allow "
+ "log on through Remote Desktop Services\" and \"Deny log on through Remote "
+@@ -11219,7 +11430,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
+-#: sssd-ad.5.xml:577
++#: sssd-ad.5.xml:596
+ #, no-wrap
+ msgid ""
+ "ad_gpo_map_remote_interactive = +my_pam_service, -sshd\n"
+@@ -11227,7 +11438,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:568
++#: sssd-ad.5.xml:587
+ msgid ""
+ "It is possible to add another PAM service name to the default set by using "
+ "<quote>+service_name</quote> or to explicitly remove a PAM service name from "
+@@ -11239,22 +11450,22 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd-ad.5.xml:585
++#: sssd-ad.5.xml:604
+ msgid "sshd"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd-ad.5.xml:590
++#: sssd-ad.5.xml:609
+ msgid "cockpit"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ad.5.xml:599
++#: sssd-ad.5.xml:618
+ msgid "ad_gpo_map_network (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:602
++#: sssd-ad.5.xml:621
+ msgid ""
+ "A comma-separated list of PAM service names for which GPO-based access "
+ "control is evaluated based on the NetworkLogonRight and "
+@@ -11262,7 +11473,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:608
++#: sssd-ad.5.xml:627
+ msgid ""
+ "Note: Using the Group Policy Management Editor this value is called \"Access "
+ "this computer from the network\" and \"Deny access to this computer from the "
+@@ -11270,7 +11481,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
+-#: sssd-ad.5.xml:623
++#: sssd-ad.5.xml:642
+ #, no-wrap
+ msgid ""
+ "ad_gpo_map_network = +my_pam_service, -ftp\n"
+@@ -11278,7 +11489,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:614
++#: sssd-ad.5.xml:633
+ msgid ""
+ "It is possible to add another PAM service name to the default set by using "
+ "<quote>+service_name</quote> or to explicitly remove a PAM service name from "
+@@ -11290,22 +11501,22 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd-ad.5.xml:631
++#: sssd-ad.5.xml:650
+ msgid "ftp"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd-ad.5.xml:636
++#: sssd-ad.5.xml:655
+ msgid "samba"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ad.5.xml:645
++#: sssd-ad.5.xml:664
+ msgid "ad_gpo_map_batch (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:648
++#: sssd-ad.5.xml:667
+ msgid ""
+ "A comma-separated list of PAM service names for which GPO-based access "
+ "control is evaluated based on the BatchLogonRight and DenyBatchLogonRight "
+@@ -11313,14 +11524,14 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:654
++#: sssd-ad.5.xml:673
+ msgid ""
+ "Note: Using the Group Policy Management Editor this value is called \"Allow "
+ "log on as a batch job\" and \"Deny log on as a batch job\"."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
+-#: sssd-ad.5.xml:668
++#: sssd-ad.5.xml:687
+ #, no-wrap
+ msgid ""
+ "ad_gpo_map_batch = +my_pam_service, -crond\n"
+@@ -11328,7 +11539,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:659
++#: sssd-ad.5.xml:678
+ msgid ""
+ "It is possible to add another PAM service name to the default set by using "
+ "<quote>+service_name</quote> or to explicitly remove a PAM service name from "
+@@ -11340,23 +11551,23 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:671
++#: sssd-ad.5.xml:690
+ msgid ""
+ "Note: Cron service name may differ depending on Linux distribution used."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd-ad.5.xml:677
++#: sssd-ad.5.xml:696
+ msgid "crond"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ad.5.xml:686
++#: sssd-ad.5.xml:705
+ msgid "ad_gpo_map_service (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:689
++#: sssd-ad.5.xml:708
+ msgid ""
+ "A comma-separated list of PAM service names for which GPO-based access "
+ "control is evaluated based on the ServiceLogonRight and "
+@@ -11364,14 +11575,14 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:695
++#: sssd-ad.5.xml:714
+ msgid ""
+ "Note: Using the Group Policy Management Editor this value is called \"Allow "
+ "log on as a service\" and \"Deny log on as a service\"."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
+-#: sssd-ad.5.xml:708
++#: sssd-ad.5.xml:727
+ #, no-wrap
+ msgid ""
+ "ad_gpo_map_service = +my_pam_service\n"
+@@ -11379,7 +11590,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:700 sssd-ad.5.xml:775
++#: sssd-ad.5.xml:719 sssd-ad.5.xml:794
+ msgid ""
+ "It is possible to add a PAM service name to the default set by using <quote>"
+ "+service_name</quote>.  Since the default set is empty, it is not possible "
+@@ -11390,19 +11601,19 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ad.5.xml:718
++#: sssd-ad.5.xml:737
+ msgid "ad_gpo_map_permit (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:721
++#: sssd-ad.5.xml:740
+ msgid ""
+ "A comma-separated list of PAM service names for which GPO-based access is "
+ "always granted, regardless of any GPO Logon Rights."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
+-#: sssd-ad.5.xml:735
++#: sssd-ad.5.xml:754
+ #, no-wrap
+ msgid ""
+ "ad_gpo_map_permit = +my_pam_service, -sudo\n"
+@@ -11410,7 +11621,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:726
++#: sssd-ad.5.xml:745
+ msgid ""
+ "It is possible to add another PAM service name to the default set by using "
+ "<quote>+service_name</quote> or to explicitly remove a PAM service name from "
+@@ -11422,29 +11633,29 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd-ad.5.xml:743
++#: sssd-ad.5.xml:762
+ msgid "polkit-1"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd-ad.5.xml:758
++#: sssd-ad.5.xml:777
+ msgid "systemd-user"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ad.5.xml:767
++#: sssd-ad.5.xml:786
+ msgid "ad_gpo_map_deny (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:770
++#: sssd-ad.5.xml:789
+ msgid ""
+ "A comma-separated list of PAM service names for which GPO-based access is "
+ "always denied, regardless of any GPO Logon Rights."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
+-#: sssd-ad.5.xml:783
++#: sssd-ad.5.xml:802
+ #, no-wrap
+ msgid ""
+ "ad_gpo_map_deny = +my_pam_service\n"
+@@ -11452,12 +11663,12 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ad.5.xml:793
++#: sssd-ad.5.xml:812
+ msgid "ad_gpo_default_right (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:796
++#: sssd-ad.5.xml:815
+ msgid ""
+ "This option defines how access control is evaluated for PAM service names "
+ "that are not explicitly listed in one of the ad_gpo_map_* options. This "
+@@ -11470,57 +11681,57 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:809
++#: sssd-ad.5.xml:828
+ msgid "Supported values for this option include:"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd-ad.5.xml:813
++#: sssd-ad.5.xml:832
+ msgid "interactive"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd-ad.5.xml:818
++#: sssd-ad.5.xml:837
+ msgid "remote_interactive"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd-ad.5.xml:823
++#: sssd-ad.5.xml:842
+ msgid "network"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd-ad.5.xml:828
++#: sssd-ad.5.xml:847
+ msgid "batch"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd-ad.5.xml:833
++#: sssd-ad.5.xml:852
+ msgid "service"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd-ad.5.xml:838
++#: sssd-ad.5.xml:857
+ msgid "permit"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd-ad.5.xml:843
++#: sssd-ad.5.xml:862
+ msgid "deny"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:849
++#: sssd-ad.5.xml:868
+ msgid "Default: deny"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ad.5.xml:855
++#: sssd-ad.5.xml:874
+ msgid "ad_maximum_machine_account_password_age (integer)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:858
++#: sssd-ad.5.xml:877
+ msgid ""
+ "SSSD will check once a day if the machine account password is older than the "
+ "given age in days and try to renew it. A value of 0 will disable the renewal "
+@@ -11528,17 +11739,17 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:864
++#: sssd-ad.5.xml:883
+ msgid "Default: 30 days"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ad.5.xml:870
++#: sssd-ad.5.xml:889
+ msgid "ad_machine_account_password_renewal_opts (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:873
++#: sssd-ad.5.xml:892
+ msgid ""
+ "This option should only be used to test the machine account renewal task. "
+ "The option expects 2 integers separated by a colon (':'). The first integer "
+@@ -11548,12 +11759,12 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:882
++#: sssd-ad.5.xml:901
+ msgid "Default: 86400:750 (24h and 15m)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:891
++#: sssd-ad.5.xml:910
+ msgid ""
+ "Optional. This option tells SSSD to automatically update the Active "
+ "Directory DNS server with the IP address of this client. The update is "
+@@ -11571,19 +11782,19 @@ msgstr ""
+ "»dyndns_iface« angegeben wurde."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:921
++#: sssd-ad.5.xml:940
+ msgid "Default: 3600 (seconds)"
+ msgstr "Voreinstellung: 3600 (Sekunden)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:937
++#: sssd-ad.5.xml:956
+ msgid ""
+ "Default: Use the IP addresses of the interface which is used for AD LDAP "
+ "connection"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:950
++#: sssd-ad.5.xml:969
+ msgid ""
+ "How often should the back end perform periodic DNS update in addition to the "
+ "automatic update performed when the back end goes online.  This option is "
+@@ -11593,12 +11804,12 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:973 sss_rpcidmapd.5.xml:76
++#: sssd-ad.5.xml:992 sss_rpcidmapd.5.xml:76
+ msgid "Default: True"
+ msgstr "Voreinstellung: True"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd-ad.5.xml:1065
++#: sssd-ad.5.xml:1084
+ msgid ""
+ "The following example assumes that SSSD is correctly configured and example."
+ "com is one of the domains in the <replaceable>[sssd]</replaceable> section. "
+@@ -11610,7 +11821,7 @@ msgstr ""
+ "Optionen von AD."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><programlisting>
+-#: sssd-ad.5.xml:1072
++#: sssd-ad.5.xml:1091
+ #, no-wrap
+ msgid ""
+ "[domain/EXAMPLE]\n"
+@@ -11634,7 +11845,7 @@ msgstr ""
+ "ad_domain = example.com\n"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><programlisting>
+-#: sssd-ad.5.xml:1092
++#: sssd-ad.5.xml:1111
+ #, no-wrap
+ msgid ""
+ "access_provider = ldap\n"
+@@ -11646,7 +11857,7 @@ msgstr ""
+ "ldap_account_expire_policy = ad\n"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd-ad.5.xml:1088
++#: sssd-ad.5.xml:1107
+ msgid ""
+ "The AD access control provider checks if the account is expired.  It has the "
+ "same effect as the following configuration of the LDAP provider: "
+@@ -11657,7 +11868,7 @@ msgstr ""
+ "<placeholder type=\"programlisting\" id=\"0\"/>"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd-ad.5.xml:1098
++#: sssd-ad.5.xml:1117
+ msgid ""
+ "However, unless the <quote>ad</quote> access control provider is explicitly "
+ "configured, the default access provider is <quote>permit</quote>. Please "
+@@ -11667,7 +11878,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd-ad.5.xml:1106
++#: sssd-ad.5.xml:1125
+ msgid ""
+ "When the autofs provider is set to <quote>ad</quote>, the RFC2307 schema "
+ "attribute mapping (nisMap, nisObject, ...) is used, because these attributes "
+@@ -13430,11 +13641,67 @@ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd-krb5.5.xml:505
++#, fuzzy
++#| msgid "krb5_ccachedir (string)"
++msgid "krb5_kdcinfo_lookahead (string)"
++msgstr "krb5_ccachedir (Zeichenkette)"
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
++#: sssd-krb5.5.xml:508
++#, fuzzy
++#| msgid ""
++#| "See the <citerefentry> <refentrytitle>sssd_krb5_locator_plugin</"
++#| "refentrytitle> <manvolnum>8</manvolnum> </citerefentry> manual page for "
++#| "more information on the locator plugin."
++msgid ""
++"When krb5_use_kdcinfo is set to true, you can limit the amount of servers "
++"handed to <citerefentry> <refentrytitle>sssd_krb5_locator_plugin</"
++"refentrytitle> <manvolnum>8</manvolnum> </citerefentry>.  This might be "
++"helpful when there are too many servers discovered using SRV record."
++msgstr ""
++"Weitere Informationen über die Locator-Erweiterung finden Sie auf der "
++"Handbuchseite <citerefentry> <refentrytitle>sssd_krb5_locator_plugin</"
++"refentrytitle> <manvolnum>8</manvolnum> </citerefentry>."
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
++#: sssd-krb5.5.xml:518
++msgid ""
++"The krb5_kdcinfo_lookahead option contains two numbers seperated by a colon. "
++"The first number represents number of primary servers used and the second "
++"number specifies the number of backup servers."
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
++#: sssd-krb5.5.xml:524
++#, fuzzy
++#| msgid ""
++#| "See the <citerefentry> <refentrytitle>sssd_krb5_locator_plugin</"
++#| "refentrytitle> <manvolnum>8</manvolnum> </citerefentry> manual page for "
++#| "more information on the locator plugin."
++msgid ""
++"For example <emphasis>10:0</emphasis> means that up to 10 primary servers "
++"will be handed to <citerefentry> <refentrytitle>sssd_krb5_locator_plugin</"
++"refentrytitle> <manvolnum>8</manvolnum> </citerefentry>.  but no backup "
++"servers."
++msgstr ""
++"Weitere Informationen über die Locator-Erweiterung finden Sie auf der "
++"Handbuchseite <citerefentry> <refentrytitle>sssd_krb5_locator_plugin</"
++"refentrytitle> <manvolnum>8</manvolnum> </citerefentry>."
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
++#: sssd-krb5.5.xml:533
++#, fuzzy
++#| msgid "Default: 3"
++msgid "Default: 3:1"
++msgstr "Voreinstellung: 3"
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
++#: sssd-krb5.5.xml:539
+ msgid "krb5_use_enterprise_principal (boolean)"
+ msgstr "krb5_use_enterprise_principal (Boolesch)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-krb5.5.xml:508
++#: sssd-krb5.5.xml:542
+ msgid ""
+ "Specifies if the user principal should be treated as enterprise principal. "
+ "See section 5 of RFC 6806 for more details about enterprise principals."
+@@ -13444,12 +13711,12 @@ msgstr ""
+ "Abschnitt 5 von RFC 6806."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-krb5.5.xml:514
++#: sssd-krb5.5.xml:548
+ msgid "Default: false (AD provider: true)"
+ msgstr "Voreinstellung: falsch (AD-Anbieter: wahr)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-krb5.5.xml:517
++#: sssd-krb5.5.xml:551
+ msgid ""
+ "The IPA provider will set to option to 'true' if it detects that the server "
+ "is capable of handling enterprise principals and the option is not set "
+@@ -13457,12 +13724,12 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-krb5.5.xml:526
++#: sssd-krb5.5.xml:560
+ msgid "krb5_map_user (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-krb5.5.xml:529
++#: sssd-krb5.5.xml:563
+ msgid ""
+ "The list of mappings is given as a comma-separated list of pairs "
+ "<quote>username:primary</quote> where <quote>username</quote> is a UNIX user "
+@@ -13472,7 +13739,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
+-#: sssd-krb5.5.xml:541
++#: sssd-krb5.5.xml:575
+ #, no-wrap
+ msgid ""
+ "krb5_realm = REALM\n"
+@@ -13480,7 +13747,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-krb5.5.xml:546
++#: sssd-krb5.5.xml:580
+ msgid ""
+ "<quote>joe</quote> and <quote>dick</quote> are UNIX user names and "
+ "<quote>juser</quote> and <quote>richard</quote> are primaries of kerberos "
+@@ -13506,7 +13773,7 @@ msgstr ""
+ "id=\"0\"/>"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd-krb5.5.xml:572
++#: sssd-krb5.5.xml:606
+ msgid ""
+ "The following example assumes that SSSD is correctly configured and FOO is "
+ "one of the domains in the <replaceable>[sssd]</replaceable> section. This "
+@@ -13519,7 +13786,7 @@ msgstr ""
+ "keine Identitätsanbieter."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><programlisting>
+-#: sssd-krb5.5.xml:580
++#: sssd-krb5.5.xml:614
+ #, no-wrap
+ msgid ""
+ "[domain/FOO]\n"
+@@ -17901,3 +18168,9 @@ msgstr ""
+ #: include/ipa_modified_defaults.xml:118
+ msgid "ldap_group_external_member = ipaExternalMember"
+ msgstr ""
++
++#~ msgid ""
++#~ "You can turn off dereference lookups completely by setting the value to 0."
++#~ msgstr ""
++#~ "Sie können dereferenzierendes Nachschlagen komplett ausschalten, indem "
++#~ "Sie den Wert auf 0 setzen."
+diff --git a/src/man/po/es.po b/src/man/po/es.po
+index 693f9ce96..56469b2de 100644
+--- a/src/man/po/es.po
++++ b/src/man/po/es.po
+@@ -17,7 +17,7 @@ msgid ""
+ msgstr ""
+ "Project-Id-Version: sssd-docs 2.0.99\n"
+ "Report-Msgid-Bugs-To: sssd-devel@redhat.com\n"
+-"POT-Creation-Date: 2019-03-20 22:06+0100\n"
++"POT-Creation-Date: 2019-10-07 11:33+0200\n"
+ "PO-Revision-Date: 2019-03-17 04:48+0000\n"
+ "Last-Translator: Emilio Herrera <ehespinosa57@gmail.com>\n"
+ "Language-Team: Spanish (http://www.transifex.com/projects/p/sssd/language/"
+@@ -363,10 +363,10 @@ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:133 sssd.conf.5.xml:543 sssd.conf.5.xml:840
+-#: sssd.conf.5.xml:1566 sssd.conf.5.xml:1596 sssd-ldap.5.xml:1889
+-#: sssd-ldap.5.xml:1986 sssd-ldap.5.xml:2048 sssd-ldap.5.xml:2614
+-#: sssd-ldap.5.xml:2679 sssd-ldap.5.xml:2697 sssd-ad.5.xml:227
+-#: sssd-ad.5.xml:341 sssd-ad.5.xml:907 sssd-krb5.5.xml:499
++#: sssd.conf.5.xml:1566 sssd.conf.5.xml:1596 sssd-ldap.5.xml:1908
++#: sssd-ldap.5.xml:2006 sssd-ldap.5.xml:2068 sssd-ldap.5.xml:2634
++#: sssd-ldap.5.xml:2699 sssd-ldap.5.xml:2717 sssd-ad.5.xml:227
++#: sssd-ad.5.xml:341 sssd-ad.5.xml:926 sssd-krb5.5.xml:499
+ #: sssd-secrets.5.xml:351 sssd-secrets.5.xml:364
+ msgid "Default: true"
+ msgstr "Predeterminado: true"
+@@ -388,16 +388,16 @@ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:146 sssd.conf.5.xml:540 sssd.conf.5.xml:722
+-#: sssd.conf.5.xml:1499 sssd.conf.5.xml:3106 sssd-ldap.5.xml:746
+-#: sssd-ldap.5.xml:1752 sssd-ldap.5.xml:1771 sssd-ldap.5.xml:1958
+-#: sssd-ldap.5.xml:2384 sssd-ipa.5.xml:151 sssd-ipa.5.xml:238
++#: sssd.conf.5.xml:1499 sssd.conf.5.xml:3129 sssd-ldap.5.xml:746
++#: sssd-ldap.5.xml:1759 sssd-ldap.5.xml:1778 sssd-ldap.5.xml:1978
++#: sssd-ldap.5.xml:2404 sssd-ipa.5.xml:151 sssd-ipa.5.xml:238
+ #: sssd-ipa.5.xml:559 sssd-krb5.5.xml:266 sssd-krb5.5.xml:300
+ #: sssd-krb5.5.xml:471
+ msgid "Default: false"
+ msgstr "Predeterminado: false"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para>
+-#: sssd.conf.5.xml:106 sssd.conf.5.xml:157 sssd-ldap.5.xml:2422
++#: sssd.conf.5.xml:106 sssd.conf.5.xml:157 sssd-ldap.5.xml:2442
+ #: sssd-systemtap.5.xml:82 sssd-systemtap.5.xml:143 sssd-systemtap.5.xml:210
+ #: sssd-systemtap.5.xml:248 sssd-systemtap.5.xml:304
+ msgid "<placeholder type=\"variablelist\" id=\"0\"/>"
+@@ -425,8 +425,8 @@ msgstr ""
+ "Advierta que después de tres pulsaciones perdidas el servicio se terminará."
+ 
+ #. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:169 sssd.conf.5.xml:1377 sssd.conf.5.xml:3122
+-#: sssd-ldap.5.xml:1623 include/ldap_id_mapping.xml:264
++#: sssd.conf.5.xml:169 sssd.conf.5.xml:1377 sssd.conf.5.xml:3145
++#: sssd-ldap.5.xml:1630 include/ldap_id_mapping.xml:264
+ msgid "Default: 10"
+ msgstr "Predeterminado: 10"
+ 
+@@ -441,7 +441,7 @@ msgid "The [sssd] section"
+ msgstr "La sección [sssd]"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><title>
+-#: sssd.conf.5.xml:191 sssd.conf.5.xml:3211
++#: sssd.conf.5.xml:191 sssd.conf.5.xml:3234
+ msgid "Section parameters"
+ msgstr "Parámetros de sección"
+ 
+@@ -542,7 +542,7 @@ msgstr ""
+ "bajos."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:259 sssd.conf.5.xml:2672
++#: sssd.conf.5.xml:259 sssd.conf.5.xml:2680
+ msgid "re_expression (string)"
+ msgstr "re_expression (cadena)"
+ 
+@@ -567,12 +567,12 @@ msgstr ""
+ "las SECCIONES DOMINIO para mas información sobre estas expresiones regulares."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:276 sssd.conf.5.xml:2720
++#: sssd.conf.5.xml:276 sssd.conf.5.xml:2728
+ msgid "full_name_format (string)"
+ msgstr "full_name_format (cadena)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:279 sssd.conf.5.xml:2723
++#: sssd.conf.5.xml:279 sssd.conf.5.xml:2731
+ msgid ""
+ "A <citerefentry> <refentrytitle>printf</refentrytitle> <manvolnum>3</"
+ "manvolnum> </citerefentry>-compatible format that describes how to compose a "
+@@ -584,33 +584,33 @@ msgstr ""
+ "dominio."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:290 sssd.conf.5.xml:2734
++#: sssd.conf.5.xml:290 sssd.conf.5.xml:2742
+ msgid "%1$s"
+ msgstr "%1$s"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:291 sssd.conf.5.xml:2735
++#: sssd.conf.5.xml:291 sssd.conf.5.xml:2743
+ msgid "user name"
+ msgstr "nombre de usuario"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:294 sssd.conf.5.xml:2738
++#: sssd.conf.5.xml:294 sssd.conf.5.xml:2746
+ msgid "%2$s"
+ msgstr "%2$s"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:297 sssd.conf.5.xml:2741
++#: sssd.conf.5.xml:297 sssd.conf.5.xml:2749
+ msgid "domain name as specified in the SSSD config file."
+ msgstr ""
+ "nombre de dominio como se especifica en el fichero de configuración SSSD"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:303 sssd.conf.5.xml:2747
++#: sssd.conf.5.xml:303 sssd.conf.5.xml:2755
+ msgid "%3$s"
+ msgstr "%3$s"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:306 sssd.conf.5.xml:2750
++#: sssd.conf.5.xml:306 sssd.conf.5.xml:2758
+ msgid ""
+ "domain flat name. Mostly usable for Active Directory domains, both directly "
+ "configured or discovered via IPA trusts."
+@@ -620,7 +620,7 @@ msgstr ""
+ "medio de IPA de confianza."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:287 sssd.conf.5.xml:2731
++#: sssd.conf.5.xml:287 sssd.conf.5.xml:2739
+ msgid ""
+ "The following expansions are supported: <placeholder type=\"variablelist\" "
+ "id=\"0\"/>"
+@@ -788,9 +788,9 @@ msgstr ""
+ 
+ #. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:418 sssd.conf.5.xml:1166 sssd-ldap.5.xml:717
+-#: sssd-ldap.5.xml:1357 sssd-ldap.5.xml:1711 sssd-ldap.5.xml:1723
+-#: sssd-ldap.5.xml:1805 sssd-ad.5.xml:712 sssd-ad.5.xml:787 sssd.8.xml:126
+-#: sssd-krb5.5.xml:410 sssd-krb5.5.xml:556 sssd-secrets.5.xml:339
++#: sssd-ldap.5.xml:1357 sssd-ldap.5.xml:1718 sssd-ldap.5.xml:1730
++#: sssd-ldap.5.xml:1822 sssd-ad.5.xml:731 sssd-ad.5.xml:806 sssd.8.xml:126
++#: sssd-krb5.5.xml:410 sssd-krb5.5.xml:590 sssd-secrets.5.xml:339
+ #: sssd-secrets.5.xml:377 sssd-secrets.5.xml:390 sssd-secrets.5.xml:404
+ #: sssd-secrets.5.xml:415 include/ldap_id_mapping.xml:205
+ #: include/ldap_id_mapping.xml:216
+@@ -1045,7 +1045,7 @@ msgstr ""
+ "casos donde los nombres de usuarios se deben compartir entre dominios."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:588 sssd.conf.5.xml:1389 sssd.conf.5.xml:3172
++#: sssd.conf.5.xml:588 sssd.conf.5.xml:1389 sssd.conf.5.xml:3195
+ #: sssd-ad.5.xml:164 sssd-ad.5.xml:302 sssd-ad.5.xml:316
+ msgid "Default: Not set"
+ msgstr "Por defecto: No definido"
+@@ -1432,7 +1432,7 @@ msgstr ""
+ 
+ #. type: Content of: <varlistentry><listitem><para>
+ #: sssd.conf.5.xml:859 sssd.conf.5.xml:1299 sssd.conf.5.xml:1318
+-#: sssd-krb5.5.xml:539 include/override_homedir.xml:59
++#: sssd-krb5.5.xml:573 include/override_homedir.xml:59
+ msgid "example: <placeholder type=\"programlisting\" id=\"0\"/>"
+ msgstr "ejemplo: <placeholder type=\"programlisting\" id=\"0\"/>"
+ 
+@@ -1895,7 +1895,7 @@ msgid "pam_pwd_expiration_warning (integer)"
+ msgstr "pam_pwd_expiration_warning (entero)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:1201 sssd.conf.5.xml:2153
++#: sssd.conf.5.xml:1201 sssd.conf.5.xml:2161
+ msgid "Display a warning N days before the password expires."
+ msgstr "Mostrar una advertencia N días antes que la contraseña caduque."
+ 
+@@ -1911,7 +1911,7 @@ msgstr ""
+ "información desaparece, sssd no podrá mostrar un aviso."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:1210 sssd.conf.5.xml:2156
++#: sssd.conf.5.xml:1210 sssd.conf.5.xml:2164
+ msgid ""
+ "If zero is set, then this filter is not applied, i.e. if the expiration "
+ "warning was received from backend server, it will automatically be displayed."
+@@ -1930,7 +1930,7 @@ msgstr ""
+ "<emphasis>pwd_expiration_warning</emphasis> para un dominio concreto."
+ 
+ #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:1220 sssd.conf.5.xml:2976 sssd.8.xml:79
++#: sssd.conf.5.xml:1220 sssd.conf.5.xml:2991 sssd.8.xml:79
+ msgid "Default: 0"
+ msgstr "Predeterminado: 0"
+ 
+@@ -1993,7 +1993,7 @@ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:1280 sssd.conf.5.xml:1305 sssd.conf.5.xml:1324
+-#: sssd.conf.5.xml:1950 sssd.conf.5.xml:2912 sssd-ldap.5.xml:2017
++#: sssd.conf.5.xml:1950 sssd.conf.5.xml:2920 sssd-ldap.5.xml:2037
+ msgid "Default: none"
+ msgstr "Predeterminado: none"
+ 
+@@ -2058,9 +2058,9 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:1338 sssd.conf.5.xml:3056 sssd-ldap.5.xml:1125
+-#: sssd-ldap.5.xml:1152 sssd-ldap.5.xml:1552 sssd-ldap.5.xml:1573
+-#: sssd-ldap.5.xml:2090 include/ldap_id_mapping.xml:244
++#: sssd.conf.5.xml:1338 sssd-ldap.5.xml:1125 sssd-ldap.5.xml:1152
++#: sssd-ldap.5.xml:1552 sssd-ldap.5.xml:1573 sssd-ldap.5.xml:2110
++#: sssd-ad.5.xml:453 include/ldap_id_mapping.xml:244
+ msgid "Default: False"
+ msgstr "Por defecto: False"
+ 
+@@ -2158,48 +2158,48 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:1416 sssd-ad.5.xml:485 sssd-ad.5.xml:581 sssd-ad.5.xml:627
+-#: sssd-ad.5.xml:673 sssd-ad.5.xml:739
++#: sssd.conf.5.xml:1416 sssd-ad.5.xml:504 sssd-ad.5.xml:600 sssd-ad.5.xml:646
++#: sssd-ad.5.xml:692 sssd-ad.5.xml:758
+ msgid "Default: the default set of PAM service names includes:"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd.conf.5.xml:1421 sssd-ad.5.xml:489
++#: sssd.conf.5.xml:1421 sssd-ad.5.xml:508
+ msgid "login"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd.conf.5.xml:1426 sssd-ad.5.xml:494
++#: sssd.conf.5.xml:1426 sssd-ad.5.xml:513
+ msgid "su"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd.conf.5.xml:1431 sssd-ad.5.xml:499
++#: sssd.conf.5.xml:1431 sssd-ad.5.xml:518
+ msgid "su-l"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd.conf.5.xml:1436 sssd-ad.5.xml:514
++#: sssd.conf.5.xml:1436 sssd-ad.5.xml:533
+ msgid "gdm-smartcard"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd.conf.5.xml:1441 sssd-ad.5.xml:509
++#: sssd.conf.5.xml:1441 sssd-ad.5.xml:528
+ msgid "gdm-password"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd.conf.5.xml:1446 sssd-ad.5.xml:519
++#: sssd.conf.5.xml:1446 sssd-ad.5.xml:538
+ msgid "kdm"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd.conf.5.xml:1451 sssd-ad.5.xml:748
++#: sssd.conf.5.xml:1451 sssd-ad.5.xml:767
+ msgid "sudo"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd.conf.5.xml:1456 sssd-ad.5.xml:753
++#: sssd.conf.5.xml:1456 sssd-ad.5.xml:772
+ msgid "sudo-i"
+ msgstr ""
+ 
+@@ -2665,7 +2665,7 @@ msgid "FALSE = No enumerations for this domain"
+ msgstr "FALSE = Sin enumeraciones para este dominio"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:1886 sssd.conf.5.xml:2108 sssd.conf.5.xml:2283
++#: sssd.conf.5.xml:1886 sssd.conf.5.xml:2116 sssd.conf.5.xml:2291
+ msgid "Default: FALSE"
+ msgstr "Predeterminado: FALSE"
+ 
+@@ -2905,45 +2905,53 @@ msgstr ""
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:2083
+ msgid ""
+-"The background refresh will process users, groups and netgroups in the cache."
++"The background refresh will process users, groups and netgroups in the "
++"cache. For users who have performed the initgroups (get group membership for "
++"user, typically ran at login)  operation in the past, both the user entry "
++"and the group membership are updated."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2087
++#: sssd.conf.5.xml:2091
++msgid "This option is automatically inherited for all trusted domains."
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
++#: sssd.conf.5.xml:2095
+ msgid "You can consider setting this value to 3/4 * entry_cache_timeout."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2091 sssd-ldap.5.xml:784 sssd-ipa.5.xml:254
++#: sssd.conf.5.xml:2099 sssd-ldap.5.xml:784 sssd-ipa.5.xml:254
+ msgid "Default: 0 (disabled)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2097
++#: sssd.conf.5.xml:2105
+ msgid "cache_credentials (bool)"
+ msgstr "cache_credentials (bool)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2100
++#: sssd.conf.5.xml:2108
+ msgid "Determines if user credentials are also cached in the local LDB cache"
+ msgstr ""
+ "Determina si las credenciales del usuario están también escondidas en el "
+ "cache LDB local"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2104
++#: sssd.conf.5.xml:2112
+ msgid "User credentials are stored in a SHA512 hash, not in plaintext"
+ msgstr ""
+ "Las credenciales de usuario son almacenadas en un hash SHA512, no en texto "
+ "plano"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2114
++#: sssd.conf.5.xml:2122
+ msgid "cache_credentials_minimal_first_factor_length (int)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2117
++#: sssd.conf.5.xml:2125
+ msgid ""
+ "If 2-Factor-Authentication (2FA) is used and credentials should be saved "
+ "this value determines the minimal length the first authentication factor "
+@@ -2951,24 +2959,24 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2124
++#: sssd.conf.5.xml:2132
+ msgid ""
+ "This should avoid that the short PINs of a PIN based 2FA scheme are saved in "
+ "the cache which would make them easy targets for brute-force attacks."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2129
++#: sssd.conf.5.xml:2137
+ msgid "Default: 8"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2135
++#: sssd.conf.5.xml:2143
+ msgid "account_cache_expiration (integer)"
+ msgstr "account_cache_expiration (entero)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2138
++#: sssd.conf.5.xml:2146
+ msgid ""
+ "Number of days entries are left in cache after last successful login before "
+ "being removed during a cleanup of the cache. 0 means keep forever.  The "
+@@ -2981,17 +2989,17 @@ msgstr ""
+ "grande o igual que offline_credentials_expiration."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2145
++#: sssd.conf.5.xml:2153
+ msgid "Default: 0 (unlimited)"
+ msgstr "Predeterminado: 0 (ilimitado)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2150
++#: sssd.conf.5.xml:2158
+ msgid "pwd_expiration_warning (integer)"
+ msgstr "pwd_expiration_warning (entero)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2161
++#: sssd.conf.5.xml:2169
+ msgid ""
+ "Please note that the backend server has to provide information about the "
+ "expiration time of the password.  If this information is missing, sssd "
+@@ -3004,17 +3012,17 @@ msgstr ""
+ "configurar un proveedor de autorización para el backend."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2168
++#: sssd.conf.5.xml:2176
+ msgid "Default: 7 (Kerberos), 0 (LDAP)"
+ msgstr "Por defecto: 7 (Kerberos), 0 (LDAP)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2174
++#: sssd.conf.5.xml:2182
+ msgid "id_provider (string)"
+ msgstr "id_provider (cadena)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2177
++#: sssd.conf.5.xml:2185
+ msgid ""
+ "The identification provider used for the domain.  Supported ID providers are:"
+ msgstr ""
+@@ -3022,18 +3030,18 @@ msgstr ""
+ "soportados son:"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2181
++#: sssd.conf.5.xml:2189
+ msgid "<quote>proxy</quote>: Support a legacy NSS provider."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2184
++#: sssd.conf.5.xml:2192
+ msgid ""
+ "<quote>local</quote>: SSSD internal provider for local users (DEPRECATED)."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2188
++#: sssd.conf.5.xml:2196
+ msgid ""
+ "<quote>files</quote>: FILES provider. See <citerefentry> <refentrytitle>sssd-"
+ "files</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> for more "
+@@ -3041,7 +3049,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2196
++#: sssd.conf.5.xml:2204
+ msgid ""
+ "<quote>ldap</quote>: LDAP provider. See <citerefentry> <refentrytitle>sssd-"
+ "ldap</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> for more "
+@@ -3052,8 +3060,8 @@ msgstr ""
+ "información sobre la configuración de LDAP."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2204 sssd.conf.5.xml:2309 sssd.conf.5.xml:2364
+-#: sssd.conf.5.xml:2427
++#: sssd.conf.5.xml:2212 sssd.conf.5.xml:2317 sssd.conf.5.xml:2372
++#: sssd.conf.5.xml:2435
+ msgid ""
+ "<quote>ipa</quote>: FreeIPA and Red Hat Enterprise Identity Management "
+ "provider. See <citerefentry> <refentrytitle>sssd-ipa</refentrytitle> "
+@@ -3066,8 +3074,8 @@ msgstr ""
+ "configuración de FreeIPA."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2213 sssd.conf.5.xml:2318 sssd.conf.5.xml:2373
+-#: sssd.conf.5.xml:2436
++#: sssd.conf.5.xml:2221 sssd.conf.5.xml:2326 sssd.conf.5.xml:2381
++#: sssd.conf.5.xml:2444
+ msgid ""
+ "<quote>ad</quote>: Active Directory provider. See <citerefentry> "
+ "<refentrytitle>sssd-ad</refentrytitle> <manvolnum>5</manvolnum> </"
+@@ -3079,12 +3087,12 @@ msgstr ""
+ "Directory."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2224
++#: sssd.conf.5.xml:2232
+ msgid "use_fully_qualified_names (bool)"
+ msgstr "use_fully_qualified_names (bool)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2227
++#: sssd.conf.5.xml:2235
+ msgid ""
+ "Use the full name and domain (as formatted by the domain's full_name_format) "
+ "as the user's login name reported to NSS."
+@@ -3094,7 +3102,7 @@ msgstr ""
+ "NSS."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2232
++#: sssd.conf.5.xml:2240
+ msgid ""
+ "If set to TRUE, all requests to this domain must use fully qualified names. "
+ "For example, if used in LOCAL domain that contains a \"test\" user, "
+@@ -3108,7 +3116,7 @@ msgstr ""
+ "command> lo haría."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2240
++#: sssd.conf.5.xml:2248
+ msgid ""
+ "NOTE: This option has no effect on netgroup lookups due to their tendency to "
+ "include nested netgroups without qualified names. For netgroups, all domains "
+@@ -3116,22 +3124,22 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2247
++#: sssd.conf.5.xml:2255
+ msgid "Default: FALSE (TRUE if default_domain_suffix is used)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2253
++#: sssd.conf.5.xml:2261
+ msgid "ignore_group_members (bool)"
+ msgstr "ignore_group_members (bool)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2256
++#: sssd.conf.5.xml:2264
+ msgid "Do not return group members for group lookups."
+ msgstr "No devuelve miembros de grupo para búsquedas de grupo."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2259
++#: sssd.conf.5.xml:2267
+ msgid ""
+ "If set to TRUE, the group membership attribute is not requested from the "
+ "ldap server, and group members are not returned when processing group lookup "
+@@ -3143,7 +3151,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2277
++#: sssd.conf.5.xml:2285
+ msgid ""
+ "Enabling this option can also make access provider checks for group "
+ "membership significantly faster, especially for groups containing many "
+@@ -3151,12 +3159,12 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2288
++#: sssd.conf.5.xml:2296
+ msgid "auth_provider (string)"
+ msgstr "auth_provider (cadena)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2291
++#: sssd.conf.5.xml:2299
+ msgid ""
+ "The authentication provider used for the domain.  Supported auth providers "
+ "are:"
+@@ -3165,7 +3173,7 @@ msgstr ""
+ "autenticación soportados son:"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2295 sssd.conf.5.xml:2357
++#: sssd.conf.5.xml:2303 sssd.conf.5.xml:2365
+ msgid ""
+ "<quote>ldap</quote> for native LDAP authentication. See <citerefentry> "
+ "<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
+@@ -3176,7 +3184,7 @@ msgstr ""
+ "citerefentry> para más información sobre la configuración LDAP."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2302
++#: sssd.conf.5.xml:2310
+ msgid ""
+ "<quote>krb5</quote> for Kerberos authentication. See <citerefentry> "
+ "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </"
+@@ -3187,7 +3195,7 @@ msgstr ""
+ "citerefentry> para más información sobre la configuración de Kerberos."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2326
++#: sssd.conf.5.xml:2334
+ msgid ""
+ "<quote>proxy</quote> for relaying authentication to some other PAM target."
+ msgstr ""
+@@ -3195,17 +3203,17 @@ msgstr ""
+ "objetivo PAM."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2329
++#: sssd.conf.5.xml:2337
+ msgid "<quote>local</quote>: SSSD internal provider for local users"
+ msgstr "<quote>local</quote>: Proveedor interno SSSD para usuarios locales"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2333
++#: sssd.conf.5.xml:2341
+ msgid "<quote>none</quote> disables authentication explicitly."
+ msgstr "<quote>none</quote> deshabilita la autenticación explícitamente."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2336
++#: sssd.conf.5.xml:2344
+ msgid ""
+ "Default: <quote>id_provider</quote> is used if it is set and can handle "
+ "authentication requests."
+@@ -3214,12 +3222,12 @@ msgstr ""
+ "manejar las peticiones de autenticación."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2342
++#: sssd.conf.5.xml:2350
+ msgid "access_provider (string)"
+ msgstr "access_provider (cadena)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2345
++#: sssd.conf.5.xml:2353
+ msgid ""
+ "The access control provider used for the domain.  There are two built-in "
+ "access providers (in addition to any included in installed backends)  "
+@@ -3230,7 +3238,7 @@ msgstr ""
+ "proveedores especiales internos son:"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2351
++#: sssd.conf.5.xml:2359
+ msgid ""
+ "<quote>permit</quote> always allow access. It's the only permitted access "
+ "provider for a local domain."
+@@ -3239,12 +3247,12 @@ msgstr ""
+ "sólo permitido para un dominio local."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2354
++#: sssd.conf.5.xml:2362
+ msgid "<quote>deny</quote> always deny access."
+ msgstr "<quote>deny</quote> siempre niega el acceso."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2381
++#: sssd.conf.5.xml:2389
+ msgid ""
+ "<quote>simple</quote> access control based on access or deny lists. See "
+ "<citerefentry> <refentrytitle>sssd-simple</refentrytitle> <manvolnum>5</"
+@@ -3257,7 +3265,7 @@ msgstr ""
+ "configuración del módulo de acceso sencillo."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2388
++#: sssd.conf.5.xml:2396
+ msgid ""
+ "<quote>krb5</quote>: .k5login based access control.  See <citerefentry> "
+ "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum></"
+@@ -3265,22 +3273,22 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2395
++#: sssd.conf.5.xml:2403
+ msgid "<quote>proxy</quote> for relaying access control to another PAM module."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2398
++#: sssd.conf.5.xml:2406
+ msgid "Default: <quote>permit</quote>"
+ msgstr "Predeterminado: <quote>permit</quote>"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2403
++#: sssd.conf.5.xml:2411
+ msgid "chpass_provider (string)"
+ msgstr "chpass_provider (cadena)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2406
++#: sssd.conf.5.xml:2414
+ msgid ""
+ "The provider which should handle change password operations for the domain.  "
+ "Supported change password providers are:"
+@@ -3289,7 +3297,7 @@ msgstr ""
+ "el dominio. Los proveedores de cambio de passweord soportados son:"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2411
++#: sssd.conf.5.xml:2419
+ msgid ""
+ "<quote>ldap</quote> to change a password stored in a LDAP server. See "
+ "<citerefentry> <refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</"
+@@ -3297,7 +3305,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2419
++#: sssd.conf.5.xml:2427
+ msgid ""
+ "<quote>krb5</quote> to change the Kerberos password. See <citerefentry> "
+ "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </"
+@@ -3308,7 +3316,7 @@ msgstr ""
+ "citerefentry> para más información sobre configurar Kerberos."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2444
++#: sssd.conf.5.xml:2452
+ msgid ""
+ "<quote>proxy</quote> for relaying password changes to some other PAM target."
+ msgstr ""
+@@ -3316,13 +3324,13 @@ msgstr ""
+ "otros objetivos PAM."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2448
++#: sssd.conf.5.xml:2456
+ msgid "<quote>none</quote> disallows password changes explicitly."
+ msgstr ""
+ "<quote>none</quote> deniega explícitamente los cambios en la contraseña."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2451
++#: sssd.conf.5.xml:2459
+ msgid ""
+ "Default: <quote>auth_provider</quote> is used if it is set and can handle "
+ "change password requests."
+@@ -3331,18 +3339,18 @@ msgstr ""
+ "puede manejar las peticiones de cambio de password."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2458
++#: sssd.conf.5.xml:2466
+ msgid "sudo_provider (string)"
+ msgstr "sudo_provider (cadena)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2461
++#: sssd.conf.5.xml:2469
+ msgid "The SUDO provider used for the domain.  Supported SUDO providers are:"
+ msgstr ""
+ "El proveedor SUDO usado por el dominio. Los proveedores SUDO soportados son:"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2465
++#: sssd.conf.5.xml:2473
+ msgid ""
+ "<quote>ldap</quote> for rules stored in LDAP. See <citerefentry> "
+ "<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
+@@ -3353,33 +3361,33 @@ msgstr ""
+ "citerefentry> para más información sobre la configuración LDAP."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2473
++#: sssd.conf.5.xml:2481
+ msgid ""
+ "<quote>ipa</quote> the same as <quote>ldap</quote> but with IPA default "
+ "settings."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2477
++#: sssd.conf.5.xml:2485
+ msgid ""
+ "<quote>ad</quote> the same as <quote>ldap</quote> but with AD default "
+ "settings."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2481
++#: sssd.conf.5.xml:2489
+ msgid "<quote>none</quote> disables SUDO explicitly."
+ msgstr "<quote>none</quote>deshabilita SUDO explícitamente."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2484 sssd.conf.5.xml:2570 sssd.conf.5.xml:2640
+-#: sssd.conf.5.xml:2665
++#: sssd.conf.5.xml:2492 sssd.conf.5.xml:2578 sssd.conf.5.xml:2648
++#: sssd.conf.5.xml:2673
+ msgid "Default: The value of <quote>id_provider</quote> is used if it is set."
+ msgstr ""
+ "Por defecto: el valor de <quote>id_provider</quote> se usa si está fijado."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2488
++#: sssd.conf.5.xml:2496
+ msgid ""
+ "The detailed instructions for configuration of sudo_provider are in the "
+ "manual page <citerefentry> <refentrytitle>sssd-sudo</refentrytitle> "
+@@ -3390,7 +3398,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2503
++#: sssd.conf.5.xml:2511
+ msgid ""
+ "<emphasis>NOTE:</emphasis> Sudo rules are periodically downloaded in the "
+ "background unless the sudo provider is explicitly disabled. Set "
+@@ -3399,12 +3407,12 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2513
++#: sssd.conf.5.xml:2521
+ msgid "selinux_provider (string)"
+ msgstr "selinux_provider (cadena)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2516
++#: sssd.conf.5.xml:2524
+ msgid ""
+ "The provider which should handle loading of selinux settings. Note that this "
+ "provider will be called right after access provider ends.  Supported selinux "
+@@ -3415,7 +3423,7 @@ msgstr ""
+ "finalice. Los proveedores selinux soportados son:"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2522
++#: sssd.conf.5.xml:2530
+ msgid ""
+ "<quote>ipa</quote> to load selinux settings from an IPA server. See "
+ "<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</"
+@@ -3427,14 +3435,14 @@ msgstr ""
+ "IPA."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2530
++#: sssd.conf.5.xml:2538
+ msgid "<quote>none</quote> disallows fetching selinux settings explicitly."
+ msgstr ""
+ "<quote>none</quote> deshabilita ir a buscar los ajustes selinux "
+ "explícitamente."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2533
++#: sssd.conf.5.xml:2541
+ msgid ""
+ "Default: <quote>id_provider</quote> is used if it is set and can handle "
+ "selinux loading requests."
+@@ -3443,12 +3451,12 @@ msgstr ""
+ "manejar las peticiones de carga selinux."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2539
++#: sssd.conf.5.xml:2547
+ msgid "subdomains_provider (string)"
+ msgstr "subdomains_provider (cadena)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2542
++#: sssd.conf.5.xml:2550
+ msgid ""
+ "The provider which should handle fetching of subdomains. This value should "
+ "be always the same as id_provider.  Supported subdomain providers are:"
+@@ -3458,7 +3466,7 @@ msgstr ""
+ "soportados son:"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2548
++#: sssd.conf.5.xml:2556
+ msgid ""
+ "<quote>ipa</quote> to load a list of subdomains from an IPA server. See "
+ "<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</"
+@@ -3470,7 +3478,7 @@ msgstr ""
+ "configuración de IPA."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2557
++#: sssd.conf.5.xml:2565
+ msgid ""
+ "<quote>ad</quote> to load a list of subdomains from an Active Directory "
+ "server. See <citerefentry> <refentrytitle>sssd-ad</refentrytitle> "
+@@ -3479,18 +3487,18 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2566
++#: sssd.conf.5.xml:2574
+ msgid "<quote>none</quote> disallows fetching subdomains explicitly."
+ msgstr ""
+ "<quote>none</quote> deshabilita el buscador de subdominios explícitamente."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2576
++#: sssd.conf.5.xml:2584
+ msgid "session_provider (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2579
++#: sssd.conf.5.xml:2587
+ msgid ""
+ "The provider which configures and manages user session related tasks. The "
+ "only user session task currently provided is the integration with Fleet "
+@@ -3498,37 +3506,37 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2586
++#: sssd.conf.5.xml:2594
+ msgid "<quote>ipa</quote> to allow performing user session related tasks."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2590
++#: sssd.conf.5.xml:2598
+ msgid ""
+ "<quote>none</quote> does not perform any kind of user session related tasks."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2594
++#: sssd.conf.5.xml:2602
+ msgid ""
+ "Default: <quote>id_provider</quote> is used if it is set and can perform "
+ "session related tasks."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2598
++#: sssd.conf.5.xml:2606
+ msgid ""
+ "<emphasis>NOTE:</emphasis> In order to have this feature working as expected "
+ "SSSD must be running as \"root\" and not as the unprivileged user."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2606
++#: sssd.conf.5.xml:2614
+ msgid "autofs_provider (string)"
+ msgstr "autofs_provider (cadena)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2609
++#: sssd.conf.5.xml:2617
+ msgid ""
+ "The autofs provider used for the domain.  Supported autofs providers are:"
+ msgstr ""
+@@ -3536,7 +3544,7 @@ msgstr ""
+ "son:"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2613
++#: sssd.conf.5.xml:2621
+ msgid ""
+ "<quote>ldap</quote> to load maps stored in LDAP. See <citerefentry> "
+ "<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
+@@ -3548,7 +3556,7 @@ msgstr ""
+ "LDAP."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2620
++#: sssd.conf.5.xml:2628
+ msgid ""
+ "<quote>ipa</quote> to load maps stored in an IPA server. See <citerefentry> "
+ "<refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</manvolnum> </"
+@@ -3560,7 +3568,7 @@ msgstr ""
+ "IPA."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2628
++#: sssd.conf.5.xml:2636
+ msgid ""
+ "<quote>ad</quote> to load maps stored in an AD server. See <citerefentry> "
+ "<refentrytitle>sssd-ad</refentrytitle> <manvolnum>5</manvolnum> </"
+@@ -3568,17 +3576,17 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2637
++#: sssd.conf.5.xml:2645
+ msgid "<quote>none</quote> disables autofs explicitly."
+ msgstr "<quote>none</quote> deshabilita autofs explícitamente."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2647
++#: sssd.conf.5.xml:2655
+ msgid "hostid_provider (string)"
+ msgstr "hostid_provider (cadena)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2650
++#: sssd.conf.5.xml:2658
+ msgid ""
+ "The provider used for retrieving host identity information.  Supported "
+ "hostid providers are:"
+@@ -3587,7 +3595,7 @@ msgstr ""
+ "proveedores de hostid soportados son:"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2654
++#: sssd.conf.5.xml:2662
+ msgid ""
+ "<quote>ipa</quote> to load host identity stored in an IPA server. See "
+ "<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</"
+@@ -3599,12 +3607,12 @@ msgstr ""
+ "configuración de IPA."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2662
++#: sssd.conf.5.xml:2670
+ msgid "<quote>none</quote> disables hostid explicitly."
+ msgstr "<quote>none</quote> deshabilita hostid explícitamente."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2675
++#: sssd.conf.5.xml:2683
+ msgid ""
+ "Regular expression for this domain that describes how to parse the string "
+ "containing user name and domain into these components.  The \"domain\" can "
+@@ -3614,7 +3622,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2684
++#: sssd.conf.5.xml:2692
+ msgid ""
+ "Default for the AD and IPA provider: <quote>(((?P&lt;domain&gt;[^\\\\]+)\\"
+ "\\(?P&lt;name&gt;.+$))|((?P&lt;name&gt;[^@]+)@(?P&lt;domain&gt;.+$))|(^(?"
+@@ -3627,22 +3635,22 @@ msgstr ""
+ "nombres de usuario:"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd.conf.5.xml:2689
++#: sssd.conf.5.xml:2697
+ msgid "username"
+ msgstr "nombre de usuario"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd.conf.5.xml:2692
++#: sssd.conf.5.xml:2700
+ msgid "username@domain.name"
+ msgstr "username@domain.name"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd.conf.5.xml:2695
++#: sssd.conf.5.xml:2703
+ msgid "domain\\username"
+ msgstr "dominio/nombre_de_usuario"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2698
++#: sssd.conf.5.xml:2706
+ msgid ""
+ "While the first two correspond to the general default the third one is "
+ "introduced to allow easy integration of users from Windows domains."
+@@ -3652,7 +3660,7 @@ msgstr ""
+ "dominios Windows."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2703
++#: sssd.conf.5.xml:2711
+ msgid ""
+ "Default: <quote>(?P&lt;name&gt;[^@]+)@?(?P&lt;domain&gt;[^@]*$)</quote> "
+ "which translates to \"the name is everything up to the <quote>@</quote> "
+@@ -3663,7 +3671,7 @@ msgstr ""
+ "el nombre, el dominio es el resto detrás de este signo\""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2709
++#: sssd.conf.5.xml:2717
+ msgid ""
+ "NOTE: Some Active Directory groups, typically those used for MS Exchange "
+ "contain an <quote>@</quote> sign in the name, which clashes with the default "
+@@ -3673,17 +3681,17 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2760
++#: sssd.conf.5.xml:2768
+ msgid "Default: <quote>%1$s@%2$s</quote>."
+ msgstr "Predeterminado: <quote>%1$s@%2$s</quote>."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2766
++#: sssd.conf.5.xml:2774
+ msgid "lookup_family_order (string)"
+ msgstr "lookup_family_order (cadena)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2769
++#: sssd.conf.5.xml:2777
+ msgid ""
+ "Provides the ability to select preferred address family to use when "
+ "performing DNS lookups."
+@@ -3692,42 +3700,42 @@ msgstr ""
+ "a usar cuando se lleven a cabo búsquedas DNS."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2773
++#: sssd.conf.5.xml:2781
+ msgid "Supported values:"
+ msgstr "Valores soportados:"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2776
++#: sssd.conf.5.xml:2784
+ msgid "ipv4_first: Try looking up IPv4 address, if that fails, try IPv6"
+ msgstr "ipv4_first: Intenta buscar dirección IPv4, si falla, intenta IPv6"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2779
++#: sssd.conf.5.xml:2787
+ msgid "ipv4_only: Only attempt to resolve hostnames to IPv4 addresses."
+ msgstr "ipv4_only: Sólo intenta resolver nombres de host a direccones IPv4."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2782
++#: sssd.conf.5.xml:2790
+ msgid "ipv6_first: Try looking up IPv6 address, if that fails, try IPv4"
+ msgstr "ipv6_first: Intenta buscar dirección IPv6, si falla, intenta IPv4"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2785
++#: sssd.conf.5.xml:2793
+ msgid "ipv6_only: Only attempt to resolve hostnames to IPv6 addresses."
+ msgstr "ipv6_only: Sólo intenta resolver nombres de host a direccones IPv6."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2788
++#: sssd.conf.5.xml:2796
+ msgid "Default: ipv4_first"
+ msgstr "Predeterminado: ipv4_first"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2794
++#: sssd.conf.5.xml:2802
+ msgid "dns_resolver_timeout (integer)"
+ msgstr "dns_resolver_timeout (entero)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2797
++#: sssd.conf.5.xml:2805
+ msgid ""
+ "Defines the amount of time (in seconds) to wait for a reply from the "
+ "internal fail over service before assuming that the service is unreachable. "
+@@ -3736,25 +3744,25 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2804
++#: sssd.conf.5.xml:2812
+ msgid ""
+ "Please see the section <quote>FAILOVER</quote> for more information about "
+ "the service resolution."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2809 sssd-ldap.5.xml:1434 sssd-ldap.5.xml:1476
++#: sssd.conf.5.xml:2817 sssd-ldap.5.xml:1434 sssd-ldap.5.xml:1476
+ #: sssd-ldap.5.xml:1494 sssd-krb5.5.xml:248
+ msgid "Default: 6"
+ msgstr "Predeterminado: 6"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2815
++#: sssd.conf.5.xml:2823
+ msgid "dns_discovery_domain (string)"
+ msgstr "dns_discovery_domain (cadena)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2818
++#: sssd.conf.5.xml:2826
+ msgid ""
+ "If service discovery is used in the back end, specifies the domain part of "
+ "the service discovery DNS query."
+@@ -3763,53 +3771,53 @@ msgstr ""
+ "de dominio de la pregunta al descubridor de servicio DNS."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2822
++#: sssd.conf.5.xml:2830
+ msgid "Default: Use the domain part of machine's hostname"
+ msgstr ""
+ "Predeterminado: Utilizar la parte del dominio del nombre de host del equipo"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2828
++#: sssd.conf.5.xml:2836
+ msgid "override_gid (integer)"
+ msgstr "override_gid (entero)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2831
++#: sssd.conf.5.xml:2839
+ msgid "Override the primary GID value with the one specified."
+ msgstr "Anula el valor primario GID con el especificado."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2837
++#: sssd.conf.5.xml:2845
+ msgid "case_sensitive (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2845
++#: sssd.conf.5.xml:2853
+ msgid "True"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2848
++#: sssd.conf.5.xml:2856
+ msgid "Case sensitive. This value is invalid for AD provider."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2854
++#: sssd.conf.5.xml:2862
+ msgid "False"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2856
++#: sssd.conf.5.xml:2864
+ msgid "Case insensitive."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2860
++#: sssd.conf.5.xml:2868
+ msgid "Preserving"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2863
++#: sssd.conf.5.xml:2871
+ msgid ""
+ "Same as False (case insensitive), but does not lowercase names in the result "
+ "of NSS operations. Note that name aliases (and in case of services also "
+@@ -3817,7 +3825,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2840
++#: sssd.conf.5.xml:2848
+ #, fuzzy
+ #| msgid ""
+ #| "With this parameter the certificate verification can be tuned with a "
+@@ -3833,17 +3841,17 @@ msgstr ""
+ "<placeholder type=\"variablelist\" id=\"0\"/>"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2875
++#: sssd.conf.5.xml:2883
+ msgid "Default: True (False for AD provider)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2881
++#: sssd.conf.5.xml:2889
+ msgid "subdomain_inherit (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2884
++#: sssd.conf.5.xml:2892
+ msgid ""
+ "Specifies a list of configuration parameters that should be inherited by a "
+ "subdomain. Please note that only selected parameters can be inherited.  "
+@@ -3851,34 +3859,34 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2890
++#: sssd.conf.5.xml:2898
+ msgid "ignore_group_members"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2893
++#: sssd.conf.5.xml:2901
+ msgid "ldap_purge_cache_timeout"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2896 sssd-ldap.5.xml:1158
++#: sssd.conf.5.xml:2904 sssd-ldap.5.xml:1158
+ msgid "ldap_use_tokengroups"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2899
++#: sssd.conf.5.xml:2907
+ msgid "ldap_user_principal"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2902
++#: sssd.conf.5.xml:2910
+ msgid ""
+ "ldap_krb5_keytab (the value of krb5_keytab will be used if ldap_krb5_keytab "
+ "is not set explicitly)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
+-#: sssd.conf.5.xml:2908
++#: sssd.conf.5.xml:2916
+ #, no-wrap
+ msgid ""
+ "subdomain_inherit = ldap_purge_cache_timeout\n"
+@@ -3886,32 +3894,32 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2906 sssd-secrets.5.xml:448
++#: sssd.conf.5.xml:2914 sssd-secrets.5.xml:448
+ msgid "Example: <placeholder type=\"programlisting\" id=\"0\"/>"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2915
++#: sssd.conf.5.xml:2923
+ msgid "Note: This option only works with the IPA and AD provider."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2922
++#: sssd.conf.5.xml:2930
+ msgid "subdomain_homedir (string)"
+ msgstr "subdomain_homedir (cadena)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2933
++#: sssd.conf.5.xml:2941
+ msgid "%F"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2934
++#: sssd.conf.5.xml:2942
+ msgid "flat (NetBIOS) name of a subdomain."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2925
++#: sssd.conf.5.xml:2933
+ msgid ""
+ "Use this homedir as default value for all subdomains within this domain in "
+ "IPA AD trust.  See <emphasis>override_homedir</emphasis> for info about "
+@@ -3921,7 +3929,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2939
++#: sssd.conf.5.xml:2947
+ msgid ""
+ "The value can be overridden by <emphasis>override_homedir</emphasis> option."
+ msgstr ""
+@@ -3929,41 +3937,49 @@ msgstr ""
+ "emphasis>."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2943
++#: sssd.conf.5.xml:2951
+ msgid "Default: <filename>/home/%d/%u</filename>"
+ msgstr "Por defecto: <filename>/home/%d/%u</filename>"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2948
++#: sssd.conf.5.xml:2956
+ msgid "realmd_tags (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2951
++#: sssd.conf.5.xml:2959
+ msgid ""
+ "Various tags stored by the realmd configuration service for this domain."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2957
++#: sssd.conf.5.xml:2965
+ msgid "cached_auth_timeout (int)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2960
++#: sssd.conf.5.xml:2968
+ msgid ""
+ "Specifies time in seconds since last successful online authentication for "
+ "which user will be authenticated using cached credentials while SSSD is in "
+-"the online mode."
++"the online mode. If the credentials are incorrect, SSSD falls back to online "
++"authentication."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2966
++#: sssd.conf.5.xml:2976
++msgid ""
++"This option's value is inherited by all trusted domains. At the moment it is "
++"not possible to set a different value per trusted domain."
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
++#: sssd.conf.5.xml:2981
+ msgid "Special value 0 implies that this feature is disabled."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2970
++#: sssd.conf.5.xml:2985
+ msgid ""
+ "Please note that if <quote>cached_auth_timeout</quote> is longer than "
+ "<quote>pam_id_timeout</quote> then the back end could be called to handle "
+@@ -3971,41 +3987,50 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2981
++#: sssd.conf.5.xml:2996
+ msgid "auto_private_groups (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2987
++#: sssd.conf.5.xml:3002
+ msgid "true"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2990
++#: sssd.conf.5.xml:3005
+ msgid ""
+ "Create user's private group unconditionally from user's UID number.  The GID "
+ "number is ignored in this case."
+ msgstr ""
+ 
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
++#: sssd.conf.5.xml:3009
++msgid ""
++"NOTE: Because the GID number and the user private group are inferred from "
++"the UID number, it is not supported to have multiple entries with the same "
++"UID or GID number with this option. In other words, enabling this option "
++"enforces uniqueness across the ID space."
++msgstr ""
++
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2996
++#: sssd.conf.5.xml:3018
+ msgid "false"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2999
++#: sssd.conf.5.xml:3021
+ msgid ""
+ "Always use the user's primary GID number. The GID number must refer to a "
+ "group object in the LDAP database."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:3005
++#: sssd.conf.5.xml:3027
+ msgid "hybrid"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3008
++#: sssd.conf.5.xml:3030
+ msgid ""
+ "A primary group is autogenerated for user entries whose UID and GID numbers "
+ "have the same value and at the same time the GID number does not correspond "
+@@ -4015,14 +4040,14 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3021
++#: sssd.conf.5.xml:3043
+ msgid ""
+ "If the UID and GID of a user are different, then the GID must correspond to "
+ "a group entry, otherwise the GID is simply not resolvable."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3028
++#: sssd.conf.5.xml:3050
+ msgid ""
+ "This feature is useful for environments that wish to stop maintaining a "
+ "separate group objects for the user private groups, but also wish to retain "
+@@ -4030,7 +4055,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2984
++#: sssd.conf.5.xml:2999
+ #, fuzzy
+ #| msgid ""
+ #| "Options valid for proxy domains.  <placeholder type=\"variablelist\" id="
+@@ -4043,27 +4068,36 @@ msgstr ""
+ "\"0\"/>"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3040
++#: sssd.conf.5.xml:3062
+ msgid ""
+-"For POSIX subdomains, setting the option in the main domain is inherited in "
+-"the subdomain."
++"For subdomains, the default value is False for subdomains that use assigned "
++"POSIX IDs and True for subdomains that use automatic ID-mapping."
+ msgstr ""
+ 
+-#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3044
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
++#: sssd.conf.5.xml:3070
++#, no-wrap
++msgid ""
++"[domain/forest.domain/sub.domain]\n"
++"auto_private_groups = false\n"
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
++#: sssd.conf.5.xml:3076
++#, no-wrap
+ msgid ""
+-"For ID-mapping subdomains, auto_private_groups is already enabled for the "
+-"subdomains and setting it to false will not have any effect for the "
+-"subdomain."
++"[domain/forest.domain]\n"
++"subdomain_inherit = auto_private_groups\n"
++"auto_private_groups = false\n"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3049
++#: sssd.conf.5.xml:3067
+ msgid ""
+-"NOTE: Because the GID number and the user private group are inferred from "
+-"the UID number, it is not supported to have multiple entries with the same "
+-"UID or GID number with this option. In other words, enabling this option "
+-"enforces uniqueness across the ID space."
++"The value of auto_private_groups can either be set per subdomains in a "
++"subsection, for example: <placeholder type=\"programlisting\" id=\"0\"/> or "
++"globally for all subdomains in the main domain section using the "
++"subdomain_inherit option: <placeholder type=\"programlisting\" id=\"1\"/>"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+@@ -4079,17 +4113,17 @@ msgstr ""
+ "id=\"0\"/>"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:3068
++#: sssd.conf.5.xml:3091
+ msgid "proxy_pam_target (string)"
+ msgstr "proxy_pam_target (cadena)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3071
++#: sssd.conf.5.xml:3094
+ msgid "The proxy target PAM proxies to."
+ msgstr "El proxy de destino PAM próximo a."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3074
++#: sssd.conf.5.xml:3097
+ msgid ""
+ "Default: not set by default, you have to take an existing pam configuration "
+ "or create a new one and add the service name here."
+@@ -4098,12 +4132,12 @@ msgstr ""
+ "pam existente o crear una nueva y añadir el nombre de servicio aquí."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:3082
++#: sssd.conf.5.xml:3105
+ msgid "proxy_lib_name (string)"
+ msgstr "proxy_lib_name (cadena)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3085
++#: sssd.conf.5.xml:3108
+ msgid ""
+ "The name of the NSS library to use in proxy domains. The NSS functions "
+ "searched for in the library are in the form of _nss_$(libName)_$(function), "
+@@ -4114,12 +4148,12 @@ msgstr ""
+ "$(function), por ejemplo _nss_files_getpwent."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:3095
++#: sssd.conf.5.xml:3118
+ msgid "proxy_fast_alias (boolean)"
+ msgstr "proxy_fast_alias (booleano)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3098
++#: sssd.conf.5.xml:3121
+ msgid ""
+ "When a user or group is looked up by name in the proxy provider, a second "
+ "lookup by ID is performed to \"canonicalize\" the name in case the requested "
+@@ -4133,12 +4167,12 @@ msgstr ""
+ "razones de rendimiento."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:3112
++#: sssd.conf.5.xml:3135
+ msgid "proxy_max_children (integer)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3115
++#: sssd.conf.5.xml:3138
+ msgid ""
+ "This option specifies the number of pre-forked proxy children. It is useful "
+ "for high-load SSSD environments where sssd may run out of available child "
+@@ -4146,7 +4180,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd.conf.5.xml:3064
++#: sssd.conf.5.xml:3087
+ msgid ""
+ "Options valid for proxy domains.  <placeholder type=\"variablelist\" id="
+ "\"0\"/>"
+@@ -4155,12 +4189,12 @@ msgstr ""
+ "\"0\"/>"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><title>
+-#: sssd.conf.5.xml:3131
++#: sssd.conf.5.xml:3154
+ msgid "Application domains"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para>
+-#: sssd.conf.5.xml:3133
++#: sssd.conf.5.xml:3156
+ msgid ""
+ "SSSD, with its D-Bus interface (see <citerefentry> <refentrytitle>sssd-ifp</"
+ "refentrytitle> <manvolnum>5</manvolnum> </citerefentry>) is appealing to "
+@@ -4177,7 +4211,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para>
+-#: sssd.conf.5.xml:3153
++#: sssd.conf.5.xml:3176
+ msgid ""
+ "Please note that the application domain must still be explicitly enabled in "
+ "the <quote>domains</quote> parameter so that the lookup order between the "
+@@ -4185,17 +4219,17 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><title>
+-#: sssd.conf.5.xml:3159
++#: sssd.conf.5.xml:3182
+ msgid "Application domain parameters"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:3161
++#: sssd.conf.5.xml:3184
+ msgid "inherit_from (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3164
++#: sssd.conf.5.xml:3187
+ msgid ""
+ "The SSSD POSIX-type domain the application domain inherits all settings "
+ "from. The application domain can moreover add its own settings to the "
+@@ -4204,7 +4238,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para>
+-#: sssd.conf.5.xml:3178
++#: sssd.conf.5.xml:3201
+ msgid ""
+ "The following example illustrates the use of an application domain. In this "
+ "setup, the POSIX domain is connected to an LDAP server and is used by the OS "
+@@ -4214,7 +4248,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><programlisting>
+-#: sssd.conf.5.xml:3186
++#: sssd.conf.5.xml:3209
+ #, no-wrap
+ msgid ""
+ "[sssd]\n"
+@@ -4234,12 +4268,12 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><title>
+-#: sssd.conf.5.xml:3204
++#: sssd.conf.5.xml:3227
+ msgid "The local domain section"
+ msgstr "La sección de dominio local"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para>
+-#: sssd.conf.5.xml:3206
++#: sssd.conf.5.xml:3229
+ msgid ""
+ "This section contains settings for domain that stores users and groups in "
+ "SSSD native database, that is, a domain that uses "
+@@ -4250,29 +4284,29 @@ msgstr ""
+ "utiliza <replaceable>id_provider=local</replaceable>."
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:3213
++#: sssd.conf.5.xml:3236
+ msgid "default_shell (string)"
+ msgstr "default_shell (cadena)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3216
++#: sssd.conf.5.xml:3239
+ msgid "The default shell for users created with SSSD userspace tools."
+ msgstr ""
+ "El shell predeterminado para los usuarios creados con herramientas de "
+ "espacio de usuario SSSD."
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3220
++#: sssd.conf.5.xml:3243
+ msgid "Default: <filename>/bin/bash</filename>"
+ msgstr "Predeterminado: <filename>/bin/bash</filename>"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:3225
++#: sssd.conf.5.xml:3248
+ msgid "base_directory (string)"
+ msgstr "base_directory (cadena)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3228
++#: sssd.conf.5.xml:3251
+ msgid ""
+ "The tools append the login name to <replaceable>base_directory</replaceable> "
+ "and use that as the home directory."
+@@ -4282,17 +4316,17 @@ msgstr ""
+ "de inicio."
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3233
++#: sssd.conf.5.xml:3256
+ msgid "Default: <filename>/home</filename>"
+ msgstr "Predeterminado: <filename>/home</filename>"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:3238
++#: sssd.conf.5.xml:3261
+ msgid "create_homedir (bool)"
+ msgstr "create_homedir (bool)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3241
++#: sssd.conf.5.xml:3264
+ msgid ""
+ "Indicate if a home directory should be created by default for new users.  "
+ "Can be overridden on command line."
+@@ -4301,17 +4335,17 @@ msgstr ""
+ "Puede ser anulado desde la línea de comando."
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3245 sssd.conf.5.xml:3257
++#: sssd.conf.5.xml:3268 sssd.conf.5.xml:3280
+ msgid "Default: TRUE"
+ msgstr "Predeterminado: TRUE"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:3250
++#: sssd.conf.5.xml:3273
+ msgid "remove_homedir (bool)"
+ msgstr "remove_homedir (bool)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3253
++#: sssd.conf.5.xml:3276
+ msgid ""
+ "Indicate if a home directory should be removed by default for deleted "
+ "users.  Can be overridden on command line."
+@@ -4320,12 +4354,12 @@ msgstr ""
+ "borrados. Puede ser anulado desde la línea de comando."
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:3262
++#: sssd.conf.5.xml:3285
+ msgid "homedir_umask (integer)"
+ msgstr "homedir_umask (entero)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3265
++#: sssd.conf.5.xml:3288
+ msgid ""
+ "Used by <citerefentry> <refentrytitle>sss_useradd</refentrytitle> "
+ "<manvolnum>8</manvolnum> </citerefentry> to specify the default permissions "
+@@ -4336,17 +4370,17 @@ msgstr ""
+ "predeterminados en un directorio de inicio recién creado."
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3273
++#: sssd.conf.5.xml:3296
+ msgid "Default: 077"
+ msgstr "Predeterminado: 077"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:3278
++#: sssd.conf.5.xml:3301
+ msgid "skel_dir (string)"
+ msgstr "skel_dir (cadena)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3281
++#: sssd.conf.5.xml:3304
+ msgid ""
+ "The skeleton directory, which contains files and directories to be copied in "
+ "the user's home directory, when the home directory is created by "
+@@ -4359,17 +4393,17 @@ msgstr ""
+ "<manvolnum>8</manvolnum></citerefentry>"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3291
++#: sssd.conf.5.xml:3314
+ msgid "Default: <filename>/etc/skel</filename>"
+ msgstr "Predeterminado: <filename>/etc/skel</filename>"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:3296
++#: sssd.conf.5.xml:3319
+ msgid "mail_dir (string)"
+ msgstr "mail_dir (cadena)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3299
++#: sssd.conf.5.xml:3322
+ msgid ""
+ "The mail spool directory. This is needed to manipulate the mailbox when its "
+ "corresponding user account is modified or deleted.  If not specified, a "
+@@ -4380,17 +4414,17 @@ msgstr ""
+ "Si no se especifica, se utiliza un valor por defecto."
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3306
++#: sssd.conf.5.xml:3329
+ msgid "Default: <filename>/var/mail</filename>"
+ msgstr "Predeterminado: <filename>/var/mail</filename>"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:3311
++#: sssd.conf.5.xml:3334
+ msgid "userdel_cmd (string)"
+ msgstr "userdel_cmd (cadena)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3314
++#: sssd.conf.5.xml:3337
+ msgid ""
+ "The command that is run after a user is removed.  The command us passed the "
+ "username of the user being removed as the first and only parameter. The "
+@@ -4401,17 +4435,17 @@ msgstr ""
+ "único parámetro. El código de retorno del comando no es tenido en cuenta."
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3320
++#: sssd.conf.5.xml:3343
+ msgid "Default: None, no command is run"
+ msgstr "Predeterminado: None, no se ejecuta comando"
+ 
+ #. type: Content of: <reference><refentry><refsect1><title>
+-#: sssd.conf.5.xml:3330
++#: sssd.conf.5.xml:3353
+ msgid "TRUSTED DOMAIN SECTION"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd.conf.5.xml:3332
++#: sssd.conf.5.xml:3355
+ msgid ""
+ "Some options used in the domain section can also be used in the trusted "
+ "domain section, that is, in a section called <quote>[domain/"
+@@ -4422,64 +4456,194 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd.conf.5.xml:3339
++#: sssd.conf.5.xml:3362
+ msgid "ldap_search_base,"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd.conf.5.xml:3340
++#: sssd.conf.5.xml:3363
+ msgid "ldap_user_search_base,"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd.conf.5.xml:3341
++#: sssd.conf.5.xml:3364
+ msgid "ldap_group_search_base,"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd.conf.5.xml:3342
++#: sssd.conf.5.xml:3365
+ msgid "ldap_netgroup_search_base,"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd.conf.5.xml:3343
++#: sssd.conf.5.xml:3366
+ msgid "ldap_service_search_base,"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd.conf.5.xml:3344
++#: sssd.conf.5.xml:3367
++#, fuzzy
++#| msgid "ldap_sasl_mech (string)"
++msgid "ldap_sasl_mech,"
++msgstr "ldap_sasl_mech (cadena)"
++
++#. type: Content of: <reference><refentry><refsect1><para>
++#: sssd.conf.5.xml:3368
+ msgid "ad_server,"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd.conf.5.xml:3345
++#: sssd.conf.5.xml:3369
+ msgid "ad_backup_server,"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd.conf.5.xml:3346
++#: sssd.conf.5.xml:3370
+ msgid "ad_site,"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para>
+-#: sssd.conf.5.xml:3347 sssd-ipa.5.xml:782
++#: sssd.conf.5.xml:3371 sssd-ipa.5.xml:782
+ msgid "use_fully_qualified_names"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd.conf.5.xml:3349
++#: sssd.conf.5.xml:3373
+ msgid ""
+ "For more details about these options see their individual description in the "
+ "manual page."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><title>
+-#: sssd.conf.5.xml:3355 idmap_sss.8.xml:43
++#: sssd.conf.5.xml:3379
++#, fuzzy
++#| msgid "CONFIGURATION OPTIONS"
++msgid "PROMPTING CONFIGURATION SECTION"
++msgstr "OPCIONES DE CONFIGURACIÓN"
++
++#. type: Content of: <reference><refentry><refsect1><para>
++#: sssd.conf.5.xml:3381
++msgid ""
++"If a special file (<filename>/var/lib/sss/pubconf/pam_preauth_available</"
++"filename>)  exists SSSD's PAM module pam_sss will ask SSSD to figure out "
++"which authentication methods are available for the user trying to log in.  "
++"Based on the results pam_sss will prompt the user for appropriate "
++"credentials."
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para>
++#: sssd.conf.5.xml:3389
++msgid ""
++"With the growing number of authentication methods and the possibility that "
++"there are multiple ones for a single user the heuristic used by pam_sss to "
++"select the prompting might not be suitable for all use cases. To following "
++"options should provide a better flexibility here."
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
++#: sssd.conf.5.xml:3401
++msgid "[prompting/password]"
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
++#: sssd.conf.5.xml:3404
++#, fuzzy
++#| msgid "password"
++msgid "password_prompt"
++msgstr "contraseña"
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
++#: sssd.conf.5.xml:3405
++msgid "to change the string of the password prompt"
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
++#: sssd.conf.5.xml:3403
++#, fuzzy
++#| msgid ""
++#| "Options valid for proxy domains.  <placeholder type=\"variablelist\" id="
++#| "\"0\"/>"
++msgid ""
++"to configure password prompting, allowed options are: <placeholder type="
++"\"variablelist\" id=\"0\"/>"
++msgstr ""
++"Opciones válidas para dominios proxy.  <placeholder type=\"variablelist\" id="
++"\"0\"/>"
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
++#: sssd.conf.5.xml:3413
++msgid "[prompting/2fa]"
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
++#: sssd.conf.5.xml:3417
++msgid "first_prompt"
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
++#: sssd.conf.5.xml:3418
++msgid "to change the string of the prompt for the first factor"
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
++#: sssd.conf.5.xml:3421
++msgid "second_prompt"
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
++#: sssd.conf.5.xml:3422
++msgid "to change the string of the prompt for the second factor"
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
++#: sssd.conf.5.xml:3425
++msgid "single_prompt"
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
++#: sssd.conf.5.xml:3426
++msgid ""
++"boolean value, if True there will be only a single prompt using the value of "
++"first_prompt where it is expected that both factor are entered as a single "
++"string"
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
++#: sssd.conf.5.xml:3415
++#, fuzzy
++#| msgid ""
++#| "Options valid for proxy domains.  <placeholder type=\"variablelist\" id="
++#| "\"0\"/>"
++msgid ""
++"to configure two-factor authentication prompting, allowed options are: "
++"<placeholder type=\"variablelist\" id=\"0\"/>"
++msgstr ""
++"Opciones válidas para dominios proxy.  <placeholder type=\"variablelist\" id="
++"\"0\"/>"
++
++#. type: Content of: <reference><refentry><refsect1><para>
++#: sssd.conf.5.xml:3396
++msgid ""
++"Each supported authentication method has it's own configuration sub-section "
++"under <quote>[prompting/...]</quote>. Currently there are: <placeholder type="
++"\"variablelist\" id=\"0\"/> <placeholder type=\"variablelist\" id=\"1\"/>"
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para>
++#: sssd.conf.5.xml:3438
++msgid ""
++"It is possible to add a sub-section for specific PAM services like e.g. "
++"<quote>[prompting/password/sshd]</quote> to individual change the prompting "
++"for this service."
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><title>
++#: sssd.conf.5.xml:3445 idmap_sss.8.xml:43
+ msgid "EXAMPLES"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><programlisting>
+-#: sssd.conf.5.xml:3361
++#: sssd.conf.5.xml:3451
+ #, no-wrap
+ msgid ""
+ "[sssd]\n"
+@@ -4533,7 +4697,7 @@ msgstr ""
+ "enumerate = False\n"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd.conf.5.xml:3357
++#: sssd.conf.5.xml:3447
+ msgid ""
+ "1. The following example shows a typical SSSD config. It does not describe "
+ "configuration of the domains themselves - refer to documentation on "
+@@ -4542,7 +4706,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><programlisting>
+-#: sssd.conf.5.xml:3394
++#: sssd.conf.5.xml:3484
+ #, no-wrap
+ msgid ""
+ "[domain/ipa.com/child.ad.com]\n"
+@@ -4550,7 +4714,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd.conf.5.xml:3388
++#: sssd.conf.5.xml:3478
+ msgid ""
+ "2. The following example shows configuration of IPA AD trust where the AD "
+ "forest consists of two domains in a parent-child structure.  Suppose IPA "
+@@ -5578,7 +5742,7 @@ msgstr "El atributo LDAP que corresponde al nombre completo del usuario."
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:797 sssd-ldap.5.xml:1199 sssd-ldap.5.xml:1273
+-#: sssd-ldap.5.xml:1382 sssd-ldap.5.xml:2443 sssd-ipa.5.xml:607
++#: sssd-ldap.5.xml:1382 sssd-ldap.5.xml:2463 sssd-ipa.5.xml:607
+ msgid "Default: cn"
+ msgstr "Predeterminado: cn"
+ 
+@@ -6326,7 +6490,7 @@ msgstr ""
+ "temprano (este valor contra el tiempo de vida TGT)."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1511 sssd-ldap.5.xml:2600
++#: sssd-ldap.5.xml:1511 sssd-ldap.5.xml:2620
+ msgid "Default: 900 (15 minutes)"
+ msgstr "Predeterminado: 900 (15 minutos)"
+ 
+@@ -6448,13 +6612,16 @@ msgstr ""
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:1604
+ msgid ""
+-"You can turn off dereference lookups completely by setting the value to 0."
++"You can turn off dereference lookups completely by setting the value to 0. "
++"Please note that there are some codepaths in SSSD, like the IPA HBAC "
++"provider, that are only implemented using the dereference call, so even with "
++"dereference explicitly disabled, those parts will still use dereference if "
++"the server supports it and advertises the dereference control in the rootDSE "
++"object."
+ msgstr ""
+-"Usted puede quitar las búsquedas dereference completamente fijando el valor "
+-"a 0."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1608
++#: sssd-ldap.5.xml:1615
+ msgid ""
+ "A dereference lookup is a means of fetching all group members in a single "
+ "LDAP call.  Different LDAP servers may implement different dereference "
+@@ -6467,7 +6634,7 @@ msgstr ""
+ "soportados son 389/RHDS, OpenLDAP y Active Directory."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1616
++#: sssd-ldap.5.xml:1623
+ msgid ""
+ "<emphasis>Note:</emphasis> If any of the search bases specifies a search "
+ "filter, then the dereference lookup performance enhancement will be disabled "
+@@ -6478,12 +6645,12 @@ msgstr ""
+ "será deshabilitado sin tener en cuenta este ajuste."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1629
++#: sssd-ldap.5.xml:1636
+ msgid "ldap_tls_reqcert (string)"
+ msgstr "ldap_tls_reqcert (cadena)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1632
++#: sssd-ldap.5.xml:1639
+ msgid ""
+ "Specifies what checks to perform on server certificates in a TLS session, if "
+ "any. It can be specified as one of the following values:"
+@@ -6493,7 +6660,7 @@ msgstr ""
+ "los siguientes valores:"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1638
++#: sssd-ldap.5.xml:1645
+ msgid ""
+ "<emphasis>never</emphasis> = The client will not request or check any server "
+ "certificate."
+@@ -6502,7 +6669,7 @@ msgstr ""
+ "certificado de servidor."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1642
++#: sssd-ldap.5.xml:1649
+ msgid ""
+ "<emphasis>allow</emphasis> = The server certificate is requested. If no "
+ "certificate is provided, the session proceeds normally. If a bad certificate "
+@@ -6513,7 +6680,7 @@ msgstr ""
+ "certificado malo, será ignorado y la sesión continua normalmente."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1649
++#: sssd-ldap.5.xml:1656
+ msgid ""
+ "<emphasis>try</emphasis> = The server certificate is requested. If no "
+ "certificate is provided, the session proceeds normally. If a bad certificate "
+@@ -6524,7 +6691,7 @@ msgstr ""
+ "certificado malo, la sesión se termina inmediatamente."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1655
++#: sssd-ldap.5.xml:1662
+ msgid ""
+ "<emphasis>demand</emphasis> = The server certificate is requested. If no "
+ "certificate is provided, or a bad certificate is provided, the session is "
+@@ -6535,22 +6702,22 @@ msgstr ""
+ "termina inmediatamente."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1661
++#: sssd-ldap.5.xml:1668
+ msgid "<emphasis>hard</emphasis> = Same as <quote>demand</quote>"
+ msgstr "<emphasis>hard</emphasis> = Igual que <quote>demand</quote>"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1665
++#: sssd-ldap.5.xml:1672
+ msgid "Default: hard"
+ msgstr "Predeterminado: hard"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1671
++#: sssd-ldap.5.xml:1678
+ msgid "ldap_tls_cacert (string)"
+ msgstr "ldap_tls_cacert (cadena)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1674
++#: sssd-ldap.5.xml:1681
+ msgid ""
+ "Specifies the file that contains certificates for all of the Certificate "
+ "Authorities that <command>sssd</command> will recognize."
+@@ -6559,7 +6726,7 @@ msgstr ""
+ "de Certificación que <command>sssd</command> reconocerá."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1679 sssd-ldap.5.xml:1697 sssd-ldap.5.xml:1738
++#: sssd-ldap.5.xml:1686 sssd-ldap.5.xml:1704 sssd-ldap.5.xml:1745
+ msgid ""
+ "Default: use OpenLDAP defaults, typically in <filename>/etc/openldap/ldap."
+ "conf</filename>"
+@@ -6568,12 +6735,12 @@ msgstr ""
+ "etc/openldap/ldap.conf</filename>"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1686
++#: sssd-ldap.5.xml:1693
+ msgid "ldap_tls_cacertdir (string)"
+ msgstr "ldap_tls_cacertdir (cadena)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1689
++#: sssd-ldap.5.xml:1696
+ msgid ""
+ "Specifies the path of a directory that contains Certificate Authority "
+ "certificates in separate individual files. Typically the file names need to "
+@@ -6587,33 +6754,33 @@ msgstr ""
+ "para crear los nombres correctos."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1704
++#: sssd-ldap.5.xml:1711
+ msgid "ldap_tls_cert (string)"
+ msgstr "ldap_tls_cert (cadena)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1707
++#: sssd-ldap.5.xml:1714
+ msgid "Specifies the file that contains the certificate for the client's key."
+ msgstr ""
+ "Especifica el fichero que contiene el certificado para la clave del cliente."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1717
++#: sssd-ldap.5.xml:1724
+ msgid "ldap_tls_key (string)"
+ msgstr "ldap_tls_key (cadena)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1720
++#: sssd-ldap.5.xml:1727
+ msgid "Specifies the file that contains the client's key."
+ msgstr "Especifica el archivo que contiene la clave del cliente."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1729
++#: sssd-ldap.5.xml:1736
+ msgid "ldap_tls_cipher_suite (string)"
+ msgstr "ldap_tls_cipher_suite (cadena)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1732
++#: sssd-ldap.5.xml:1739
+ msgid ""
+ "Specifies acceptable cipher suites.  Typically this is a colon separated "
+ "list.  See <citerefentry><refentrytitle>ldap.conf</refentrytitle> "
+@@ -6621,12 +6788,12 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1745
++#: sssd-ldap.5.xml:1752
+ msgid "ldap_id_use_start_tls (boolean)"
+ msgstr "ldap_id_use_start_tls (booleano)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1748
++#: sssd-ldap.5.xml:1755
+ msgid ""
+ "Specifies that the id_provider connection must also use <systemitem class="
+ "\"protocol\">tls</systemitem> to protect the channel."
+@@ -6635,12 +6802,12 @@ msgstr ""
+ "<systemitem class=\"protocol\">tls</systemitem> para proteger el canal."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1758
++#: sssd-ldap.5.xml:1765
+ msgid "ldap_id_mapping (boolean)"
+ msgstr "ldap_id_mapping (booleano)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1761
++#: sssd-ldap.5.xml:1768
+ msgid ""
+ "Specifies that SSSD should attempt to map user and group IDs from the "
+ "ldap_user_objectsid and ldap_group_objectsid attributes instead of relying "
+@@ -6651,18 +6818,18 @@ msgstr ""
+ "ldap_user_uid_number y ldap_group_gid_number."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1767
++#: sssd-ldap.5.xml:1774
+ msgid "Currently this feature supports only ActiveDirectory objectSID mapping."
+ msgstr ""
+ "Actualmente está función soporta sólo mapeos de objectSID de ActiveDirectory."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1777
++#: sssd-ldap.5.xml:1784
+ msgid "ldap_min_id, ldap_max_id (integer)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1780
++#: sssd-ldap.5.xml:1787
+ msgid ""
+ "In contrast to the SID based ID mapping which is used if ldap_id_mapping is "
+ "set to true the allowed ID range for ldap_user_uid_number and "
+@@ -6673,31 +6840,46 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1792
++#: sssd-ldap.5.xml:1799
+ msgid "Default: not set (both options are set to 0)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1798
++#: sssd-ldap.5.xml:1805
+ msgid "ldap_sasl_mech (string)"
+ msgstr "ldap_sasl_mech (cadena)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1801
++#: sssd-ldap.5.xml:1808
++#, fuzzy
++#| msgid ""
++#| "Specify the SASL mechanism to use.  Currently only GSSAPI is tested and "
++#| "supported."
+ msgid ""
+-"Specify the SASL mechanism to use.  Currently only GSSAPI is tested and "
+-"supported."
++"Specify the SASL mechanism to use.  Currently only GSSAPI and GSS-SPNEGO are "
++"tested and supported."
+ msgstr ""
+ "Especifica el mecanismo SASL a emplear.  Actualmente sólo GSSAPI está "
+ "probado y soportado."
+ 
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
++#: sssd-ldap.5.xml:1812
++msgid ""
++"If the backend supports sub-domains the value of ldap_sasl_mech is "
++"automatically inherited to the sub-domains. If a different value is needed "
++"for a sub-domain it can be overwritten by setting ldap_sasl_mech for this "
++"sub-domain explicitly.  Please see TRUSTED DOMAIN SECTION in "
++"<citerefentry><refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</"
++"manvolnum></citerefentry> for details."
++msgstr ""
++
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1811
++#: sssd-ldap.5.xml:1828
+ msgid "ldap_sasl_authid (string)"
+ msgstr "ldap_sasl_authid (cadena)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
+-#: sssd-ldap.5.xml:1822
++#: sssd-ldap.5.xml:1840
+ #, no-wrap
+ msgid ""
+ "hostname@REALM\n"
+@@ -6710,29 +6892,29 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1814
++#: sssd-ldap.5.xml:1831
+ msgid ""
+-"Specify the SASL authorization id to use.  When GSSAPI is used, this "
+-"represents the Kerberos principal used for authentication to the directory.  "
+-"This option can either contain the full principal (for example host/"
+-"myhost@EXAMPLE.COM) or just the principal name (for example host/myhost). By "
+-"default, the value is not set and the following principals are used: "
+-"<placeholder type=\"programlisting\" id=\"0\"/> If none of them are found, "
+-"the first principal in keytab is returned."
++"Specify the SASL authorization id to use.  When GSSAPI/GSS-SPNEGO are used, "
++"this represents the Kerberos principal used for authentication to the "
++"directory.  This option can either contain the full principal (for example "
++"host/myhost@EXAMPLE.COM) or just the principal name (for example host/"
++"myhost).  By default, the value is not set and the following principals are "
++"used: <placeholder type=\"programlisting\" id=\"0\"/> If none of them are "
++"found, the first principal in keytab is returned."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1833
++#: sssd-ldap.5.xml:1851
+ msgid "Default: host/hostname@REALM"
+ msgstr "Por defecto: host/nombre_de_host@REALM"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1839
++#: sssd-ldap.5.xml:1857
+ msgid "ldap_sasl_realm (string)"
+ msgstr "ldap_sasl_realm (string)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1842
++#: sssd-ldap.5.xml:1860
+ msgid ""
+ "Specify the SASL realm to use. When not specified, this option defaults to "
+ "the value of krb5_realm.  If the ldap_sasl_authid contains the realm as "
+@@ -6743,17 +6925,17 @@ msgstr ""
+ "reino también, esta opción se ignora."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1848
++#: sssd-ldap.5.xml:1866
+ msgid "Default: the value of krb5_realm."
+ msgstr "Por defecto: el valor de krb5_realm."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1854
++#: sssd-ldap.5.xml:1872
+ msgid "ldap_sasl_canonicalize (boolean)"
+ msgstr "ldap_sasl_canonicalize (boolean)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1857
++#: sssd-ldap.5.xml:1875
+ msgid ""
+ "If set to true, the LDAP library would perform a reverse lookup to "
+ "canonicalize the host name during a SASL bind."
+@@ -6762,65 +6944,75 @@ msgstr ""
+ "para para canocalizar el nombre de host durante una unión SASL."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1862
++#: sssd-ldap.5.xml:1880
+ msgid "Default: false;"
+ msgstr "Predeterminado: false;"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1868
++#: sssd-ldap.5.xml:1886
+ msgid "ldap_krb5_keytab (string)"
+ msgstr "ldap_krb5_keytab (cadena)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1871
+-msgid "Specify the keytab to use when using SASL/GSSAPI."
++#: sssd-ldap.5.xml:1889
++#, fuzzy
++#| msgid "Specify the keytab to use when using SASL/GSSAPI."
++msgid "Specify the keytab to use when using SASL/GSSAPI/GSS-SPNEGO."
+ msgstr "Especifica la keytab a usar cuando se utilice SASL/GSSAPI."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1874
++#: sssd-ldap.5.xml:1893
+ msgid "Default: System keytab, normally <filename>/etc/krb5.keytab</filename>"
+ msgstr ""
+ "Por defecto: Keytab del sistema, normalmente <filename>/etc/krb5.keytab</"
+ "filename>"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1880
++#: sssd-ldap.5.xml:1899
+ msgid "ldap_krb5_init_creds (boolean)"
+ msgstr "ldap_krb5_init_creds (booleano)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1883
++#: sssd-ldap.5.xml:1902
++#, fuzzy
++#| msgid ""
++#| "Specifies that the id_provider should init Kerberos credentials (TGT).  "
++#| "This action is performed only if SASL is used and the mechanism selected "
++#| "is GSSAPI."
+ msgid ""
+ "Specifies that the id_provider should init Kerberos credentials (TGT).  This "
+ "action is performed only if SASL is used and the mechanism selected is "
+-"GSSAPI."
++"GSSAPI or GSS-SPNEGO."
+ msgstr ""
+ "Especifica la id de proveedor que iniciaría las credenciales Kerberos (TGT). "
+ "Esta acción se lleva a cabo sólo si SASL se usa y el mecanismo seleccionado "
+ "es GSSAPI."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1895
++#: sssd-ldap.5.xml:1914
+ msgid "ldap_krb5_ticket_lifetime (integer)"
+ msgstr "ldap_krb5_ticket_lifetime (entero)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1898
+-msgid "Specifies the lifetime in seconds of the TGT if GSSAPI is used."
++#: sssd-ldap.5.xml:1917
++#, fuzzy
++#| msgid "Specifies the lifetime in seconds of the TGT if GSSAPI is used."
++msgid ""
++"Specifies the lifetime in seconds of the TGT if GSSAPI or GSS-SPNEGO is used."
+ msgstr "Especifica el tiempo de vida en segundos del TGT si se usa GSSAPI."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1902 sssd-ad.5.xml:959
++#: sssd-ldap.5.xml:1921 sssd-ad.5.xml:978
+ msgid "Default: 86400 (24 hours)"
+ msgstr "Predeterminado: 86400 (24 horas)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1908 sssd-krb5.5.xml:74
++#: sssd-ldap.5.xml:1927 sssd-krb5.5.xml:74
+ msgid "krb5_server, krb5_backup_server (string)"
+ msgstr "krb5_server, krb5_backup_server (cadena)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1911
++#: sssd-ldap.5.xml:1930
+ msgid ""
+ "Specifies the comma-separated list of IP addresses or hostnames of the "
+ "Kerberos servers to which SSSD should connect in the order of preference. "
+@@ -6839,7 +7031,7 @@ msgstr ""
+ "información, vea la sección <quote>SERVICE DISCOVERY</quote>."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1923 sssd-krb5.5.xml:89
++#: sssd-ldap.5.xml:1942 sssd-krb5.5.xml:89
+ msgid ""
+ "When using service discovery for KDC or kpasswd servers, SSSD first searches "
+ "for DNS entries that specify _udp as the protocol and falls back to _tcp if "
+@@ -6850,7 +7042,7 @@ msgstr ""
+ "regresa a _tcp si no se encuentra nada."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1928 sssd-krb5.5.xml:94
++#: sssd-ldap.5.xml:1947 sssd-krb5.5.xml:94
+ msgid ""
+ "This option was named <quote>krb5_kdcip</quote> in earlier releases of SSSD. "
+ "While the legacy name is recognized for the time being, users are advised to "
+@@ -6862,29 +7054,31 @@ msgstr ""
+ "configuración para usar <quote>krb5_server</quote> en su lugar."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1937 sssd-ipa.5.xml:428 sssd-krb5.5.xml:103
++#: sssd-ldap.5.xml:1956 sssd-ipa.5.xml:428 sssd-krb5.5.xml:103
+ msgid "krb5_realm (string)"
+ msgstr "krb5_realm (cadena)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1940
+-msgid "Specify the Kerberos REALM (for SASL/GSSAPI auth)."
++#: sssd-ldap.5.xml:1959
++#, fuzzy
++#| msgid "Specify the Kerberos REALM (for SASL/GSSAPI auth)."
++msgid "Specify the Kerberos REALM (for SASL/GSSAPI/GSS-SPNEGO auth)."
+ msgstr "Especifica el REALM Kerberos (para autorización SASL/GSSAPI)."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1943
++#: sssd-ldap.5.xml:1963
+ msgid "Default: System defaults, see <filename>/etc/krb5.conf</filename>"
+ msgstr ""
+ "Predeterminado: Predeterminados del sistema, vea <filename>/etc/krb5.conf</"
+ "filename>"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1949 sssd-krb5.5.xml:462
++#: sssd-ldap.5.xml:1969 sssd-krb5.5.xml:462
+ msgid "krb5_canonicalize (boolean)"
+ msgstr "krb5_canonicalize (boolean)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1952
++#: sssd-ldap.5.xml:1972
+ msgid ""
+ "Specifies if the host principal should be canonicalized when connecting to "
+ "LDAP server. This feature is available with MIT Kerberos >= 1.7"
+@@ -6893,12 +7087,12 @@ msgstr ""
+ "servidor LDAP. Esta función está disponible con MIT Kerberos >= 1.7"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1964 sssd-krb5.5.xml:477
++#: sssd-ldap.5.xml:1984 sssd-krb5.5.xml:477
+ msgid "krb5_use_kdcinfo (boolean)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1967 sssd-krb5.5.xml:480
++#: sssd-ldap.5.xml:1987 sssd-krb5.5.xml:480
+ msgid ""
+ "Specifies if the SSSD should instruct the Kerberos libraries what realm and "
+ "which KDCs to use. This option is on by default, if you disable it, you need "
+@@ -6908,7 +7102,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1978 sssd-krb5.5.xml:491
++#: sssd-ldap.5.xml:1998 sssd-krb5.5.xml:491
+ msgid ""
+ "See the <citerefentry> <refentrytitle>sssd_krb5_locator_plugin</"
+ "refentrytitle> <manvolnum>8</manvolnum> </citerefentry> manual page for more "
+@@ -6916,12 +7110,12 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1992
++#: sssd-ldap.5.xml:2012
+ msgid "ldap_pwd_policy (string)"
+ msgstr "ldap_pwd_policy (cadena)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1995
++#: sssd-ldap.5.xml:2015
+ msgid ""
+ "Select the policy to evaluate the password expiration on the client side. "
+ "The following values are allowed:"
+@@ -6930,7 +7124,7 @@ msgstr ""
+ "del cliente. Los siguientes valores son permitidos:"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2000
++#: sssd-ldap.5.xml:2020
+ msgid ""
+ "<emphasis>none</emphasis> - No evaluation on the client side. This option "
+ "cannot disable server-side password policies."
+@@ -6939,7 +7133,7 @@ msgstr ""
+ "no puede deshabilitar las políticas de password en el lado servidor."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2005
++#: sssd-ldap.5.xml:2025
+ msgid ""
+ "<emphasis>shadow</emphasis> - Use <citerefentry><refentrytitle>shadow</"
+ "refentrytitle> <manvolnum>5</manvolnum></citerefentry> style attributes to "
+@@ -6950,7 +7144,7 @@ msgstr ""
+ "manvolnum></citerefentry> para evaluar si la contraseña ha expirado."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2011
++#: sssd-ldap.5.xml:2031
+ msgid ""
+ "<emphasis>mit_kerberos</emphasis> - Use the attributes used by MIT Kerberos "
+ "to determine if the password has expired. Use chpass_provider=krb5 to update "
+@@ -6962,26 +7156,26 @@ msgstr ""
+ "password."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2020
++#: sssd-ldap.5.xml:2040
+ msgid ""
+ "<emphasis>Note</emphasis>: if a password policy is configured on server "
+ "side, it always takes precedence over policy set with this option."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2028
++#: sssd-ldap.5.xml:2048
+ msgid "ldap_referrals (boolean)"
+ msgstr "ldap_referrals (boolean)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2031
++#: sssd-ldap.5.xml:2051
+ msgid "Specifies whether automatic referral chasing should be enabled."
+ msgstr ""
+ "Especifica si el seguimiento de referencias automático debería ser "
+ "habilitado."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2035
++#: sssd-ldap.5.xml:2055
+ msgid ""
+ "Please note that sssd only supports referral chasing when it is compiled "
+ "with OpenLDAP version 2.4.13 or higher."
+@@ -6990,7 +7184,7 @@ msgstr ""
+ "está compilado con OpenLDAP versión 2.4.13 o más alta."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2040
++#: sssd-ldap.5.xml:2060
+ msgid ""
+ "Chasing referrals may incur a performance penalty in environments that use "
+ "them heavily, a notable example is Microsoft Active Directory. If your setup "
+@@ -7003,29 +7197,29 @@ msgstr ""
+ "esta opción a false le llevará a una notable mejora de rendimiento."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2054
++#: sssd-ldap.5.xml:2074
+ msgid "ldap_dns_service_name (string)"
+ msgstr "ldap_dns_service_name (cadena)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2057
++#: sssd-ldap.5.xml:2077
+ msgid "Specifies the service name to use when service discovery is enabled."
+ msgstr ""
+ "Especifica el nombre del servicio para utilizar cuando está habilitado el "
+ "servicio de descubrimiento."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2061
++#: sssd-ldap.5.xml:2081
+ msgid "Default: ldap"
+ msgstr "Predeterminado: ldap"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2067
++#: sssd-ldap.5.xml:2087
+ msgid "ldap_chpass_dns_service_name (string)"
+ msgstr "ldap_chpass_dns_service_name (cadena)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2070
++#: sssd-ldap.5.xml:2090
+ msgid ""
+ "Specifies the service name to use to find an LDAP server which allows "
+ "password changes when service discovery is enabled."
+@@ -7035,17 +7229,17 @@ msgstr ""
+ "descubrimiento."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2075
++#: sssd-ldap.5.xml:2095
+ msgid "Default: not set, i.e. service discovery is disabled"
+ msgstr "Por defecto: no fijado, esto es servicio descubridor deshabilitado."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2081
++#: sssd-ldap.5.xml:2101
+ msgid "ldap_chpass_update_last_change (bool)"
+ msgstr "ldap_chpass_update_last_change (booleano)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2084
++#: sssd-ldap.5.xml:2104
+ msgid ""
+ "Specifies whether to update the ldap_user_shadow_last_change attribute with "
+ "days since the Epoch after a password change operation."
+@@ -7054,12 +7248,12 @@ msgstr ""
+ "desde el Epoch después de una operación de cambio de contraseña."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2096
++#: sssd-ldap.5.xml:2116
+ msgid "ldap_access_filter (string)"
+ msgstr "ldap_access_filter (cadena)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2099
++#: sssd-ldap.5.xml:2119
+ msgid ""
+ "If using access_provider = ldap and ldap_access_order = filter (default), "
+ "this option is mandatory. It specifies an LDAP search filter criteria that "
+@@ -7075,12 +7269,12 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2119
++#: sssd-ldap.5.xml:2139
+ msgid "Example:"
+ msgstr "Ejemplo:"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><programlisting>
+-#: sssd-ldap.5.xml:2122
++#: sssd-ldap.5.xml:2142
+ #, no-wrap
+ msgid ""
+ "access_provider = ldap\n"
+@@ -7089,14 +7283,14 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2126
++#: sssd-ldap.5.xml:2146
+ msgid ""
+ "This example means that access to this host is restricted to users whose "
+ "employeeType attribute is set to \"admin\"."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2131
++#: sssd-ldap.5.xml:2151
+ msgid ""
+ "Offline caching for this feature is limited to determining whether the "
+ "user's last online login was granted access permission. If they were granted "
+@@ -7105,17 +7299,17 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2139 sssd-ldap.5.xml:2196
++#: sssd-ldap.5.xml:2159 sssd-ldap.5.xml:2216
+ msgid "Default: Empty"
+ msgstr "Predeterminado: vacío"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2145
++#: sssd-ldap.5.xml:2165
+ msgid "ldap_account_expire_policy (string)"
+ msgstr "ldap_account_expire_policy (cadena)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2148
++#: sssd-ldap.5.xml:2168
+ msgid ""
+ "With this option a client side evaluation of access control attributes can "
+ "be enabled."
+@@ -7124,7 +7318,7 @@ msgstr ""
+ "control de acceso del lado cliente."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2152
++#: sssd-ldap.5.xml:2172
+ msgid ""
+ "Please note that it is always recommended to use server side access control, "
+ "i.e. the LDAP server should deny the bind request with a suitable error code "
+@@ -7135,12 +7329,12 @@ msgstr ""
+ "una código de error definible aunque el password sea correcto."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2159
++#: sssd-ldap.5.xml:2179
+ msgid "The following values are allowed:"
+ msgstr "Los siguientes valores están permitidos:"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2162
++#: sssd-ldap.5.xml:2182
+ msgid ""
+ "<emphasis>shadow</emphasis>: use the value of ldap_user_shadow_expire to "
+ "determine if the account is expired."
+@@ -7149,7 +7343,7 @@ msgstr ""
+ "determinar si la cuenta ha expirado."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2167
++#: sssd-ldap.5.xml:2187
+ msgid ""
+ "<emphasis>ad</emphasis>: use the value of the 32bit field "
+ "ldap_user_ad_user_account_control and allow access if the second bit is not "
+@@ -7162,7 +7356,7 @@ msgstr ""
+ "se comprueba el tiempo de expiración de la cuenta."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2174
++#: sssd-ldap.5.xml:2194
+ msgid ""
+ "<emphasis>rhds</emphasis>, <emphasis>ipa</emphasis>, <emphasis>389ds</"
+ "emphasis>: use the value of ldap_ns_account_lock to check if access is "
+@@ -7173,7 +7367,7 @@ msgstr ""
+ "el acceso o no."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2180
++#: sssd-ldap.5.xml:2200
+ msgid ""
+ "<emphasis>nds</emphasis>: the values of "
+ "ldap_user_nds_login_allowed_time_map, ldap_user_nds_login_disabled and "
+@@ -7186,7 +7380,7 @@ msgstr ""
+ "permitido. Si ambos atributos están desaparecidos se concede el acceso."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2189
++#: sssd-ldap.5.xml:2209
+ msgid ""
+ "Please note that the ldap_access_order configuration option <emphasis>must</"
+ "emphasis> include <quote>expire</quote> in order for the "
+@@ -7194,24 +7388,24 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2202
++#: sssd-ldap.5.xml:2222
+ msgid "ldap_access_order (string)"
+ msgstr "ldap_access_order (cadena)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2205
++#: sssd-ldap.5.xml:2225
+ msgid "Comma separated list of access control options.  Allowed values are:"
+ msgstr ""
+ "Lista separada por coma de opciones de control de acceso.  Los valores "
+ "permitidos son:"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2209
++#: sssd-ldap.5.xml:2229
+ msgid "<emphasis>filter</emphasis>: use ldap_access_filter"
+ msgstr "<emphasis>filtro</emphasis>: utilizar ldap_access_filter"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2212
++#: sssd-ldap.5.xml:2232
+ msgid ""
+ "<emphasis>lockout</emphasis>: use account locking.  If set, this option "
+ "denies access in case that ldap attribute 'pwdAccountLockedTime' is present "
+@@ -7221,14 +7415,14 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2222
++#: sssd-ldap.5.xml:2242
+ msgid ""
+ "<emphasis> Please note that this option is superseded by the <quote>ppolicy</"
+ "quote> option and might be removed in a future release.  </emphasis>"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2229
++#: sssd-ldap.5.xml:2249
+ msgid ""
+ "<emphasis>ppolicy</emphasis>: use account locking.  If set, this option "
+ "denies access in case that ldap attribute 'pwdAccountLockedTime' is present "
+@@ -7241,12 +7435,12 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2246
++#: sssd-ldap.5.xml:2266
+ msgid "<emphasis>expire</emphasis>: use ldap_account_expire_policy"
+ msgstr "<emphasis>caducar</emphasis>: utilizar ldap_account_expire_policy"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2250
++#: sssd-ldap.5.xml:2270
+ msgid ""
+ "<emphasis>pwd_expire_policy_reject, pwd_expire_policy_warn, "
+ "pwd_expire_policy_renew: </emphasis> These options are useful if users are "
+@@ -7256,7 +7450,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2260
++#: sssd-ldap.5.xml:2280
+ msgid ""
+ "The difference between these options is the action taken if user password is "
+ "expired: pwd_expire_policy_reject - user is denied to log in, "
+@@ -7266,20 +7460,20 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2268
++#: sssd-ldap.5.xml:2288
+ msgid ""
+ "Note If user password is expired no explicit message is prompted by SSSD."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2272
++#: sssd-ldap.5.xml:2292
+ msgid ""
+ "Please note that 'access_provider = ldap' must be set for this feature to "
+ "work. Also 'ldap_pwd_policy' must be set to an appropriate password policy."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2277
++#: sssd-ldap.5.xml:2297
+ msgid ""
+ "<emphasis>authorized_service</emphasis>: use the authorizedService attribute "
+ "to determine access"
+@@ -7288,32 +7482,32 @@ msgstr ""
+ "autorizedService para determinar el acceso"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2282
++#: sssd-ldap.5.xml:2302
+ msgid "<emphasis>host</emphasis>: use the host attribute to determine access"
+ msgstr ""
+ "<emphasis>host</emphasis>: usa el atributo host para determinar el acceso"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2286
++#: sssd-ldap.5.xml:2306
+ msgid ""
+ "<emphasis>rhost</emphasis>: use the rhost attribute to determine whether "
+ "remote host can access"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2290
++#: sssd-ldap.5.xml:2310
+ msgid ""
+ "Please note, rhost field in pam is set by application, it is better to check "
+ "what the application sends to pam, before enabling this access control option"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2295
++#: sssd-ldap.5.xml:2315
+ msgid "Default: filter"
+ msgstr "Predeterminado: filter"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2298
++#: sssd-ldap.5.xml:2318
+ msgid ""
+ "Please note that it is a configuration error if a value is used more than "
+ "once."
+@@ -7322,12 +7516,12 @@ msgstr ""
+ "una vez."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2305
++#: sssd-ldap.5.xml:2325
+ msgid "ldap_pwdlockout_dn (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2308
++#: sssd-ldap.5.xml:2328
+ msgid ""
+ "This option specifies the DN of password policy entry on LDAP server. Please "
+ "note that absence of this option in sssd.conf in case of enabled account "
+@@ -7336,22 +7530,22 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2316
++#: sssd-ldap.5.xml:2336
+ msgid "Example: cn=ppolicy,ou=policies,dc=example,dc=com"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2319
++#: sssd-ldap.5.xml:2339
+ msgid "Default: cn=ppolicy,ou=policies,$ldap_search_base"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2325
++#: sssd-ldap.5.xml:2345
+ msgid "ldap_deref (string)"
+ msgstr "ldap_deref (cadena)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2328
++#: sssd-ldap.5.xml:2348
+ msgid ""
+ "Specifies how alias dereferencing is done when performing a search. The "
+ "following options are allowed:"
+@@ -7360,13 +7554,13 @@ msgstr ""
+ "lleva a cabo una búsqueda. Están permitidas las siguientes opciones:"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2333
++#: sssd-ldap.5.xml:2353
+ msgid "<emphasis>never</emphasis>: Aliases are never dereferenced."
+ msgstr ""
+ "<emphasis>never</emphasis>: Nunca serán eliminadas las referencias al alias."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2337
++#: sssd-ldap.5.xml:2357
+ msgid ""
+ "<emphasis>searching</emphasis>: Aliases are dereferenced in subordinates of "
+ "the base object, but not in locating the base object of the search."
+@@ -7376,7 +7570,7 @@ msgstr ""
+ "búsqueda."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2342
++#: sssd-ldap.5.xml:2362
+ msgid ""
+ "<emphasis>finding</emphasis>: Aliases are only dereferenced when locating "
+ "the base object of the search."
+@@ -7385,7 +7579,7 @@ msgstr ""
+ "cuando se localice el objeto base de la búsqueda."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2347
++#: sssd-ldap.5.xml:2367
+ msgid ""
+ "<emphasis>always</emphasis>: Aliases are dereferenced both in searching and "
+ "in locating the base object of the search."
+@@ -7394,7 +7588,7 @@ msgstr ""
+ "para la búsqueda como en la localización del objeto base de la búsqueda."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2352
++#: sssd-ldap.5.xml:2372
+ msgid ""
+ "Default: Empty (this is handled as <emphasis>never</emphasis> by the LDAP "
+ "client libraries)"
+@@ -7403,12 +7597,12 @@ msgstr ""
+ "librerías cliente LDAP)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2360
++#: sssd-ldap.5.xml:2380
+ msgid "ldap_rfc2307_fallback_to_local_users (boolean)"
+ msgstr "ldap_rfc2307_fallback_to_local_users (boolean)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2363
++#: sssd-ldap.5.xml:2383
+ msgid ""
+ "Allows to retain local users as members of an LDAP group for servers that "
+ "use the RFC2307 schema."
+@@ -7417,7 +7611,7 @@ msgstr ""
+ "servidores que usan el esquema RFC2307."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2367
++#: sssd-ldap.5.xml:2387
+ msgid ""
+ "In some environments where the RFC2307 schema is used, local users are made "
+ "members of LDAP groups by adding their names to the memberUid attribute.  "
+@@ -7435,7 +7629,7 @@ msgstr ""
+ "llamadas getpw*() o initgroups()."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2378
++#: sssd-ldap.5.xml:2398
+ msgid ""
+ "This option falls back to checking if local users are referenced, and caches "
+ "them so that later initgroups() calls will augment the local users with the "
+@@ -7446,24 +7640,24 @@ msgstr ""
+ "initgroups() aumentará los usuarios locales con los grupos LDAP adicionales."
+ 
+ #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2390 sssd-ifp.5.xml:136
++#: sssd-ldap.5.xml:2410 sssd-ifp.5.xml:136
+ msgid "wildcard_limit (integer)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2393
++#: sssd-ldap.5.xml:2413
+ msgid ""
+ "Specifies an upper limit on the number of entries that are downloaded during "
+ "a wildcard lookup."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2397
++#: sssd-ldap.5.xml:2417
+ msgid "At the moment, only the InfoPipe responder supports wildcard lookups."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2401
++#: sssd-ldap.5.xml:2421
+ msgid "Default: 1000 (often the size of one page)"
+ msgstr ""
+ 
+@@ -7483,12 +7677,12 @@ msgstr ""
+ "completos. <placeholder type=\"variablelist\" id=\"0\"/>"
+ 
+ #. type: Content of: <reference><refentry><refsect1><title>
+-#: sssd-ldap.5.xml:2411
++#: sssd-ldap.5.xml:2431
+ msgid "SUDO OPTIONS"
+ msgstr "OPCIONES SUDO"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd-ldap.5.xml:2413
++#: sssd-ldap.5.xml:2433
+ msgid ""
+ "The detailed instructions for configuration of sudo_provider are in the "
+ "manual page <citerefentry> <refentrytitle>sssd-sudo</refentrytitle> "
+@@ -7496,52 +7690,52 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2424
++#: sssd-ldap.5.xml:2444
+ msgid "ldap_sudorule_object_class (string)"
+ msgstr "ldap_sudorule_object_class (cadena)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2427
++#: sssd-ldap.5.xml:2447
+ msgid "The object class of a sudo rule entry in LDAP."
+ msgstr "El objeto clase de una regla de entrada sudo en LDAP."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2430
++#: sssd-ldap.5.xml:2450
+ msgid "Default: sudoRole"
+ msgstr "Por defecto: sudoRole"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2436
++#: sssd-ldap.5.xml:2456
+ msgid "ldap_sudorule_name (string)"
+ msgstr "ldap_sudorule_name (cadena)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2439
++#: sssd-ldap.5.xml:2459
+ msgid "The LDAP attribute that corresponds to the sudo rule name."
+ msgstr "El atributo LDAP que corresponde a la regla nombre de sudo."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2449
++#: sssd-ldap.5.xml:2469
+ msgid "ldap_sudorule_command (string)"
+ msgstr "ldap_sudorule_command (cadena)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2452
++#: sssd-ldap.5.xml:2472
+ msgid "The LDAP attribute that corresponds to the command name."
+ msgstr "El atributo LDAP que corresponde al nombre de comando."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2456
++#: sssd-ldap.5.xml:2476
+ msgid "Default: sudoCommand"
+ msgstr "Por defecto: sudoCommand"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2462
++#: sssd-ldap.5.xml:2482
+ msgid "ldap_sudorule_host (string)"
+ msgstr "ldap_sudorule_host (cadena)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2465
++#: sssd-ldap.5.xml:2485
+ msgid ""
+ "The LDAP attribute that corresponds to the host name (or host IP address, "
+ "host IP network, or host netgroup)"
+@@ -7550,17 +7744,17 @@ msgstr ""
+ "red IP del host o grupo de red del host)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2470
++#: sssd-ldap.5.xml:2490
+ msgid "Default: sudoHost"
+ msgstr "Por defecto: sudoHost"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2476
++#: sssd-ldap.5.xml:2496
+ msgid "ldap_sudorule_user (string)"
+ msgstr "ldap_sudorule_user (cadena)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2479
++#: sssd-ldap.5.xml:2499
+ msgid ""
+ "The LDAP attribute that corresponds to the user name (or UID, group name or "
+ "user's netgroup)"
+@@ -7569,32 +7763,32 @@ msgstr ""
+ "grupo o grupo de red del usuario)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2483
++#: sssd-ldap.5.xml:2503
+ msgid "Default: sudoUser"
+ msgstr "Por defecto: sudoUser"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2489
++#: sssd-ldap.5.xml:2509
+ msgid "ldap_sudorule_option (string)"
+ msgstr "ldap_sudorule_option (cadena)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2492
++#: sssd-ldap.5.xml:2512
+ msgid "The LDAP attribute that corresponds to the sudo options."
+ msgstr "El atributo LDAP que corresponde a las opciones sudo."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2496
++#: sssd-ldap.5.xml:2516
+ msgid "Default: sudoOption"
+ msgstr "Por defecto: sudoOption"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2502
++#: sssd-ldap.5.xml:2522
+ msgid "ldap_sudorule_runasuser (string)"
+ msgstr "ldap_sudorule_runasuser (cadena)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2505
++#: sssd-ldap.5.xml:2525
+ msgid ""
+ "The LDAP attribute that corresponds to the user name that commands may be "
+ "run as."
+@@ -7603,17 +7797,17 @@ msgstr ""
+ "pueden ejecutar como."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2509
++#: sssd-ldap.5.xml:2529
+ msgid "Default: sudoRunAsUser"
+ msgstr "Por defectot: sudoRunAsUser"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2515
++#: sssd-ldap.5.xml:2535
+ msgid "ldap_sudorule_runasgroup (string)"
+ msgstr "ldap_sudorule_runasgroup (cadena)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2518
++#: sssd-ldap.5.xml:2538
+ msgid ""
+ "The LDAP attribute that corresponds to the group name or group GID that "
+ "commands may be run as."
+@@ -7622,17 +7816,17 @@ msgstr ""
+ "ejecutar comandos como."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2522
++#: sssd-ldap.5.xml:2542
+ msgid "Default: sudoRunAsGroup"
+ msgstr "Por defecto: sudoRunAsGroup"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2528
++#: sssd-ldap.5.xml:2548
+ msgid "ldap_sudorule_notbefore (string)"
+ msgstr "ldap_sudorule_notbefore (cadena)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2531
++#: sssd-ldap.5.xml:2551
+ msgid ""
+ "The LDAP attribute that corresponds to the start date/time for when the sudo "
+ "rule is valid."
+@@ -7641,17 +7835,17 @@ msgstr ""
+ "regla sudo es válida."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2535
++#: sssd-ldap.5.xml:2555
+ msgid "Default: sudoNotBefore"
+ msgstr "Por defecto: sudoNotBefore"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2541
++#: sssd-ldap.5.xml:2561
+ msgid "ldap_sudorule_notafter (string)"
+ msgstr "ldap_sudorule_notafter (cadena)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2544
++#: sssd-ldap.5.xml:2564
+ msgid ""
+ "The LDAP attribute that corresponds to the expiration date/time, after which "
+ "the sudo rule will no longer be valid."
+@@ -7660,32 +7854,32 @@ msgstr ""
+ "la regla sudo dejará de ser válida."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2549
++#: sssd-ldap.5.xml:2569
+ msgid "Default: sudoNotAfter"
+ msgstr "Por defecto: sudoNotAfter"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2555
++#: sssd-ldap.5.xml:2575
+ msgid "ldap_sudorule_order (string)"
+ msgstr "ldap_sudorule_order (cadena)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2558
++#: sssd-ldap.5.xml:2578
+ msgid "The LDAP attribute that corresponds to the ordering index of the rule."
+ msgstr "El atributo LDAP que corresponde al índice de ordenación de la regla."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2562
++#: sssd-ldap.5.xml:2582
+ msgid "Default: sudoOrder"
+ msgstr "Por defecto: sudoOrder"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2568
++#: sssd-ldap.5.xml:2588
+ msgid "ldap_sudo_full_refresh_interval (integer)"
+ msgstr "ldap_sudo_full_refresh_interval (entero)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2571
++#: sssd-ldap.5.xml:2591
+ msgid ""
+ "How many seconds SSSD will wait between executing a full refresh of sudo "
+ "rules (which downloads all rules that are stored on the server)."
+@@ -7695,7 +7889,7 @@ msgstr ""
+ "servidor)."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2576
++#: sssd-ldap.5.xml:2596
+ msgid ""
+ "The value must be greater than <emphasis>ldap_sudo_smart_refresh_interval </"
+ "emphasis>"
+@@ -7704,17 +7898,17 @@ msgstr ""
+ "emphasis>"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2581
++#: sssd-ldap.5.xml:2601
+ msgid "Default: 21600 (6 hours)"
+ msgstr "Por defecto: 21600 (6 horas)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2587
++#: sssd-ldap.5.xml:2607
+ msgid "ldap_sudo_smart_refresh_interval (integer)"
+ msgstr "ldap_sudo_smart_refresh_interval (entero)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2590
++#: sssd-ldap.5.xml:2610
+ msgid ""
+ "How many seconds SSSD has to wait before executing a smart refresh of sudo "
+ "rules (which downloads all rules that have USN higher than the highest USN "
+@@ -7725,7 +7919,7 @@ msgstr ""
+ "USBN más alto que el USN más alto de las reglas escondidas)."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2596
++#: sssd-ldap.5.xml:2616
+ msgid ""
+ "If USN attributes are not supported by the server, the modifyTimestamp "
+ "attribute is used instead."
+@@ -7734,12 +7928,12 @@ msgstr ""
+ "atributo modifyTimestamp."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2606
++#: sssd-ldap.5.xml:2626
+ msgid "ldap_sudo_use_host_filter (boolean)"
+ msgstr "ldap_sudo_use_host_filter (booleano)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2609
++#: sssd-ldap.5.xml:2629
+ msgid ""
+ "If true, SSSD will download only rules that are applicable to this machine "
+ "(using the IPv4 or IPv6 host/network addresses and hostnames)."
+@@ -7748,12 +7942,12 @@ msgstr ""
+ "máquina (usando las direcciones de host/red y nombres de host IPv4 o IPv6)."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2620
++#: sssd-ldap.5.xml:2640
+ msgid "ldap_sudo_hostnames (string)"
+ msgstr "ldap_sudo_hostnames (cadena)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2623
++#: sssd-ldap.5.xml:2643
+ msgid ""
+ "Space separated list of hostnames or fully qualified domain names that "
+ "should be used to filter the rules."
+@@ -7762,7 +7956,7 @@ msgstr ""
+ "totalmente cualificados que sería usada para filtrar las reglas."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2628
++#: sssd-ldap.5.xml:2648
+ msgid ""
+ "If this option is empty, SSSD will try to discover the hostname and the "
+ "fully qualified domain name automatically."
+@@ -7771,8 +7965,8 @@ msgstr ""
+ "nombre de dominio totalmente cualificado automáticamente."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2633 sssd-ldap.5.xml:2656 sssd-ldap.5.xml:2674
+-#: sssd-ldap.5.xml:2692
++#: sssd-ldap.5.xml:2653 sssd-ldap.5.xml:2676 sssd-ldap.5.xml:2694
++#: sssd-ldap.5.xml:2712
+ msgid ""
+ "If <emphasis>ldap_sudo_use_host_filter</emphasis> is <emphasis>false</"
+ "emphasis> then this option has no effect."
+@@ -7781,17 +7975,17 @@ msgstr ""
+ "emphasis> esta opción no tiene efecto."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2638 sssd-ldap.5.xml:2661
++#: sssd-ldap.5.xml:2658 sssd-ldap.5.xml:2681
+ msgid "Default: not specified"
+ msgstr "Por defecto: no especificado"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2644
++#: sssd-ldap.5.xml:2664
+ msgid "ldap_sudo_ip (string)"
+ msgstr "ldap_sudo_ip (cadena)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2647
++#: sssd-ldap.5.xml:2667
+ msgid ""
+ "Space separated list of IPv4 or IPv6 host/network addresses that should be "
+ "used to filter the rules."
+@@ -7800,7 +7994,7 @@ msgstr ""
+ "usada para filtrar las reglas."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2652
++#: sssd-ldap.5.xml:2672
+ msgid ""
+ "If this option is empty, SSSD will try to discover the addresses "
+ "automatically."
+@@ -7809,12 +8003,12 @@ msgstr ""
+ "automáticamente."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2667
++#: sssd-ldap.5.xml:2687
+ msgid "ldap_sudo_include_netgroups (boolean)"
+ msgstr "sudo_include_netgroups (booleano)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2670
++#: sssd-ldap.5.xml:2690
+ msgid ""
+ "If true then SSSD will download every rule that contains a netgroup in "
+ "sudoHost attribute."
+@@ -7823,12 +8017,12 @@ msgstr ""
+ "atributo sudoHost."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2685
++#: sssd-ldap.5.xml:2705
+ msgid "ldap_sudo_include_regexp (boolean)"
+ msgstr "ldap_sudo_include_regexp (booleano)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2688
++#: sssd-ldap.5.xml:2708
+ msgid ""
+ "If true then SSSD will download every rule that contains a wildcard in "
+ "sudoHost attribute."
+@@ -7837,7 +8031,7 @@ msgstr ""
+ "atributo sudoHost."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd-ldap.5.xml:2704
++#: sssd-ldap.5.xml:2724
+ msgid ""
+ "This manual page only describes attribute name mapping.  For detailed "
+ "explanation of sudo related attribute semantics, see <citerefentry> "
+@@ -7850,87 +8044,87 @@ msgstr ""
+ "manvolnum> </citerefentry>"
+ 
+ #. type: Content of: <reference><refentry><refsect1><title>
+-#: sssd-ldap.5.xml:2714
++#: sssd-ldap.5.xml:2734
+ msgid "AUTOFS OPTIONS"
+ msgstr "OPCIONES AUTOFS"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd-ldap.5.xml:2716
++#: sssd-ldap.5.xml:2736
+ msgid ""
+ "Some of the defaults for the parameters below are dependent on the LDAP "
+ "schema."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2722
++#: sssd-ldap.5.xml:2742
+ msgid "ldap_autofs_map_master_name (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2725
++#: sssd-ldap.5.xml:2745
+ msgid "The name of the automount master map in LDAP."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2728
++#: sssd-ldap.5.xml:2748
+ msgid "Default: auto.master"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2735
++#: sssd-ldap.5.xml:2755
+ msgid "ldap_autofs_map_object_class (string)"
+ msgstr "ldap_autofs_map_object_class (cadena)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2738
++#: sssd-ldap.5.xml:2758
+ msgid "The object class of an automount map entry in LDAP."
+ msgstr "El objeto clase de una entrada de mapa de automontaje en LDAP."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2741
++#: sssd-ldap.5.xml:2761
+ msgid "Default: nisMap (rfc2307, autofs_provider=ad), otherwise automountMap"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2749
++#: sssd-ldap.5.xml:2769
+ msgid "ldap_autofs_map_name (string)"
+ msgstr "ldap_autofs_map_name (cadena)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2752
++#: sssd-ldap.5.xml:2772
+ msgid "The name of an automount map entry in LDAP."
+ msgstr "El nombre de una entrada de mapa de automontaje en LDAP."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2755
++#: sssd-ldap.5.xml:2775
+ msgid ""
+ "Default: nisMapName (rfc2307, autofs_provider=ad), otherwise automountMapName"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2763
++#: sssd-ldap.5.xml:2783
+ msgid "ldap_autofs_entry_object_class (string)"
+ msgstr "ldap_autofs_entry_object_class (cadena)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2766
++#: sssd-ldap.5.xml:2786
+ msgid ""
+ "The object class of an automount entry in LDAP. The entry usually "
+ "corresponds to a mount point."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2771
++#: sssd-ldap.5.xml:2791
+ msgid "Default: nisObject (rfc2307, autofs_provider=ad), otherwise automount"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2779
++#: sssd-ldap.5.xml:2799
+ msgid "ldap_autofs_entry_key (string)"
+ msgstr "ldap_autofs_entry_key (cadena)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2782 sssd-ldap.5.xml:2797
++#: sssd-ldap.5.xml:2802 sssd-ldap.5.xml:2817
+ msgid ""
+ "The key of an automount entry in LDAP. The entry usually corresponds to a "
+ "mount point."
+@@ -7939,24 +8133,24 @@ msgstr ""
+ "normalmente a un punto de montaje."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2786
++#: sssd-ldap.5.xml:2806
+ msgid "Default: cn (rfc2307, autofs_provider=ad), otherwise automountKey"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2794
++#: sssd-ldap.5.xml:2814
+ msgid "ldap_autofs_entry_value (string)"
+ msgstr "ldap_autofs_entry_value (cadena)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2801
++#: sssd-ldap.5.xml:2821
+ msgid ""
+ "Default: nisMapEntry (rfc2307, autofs_provider=ad), otherwise "
+ "automountInformation"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd-ldap.5.xml:2720
++#: sssd-ldap.5.xml:2740
+ msgid ""
+ "<placeholder type=\"variablelist\" id=\"0\"/> <placeholder type="
+ "\"variablelist\" id=\"1\"/> <placeholder type=\"variablelist\" id=\"2\"/> "
+@@ -7965,32 +8159,32 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><title>
+-#: sssd-ldap.5.xml:2812
++#: sssd-ldap.5.xml:2832
+ msgid "ADVANCED OPTIONS"
+ msgstr "OPCIONES AVANZADAS"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2819
++#: sssd-ldap.5.xml:2839
+ msgid "ldap_netgroup_search_base (string)"
+ msgstr "ldap_netgroup_search_base (cadena)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2824
++#: sssd-ldap.5.xml:2844
+ msgid "ldap_user_search_base (string)"
+ msgstr "ldap_user_search_base (cadena)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2829
++#: sssd-ldap.5.xml:2849
+ msgid "ldap_group_search_base (string)"
+ msgstr "ldap_group_search_base (cadena)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><note>
+-#: sssd-ldap.5.xml:2834
++#: sssd-ldap.5.xml:2854
+ msgid "<note>"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><note><para>
+-#: sssd-ldap.5.xml:2836
++#: sssd-ldap.5.xml:2856
+ msgid ""
+ "If the option <quote>ldap_use_tokengroups</quote> is enabled, the searches "
+ "against Active Directory will not be restricted and return all groups "
+@@ -7999,22 +8193,22 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist>
+-#: sssd-ldap.5.xml:2843
++#: sssd-ldap.5.xml:2863
+ msgid "</note>"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2845
++#: sssd-ldap.5.xml:2865
+ msgid "ldap_sudo_search_base (string)"
+ msgstr "ldap_sudo_search_base (cadena)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2850
++#: sssd-ldap.5.xml:2870
+ msgid "ldap_autofs_search_base (string)"
+ msgstr "ldap_autofs_search_base (cadena)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd-ldap.5.xml:2814
++#: sssd-ldap.5.xml:2834
+ msgid ""
+ "These options are supported by LDAP domains, but they should be used with "
+ "caution. Please include them in your configuration only if you know what you "
+@@ -8023,14 +8217,14 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><title>
+-#: sssd-ldap.5.xml:2865 sssd-simple.5.xml:131 sssd-ipa.5.xml:828
+-#: sssd-ad.5.xml:1063 sssd-krb5.5.xml:570 sss_rpcidmapd.5.xml:98
++#: sssd-ldap.5.xml:2885 sssd-simple.5.xml:131 sssd-ipa.5.xml:828
++#: sssd-ad.5.xml:1082 sssd-krb5.5.xml:604 sss_rpcidmapd.5.xml:98
+ #: sssd-files.5.xml:103 sssd-session-recording.5.xml:144
+ msgid "EXAMPLE"
+ msgstr "EJEMPLO"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd-ldap.5.xml:2867
++#: sssd-ldap.5.xml:2887
+ msgid ""
+ "The following example assumes that SSSD is correctly configured and LDAP is "
+ "set to one of the domains in the <replaceable>[domains]</replaceable> "
+@@ -8041,7 +8235,7 @@ msgstr ""
+ "replaceable>."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><programlisting>
+-#: sssd-ldap.5.xml:2873
++#: sssd-ldap.5.xml:2893
+ #, no-wrap
+ msgid ""
+ "[domain/LDAP]\n"
+@@ -8054,27 +8248,27 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <refsect1><refsect2><para>
+-#: sssd-ldap.5.xml:2872 sssd-ldap.5.xml:2890 sssd-simple.5.xml:139
+-#: sssd-ipa.5.xml:836 sssd-ad.5.xml:1071 sssd-sudo.5.xml:56 sssd-krb5.5.xml:579
++#: sssd-ldap.5.xml:2892 sssd-ldap.5.xml:2910 sssd-simple.5.xml:139
++#: sssd-ipa.5.xml:836 sssd-ad.5.xml:1090 sssd-sudo.5.xml:56 sssd-krb5.5.xml:613
+ #: sssd-files.5.xml:110 sssd-session-recording.5.xml:150
+ #: include/ldap_id_mapping.xml:105
+ msgid "<placeholder type=\"programlisting\" id=\"0\"/>"
+ msgstr "<placeholder type=\"programlisting\" id=\"0\"/>"
+ 
+ #. type: Content of: <reference><refentry><refsect1><title>
+-#: sssd-ldap.5.xml:2884
++#: sssd-ldap.5.xml:2904
+ msgid "LDAP ACCESS FILTER EXAMPLE"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd-ldap.5.xml:2886
++#: sssd-ldap.5.xml:2906
+ msgid ""
+ "The following example assumes that SSSD is correctly configured and to use "
+ "the ldap_access_order=lockout."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><programlisting>
+-#: sssd-ldap.5.xml:2891
++#: sssd-ldap.5.xml:2911
+ #, no-wrap
+ msgid ""
+ "[domain/LDAP]\n"
+@@ -8090,13 +8284,13 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><title>
+-#: sssd-ldap.5.xml:2906 sssd_krb5_locator_plugin.8.xml:83 sssd-simple.5.xml:148
+-#: sssd-ad.5.xml:1086 sssd.8.xml:230 sss_seed.8.xml:163
++#: sssd-ldap.5.xml:2926 sssd_krb5_locator_plugin.8.xml:83 sssd-simple.5.xml:148
++#: sssd-ad.5.xml:1105 sssd.8.xml:230 sss_seed.8.xml:163
+ msgid "NOTES"
+ msgstr "NOTAS"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd-ldap.5.xml:2908
++#: sssd-ldap.5.xml:2928
+ msgid ""
+ "The descriptions of some of the configuration options in this manual page "
+ "are based on the <citerefentry> <refentrytitle>ldap.conf</refentrytitle> "
+@@ -9673,7 +9867,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ipa.5.xml:128 sssd-ad.5.xml:888
++#: sssd-ipa.5.xml:128 sssd-ad.5.xml:907
+ msgid "dyndns_update (boolean)"
+ msgstr ""
+ 
+@@ -9688,7 +9882,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ipa.5.xml:140 sssd-ad.5.xml:902
++#: sssd-ipa.5.xml:140 sssd-ad.5.xml:921
+ msgid ""
+ "NOTE: On older systems (such as RHEL 5), for this behavior to work reliably, "
+ "the default Kerberos realm must be set properly in /etc/krb5.conf"
+@@ -9706,12 +9900,12 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ipa.5.xml:157 sssd-ad.5.xml:913
++#: sssd-ipa.5.xml:157 sssd-ad.5.xml:932
+ msgid "dyndns_ttl (integer)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ipa.5.xml:160 sssd-ad.5.xml:916
++#: sssd-ipa.5.xml:160 sssd-ad.5.xml:935
+ msgid ""
+ "The TTL to apply to the client DNS record when updating it.  If "
+ "dyndns_update is false this has no effect. This will override the TTL "
+@@ -9732,12 +9926,12 @@ msgid "Default: 1200 (seconds)"
+ msgstr "Por defecto: 1200 (segundos)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ipa.5.xml:177 sssd-ad.5.xml:927
++#: sssd-ipa.5.xml:177 sssd-ad.5.xml:946
+ msgid "dyndns_iface (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ipa.5.xml:180 sssd-ad.5.xml:930
++#: sssd-ipa.5.xml:180 sssd-ad.5.xml:949
+ msgid ""
+ "Optional. Applicable only when dyndns_update is true. Choose the interface "
+ "or a list of interfaces whose IP addresses should be used for dynamic DNS "
+@@ -9761,17 +9955,17 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ipa.5.xml:197 sssd-ad.5.xml:941
++#: sssd-ipa.5.xml:197 sssd-ad.5.xml:960
+ msgid "Example: dyndns_iface = em1, vnet1, vnet2"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ipa.5.xml:203 sssd-ad.5.xml:992
++#: sssd-ipa.5.xml:203 sssd-ad.5.xml:1011
+ msgid "dyndns_auth (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ipa.5.xml:206 sssd-ad.5.xml:995
++#: sssd-ipa.5.xml:206 sssd-ad.5.xml:1014
+ msgid ""
+ "Whether the nsupdate utility should use GSS-TSIG authentication for secure "
+ "updates with the DNS server, insecure updates can be sent by setting this "
+@@ -9779,7 +9973,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ipa.5.xml:212 sssd-ad.5.xml:1001
++#: sssd-ipa.5.xml:212 sssd-ad.5.xml:1020
+ msgid "Default: GSS-TSIG"
+ msgstr ""
+ 
+@@ -9806,7 +10000,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ipa.5.xml:244 sssd-ad.5.xml:947
++#: sssd-ipa.5.xml:244 sssd-ad.5.xml:966
+ msgid "dyndns_refresh_interval (integer)"
+ msgstr ""
+ 
+@@ -9819,12 +10013,12 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ipa.5.xml:260 sssd-ad.5.xml:965
++#: sssd-ipa.5.xml:260 sssd-ad.5.xml:984
+ msgid "dyndns_update_ptr (bool)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ipa.5.xml:263 sssd-ad.5.xml:968
++#: sssd-ipa.5.xml:263 sssd-ad.5.xml:987
+ msgid ""
+ "Whether the PTR record should also be explicitly updated when updating the "
+ "client's DNS records.  Applicable only when dyndns_update is true."
+@@ -9843,50 +10037,50 @@ msgid "Default: False (disabled)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ipa.5.xml:280 sssd-ad.5.xml:979
++#: sssd-ipa.5.xml:280 sssd-ad.5.xml:998
+ msgid "dyndns_force_tcp (bool)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ipa.5.xml:283 sssd-ad.5.xml:982
++#: sssd-ipa.5.xml:283 sssd-ad.5.xml:1001
+ msgid ""
+ "Whether the nsupdate utility should default to using TCP for communicating "
+ "with the DNS server."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ipa.5.xml:287 sssd-ad.5.xml:986
++#: sssd-ipa.5.xml:287 sssd-ad.5.xml:1005
+ msgid "Default: False (let nsupdate choose the protocol)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ipa.5.xml:293 sssd-ad.5.xml:1007
++#: sssd-ipa.5.xml:293 sssd-ad.5.xml:1026
+ msgid "dyndns_server (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ipa.5.xml:296 sssd-ad.5.xml:1010
++#: sssd-ipa.5.xml:296 sssd-ad.5.xml:1029
+ msgid ""
+ "The DNS server to use when performing a DNS update. In most setups, it's "
+ "recommended to leave this option unset."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ipa.5.xml:301 sssd-ad.5.xml:1015
++#: sssd-ipa.5.xml:301 sssd-ad.5.xml:1034
+ msgid ""
+ "Setting this option makes sense for environments where the DNS server is "
+ "different from the identity server."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ipa.5.xml:306 sssd-ad.5.xml:1020
++#: sssd-ipa.5.xml:306 sssd-ad.5.xml:1039
+ msgid ""
+ "Please note that this option will be only used in fallback attempt when "
+ "previous attempt using autodetected settings failed."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ipa.5.xml:311 sssd-ad.5.xml:1025
++#: sssd-ipa.5.xml:311 sssd-ad.5.xml:1044
+ msgid "Default: None (let nsupdate choose the server)"
+ msgstr ""
+ 
+@@ -10008,26 +10202,26 @@ msgstr ""
+ "convertido hacia la base DN para usarlo para llevar a cabo operaciones LDAP."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ipa.5.xml:443 sssd-ad.5.xml:1034
++#: sssd-ipa.5.xml:443 sssd-ad.5.xml:1053
+ msgid "krb5_confd_path (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ipa.5.xml:446 sssd-ad.5.xml:1037
++#: sssd-ipa.5.xml:446 sssd-ad.5.xml:1056
+ msgid ""
+ "Absolute path of a directory where SSSD should place Kerberos configuration "
+ "snippets."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ipa.5.xml:450 sssd-ad.5.xml:1041
++#: sssd-ipa.5.xml:450 sssd-ad.5.xml:1060
+ msgid ""
+ "To disable the creation of the configuration snippets set the parameter to "
+ "'none'."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ipa.5.xml:454 sssd-ad.5.xml:1045
++#: sssd-ipa.5.xml:454 sssd-ad.5.xml:1064
+ msgid ""
+ "Default: not set (krb5.include.d subdirectory of SSSD's pubconf directory)"
+ msgstr ""
+@@ -10046,7 +10240,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ipa.5.xml:471 sssd-ipa.5.xml:501 sssd-ipa.5.xml:517 sssd-ad.5.xml:452
++#: sssd-ipa.5.xml:471 sssd-ipa.5.xml:501 sssd-ipa.5.xml:517 sssd-ad.5.xml:471
+ msgid "Default: 5 (seconds)"
+ msgstr "Predeterminado: 5 (segundos)"
+ 
+@@ -10964,12 +11158,29 @@ msgid "Default: False (seconds)"
+ msgstr "Predeterminado: 5 (segundos)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ad.5.xml:442
++#: sssd-ad.5.xml:441
++#, fuzzy
++#| msgid "ldap_referrals (boolean)"
++msgid "ad_gpo_ignore_unreadable (boolean)"
++msgstr "ldap_referrals (boolean)"
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
++#: sssd-ad.5.xml:444
++msgid ""
++"Normally when some group policy containers (AD object) of applicable group "
++"policy objects are not readable by SSSD then users are denied access.  This "
++"option allows to ignore group policy containers and with them associated "
++"policies if their attributes in group policy containers are not readable for "
++"SSSD."
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
++#: sssd-ad.5.xml:461
+ msgid "ad_gpo_cache_timeout (integer)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:445
++#: sssd-ad.5.xml:464
+ msgid ""
+ "The amount of time between lookups of GPO policy files against the AD "
+ "server. This will reduce the latency and load on the AD server if there are "
+@@ -10977,12 +11188,12 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ad.5.xml:458
++#: sssd-ad.5.xml:477
+ msgid "ad_gpo_map_interactive (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:461
++#: sssd-ad.5.xml:480
+ msgid ""
+ "A comma-separated list of PAM service names for which GPO-based access "
+ "control is evaluated based on the InteractiveLogonRight and "
+@@ -10990,14 +11201,14 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:467
++#: sssd-ad.5.xml:486
+ msgid ""
+ "Note: Using the Group Policy Management Editor this value is called \"Allow "
+ "log on locally\" and \"Deny log on locally\"."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
+-#: sssd-ad.5.xml:481
++#: sssd-ad.5.xml:500
+ #, no-wrap
+ msgid ""
+ "ad_gpo_map_interactive = +my_pam_service, -login\n"
+@@ -11005,7 +11216,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:472
++#: sssd-ad.5.xml:491
+ msgid ""
+ "It is possible to add another PAM service name to the default set by using "
+ "<quote>+service_name</quote> or to explicitly remove a PAM service name from "
+@@ -11017,42 +11228,42 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd-ad.5.xml:504
++#: sssd-ad.5.xml:523
+ msgid "gdm-fingerprint"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd-ad.5.xml:524
++#: sssd-ad.5.xml:543
+ msgid "lightdm"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd-ad.5.xml:529
++#: sssd-ad.5.xml:548
+ msgid "lxdm"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd-ad.5.xml:534
++#: sssd-ad.5.xml:553
+ msgid "sddm"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd-ad.5.xml:539
++#: sssd-ad.5.xml:558
+ msgid "unity"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd-ad.5.xml:544
++#: sssd-ad.5.xml:563
+ msgid "xdm"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ad.5.xml:553
++#: sssd-ad.5.xml:572
+ msgid "ad_gpo_map_remote_interactive (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:556
++#: sssd-ad.5.xml:575
+ msgid ""
+ "A comma-separated list of PAM service names for which GPO-based access "
+ "control is evaluated based on the RemoteInteractiveLogonRight and "
+@@ -11060,7 +11271,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:562
++#: sssd-ad.5.xml:581
+ msgid ""
+ "Note: Using the Group Policy Management Editor this value is called \"Allow "
+ "log on through Remote Desktop Services\" and \"Deny log on through Remote "
+@@ -11068,7 +11279,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
+-#: sssd-ad.5.xml:577
++#: sssd-ad.5.xml:596
+ #, no-wrap
+ msgid ""
+ "ad_gpo_map_remote_interactive = +my_pam_service, -sshd\n"
+@@ -11076,7 +11287,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:568
++#: sssd-ad.5.xml:587
+ msgid ""
+ "It is possible to add another PAM service name to the default set by using "
+ "<quote>+service_name</quote> or to explicitly remove a PAM service name from "
+@@ -11088,22 +11299,22 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd-ad.5.xml:585
++#: sssd-ad.5.xml:604
+ msgid "sshd"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd-ad.5.xml:590
++#: sssd-ad.5.xml:609
+ msgid "cockpit"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ad.5.xml:599
++#: sssd-ad.5.xml:618
+ msgid "ad_gpo_map_network (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:602
++#: sssd-ad.5.xml:621
+ msgid ""
+ "A comma-separated list of PAM service names for which GPO-based access "
+ "control is evaluated based on the NetworkLogonRight and "
+@@ -11111,7 +11322,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:608
++#: sssd-ad.5.xml:627
+ msgid ""
+ "Note: Using the Group Policy Management Editor this value is called \"Access "
+ "this computer from the network\" and \"Deny access to this computer from the "
+@@ -11119,7 +11330,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
+-#: sssd-ad.5.xml:623
++#: sssd-ad.5.xml:642
+ #, no-wrap
+ msgid ""
+ "ad_gpo_map_network = +my_pam_service, -ftp\n"
+@@ -11127,7 +11338,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:614
++#: sssd-ad.5.xml:633
+ msgid ""
+ "It is possible to add another PAM service name to the default set by using "
+ "<quote>+service_name</quote> or to explicitly remove a PAM service name from "
+@@ -11139,22 +11350,22 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd-ad.5.xml:631
++#: sssd-ad.5.xml:650
+ msgid "ftp"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd-ad.5.xml:636
++#: sssd-ad.5.xml:655
+ msgid "samba"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ad.5.xml:645
++#: sssd-ad.5.xml:664
+ msgid "ad_gpo_map_batch (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:648
++#: sssd-ad.5.xml:667
+ msgid ""
+ "A comma-separated list of PAM service names for which GPO-based access "
+ "control is evaluated based on the BatchLogonRight and DenyBatchLogonRight "
+@@ -11162,14 +11373,14 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:654
++#: sssd-ad.5.xml:673
+ msgid ""
+ "Note: Using the Group Policy Management Editor this value is called \"Allow "
+ "log on as a batch job\" and \"Deny log on as a batch job\"."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
+-#: sssd-ad.5.xml:668
++#: sssd-ad.5.xml:687
+ #, no-wrap
+ msgid ""
+ "ad_gpo_map_batch = +my_pam_service, -crond\n"
+@@ -11177,7 +11388,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:659
++#: sssd-ad.5.xml:678
+ msgid ""
+ "It is possible to add another PAM service name to the default set by using "
+ "<quote>+service_name</quote> or to explicitly remove a PAM service name from "
+@@ -11189,23 +11400,23 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:671
++#: sssd-ad.5.xml:690
+ msgid ""
+ "Note: Cron service name may differ depending on Linux distribution used."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd-ad.5.xml:677
++#: sssd-ad.5.xml:696
+ msgid "crond"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ad.5.xml:686
++#: sssd-ad.5.xml:705
+ msgid "ad_gpo_map_service (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:689
++#: sssd-ad.5.xml:708
+ msgid ""
+ "A comma-separated list of PAM service names for which GPO-based access "
+ "control is evaluated based on the ServiceLogonRight and "
+@@ -11213,14 +11424,14 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:695
++#: sssd-ad.5.xml:714
+ msgid ""
+ "Note: Using the Group Policy Management Editor this value is called \"Allow "
+ "log on as a service\" and \"Deny log on as a service\"."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
+-#: sssd-ad.5.xml:708
++#: sssd-ad.5.xml:727
+ #, no-wrap
+ msgid ""
+ "ad_gpo_map_service = +my_pam_service\n"
+@@ -11228,7 +11439,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:700 sssd-ad.5.xml:775
++#: sssd-ad.5.xml:719 sssd-ad.5.xml:794
+ msgid ""
+ "It is possible to add a PAM service name to the default set by using <quote>"
+ "+service_name</quote>.  Since the default set is empty, it is not possible "
+@@ -11239,19 +11450,19 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ad.5.xml:718
++#: sssd-ad.5.xml:737
+ msgid "ad_gpo_map_permit (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:721
++#: sssd-ad.5.xml:740
+ msgid ""
+ "A comma-separated list of PAM service names for which GPO-based access is "
+ "always granted, regardless of any GPO Logon Rights."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
+-#: sssd-ad.5.xml:735
++#: sssd-ad.5.xml:754
+ #, no-wrap
+ msgid ""
+ "ad_gpo_map_permit = +my_pam_service, -sudo\n"
+@@ -11259,7 +11470,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:726
++#: sssd-ad.5.xml:745
+ msgid ""
+ "It is possible to add another PAM service name to the default set by using "
+ "<quote>+service_name</quote> or to explicitly remove a PAM service name from "
+@@ -11271,29 +11482,29 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd-ad.5.xml:743
++#: sssd-ad.5.xml:762
+ msgid "polkit-1"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd-ad.5.xml:758
++#: sssd-ad.5.xml:777
+ msgid "systemd-user"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ad.5.xml:767
++#: sssd-ad.5.xml:786
+ msgid "ad_gpo_map_deny (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:770
++#: sssd-ad.5.xml:789
+ msgid ""
+ "A comma-separated list of PAM service names for which GPO-based access is "
+ "always denied, regardless of any GPO Logon Rights."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
+-#: sssd-ad.5.xml:783
++#: sssd-ad.5.xml:802
+ #, no-wrap
+ msgid ""
+ "ad_gpo_map_deny = +my_pam_service\n"
+@@ -11301,12 +11512,12 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ad.5.xml:793
++#: sssd-ad.5.xml:812
+ msgid "ad_gpo_default_right (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:796
++#: sssd-ad.5.xml:815
+ msgid ""
+ "This option defines how access control is evaluated for PAM service names "
+ "that are not explicitly listed in one of the ad_gpo_map_* options. This "
+@@ -11319,57 +11530,57 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:809
++#: sssd-ad.5.xml:828
+ msgid "Supported values for this option include:"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd-ad.5.xml:813
++#: sssd-ad.5.xml:832
+ msgid "interactive"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd-ad.5.xml:818
++#: sssd-ad.5.xml:837
+ msgid "remote_interactive"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd-ad.5.xml:823
++#: sssd-ad.5.xml:842
+ msgid "network"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd-ad.5.xml:828
++#: sssd-ad.5.xml:847
+ msgid "batch"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd-ad.5.xml:833
++#: sssd-ad.5.xml:852
+ msgid "service"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd-ad.5.xml:838
++#: sssd-ad.5.xml:857
+ msgid "permit"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd-ad.5.xml:843
++#: sssd-ad.5.xml:862
+ msgid "deny"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:849
++#: sssd-ad.5.xml:868
+ msgid "Default: deny"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ad.5.xml:855
++#: sssd-ad.5.xml:874
+ msgid "ad_maximum_machine_account_password_age (integer)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:858
++#: sssd-ad.5.xml:877
+ msgid ""
+ "SSSD will check once a day if the machine account password is older than the "
+ "given age in days and try to renew it. A value of 0 will disable the renewal "
+@@ -11377,17 +11588,17 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:864
++#: sssd-ad.5.xml:883
+ msgid "Default: 30 days"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ad.5.xml:870
++#: sssd-ad.5.xml:889
+ msgid "ad_machine_account_password_renewal_opts (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:873
++#: sssd-ad.5.xml:892
+ msgid ""
+ "This option should only be used to test the machine account renewal task. "
+ "The option expects 2 integers separated by a colon (':'). The first integer "
+@@ -11397,12 +11608,12 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:882
++#: sssd-ad.5.xml:901
+ msgid "Default: 86400:750 (24h and 15m)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:891
++#: sssd-ad.5.xml:910
+ msgid ""
+ "Optional. This option tells SSSD to automatically update the Active "
+ "Directory DNS server with the IP address of this client. The update is "
+@@ -11413,19 +11624,19 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:921
++#: sssd-ad.5.xml:940
+ msgid "Default: 3600 (seconds)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:937
++#: sssd-ad.5.xml:956
+ msgid ""
+ "Default: Use the IP addresses of the interface which is used for AD LDAP "
+ "connection"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:950
++#: sssd-ad.5.xml:969
+ msgid ""
+ "How often should the back end perform periodic DNS update in addition to the "
+ "automatic update performed when the back end goes online.  This option is "
+@@ -11435,12 +11646,12 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:973 sss_rpcidmapd.5.xml:76
++#: sssd-ad.5.xml:992 sss_rpcidmapd.5.xml:76
+ msgid "Default: True"
+ msgstr "Predeterminado: True"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd-ad.5.xml:1065
++#: sssd-ad.5.xml:1084
+ msgid ""
+ "The following example assumes that SSSD is correctly configured and example."
+ "com is one of the domains in the <replaceable>[sssd]</replaceable> section. "
+@@ -11451,7 +11662,7 @@ msgstr ""
+ "Este ejemplo muestra sólo las opciones específicas del proveedor AD."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><programlisting>
+-#: sssd-ad.5.xml:1072
++#: sssd-ad.5.xml:1091
+ #, no-wrap
+ msgid ""
+ "[domain/EXAMPLE]\n"
+@@ -11475,7 +11686,7 @@ msgstr ""
+ "ad_domain = example.com\n"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><programlisting>
+-#: sssd-ad.5.xml:1092
++#: sssd-ad.5.xml:1111
+ #, no-wrap
+ msgid ""
+ "access_provider = ldap\n"
+@@ -11487,7 +11698,7 @@ msgstr ""
+ "ldap_account_expire_policy = ad\n"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd-ad.5.xml:1088
++#: sssd-ad.5.xml:1107
+ msgid ""
+ "The AD access control provider checks if the account is expired.  It has the "
+ "same effect as the following configuration of the LDAP provider: "
+@@ -11498,7 +11709,7 @@ msgstr ""
+ "<placeholder type=\"programlisting\" id=\"0\"/>"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd-ad.5.xml:1098
++#: sssd-ad.5.xml:1117
+ msgid ""
+ "However, unless the <quote>ad</quote> access control provider is explicitly "
+ "configured, the default access provider is <quote>permit</quote>. Please "
+@@ -11508,7 +11719,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd-ad.5.xml:1106
++#: sssd-ad.5.xml:1125
+ msgid ""
+ "When the autofs provider is set to <quote>ad</quote>, the RFC2307 schema "
+ "attribute mapping (nisMap, nisObject, ...) is used, because these attributes "
+@@ -13177,23 +13388,79 @@ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd-krb5.5.xml:505
++#, fuzzy
++#| msgid "krb5_ccachedir (string)"
++msgid "krb5_kdcinfo_lookahead (string)"
++msgstr "krb5_ccachedir (cadena)"
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
++#: sssd-krb5.5.xml:508
++#, fuzzy
++#| msgid ""
++#| "<quote>krb5</quote> to change the Kerberos password. See <citerefentry> "
++#| "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </"
++#| "citerefentry> for more information on configuring Kerberos."
++msgid ""
++"When krb5_use_kdcinfo is set to true, you can limit the amount of servers "
++"handed to <citerefentry> <refentrytitle>sssd_krb5_locator_plugin</"
++"refentrytitle> <manvolnum>8</manvolnum> </citerefentry>.  This might be "
++"helpful when there are too many servers discovered using SRV record."
++msgstr ""
++"<quote>krb5</quote> para cambiar una contraseña Kerberos. Vea <citerefentry> "
++"<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </"
++"citerefentry> para más información sobre configurar Kerberos."
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
++#: sssd-krb5.5.xml:518
++msgid ""
++"The krb5_kdcinfo_lookahead option contains two numbers seperated by a colon. "
++"The first number represents number of primary servers used and the second "
++"number specifies the number of backup servers."
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
++#: sssd-krb5.5.xml:524
++#, fuzzy
++#| msgid ""
++#| "<emphasis>shadow</emphasis> - Use <citerefentry><refentrytitle>shadow</"
++#| "refentrytitle> <manvolnum>5</manvolnum></citerefentry> style attributes "
++#| "to evaluate if the password has expired."
++msgid ""
++"For example <emphasis>10:0</emphasis> means that up to 10 primary servers "
++"will be handed to <citerefentry> <refentrytitle>sssd_krb5_locator_plugin</"
++"refentrytitle> <manvolnum>8</manvolnum> </citerefentry>.  but no backup "
++"servers."
++msgstr ""
++"<emphasis>shadow</emphasis> - Usa los atributos de estilo  "
++"<citerefentry><refentrytitle>shadow</refentrytitle> <manvolnum>5</"
++"manvolnum></citerefentry> para evaluar si la contraseña ha expirado."
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
++#: sssd-krb5.5.xml:533
++#, fuzzy
++#| msgid "Default: 3"
++msgid "Default: 3:1"
++msgstr "Predeterminado: 3"
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
++#: sssd-krb5.5.xml:539
+ msgid "krb5_use_enterprise_principal (boolean)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-krb5.5.xml:508
++#: sssd-krb5.5.xml:542
+ msgid ""
+ "Specifies if the user principal should be treated as enterprise principal. "
+ "See section 5 of RFC 6806 for more details about enterprise principals."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-krb5.5.xml:514
++#: sssd-krb5.5.xml:548
+ msgid "Default: false (AD provider: true)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-krb5.5.xml:517
++#: sssd-krb5.5.xml:551
+ msgid ""
+ "The IPA provider will set to option to 'true' if it detects that the server "
+ "is capable of handling enterprise principals and the option is not set "
+@@ -13201,12 +13468,12 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-krb5.5.xml:526
++#: sssd-krb5.5.xml:560
+ msgid "krb5_map_user (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-krb5.5.xml:529
++#: sssd-krb5.5.xml:563
+ msgid ""
+ "The list of mappings is given as a comma-separated list of pairs "
+ "<quote>username:primary</quote> where <quote>username</quote> is a UNIX user "
+@@ -13216,7 +13483,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
+-#: sssd-krb5.5.xml:541
++#: sssd-krb5.5.xml:575
+ #, no-wrap
+ msgid ""
+ "krb5_realm = REALM\n"
+@@ -13224,7 +13491,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-krb5.5.xml:546
++#: sssd-krb5.5.xml:580
+ msgid ""
+ "<quote>joe</quote> and <quote>dick</quote> are UNIX user names and "
+ "<quote>juser</quote> and <quote>richard</quote> are primaries of kerberos "
+@@ -13244,7 +13511,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd-krb5.5.xml:572
++#: sssd-krb5.5.xml:606
+ msgid ""
+ "The following example assumes that SSSD is correctly configured and FOO is "
+ "one of the domains in the <replaceable>[sssd]</replaceable> section. This "
+@@ -13253,7 +13520,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><programlisting>
+-#: sssd-krb5.5.xml:580
++#: sssd-krb5.5.xml:614
+ #, no-wrap
+ msgid ""
+ "[domain/FOO]\n"
+@@ -17500,6 +17767,12 @@ msgstr ""
+ msgid "ldap_group_external_member = ipaExternalMember"
+ msgstr ""
+ 
++#~ msgid ""
++#~ "You can turn off dereference lookups completely by setting the value to 0."
++#~ msgstr ""
++#~ "Usted puede quitar las búsquedas dereference completamente fijando el "
++#~ "valor a 0."
++
+ #~ msgid ""
+ #~ "(OpenSSL version) This option is currently ignored. All needed "
+ #~ "certificates must be available in the PEM file given by pam_cert_db_path."
+diff --git a/src/man/po/eu.po b/src/man/po/eu.po
+index 4f193bc1f..76eec8c09 100644
+--- a/src/man/po/eu.po
++++ b/src/man/po/eu.po
+@@ -7,7 +7,7 @@ msgid ""
+ msgstr ""
+ "Project-Id-Version: sssd-docs 2.0.99\n"
+ "Report-Msgid-Bugs-To: sssd-devel@redhat.com\n"
+-"POT-Creation-Date: 2019-03-20 22:06+0100\n"
++"POT-Creation-Date: 2019-10-07 11:33+0200\n"
+ "PO-Revision-Date: 2014-12-14 11:55+0000\n"
+ "Last-Translator: Copied by Zanata <copied-by-zanata@zanata.org>\n"
+ "Language-Team: Basque (http://www.transifex.com/projects/p/sssd/language/"
+@@ -293,10 +293,10 @@ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:133 sssd.conf.5.xml:543 sssd.conf.5.xml:840
+-#: sssd.conf.5.xml:1566 sssd.conf.5.xml:1596 sssd-ldap.5.xml:1889
+-#: sssd-ldap.5.xml:1986 sssd-ldap.5.xml:2048 sssd-ldap.5.xml:2614
+-#: sssd-ldap.5.xml:2679 sssd-ldap.5.xml:2697 sssd-ad.5.xml:227
+-#: sssd-ad.5.xml:341 sssd-ad.5.xml:907 sssd-krb5.5.xml:499
++#: sssd.conf.5.xml:1566 sssd.conf.5.xml:1596 sssd-ldap.5.xml:1908
++#: sssd-ldap.5.xml:2006 sssd-ldap.5.xml:2068 sssd-ldap.5.xml:2634
++#: sssd-ldap.5.xml:2699 sssd-ldap.5.xml:2717 sssd-ad.5.xml:227
++#: sssd-ad.5.xml:341 sssd-ad.5.xml:926 sssd-krb5.5.xml:499
+ #: sssd-secrets.5.xml:351 sssd-secrets.5.xml:364
+ msgid "Default: true"
+ msgstr ""
+@@ -315,16 +315,16 @@ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:146 sssd.conf.5.xml:540 sssd.conf.5.xml:722
+-#: sssd.conf.5.xml:1499 sssd.conf.5.xml:3106 sssd-ldap.5.xml:746
+-#: sssd-ldap.5.xml:1752 sssd-ldap.5.xml:1771 sssd-ldap.5.xml:1958
+-#: sssd-ldap.5.xml:2384 sssd-ipa.5.xml:151 sssd-ipa.5.xml:238
++#: sssd.conf.5.xml:1499 sssd.conf.5.xml:3129 sssd-ldap.5.xml:746
++#: sssd-ldap.5.xml:1759 sssd-ldap.5.xml:1778 sssd-ldap.5.xml:1978
++#: sssd-ldap.5.xml:2404 sssd-ipa.5.xml:151 sssd-ipa.5.xml:238
+ #: sssd-ipa.5.xml:559 sssd-krb5.5.xml:266 sssd-krb5.5.xml:300
+ #: sssd-krb5.5.xml:471
+ msgid "Default: false"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para>
+-#: sssd.conf.5.xml:106 sssd.conf.5.xml:157 sssd-ldap.5.xml:2422
++#: sssd.conf.5.xml:106 sssd.conf.5.xml:157 sssd-ldap.5.xml:2442
+ #: sssd-systemtap.5.xml:82 sssd-systemtap.5.xml:143 sssd-systemtap.5.xml:210
+ #: sssd-systemtap.5.xml:248 sssd-systemtap.5.xml:304
+ msgid "<placeholder type=\"variablelist\" id=\"0\"/>"
+@@ -349,8 +349,8 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:169 sssd.conf.5.xml:1377 sssd.conf.5.xml:3122
+-#: sssd-ldap.5.xml:1623 include/ldap_id_mapping.xml:264
++#: sssd.conf.5.xml:169 sssd.conf.5.xml:1377 sssd.conf.5.xml:3145
++#: sssd-ldap.5.xml:1630 include/ldap_id_mapping.xml:264
+ msgid "Default: 10"
+ msgstr ""
+ 
+@@ -365,7 +365,7 @@ msgid "The [sssd] section"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><title>
+-#: sssd.conf.5.xml:191 sssd.conf.5.xml:3211
++#: sssd.conf.5.xml:191 sssd.conf.5.xml:3234
+ msgid "Section parameters"
+ msgstr ""
+ 
+@@ -445,7 +445,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:259 sssd.conf.5.xml:2672
++#: sssd.conf.5.xml:259 sssd.conf.5.xml:2680
+ msgid "re_expression (string)"
+ msgstr ""
+ 
+@@ -465,12 +465,12 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:276 sssd.conf.5.xml:2720
++#: sssd.conf.5.xml:276 sssd.conf.5.xml:2728
+ msgid "full_name_format (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:279 sssd.conf.5.xml:2723
++#: sssd.conf.5.xml:279 sssd.conf.5.xml:2731
+ msgid ""
+ "A <citerefentry> <refentrytitle>printf</refentrytitle> <manvolnum>3</"
+ "manvolnum> </citerefentry>-compatible format that describes how to compose a "
+@@ -478,39 +478,39 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:290 sssd.conf.5.xml:2734
++#: sssd.conf.5.xml:290 sssd.conf.5.xml:2742
+ msgid "%1$s"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:291 sssd.conf.5.xml:2735
++#: sssd.conf.5.xml:291 sssd.conf.5.xml:2743
+ msgid "user name"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:294 sssd.conf.5.xml:2738
++#: sssd.conf.5.xml:294 sssd.conf.5.xml:2746
+ msgid "%2$s"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:297 sssd.conf.5.xml:2741
++#: sssd.conf.5.xml:297 sssd.conf.5.xml:2749
+ msgid "domain name as specified in the SSSD config file."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:303 sssd.conf.5.xml:2747
++#: sssd.conf.5.xml:303 sssd.conf.5.xml:2755
+ msgid "%3$s"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:306 sssd.conf.5.xml:2750
++#: sssd.conf.5.xml:306 sssd.conf.5.xml:2758
+ msgid ""
+ "domain flat name. Mostly usable for Active Directory domains, both directly "
+ "configured or discovered via IPA trusts."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:287 sssd.conf.5.xml:2731
++#: sssd.conf.5.xml:287 sssd.conf.5.xml:2739
+ msgid ""
+ "The following expansions are supported: <placeholder type=\"variablelist\" "
+ "id=\"0\"/>"
+@@ -635,9 +635,9 @@ msgstr ""
+ 
+ #. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:418 sssd.conf.5.xml:1166 sssd-ldap.5.xml:717
+-#: sssd-ldap.5.xml:1357 sssd-ldap.5.xml:1711 sssd-ldap.5.xml:1723
+-#: sssd-ldap.5.xml:1805 sssd-ad.5.xml:712 sssd-ad.5.xml:787 sssd.8.xml:126
+-#: sssd-krb5.5.xml:410 sssd-krb5.5.xml:556 sssd-secrets.5.xml:339
++#: sssd-ldap.5.xml:1357 sssd-ldap.5.xml:1718 sssd-ldap.5.xml:1730
++#: sssd-ldap.5.xml:1822 sssd-ad.5.xml:731 sssd-ad.5.xml:806 sssd.8.xml:126
++#: sssd-krb5.5.xml:410 sssd-krb5.5.xml:590 sssd-secrets.5.xml:339
+ #: sssd-secrets.5.xml:377 sssd-secrets.5.xml:390 sssd-secrets.5.xml:404
+ #: sssd-secrets.5.xml:415 include/ldap_id_mapping.xml:205
+ #: include/ldap_id_mapping.xml:216
+@@ -828,7 +828,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:588 sssd.conf.5.xml:1389 sssd.conf.5.xml:3172
++#: sssd.conf.5.xml:588 sssd.conf.5.xml:1389 sssd.conf.5.xml:3195
+ #: sssd-ad.5.xml:164 sssd-ad.5.xml:302 sssd-ad.5.xml:316
+ msgid "Default: Not set"
+ msgstr ""
+@@ -1150,7 +1150,7 @@ msgstr ""
+ 
+ #. type: Content of: <varlistentry><listitem><para>
+ #: sssd.conf.5.xml:859 sssd.conf.5.xml:1299 sssd.conf.5.xml:1318
+-#: sssd-krb5.5.xml:539 include/override_homedir.xml:59
++#: sssd-krb5.5.xml:573 include/override_homedir.xml:59
+ msgid "example: <placeholder type=\"programlisting\" id=\"0\"/>"
+ msgstr ""
+ 
+@@ -1571,7 +1571,7 @@ msgid "pam_pwd_expiration_warning (integer)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:1201 sssd.conf.5.xml:2153
++#: sssd.conf.5.xml:1201 sssd.conf.5.xml:2161
+ msgid "Display a warning N days before the password expires."
+ msgstr ""
+ 
+@@ -1584,7 +1584,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:1210 sssd.conf.5.xml:2156
++#: sssd.conf.5.xml:1210 sssd.conf.5.xml:2164
+ msgid ""
+ "If zero is set, then this filter is not applied, i.e. if the expiration "
+ "warning was received from backend server, it will automatically be displayed."
+@@ -1598,7 +1598,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:1220 sssd.conf.5.xml:2976 sssd.8.xml:79
++#: sssd.conf.5.xml:1220 sssd.conf.5.xml:2991 sssd.8.xml:79
+ msgid "Default: 0"
+ msgstr ""
+ 
+@@ -1661,7 +1661,7 @@ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:1280 sssd.conf.5.xml:1305 sssd.conf.5.xml:1324
+-#: sssd.conf.5.xml:1950 sssd.conf.5.xml:2912 sssd-ldap.5.xml:2017
++#: sssd.conf.5.xml:1950 sssd.conf.5.xml:2920 sssd-ldap.5.xml:2037
+ msgid "Default: none"
+ msgstr ""
+ 
+@@ -1726,9 +1726,9 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:1338 sssd.conf.5.xml:3056 sssd-ldap.5.xml:1125
+-#: sssd-ldap.5.xml:1152 sssd-ldap.5.xml:1552 sssd-ldap.5.xml:1573
+-#: sssd-ldap.5.xml:2090 include/ldap_id_mapping.xml:244
++#: sssd.conf.5.xml:1338 sssd-ldap.5.xml:1125 sssd-ldap.5.xml:1152
++#: sssd-ldap.5.xml:1552 sssd-ldap.5.xml:1573 sssd-ldap.5.xml:2110
++#: sssd-ad.5.xml:453 include/ldap_id_mapping.xml:244
+ msgid "Default: False"
+ msgstr ""
+ 
+@@ -1826,48 +1826,48 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:1416 sssd-ad.5.xml:485 sssd-ad.5.xml:581 sssd-ad.5.xml:627
+-#: sssd-ad.5.xml:673 sssd-ad.5.xml:739
++#: sssd.conf.5.xml:1416 sssd-ad.5.xml:504 sssd-ad.5.xml:600 sssd-ad.5.xml:646
++#: sssd-ad.5.xml:692 sssd-ad.5.xml:758
+ msgid "Default: the default set of PAM service names includes:"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd.conf.5.xml:1421 sssd-ad.5.xml:489
++#: sssd.conf.5.xml:1421 sssd-ad.5.xml:508
+ msgid "login"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd.conf.5.xml:1426 sssd-ad.5.xml:494
++#: sssd.conf.5.xml:1426 sssd-ad.5.xml:513
+ msgid "su"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd.conf.5.xml:1431 sssd-ad.5.xml:499
++#: sssd.conf.5.xml:1431 sssd-ad.5.xml:518
+ msgid "su-l"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd.conf.5.xml:1436 sssd-ad.5.xml:514
++#: sssd.conf.5.xml:1436 sssd-ad.5.xml:533
+ msgid "gdm-smartcard"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd.conf.5.xml:1441 sssd-ad.5.xml:509
++#: sssd.conf.5.xml:1441 sssd-ad.5.xml:528
+ msgid "gdm-password"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd.conf.5.xml:1446 sssd-ad.5.xml:519
++#: sssd.conf.5.xml:1446 sssd-ad.5.xml:538
+ msgid "kdm"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd.conf.5.xml:1451 sssd-ad.5.xml:748
++#: sssd.conf.5.xml:1451 sssd-ad.5.xml:767
+ msgid "sudo"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd.conf.5.xml:1456 sssd-ad.5.xml:753
++#: sssd.conf.5.xml:1456 sssd-ad.5.xml:772
+ msgid "sudo-i"
+ msgstr ""
+ 
+@@ -2310,7 +2310,7 @@ msgid "FALSE = No enumerations for this domain"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:1886 sssd.conf.5.xml:2108 sssd.conf.5.xml:2283
++#: sssd.conf.5.xml:1886 sssd.conf.5.xml:2116 sssd.conf.5.xml:2291
+ msgid "Default: FALSE"
+ msgstr ""
+ 
+@@ -2526,41 +2526,49 @@ msgstr ""
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:2083
+ msgid ""
+-"The background refresh will process users, groups and netgroups in the cache."
++"The background refresh will process users, groups and netgroups in the "
++"cache. For users who have performed the initgroups (get group membership for "
++"user, typically ran at login)  operation in the past, both the user entry "
++"and the group membership are updated."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2087
++#: sssd.conf.5.xml:2091
++msgid "This option is automatically inherited for all trusted domains."
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
++#: sssd.conf.5.xml:2095
+ msgid "You can consider setting this value to 3/4 * entry_cache_timeout."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2091 sssd-ldap.5.xml:784 sssd-ipa.5.xml:254
++#: sssd.conf.5.xml:2099 sssd-ldap.5.xml:784 sssd-ipa.5.xml:254
+ msgid "Default: 0 (disabled)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2097
++#: sssd.conf.5.xml:2105
+ msgid "cache_credentials (bool)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2100
++#: sssd.conf.5.xml:2108
+ msgid "Determines if user credentials are also cached in the local LDB cache"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2104
++#: sssd.conf.5.xml:2112
+ msgid "User credentials are stored in a SHA512 hash, not in plaintext"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2114
++#: sssd.conf.5.xml:2122
+ msgid "cache_credentials_minimal_first_factor_length (int)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2117
++#: sssd.conf.5.xml:2125
+ msgid ""
+ "If 2-Factor-Authentication (2FA) is used and credentials should be saved "
+ "this value determines the minimal length the first authentication factor "
+@@ -2568,24 +2576,24 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2124
++#: sssd.conf.5.xml:2132
+ msgid ""
+ "This should avoid that the short PINs of a PIN based 2FA scheme are saved in "
+ "the cache which would make them easy targets for brute-force attacks."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2129
++#: sssd.conf.5.xml:2137
+ msgid "Default: 8"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2135
++#: sssd.conf.5.xml:2143
+ msgid "account_cache_expiration (integer)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2138
++#: sssd.conf.5.xml:2146
+ msgid ""
+ "Number of days entries are left in cache after last successful login before "
+ "being removed during a cleanup of the cache. 0 means keep forever.  The "
+@@ -2594,17 +2602,17 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2145
++#: sssd.conf.5.xml:2153
+ msgid "Default: 0 (unlimited)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2150
++#: sssd.conf.5.xml:2158
+ msgid "pwd_expiration_warning (integer)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2161
++#: sssd.conf.5.xml:2169
+ msgid ""
+ "Please note that the backend server has to provide information about the "
+ "expiration time of the password.  If this information is missing, sssd "
+@@ -2613,34 +2621,34 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2168
++#: sssd.conf.5.xml:2176
+ msgid "Default: 7 (Kerberos), 0 (LDAP)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2174
++#: sssd.conf.5.xml:2182
+ msgid "id_provider (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2177
++#: sssd.conf.5.xml:2185
+ msgid ""
+ "The identification provider used for the domain.  Supported ID providers are:"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2181
++#: sssd.conf.5.xml:2189
+ msgid "<quote>proxy</quote>: Support a legacy NSS provider."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2184
++#: sssd.conf.5.xml:2192
+ msgid ""
+ "<quote>local</quote>: SSSD internal provider for local users (DEPRECATED)."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2188
++#: sssd.conf.5.xml:2196
+ msgid ""
+ "<quote>files</quote>: FILES provider. See <citerefentry> <refentrytitle>sssd-"
+ "files</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> for more "
+@@ -2648,7 +2656,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2196
++#: sssd.conf.5.xml:2204
+ msgid ""
+ "<quote>ldap</quote>: LDAP provider. See <citerefentry> <refentrytitle>sssd-"
+ "ldap</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> for more "
+@@ -2656,8 +2664,8 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2204 sssd.conf.5.xml:2309 sssd.conf.5.xml:2364
+-#: sssd.conf.5.xml:2427
++#: sssd.conf.5.xml:2212 sssd.conf.5.xml:2317 sssd.conf.5.xml:2372
++#: sssd.conf.5.xml:2435
+ msgid ""
+ "<quote>ipa</quote>: FreeIPA and Red Hat Enterprise Identity Management "
+ "provider. See <citerefentry> <refentrytitle>sssd-ipa</refentrytitle> "
+@@ -2666,8 +2674,8 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2213 sssd.conf.5.xml:2318 sssd.conf.5.xml:2373
+-#: sssd.conf.5.xml:2436
++#: sssd.conf.5.xml:2221 sssd.conf.5.xml:2326 sssd.conf.5.xml:2381
++#: sssd.conf.5.xml:2444
+ msgid ""
+ "<quote>ad</quote>: Active Directory provider. See <citerefentry> "
+ "<refentrytitle>sssd-ad</refentrytitle> <manvolnum>5</manvolnum> </"
+@@ -2675,19 +2683,19 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2224
++#: sssd.conf.5.xml:2232
+ msgid "use_fully_qualified_names (bool)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2227
++#: sssd.conf.5.xml:2235
+ msgid ""
+ "Use the full name and domain (as formatted by the domain's full_name_format) "
+ "as the user's login name reported to NSS."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2232
++#: sssd.conf.5.xml:2240
+ msgid ""
+ "If set to TRUE, all requests to this domain must use fully qualified names. "
+ "For example, if used in LOCAL domain that contains a \"test\" user, "
+@@ -2696,7 +2704,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2240
++#: sssd.conf.5.xml:2248
+ msgid ""
+ "NOTE: This option has no effect on netgroup lookups due to their tendency to "
+ "include nested netgroups without qualified names. For netgroups, all domains "
+@@ -2704,22 +2712,22 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2247
++#: sssd.conf.5.xml:2255
+ msgid "Default: FALSE (TRUE if default_domain_suffix is used)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2253
++#: sssd.conf.5.xml:2261
+ msgid "ignore_group_members (bool)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2256
++#: sssd.conf.5.xml:2264
+ msgid "Do not return group members for group lookups."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2259
++#: sssd.conf.5.xml:2267
+ msgid ""
+ "If set to TRUE, the group membership attribute is not requested from the "
+ "ldap server, and group members are not returned when processing group lookup "
+@@ -2731,7 +2739,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2277
++#: sssd.conf.5.xml:2285
+ msgid ""
+ "Enabling this option can also make access provider checks for group "
+ "membership significantly faster, especially for groups containing many "
+@@ -2739,19 +2747,19 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2288
++#: sssd.conf.5.xml:2296
+ msgid "auth_provider (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2291
++#: sssd.conf.5.xml:2299
+ msgid ""
+ "The authentication provider used for the domain.  Supported auth providers "
+ "are:"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2295 sssd.conf.5.xml:2357
++#: sssd.conf.5.xml:2303 sssd.conf.5.xml:2365
+ msgid ""
+ "<quote>ldap</quote> for native LDAP authentication. See <citerefentry> "
+ "<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
+@@ -2759,7 +2767,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2302
++#: sssd.conf.5.xml:2310
+ msgid ""
+ "<quote>krb5</quote> for Kerberos authentication. See <citerefentry> "
+ "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </"
+@@ -2767,35 +2775,35 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2326
++#: sssd.conf.5.xml:2334
+ msgid ""
+ "<quote>proxy</quote> for relaying authentication to some other PAM target."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2329
++#: sssd.conf.5.xml:2337
+ msgid "<quote>local</quote>: SSSD internal provider for local users"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2333
++#: sssd.conf.5.xml:2341
+ msgid "<quote>none</quote> disables authentication explicitly."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2336
++#: sssd.conf.5.xml:2344
+ msgid ""
+ "Default: <quote>id_provider</quote> is used if it is set and can handle "
+ "authentication requests."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2342
++#: sssd.conf.5.xml:2350
+ msgid "access_provider (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2345
++#: sssd.conf.5.xml:2353
+ msgid ""
+ "The access control provider used for the domain.  There are two built-in "
+ "access providers (in addition to any included in installed backends)  "
+@@ -2803,19 +2811,19 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2351
++#: sssd.conf.5.xml:2359
+ msgid ""
+ "<quote>permit</quote> always allow access. It's the only permitted access "
+ "provider for a local domain."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2354
++#: sssd.conf.5.xml:2362
+ msgid "<quote>deny</quote> always deny access."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2381
++#: sssd.conf.5.xml:2389
+ msgid ""
+ "<quote>simple</quote> access control based on access or deny lists. See "
+ "<citerefentry> <refentrytitle>sssd-simple</refentrytitle> <manvolnum>5</"
+@@ -2824,7 +2832,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2388
++#: sssd.conf.5.xml:2396
+ msgid ""
+ "<quote>krb5</quote>: .k5login based access control.  See <citerefentry> "
+ "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum></"
+@@ -2832,29 +2840,29 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2395
++#: sssd.conf.5.xml:2403
+ msgid "<quote>proxy</quote> for relaying access control to another PAM module."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2398
++#: sssd.conf.5.xml:2406
+ msgid "Default: <quote>permit</quote>"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2403
++#: sssd.conf.5.xml:2411
+ msgid "chpass_provider (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2406
++#: sssd.conf.5.xml:2414
+ msgid ""
+ "The provider which should handle change password operations for the domain.  "
+ "Supported change password providers are:"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2411
++#: sssd.conf.5.xml:2419
+ msgid ""
+ "<quote>ldap</quote> to change a password stored in a LDAP server. See "
+ "<citerefentry> <refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</"
+@@ -2862,7 +2870,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2419
++#: sssd.conf.5.xml:2427
+ msgid ""
+ "<quote>krb5</quote> to change the Kerberos password. See <citerefentry> "
+ "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </"
+@@ -2870,35 +2878,35 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2444
++#: sssd.conf.5.xml:2452
+ msgid ""
+ "<quote>proxy</quote> for relaying password changes to some other PAM target."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2448
++#: sssd.conf.5.xml:2456
+ msgid "<quote>none</quote> disallows password changes explicitly."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2451
++#: sssd.conf.5.xml:2459
+ msgid ""
+ "Default: <quote>auth_provider</quote> is used if it is set and can handle "
+ "change password requests."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2458
++#: sssd.conf.5.xml:2466
+ msgid "sudo_provider (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2461
++#: sssd.conf.5.xml:2469
+ msgid "The SUDO provider used for the domain.  Supported SUDO providers are:"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2465
++#: sssd.conf.5.xml:2473
+ msgid ""
+ "<quote>ldap</quote> for rules stored in LDAP. See <citerefentry> "
+ "<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
+@@ -2906,32 +2914,32 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2473
++#: sssd.conf.5.xml:2481
+ msgid ""
+ "<quote>ipa</quote> the same as <quote>ldap</quote> but with IPA default "
+ "settings."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2477
++#: sssd.conf.5.xml:2485
+ msgid ""
+ "<quote>ad</quote> the same as <quote>ldap</quote> but with AD default "
+ "settings."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2481
++#: sssd.conf.5.xml:2489
+ msgid "<quote>none</quote> disables SUDO explicitly."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2484 sssd.conf.5.xml:2570 sssd.conf.5.xml:2640
+-#: sssd.conf.5.xml:2665
++#: sssd.conf.5.xml:2492 sssd.conf.5.xml:2578 sssd.conf.5.xml:2648
++#: sssd.conf.5.xml:2673
+ msgid "Default: The value of <quote>id_provider</quote> is used if it is set."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2488
++#: sssd.conf.5.xml:2496
+ msgid ""
+ "The detailed instructions for configuration of sudo_provider are in the "
+ "manual page <citerefentry> <refentrytitle>sssd-sudo</refentrytitle> "
+@@ -2942,7 +2950,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2503
++#: sssd.conf.5.xml:2511
+ msgid ""
+ "<emphasis>NOTE:</emphasis> Sudo rules are periodically downloaded in the "
+ "background unless the sudo provider is explicitly disabled. Set "
+@@ -2951,12 +2959,12 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2513
++#: sssd.conf.5.xml:2521
+ msgid "selinux_provider (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2516
++#: sssd.conf.5.xml:2524
+ msgid ""
+ "The provider which should handle loading of selinux settings. Note that this "
+ "provider will be called right after access provider ends.  Supported selinux "
+@@ -2964,7 +2972,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2522
++#: sssd.conf.5.xml:2530
+ msgid ""
+ "<quote>ipa</quote> to load selinux settings from an IPA server. See "
+ "<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</"
+@@ -2972,31 +2980,31 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2530
++#: sssd.conf.5.xml:2538
+ msgid "<quote>none</quote> disallows fetching selinux settings explicitly."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2533
++#: sssd.conf.5.xml:2541
+ msgid ""
+ "Default: <quote>id_provider</quote> is used if it is set and can handle "
+ "selinux loading requests."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2539
++#: sssd.conf.5.xml:2547
+ msgid "subdomains_provider (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2542
++#: sssd.conf.5.xml:2550
+ msgid ""
+ "The provider which should handle fetching of subdomains. This value should "
+ "be always the same as id_provider.  Supported subdomain providers are:"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2548
++#: sssd.conf.5.xml:2556
+ msgid ""
+ "<quote>ipa</quote> to load a list of subdomains from an IPA server. See "
+ "<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</"
+@@ -3004,7 +3012,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2557
++#: sssd.conf.5.xml:2565
+ msgid ""
+ "<quote>ad</quote> to load a list of subdomains from an Active Directory "
+ "server. See <citerefentry> <refentrytitle>sssd-ad</refentrytitle> "
+@@ -3013,17 +3021,17 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2566
++#: sssd.conf.5.xml:2574
+ msgid "<quote>none</quote> disallows fetching subdomains explicitly."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2576
++#: sssd.conf.5.xml:2584
+ msgid "session_provider (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2579
++#: sssd.conf.5.xml:2587
+ msgid ""
+ "The provider which configures and manages user session related tasks. The "
+ "only user session task currently provided is the integration with Fleet "
+@@ -3031,43 +3039,43 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2586
++#: sssd.conf.5.xml:2594
+ msgid "<quote>ipa</quote> to allow performing user session related tasks."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2590
++#: sssd.conf.5.xml:2598
+ msgid ""
+ "<quote>none</quote> does not perform any kind of user session related tasks."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2594
++#: sssd.conf.5.xml:2602
+ msgid ""
+ "Default: <quote>id_provider</quote> is used if it is set and can perform "
+ "session related tasks."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2598
++#: sssd.conf.5.xml:2606
+ msgid ""
+ "<emphasis>NOTE:</emphasis> In order to have this feature working as expected "
+ "SSSD must be running as \"root\" and not as the unprivileged user."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2606
++#: sssd.conf.5.xml:2614
+ msgid "autofs_provider (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2609
++#: sssd.conf.5.xml:2617
+ msgid ""
+ "The autofs provider used for the domain.  Supported autofs providers are:"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2613
++#: sssd.conf.5.xml:2621
+ msgid ""
+ "<quote>ldap</quote> to load maps stored in LDAP. See <citerefentry> "
+ "<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
+@@ -3075,7 +3083,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2620
++#: sssd.conf.5.xml:2628
+ msgid ""
+ "<quote>ipa</quote> to load maps stored in an IPA server. See <citerefentry> "
+ "<refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</manvolnum> </"
+@@ -3083,7 +3091,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2628
++#: sssd.conf.5.xml:2636
+ msgid ""
+ "<quote>ad</quote> to load maps stored in an AD server. See <citerefentry> "
+ "<refentrytitle>sssd-ad</refentrytitle> <manvolnum>5</manvolnum> </"
+@@ -3091,24 +3099,24 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2637
++#: sssd.conf.5.xml:2645
+ msgid "<quote>none</quote> disables autofs explicitly."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2647
++#: sssd.conf.5.xml:2655
+ msgid "hostid_provider (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2650
++#: sssd.conf.5.xml:2658
+ msgid ""
+ "The provider used for retrieving host identity information.  Supported "
+ "hostid providers are:"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2654
++#: sssd.conf.5.xml:2662
+ msgid ""
+ "<quote>ipa</quote> to load host identity stored in an IPA server. See "
+ "<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</"
+@@ -3116,12 +3124,12 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2662
++#: sssd.conf.5.xml:2670
+ msgid "<quote>none</quote> disables hostid explicitly."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2675
++#: sssd.conf.5.xml:2683
+ msgid ""
+ "Regular expression for this domain that describes how to parse the string "
+ "containing user name and domain into these components.  The \"domain\" can "
+@@ -3131,7 +3139,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2684
++#: sssd.conf.5.xml:2692
+ msgid ""
+ "Default for the AD and IPA provider: <quote>(((?P&lt;domain&gt;[^\\\\]+)\\"
+ "\\(?P&lt;name&gt;.+$))|((?P&lt;name&gt;[^@]+)@(?P&lt;domain&gt;.+$))|(^(?"
+@@ -3140,29 +3148,29 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd.conf.5.xml:2689
++#: sssd.conf.5.xml:2697
+ msgid "username"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd.conf.5.xml:2692
++#: sssd.conf.5.xml:2700
+ msgid "username@domain.name"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd.conf.5.xml:2695
++#: sssd.conf.5.xml:2703
+ msgid "domain\\username"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2698
++#: sssd.conf.5.xml:2706
+ msgid ""
+ "While the first two correspond to the general default the third one is "
+ "introduced to allow easy integration of users from Windows domains."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2703
++#: sssd.conf.5.xml:2711
+ msgid ""
+ "Default: <quote>(?P&lt;name&gt;[^@]+)@?(?P&lt;domain&gt;[^@]*$)</quote> "
+ "which translates to \"the name is everything up to the <quote>@</quote> "
+@@ -3170,7 +3178,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2709
++#: sssd.conf.5.xml:2717
+ msgid ""
+ "NOTE: Some Active Directory groups, typically those used for MS Exchange "
+ "contain an <quote>@</quote> sign in the name, which clashes with the default "
+@@ -3180,59 +3188,59 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2760
++#: sssd.conf.5.xml:2768
+ msgid "Default: <quote>%1$s@%2$s</quote>."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2766
++#: sssd.conf.5.xml:2774
+ msgid "lookup_family_order (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2769
++#: sssd.conf.5.xml:2777
+ msgid ""
+ "Provides the ability to select preferred address family to use when "
+ "performing DNS lookups."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2773
++#: sssd.conf.5.xml:2781
+ msgid "Supported values:"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2776
++#: sssd.conf.5.xml:2784
+ msgid "ipv4_first: Try looking up IPv4 address, if that fails, try IPv6"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2779
++#: sssd.conf.5.xml:2787
+ msgid "ipv4_only: Only attempt to resolve hostnames to IPv4 addresses."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2782
++#: sssd.conf.5.xml:2790
+ msgid "ipv6_first: Try looking up IPv6 address, if that fails, try IPv4"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2785
++#: sssd.conf.5.xml:2793
+ msgid "ipv6_only: Only attempt to resolve hostnames to IPv6 addresses."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2788
++#: sssd.conf.5.xml:2796
+ msgid "Default: ipv4_first"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2794
++#: sssd.conf.5.xml:2802
+ msgid "dns_resolver_timeout (integer)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2797
++#: sssd.conf.5.xml:2805
+ msgid ""
+ "Defines the amount of time (in seconds) to wait for a reply from the "
+ "internal fail over service before assuming that the service is unreachable. "
+@@ -3241,77 +3249,77 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2804
++#: sssd.conf.5.xml:2812
+ msgid ""
+ "Please see the section <quote>FAILOVER</quote> for more information about "
+ "the service resolution."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2809 sssd-ldap.5.xml:1434 sssd-ldap.5.xml:1476
++#: sssd.conf.5.xml:2817 sssd-ldap.5.xml:1434 sssd-ldap.5.xml:1476
+ #: sssd-ldap.5.xml:1494 sssd-krb5.5.xml:248
+ msgid "Default: 6"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2815
++#: sssd.conf.5.xml:2823
+ msgid "dns_discovery_domain (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2818
++#: sssd.conf.5.xml:2826
+ msgid ""
+ "If service discovery is used in the back end, specifies the domain part of "
+ "the service discovery DNS query."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2822
++#: sssd.conf.5.xml:2830
+ msgid "Default: Use the domain part of machine's hostname"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2828
++#: sssd.conf.5.xml:2836
+ msgid "override_gid (integer)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2831
++#: sssd.conf.5.xml:2839
+ msgid "Override the primary GID value with the one specified."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2837
++#: sssd.conf.5.xml:2845
+ msgid "case_sensitive (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2845
++#: sssd.conf.5.xml:2853
+ msgid "True"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2848
++#: sssd.conf.5.xml:2856
+ msgid "Case sensitive. This value is invalid for AD provider."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2854
++#: sssd.conf.5.xml:2862
+ msgid "False"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2856
++#: sssd.conf.5.xml:2864
+ msgid "Case insensitive."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2860
++#: sssd.conf.5.xml:2868
+ msgid "Preserving"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2863
++#: sssd.conf.5.xml:2871
+ msgid ""
+ "Same as False (case insensitive), but does not lowercase names in the result "
+ "of NSS operations. Note that name aliases (and in case of services also "
+@@ -3319,7 +3327,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2840
++#: sssd.conf.5.xml:2848
+ msgid ""
+ "Treat user and group names as case sensitive. At the moment, this option is "
+ "not supported in the local provider. Possible option values are: "
+@@ -3327,17 +3335,17 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2875
++#: sssd.conf.5.xml:2883
+ msgid "Default: True (False for AD provider)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2881
++#: sssd.conf.5.xml:2889
+ msgid "subdomain_inherit (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2884
++#: sssd.conf.5.xml:2892
+ msgid ""
+ "Specifies a list of configuration parameters that should be inherited by a "
+ "subdomain. Please note that only selected parameters can be inherited.  "
+@@ -3345,34 +3353,34 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2890
++#: sssd.conf.5.xml:2898
+ msgid "ignore_group_members"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2893
++#: sssd.conf.5.xml:2901
+ msgid "ldap_purge_cache_timeout"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2896 sssd-ldap.5.xml:1158
++#: sssd.conf.5.xml:2904 sssd-ldap.5.xml:1158
+ msgid "ldap_use_tokengroups"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2899
++#: sssd.conf.5.xml:2907
+ msgid "ldap_user_principal"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2902
++#: sssd.conf.5.xml:2910
+ msgid ""
+ "ldap_krb5_keytab (the value of krb5_keytab will be used if ldap_krb5_keytab "
+ "is not set explicitly)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
+-#: sssd.conf.5.xml:2908
++#: sssd.conf.5.xml:2916
+ #, no-wrap
+ msgid ""
+ "subdomain_inherit = ldap_purge_cache_timeout\n"
+@@ -3380,32 +3388,32 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2906 sssd-secrets.5.xml:448
++#: sssd.conf.5.xml:2914 sssd-secrets.5.xml:448
+ msgid "Example: <placeholder type=\"programlisting\" id=\"0\"/>"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2915
++#: sssd.conf.5.xml:2923
+ msgid "Note: This option only works with the IPA and AD provider."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2922
++#: sssd.conf.5.xml:2930
+ msgid "subdomain_homedir (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2933
++#: sssd.conf.5.xml:2941
+ msgid "%F"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2934
++#: sssd.conf.5.xml:2942
+ msgid "flat (NetBIOS) name of a subdomain."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2925
++#: sssd.conf.5.xml:2933
+ msgid ""
+ "Use this homedir as default value for all subdomains within this domain in "
+ "IPA AD trust.  See <emphasis>override_homedir</emphasis> for info about "
+@@ -3415,47 +3423,55 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2939
++#: sssd.conf.5.xml:2947
+ msgid ""
+ "The value can be overridden by <emphasis>override_homedir</emphasis> option."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2943
++#: sssd.conf.5.xml:2951
+ msgid "Default: <filename>/home/%d/%u</filename>"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2948
++#: sssd.conf.5.xml:2956
+ msgid "realmd_tags (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2951
++#: sssd.conf.5.xml:2959
+ msgid ""
+ "Various tags stored by the realmd configuration service for this domain."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2957
++#: sssd.conf.5.xml:2965
+ msgid "cached_auth_timeout (int)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2960
++#: sssd.conf.5.xml:2968
+ msgid ""
+ "Specifies time in seconds since last successful online authentication for "
+ "which user will be authenticated using cached credentials while SSSD is in "
+-"the online mode."
++"the online mode. If the credentials are incorrect, SSSD falls back to online "
++"authentication."
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
++#: sssd.conf.5.xml:2976
++msgid ""
++"This option's value is inherited by all trusted domains. At the moment it is "
++"not possible to set a different value per trusted domain."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2966
++#: sssd.conf.5.xml:2981
+ msgid "Special value 0 implies that this feature is disabled."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2970
++#: sssd.conf.5.xml:2985
+ msgid ""
+ "Please note that if <quote>cached_auth_timeout</quote> is longer than "
+ "<quote>pam_id_timeout</quote> then the back end could be called to handle "
+@@ -3463,41 +3479,50 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2981
++#: sssd.conf.5.xml:2996
+ msgid "auto_private_groups (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2987
++#: sssd.conf.5.xml:3002
+ msgid "true"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2990
++#: sssd.conf.5.xml:3005
+ msgid ""
+ "Create user's private group unconditionally from user's UID number.  The GID "
+ "number is ignored in this case."
+ msgstr ""
+ 
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
++#: sssd.conf.5.xml:3009
++msgid ""
++"NOTE: Because the GID number and the user private group are inferred from "
++"the UID number, it is not supported to have multiple entries with the same "
++"UID or GID number with this option. In other words, enabling this option "
++"enforces uniqueness across the ID space."
++msgstr ""
++
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2996
++#: sssd.conf.5.xml:3018
+ msgid "false"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2999
++#: sssd.conf.5.xml:3021
+ msgid ""
+ "Always use the user's primary GID number. The GID number must refer to a "
+ "group object in the LDAP database."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:3005
++#: sssd.conf.5.xml:3027
+ msgid "hybrid"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3008
++#: sssd.conf.5.xml:3030
+ msgid ""
+ "A primary group is autogenerated for user entries whose UID and GID numbers "
+ "have the same value and at the same time the GID number does not correspond "
+@@ -3507,14 +3532,14 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3021
++#: sssd.conf.5.xml:3043
+ msgid ""
+ "If the UID and GID of a user are different, then the GID must correspond to "
+ "a group entry, otherwise the GID is simply not resolvable."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3028
++#: sssd.conf.5.xml:3050
+ msgid ""
+ "This feature is useful for environments that wish to stop maintaining a "
+ "separate group objects for the user private groups, but also wish to retain "
+@@ -3522,34 +3547,43 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2984
++#: sssd.conf.5.xml:2999
+ msgid ""
+ "This option takes any of three available values: <placeholder type="
+ "\"variablelist\" id=\"0\"/>"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3040
++#: sssd.conf.5.xml:3062
+ msgid ""
+-"For POSIX subdomains, setting the option in the main domain is inherited in "
+-"the subdomain."
++"For subdomains, the default value is False for subdomains that use assigned "
++"POSIX IDs and True for subdomains that use automatic ID-mapping."
+ msgstr ""
+ 
+-#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3044
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
++#: sssd.conf.5.xml:3070
++#, no-wrap
++msgid ""
++"[domain/forest.domain/sub.domain]\n"
++"auto_private_groups = false\n"
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
++#: sssd.conf.5.xml:3076
++#, no-wrap
+ msgid ""
+-"For ID-mapping subdomains, auto_private_groups is already enabled for the "
+-"subdomains and setting it to false will not have any effect for the "
+-"subdomain."
++"[domain/forest.domain]\n"
++"subdomain_inherit = auto_private_groups\n"
++"auto_private_groups = false\n"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3049
++#: sssd.conf.5.xml:3067
+ msgid ""
+-"NOTE: Because the GID number and the user private group are inferred from "
+-"the UID number, it is not supported to have multiple entries with the same "
+-"UID or GID number with this option. In other words, enabling this option "
+-"enforces uniqueness across the ID space."
++"The value of auto_private_groups can either be set per subdomains in a "
++"subsection, for example: <placeholder type=\"programlisting\" id=\"0\"/> or "
++"globally for all subdomains in the main domain section using the "
++"subdomain_inherit option: <placeholder type=\"programlisting\" id=\"1\"/>"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+@@ -3561,29 +3595,29 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:3068
++#: sssd.conf.5.xml:3091
+ msgid "proxy_pam_target (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3071
++#: sssd.conf.5.xml:3094
+ msgid "The proxy target PAM proxies to."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3074
++#: sssd.conf.5.xml:3097
+ msgid ""
+ "Default: not set by default, you have to take an existing pam configuration "
+ "or create a new one and add the service name here."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:3082
++#: sssd.conf.5.xml:3105
+ msgid "proxy_lib_name (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3085
++#: sssd.conf.5.xml:3108
+ msgid ""
+ "The name of the NSS library to use in proxy domains. The NSS functions "
+ "searched for in the library are in the form of _nss_$(libName)_$(function), "
+@@ -3591,12 +3625,12 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:3095
++#: sssd.conf.5.xml:3118
+ msgid "proxy_fast_alias (boolean)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3098
++#: sssd.conf.5.xml:3121
+ msgid ""
+ "When a user or group is looked up by name in the proxy provider, a second "
+ "lookup by ID is performed to \"canonicalize\" the name in case the requested "
+@@ -3605,12 +3639,12 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:3112
++#: sssd.conf.5.xml:3135
+ msgid "proxy_max_children (integer)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3115
++#: sssd.conf.5.xml:3138
+ msgid ""
+ "This option specifies the number of pre-forked proxy children. It is useful "
+ "for high-load SSSD environments where sssd may run out of available child "
+@@ -3618,19 +3652,19 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd.conf.5.xml:3064
++#: sssd.conf.5.xml:3087
+ msgid ""
+ "Options valid for proxy domains.  <placeholder type=\"variablelist\" id="
+ "\"0\"/>"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><title>
+-#: sssd.conf.5.xml:3131
++#: sssd.conf.5.xml:3154
+ msgid "Application domains"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para>
+-#: sssd.conf.5.xml:3133
++#: sssd.conf.5.xml:3156
+ msgid ""
+ "SSSD, with its D-Bus interface (see <citerefentry> <refentrytitle>sssd-ifp</"
+ "refentrytitle> <manvolnum>5</manvolnum> </citerefentry>) is appealing to "
+@@ -3647,7 +3681,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para>
+-#: sssd.conf.5.xml:3153
++#: sssd.conf.5.xml:3176
+ msgid ""
+ "Please note that the application domain must still be explicitly enabled in "
+ "the <quote>domains</quote> parameter so that the lookup order between the "
+@@ -3655,17 +3689,17 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><title>
+-#: sssd.conf.5.xml:3159
++#: sssd.conf.5.xml:3182
+ msgid "Application domain parameters"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:3161
++#: sssd.conf.5.xml:3184
+ msgid "inherit_from (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3164
++#: sssd.conf.5.xml:3187
+ msgid ""
+ "The SSSD POSIX-type domain the application domain inherits all settings "
+ "from. The application domain can moreover add its own settings to the "
+@@ -3674,7 +3708,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para>
+-#: sssd.conf.5.xml:3178
++#: sssd.conf.5.xml:3201
+ msgid ""
+ "The following example illustrates the use of an application domain. In this "
+ "setup, the POSIX domain is connected to an LDAP server and is used by the OS "
+@@ -3684,7 +3718,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><programlisting>
+-#: sssd.conf.5.xml:3186
++#: sssd.conf.5.xml:3209
+ #, no-wrap
+ msgid ""
+ "[sssd]\n"
+@@ -3704,12 +3738,12 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><title>
+-#: sssd.conf.5.xml:3204
++#: sssd.conf.5.xml:3227
+ msgid "The local domain section"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para>
+-#: sssd.conf.5.xml:3206
++#: sssd.conf.5.xml:3229
+ msgid ""
+ "This section contains settings for domain that stores users and groups in "
+ "SSSD native database, that is, a domain that uses "
+@@ -3717,73 +3751,73 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:3213
++#: sssd.conf.5.xml:3236
+ msgid "default_shell (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3216
++#: sssd.conf.5.xml:3239
+ msgid "The default shell for users created with SSSD userspace tools."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3220
++#: sssd.conf.5.xml:3243
+ msgid "Default: <filename>/bin/bash</filename>"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:3225
++#: sssd.conf.5.xml:3248
+ msgid "base_directory (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3228
++#: sssd.conf.5.xml:3251
+ msgid ""
+ "The tools append the login name to <replaceable>base_directory</replaceable> "
+ "and use that as the home directory."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3233
++#: sssd.conf.5.xml:3256
+ msgid "Default: <filename>/home</filename>"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:3238
++#: sssd.conf.5.xml:3261
+ msgid "create_homedir (bool)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3241
++#: sssd.conf.5.xml:3264
+ msgid ""
+ "Indicate if a home directory should be created by default for new users.  "
+ "Can be overridden on command line."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3245 sssd.conf.5.xml:3257
++#: sssd.conf.5.xml:3268 sssd.conf.5.xml:3280
+ msgid "Default: TRUE"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:3250
++#: sssd.conf.5.xml:3273
+ msgid "remove_homedir (bool)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3253
++#: sssd.conf.5.xml:3276
+ msgid ""
+ "Indicate if a home directory should be removed by default for deleted "
+ "users.  Can be overridden on command line."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:3262
++#: sssd.conf.5.xml:3285
+ msgid "homedir_umask (integer)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3265
++#: sssd.conf.5.xml:3288
+ msgid ""
+ "Used by <citerefentry> <refentrytitle>sss_useradd</refentrytitle> "
+ "<manvolnum>8</manvolnum> </citerefentry> to specify the default permissions "
+@@ -3791,17 +3825,17 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3273
++#: sssd.conf.5.xml:3296
+ msgid "Default: 077"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:3278
++#: sssd.conf.5.xml:3301
+ msgid "skel_dir (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3281
++#: sssd.conf.5.xml:3304
+ msgid ""
+ "The skeleton directory, which contains files and directories to be copied in "
+ "the user's home directory, when the home directory is created by "
+@@ -3810,17 +3844,17 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3291
++#: sssd.conf.5.xml:3314
+ msgid "Default: <filename>/etc/skel</filename>"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:3296
++#: sssd.conf.5.xml:3319
+ msgid "mail_dir (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3299
++#: sssd.conf.5.xml:3322
+ msgid ""
+ "The mail spool directory. This is needed to manipulate the mailbox when its "
+ "corresponding user account is modified or deleted.  If not specified, a "
+@@ -3828,17 +3862,17 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3306
++#: sssd.conf.5.xml:3329
+ msgid "Default: <filename>/var/mail</filename>"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:3311
++#: sssd.conf.5.xml:3334
+ msgid "userdel_cmd (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3314
++#: sssd.conf.5.xml:3337
+ msgid ""
+ "The command that is run after a user is removed.  The command us passed the "
+ "username of the user being removed as the first and only parameter. The "
+@@ -3846,17 +3880,17 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3320
++#: sssd.conf.5.xml:3343
+ msgid "Default: None, no command is run"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><title>
+-#: sssd.conf.5.xml:3330
++#: sssd.conf.5.xml:3353
+ msgid "TRUSTED DOMAIN SECTION"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd.conf.5.xml:3332
++#: sssd.conf.5.xml:3355
+ msgid ""
+ "Some options used in the domain section can also be used in the trusted "
+ "domain section, that is, in a section called <quote>[domain/"
+@@ -3867,64 +3901,176 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd.conf.5.xml:3339
++#: sssd.conf.5.xml:3362
+ msgid "ldap_search_base,"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd.conf.5.xml:3340
++#: sssd.conf.5.xml:3363
+ msgid "ldap_user_search_base,"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd.conf.5.xml:3341
++#: sssd.conf.5.xml:3364
+ msgid "ldap_group_search_base,"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd.conf.5.xml:3342
++#: sssd.conf.5.xml:3365
+ msgid "ldap_netgroup_search_base,"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd.conf.5.xml:3343
++#: sssd.conf.5.xml:3366
+ msgid "ldap_service_search_base,"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd.conf.5.xml:3344
++#: sssd.conf.5.xml:3367
++msgid "ldap_sasl_mech,"
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para>
++#: sssd.conf.5.xml:3368
+ msgid "ad_server,"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd.conf.5.xml:3345
++#: sssd.conf.5.xml:3369
+ msgid "ad_backup_server,"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd.conf.5.xml:3346
++#: sssd.conf.5.xml:3370
+ msgid "ad_site,"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para>
+-#: sssd.conf.5.xml:3347 sssd-ipa.5.xml:782
++#: sssd.conf.5.xml:3371 sssd-ipa.5.xml:782
+ msgid "use_fully_qualified_names"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd.conf.5.xml:3349
++#: sssd.conf.5.xml:3373
+ msgid ""
+ "For more details about these options see their individual description in the "
+ "manual page."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><title>
+-#: sssd.conf.5.xml:3355 idmap_sss.8.xml:43
++#: sssd.conf.5.xml:3379
++msgid "PROMPTING CONFIGURATION SECTION"
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para>
++#: sssd.conf.5.xml:3381
++msgid ""
++"If a special file (<filename>/var/lib/sss/pubconf/pam_preauth_available</"
++"filename>)  exists SSSD's PAM module pam_sss will ask SSSD to figure out "
++"which authentication methods are available for the user trying to log in.  "
++"Based on the results pam_sss will prompt the user for appropriate "
++"credentials."
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para>
++#: sssd.conf.5.xml:3389
++msgid ""
++"With the growing number of authentication methods and the possibility that "
++"there are multiple ones for a single user the heuristic used by pam_sss to "
++"select the prompting might not be suitable for all use cases. To following "
++"options should provide a better flexibility here."
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
++#: sssd.conf.5.xml:3401
++msgid "[prompting/password]"
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
++#: sssd.conf.5.xml:3404
++msgid "password_prompt"
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
++#: sssd.conf.5.xml:3405
++msgid "to change the string of the password prompt"
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
++#: sssd.conf.5.xml:3403
++msgid ""
++"to configure password prompting, allowed options are: <placeholder type="
++"\"variablelist\" id=\"0\"/>"
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
++#: sssd.conf.5.xml:3413
++msgid "[prompting/2fa]"
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
++#: sssd.conf.5.xml:3417
++msgid "first_prompt"
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
++#: sssd.conf.5.xml:3418
++msgid "to change the string of the prompt for the first factor"
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
++#: sssd.conf.5.xml:3421
++msgid "second_prompt"
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
++#: sssd.conf.5.xml:3422
++msgid "to change the string of the prompt for the second factor"
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
++#: sssd.conf.5.xml:3425
++msgid "single_prompt"
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
++#: sssd.conf.5.xml:3426
++msgid ""
++"boolean value, if True there will be only a single prompt using the value of "
++"first_prompt where it is expected that both factor are entered as a single "
++"string"
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
++#: sssd.conf.5.xml:3415
++msgid ""
++"to configure two-factor authentication prompting, allowed options are: "
++"<placeholder type=\"variablelist\" id=\"0\"/>"
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para>
++#: sssd.conf.5.xml:3396
++msgid ""
++"Each supported authentication method has it's own configuration sub-section "
++"under <quote>[prompting/...]</quote>. Currently there are: <placeholder type="
++"\"variablelist\" id=\"0\"/> <placeholder type=\"variablelist\" id=\"1\"/>"
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para>
++#: sssd.conf.5.xml:3438
++msgid ""
++"It is possible to add a sub-section for specific PAM services like e.g. "
++"<quote>[prompting/password/sshd]</quote> to individual change the prompting "
++"for this service."
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><title>
++#: sssd.conf.5.xml:3445 idmap_sss.8.xml:43
+ msgid "EXAMPLES"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><programlisting>
+-#: sssd.conf.5.xml:3361
++#: sssd.conf.5.xml:3451
+ #, no-wrap
+ msgid ""
+ "[sssd]\n"
+@@ -3954,7 +4100,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd.conf.5.xml:3357
++#: sssd.conf.5.xml:3447
+ msgid ""
+ "1. The following example shows a typical SSSD config. It does not describe "
+ "configuration of the domains themselves - refer to documentation on "
+@@ -3963,7 +4109,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><programlisting>
+-#: sssd.conf.5.xml:3394
++#: sssd.conf.5.xml:3484
+ #, no-wrap
+ msgid ""
+ "[domain/ipa.com/child.ad.com]\n"
+@@ -3971,7 +4117,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd.conf.5.xml:3388
++#: sssd.conf.5.xml:3478
+ msgid ""
+ "2. The following example shows configuration of IPA AD trust where the AD "
+ "forest consists of two domains in a parent-child structure.  Suppose IPA "
+@@ -4870,7 +5016,7 @@ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:797 sssd-ldap.5.xml:1199 sssd-ldap.5.xml:1273
+-#: sssd-ldap.5.xml:1382 sssd-ldap.5.xml:2443 sssd-ipa.5.xml:607
++#: sssd-ldap.5.xml:1382 sssd-ldap.5.xml:2463 sssd-ipa.5.xml:607
+ msgid "Default: cn"
+ msgstr ""
+ 
+@@ -5575,7 +5721,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1511 sssd-ldap.5.xml:2600
++#: sssd-ldap.5.xml:1511 sssd-ldap.5.xml:2620
+ msgid "Default: 900 (15 minutes)"
+ msgstr ""
+ 
+@@ -5678,11 +5824,16 @@ msgstr ""
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:1604
+ msgid ""
+-"You can turn off dereference lookups completely by setting the value to 0."
++"You can turn off dereference lookups completely by setting the value to 0. "
++"Please note that there are some codepaths in SSSD, like the IPA HBAC "
++"provider, that are only implemented using the dereference call, so even with "
++"dereference explicitly disabled, those parts will still use dereference if "
++"the server supports it and advertises the dereference control in the rootDSE "
++"object."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1608
++#: sssd-ldap.5.xml:1615
+ msgid ""
+ "A dereference lookup is a means of fetching all group members in a single "
+ "LDAP call.  Different LDAP servers may implement different dereference "
+@@ -5691,7 +5842,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1616
++#: sssd-ldap.5.xml:1623
+ msgid ""
+ "<emphasis>Note:</emphasis> If any of the search bases specifies a search "
+ "filter, then the dereference lookup performance enhancement will be disabled "
+@@ -5699,26 +5850,26 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1629
++#: sssd-ldap.5.xml:1636
+ msgid "ldap_tls_reqcert (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1632
++#: sssd-ldap.5.xml:1639
+ msgid ""
+ "Specifies what checks to perform on server certificates in a TLS session, if "
+ "any. It can be specified as one of the following values:"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1638
++#: sssd-ldap.5.xml:1645
+ msgid ""
+ "<emphasis>never</emphasis> = The client will not request or check any server "
+ "certificate."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1642
++#: sssd-ldap.5.xml:1649
+ msgid ""
+ "<emphasis>allow</emphasis> = The server certificate is requested. If no "
+ "certificate is provided, the session proceeds normally. If a bad certificate "
+@@ -5726,7 +5877,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1649
++#: sssd-ldap.5.xml:1656
+ msgid ""
+ "<emphasis>try</emphasis> = The server certificate is requested. If no "
+ "certificate is provided, the session proceeds normally. If a bad certificate "
+@@ -5734,7 +5885,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1655
++#: sssd-ldap.5.xml:1662
+ msgid ""
+ "<emphasis>demand</emphasis> = The server certificate is requested. If no "
+ "certificate is provided, or a bad certificate is provided, the session is "
+@@ -5742,41 +5893,41 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1661
++#: sssd-ldap.5.xml:1668
+ msgid "<emphasis>hard</emphasis> = Same as <quote>demand</quote>"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1665
++#: sssd-ldap.5.xml:1672
+ msgid "Default: hard"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1671
++#: sssd-ldap.5.xml:1678
+ msgid "ldap_tls_cacert (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1674
++#: sssd-ldap.5.xml:1681
+ msgid ""
+ "Specifies the file that contains certificates for all of the Certificate "
+ "Authorities that <command>sssd</command> will recognize."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1679 sssd-ldap.5.xml:1697 sssd-ldap.5.xml:1738
++#: sssd-ldap.5.xml:1686 sssd-ldap.5.xml:1704 sssd-ldap.5.xml:1745
+ msgid ""
+ "Default: use OpenLDAP defaults, typically in <filename>/etc/openldap/ldap."
+ "conf</filename>"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1686
++#: sssd-ldap.5.xml:1693
+ msgid "ldap_tls_cacertdir (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1689
++#: sssd-ldap.5.xml:1696
+ msgid ""
+ "Specifies the path of a directory that contains Certificate Authority "
+ "certificates in separate individual files. Typically the file names need to "
+@@ -5785,32 +5936,32 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1704
++#: sssd-ldap.5.xml:1711
+ msgid "ldap_tls_cert (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1707
++#: sssd-ldap.5.xml:1714
+ msgid "Specifies the file that contains the certificate for the client's key."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1717
++#: sssd-ldap.5.xml:1724
+ msgid "ldap_tls_key (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1720
++#: sssd-ldap.5.xml:1727
+ msgid "Specifies the file that contains the client's key."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1729
++#: sssd-ldap.5.xml:1736
+ msgid "ldap_tls_cipher_suite (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1732
++#: sssd-ldap.5.xml:1739
+ msgid ""
+ "Specifies acceptable cipher suites.  Typically this is a colon separated "
+ "list.  See <citerefentry><refentrytitle>ldap.conf</refentrytitle> "
+@@ -5818,24 +5969,24 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1745
++#: sssd-ldap.5.xml:1752
+ msgid "ldap_id_use_start_tls (boolean)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1748
++#: sssd-ldap.5.xml:1755
+ msgid ""
+ "Specifies that the id_provider connection must also use <systemitem class="
+ "\"protocol\">tls</systemitem> to protect the channel."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1758
++#: sssd-ldap.5.xml:1765
+ msgid "ldap_id_mapping (boolean)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1761
++#: sssd-ldap.5.xml:1768
+ msgid ""
+ "Specifies that SSSD should attempt to map user and group IDs from the "
+ "ldap_user_objectsid and ldap_group_objectsid attributes instead of relying "
+@@ -5843,17 +5994,17 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1767
++#: sssd-ldap.5.xml:1774
+ msgid "Currently this feature supports only ActiveDirectory objectSID mapping."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1777
++#: sssd-ldap.5.xml:1784
+ msgid "ldap_min_id, ldap_max_id (integer)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1780
++#: sssd-ldap.5.xml:1787
+ msgid ""
+ "In contrast to the SID based ID mapping which is used if ldap_id_mapping is "
+ "set to true the allowed ID range for ldap_user_uid_number and "
+@@ -5864,29 +6015,40 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1792
++#: sssd-ldap.5.xml:1799
+ msgid "Default: not set (both options are set to 0)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1798
++#: sssd-ldap.5.xml:1805
+ msgid "ldap_sasl_mech (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1801
++#: sssd-ldap.5.xml:1808
++msgid ""
++"Specify the SASL mechanism to use.  Currently only GSSAPI and GSS-SPNEGO are "
++"tested and supported."
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
++#: sssd-ldap.5.xml:1812
+ msgid ""
+-"Specify the SASL mechanism to use.  Currently only GSSAPI is tested and "
+-"supported."
++"If the backend supports sub-domains the value of ldap_sasl_mech is "
++"automatically inherited to the sub-domains. If a different value is needed "
++"for a sub-domain it can be overwritten by setting ldap_sasl_mech for this "
++"sub-domain explicitly.  Please see TRUSTED DOMAIN SECTION in "
++"<citerefentry><refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</"
++"manvolnum></citerefentry> for details."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1811
++#: sssd-ldap.5.xml:1828
+ msgid "ldap_sasl_authid (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
+-#: sssd-ldap.5.xml:1822
++#: sssd-ldap.5.xml:1840
+ #, no-wrap
+ msgid ""
+ "hostname@REALM\n"
+@@ -5899,29 +6061,29 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1814
++#: sssd-ldap.5.xml:1831
+ msgid ""
+-"Specify the SASL authorization id to use.  When GSSAPI is used, this "
+-"represents the Kerberos principal used for authentication to the directory.  "
+-"This option can either contain the full principal (for example host/"
+-"myhost@EXAMPLE.COM) or just the principal name (for example host/myhost). By "
+-"default, the value is not set and the following principals are used: "
+-"<placeholder type=\"programlisting\" id=\"0\"/> If none of them are found, "
+-"the first principal in keytab is returned."
++"Specify the SASL authorization id to use.  When GSSAPI/GSS-SPNEGO are used, "
++"this represents the Kerberos principal used for authentication to the "
++"directory.  This option can either contain the full principal (for example "
++"host/myhost@EXAMPLE.COM) or just the principal name (for example host/"
++"myhost).  By default, the value is not set and the following principals are "
++"used: <placeholder type=\"programlisting\" id=\"0\"/> If none of them are "
++"found, the first principal in keytab is returned."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1833
++#: sssd-ldap.5.xml:1851
+ msgid "Default: host/hostname@REALM"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1839
++#: sssd-ldap.5.xml:1857
+ msgid "ldap_sasl_realm (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1842
++#: sssd-ldap.5.xml:1860
+ msgid ""
+ "Specify the SASL realm to use. When not specified, this option defaults to "
+ "the value of krb5_realm.  If the ldap_sasl_authid contains the realm as "
+@@ -5929,77 +6091,78 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1848
++#: sssd-ldap.5.xml:1866
+ msgid "Default: the value of krb5_realm."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1854
++#: sssd-ldap.5.xml:1872
+ msgid "ldap_sasl_canonicalize (boolean)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1857
++#: sssd-ldap.5.xml:1875
+ msgid ""
+ "If set to true, the LDAP library would perform a reverse lookup to "
+ "canonicalize the host name during a SASL bind."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1862
++#: sssd-ldap.5.xml:1880
+ msgid "Default: false;"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1868
++#: sssd-ldap.5.xml:1886
+ msgid "ldap_krb5_keytab (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1871
+-msgid "Specify the keytab to use when using SASL/GSSAPI."
++#: sssd-ldap.5.xml:1889
++msgid "Specify the keytab to use when using SASL/GSSAPI/GSS-SPNEGO."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1874
++#: sssd-ldap.5.xml:1893
+ msgid "Default: System keytab, normally <filename>/etc/krb5.keytab</filename>"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1880
++#: sssd-ldap.5.xml:1899
+ msgid "ldap_krb5_init_creds (boolean)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1883
++#: sssd-ldap.5.xml:1902
+ msgid ""
+ "Specifies that the id_provider should init Kerberos credentials (TGT).  This "
+ "action is performed only if SASL is used and the mechanism selected is "
+-"GSSAPI."
++"GSSAPI or GSS-SPNEGO."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1895
++#: sssd-ldap.5.xml:1914
+ msgid "ldap_krb5_ticket_lifetime (integer)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1898
+-msgid "Specifies the lifetime in seconds of the TGT if GSSAPI is used."
++#: sssd-ldap.5.xml:1917
++msgid ""
++"Specifies the lifetime in seconds of the TGT if GSSAPI or GSS-SPNEGO is used."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1902 sssd-ad.5.xml:959
++#: sssd-ldap.5.xml:1921 sssd-ad.5.xml:978
+ msgid "Default: 86400 (24 hours)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1908 sssd-krb5.5.xml:74
++#: sssd-ldap.5.xml:1927 sssd-krb5.5.xml:74
+ msgid "krb5_server, krb5_backup_server (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1911
++#: sssd-ldap.5.xml:1930
+ msgid ""
+ "Specifies the comma-separated list of IP addresses or hostnames of the "
+ "Kerberos servers to which SSSD should connect in the order of preference. "
+@@ -6011,7 +6174,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1923 sssd-krb5.5.xml:89
++#: sssd-ldap.5.xml:1942 sssd-krb5.5.xml:89
+ msgid ""
+ "When using service discovery for KDC or kpasswd servers, SSSD first searches "
+ "for DNS entries that specify _udp as the protocol and falls back to _tcp if "
+@@ -6019,7 +6182,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1928 sssd-krb5.5.xml:94
++#: sssd-ldap.5.xml:1947 sssd-krb5.5.xml:94
+ msgid ""
+ "This option was named <quote>krb5_kdcip</quote> in earlier releases of SSSD. "
+ "While the legacy name is recognized for the time being, users are advised to "
+@@ -6027,39 +6190,39 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1937 sssd-ipa.5.xml:428 sssd-krb5.5.xml:103
++#: sssd-ldap.5.xml:1956 sssd-ipa.5.xml:428 sssd-krb5.5.xml:103
+ msgid "krb5_realm (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1940
+-msgid "Specify the Kerberos REALM (for SASL/GSSAPI auth)."
++#: sssd-ldap.5.xml:1959
++msgid "Specify the Kerberos REALM (for SASL/GSSAPI/GSS-SPNEGO auth)."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1943
++#: sssd-ldap.5.xml:1963
+ msgid "Default: System defaults, see <filename>/etc/krb5.conf</filename>"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1949 sssd-krb5.5.xml:462
++#: sssd-ldap.5.xml:1969 sssd-krb5.5.xml:462
+ msgid "krb5_canonicalize (boolean)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1952
++#: sssd-ldap.5.xml:1972
+ msgid ""
+ "Specifies if the host principal should be canonicalized when connecting to "
+ "LDAP server. This feature is available with MIT Kerberos >= 1.7"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1964 sssd-krb5.5.xml:477
++#: sssd-ldap.5.xml:1984 sssd-krb5.5.xml:477
+ msgid "krb5_use_kdcinfo (boolean)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1967 sssd-krb5.5.xml:480
++#: sssd-ldap.5.xml:1987 sssd-krb5.5.xml:480
+ msgid ""
+ "Specifies if the SSSD should instruct the Kerberos libraries what realm and "
+ "which KDCs to use. This option is on by default, if you disable it, you need "
+@@ -6069,7 +6232,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1978 sssd-krb5.5.xml:491
++#: sssd-ldap.5.xml:1998 sssd-krb5.5.xml:491
+ msgid ""
+ "See the <citerefentry> <refentrytitle>sssd_krb5_locator_plugin</"
+ "refentrytitle> <manvolnum>8</manvolnum> </citerefentry> manual page for more "
+@@ -6077,26 +6240,26 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1992
++#: sssd-ldap.5.xml:2012
+ msgid "ldap_pwd_policy (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1995
++#: sssd-ldap.5.xml:2015
+ msgid ""
+ "Select the policy to evaluate the password expiration on the client side. "
+ "The following values are allowed:"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2000
++#: sssd-ldap.5.xml:2020
+ msgid ""
+ "<emphasis>none</emphasis> - No evaluation on the client side. This option "
+ "cannot disable server-side password policies."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2005
++#: sssd-ldap.5.xml:2025
+ msgid ""
+ "<emphasis>shadow</emphasis> - Use <citerefentry><refentrytitle>shadow</"
+ "refentrytitle> <manvolnum>5</manvolnum></citerefentry> style attributes to "
+@@ -6104,7 +6267,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2011
++#: sssd-ldap.5.xml:2031
+ msgid ""
+ "<emphasis>mit_kerberos</emphasis> - Use the attributes used by MIT Kerberos "
+ "to determine if the password has expired. Use chpass_provider=krb5 to update "
+@@ -6112,31 +6275,31 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2020
++#: sssd-ldap.5.xml:2040
+ msgid ""
+ "<emphasis>Note</emphasis>: if a password policy is configured on server "
+ "side, it always takes precedence over policy set with this option."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2028
++#: sssd-ldap.5.xml:2048
+ msgid "ldap_referrals (boolean)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2031
++#: sssd-ldap.5.xml:2051
+ msgid "Specifies whether automatic referral chasing should be enabled."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2035
++#: sssd-ldap.5.xml:2055
+ msgid ""
+ "Please note that sssd only supports referral chasing when it is compiled "
+ "with OpenLDAP version 2.4.13 or higher."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2040
++#: sssd-ldap.5.xml:2060
+ msgid ""
+ "Chasing referrals may incur a performance penalty in environments that use "
+ "them heavily, a notable example is Microsoft Active Directory. If your setup "
+@@ -6145,56 +6308,56 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2054
++#: sssd-ldap.5.xml:2074
+ msgid "ldap_dns_service_name (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2057
++#: sssd-ldap.5.xml:2077
+ msgid "Specifies the service name to use when service discovery is enabled."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2061
++#: sssd-ldap.5.xml:2081
+ msgid "Default: ldap"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2067
++#: sssd-ldap.5.xml:2087
+ msgid "ldap_chpass_dns_service_name (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2070
++#: sssd-ldap.5.xml:2090
+ msgid ""
+ "Specifies the service name to use to find an LDAP server which allows "
+ "password changes when service discovery is enabled."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2075
++#: sssd-ldap.5.xml:2095
+ msgid "Default: not set, i.e. service discovery is disabled"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2081
++#: sssd-ldap.5.xml:2101
+ msgid "ldap_chpass_update_last_change (bool)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2084
++#: sssd-ldap.5.xml:2104
+ msgid ""
+ "Specifies whether to update the ldap_user_shadow_last_change attribute with "
+ "days since the Epoch after a password change operation."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2096
++#: sssd-ldap.5.xml:2116
+ msgid "ldap_access_filter (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2099
++#: sssd-ldap.5.xml:2119
+ msgid ""
+ "If using access_provider = ldap and ldap_access_order = filter (default), "
+ "this option is mandatory. It specifies an LDAP search filter criteria that "
+@@ -6210,12 +6373,12 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2119
++#: sssd-ldap.5.xml:2139
+ msgid "Example:"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><programlisting>
+-#: sssd-ldap.5.xml:2122
++#: sssd-ldap.5.xml:2142
+ #, no-wrap
+ msgid ""
+ "access_provider = ldap\n"
+@@ -6224,14 +6387,14 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2126
++#: sssd-ldap.5.xml:2146
+ msgid ""
+ "This example means that access to this host is restricted to users whose "
+ "employeeType attribute is set to \"admin\"."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2131
++#: sssd-ldap.5.xml:2151
+ msgid ""
+ "Offline caching for this feature is limited to determining whether the "
+ "user's last online login was granted access permission. If they were granted "
+@@ -6240,24 +6403,24 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2139 sssd-ldap.5.xml:2196
++#: sssd-ldap.5.xml:2159 sssd-ldap.5.xml:2216
+ msgid "Default: Empty"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2145
++#: sssd-ldap.5.xml:2165
+ msgid "ldap_account_expire_policy (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2148
++#: sssd-ldap.5.xml:2168
+ msgid ""
+ "With this option a client side evaluation of access control attributes can "
+ "be enabled."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2152
++#: sssd-ldap.5.xml:2172
+ msgid ""
+ "Please note that it is always recommended to use server side access control, "
+ "i.e. the LDAP server should deny the bind request with a suitable error code "
+@@ -6265,19 +6428,19 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2159
++#: sssd-ldap.5.xml:2179
+ msgid "The following values are allowed:"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2162
++#: sssd-ldap.5.xml:2182
+ msgid ""
+ "<emphasis>shadow</emphasis>: use the value of ldap_user_shadow_expire to "
+ "determine if the account is expired."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2167
++#: sssd-ldap.5.xml:2187
+ msgid ""
+ "<emphasis>ad</emphasis>: use the value of the 32bit field "
+ "ldap_user_ad_user_account_control and allow access if the second bit is not "
+@@ -6286,7 +6449,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2174
++#: sssd-ldap.5.xml:2194
+ msgid ""
+ "<emphasis>rhds</emphasis>, <emphasis>ipa</emphasis>, <emphasis>389ds</"
+ "emphasis>: use the value of ldap_ns_account_lock to check if access is "
+@@ -6294,7 +6457,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2180
++#: sssd-ldap.5.xml:2200
+ msgid ""
+ "<emphasis>nds</emphasis>: the values of "
+ "ldap_user_nds_login_allowed_time_map, ldap_user_nds_login_disabled and "
+@@ -6303,7 +6466,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2189
++#: sssd-ldap.5.xml:2209
+ msgid ""
+ "Please note that the ldap_access_order configuration option <emphasis>must</"
+ "emphasis> include <quote>expire</quote> in order for the "
+@@ -6311,22 +6474,22 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2202
++#: sssd-ldap.5.xml:2222
+ msgid "ldap_access_order (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2205
++#: sssd-ldap.5.xml:2225
+ msgid "Comma separated list of access control options.  Allowed values are:"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2209
++#: sssd-ldap.5.xml:2229
+ msgid "<emphasis>filter</emphasis>: use ldap_access_filter"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2212
++#: sssd-ldap.5.xml:2232
+ msgid ""
+ "<emphasis>lockout</emphasis>: use account locking.  If set, this option "
+ "denies access in case that ldap attribute 'pwdAccountLockedTime' is present "
+@@ -6336,14 +6499,14 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2222
++#: sssd-ldap.5.xml:2242
+ msgid ""
+ "<emphasis> Please note that this option is superseded by the <quote>ppolicy</"
+ "quote> option and might be removed in a future release.  </emphasis>"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2229
++#: sssd-ldap.5.xml:2249
+ msgid ""
+ "<emphasis>ppolicy</emphasis>: use account locking.  If set, this option "
+ "denies access in case that ldap attribute 'pwdAccountLockedTime' is present "
+@@ -6356,12 +6519,12 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2246
++#: sssd-ldap.5.xml:2266
+ msgid "<emphasis>expire</emphasis>: use ldap_account_expire_policy"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2250
++#: sssd-ldap.5.xml:2270
+ msgid ""
+ "<emphasis>pwd_expire_policy_reject, pwd_expire_policy_warn, "
+ "pwd_expire_policy_renew: </emphasis> These options are useful if users are "
+@@ -6371,7 +6534,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2260
++#: sssd-ldap.5.xml:2280
+ msgid ""
+ "The difference between these options is the action taken if user password is "
+ "expired: pwd_expire_policy_reject - user is denied to log in, "
+@@ -6381,63 +6544,63 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2268
++#: sssd-ldap.5.xml:2288
+ msgid ""
+ "Note If user password is expired no explicit message is prompted by SSSD."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2272
++#: sssd-ldap.5.xml:2292
+ msgid ""
+ "Please note that 'access_provider = ldap' must be set for this feature to "
+ "work. Also 'ldap_pwd_policy' must be set to an appropriate password policy."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2277
++#: sssd-ldap.5.xml:2297
+ msgid ""
+ "<emphasis>authorized_service</emphasis>: use the authorizedService attribute "
+ "to determine access"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2282
++#: sssd-ldap.5.xml:2302
+ msgid "<emphasis>host</emphasis>: use the host attribute to determine access"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2286
++#: sssd-ldap.5.xml:2306
+ msgid ""
+ "<emphasis>rhost</emphasis>: use the rhost attribute to determine whether "
+ "remote host can access"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2290
++#: sssd-ldap.5.xml:2310
+ msgid ""
+ "Please note, rhost field in pam is set by application, it is better to check "
+ "what the application sends to pam, before enabling this access control option"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2295
++#: sssd-ldap.5.xml:2315
+ msgid "Default: filter"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2298
++#: sssd-ldap.5.xml:2318
+ msgid ""
+ "Please note that it is a configuration error if a value is used more than "
+ "once."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2305
++#: sssd-ldap.5.xml:2325
+ msgid "ldap_pwdlockout_dn (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2308
++#: sssd-ldap.5.xml:2328
+ msgid ""
+ "This option specifies the DN of password policy entry on LDAP server. Please "
+ "note that absence of this option in sssd.conf in case of enabled account "
+@@ -6446,74 +6609,74 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2316
++#: sssd-ldap.5.xml:2336
+ msgid "Example: cn=ppolicy,ou=policies,dc=example,dc=com"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2319
++#: sssd-ldap.5.xml:2339
+ msgid "Default: cn=ppolicy,ou=policies,$ldap_search_base"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2325
++#: sssd-ldap.5.xml:2345
+ msgid "ldap_deref (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2328
++#: sssd-ldap.5.xml:2348
+ msgid ""
+ "Specifies how alias dereferencing is done when performing a search. The "
+ "following options are allowed:"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2333
++#: sssd-ldap.5.xml:2353
+ msgid "<emphasis>never</emphasis>: Aliases are never dereferenced."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2337
++#: sssd-ldap.5.xml:2357
+ msgid ""
+ "<emphasis>searching</emphasis>: Aliases are dereferenced in subordinates of "
+ "the base object, but not in locating the base object of the search."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2342
++#: sssd-ldap.5.xml:2362
+ msgid ""
+ "<emphasis>finding</emphasis>: Aliases are only dereferenced when locating "
+ "the base object of the search."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2347
++#: sssd-ldap.5.xml:2367
+ msgid ""
+ "<emphasis>always</emphasis>: Aliases are dereferenced both in searching and "
+ "in locating the base object of the search."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2352
++#: sssd-ldap.5.xml:2372
+ msgid ""
+ "Default: Empty (this is handled as <emphasis>never</emphasis> by the LDAP "
+ "client libraries)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2360
++#: sssd-ldap.5.xml:2380
+ msgid "ldap_rfc2307_fallback_to_local_users (boolean)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2363
++#: sssd-ldap.5.xml:2383
+ msgid ""
+ "Allows to retain local users as members of an LDAP group for servers that "
+ "use the RFC2307 schema."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2367
++#: sssd-ldap.5.xml:2387
+ msgid ""
+ "In some environments where the RFC2307 schema is used, local users are made "
+ "members of LDAP groups by adding their names to the memberUid attribute.  "
+@@ -6524,7 +6687,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2378
++#: sssd-ldap.5.xml:2398
+ msgid ""
+ "This option falls back to checking if local users are referenced, and caches "
+ "them so that later initgroups() calls will augment the local users with the "
+@@ -6532,24 +6695,24 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2390 sssd-ifp.5.xml:136
++#: sssd-ldap.5.xml:2410 sssd-ifp.5.xml:136
+ msgid "wildcard_limit (integer)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2393
++#: sssd-ldap.5.xml:2413
+ msgid ""
+ "Specifies an upper limit on the number of entries that are downloaded during "
+ "a wildcard lookup."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2397
++#: sssd-ldap.5.xml:2417
+ msgid "At the moment, only the InfoPipe responder supports wildcard lookups."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2401
++#: sssd-ldap.5.xml:2421
+ msgid "Default: 1000 (often the size of one page)"
+ msgstr ""
+ 
+@@ -6564,12 +6727,12 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><title>
+-#: sssd-ldap.5.xml:2411
++#: sssd-ldap.5.xml:2431
+ msgid "SUDO OPTIONS"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd-ldap.5.xml:2413
++#: sssd-ldap.5.xml:2433
+ msgid ""
+ "The detailed instructions for configuration of sudo_provider are in the "
+ "manual page <citerefentry> <refentrytitle>sssd-sudo</refentrytitle> "
+@@ -6577,208 +6740,208 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2424
++#: sssd-ldap.5.xml:2444
+ msgid "ldap_sudorule_object_class (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2427
++#: sssd-ldap.5.xml:2447
+ msgid "The object class of a sudo rule entry in LDAP."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2430
++#: sssd-ldap.5.xml:2450
+ msgid "Default: sudoRole"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2436
++#: sssd-ldap.5.xml:2456
+ msgid "ldap_sudorule_name (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2439
++#: sssd-ldap.5.xml:2459
+ msgid "The LDAP attribute that corresponds to the sudo rule name."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2449
++#: sssd-ldap.5.xml:2469
+ msgid "ldap_sudorule_command (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2452
++#: sssd-ldap.5.xml:2472
+ msgid "The LDAP attribute that corresponds to the command name."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2456
++#: sssd-ldap.5.xml:2476
+ msgid "Default: sudoCommand"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2462
++#: sssd-ldap.5.xml:2482
+ msgid "ldap_sudorule_host (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2465
++#: sssd-ldap.5.xml:2485
+ msgid ""
+ "The LDAP attribute that corresponds to the host name (or host IP address, "
+ "host IP network, or host netgroup)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2470
++#: sssd-ldap.5.xml:2490
+ msgid "Default: sudoHost"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2476
++#: sssd-ldap.5.xml:2496
+ msgid "ldap_sudorule_user (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2479
++#: sssd-ldap.5.xml:2499
+ msgid ""
+ "The LDAP attribute that corresponds to the user name (or UID, group name or "
+ "user's netgroup)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2483
++#: sssd-ldap.5.xml:2503
+ msgid "Default: sudoUser"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2489
++#: sssd-ldap.5.xml:2509
+ msgid "ldap_sudorule_option (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2492
++#: sssd-ldap.5.xml:2512
+ msgid "The LDAP attribute that corresponds to the sudo options."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2496
++#: sssd-ldap.5.xml:2516
+ msgid "Default: sudoOption"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2502
++#: sssd-ldap.5.xml:2522
+ msgid "ldap_sudorule_runasuser (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2505
++#: sssd-ldap.5.xml:2525
+ msgid ""
+ "The LDAP attribute that corresponds to the user name that commands may be "
+ "run as."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2509
++#: sssd-ldap.5.xml:2529
+ msgid "Default: sudoRunAsUser"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2515
++#: sssd-ldap.5.xml:2535
+ msgid "ldap_sudorule_runasgroup (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2518
++#: sssd-ldap.5.xml:2538
+ msgid ""
+ "The LDAP attribute that corresponds to the group name or group GID that "
+ "commands may be run as."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2522
++#: sssd-ldap.5.xml:2542
+ msgid "Default: sudoRunAsGroup"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2528
++#: sssd-ldap.5.xml:2548
+ msgid "ldap_sudorule_notbefore (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2531
++#: sssd-ldap.5.xml:2551
+ msgid ""
+ "The LDAP attribute that corresponds to the start date/time for when the sudo "
+ "rule is valid."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2535
++#: sssd-ldap.5.xml:2555
+ msgid "Default: sudoNotBefore"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2541
++#: sssd-ldap.5.xml:2561
+ msgid "ldap_sudorule_notafter (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2544
++#: sssd-ldap.5.xml:2564
+ msgid ""
+ "The LDAP attribute that corresponds to the expiration date/time, after which "
+ "the sudo rule will no longer be valid."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2549
++#: sssd-ldap.5.xml:2569
+ msgid "Default: sudoNotAfter"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2555
++#: sssd-ldap.5.xml:2575
+ msgid "ldap_sudorule_order (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2558
++#: sssd-ldap.5.xml:2578
+ msgid "The LDAP attribute that corresponds to the ordering index of the rule."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2562
++#: sssd-ldap.5.xml:2582
+ msgid "Default: sudoOrder"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2568
++#: sssd-ldap.5.xml:2588
+ msgid "ldap_sudo_full_refresh_interval (integer)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2571
++#: sssd-ldap.5.xml:2591
+ msgid ""
+ "How many seconds SSSD will wait between executing a full refresh of sudo "
+ "rules (which downloads all rules that are stored on the server)."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2576
++#: sssd-ldap.5.xml:2596
+ msgid ""
+ "The value must be greater than <emphasis>ldap_sudo_smart_refresh_interval </"
+ "emphasis>"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2581
++#: sssd-ldap.5.xml:2601
+ msgid "Default: 21600 (6 hours)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2587
++#: sssd-ldap.5.xml:2607
+ msgid "ldap_sudo_smart_refresh_interval (integer)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2590
++#: sssd-ldap.5.xml:2610
+ msgid ""
+ "How many seconds SSSD has to wait before executing a smart refresh of sudo "
+ "rules (which downloads all rules that have USN higher than the highest USN "
+@@ -6786,101 +6949,101 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2596
++#: sssd-ldap.5.xml:2616
+ msgid ""
+ "If USN attributes are not supported by the server, the modifyTimestamp "
+ "attribute is used instead."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2606
++#: sssd-ldap.5.xml:2626
+ msgid "ldap_sudo_use_host_filter (boolean)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2609
++#: sssd-ldap.5.xml:2629
+ msgid ""
+ "If true, SSSD will download only rules that are applicable to this machine "
+ "(using the IPv4 or IPv6 host/network addresses and hostnames)."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2620
++#: sssd-ldap.5.xml:2640
+ msgid "ldap_sudo_hostnames (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2623
++#: sssd-ldap.5.xml:2643
+ msgid ""
+ "Space separated list of hostnames or fully qualified domain names that "
+ "should be used to filter the rules."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2628
++#: sssd-ldap.5.xml:2648
+ msgid ""
+ "If this option is empty, SSSD will try to discover the hostname and the "
+ "fully qualified domain name automatically."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2633 sssd-ldap.5.xml:2656 sssd-ldap.5.xml:2674
+-#: sssd-ldap.5.xml:2692
++#: sssd-ldap.5.xml:2653 sssd-ldap.5.xml:2676 sssd-ldap.5.xml:2694
++#: sssd-ldap.5.xml:2712
+ msgid ""
+ "If <emphasis>ldap_sudo_use_host_filter</emphasis> is <emphasis>false</"
+ "emphasis> then this option has no effect."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2638 sssd-ldap.5.xml:2661
++#: sssd-ldap.5.xml:2658 sssd-ldap.5.xml:2681
+ msgid "Default: not specified"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2644
++#: sssd-ldap.5.xml:2664
+ msgid "ldap_sudo_ip (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2647
++#: sssd-ldap.5.xml:2667
+ msgid ""
+ "Space separated list of IPv4 or IPv6 host/network addresses that should be "
+ "used to filter the rules."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2652
++#: sssd-ldap.5.xml:2672
+ msgid ""
+ "If this option is empty, SSSD will try to discover the addresses "
+ "automatically."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2667
++#: sssd-ldap.5.xml:2687
+ msgid "ldap_sudo_include_netgroups (boolean)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2670
++#: sssd-ldap.5.xml:2690
+ msgid ""
+ "If true then SSSD will download every rule that contains a netgroup in "
+ "sudoHost attribute."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2685
++#: sssd-ldap.5.xml:2705
+ msgid "ldap_sudo_include_regexp (boolean)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2688
++#: sssd-ldap.5.xml:2708
+ msgid ""
+ "If true then SSSD will download every rule that contains a wildcard in "
+ "sudoHost attribute."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd-ldap.5.xml:2704
++#: sssd-ldap.5.xml:2724
+ msgid ""
+ "This manual page only describes attribute name mapping.  For detailed "
+ "explanation of sudo related attribute semantics, see <citerefentry> "
+@@ -6889,111 +7052,111 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><title>
+-#: sssd-ldap.5.xml:2714
++#: sssd-ldap.5.xml:2734
+ msgid "AUTOFS OPTIONS"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd-ldap.5.xml:2716
++#: sssd-ldap.5.xml:2736
+ msgid ""
+ "Some of the defaults for the parameters below are dependent on the LDAP "
+ "schema."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2722
++#: sssd-ldap.5.xml:2742
+ msgid "ldap_autofs_map_master_name (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2725
++#: sssd-ldap.5.xml:2745
+ msgid "The name of the automount master map in LDAP."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2728
++#: sssd-ldap.5.xml:2748
+ msgid "Default: auto.master"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2735
++#: sssd-ldap.5.xml:2755
+ msgid "ldap_autofs_map_object_class (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2738
++#: sssd-ldap.5.xml:2758
+ msgid "The object class of an automount map entry in LDAP."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2741
++#: sssd-ldap.5.xml:2761
+ msgid "Default: nisMap (rfc2307, autofs_provider=ad), otherwise automountMap"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2749
++#: sssd-ldap.5.xml:2769
+ msgid "ldap_autofs_map_name (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2752
++#: sssd-ldap.5.xml:2772
+ msgid "The name of an automount map entry in LDAP."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2755
++#: sssd-ldap.5.xml:2775
+ msgid ""
+ "Default: nisMapName (rfc2307, autofs_provider=ad), otherwise automountMapName"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2763
++#: sssd-ldap.5.xml:2783
+ msgid "ldap_autofs_entry_object_class (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2766
++#: sssd-ldap.5.xml:2786
+ msgid ""
+ "The object class of an automount entry in LDAP. The entry usually "
+ "corresponds to a mount point."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2771
++#: sssd-ldap.5.xml:2791
+ msgid "Default: nisObject (rfc2307, autofs_provider=ad), otherwise automount"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2779
++#: sssd-ldap.5.xml:2799
+ msgid "ldap_autofs_entry_key (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2782 sssd-ldap.5.xml:2797
++#: sssd-ldap.5.xml:2802 sssd-ldap.5.xml:2817
+ msgid ""
+ "The key of an automount entry in LDAP. The entry usually corresponds to a "
+ "mount point."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2786
++#: sssd-ldap.5.xml:2806
+ msgid "Default: cn (rfc2307, autofs_provider=ad), otherwise automountKey"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2794
++#: sssd-ldap.5.xml:2814
+ msgid "ldap_autofs_entry_value (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2801
++#: sssd-ldap.5.xml:2821
+ msgid ""
+ "Default: nisMapEntry (rfc2307, autofs_provider=ad), otherwise "
+ "automountInformation"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd-ldap.5.xml:2720
++#: sssd-ldap.5.xml:2740
+ msgid ""
+ "<placeholder type=\"variablelist\" id=\"0\"/> <placeholder type="
+ "\"variablelist\" id=\"1\"/> <placeholder type=\"variablelist\" id=\"2\"/> "
+@@ -7002,32 +7165,32 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><title>
+-#: sssd-ldap.5.xml:2812
++#: sssd-ldap.5.xml:2832
+ msgid "ADVANCED OPTIONS"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2819
++#: sssd-ldap.5.xml:2839
+ msgid "ldap_netgroup_search_base (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2824
++#: sssd-ldap.5.xml:2844
+ msgid "ldap_user_search_base (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2829
++#: sssd-ldap.5.xml:2849
+ msgid "ldap_group_search_base (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><note>
+-#: sssd-ldap.5.xml:2834
++#: sssd-ldap.5.xml:2854
+ msgid "<note>"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><note><para>
+-#: sssd-ldap.5.xml:2836
++#: sssd-ldap.5.xml:2856
+ msgid ""
+ "If the option <quote>ldap_use_tokengroups</quote> is enabled, the searches "
+ "against Active Directory will not be restricted and return all groups "
+@@ -7036,22 +7199,22 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist>
+-#: sssd-ldap.5.xml:2843
++#: sssd-ldap.5.xml:2863
+ msgid "</note>"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2845
++#: sssd-ldap.5.xml:2865
+ msgid "ldap_sudo_search_base (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2850
++#: sssd-ldap.5.xml:2870
+ msgid "ldap_autofs_search_base (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd-ldap.5.xml:2814
++#: sssd-ldap.5.xml:2834
+ msgid ""
+ "These options are supported by LDAP domains, but they should be used with "
+ "caution. Please include them in your configuration only if you know what you "
+@@ -7060,14 +7223,14 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><title>
+-#: sssd-ldap.5.xml:2865 sssd-simple.5.xml:131 sssd-ipa.5.xml:828
+-#: sssd-ad.5.xml:1063 sssd-krb5.5.xml:570 sss_rpcidmapd.5.xml:98
++#: sssd-ldap.5.xml:2885 sssd-simple.5.xml:131 sssd-ipa.5.xml:828
++#: sssd-ad.5.xml:1082 sssd-krb5.5.xml:604 sss_rpcidmapd.5.xml:98
+ #: sssd-files.5.xml:103 sssd-session-recording.5.xml:144
+ msgid "EXAMPLE"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd-ldap.5.xml:2867
++#: sssd-ldap.5.xml:2887
+ msgid ""
+ "The following example assumes that SSSD is correctly configured and LDAP is "
+ "set to one of the domains in the <replaceable>[domains]</replaceable> "
+@@ -7075,7 +7238,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><programlisting>
+-#: sssd-ldap.5.xml:2873
++#: sssd-ldap.5.xml:2893
+ #, no-wrap
+ msgid ""
+ "[domain/LDAP]\n"
+@@ -7088,27 +7251,27 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <refsect1><refsect2><para>
+-#: sssd-ldap.5.xml:2872 sssd-ldap.5.xml:2890 sssd-simple.5.xml:139
+-#: sssd-ipa.5.xml:836 sssd-ad.5.xml:1071 sssd-sudo.5.xml:56 sssd-krb5.5.xml:579
++#: sssd-ldap.5.xml:2892 sssd-ldap.5.xml:2910 sssd-simple.5.xml:139
++#: sssd-ipa.5.xml:836 sssd-ad.5.xml:1090 sssd-sudo.5.xml:56 sssd-krb5.5.xml:613
+ #: sssd-files.5.xml:110 sssd-session-recording.5.xml:150
+ #: include/ldap_id_mapping.xml:105
+ msgid "<placeholder type=\"programlisting\" id=\"0\"/>"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><title>
+-#: sssd-ldap.5.xml:2884
++#: sssd-ldap.5.xml:2904
+ msgid "LDAP ACCESS FILTER EXAMPLE"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd-ldap.5.xml:2886
++#: sssd-ldap.5.xml:2906
+ msgid ""
+ "The following example assumes that SSSD is correctly configured and to use "
+ "the ldap_access_order=lockout."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><programlisting>
+-#: sssd-ldap.5.xml:2891
++#: sssd-ldap.5.xml:2911
+ #, no-wrap
+ msgid ""
+ "[domain/LDAP]\n"
+@@ -7124,13 +7287,13 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><title>
+-#: sssd-ldap.5.xml:2906 sssd_krb5_locator_plugin.8.xml:83 sssd-simple.5.xml:148
+-#: sssd-ad.5.xml:1086 sssd.8.xml:230 sss_seed.8.xml:163
++#: sssd-ldap.5.xml:2926 sssd_krb5_locator_plugin.8.xml:83 sssd-simple.5.xml:148
++#: sssd-ad.5.xml:1105 sssd.8.xml:230 sss_seed.8.xml:163
+ msgid "NOTES"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd-ldap.5.xml:2908
++#: sssd-ldap.5.xml:2928
+ msgid ""
+ "The descriptions of some of the configuration options in this manual page "
+ "are based on the <citerefentry> <refentrytitle>ldap.conf</refentrytitle> "
+@@ -8604,7 +8767,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ipa.5.xml:128 sssd-ad.5.xml:888
++#: sssd-ipa.5.xml:128 sssd-ad.5.xml:907
+ msgid "dyndns_update (boolean)"
+ msgstr ""
+ 
+@@ -8619,7 +8782,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ipa.5.xml:140 sssd-ad.5.xml:902
++#: sssd-ipa.5.xml:140 sssd-ad.5.xml:921
+ msgid ""
+ "NOTE: On older systems (such as RHEL 5), for this behavior to work reliably, "
+ "the default Kerberos realm must be set properly in /etc/krb5.conf"
+@@ -8634,12 +8797,12 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ipa.5.xml:157 sssd-ad.5.xml:913
++#: sssd-ipa.5.xml:157 sssd-ad.5.xml:932
+ msgid "dyndns_ttl (integer)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ipa.5.xml:160 sssd-ad.5.xml:916
++#: sssd-ipa.5.xml:160 sssd-ad.5.xml:935
+ msgid ""
+ "The TTL to apply to the client DNS record when updating it.  If "
+ "dyndns_update is false this has no effect. This will override the TTL "
+@@ -8660,12 +8823,12 @@ msgid "Default: 1200 (seconds)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ipa.5.xml:177 sssd-ad.5.xml:927
++#: sssd-ipa.5.xml:177 sssd-ad.5.xml:946
+ msgid "dyndns_iface (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ipa.5.xml:180 sssd-ad.5.xml:930
++#: sssd-ipa.5.xml:180 sssd-ad.5.xml:949
+ msgid ""
+ "Optional. Applicable only when dyndns_update is true. Choose the interface "
+ "or a list of interfaces whose IP addresses should be used for dynamic DNS "
+@@ -8689,17 +8852,17 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ipa.5.xml:197 sssd-ad.5.xml:941
++#: sssd-ipa.5.xml:197 sssd-ad.5.xml:960
+ msgid "Example: dyndns_iface = em1, vnet1, vnet2"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ipa.5.xml:203 sssd-ad.5.xml:992
++#: sssd-ipa.5.xml:203 sssd-ad.5.xml:1011
+ msgid "dyndns_auth (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ipa.5.xml:206 sssd-ad.5.xml:995
++#: sssd-ipa.5.xml:206 sssd-ad.5.xml:1014
+ msgid ""
+ "Whether the nsupdate utility should use GSS-TSIG authentication for secure "
+ "updates with the DNS server, insecure updates can be sent by setting this "
+@@ -8707,7 +8870,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ipa.5.xml:212 sssd-ad.5.xml:1001
++#: sssd-ipa.5.xml:212 sssd-ad.5.xml:1020
+ msgid "Default: GSS-TSIG"
+ msgstr ""
+ 
+@@ -8734,7 +8897,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ipa.5.xml:244 sssd-ad.5.xml:947
++#: sssd-ipa.5.xml:244 sssd-ad.5.xml:966
+ msgid "dyndns_refresh_interval (integer)"
+ msgstr ""
+ 
+@@ -8747,12 +8910,12 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ipa.5.xml:260 sssd-ad.5.xml:965
++#: sssd-ipa.5.xml:260 sssd-ad.5.xml:984
+ msgid "dyndns_update_ptr (bool)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ipa.5.xml:263 sssd-ad.5.xml:968
++#: sssd-ipa.5.xml:263 sssd-ad.5.xml:987
+ msgid ""
+ "Whether the PTR record should also be explicitly updated when updating the "
+ "client's DNS records.  Applicable only when dyndns_update is true."
+@@ -8771,50 +8934,50 @@ msgid "Default: False (disabled)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ipa.5.xml:280 sssd-ad.5.xml:979
++#: sssd-ipa.5.xml:280 sssd-ad.5.xml:998
+ msgid "dyndns_force_tcp (bool)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ipa.5.xml:283 sssd-ad.5.xml:982
++#: sssd-ipa.5.xml:283 sssd-ad.5.xml:1001
+ msgid ""
+ "Whether the nsupdate utility should default to using TCP for communicating "
+ "with the DNS server."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ipa.5.xml:287 sssd-ad.5.xml:986
++#: sssd-ipa.5.xml:287 sssd-ad.5.xml:1005
+ msgid "Default: False (let nsupdate choose the protocol)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ipa.5.xml:293 sssd-ad.5.xml:1007
++#: sssd-ipa.5.xml:293 sssd-ad.5.xml:1026
+ msgid "dyndns_server (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ipa.5.xml:296 sssd-ad.5.xml:1010
++#: sssd-ipa.5.xml:296 sssd-ad.5.xml:1029
+ msgid ""
+ "The DNS server to use when performing a DNS update. In most setups, it's "
+ "recommended to leave this option unset."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ipa.5.xml:301 sssd-ad.5.xml:1015
++#: sssd-ipa.5.xml:301 sssd-ad.5.xml:1034
+ msgid ""
+ "Setting this option makes sense for environments where the DNS server is "
+ "different from the identity server."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ipa.5.xml:306 sssd-ad.5.xml:1020
++#: sssd-ipa.5.xml:306 sssd-ad.5.xml:1039
+ msgid ""
+ "Please note that this option will be only used in fallback attempt when "
+ "previous attempt using autodetected settings failed."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ipa.5.xml:311 sssd-ad.5.xml:1025
++#: sssd-ipa.5.xml:311 sssd-ad.5.xml:1044
+ msgid "Default: None (let nsupdate choose the server)"
+ msgstr ""
+ 
+@@ -8925,26 +9088,26 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ipa.5.xml:443 sssd-ad.5.xml:1034
++#: sssd-ipa.5.xml:443 sssd-ad.5.xml:1053
+ msgid "krb5_confd_path (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ipa.5.xml:446 sssd-ad.5.xml:1037
++#: sssd-ipa.5.xml:446 sssd-ad.5.xml:1056
+ msgid ""
+ "Absolute path of a directory where SSSD should place Kerberos configuration "
+ "snippets."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ipa.5.xml:450 sssd-ad.5.xml:1041
++#: sssd-ipa.5.xml:450 sssd-ad.5.xml:1060
+ msgid ""
+ "To disable the creation of the configuration snippets set the parameter to "
+ "'none'."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ipa.5.xml:454 sssd-ad.5.xml:1045
++#: sssd-ipa.5.xml:454 sssd-ad.5.xml:1064
+ msgid ""
+ "Default: not set (krb5.include.d subdirectory of SSSD's pubconf directory)"
+ msgstr ""
+@@ -8963,7 +9126,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ipa.5.xml:471 sssd-ipa.5.xml:501 sssd-ipa.5.xml:517 sssd-ad.5.xml:452
++#: sssd-ipa.5.xml:471 sssd-ipa.5.xml:501 sssd-ipa.5.xml:517 sssd-ad.5.xml:471
+ msgid "Default: 5 (seconds)"
+ msgstr ""
+ 
+@@ -9844,12 +10007,27 @@ msgid "Default: False (seconds)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ad.5.xml:442
++#: sssd-ad.5.xml:441
++msgid "ad_gpo_ignore_unreadable (boolean)"
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
++#: sssd-ad.5.xml:444
++msgid ""
++"Normally when some group policy containers (AD object) of applicable group "
++"policy objects are not readable by SSSD then users are denied access.  This "
++"option allows to ignore group policy containers and with them associated "
++"policies if their attributes in group policy containers are not readable for "
++"SSSD."
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
++#: sssd-ad.5.xml:461
+ msgid "ad_gpo_cache_timeout (integer)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:445
++#: sssd-ad.5.xml:464
+ msgid ""
+ "The amount of time between lookups of GPO policy files against the AD "
+ "server. This will reduce the latency and load on the AD server if there are "
+@@ -9857,12 +10035,12 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ad.5.xml:458
++#: sssd-ad.5.xml:477
+ msgid "ad_gpo_map_interactive (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:461
++#: sssd-ad.5.xml:480
+ msgid ""
+ "A comma-separated list of PAM service names for which GPO-based access "
+ "control is evaluated based on the InteractiveLogonRight and "
+@@ -9870,14 +10048,14 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:467
++#: sssd-ad.5.xml:486
+ msgid ""
+ "Note: Using the Group Policy Management Editor this value is called \"Allow "
+ "log on locally\" and \"Deny log on locally\"."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
+-#: sssd-ad.5.xml:481
++#: sssd-ad.5.xml:500
+ #, no-wrap
+ msgid ""
+ "ad_gpo_map_interactive = +my_pam_service, -login\n"
+@@ -9885,7 +10063,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:472
++#: sssd-ad.5.xml:491
+ msgid ""
+ "It is possible to add another PAM service name to the default set by using "
+ "<quote>+service_name</quote> or to explicitly remove a PAM service name from "
+@@ -9897,42 +10075,42 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd-ad.5.xml:504
++#: sssd-ad.5.xml:523
+ msgid "gdm-fingerprint"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd-ad.5.xml:524
++#: sssd-ad.5.xml:543
+ msgid "lightdm"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd-ad.5.xml:529
++#: sssd-ad.5.xml:548
+ msgid "lxdm"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd-ad.5.xml:534
++#: sssd-ad.5.xml:553
+ msgid "sddm"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd-ad.5.xml:539
++#: sssd-ad.5.xml:558
+ msgid "unity"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd-ad.5.xml:544
++#: sssd-ad.5.xml:563
+ msgid "xdm"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ad.5.xml:553
++#: sssd-ad.5.xml:572
+ msgid "ad_gpo_map_remote_interactive (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:556
++#: sssd-ad.5.xml:575
+ msgid ""
+ "A comma-separated list of PAM service names for which GPO-based access "
+ "control is evaluated based on the RemoteInteractiveLogonRight and "
+@@ -9940,7 +10118,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:562
++#: sssd-ad.5.xml:581
+ msgid ""
+ "Note: Using the Group Policy Management Editor this value is called \"Allow "
+ "log on through Remote Desktop Services\" and \"Deny log on through Remote "
+@@ -9948,7 +10126,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
+-#: sssd-ad.5.xml:577
++#: sssd-ad.5.xml:596
+ #, no-wrap
+ msgid ""
+ "ad_gpo_map_remote_interactive = +my_pam_service, -sshd\n"
+@@ -9956,7 +10134,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:568
++#: sssd-ad.5.xml:587
+ msgid ""
+ "It is possible to add another PAM service name to the default set by using "
+ "<quote>+service_name</quote> or to explicitly remove a PAM service name from "
+@@ -9968,22 +10146,22 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd-ad.5.xml:585
++#: sssd-ad.5.xml:604
+ msgid "sshd"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd-ad.5.xml:590
++#: sssd-ad.5.xml:609
+ msgid "cockpit"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ad.5.xml:599
++#: sssd-ad.5.xml:618
+ msgid "ad_gpo_map_network (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:602
++#: sssd-ad.5.xml:621
+ msgid ""
+ "A comma-separated list of PAM service names for which GPO-based access "
+ "control is evaluated based on the NetworkLogonRight and "
+@@ -9991,7 +10169,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:608
++#: sssd-ad.5.xml:627
+ msgid ""
+ "Note: Using the Group Policy Management Editor this value is called \"Access "
+ "this computer from the network\" and \"Deny access to this computer from the "
+@@ -9999,7 +10177,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
+-#: sssd-ad.5.xml:623
++#: sssd-ad.5.xml:642
+ #, no-wrap
+ msgid ""
+ "ad_gpo_map_network = +my_pam_service, -ftp\n"
+@@ -10007,7 +10185,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:614
++#: sssd-ad.5.xml:633
+ msgid ""
+ "It is possible to add another PAM service name to the default set by using "
+ "<quote>+service_name</quote> or to explicitly remove a PAM service name from "
+@@ -10019,22 +10197,22 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd-ad.5.xml:631
++#: sssd-ad.5.xml:650
+ msgid "ftp"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd-ad.5.xml:636
++#: sssd-ad.5.xml:655
+ msgid "samba"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ad.5.xml:645
++#: sssd-ad.5.xml:664
+ msgid "ad_gpo_map_batch (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:648
++#: sssd-ad.5.xml:667
+ msgid ""
+ "A comma-separated list of PAM service names for which GPO-based access "
+ "control is evaluated based on the BatchLogonRight and DenyBatchLogonRight "
+@@ -10042,14 +10220,14 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:654
++#: sssd-ad.5.xml:673
+ msgid ""
+ "Note: Using the Group Policy Management Editor this value is called \"Allow "
+ "log on as a batch job\" and \"Deny log on as a batch job\"."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
+-#: sssd-ad.5.xml:668
++#: sssd-ad.5.xml:687
+ #, no-wrap
+ msgid ""
+ "ad_gpo_map_batch = +my_pam_service, -crond\n"
+@@ -10057,7 +10235,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:659
++#: sssd-ad.5.xml:678
+ msgid ""
+ "It is possible to add another PAM service name to the default set by using "
+ "<quote>+service_name</quote> or to explicitly remove a PAM service name from "
+@@ -10069,23 +10247,23 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:671
++#: sssd-ad.5.xml:690
+ msgid ""
+ "Note: Cron service name may differ depending on Linux distribution used."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd-ad.5.xml:677
++#: sssd-ad.5.xml:696
+ msgid "crond"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ad.5.xml:686
++#: sssd-ad.5.xml:705
+ msgid "ad_gpo_map_service (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:689
++#: sssd-ad.5.xml:708
+ msgid ""
+ "A comma-separated list of PAM service names for which GPO-based access "
+ "control is evaluated based on the ServiceLogonRight and "
+@@ -10093,14 +10271,14 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:695
++#: sssd-ad.5.xml:714
+ msgid ""
+ "Note: Using the Group Policy Management Editor this value is called \"Allow "
+ "log on as a service\" and \"Deny log on as a service\"."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
+-#: sssd-ad.5.xml:708
++#: sssd-ad.5.xml:727
+ #, no-wrap
+ msgid ""
+ "ad_gpo_map_service = +my_pam_service\n"
+@@ -10108,7 +10286,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:700 sssd-ad.5.xml:775
++#: sssd-ad.5.xml:719 sssd-ad.5.xml:794
+ msgid ""
+ "It is possible to add a PAM service name to the default set by using <quote>"
+ "+service_name</quote>.  Since the default set is empty, it is not possible "
+@@ -10119,19 +10297,19 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ad.5.xml:718
++#: sssd-ad.5.xml:737
+ msgid "ad_gpo_map_permit (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:721
++#: sssd-ad.5.xml:740
+ msgid ""
+ "A comma-separated list of PAM service names for which GPO-based access is "
+ "always granted, regardless of any GPO Logon Rights."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
+-#: sssd-ad.5.xml:735
++#: sssd-ad.5.xml:754
+ #, no-wrap
+ msgid ""
+ "ad_gpo_map_permit = +my_pam_service, -sudo\n"
+@@ -10139,7 +10317,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:726
++#: sssd-ad.5.xml:745
+ msgid ""
+ "It is possible to add another PAM service name to the default set by using "
+ "<quote>+service_name</quote> or to explicitly remove a PAM service name from "
+@@ -10151,29 +10329,29 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd-ad.5.xml:743
++#: sssd-ad.5.xml:762
+ msgid "polkit-1"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd-ad.5.xml:758
++#: sssd-ad.5.xml:777
+ msgid "systemd-user"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ad.5.xml:767
++#: sssd-ad.5.xml:786
+ msgid "ad_gpo_map_deny (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:770
++#: sssd-ad.5.xml:789
+ msgid ""
+ "A comma-separated list of PAM service names for which GPO-based access is "
+ "always denied, regardless of any GPO Logon Rights."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
+-#: sssd-ad.5.xml:783
++#: sssd-ad.5.xml:802
+ #, no-wrap
+ msgid ""
+ "ad_gpo_map_deny = +my_pam_service\n"
+@@ -10181,12 +10359,12 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ad.5.xml:793
++#: sssd-ad.5.xml:812
+ msgid "ad_gpo_default_right (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:796
++#: sssd-ad.5.xml:815
+ msgid ""
+ "This option defines how access control is evaluated for PAM service names "
+ "that are not explicitly listed in one of the ad_gpo_map_* options. This "
+@@ -10199,57 +10377,57 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:809
++#: sssd-ad.5.xml:828
+ msgid "Supported values for this option include:"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd-ad.5.xml:813
++#: sssd-ad.5.xml:832
+ msgid "interactive"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd-ad.5.xml:818
++#: sssd-ad.5.xml:837
+ msgid "remote_interactive"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd-ad.5.xml:823
++#: sssd-ad.5.xml:842
+ msgid "network"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd-ad.5.xml:828
++#: sssd-ad.5.xml:847
+ msgid "batch"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd-ad.5.xml:833
++#: sssd-ad.5.xml:852
+ msgid "service"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd-ad.5.xml:838
++#: sssd-ad.5.xml:857
+ msgid "permit"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd-ad.5.xml:843
++#: sssd-ad.5.xml:862
+ msgid "deny"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:849
++#: sssd-ad.5.xml:868
+ msgid "Default: deny"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ad.5.xml:855
++#: sssd-ad.5.xml:874
+ msgid "ad_maximum_machine_account_password_age (integer)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:858
++#: sssd-ad.5.xml:877
+ msgid ""
+ "SSSD will check once a day if the machine account password is older than the "
+ "given age in days and try to renew it. A value of 0 will disable the renewal "
+@@ -10257,17 +10435,17 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:864
++#: sssd-ad.5.xml:883
+ msgid "Default: 30 days"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ad.5.xml:870
++#: sssd-ad.5.xml:889
+ msgid "ad_machine_account_password_renewal_opts (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:873
++#: sssd-ad.5.xml:892
+ msgid ""
+ "This option should only be used to test the machine account renewal task. "
+ "The option expects 2 integers separated by a colon (':'). The first integer "
+@@ -10277,12 +10455,12 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:882
++#: sssd-ad.5.xml:901
+ msgid "Default: 86400:750 (24h and 15m)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:891
++#: sssd-ad.5.xml:910
+ msgid ""
+ "Optional. This option tells SSSD to automatically update the Active "
+ "Directory DNS server with the IP address of this client. The update is "
+@@ -10293,19 +10471,19 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:921
++#: sssd-ad.5.xml:940
+ msgid "Default: 3600 (seconds)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:937
++#: sssd-ad.5.xml:956
+ msgid ""
+ "Default: Use the IP addresses of the interface which is used for AD LDAP "
+ "connection"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:950
++#: sssd-ad.5.xml:969
+ msgid ""
+ "How often should the back end perform periodic DNS update in addition to the "
+ "automatic update performed when the back end goes online.  This option is "
+@@ -10315,12 +10493,12 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:973 sss_rpcidmapd.5.xml:76
++#: sssd-ad.5.xml:992 sss_rpcidmapd.5.xml:76
+ msgid "Default: True"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd-ad.5.xml:1065
++#: sssd-ad.5.xml:1084
+ msgid ""
+ "The following example assumes that SSSD is correctly configured and example."
+ "com is one of the domains in the <replaceable>[sssd]</replaceable> section. "
+@@ -10328,7 +10506,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><programlisting>
+-#: sssd-ad.5.xml:1072
++#: sssd-ad.5.xml:1091
+ #, no-wrap
+ msgid ""
+ "[domain/EXAMPLE]\n"
+@@ -10343,7 +10521,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><programlisting>
+-#: sssd-ad.5.xml:1092
++#: sssd-ad.5.xml:1111
+ #, no-wrap
+ msgid ""
+ "access_provider = ldap\n"
+@@ -10352,7 +10530,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd-ad.5.xml:1088
++#: sssd-ad.5.xml:1107
+ msgid ""
+ "The AD access control provider checks if the account is expired.  It has the "
+ "same effect as the following configuration of the LDAP provider: "
+@@ -10360,7 +10538,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd-ad.5.xml:1098
++#: sssd-ad.5.xml:1117
+ msgid ""
+ "However, unless the <quote>ad</quote> access control provider is explicitly "
+ "configured, the default access provider is <quote>permit</quote>. Please "
+@@ -10370,7 +10548,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd-ad.5.xml:1106
++#: sssd-ad.5.xml:1125
+ msgid ""
+ "When the autofs provider is set to <quote>ad</quote>, the RFC2307 schema "
+ "attribute mapping (nisMap, nisObject, ...) is used, because these attributes "
+@@ -11828,23 +12006,59 @@ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd-krb5.5.xml:505
+-msgid "krb5_use_enterprise_principal (boolean)"
++msgid "krb5_kdcinfo_lookahead (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-krb5.5.xml:508
+ msgid ""
++"When krb5_use_kdcinfo is set to true, you can limit the amount of servers "
++"handed to <citerefentry> <refentrytitle>sssd_krb5_locator_plugin</"
++"refentrytitle> <manvolnum>8</manvolnum> </citerefentry>.  This might be "
++"helpful when there are too many servers discovered using SRV record."
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
++#: sssd-krb5.5.xml:518
++msgid ""
++"The krb5_kdcinfo_lookahead option contains two numbers seperated by a colon. "
++"The first number represents number of primary servers used and the second "
++"number specifies the number of backup servers."
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
++#: sssd-krb5.5.xml:524
++msgid ""
++"For example <emphasis>10:0</emphasis> means that up to 10 primary servers "
++"will be handed to <citerefentry> <refentrytitle>sssd_krb5_locator_plugin</"
++"refentrytitle> <manvolnum>8</manvolnum> </citerefentry>.  but no backup "
++"servers."
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
++#: sssd-krb5.5.xml:533
++msgid "Default: 3:1"
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
++#: sssd-krb5.5.xml:539
++msgid "krb5_use_enterprise_principal (boolean)"
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
++#: sssd-krb5.5.xml:542
++msgid ""
+ "Specifies if the user principal should be treated as enterprise principal. "
+ "See section 5 of RFC 6806 for more details about enterprise principals."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-krb5.5.xml:514
++#: sssd-krb5.5.xml:548
+ msgid "Default: false (AD provider: true)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-krb5.5.xml:517
++#: sssd-krb5.5.xml:551
+ msgid ""
+ "The IPA provider will set to option to 'true' if it detects that the server "
+ "is capable of handling enterprise principals and the option is not set "
+@@ -11852,12 +12066,12 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-krb5.5.xml:526
++#: sssd-krb5.5.xml:560
+ msgid "krb5_map_user (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-krb5.5.xml:529
++#: sssd-krb5.5.xml:563
+ msgid ""
+ "The list of mappings is given as a comma-separated list of pairs "
+ "<quote>username:primary</quote> where <quote>username</quote> is a UNIX user "
+@@ -11867,7 +12081,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
+-#: sssd-krb5.5.xml:541
++#: sssd-krb5.5.xml:575
+ #, no-wrap
+ msgid ""
+ "krb5_realm = REALM\n"
+@@ -11875,7 +12089,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-krb5.5.xml:546
++#: sssd-krb5.5.xml:580
+ msgid ""
+ "<quote>joe</quote> and <quote>dick</quote> are UNIX user names and "
+ "<quote>juser</quote> and <quote>richard</quote> are primaries of kerberos "
+@@ -11895,7 +12109,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd-krb5.5.xml:572
++#: sssd-krb5.5.xml:606
+ msgid ""
+ "The following example assumes that SSSD is correctly configured and FOO is "
+ "one of the domains in the <replaceable>[sssd]</replaceable> section. This "
+@@ -11904,7 +12118,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><programlisting>
+-#: sssd-krb5.5.xml:580
++#: sssd-krb5.5.xml:614
+ #, no-wrap
+ msgid ""
+ "[domain/FOO]\n"
+diff --git a/src/man/po/fi.po b/src/man/po/fi.po
+index 89f063cc9..6e225c2d5 100644
+--- a/src/man/po/fi.po
++++ b/src/man/po/fi.po
+@@ -3,7 +3,7 @@ msgid ""
+ msgstr ""
+ "Project-Id-Version: sssd-docs 2.0.99\n"
+ "Report-Msgid-Bugs-To: sssd-devel@redhat.com\n"
+-"POT-Creation-Date: 2019-03-20 22:06+0100\n"
++"POT-Creation-Date: 2019-10-07 11:33+0200\n"
+ "PO-Revision-Date: 2017-03-24 08:46+0000\n"
+ "Last-Translator: Toni Rantala <trantalafilo@gmail.com>\n"
+ "Language-Team: Finnish\n"
+@@ -288,10 +288,10 @@ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:133 sssd.conf.5.xml:543 sssd.conf.5.xml:840
+-#: sssd.conf.5.xml:1566 sssd.conf.5.xml:1596 sssd-ldap.5.xml:1889
+-#: sssd-ldap.5.xml:1986 sssd-ldap.5.xml:2048 sssd-ldap.5.xml:2614
+-#: sssd-ldap.5.xml:2679 sssd-ldap.5.xml:2697 sssd-ad.5.xml:227
+-#: sssd-ad.5.xml:341 sssd-ad.5.xml:907 sssd-krb5.5.xml:499
++#: sssd.conf.5.xml:1566 sssd.conf.5.xml:1596 sssd-ldap.5.xml:1908
++#: sssd-ldap.5.xml:2006 sssd-ldap.5.xml:2068 sssd-ldap.5.xml:2634
++#: sssd-ldap.5.xml:2699 sssd-ldap.5.xml:2717 sssd-ad.5.xml:227
++#: sssd-ad.5.xml:341 sssd-ad.5.xml:926 sssd-krb5.5.xml:499
+ #: sssd-secrets.5.xml:351 sssd-secrets.5.xml:364
+ msgid "Default: true"
+ msgstr "Oletus:tosi"
+@@ -310,16 +310,16 @@ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:146 sssd.conf.5.xml:540 sssd.conf.5.xml:722
+-#: sssd.conf.5.xml:1499 sssd.conf.5.xml:3106 sssd-ldap.5.xml:746
+-#: sssd-ldap.5.xml:1752 sssd-ldap.5.xml:1771 sssd-ldap.5.xml:1958
+-#: sssd-ldap.5.xml:2384 sssd-ipa.5.xml:151 sssd-ipa.5.xml:238
++#: sssd.conf.5.xml:1499 sssd.conf.5.xml:3129 sssd-ldap.5.xml:746
++#: sssd-ldap.5.xml:1759 sssd-ldap.5.xml:1778 sssd-ldap.5.xml:1978
++#: sssd-ldap.5.xml:2404 sssd-ipa.5.xml:151 sssd-ipa.5.xml:238
+ #: sssd-ipa.5.xml:559 sssd-krb5.5.xml:266 sssd-krb5.5.xml:300
+ #: sssd-krb5.5.xml:471
+ msgid "Default: false"
+ msgstr "Oletus:epätosi"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para>
+-#: sssd.conf.5.xml:106 sssd.conf.5.xml:157 sssd-ldap.5.xml:2422
++#: sssd.conf.5.xml:106 sssd.conf.5.xml:157 sssd-ldap.5.xml:2442
+ #: sssd-systemtap.5.xml:82 sssd-systemtap.5.xml:143 sssd-systemtap.5.xml:210
+ #: sssd-systemtap.5.xml:248 sssd-systemtap.5.xml:304
+ msgid "<placeholder type=\"variablelist\" id=\"0\"/>"
+@@ -344,8 +344,8 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:169 sssd.conf.5.xml:1377 sssd.conf.5.xml:3122
+-#: sssd-ldap.5.xml:1623 include/ldap_id_mapping.xml:264
++#: sssd.conf.5.xml:169 sssd.conf.5.xml:1377 sssd.conf.5.xml:3145
++#: sssd-ldap.5.xml:1630 include/ldap_id_mapping.xml:264
+ msgid "Default: 10"
+ msgstr ""
+ 
+@@ -360,7 +360,7 @@ msgid "The [sssd] section"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><title>
+-#: sssd.conf.5.xml:191 sssd.conf.5.xml:3211
++#: sssd.conf.5.xml:191 sssd.conf.5.xml:3234
+ msgid "Section parameters"
+ msgstr ""
+ 
+@@ -440,7 +440,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:259 sssd.conf.5.xml:2672
++#: sssd.conf.5.xml:259 sssd.conf.5.xml:2680
+ msgid "re_expression (string)"
+ msgstr ""
+ 
+@@ -460,12 +460,12 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:276 sssd.conf.5.xml:2720
++#: sssd.conf.5.xml:276 sssd.conf.5.xml:2728
+ msgid "full_name_format (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:279 sssd.conf.5.xml:2723
++#: sssd.conf.5.xml:279 sssd.conf.5.xml:2731
+ msgid ""
+ "A <citerefentry> <refentrytitle>printf</refentrytitle> <manvolnum>3</"
+ "manvolnum> </citerefentry>-compatible format that describes how to compose a "
+@@ -473,39 +473,39 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:290 sssd.conf.5.xml:2734
++#: sssd.conf.5.xml:290 sssd.conf.5.xml:2742
+ msgid "%1$s"
+ msgstr "%1$s"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:291 sssd.conf.5.xml:2735
++#: sssd.conf.5.xml:291 sssd.conf.5.xml:2743
+ msgid "user name"
+ msgstr "käyttäjänimi"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:294 sssd.conf.5.xml:2738
++#: sssd.conf.5.xml:294 sssd.conf.5.xml:2746
+ msgid "%2$s"
+ msgstr "%2$s"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:297 sssd.conf.5.xml:2741
++#: sssd.conf.5.xml:297 sssd.conf.5.xml:2749
+ msgid "domain name as specified in the SSSD config file."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:303 sssd.conf.5.xml:2747
++#: sssd.conf.5.xml:303 sssd.conf.5.xml:2755
+ msgid "%3$s"
+ msgstr "%3$s"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:306 sssd.conf.5.xml:2750
++#: sssd.conf.5.xml:306 sssd.conf.5.xml:2758
+ msgid ""
+ "domain flat name. Mostly usable for Active Directory domains, both directly "
+ "configured or discovered via IPA trusts."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:287 sssd.conf.5.xml:2731
++#: sssd.conf.5.xml:287 sssd.conf.5.xml:2739
+ msgid ""
+ "The following expansions are supported: <placeholder type=\"variablelist\" "
+ "id=\"0\"/>"
+@@ -630,9 +630,9 @@ msgstr ""
+ 
+ #. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:418 sssd.conf.5.xml:1166 sssd-ldap.5.xml:717
+-#: sssd-ldap.5.xml:1357 sssd-ldap.5.xml:1711 sssd-ldap.5.xml:1723
+-#: sssd-ldap.5.xml:1805 sssd-ad.5.xml:712 sssd-ad.5.xml:787 sssd.8.xml:126
+-#: sssd-krb5.5.xml:410 sssd-krb5.5.xml:556 sssd-secrets.5.xml:339
++#: sssd-ldap.5.xml:1357 sssd-ldap.5.xml:1718 sssd-ldap.5.xml:1730
++#: sssd-ldap.5.xml:1822 sssd-ad.5.xml:731 sssd-ad.5.xml:806 sssd.8.xml:126
++#: sssd-krb5.5.xml:410 sssd-krb5.5.xml:590 sssd-secrets.5.xml:339
+ #: sssd-secrets.5.xml:377 sssd-secrets.5.xml:390 sssd-secrets.5.xml:404
+ #: sssd-secrets.5.xml:415 include/ldap_id_mapping.xml:205
+ #: include/ldap_id_mapping.xml:216
+@@ -823,7 +823,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:588 sssd.conf.5.xml:1389 sssd.conf.5.xml:3172
++#: sssd.conf.5.xml:588 sssd.conf.5.xml:1389 sssd.conf.5.xml:3195
+ #: sssd-ad.5.xml:164 sssd-ad.5.xml:302 sssd-ad.5.xml:316
+ msgid "Default: Not set"
+ msgstr ""
+@@ -1145,7 +1145,7 @@ msgstr ""
+ 
+ #. type: Content of: <varlistentry><listitem><para>
+ #: sssd.conf.5.xml:859 sssd.conf.5.xml:1299 sssd.conf.5.xml:1318
+-#: sssd-krb5.5.xml:539 include/override_homedir.xml:59
++#: sssd-krb5.5.xml:573 include/override_homedir.xml:59
+ msgid "example: <placeholder type=\"programlisting\" id=\"0\"/>"
+ msgstr ""
+ 
+@@ -1566,7 +1566,7 @@ msgid "pam_pwd_expiration_warning (integer)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:1201 sssd.conf.5.xml:2153
++#: sssd.conf.5.xml:1201 sssd.conf.5.xml:2161
+ msgid "Display a warning N days before the password expires."
+ msgstr ""
+ 
+@@ -1579,7 +1579,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:1210 sssd.conf.5.xml:2156
++#: sssd.conf.5.xml:1210 sssd.conf.5.xml:2164
+ msgid ""
+ "If zero is set, then this filter is not applied, i.e. if the expiration "
+ "warning was received from backend server, it will automatically be displayed."
+@@ -1593,7 +1593,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:1220 sssd.conf.5.xml:2976 sssd.8.xml:79
++#: sssd.conf.5.xml:1220 sssd.conf.5.xml:2991 sssd.8.xml:79
+ msgid "Default: 0"
+ msgstr ""
+ 
+@@ -1656,7 +1656,7 @@ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:1280 sssd.conf.5.xml:1305 sssd.conf.5.xml:1324
+-#: sssd.conf.5.xml:1950 sssd.conf.5.xml:2912 sssd-ldap.5.xml:2017
++#: sssd.conf.5.xml:1950 sssd.conf.5.xml:2920 sssd-ldap.5.xml:2037
+ msgid "Default: none"
+ msgstr ""
+ 
+@@ -1721,9 +1721,9 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:1338 sssd.conf.5.xml:3056 sssd-ldap.5.xml:1125
+-#: sssd-ldap.5.xml:1152 sssd-ldap.5.xml:1552 sssd-ldap.5.xml:1573
+-#: sssd-ldap.5.xml:2090 include/ldap_id_mapping.xml:244
++#: sssd.conf.5.xml:1338 sssd-ldap.5.xml:1125 sssd-ldap.5.xml:1152
++#: sssd-ldap.5.xml:1552 sssd-ldap.5.xml:1573 sssd-ldap.5.xml:2110
++#: sssd-ad.5.xml:453 include/ldap_id_mapping.xml:244
+ msgid "Default: False"
+ msgstr ""
+ 
+@@ -1821,48 +1821,48 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:1416 sssd-ad.5.xml:485 sssd-ad.5.xml:581 sssd-ad.5.xml:627
+-#: sssd-ad.5.xml:673 sssd-ad.5.xml:739
++#: sssd.conf.5.xml:1416 sssd-ad.5.xml:504 sssd-ad.5.xml:600 sssd-ad.5.xml:646
++#: sssd-ad.5.xml:692 sssd-ad.5.xml:758
+ msgid "Default: the default set of PAM service names includes:"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd.conf.5.xml:1421 sssd-ad.5.xml:489
++#: sssd.conf.5.xml:1421 sssd-ad.5.xml:508
+ msgid "login"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd.conf.5.xml:1426 sssd-ad.5.xml:494
++#: sssd.conf.5.xml:1426 sssd-ad.5.xml:513
+ msgid "su"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd.conf.5.xml:1431 sssd-ad.5.xml:499
++#: sssd.conf.5.xml:1431 sssd-ad.5.xml:518
+ msgid "su-l"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd.conf.5.xml:1436 sssd-ad.5.xml:514
++#: sssd.conf.5.xml:1436 sssd-ad.5.xml:533
+ msgid "gdm-smartcard"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd.conf.5.xml:1441 sssd-ad.5.xml:509
++#: sssd.conf.5.xml:1441 sssd-ad.5.xml:528
+ msgid "gdm-password"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd.conf.5.xml:1446 sssd-ad.5.xml:519
++#: sssd.conf.5.xml:1446 sssd-ad.5.xml:538
+ msgid "kdm"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd.conf.5.xml:1451 sssd-ad.5.xml:748
++#: sssd.conf.5.xml:1451 sssd-ad.5.xml:767
+ msgid "sudo"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd.conf.5.xml:1456 sssd-ad.5.xml:753
++#: sssd.conf.5.xml:1456 sssd-ad.5.xml:772
+ msgid "sudo-i"
+ msgstr ""
+ 
+@@ -2305,7 +2305,7 @@ msgid "FALSE = No enumerations for this domain"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:1886 sssd.conf.5.xml:2108 sssd.conf.5.xml:2283
++#: sssd.conf.5.xml:1886 sssd.conf.5.xml:2116 sssd.conf.5.xml:2291
+ msgid "Default: FALSE"
+ msgstr ""
+ 
+@@ -2521,41 +2521,49 @@ msgstr ""
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:2083
+ msgid ""
+-"The background refresh will process users, groups and netgroups in the cache."
++"The background refresh will process users, groups and netgroups in the "
++"cache. For users who have performed the initgroups (get group membership for "
++"user, typically ran at login)  operation in the past, both the user entry "
++"and the group membership are updated."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2087
++#: sssd.conf.5.xml:2091
++msgid "This option is automatically inherited for all trusted domains."
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
++#: sssd.conf.5.xml:2095
+ msgid "You can consider setting this value to 3/4 * entry_cache_timeout."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2091 sssd-ldap.5.xml:784 sssd-ipa.5.xml:254
++#: sssd.conf.5.xml:2099 sssd-ldap.5.xml:784 sssd-ipa.5.xml:254
+ msgid "Default: 0 (disabled)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2097
++#: sssd.conf.5.xml:2105
+ msgid "cache_credentials (bool)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2100
++#: sssd.conf.5.xml:2108
+ msgid "Determines if user credentials are also cached in the local LDB cache"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2104
++#: sssd.conf.5.xml:2112
+ msgid "User credentials are stored in a SHA512 hash, not in plaintext"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2114
++#: sssd.conf.5.xml:2122
+ msgid "cache_credentials_minimal_first_factor_length (int)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2117
++#: sssd.conf.5.xml:2125
+ msgid ""
+ "If 2-Factor-Authentication (2FA) is used and credentials should be saved "
+ "this value determines the minimal length the first authentication factor "
+@@ -2563,24 +2571,24 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2124
++#: sssd.conf.5.xml:2132
+ msgid ""
+ "This should avoid that the short PINs of a PIN based 2FA scheme are saved in "
+ "the cache which would make them easy targets for brute-force attacks."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2129
++#: sssd.conf.5.xml:2137
+ msgid "Default: 8"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2135
++#: sssd.conf.5.xml:2143
+ msgid "account_cache_expiration (integer)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2138
++#: sssd.conf.5.xml:2146
+ msgid ""
+ "Number of days entries are left in cache after last successful login before "
+ "being removed during a cleanup of the cache. 0 means keep forever.  The "
+@@ -2589,17 +2597,17 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2145
++#: sssd.conf.5.xml:2153
+ msgid "Default: 0 (unlimited)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2150
++#: sssd.conf.5.xml:2158
+ msgid "pwd_expiration_warning (integer)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2161
++#: sssd.conf.5.xml:2169
+ msgid ""
+ "Please note that the backend server has to provide information about the "
+ "expiration time of the password.  If this information is missing, sssd "
+@@ -2608,34 +2616,34 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2168
++#: sssd.conf.5.xml:2176
+ msgid "Default: 7 (Kerberos), 0 (LDAP)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2174
++#: sssd.conf.5.xml:2182
+ msgid "id_provider (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2177
++#: sssd.conf.5.xml:2185
+ msgid ""
+ "The identification provider used for the domain.  Supported ID providers are:"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2181
++#: sssd.conf.5.xml:2189
+ msgid "<quote>proxy</quote>: Support a legacy NSS provider."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2184
++#: sssd.conf.5.xml:2192
+ msgid ""
+ "<quote>local</quote>: SSSD internal provider for local users (DEPRECATED)."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2188
++#: sssd.conf.5.xml:2196
+ msgid ""
+ "<quote>files</quote>: FILES provider. See <citerefentry> <refentrytitle>sssd-"
+ "files</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> for more "
+@@ -2643,7 +2651,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2196
++#: sssd.conf.5.xml:2204
+ msgid ""
+ "<quote>ldap</quote>: LDAP provider. See <citerefentry> <refentrytitle>sssd-"
+ "ldap</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> for more "
+@@ -2651,8 +2659,8 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2204 sssd.conf.5.xml:2309 sssd.conf.5.xml:2364
+-#: sssd.conf.5.xml:2427
++#: sssd.conf.5.xml:2212 sssd.conf.5.xml:2317 sssd.conf.5.xml:2372
++#: sssd.conf.5.xml:2435
+ msgid ""
+ "<quote>ipa</quote>: FreeIPA and Red Hat Enterprise Identity Management "
+ "provider. See <citerefentry> <refentrytitle>sssd-ipa</refentrytitle> "
+@@ -2661,8 +2669,8 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2213 sssd.conf.5.xml:2318 sssd.conf.5.xml:2373
+-#: sssd.conf.5.xml:2436
++#: sssd.conf.5.xml:2221 sssd.conf.5.xml:2326 sssd.conf.5.xml:2381
++#: sssd.conf.5.xml:2444
+ msgid ""
+ "<quote>ad</quote>: Active Directory provider. See <citerefentry> "
+ "<refentrytitle>sssd-ad</refentrytitle> <manvolnum>5</manvolnum> </"
+@@ -2670,19 +2678,19 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2224
++#: sssd.conf.5.xml:2232
+ msgid "use_fully_qualified_names (bool)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2227
++#: sssd.conf.5.xml:2235
+ msgid ""
+ "Use the full name and domain (as formatted by the domain's full_name_format) "
+ "as the user's login name reported to NSS."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2232
++#: sssd.conf.5.xml:2240
+ msgid ""
+ "If set to TRUE, all requests to this domain must use fully qualified names. "
+ "For example, if used in LOCAL domain that contains a \"test\" user, "
+@@ -2691,7 +2699,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2240
++#: sssd.conf.5.xml:2248
+ msgid ""
+ "NOTE: This option has no effect on netgroup lookups due to their tendency to "
+ "include nested netgroups without qualified names. For netgroups, all domains "
+@@ -2699,22 +2707,22 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2247
++#: sssd.conf.5.xml:2255
+ msgid "Default: FALSE (TRUE if default_domain_suffix is used)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2253
++#: sssd.conf.5.xml:2261
+ msgid "ignore_group_members (bool)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2256
++#: sssd.conf.5.xml:2264
+ msgid "Do not return group members for group lookups."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2259
++#: sssd.conf.5.xml:2267
+ msgid ""
+ "If set to TRUE, the group membership attribute is not requested from the "
+ "ldap server, and group members are not returned when processing group lookup "
+@@ -2726,7 +2734,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2277
++#: sssd.conf.5.xml:2285
+ msgid ""
+ "Enabling this option can also make access provider checks for group "
+ "membership significantly faster, especially for groups containing many "
+@@ -2734,19 +2742,19 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2288
++#: sssd.conf.5.xml:2296
+ msgid "auth_provider (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2291
++#: sssd.conf.5.xml:2299
+ msgid ""
+ "The authentication provider used for the domain.  Supported auth providers "
+ "are:"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2295 sssd.conf.5.xml:2357
++#: sssd.conf.5.xml:2303 sssd.conf.5.xml:2365
+ msgid ""
+ "<quote>ldap</quote> for native LDAP authentication. See <citerefentry> "
+ "<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
+@@ -2754,7 +2762,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2302
++#: sssd.conf.5.xml:2310
+ msgid ""
+ "<quote>krb5</quote> for Kerberos authentication. See <citerefentry> "
+ "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </"
+@@ -2762,35 +2770,35 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2326
++#: sssd.conf.5.xml:2334
+ msgid ""
+ "<quote>proxy</quote> for relaying authentication to some other PAM target."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2329
++#: sssd.conf.5.xml:2337
+ msgid "<quote>local</quote>: SSSD internal provider for local users"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2333
++#: sssd.conf.5.xml:2341
+ msgid "<quote>none</quote> disables authentication explicitly."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2336
++#: sssd.conf.5.xml:2344
+ msgid ""
+ "Default: <quote>id_provider</quote> is used if it is set and can handle "
+ "authentication requests."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2342
++#: sssd.conf.5.xml:2350
+ msgid "access_provider (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2345
++#: sssd.conf.5.xml:2353
+ msgid ""
+ "The access control provider used for the domain.  There are two built-in "
+ "access providers (in addition to any included in installed backends)  "
+@@ -2798,19 +2806,19 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2351
++#: sssd.conf.5.xml:2359
+ msgid ""
+ "<quote>permit</quote> always allow access. It's the only permitted access "
+ "provider for a local domain."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2354
++#: sssd.conf.5.xml:2362
+ msgid "<quote>deny</quote> always deny access."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2381
++#: sssd.conf.5.xml:2389
+ msgid ""
+ "<quote>simple</quote> access control based on access or deny lists. See "
+ "<citerefentry> <refentrytitle>sssd-simple</refentrytitle> <manvolnum>5</"
+@@ -2819,7 +2827,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2388
++#: sssd.conf.5.xml:2396
+ msgid ""
+ "<quote>krb5</quote>: .k5login based access control.  See <citerefentry> "
+ "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum></"
+@@ -2827,29 +2835,29 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2395
++#: sssd.conf.5.xml:2403
+ msgid "<quote>proxy</quote> for relaying access control to another PAM module."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2398
++#: sssd.conf.5.xml:2406
+ msgid "Default: <quote>permit</quote>"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2403
++#: sssd.conf.5.xml:2411
+ msgid "chpass_provider (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2406
++#: sssd.conf.5.xml:2414
+ msgid ""
+ "The provider which should handle change password operations for the domain.  "
+ "Supported change password providers are:"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2411
++#: sssd.conf.5.xml:2419
+ msgid ""
+ "<quote>ldap</quote> to change a password stored in a LDAP server. See "
+ "<citerefentry> <refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</"
+@@ -2857,7 +2865,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2419
++#: sssd.conf.5.xml:2427
+ msgid ""
+ "<quote>krb5</quote> to change the Kerberos password. See <citerefentry> "
+ "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </"
+@@ -2865,35 +2873,35 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2444
++#: sssd.conf.5.xml:2452
+ msgid ""
+ "<quote>proxy</quote> for relaying password changes to some other PAM target."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2448
++#: sssd.conf.5.xml:2456
+ msgid "<quote>none</quote> disallows password changes explicitly."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2451
++#: sssd.conf.5.xml:2459
+ msgid ""
+ "Default: <quote>auth_provider</quote> is used if it is set and can handle "
+ "change password requests."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2458
++#: sssd.conf.5.xml:2466
+ msgid "sudo_provider (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2461
++#: sssd.conf.5.xml:2469
+ msgid "The SUDO provider used for the domain.  Supported SUDO providers are:"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2465
++#: sssd.conf.5.xml:2473
+ msgid ""
+ "<quote>ldap</quote> for rules stored in LDAP. See <citerefentry> "
+ "<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
+@@ -2901,32 +2909,32 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2473
++#: sssd.conf.5.xml:2481
+ msgid ""
+ "<quote>ipa</quote> the same as <quote>ldap</quote> but with IPA default "
+ "settings."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2477
++#: sssd.conf.5.xml:2485
+ msgid ""
+ "<quote>ad</quote> the same as <quote>ldap</quote> but with AD default "
+ "settings."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2481
++#: sssd.conf.5.xml:2489
+ msgid "<quote>none</quote> disables SUDO explicitly."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2484 sssd.conf.5.xml:2570 sssd.conf.5.xml:2640
+-#: sssd.conf.5.xml:2665
++#: sssd.conf.5.xml:2492 sssd.conf.5.xml:2578 sssd.conf.5.xml:2648
++#: sssd.conf.5.xml:2673
+ msgid "Default: The value of <quote>id_provider</quote> is used if it is set."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2488
++#: sssd.conf.5.xml:2496
+ msgid ""
+ "The detailed instructions for configuration of sudo_provider are in the "
+ "manual page <citerefentry> <refentrytitle>sssd-sudo</refentrytitle> "
+@@ -2937,7 +2945,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2503
++#: sssd.conf.5.xml:2511
+ msgid ""
+ "<emphasis>NOTE:</emphasis> Sudo rules are periodically downloaded in the "
+ "background unless the sudo provider is explicitly disabled. Set "
+@@ -2946,12 +2954,12 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2513
++#: sssd.conf.5.xml:2521
+ msgid "selinux_provider (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2516
++#: sssd.conf.5.xml:2524
+ msgid ""
+ "The provider which should handle loading of selinux settings. Note that this "
+ "provider will be called right after access provider ends.  Supported selinux "
+@@ -2959,7 +2967,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2522
++#: sssd.conf.5.xml:2530
+ msgid ""
+ "<quote>ipa</quote> to load selinux settings from an IPA server. See "
+ "<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</"
+@@ -2967,31 +2975,31 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2530
++#: sssd.conf.5.xml:2538
+ msgid "<quote>none</quote> disallows fetching selinux settings explicitly."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2533
++#: sssd.conf.5.xml:2541
+ msgid ""
+ "Default: <quote>id_provider</quote> is used if it is set and can handle "
+ "selinux loading requests."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2539
++#: sssd.conf.5.xml:2547
+ msgid "subdomains_provider (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2542
++#: sssd.conf.5.xml:2550
+ msgid ""
+ "The provider which should handle fetching of subdomains. This value should "
+ "be always the same as id_provider.  Supported subdomain providers are:"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2548
++#: sssd.conf.5.xml:2556
+ msgid ""
+ "<quote>ipa</quote> to load a list of subdomains from an IPA server. See "
+ "<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</"
+@@ -2999,7 +3007,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2557
++#: sssd.conf.5.xml:2565
+ msgid ""
+ "<quote>ad</quote> to load a list of subdomains from an Active Directory "
+ "server. See <citerefentry> <refentrytitle>sssd-ad</refentrytitle> "
+@@ -3008,17 +3016,17 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2566
++#: sssd.conf.5.xml:2574
+ msgid "<quote>none</quote> disallows fetching subdomains explicitly."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2576
++#: sssd.conf.5.xml:2584
+ msgid "session_provider (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2579
++#: sssd.conf.5.xml:2587
+ msgid ""
+ "The provider which configures and manages user session related tasks. The "
+ "only user session task currently provided is the integration with Fleet "
+@@ -3026,43 +3034,43 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2586
++#: sssd.conf.5.xml:2594
+ msgid "<quote>ipa</quote> to allow performing user session related tasks."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2590
++#: sssd.conf.5.xml:2598
+ msgid ""
+ "<quote>none</quote> does not perform any kind of user session related tasks."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2594
++#: sssd.conf.5.xml:2602
+ msgid ""
+ "Default: <quote>id_provider</quote> is used if it is set and can perform "
+ "session related tasks."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2598
++#: sssd.conf.5.xml:2606
+ msgid ""
+ "<emphasis>NOTE:</emphasis> In order to have this feature working as expected "
+ "SSSD must be running as \"root\" and not as the unprivileged user."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2606
++#: sssd.conf.5.xml:2614
+ msgid "autofs_provider (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2609
++#: sssd.conf.5.xml:2617
+ msgid ""
+ "The autofs provider used for the domain.  Supported autofs providers are:"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2613
++#: sssd.conf.5.xml:2621
+ msgid ""
+ "<quote>ldap</quote> to load maps stored in LDAP. See <citerefentry> "
+ "<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
+@@ -3070,7 +3078,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2620
++#: sssd.conf.5.xml:2628
+ msgid ""
+ "<quote>ipa</quote> to load maps stored in an IPA server. See <citerefentry> "
+ "<refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</manvolnum> </"
+@@ -3078,7 +3086,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2628
++#: sssd.conf.5.xml:2636
+ msgid ""
+ "<quote>ad</quote> to load maps stored in an AD server. See <citerefentry> "
+ "<refentrytitle>sssd-ad</refentrytitle> <manvolnum>5</manvolnum> </"
+@@ -3086,24 +3094,24 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2637
++#: sssd.conf.5.xml:2645
+ msgid "<quote>none</quote> disables autofs explicitly."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2647
++#: sssd.conf.5.xml:2655
+ msgid "hostid_provider (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2650
++#: sssd.conf.5.xml:2658
+ msgid ""
+ "The provider used for retrieving host identity information.  Supported "
+ "hostid providers are:"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2654
++#: sssd.conf.5.xml:2662
+ msgid ""
+ "<quote>ipa</quote> to load host identity stored in an IPA server. See "
+ "<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</"
+@@ -3111,12 +3119,12 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2662
++#: sssd.conf.5.xml:2670
+ msgid "<quote>none</quote> disables hostid explicitly."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2675
++#: sssd.conf.5.xml:2683
+ msgid ""
+ "Regular expression for this domain that describes how to parse the string "
+ "containing user name and domain into these components.  The \"domain\" can "
+@@ -3126,7 +3134,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2684
++#: sssd.conf.5.xml:2692
+ msgid ""
+ "Default for the AD and IPA provider: <quote>(((?P&lt;domain&gt;[^\\\\]+)\\"
+ "\\(?P&lt;name&gt;.+$))|((?P&lt;name&gt;[^@]+)@(?P&lt;domain&gt;.+$))|(^(?"
+@@ -3135,29 +3143,29 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd.conf.5.xml:2689
++#: sssd.conf.5.xml:2697
+ msgid "username"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd.conf.5.xml:2692
++#: sssd.conf.5.xml:2700
+ msgid "username@domain.name"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd.conf.5.xml:2695
++#: sssd.conf.5.xml:2703
+ msgid "domain\\username"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2698
++#: sssd.conf.5.xml:2706
+ msgid ""
+ "While the first two correspond to the general default the third one is "
+ "introduced to allow easy integration of users from Windows domains."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2703
++#: sssd.conf.5.xml:2711
+ msgid ""
+ "Default: <quote>(?P&lt;name&gt;[^@]+)@?(?P&lt;domain&gt;[^@]*$)</quote> "
+ "which translates to \"the name is everything up to the <quote>@</quote> "
+@@ -3165,7 +3173,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2709
++#: sssd.conf.5.xml:2717
+ msgid ""
+ "NOTE: Some Active Directory groups, typically those used for MS Exchange "
+ "contain an <quote>@</quote> sign in the name, which clashes with the default "
+@@ -3175,59 +3183,59 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2760
++#: sssd.conf.5.xml:2768
+ msgid "Default: <quote>%1$s@%2$s</quote>."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2766
++#: sssd.conf.5.xml:2774
+ msgid "lookup_family_order (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2769
++#: sssd.conf.5.xml:2777
+ msgid ""
+ "Provides the ability to select preferred address family to use when "
+ "performing DNS lookups."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2773
++#: sssd.conf.5.xml:2781
+ msgid "Supported values:"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2776
++#: sssd.conf.5.xml:2784
+ msgid "ipv4_first: Try looking up IPv4 address, if that fails, try IPv6"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2779
++#: sssd.conf.5.xml:2787
+ msgid "ipv4_only: Only attempt to resolve hostnames to IPv4 addresses."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2782
++#: sssd.conf.5.xml:2790
+ msgid "ipv6_first: Try looking up IPv6 address, if that fails, try IPv4"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2785
++#: sssd.conf.5.xml:2793
+ msgid "ipv6_only: Only attempt to resolve hostnames to IPv6 addresses."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2788
++#: sssd.conf.5.xml:2796
+ msgid "Default: ipv4_first"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2794
++#: sssd.conf.5.xml:2802
+ msgid "dns_resolver_timeout (integer)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2797
++#: sssd.conf.5.xml:2805
+ msgid ""
+ "Defines the amount of time (in seconds) to wait for a reply from the "
+ "internal fail over service before assuming that the service is unreachable. "
+@@ -3236,77 +3244,77 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2804
++#: sssd.conf.5.xml:2812
+ msgid ""
+ "Please see the section <quote>FAILOVER</quote> for more information about "
+ "the service resolution."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2809 sssd-ldap.5.xml:1434 sssd-ldap.5.xml:1476
++#: sssd.conf.5.xml:2817 sssd-ldap.5.xml:1434 sssd-ldap.5.xml:1476
+ #: sssd-ldap.5.xml:1494 sssd-krb5.5.xml:248
+ msgid "Default: 6"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2815
++#: sssd.conf.5.xml:2823
+ msgid "dns_discovery_domain (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2818
++#: sssd.conf.5.xml:2826
+ msgid ""
+ "If service discovery is used in the back end, specifies the domain part of "
+ "the service discovery DNS query."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2822
++#: sssd.conf.5.xml:2830
+ msgid "Default: Use the domain part of machine's hostname"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2828
++#: sssd.conf.5.xml:2836
+ msgid "override_gid (integer)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2831
++#: sssd.conf.5.xml:2839
+ msgid "Override the primary GID value with the one specified."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2837
++#: sssd.conf.5.xml:2845
+ msgid "case_sensitive (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2845
++#: sssd.conf.5.xml:2853
+ msgid "True"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2848
++#: sssd.conf.5.xml:2856
+ msgid "Case sensitive. This value is invalid for AD provider."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2854
++#: sssd.conf.5.xml:2862
+ msgid "False"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2856
++#: sssd.conf.5.xml:2864
+ msgid "Case insensitive."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2860
++#: sssd.conf.5.xml:2868
+ msgid "Preserving"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2863
++#: sssd.conf.5.xml:2871
+ msgid ""
+ "Same as False (case insensitive), but does not lowercase names in the result "
+ "of NSS operations. Note that name aliases (and in case of services also "
+@@ -3314,7 +3322,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2840
++#: sssd.conf.5.xml:2848
+ msgid ""
+ "Treat user and group names as case sensitive. At the moment, this option is "
+ "not supported in the local provider. Possible option values are: "
+@@ -3322,17 +3330,17 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2875
++#: sssd.conf.5.xml:2883
+ msgid "Default: True (False for AD provider)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2881
++#: sssd.conf.5.xml:2889
+ msgid "subdomain_inherit (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2884
++#: sssd.conf.5.xml:2892
+ msgid ""
+ "Specifies a list of configuration parameters that should be inherited by a "
+ "subdomain. Please note that only selected parameters can be inherited.  "
+@@ -3340,34 +3348,34 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2890
++#: sssd.conf.5.xml:2898
+ msgid "ignore_group_members"
+ msgstr "ignore_group_members"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2893
++#: sssd.conf.5.xml:2901
+ msgid "ldap_purge_cache_timeout"
+ msgstr "ldap_purge_cache_timeout"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2896 sssd-ldap.5.xml:1158
++#: sssd.conf.5.xml:2904 sssd-ldap.5.xml:1158
+ msgid "ldap_use_tokengroups"
+ msgstr "ldap_use_tokengroups"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2899
++#: sssd.conf.5.xml:2907
+ msgid "ldap_user_principal"
+ msgstr "ldap_user_principal"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2902
++#: sssd.conf.5.xml:2910
+ msgid ""
+ "ldap_krb5_keytab (the value of krb5_keytab will be used if ldap_krb5_keytab "
+ "is not set explicitly)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
+-#: sssd.conf.5.xml:2908
++#: sssd.conf.5.xml:2916
+ #, no-wrap
+ msgid ""
+ "subdomain_inherit = ldap_purge_cache_timeout\n"
+@@ -3377,32 +3385,32 @@ msgstr ""
+ "                            "
+ 
+ #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2906 sssd-secrets.5.xml:448
++#: sssd.conf.5.xml:2914 sssd-secrets.5.xml:448
+ msgid "Example: <placeholder type=\"programlisting\" id=\"0\"/>"
+ msgstr "Esimerkki: <placeholder type=\"programlisting\" id=\"0\"/>"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2915
++#: sssd.conf.5.xml:2923
+ msgid "Note: This option only works with the IPA and AD provider."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2922
++#: sssd.conf.5.xml:2930
+ msgid "subdomain_homedir (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2933
++#: sssd.conf.5.xml:2941
+ msgid "%F"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2934
++#: sssd.conf.5.xml:2942
+ msgid "flat (NetBIOS) name of a subdomain."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2925
++#: sssd.conf.5.xml:2933
+ msgid ""
+ "Use this homedir as default value for all subdomains within this domain in "
+ "IPA AD trust.  See <emphasis>override_homedir</emphasis> for info about "
+@@ -3412,47 +3420,55 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2939
++#: sssd.conf.5.xml:2947
+ msgid ""
+ "The value can be overridden by <emphasis>override_homedir</emphasis> option."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2943
++#: sssd.conf.5.xml:2951
+ msgid "Default: <filename>/home/%d/%u</filename>"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2948
++#: sssd.conf.5.xml:2956
+ msgid "realmd_tags (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2951
++#: sssd.conf.5.xml:2959
+ msgid ""
+ "Various tags stored by the realmd configuration service for this domain."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2957
++#: sssd.conf.5.xml:2965
+ msgid "cached_auth_timeout (int)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2960
++#: sssd.conf.5.xml:2968
+ msgid ""
+ "Specifies time in seconds since last successful online authentication for "
+ "which user will be authenticated using cached credentials while SSSD is in "
+-"the online mode."
++"the online mode. If the credentials are incorrect, SSSD falls back to online "
++"authentication."
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
++#: sssd.conf.5.xml:2976
++msgid ""
++"This option's value is inherited by all trusted domains. At the moment it is "
++"not possible to set a different value per trusted domain."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2966
++#: sssd.conf.5.xml:2981
+ msgid "Special value 0 implies that this feature is disabled."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2970
++#: sssd.conf.5.xml:2985
+ msgid ""
+ "Please note that if <quote>cached_auth_timeout</quote> is longer than "
+ "<quote>pam_id_timeout</quote> then the back end could be called to handle "
+@@ -3460,41 +3476,50 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2981
++#: sssd.conf.5.xml:2996
+ msgid "auto_private_groups (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2987
++#: sssd.conf.5.xml:3002
+ msgid "true"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2990
++#: sssd.conf.5.xml:3005
+ msgid ""
+ "Create user's private group unconditionally from user's UID number.  The GID "
+ "number is ignored in this case."
+ msgstr ""
+ 
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
++#: sssd.conf.5.xml:3009
++msgid ""
++"NOTE: Because the GID number and the user private group are inferred from "
++"the UID number, it is not supported to have multiple entries with the same "
++"UID or GID number with this option. In other words, enabling this option "
++"enforces uniqueness across the ID space."
++msgstr ""
++
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2996
++#: sssd.conf.5.xml:3018
+ msgid "false"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2999
++#: sssd.conf.5.xml:3021
+ msgid ""
+ "Always use the user's primary GID number. The GID number must refer to a "
+ "group object in the LDAP database."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:3005
++#: sssd.conf.5.xml:3027
+ msgid "hybrid"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3008
++#: sssd.conf.5.xml:3030
+ msgid ""
+ "A primary group is autogenerated for user entries whose UID and GID numbers "
+ "have the same value and at the same time the GID number does not correspond "
+@@ -3504,14 +3529,14 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3021
++#: sssd.conf.5.xml:3043
+ msgid ""
+ "If the UID and GID of a user are different, then the GID must correspond to "
+ "a group entry, otherwise the GID is simply not resolvable."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3028
++#: sssd.conf.5.xml:3050
+ msgid ""
+ "This feature is useful for environments that wish to stop maintaining a "
+ "separate group objects for the user private groups, but also wish to retain "
+@@ -3519,7 +3544,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2984
++#: sssd.conf.5.xml:2999
+ #, fuzzy
+ #| msgid "<placeholder type=\"variablelist\" id=\"0\"/>"
+ msgid ""
+@@ -3528,27 +3553,36 @@ msgid ""
+ msgstr "<placeholder type=\"variablelist\" id=\"0\"/>"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3040
++#: sssd.conf.5.xml:3062
+ msgid ""
+-"For POSIX subdomains, setting the option in the main domain is inherited in "
+-"the subdomain."
++"For subdomains, the default value is False for subdomains that use assigned "
++"POSIX IDs and True for subdomains that use automatic ID-mapping."
+ msgstr ""
+ 
+-#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3044
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
++#: sssd.conf.5.xml:3070
++#, no-wrap
++msgid ""
++"[domain/forest.domain/sub.domain]\n"
++"auto_private_groups = false\n"
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
++#: sssd.conf.5.xml:3076
++#, no-wrap
+ msgid ""
+-"For ID-mapping subdomains, auto_private_groups is already enabled for the "
+-"subdomains and setting it to false will not have any effect for the "
+-"subdomain."
++"[domain/forest.domain]\n"
++"subdomain_inherit = auto_private_groups\n"
++"auto_private_groups = false\n"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3049
++#: sssd.conf.5.xml:3067
+ msgid ""
+-"NOTE: Because the GID number and the user private group are inferred from "
+-"the UID number, it is not supported to have multiple entries with the same "
+-"UID or GID number with this option. In other words, enabling this option "
+-"enforces uniqueness across the ID space."
++"The value of auto_private_groups can either be set per subdomains in a "
++"subsection, for example: <placeholder type=\"programlisting\" id=\"0\"/> or "
++"globally for all subdomains in the main domain section using the "
++"subdomain_inherit option: <placeholder type=\"programlisting\" id=\"1\"/>"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+@@ -3560,29 +3594,29 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:3068
++#: sssd.conf.5.xml:3091
+ msgid "proxy_pam_target (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3071
++#: sssd.conf.5.xml:3094
+ msgid "The proxy target PAM proxies to."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3074
++#: sssd.conf.5.xml:3097
+ msgid ""
+ "Default: not set by default, you have to take an existing pam configuration "
+ "or create a new one and add the service name here."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:3082
++#: sssd.conf.5.xml:3105
+ msgid "proxy_lib_name (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3085
++#: sssd.conf.5.xml:3108
+ msgid ""
+ "The name of the NSS library to use in proxy domains. The NSS functions "
+ "searched for in the library are in the form of _nss_$(libName)_$(function), "
+@@ -3590,12 +3624,12 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:3095
++#: sssd.conf.5.xml:3118
+ msgid "proxy_fast_alias (boolean)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3098
++#: sssd.conf.5.xml:3121
+ msgid ""
+ "When a user or group is looked up by name in the proxy provider, a second "
+ "lookup by ID is performed to \"canonicalize\" the name in case the requested "
+@@ -3604,12 +3638,12 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:3112
++#: sssd.conf.5.xml:3135
+ msgid "proxy_max_children (integer)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3115
++#: sssd.conf.5.xml:3138
+ msgid ""
+ "This option specifies the number of pre-forked proxy children. It is useful "
+ "for high-load SSSD environments where sssd may run out of available child "
+@@ -3617,19 +3651,19 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd.conf.5.xml:3064
++#: sssd.conf.5.xml:3087
+ msgid ""
+ "Options valid for proxy domains.  <placeholder type=\"variablelist\" id="
+ "\"0\"/>"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><title>
+-#: sssd.conf.5.xml:3131
++#: sssd.conf.5.xml:3154
+ msgid "Application domains"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para>
+-#: sssd.conf.5.xml:3133
++#: sssd.conf.5.xml:3156
+ msgid ""
+ "SSSD, with its D-Bus interface (see <citerefentry> <refentrytitle>sssd-ifp</"
+ "refentrytitle> <manvolnum>5</manvolnum> </citerefentry>) is appealing to "
+@@ -3646,7 +3680,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para>
+-#: sssd.conf.5.xml:3153
++#: sssd.conf.5.xml:3176
+ msgid ""
+ "Please note that the application domain must still be explicitly enabled in "
+ "the <quote>domains</quote> parameter so that the lookup order between the "
+@@ -3654,17 +3688,17 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><title>
+-#: sssd.conf.5.xml:3159
++#: sssd.conf.5.xml:3182
+ msgid "Application domain parameters"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:3161
++#: sssd.conf.5.xml:3184
+ msgid "inherit_from (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3164
++#: sssd.conf.5.xml:3187
+ msgid ""
+ "The SSSD POSIX-type domain the application domain inherits all settings "
+ "from. The application domain can moreover add its own settings to the "
+@@ -3673,7 +3707,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para>
+-#: sssd.conf.5.xml:3178
++#: sssd.conf.5.xml:3201
+ msgid ""
+ "The following example illustrates the use of an application domain. In this "
+ "setup, the POSIX domain is connected to an LDAP server and is used by the OS "
+@@ -3683,7 +3717,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><programlisting>
+-#: sssd.conf.5.xml:3186
++#: sssd.conf.5.xml:3209
+ #, no-wrap
+ msgid ""
+ "[sssd]\n"
+@@ -3703,12 +3737,12 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><title>
+-#: sssd.conf.5.xml:3204
++#: sssd.conf.5.xml:3227
+ msgid "The local domain section"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para>
+-#: sssd.conf.5.xml:3206
++#: sssd.conf.5.xml:3229
+ msgid ""
+ "This section contains settings for domain that stores users and groups in "
+ "SSSD native database, that is, a domain that uses "
+@@ -3716,73 +3750,73 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:3213
++#: sssd.conf.5.xml:3236
+ msgid "default_shell (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3216
++#: sssd.conf.5.xml:3239
+ msgid "The default shell for users created with SSSD userspace tools."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3220
++#: sssd.conf.5.xml:3243
+ msgid "Default: <filename>/bin/bash</filename>"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:3225
++#: sssd.conf.5.xml:3248
+ msgid "base_directory (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3228
++#: sssd.conf.5.xml:3251
+ msgid ""
+ "The tools append the login name to <replaceable>base_directory</replaceable> "
+ "and use that as the home directory."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3233
++#: sssd.conf.5.xml:3256
+ msgid "Default: <filename>/home</filename>"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:3238
++#: sssd.conf.5.xml:3261
+ msgid "create_homedir (bool)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3241
++#: sssd.conf.5.xml:3264
+ msgid ""
+ "Indicate if a home directory should be created by default for new users.  "
+ "Can be overridden on command line."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3245 sssd.conf.5.xml:3257
++#: sssd.conf.5.xml:3268 sssd.conf.5.xml:3280
+ msgid "Default: TRUE"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:3250
++#: sssd.conf.5.xml:3273
+ msgid "remove_homedir (bool)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3253
++#: sssd.conf.5.xml:3276
+ msgid ""
+ "Indicate if a home directory should be removed by default for deleted "
+ "users.  Can be overridden on command line."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:3262
++#: sssd.conf.5.xml:3285
+ msgid "homedir_umask (integer)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3265
++#: sssd.conf.5.xml:3288
+ msgid ""
+ "Used by <citerefentry> <refentrytitle>sss_useradd</refentrytitle> "
+ "<manvolnum>8</manvolnum> </citerefentry> to specify the default permissions "
+@@ -3790,17 +3824,17 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3273
++#: sssd.conf.5.xml:3296
+ msgid "Default: 077"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:3278
++#: sssd.conf.5.xml:3301
+ msgid "skel_dir (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3281
++#: sssd.conf.5.xml:3304
+ msgid ""
+ "The skeleton directory, which contains files and directories to be copied in "
+ "the user's home directory, when the home directory is created by "
+@@ -3809,17 +3843,17 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3291
++#: sssd.conf.5.xml:3314
+ msgid "Default: <filename>/etc/skel</filename>"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:3296
++#: sssd.conf.5.xml:3319
+ msgid "mail_dir (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3299
++#: sssd.conf.5.xml:3322
+ msgid ""
+ "The mail spool directory. This is needed to manipulate the mailbox when its "
+ "corresponding user account is modified or deleted.  If not specified, a "
+@@ -3827,17 +3861,17 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3306
++#: sssd.conf.5.xml:3329
+ msgid "Default: <filename>/var/mail</filename>"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:3311
++#: sssd.conf.5.xml:3334
+ msgid "userdel_cmd (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3314
++#: sssd.conf.5.xml:3337
+ msgid ""
+ "The command that is run after a user is removed.  The command us passed the "
+ "username of the user being removed as the first and only parameter. The "
+@@ -3845,17 +3879,17 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3320
++#: sssd.conf.5.xml:3343
+ msgid "Default: None, no command is run"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><title>
+-#: sssd.conf.5.xml:3330
++#: sssd.conf.5.xml:3353
+ msgid "TRUSTED DOMAIN SECTION"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd.conf.5.xml:3332
++#: sssd.conf.5.xml:3355
+ msgid ""
+ "Some options used in the domain section can also be used in the trusted "
+ "domain section, that is, in a section called <quote>[domain/"
+@@ -3866,64 +3900,180 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd.conf.5.xml:3339
++#: sssd.conf.5.xml:3362
+ msgid "ldap_search_base,"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd.conf.5.xml:3340
++#: sssd.conf.5.xml:3363
+ msgid "ldap_user_search_base,"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd.conf.5.xml:3341
++#: sssd.conf.5.xml:3364
+ msgid "ldap_group_search_base,"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd.conf.5.xml:3342
++#: sssd.conf.5.xml:3365
+ msgid "ldap_netgroup_search_base,"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd.conf.5.xml:3343
++#: sssd.conf.5.xml:3366
+ msgid "ldap_service_search_base,"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd.conf.5.xml:3344
++#: sssd.conf.5.xml:3367
++msgid "ldap_sasl_mech,"
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para>
++#: sssd.conf.5.xml:3368
+ msgid "ad_server,"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd.conf.5.xml:3345
++#: sssd.conf.5.xml:3369
+ msgid "ad_backup_server,"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd.conf.5.xml:3346
++#: sssd.conf.5.xml:3370
+ msgid "ad_site,"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para>
+-#: sssd.conf.5.xml:3347 sssd-ipa.5.xml:782
++#: sssd.conf.5.xml:3371 sssd-ipa.5.xml:782
+ msgid "use_fully_qualified_names"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd.conf.5.xml:3349
++#: sssd.conf.5.xml:3373
+ msgid ""
+ "For more details about these options see their individual description in the "
+ "manual page."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><title>
+-#: sssd.conf.5.xml:3355 idmap_sss.8.xml:43
++#: sssd.conf.5.xml:3379
++msgid "PROMPTING CONFIGURATION SECTION"
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para>
++#: sssd.conf.5.xml:3381
++msgid ""
++"If a special file (<filename>/var/lib/sss/pubconf/pam_preauth_available</"
++"filename>)  exists SSSD's PAM module pam_sss will ask SSSD to figure out "
++"which authentication methods are available for the user trying to log in.  "
++"Based on the results pam_sss will prompt the user for appropriate "
++"credentials."
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para>
++#: sssd.conf.5.xml:3389
++msgid ""
++"With the growing number of authentication methods and the possibility that "
++"there are multiple ones for a single user the heuristic used by pam_sss to "
++"select the prompting might not be suitable for all use cases. To following "
++"options should provide a better flexibility here."
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
++#: sssd.conf.5.xml:3401
++msgid "[prompting/password]"
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
++#: sssd.conf.5.xml:3404
++msgid "password_prompt"
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
++#: sssd.conf.5.xml:3405
++msgid "to change the string of the password prompt"
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
++#: sssd.conf.5.xml:3403
++#, fuzzy
++#| msgid "<placeholder type=\"variablelist\" id=\"0\"/>"
++msgid ""
++"to configure password prompting, allowed options are: <placeholder type="
++"\"variablelist\" id=\"0\"/>"
++msgstr "<placeholder type=\"variablelist\" id=\"0\"/>"
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
++#: sssd.conf.5.xml:3413
++msgid "[prompting/2fa]"
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
++#: sssd.conf.5.xml:3417
++msgid "first_prompt"
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
++#: sssd.conf.5.xml:3418
++msgid "to change the string of the prompt for the first factor"
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
++#: sssd.conf.5.xml:3421
++msgid "second_prompt"
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
++#: sssd.conf.5.xml:3422
++msgid "to change the string of the prompt for the second factor"
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
++#: sssd.conf.5.xml:3425
++msgid "single_prompt"
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
++#: sssd.conf.5.xml:3426
++msgid ""
++"boolean value, if True there will be only a single prompt using the value of "
++"first_prompt where it is expected that both factor are entered as a single "
++"string"
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
++#: sssd.conf.5.xml:3415
++#, fuzzy
++#| msgid "<placeholder type=\"variablelist\" id=\"0\"/>"
++msgid ""
++"to configure two-factor authentication prompting, allowed options are: "
++"<placeholder type=\"variablelist\" id=\"0\"/>"
++msgstr "<placeholder type=\"variablelist\" id=\"0\"/>"
++
++#. type: Content of: <reference><refentry><refsect1><para>
++#: sssd.conf.5.xml:3396
++msgid ""
++"Each supported authentication method has it's own configuration sub-section "
++"under <quote>[prompting/...]</quote>. Currently there are: <placeholder type="
++"\"variablelist\" id=\"0\"/> <placeholder type=\"variablelist\" id=\"1\"/>"
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para>
++#: sssd.conf.5.xml:3438
++msgid ""
++"It is possible to add a sub-section for specific PAM services like e.g. "
++"<quote>[prompting/password/sshd]</quote> to individual change the prompting "
++"for this service."
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><title>
++#: sssd.conf.5.xml:3445 idmap_sss.8.xml:43
+ msgid "EXAMPLES"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><programlisting>
+-#: sssd.conf.5.xml:3361
++#: sssd.conf.5.xml:3451
+ #, no-wrap
+ msgid ""
+ "[sssd]\n"
+@@ -3953,7 +4103,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd.conf.5.xml:3357
++#: sssd.conf.5.xml:3447
+ msgid ""
+ "1. The following example shows a typical SSSD config. It does not describe "
+ "configuration of the domains themselves - refer to documentation on "
+@@ -3962,7 +4112,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><programlisting>
+-#: sssd.conf.5.xml:3394
++#: sssd.conf.5.xml:3484
+ #, no-wrap
+ msgid ""
+ "[domain/ipa.com/child.ad.com]\n"
+@@ -3970,7 +4120,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd.conf.5.xml:3388
++#: sssd.conf.5.xml:3478
+ msgid ""
+ "2. The following example shows configuration of IPA AD trust where the AD "
+ "forest consists of two domains in a parent-child structure.  Suppose IPA "
+@@ -4871,7 +5021,7 @@ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:797 sssd-ldap.5.xml:1199 sssd-ldap.5.xml:1273
+-#: sssd-ldap.5.xml:1382 sssd-ldap.5.xml:2443 sssd-ipa.5.xml:607
++#: sssd-ldap.5.xml:1382 sssd-ldap.5.xml:2463 sssd-ipa.5.xml:607
+ msgid "Default: cn"
+ msgstr ""
+ 
+@@ -5576,7 +5726,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1511 sssd-ldap.5.xml:2600
++#: sssd-ldap.5.xml:1511 sssd-ldap.5.xml:2620
+ msgid "Default: 900 (15 minutes)"
+ msgstr ""
+ 
+@@ -5679,11 +5829,16 @@ msgstr ""
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:1604
+ msgid ""
+-"You can turn off dereference lookups completely by setting the value to 0."
++"You can turn off dereference lookups completely by setting the value to 0. "
++"Please note that there are some codepaths in SSSD, like the IPA HBAC "
++"provider, that are only implemented using the dereference call, so even with "
++"dereference explicitly disabled, those parts will still use dereference if "
++"the server supports it and advertises the dereference control in the rootDSE "
++"object."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1608
++#: sssd-ldap.5.xml:1615
+ msgid ""
+ "A dereference lookup is a means of fetching all group members in a single "
+ "LDAP call.  Different LDAP servers may implement different dereference "
+@@ -5692,7 +5847,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1616
++#: sssd-ldap.5.xml:1623
+ msgid ""
+ "<emphasis>Note:</emphasis> If any of the search bases specifies a search "
+ "filter, then the dereference lookup performance enhancement will be disabled "
+@@ -5700,26 +5855,26 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1629
++#: sssd-ldap.5.xml:1636
+ msgid "ldap_tls_reqcert (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1632
++#: sssd-ldap.5.xml:1639
+ msgid ""
+ "Specifies what checks to perform on server certificates in a TLS session, if "
+ "any. It can be specified as one of the following values:"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1638
++#: sssd-ldap.5.xml:1645
+ msgid ""
+ "<emphasis>never</emphasis> = The client will not request or check any server "
+ "certificate."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1642
++#: sssd-ldap.5.xml:1649
+ msgid ""
+ "<emphasis>allow</emphasis> = The server certificate is requested. If no "
+ "certificate is provided, the session proceeds normally. If a bad certificate "
+@@ -5727,7 +5882,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1649
++#: sssd-ldap.5.xml:1656
+ msgid ""
+ "<emphasis>try</emphasis> = The server certificate is requested. If no "
+ "certificate is provided, the session proceeds normally. If a bad certificate "
+@@ -5735,7 +5890,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1655
++#: sssd-ldap.5.xml:1662
+ msgid ""
+ "<emphasis>demand</emphasis> = The server certificate is requested. If no "
+ "certificate is provided, or a bad certificate is provided, the session is "
+@@ -5743,41 +5898,41 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1661
++#: sssd-ldap.5.xml:1668
+ msgid "<emphasis>hard</emphasis> = Same as <quote>demand</quote>"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1665
++#: sssd-ldap.5.xml:1672
+ msgid "Default: hard"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1671
++#: sssd-ldap.5.xml:1678
+ msgid "ldap_tls_cacert (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1674
++#: sssd-ldap.5.xml:1681
+ msgid ""
+ "Specifies the file that contains certificates for all of the Certificate "
+ "Authorities that <command>sssd</command> will recognize."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1679 sssd-ldap.5.xml:1697 sssd-ldap.5.xml:1738
++#: sssd-ldap.5.xml:1686 sssd-ldap.5.xml:1704 sssd-ldap.5.xml:1745
+ msgid ""
+ "Default: use OpenLDAP defaults, typically in <filename>/etc/openldap/ldap."
+ "conf</filename>"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1686
++#: sssd-ldap.5.xml:1693
+ msgid "ldap_tls_cacertdir (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1689
++#: sssd-ldap.5.xml:1696
+ msgid ""
+ "Specifies the path of a directory that contains Certificate Authority "
+ "certificates in separate individual files. Typically the file names need to "
+@@ -5786,32 +5941,32 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1704
++#: sssd-ldap.5.xml:1711
+ msgid "ldap_tls_cert (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1707
++#: sssd-ldap.5.xml:1714
+ msgid "Specifies the file that contains the certificate for the client's key."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1717
++#: sssd-ldap.5.xml:1724
+ msgid "ldap_tls_key (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1720
++#: sssd-ldap.5.xml:1727
+ msgid "Specifies the file that contains the client's key."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1729
++#: sssd-ldap.5.xml:1736
+ msgid "ldap_tls_cipher_suite (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1732
++#: sssd-ldap.5.xml:1739
+ msgid ""
+ "Specifies acceptable cipher suites.  Typically this is a colon separated "
+ "list.  See <citerefentry><refentrytitle>ldap.conf</refentrytitle> "
+@@ -5819,24 +5974,24 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1745
++#: sssd-ldap.5.xml:1752
+ msgid "ldap_id_use_start_tls (boolean)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1748
++#: sssd-ldap.5.xml:1755
+ msgid ""
+ "Specifies that the id_provider connection must also use <systemitem class="
+ "\"protocol\">tls</systemitem> to protect the channel."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1758
++#: sssd-ldap.5.xml:1765
+ msgid "ldap_id_mapping (boolean)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1761
++#: sssd-ldap.5.xml:1768
+ msgid ""
+ "Specifies that SSSD should attempt to map user and group IDs from the "
+ "ldap_user_objectsid and ldap_group_objectsid attributes instead of relying "
+@@ -5844,17 +5999,17 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1767
++#: sssd-ldap.5.xml:1774
+ msgid "Currently this feature supports only ActiveDirectory objectSID mapping."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1777
++#: sssd-ldap.5.xml:1784
+ msgid "ldap_min_id, ldap_max_id (integer)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1780
++#: sssd-ldap.5.xml:1787
+ msgid ""
+ "In contrast to the SID based ID mapping which is used if ldap_id_mapping is "
+ "set to true the allowed ID range for ldap_user_uid_number and "
+@@ -5865,29 +6020,40 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1792
++#: sssd-ldap.5.xml:1799
+ msgid "Default: not set (both options are set to 0)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1798
++#: sssd-ldap.5.xml:1805
+ msgid "ldap_sasl_mech (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1801
++#: sssd-ldap.5.xml:1808
++msgid ""
++"Specify the SASL mechanism to use.  Currently only GSSAPI and GSS-SPNEGO are "
++"tested and supported."
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
++#: sssd-ldap.5.xml:1812
+ msgid ""
+-"Specify the SASL mechanism to use.  Currently only GSSAPI is tested and "
+-"supported."
++"If the backend supports sub-domains the value of ldap_sasl_mech is "
++"automatically inherited to the sub-domains. If a different value is needed "
++"for a sub-domain it can be overwritten by setting ldap_sasl_mech for this "
++"sub-domain explicitly.  Please see TRUSTED DOMAIN SECTION in "
++"<citerefentry><refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</"
++"manvolnum></citerefentry> for details."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1811
++#: sssd-ldap.5.xml:1828
+ msgid "ldap_sasl_authid (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
+-#: sssd-ldap.5.xml:1822
++#: sssd-ldap.5.xml:1840
+ #, no-wrap
+ msgid ""
+ "hostname@REALM\n"
+@@ -5900,29 +6066,29 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1814
++#: sssd-ldap.5.xml:1831
+ msgid ""
+-"Specify the SASL authorization id to use.  When GSSAPI is used, this "
+-"represents the Kerberos principal used for authentication to the directory.  "
+-"This option can either contain the full principal (for example host/"
+-"myhost@EXAMPLE.COM) or just the principal name (for example host/myhost). By "
+-"default, the value is not set and the following principals are used: "
+-"<placeholder type=\"programlisting\" id=\"0\"/> If none of them are found, "
+-"the first principal in keytab is returned."
++"Specify the SASL authorization id to use.  When GSSAPI/GSS-SPNEGO are used, "
++"this represents the Kerberos principal used for authentication to the "
++"directory.  This option can either contain the full principal (for example "
++"host/myhost@EXAMPLE.COM) or just the principal name (for example host/"
++"myhost).  By default, the value is not set and the following principals are "
++"used: <placeholder type=\"programlisting\" id=\"0\"/> If none of them are "
++"found, the first principal in keytab is returned."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1833
++#: sssd-ldap.5.xml:1851
+ msgid "Default: host/hostname@REALM"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1839
++#: sssd-ldap.5.xml:1857
+ msgid "ldap_sasl_realm (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1842
++#: sssd-ldap.5.xml:1860
+ msgid ""
+ "Specify the SASL realm to use. When not specified, this option defaults to "
+ "the value of krb5_realm.  If the ldap_sasl_authid contains the realm as "
+@@ -5930,77 +6096,78 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1848
++#: sssd-ldap.5.xml:1866
+ msgid "Default: the value of krb5_realm."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1854
++#: sssd-ldap.5.xml:1872
+ msgid "ldap_sasl_canonicalize (boolean)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1857
++#: sssd-ldap.5.xml:1875
+ msgid ""
+ "If set to true, the LDAP library would perform a reverse lookup to "
+ "canonicalize the host name during a SASL bind."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1862
++#: sssd-ldap.5.xml:1880
+ msgid "Default: false;"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1868
++#: sssd-ldap.5.xml:1886
+ msgid "ldap_krb5_keytab (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1871
+-msgid "Specify the keytab to use when using SASL/GSSAPI."
++#: sssd-ldap.5.xml:1889
++msgid "Specify the keytab to use when using SASL/GSSAPI/GSS-SPNEGO."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1874
++#: sssd-ldap.5.xml:1893
+ msgid "Default: System keytab, normally <filename>/etc/krb5.keytab</filename>"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1880
++#: sssd-ldap.5.xml:1899
+ msgid "ldap_krb5_init_creds (boolean)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1883
++#: sssd-ldap.5.xml:1902
+ msgid ""
+ "Specifies that the id_provider should init Kerberos credentials (TGT).  This "
+ "action is performed only if SASL is used and the mechanism selected is "
+-"GSSAPI."
++"GSSAPI or GSS-SPNEGO."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1895
++#: sssd-ldap.5.xml:1914
+ msgid "ldap_krb5_ticket_lifetime (integer)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1898
+-msgid "Specifies the lifetime in seconds of the TGT if GSSAPI is used."
++#: sssd-ldap.5.xml:1917
++msgid ""
++"Specifies the lifetime in seconds of the TGT if GSSAPI or GSS-SPNEGO is used."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1902 sssd-ad.5.xml:959
++#: sssd-ldap.5.xml:1921 sssd-ad.5.xml:978
+ msgid "Default: 86400 (24 hours)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1908 sssd-krb5.5.xml:74
++#: sssd-ldap.5.xml:1927 sssd-krb5.5.xml:74
+ msgid "krb5_server, krb5_backup_server (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1911
++#: sssd-ldap.5.xml:1930
+ msgid ""
+ "Specifies the comma-separated list of IP addresses or hostnames of the "
+ "Kerberos servers to which SSSD should connect in the order of preference. "
+@@ -6012,7 +6179,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1923 sssd-krb5.5.xml:89
++#: sssd-ldap.5.xml:1942 sssd-krb5.5.xml:89
+ msgid ""
+ "When using service discovery for KDC or kpasswd servers, SSSD first searches "
+ "for DNS entries that specify _udp as the protocol and falls back to _tcp if "
+@@ -6020,7 +6187,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1928 sssd-krb5.5.xml:94
++#: sssd-ldap.5.xml:1947 sssd-krb5.5.xml:94
+ msgid ""
+ "This option was named <quote>krb5_kdcip</quote> in earlier releases of SSSD. "
+ "While the legacy name is recognized for the time being, users are advised to "
+@@ -6028,39 +6195,39 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1937 sssd-ipa.5.xml:428 sssd-krb5.5.xml:103
++#: sssd-ldap.5.xml:1956 sssd-ipa.5.xml:428 sssd-krb5.5.xml:103
+ msgid "krb5_realm (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1940
+-msgid "Specify the Kerberos REALM (for SASL/GSSAPI auth)."
++#: sssd-ldap.5.xml:1959
++msgid "Specify the Kerberos REALM (for SASL/GSSAPI/GSS-SPNEGO auth)."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1943
++#: sssd-ldap.5.xml:1963
+ msgid "Default: System defaults, see <filename>/etc/krb5.conf</filename>"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1949 sssd-krb5.5.xml:462
++#: sssd-ldap.5.xml:1969 sssd-krb5.5.xml:462
+ msgid "krb5_canonicalize (boolean)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1952
++#: sssd-ldap.5.xml:1972
+ msgid ""
+ "Specifies if the host principal should be canonicalized when connecting to "
+ "LDAP server. This feature is available with MIT Kerberos >= 1.7"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1964 sssd-krb5.5.xml:477
++#: sssd-ldap.5.xml:1984 sssd-krb5.5.xml:477
+ msgid "krb5_use_kdcinfo (boolean)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1967 sssd-krb5.5.xml:480
++#: sssd-ldap.5.xml:1987 sssd-krb5.5.xml:480
+ msgid ""
+ "Specifies if the SSSD should instruct the Kerberos libraries what realm and "
+ "which KDCs to use. This option is on by default, if you disable it, you need "
+@@ -6070,7 +6237,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1978 sssd-krb5.5.xml:491
++#: sssd-ldap.5.xml:1998 sssd-krb5.5.xml:491
+ msgid ""
+ "See the <citerefentry> <refentrytitle>sssd_krb5_locator_plugin</"
+ "refentrytitle> <manvolnum>8</manvolnum> </citerefentry> manual page for more "
+@@ -6078,26 +6245,26 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1992
++#: sssd-ldap.5.xml:2012
+ msgid "ldap_pwd_policy (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1995
++#: sssd-ldap.5.xml:2015
+ msgid ""
+ "Select the policy to evaluate the password expiration on the client side. "
+ "The following values are allowed:"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2000
++#: sssd-ldap.5.xml:2020
+ msgid ""
+ "<emphasis>none</emphasis> - No evaluation on the client side. This option "
+ "cannot disable server-side password policies."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2005
++#: sssd-ldap.5.xml:2025
+ msgid ""
+ "<emphasis>shadow</emphasis> - Use <citerefentry><refentrytitle>shadow</"
+ "refentrytitle> <manvolnum>5</manvolnum></citerefentry> style attributes to "
+@@ -6105,7 +6272,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2011
++#: sssd-ldap.5.xml:2031
+ msgid ""
+ "<emphasis>mit_kerberos</emphasis> - Use the attributes used by MIT Kerberos "
+ "to determine if the password has expired. Use chpass_provider=krb5 to update "
+@@ -6113,31 +6280,31 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2020
++#: sssd-ldap.5.xml:2040
+ msgid ""
+ "<emphasis>Note</emphasis>: if a password policy is configured on server "
+ "side, it always takes precedence over policy set with this option."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2028
++#: sssd-ldap.5.xml:2048
+ msgid "ldap_referrals (boolean)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2031
++#: sssd-ldap.5.xml:2051
+ msgid "Specifies whether automatic referral chasing should be enabled."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2035
++#: sssd-ldap.5.xml:2055
+ msgid ""
+ "Please note that sssd only supports referral chasing when it is compiled "
+ "with OpenLDAP version 2.4.13 or higher."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2040
++#: sssd-ldap.5.xml:2060
+ msgid ""
+ "Chasing referrals may incur a performance penalty in environments that use "
+ "them heavily, a notable example is Microsoft Active Directory. If your setup "
+@@ -6146,56 +6313,56 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2054
++#: sssd-ldap.5.xml:2074
+ msgid "ldap_dns_service_name (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2057
++#: sssd-ldap.5.xml:2077
+ msgid "Specifies the service name to use when service discovery is enabled."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2061
++#: sssd-ldap.5.xml:2081
+ msgid "Default: ldap"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2067
++#: sssd-ldap.5.xml:2087
+ msgid "ldap_chpass_dns_service_name (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2070
++#: sssd-ldap.5.xml:2090
+ msgid ""
+ "Specifies the service name to use to find an LDAP server which allows "
+ "password changes when service discovery is enabled."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2075
++#: sssd-ldap.5.xml:2095
+ msgid "Default: not set, i.e. service discovery is disabled"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2081
++#: sssd-ldap.5.xml:2101
+ msgid "ldap_chpass_update_last_change (bool)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2084
++#: sssd-ldap.5.xml:2104
+ msgid ""
+ "Specifies whether to update the ldap_user_shadow_last_change attribute with "
+ "days since the Epoch after a password change operation."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2096
++#: sssd-ldap.5.xml:2116
+ msgid "ldap_access_filter (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2099
++#: sssd-ldap.5.xml:2119
+ msgid ""
+ "If using access_provider = ldap and ldap_access_order = filter (default), "
+ "this option is mandatory. It specifies an LDAP search filter criteria that "
+@@ -6211,12 +6378,12 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2119
++#: sssd-ldap.5.xml:2139
+ msgid "Example:"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><programlisting>
+-#: sssd-ldap.5.xml:2122
++#: sssd-ldap.5.xml:2142
+ #, no-wrap
+ msgid ""
+ "access_provider = ldap\n"
+@@ -6225,14 +6392,14 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2126
++#: sssd-ldap.5.xml:2146
+ msgid ""
+ "This example means that access to this host is restricted to users whose "
+ "employeeType attribute is set to \"admin\"."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2131
++#: sssd-ldap.5.xml:2151
+ msgid ""
+ "Offline caching for this feature is limited to determining whether the "
+ "user's last online login was granted access permission. If they were granted "
+@@ -6241,24 +6408,24 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2139 sssd-ldap.5.xml:2196
++#: sssd-ldap.5.xml:2159 sssd-ldap.5.xml:2216
+ msgid "Default: Empty"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2145
++#: sssd-ldap.5.xml:2165
+ msgid "ldap_account_expire_policy (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2148
++#: sssd-ldap.5.xml:2168
+ msgid ""
+ "With this option a client side evaluation of access control attributes can "
+ "be enabled."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2152
++#: sssd-ldap.5.xml:2172
+ msgid ""
+ "Please note that it is always recommended to use server side access control, "
+ "i.e. the LDAP server should deny the bind request with a suitable error code "
+@@ -6266,19 +6433,19 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2159
++#: sssd-ldap.5.xml:2179
+ msgid "The following values are allowed:"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2162
++#: sssd-ldap.5.xml:2182
+ msgid ""
+ "<emphasis>shadow</emphasis>: use the value of ldap_user_shadow_expire to "
+ "determine if the account is expired."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2167
++#: sssd-ldap.5.xml:2187
+ msgid ""
+ "<emphasis>ad</emphasis>: use the value of the 32bit field "
+ "ldap_user_ad_user_account_control and allow access if the second bit is not "
+@@ -6287,7 +6454,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2174
++#: sssd-ldap.5.xml:2194
+ msgid ""
+ "<emphasis>rhds</emphasis>, <emphasis>ipa</emphasis>, <emphasis>389ds</"
+ "emphasis>: use the value of ldap_ns_account_lock to check if access is "
+@@ -6295,7 +6462,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2180
++#: sssd-ldap.5.xml:2200
+ msgid ""
+ "<emphasis>nds</emphasis>: the values of "
+ "ldap_user_nds_login_allowed_time_map, ldap_user_nds_login_disabled and "
+@@ -6304,7 +6471,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2189
++#: sssd-ldap.5.xml:2209
+ msgid ""
+ "Please note that the ldap_access_order configuration option <emphasis>must</"
+ "emphasis> include <quote>expire</quote> in order for the "
+@@ -6312,22 +6479,22 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2202
++#: sssd-ldap.5.xml:2222
+ msgid "ldap_access_order (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2205
++#: sssd-ldap.5.xml:2225
+ msgid "Comma separated list of access control options.  Allowed values are:"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2209
++#: sssd-ldap.5.xml:2229
+ msgid "<emphasis>filter</emphasis>: use ldap_access_filter"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2212
++#: sssd-ldap.5.xml:2232
+ msgid ""
+ "<emphasis>lockout</emphasis>: use account locking.  If set, this option "
+ "denies access in case that ldap attribute 'pwdAccountLockedTime' is present "
+@@ -6337,14 +6504,14 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2222
++#: sssd-ldap.5.xml:2242
+ msgid ""
+ "<emphasis> Please note that this option is superseded by the <quote>ppolicy</"
+ "quote> option and might be removed in a future release.  </emphasis>"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2229
++#: sssd-ldap.5.xml:2249
+ msgid ""
+ "<emphasis>ppolicy</emphasis>: use account locking.  If set, this option "
+ "denies access in case that ldap attribute 'pwdAccountLockedTime' is present "
+@@ -6357,12 +6524,12 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2246
++#: sssd-ldap.5.xml:2266
+ msgid "<emphasis>expire</emphasis>: use ldap_account_expire_policy"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2250
++#: sssd-ldap.5.xml:2270
+ msgid ""
+ "<emphasis>pwd_expire_policy_reject, pwd_expire_policy_warn, "
+ "pwd_expire_policy_renew: </emphasis> These options are useful if users are "
+@@ -6372,7 +6539,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2260
++#: sssd-ldap.5.xml:2280
+ msgid ""
+ "The difference between these options is the action taken if user password is "
+ "expired: pwd_expire_policy_reject - user is denied to log in, "
+@@ -6382,63 +6549,63 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2268
++#: sssd-ldap.5.xml:2288
+ msgid ""
+ "Note If user password is expired no explicit message is prompted by SSSD."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2272
++#: sssd-ldap.5.xml:2292
+ msgid ""
+ "Please note that 'access_provider = ldap' must be set for this feature to "
+ "work. Also 'ldap_pwd_policy' must be set to an appropriate password policy."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2277
++#: sssd-ldap.5.xml:2297
+ msgid ""
+ "<emphasis>authorized_service</emphasis>: use the authorizedService attribute "
+ "to determine access"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2282
++#: sssd-ldap.5.xml:2302
+ msgid "<emphasis>host</emphasis>: use the host attribute to determine access"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2286
++#: sssd-ldap.5.xml:2306
+ msgid ""
+ "<emphasis>rhost</emphasis>: use the rhost attribute to determine whether "
+ "remote host can access"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2290
++#: sssd-ldap.5.xml:2310
+ msgid ""
+ "Please note, rhost field in pam is set by application, it is better to check "
+ "what the application sends to pam, before enabling this access control option"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2295
++#: sssd-ldap.5.xml:2315
+ msgid "Default: filter"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2298
++#: sssd-ldap.5.xml:2318
+ msgid ""
+ "Please note that it is a configuration error if a value is used more than "
+ "once."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2305
++#: sssd-ldap.5.xml:2325
+ msgid "ldap_pwdlockout_dn (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2308
++#: sssd-ldap.5.xml:2328
+ msgid ""
+ "This option specifies the DN of password policy entry on LDAP server. Please "
+ "note that absence of this option in sssd.conf in case of enabled account "
+@@ -6447,74 +6614,74 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2316
++#: sssd-ldap.5.xml:2336
+ msgid "Example: cn=ppolicy,ou=policies,dc=example,dc=com"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2319
++#: sssd-ldap.5.xml:2339
+ msgid "Default: cn=ppolicy,ou=policies,$ldap_search_base"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2325
++#: sssd-ldap.5.xml:2345
+ msgid "ldap_deref (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2328
++#: sssd-ldap.5.xml:2348
+ msgid ""
+ "Specifies how alias dereferencing is done when performing a search. The "
+ "following options are allowed:"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2333
++#: sssd-ldap.5.xml:2353
+ msgid "<emphasis>never</emphasis>: Aliases are never dereferenced."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2337
++#: sssd-ldap.5.xml:2357
+ msgid ""
+ "<emphasis>searching</emphasis>: Aliases are dereferenced in subordinates of "
+ "the base object, but not in locating the base object of the search."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2342
++#: sssd-ldap.5.xml:2362
+ msgid ""
+ "<emphasis>finding</emphasis>: Aliases are only dereferenced when locating "
+ "the base object of the search."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2347
++#: sssd-ldap.5.xml:2367
+ msgid ""
+ "<emphasis>always</emphasis>: Aliases are dereferenced both in searching and "
+ "in locating the base object of the search."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2352
++#: sssd-ldap.5.xml:2372
+ msgid ""
+ "Default: Empty (this is handled as <emphasis>never</emphasis> by the LDAP "
+ "client libraries)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2360
++#: sssd-ldap.5.xml:2380
+ msgid "ldap_rfc2307_fallback_to_local_users (boolean)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2363
++#: sssd-ldap.5.xml:2383
+ msgid ""
+ "Allows to retain local users as members of an LDAP group for servers that "
+ "use the RFC2307 schema."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2367
++#: sssd-ldap.5.xml:2387
+ msgid ""
+ "In some environments where the RFC2307 schema is used, local users are made "
+ "members of LDAP groups by adding their names to the memberUid attribute.  "
+@@ -6525,7 +6692,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2378
++#: sssd-ldap.5.xml:2398
+ msgid ""
+ "This option falls back to checking if local users are referenced, and caches "
+ "them so that later initgroups() calls will augment the local users with the "
+@@ -6533,24 +6700,24 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2390 sssd-ifp.5.xml:136
++#: sssd-ldap.5.xml:2410 sssd-ifp.5.xml:136
+ msgid "wildcard_limit (integer)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2393
++#: sssd-ldap.5.xml:2413
+ msgid ""
+ "Specifies an upper limit on the number of entries that are downloaded during "
+ "a wildcard lookup."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2397
++#: sssd-ldap.5.xml:2417
+ msgid "At the moment, only the InfoPipe responder supports wildcard lookups."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2401
++#: sssd-ldap.5.xml:2421
+ msgid "Default: 1000 (often the size of one page)"
+ msgstr ""
+ 
+@@ -6565,12 +6732,12 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><title>
+-#: sssd-ldap.5.xml:2411
++#: sssd-ldap.5.xml:2431
+ msgid "SUDO OPTIONS"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd-ldap.5.xml:2413
++#: sssd-ldap.5.xml:2433
+ msgid ""
+ "The detailed instructions for configuration of sudo_provider are in the "
+ "manual page <citerefentry> <refentrytitle>sssd-sudo</refentrytitle> "
+@@ -6578,208 +6745,208 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2424
++#: sssd-ldap.5.xml:2444
+ msgid "ldap_sudorule_object_class (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2427
++#: sssd-ldap.5.xml:2447
+ msgid "The object class of a sudo rule entry in LDAP."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2430
++#: sssd-ldap.5.xml:2450
+ msgid "Default: sudoRole"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2436
++#: sssd-ldap.5.xml:2456
+ msgid "ldap_sudorule_name (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2439
++#: sssd-ldap.5.xml:2459
+ msgid "The LDAP attribute that corresponds to the sudo rule name."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2449
++#: sssd-ldap.5.xml:2469
+ msgid "ldap_sudorule_command (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2452
++#: sssd-ldap.5.xml:2472
+ msgid "The LDAP attribute that corresponds to the command name."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2456
++#: sssd-ldap.5.xml:2476
+ msgid "Default: sudoCommand"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2462
++#: sssd-ldap.5.xml:2482
+ msgid "ldap_sudorule_host (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2465
++#: sssd-ldap.5.xml:2485
+ msgid ""
+ "The LDAP attribute that corresponds to the host name (or host IP address, "
+ "host IP network, or host netgroup)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2470
++#: sssd-ldap.5.xml:2490
+ msgid "Default: sudoHost"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2476
++#: sssd-ldap.5.xml:2496
+ msgid "ldap_sudorule_user (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2479
++#: sssd-ldap.5.xml:2499
+ msgid ""
+ "The LDAP attribute that corresponds to the user name (or UID, group name or "
+ "user's netgroup)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2483
++#: sssd-ldap.5.xml:2503
+ msgid "Default: sudoUser"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2489
++#: sssd-ldap.5.xml:2509
+ msgid "ldap_sudorule_option (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2492
++#: sssd-ldap.5.xml:2512
+ msgid "The LDAP attribute that corresponds to the sudo options."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2496
++#: sssd-ldap.5.xml:2516
+ msgid "Default: sudoOption"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2502
++#: sssd-ldap.5.xml:2522
+ msgid "ldap_sudorule_runasuser (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2505
++#: sssd-ldap.5.xml:2525
+ msgid ""
+ "The LDAP attribute that corresponds to the user name that commands may be "
+ "run as."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2509
++#: sssd-ldap.5.xml:2529
+ msgid "Default: sudoRunAsUser"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2515
++#: sssd-ldap.5.xml:2535
+ msgid "ldap_sudorule_runasgroup (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2518
++#: sssd-ldap.5.xml:2538
+ msgid ""
+ "The LDAP attribute that corresponds to the group name or group GID that "
+ "commands may be run as."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2522
++#: sssd-ldap.5.xml:2542
+ msgid "Default: sudoRunAsGroup"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2528
++#: sssd-ldap.5.xml:2548
+ msgid "ldap_sudorule_notbefore (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2531
++#: sssd-ldap.5.xml:2551
+ msgid ""
+ "The LDAP attribute that corresponds to the start date/time for when the sudo "
+ "rule is valid."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2535
++#: sssd-ldap.5.xml:2555
+ msgid "Default: sudoNotBefore"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2541
++#: sssd-ldap.5.xml:2561
+ msgid "ldap_sudorule_notafter (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2544
++#: sssd-ldap.5.xml:2564
+ msgid ""
+ "The LDAP attribute that corresponds to the expiration date/time, after which "
+ "the sudo rule will no longer be valid."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2549
++#: sssd-ldap.5.xml:2569
+ msgid "Default: sudoNotAfter"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2555
++#: sssd-ldap.5.xml:2575
+ msgid "ldap_sudorule_order (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2558
++#: sssd-ldap.5.xml:2578
+ msgid "The LDAP attribute that corresponds to the ordering index of the rule."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2562
++#: sssd-ldap.5.xml:2582
+ msgid "Default: sudoOrder"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2568
++#: sssd-ldap.5.xml:2588
+ msgid "ldap_sudo_full_refresh_interval (integer)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2571
++#: sssd-ldap.5.xml:2591
+ msgid ""
+ "How many seconds SSSD will wait between executing a full refresh of sudo "
+ "rules (which downloads all rules that are stored on the server)."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2576
++#: sssd-ldap.5.xml:2596
+ msgid ""
+ "The value must be greater than <emphasis>ldap_sudo_smart_refresh_interval </"
+ "emphasis>"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2581
++#: sssd-ldap.5.xml:2601
+ msgid "Default: 21600 (6 hours)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2587
++#: sssd-ldap.5.xml:2607
+ msgid "ldap_sudo_smart_refresh_interval (integer)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2590
++#: sssd-ldap.5.xml:2610
+ msgid ""
+ "How many seconds SSSD has to wait before executing a smart refresh of sudo "
+ "rules (which downloads all rules that have USN higher than the highest USN "
+@@ -6787,101 +6954,101 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2596
++#: sssd-ldap.5.xml:2616
+ msgid ""
+ "If USN attributes are not supported by the server, the modifyTimestamp "
+ "attribute is used instead."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2606
++#: sssd-ldap.5.xml:2626
+ msgid "ldap_sudo_use_host_filter (boolean)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2609
++#: sssd-ldap.5.xml:2629
+ msgid ""
+ "If true, SSSD will download only rules that are applicable to this machine "
+ "(using the IPv4 or IPv6 host/network addresses and hostnames)."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2620
++#: sssd-ldap.5.xml:2640
+ msgid "ldap_sudo_hostnames (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2623
++#: sssd-ldap.5.xml:2643
+ msgid ""
+ "Space separated list of hostnames or fully qualified domain names that "
+ "should be used to filter the rules."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2628
++#: sssd-ldap.5.xml:2648
+ msgid ""
+ "If this option is empty, SSSD will try to discover the hostname and the "
+ "fully qualified domain name automatically."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2633 sssd-ldap.5.xml:2656 sssd-ldap.5.xml:2674
+-#: sssd-ldap.5.xml:2692
++#: sssd-ldap.5.xml:2653 sssd-ldap.5.xml:2676 sssd-ldap.5.xml:2694
++#: sssd-ldap.5.xml:2712
+ msgid ""
+ "If <emphasis>ldap_sudo_use_host_filter</emphasis> is <emphasis>false</"
+ "emphasis> then this option has no effect."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2638 sssd-ldap.5.xml:2661
++#: sssd-ldap.5.xml:2658 sssd-ldap.5.xml:2681
+ msgid "Default: not specified"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2644
++#: sssd-ldap.5.xml:2664
+ msgid "ldap_sudo_ip (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2647
++#: sssd-ldap.5.xml:2667
+ msgid ""
+ "Space separated list of IPv4 or IPv6 host/network addresses that should be "
+ "used to filter the rules."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2652
++#: sssd-ldap.5.xml:2672
+ msgid ""
+ "If this option is empty, SSSD will try to discover the addresses "
+ "automatically."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2667
++#: sssd-ldap.5.xml:2687
+ msgid "ldap_sudo_include_netgroups (boolean)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2670
++#: sssd-ldap.5.xml:2690
+ msgid ""
+ "If true then SSSD will download every rule that contains a netgroup in "
+ "sudoHost attribute."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2685
++#: sssd-ldap.5.xml:2705
+ msgid "ldap_sudo_include_regexp (boolean)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2688
++#: sssd-ldap.5.xml:2708
+ msgid ""
+ "If true then SSSD will download every rule that contains a wildcard in "
+ "sudoHost attribute."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd-ldap.5.xml:2704
++#: sssd-ldap.5.xml:2724
+ msgid ""
+ "This manual page only describes attribute name mapping.  For detailed "
+ "explanation of sudo related attribute semantics, see <citerefentry> "
+@@ -6890,111 +7057,111 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><title>
+-#: sssd-ldap.5.xml:2714
++#: sssd-ldap.5.xml:2734
+ msgid "AUTOFS OPTIONS"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd-ldap.5.xml:2716
++#: sssd-ldap.5.xml:2736
+ msgid ""
+ "Some of the defaults for the parameters below are dependent on the LDAP "
+ "schema."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2722
++#: sssd-ldap.5.xml:2742
+ msgid "ldap_autofs_map_master_name (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2725
++#: sssd-ldap.5.xml:2745
+ msgid "The name of the automount master map in LDAP."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2728
++#: sssd-ldap.5.xml:2748
+ msgid "Default: auto.master"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2735
++#: sssd-ldap.5.xml:2755
+ msgid "ldap_autofs_map_object_class (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2738
++#: sssd-ldap.5.xml:2758
+ msgid "The object class of an automount map entry in LDAP."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2741
++#: sssd-ldap.5.xml:2761
+ msgid "Default: nisMap (rfc2307, autofs_provider=ad), otherwise automountMap"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2749
++#: sssd-ldap.5.xml:2769
+ msgid "ldap_autofs_map_name (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2752
++#: sssd-ldap.5.xml:2772
+ msgid "The name of an automount map entry in LDAP."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2755
++#: sssd-ldap.5.xml:2775
+ msgid ""
+ "Default: nisMapName (rfc2307, autofs_provider=ad), otherwise automountMapName"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2763
++#: sssd-ldap.5.xml:2783
+ msgid "ldap_autofs_entry_object_class (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2766
++#: sssd-ldap.5.xml:2786
+ msgid ""
+ "The object class of an automount entry in LDAP. The entry usually "
+ "corresponds to a mount point."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2771
++#: sssd-ldap.5.xml:2791
+ msgid "Default: nisObject (rfc2307, autofs_provider=ad), otherwise automount"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2779
++#: sssd-ldap.5.xml:2799
+ msgid "ldap_autofs_entry_key (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2782 sssd-ldap.5.xml:2797
++#: sssd-ldap.5.xml:2802 sssd-ldap.5.xml:2817
+ msgid ""
+ "The key of an automount entry in LDAP. The entry usually corresponds to a "
+ "mount point."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2786
++#: sssd-ldap.5.xml:2806
+ msgid "Default: cn (rfc2307, autofs_provider=ad), otherwise automountKey"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2794
++#: sssd-ldap.5.xml:2814
+ msgid "ldap_autofs_entry_value (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2801
++#: sssd-ldap.5.xml:2821
+ msgid ""
+ "Default: nisMapEntry (rfc2307, autofs_provider=ad), otherwise "
+ "automountInformation"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd-ldap.5.xml:2720
++#: sssd-ldap.5.xml:2740
+ msgid ""
+ "<placeholder type=\"variablelist\" id=\"0\"/> <placeholder type="
+ "\"variablelist\" id=\"1\"/> <placeholder type=\"variablelist\" id=\"2\"/> "
+@@ -7003,32 +7170,32 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><title>
+-#: sssd-ldap.5.xml:2812
++#: sssd-ldap.5.xml:2832
+ msgid "ADVANCED OPTIONS"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2819
++#: sssd-ldap.5.xml:2839
+ msgid "ldap_netgroup_search_base (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2824
++#: sssd-ldap.5.xml:2844
+ msgid "ldap_user_search_base (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2829
++#: sssd-ldap.5.xml:2849
+ msgid "ldap_group_search_base (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><note>
+-#: sssd-ldap.5.xml:2834
++#: sssd-ldap.5.xml:2854
+ msgid "<note>"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><note><para>
+-#: sssd-ldap.5.xml:2836
++#: sssd-ldap.5.xml:2856
+ msgid ""
+ "If the option <quote>ldap_use_tokengroups</quote> is enabled, the searches "
+ "against Active Directory will not be restricted and return all groups "
+@@ -7037,22 +7204,22 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist>
+-#: sssd-ldap.5.xml:2843
++#: sssd-ldap.5.xml:2863
+ msgid "</note>"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2845
++#: sssd-ldap.5.xml:2865
+ msgid "ldap_sudo_search_base (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2850
++#: sssd-ldap.5.xml:2870
+ msgid "ldap_autofs_search_base (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd-ldap.5.xml:2814
++#: sssd-ldap.5.xml:2834
+ msgid ""
+ "These options are supported by LDAP domains, but they should be used with "
+ "caution. Please include them in your configuration only if you know what you "
+@@ -7061,14 +7228,14 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><title>
+-#: sssd-ldap.5.xml:2865 sssd-simple.5.xml:131 sssd-ipa.5.xml:828
+-#: sssd-ad.5.xml:1063 sssd-krb5.5.xml:570 sss_rpcidmapd.5.xml:98
++#: sssd-ldap.5.xml:2885 sssd-simple.5.xml:131 sssd-ipa.5.xml:828
++#: sssd-ad.5.xml:1082 sssd-krb5.5.xml:604 sss_rpcidmapd.5.xml:98
+ #: sssd-files.5.xml:103 sssd-session-recording.5.xml:144
+ msgid "EXAMPLE"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd-ldap.5.xml:2867
++#: sssd-ldap.5.xml:2887
+ msgid ""
+ "The following example assumes that SSSD is correctly configured and LDAP is "
+ "set to one of the domains in the <replaceable>[domains]</replaceable> "
+@@ -7076,7 +7243,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><programlisting>
+-#: sssd-ldap.5.xml:2873
++#: sssd-ldap.5.xml:2893
+ #, no-wrap
+ msgid ""
+ "[domain/LDAP]\n"
+@@ -7089,27 +7256,27 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <refsect1><refsect2><para>
+-#: sssd-ldap.5.xml:2872 sssd-ldap.5.xml:2890 sssd-simple.5.xml:139
+-#: sssd-ipa.5.xml:836 sssd-ad.5.xml:1071 sssd-sudo.5.xml:56 sssd-krb5.5.xml:579
++#: sssd-ldap.5.xml:2892 sssd-ldap.5.xml:2910 sssd-simple.5.xml:139
++#: sssd-ipa.5.xml:836 sssd-ad.5.xml:1090 sssd-sudo.5.xml:56 sssd-krb5.5.xml:613
+ #: sssd-files.5.xml:110 sssd-session-recording.5.xml:150
+ #: include/ldap_id_mapping.xml:105
+ msgid "<placeholder type=\"programlisting\" id=\"0\"/>"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><title>
+-#: sssd-ldap.5.xml:2884
++#: sssd-ldap.5.xml:2904
+ msgid "LDAP ACCESS FILTER EXAMPLE"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd-ldap.5.xml:2886
++#: sssd-ldap.5.xml:2906
+ msgid ""
+ "The following example assumes that SSSD is correctly configured and to use "
+ "the ldap_access_order=lockout."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><programlisting>
+-#: sssd-ldap.5.xml:2891
++#: sssd-ldap.5.xml:2911
+ #, no-wrap
+ msgid ""
+ "[domain/LDAP]\n"
+@@ -7125,13 +7292,13 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><title>
+-#: sssd-ldap.5.xml:2906 sssd_krb5_locator_plugin.8.xml:83 sssd-simple.5.xml:148
+-#: sssd-ad.5.xml:1086 sssd.8.xml:230 sss_seed.8.xml:163
++#: sssd-ldap.5.xml:2926 sssd_krb5_locator_plugin.8.xml:83 sssd-simple.5.xml:148
++#: sssd-ad.5.xml:1105 sssd.8.xml:230 sss_seed.8.xml:163
+ msgid "NOTES"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd-ldap.5.xml:2908
++#: sssd-ldap.5.xml:2928
+ msgid ""
+ "The descriptions of some of the configuration options in this manual page "
+ "are based on the <citerefentry> <refentrytitle>ldap.conf</refentrytitle> "
+@@ -8605,7 +8772,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ipa.5.xml:128 sssd-ad.5.xml:888
++#: sssd-ipa.5.xml:128 sssd-ad.5.xml:907
+ msgid "dyndns_update (boolean)"
+ msgstr ""
+ 
+@@ -8620,7 +8787,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ipa.5.xml:140 sssd-ad.5.xml:902
++#: sssd-ipa.5.xml:140 sssd-ad.5.xml:921
+ msgid ""
+ "NOTE: On older systems (such as RHEL 5), for this behavior to work reliably, "
+ "the default Kerberos realm must be set properly in /etc/krb5.conf"
+@@ -8635,12 +8802,12 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ipa.5.xml:157 sssd-ad.5.xml:913
++#: sssd-ipa.5.xml:157 sssd-ad.5.xml:932
+ msgid "dyndns_ttl (integer)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ipa.5.xml:160 sssd-ad.5.xml:916
++#: sssd-ipa.5.xml:160 sssd-ad.5.xml:935
+ msgid ""
+ "The TTL to apply to the client DNS record when updating it.  If "
+ "dyndns_update is false this has no effect. This will override the TTL "
+@@ -8661,12 +8828,12 @@ msgid "Default: 1200 (seconds)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ipa.5.xml:177 sssd-ad.5.xml:927
++#: sssd-ipa.5.xml:177 sssd-ad.5.xml:946
+ msgid "dyndns_iface (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ipa.5.xml:180 sssd-ad.5.xml:930
++#: sssd-ipa.5.xml:180 sssd-ad.5.xml:949
+ msgid ""
+ "Optional. Applicable only when dyndns_update is true. Choose the interface "
+ "or a list of interfaces whose IP addresses should be used for dynamic DNS "
+@@ -8690,17 +8857,17 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ipa.5.xml:197 sssd-ad.5.xml:941
++#: sssd-ipa.5.xml:197 sssd-ad.5.xml:960
+ msgid "Example: dyndns_iface = em1, vnet1, vnet2"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ipa.5.xml:203 sssd-ad.5.xml:992
++#: sssd-ipa.5.xml:203 sssd-ad.5.xml:1011
+ msgid "dyndns_auth (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ipa.5.xml:206 sssd-ad.5.xml:995
++#: sssd-ipa.5.xml:206 sssd-ad.5.xml:1014
+ msgid ""
+ "Whether the nsupdate utility should use GSS-TSIG authentication for secure "
+ "updates with the DNS server, insecure updates can be sent by setting this "
+@@ -8708,7 +8875,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ipa.5.xml:212 sssd-ad.5.xml:1001
++#: sssd-ipa.5.xml:212 sssd-ad.5.xml:1020
+ msgid "Default: GSS-TSIG"
+ msgstr ""
+ 
+@@ -8735,7 +8902,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ipa.5.xml:244 sssd-ad.5.xml:947
++#: sssd-ipa.5.xml:244 sssd-ad.5.xml:966
+ msgid "dyndns_refresh_interval (integer)"
+ msgstr ""
+ 
+@@ -8748,12 +8915,12 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ipa.5.xml:260 sssd-ad.5.xml:965
++#: sssd-ipa.5.xml:260 sssd-ad.5.xml:984
+ msgid "dyndns_update_ptr (bool)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ipa.5.xml:263 sssd-ad.5.xml:968
++#: sssd-ipa.5.xml:263 sssd-ad.5.xml:987
+ msgid ""
+ "Whether the PTR record should also be explicitly updated when updating the "
+ "client's DNS records.  Applicable only when dyndns_update is true."
+@@ -8772,50 +8939,50 @@ msgid "Default: False (disabled)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ipa.5.xml:280 sssd-ad.5.xml:979
++#: sssd-ipa.5.xml:280 sssd-ad.5.xml:998
+ msgid "dyndns_force_tcp (bool)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ipa.5.xml:283 sssd-ad.5.xml:982
++#: sssd-ipa.5.xml:283 sssd-ad.5.xml:1001
+ msgid ""
+ "Whether the nsupdate utility should default to using TCP for communicating "
+ "with the DNS server."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ipa.5.xml:287 sssd-ad.5.xml:986
++#: sssd-ipa.5.xml:287 sssd-ad.5.xml:1005
+ msgid "Default: False (let nsupdate choose the protocol)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ipa.5.xml:293 sssd-ad.5.xml:1007
++#: sssd-ipa.5.xml:293 sssd-ad.5.xml:1026
+ msgid "dyndns_server (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ipa.5.xml:296 sssd-ad.5.xml:1010
++#: sssd-ipa.5.xml:296 sssd-ad.5.xml:1029
+ msgid ""
+ "The DNS server to use when performing a DNS update. In most setups, it's "
+ "recommended to leave this option unset."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ipa.5.xml:301 sssd-ad.5.xml:1015
++#: sssd-ipa.5.xml:301 sssd-ad.5.xml:1034
+ msgid ""
+ "Setting this option makes sense for environments where the DNS server is "
+ "different from the identity server."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ipa.5.xml:306 sssd-ad.5.xml:1020
++#: sssd-ipa.5.xml:306 sssd-ad.5.xml:1039
+ msgid ""
+ "Please note that this option will be only used in fallback attempt when "
+ "previous attempt using autodetected settings failed."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ipa.5.xml:311 sssd-ad.5.xml:1025
++#: sssd-ipa.5.xml:311 sssd-ad.5.xml:1044
+ msgid "Default: None (let nsupdate choose the server)"
+ msgstr ""
+ 
+@@ -8926,26 +9093,26 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ipa.5.xml:443 sssd-ad.5.xml:1034
++#: sssd-ipa.5.xml:443 sssd-ad.5.xml:1053
+ msgid "krb5_confd_path (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ipa.5.xml:446 sssd-ad.5.xml:1037
++#: sssd-ipa.5.xml:446 sssd-ad.5.xml:1056
+ msgid ""
+ "Absolute path of a directory where SSSD should place Kerberos configuration "
+ "snippets."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ipa.5.xml:450 sssd-ad.5.xml:1041
++#: sssd-ipa.5.xml:450 sssd-ad.5.xml:1060
+ msgid ""
+ "To disable the creation of the configuration snippets set the parameter to "
+ "'none'."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ipa.5.xml:454 sssd-ad.5.xml:1045
++#: sssd-ipa.5.xml:454 sssd-ad.5.xml:1064
+ msgid ""
+ "Default: not set (krb5.include.d subdirectory of SSSD's pubconf directory)"
+ msgstr ""
+@@ -8964,7 +9131,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ipa.5.xml:471 sssd-ipa.5.xml:501 sssd-ipa.5.xml:517 sssd-ad.5.xml:452
++#: sssd-ipa.5.xml:471 sssd-ipa.5.xml:501 sssd-ipa.5.xml:517 sssd-ad.5.xml:471
+ msgid "Default: 5 (seconds)"
+ msgstr ""
+ 
+@@ -9847,12 +10014,27 @@ msgid "Default: False (seconds)"
+ msgstr "Oletus:epätosi"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ad.5.xml:442
++#: sssd-ad.5.xml:441
++msgid "ad_gpo_ignore_unreadable (boolean)"
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
++#: sssd-ad.5.xml:444
++msgid ""
++"Normally when some group policy containers (AD object) of applicable group "
++"policy objects are not readable by SSSD then users are denied access.  This "
++"option allows to ignore group policy containers and with them associated "
++"policies if their attributes in group policy containers are not readable for "
++"SSSD."
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
++#: sssd-ad.5.xml:461
+ msgid "ad_gpo_cache_timeout (integer)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:445
++#: sssd-ad.5.xml:464
+ msgid ""
+ "The amount of time between lookups of GPO policy files against the AD "
+ "server. This will reduce the latency and load on the AD server if there are "
+@@ -9860,12 +10042,12 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ad.5.xml:458
++#: sssd-ad.5.xml:477
+ msgid "ad_gpo_map_interactive (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:461
++#: sssd-ad.5.xml:480
+ msgid ""
+ "A comma-separated list of PAM service names for which GPO-based access "
+ "control is evaluated based on the InteractiveLogonRight and "
+@@ -9873,14 +10055,14 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:467
++#: sssd-ad.5.xml:486
+ msgid ""
+ "Note: Using the Group Policy Management Editor this value is called \"Allow "
+ "log on locally\" and \"Deny log on locally\"."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
+-#: sssd-ad.5.xml:481
++#: sssd-ad.5.xml:500
+ #, no-wrap
+ msgid ""
+ "ad_gpo_map_interactive = +my_pam_service, -login\n"
+@@ -9888,7 +10070,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:472
++#: sssd-ad.5.xml:491
+ msgid ""
+ "It is possible to add another PAM service name to the default set by using "
+ "<quote>+service_name</quote> or to explicitly remove a PAM service name from "
+@@ -9900,42 +10082,42 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd-ad.5.xml:504
++#: sssd-ad.5.xml:523
+ msgid "gdm-fingerprint"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd-ad.5.xml:524
++#: sssd-ad.5.xml:543
+ msgid "lightdm"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd-ad.5.xml:529
++#: sssd-ad.5.xml:548
+ msgid "lxdm"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd-ad.5.xml:534
++#: sssd-ad.5.xml:553
+ msgid "sddm"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd-ad.5.xml:539
++#: sssd-ad.5.xml:558
+ msgid "unity"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd-ad.5.xml:544
++#: sssd-ad.5.xml:563
+ msgid "xdm"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ad.5.xml:553
++#: sssd-ad.5.xml:572
+ msgid "ad_gpo_map_remote_interactive (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:556
++#: sssd-ad.5.xml:575
+ msgid ""
+ "A comma-separated list of PAM service names for which GPO-based access "
+ "control is evaluated based on the RemoteInteractiveLogonRight and "
+@@ -9943,7 +10125,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:562
++#: sssd-ad.5.xml:581
+ msgid ""
+ "Note: Using the Group Policy Management Editor this value is called \"Allow "
+ "log on through Remote Desktop Services\" and \"Deny log on through Remote "
+@@ -9951,7 +10133,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
+-#: sssd-ad.5.xml:577
++#: sssd-ad.5.xml:596
+ #, no-wrap
+ msgid ""
+ "ad_gpo_map_remote_interactive = +my_pam_service, -sshd\n"
+@@ -9959,7 +10141,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:568
++#: sssd-ad.5.xml:587
+ msgid ""
+ "It is possible to add another PAM service name to the default set by using "
+ "<quote>+service_name</quote> or to explicitly remove a PAM service name from "
+@@ -9971,22 +10153,22 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd-ad.5.xml:585
++#: sssd-ad.5.xml:604
+ msgid "sshd"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd-ad.5.xml:590
++#: sssd-ad.5.xml:609
+ msgid "cockpit"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ad.5.xml:599
++#: sssd-ad.5.xml:618
+ msgid "ad_gpo_map_network (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:602
++#: sssd-ad.5.xml:621
+ msgid ""
+ "A comma-separated list of PAM service names for which GPO-based access "
+ "control is evaluated based on the NetworkLogonRight and "
+@@ -9994,7 +10176,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:608
++#: sssd-ad.5.xml:627
+ msgid ""
+ "Note: Using the Group Policy Management Editor this value is called \"Access "
+ "this computer from the network\" and \"Deny access to this computer from the "
+@@ -10002,7 +10184,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
+-#: sssd-ad.5.xml:623
++#: sssd-ad.5.xml:642
+ #, no-wrap
+ msgid ""
+ "ad_gpo_map_network = +my_pam_service, -ftp\n"
+@@ -10010,7 +10192,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:614
++#: sssd-ad.5.xml:633
+ msgid ""
+ "It is possible to add another PAM service name to the default set by using "
+ "<quote>+service_name</quote> or to explicitly remove a PAM service name from "
+@@ -10022,22 +10204,22 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd-ad.5.xml:631
++#: sssd-ad.5.xml:650
+ msgid "ftp"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd-ad.5.xml:636
++#: sssd-ad.5.xml:655
+ msgid "samba"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ad.5.xml:645
++#: sssd-ad.5.xml:664
+ msgid "ad_gpo_map_batch (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:648
++#: sssd-ad.5.xml:667
+ msgid ""
+ "A comma-separated list of PAM service names for which GPO-based access "
+ "control is evaluated based on the BatchLogonRight and DenyBatchLogonRight "
+@@ -10045,14 +10227,14 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:654
++#: sssd-ad.5.xml:673
+ msgid ""
+ "Note: Using the Group Policy Management Editor this value is called \"Allow "
+ "log on as a batch job\" and \"Deny log on as a batch job\"."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
+-#: sssd-ad.5.xml:668
++#: sssd-ad.5.xml:687
+ #, no-wrap
+ msgid ""
+ "ad_gpo_map_batch = +my_pam_service, -crond\n"
+@@ -10060,7 +10242,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:659
++#: sssd-ad.5.xml:678
+ msgid ""
+ "It is possible to add another PAM service name to the default set by using "
+ "<quote>+service_name</quote> or to explicitly remove a PAM service name from "
+@@ -10072,23 +10254,23 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:671
++#: sssd-ad.5.xml:690
+ msgid ""
+ "Note: Cron service name may differ depending on Linux distribution used."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd-ad.5.xml:677
++#: sssd-ad.5.xml:696
+ msgid "crond"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ad.5.xml:686
++#: sssd-ad.5.xml:705
+ msgid "ad_gpo_map_service (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:689
++#: sssd-ad.5.xml:708
+ msgid ""
+ "A comma-separated list of PAM service names for which GPO-based access "
+ "control is evaluated based on the ServiceLogonRight and "
+@@ -10096,14 +10278,14 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:695
++#: sssd-ad.5.xml:714
+ msgid ""
+ "Note: Using the Group Policy Management Editor this value is called \"Allow "
+ "log on as a service\" and \"Deny log on as a service\"."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
+-#: sssd-ad.5.xml:708
++#: sssd-ad.5.xml:727
+ #, no-wrap
+ msgid ""
+ "ad_gpo_map_service = +my_pam_service\n"
+@@ -10111,7 +10293,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:700 sssd-ad.5.xml:775
++#: sssd-ad.5.xml:719 sssd-ad.5.xml:794
+ msgid ""
+ "It is possible to add a PAM service name to the default set by using <quote>"
+ "+service_name</quote>.  Since the default set is empty, it is not possible "
+@@ -10122,19 +10304,19 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ad.5.xml:718
++#: sssd-ad.5.xml:737
+ msgid "ad_gpo_map_permit (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:721
++#: sssd-ad.5.xml:740
+ msgid ""
+ "A comma-separated list of PAM service names for which GPO-based access is "
+ "always granted, regardless of any GPO Logon Rights."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
+-#: sssd-ad.5.xml:735
++#: sssd-ad.5.xml:754
+ #, no-wrap
+ msgid ""
+ "ad_gpo_map_permit = +my_pam_service, -sudo\n"
+@@ -10142,7 +10324,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:726
++#: sssd-ad.5.xml:745
+ msgid ""
+ "It is possible to add another PAM service name to the default set by using "
+ "<quote>+service_name</quote> or to explicitly remove a PAM service name from "
+@@ -10154,29 +10336,29 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd-ad.5.xml:743
++#: sssd-ad.5.xml:762
+ msgid "polkit-1"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd-ad.5.xml:758
++#: sssd-ad.5.xml:777
+ msgid "systemd-user"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ad.5.xml:767
++#: sssd-ad.5.xml:786
+ msgid "ad_gpo_map_deny (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:770
++#: sssd-ad.5.xml:789
+ msgid ""
+ "A comma-separated list of PAM service names for which GPO-based access is "
+ "always denied, regardless of any GPO Logon Rights."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
+-#: sssd-ad.5.xml:783
++#: sssd-ad.5.xml:802
+ #, no-wrap
+ msgid ""
+ "ad_gpo_map_deny = +my_pam_service\n"
+@@ -10184,12 +10366,12 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ad.5.xml:793
++#: sssd-ad.5.xml:812
+ msgid "ad_gpo_default_right (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:796
++#: sssd-ad.5.xml:815
+ msgid ""
+ "This option defines how access control is evaluated for PAM service names "
+ "that are not explicitly listed in one of the ad_gpo_map_* options. This "
+@@ -10202,57 +10384,57 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:809
++#: sssd-ad.5.xml:828
+ msgid "Supported values for this option include:"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd-ad.5.xml:813
++#: sssd-ad.5.xml:832
+ msgid "interactive"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd-ad.5.xml:818
++#: sssd-ad.5.xml:837
+ msgid "remote_interactive"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd-ad.5.xml:823
++#: sssd-ad.5.xml:842
+ msgid "network"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd-ad.5.xml:828
++#: sssd-ad.5.xml:847
+ msgid "batch"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd-ad.5.xml:833
++#: sssd-ad.5.xml:852
+ msgid "service"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd-ad.5.xml:838
++#: sssd-ad.5.xml:857
+ msgid "permit"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd-ad.5.xml:843
++#: sssd-ad.5.xml:862
+ msgid "deny"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:849
++#: sssd-ad.5.xml:868
+ msgid "Default: deny"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ad.5.xml:855
++#: sssd-ad.5.xml:874
+ msgid "ad_maximum_machine_account_password_age (integer)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:858
++#: sssd-ad.5.xml:877
+ msgid ""
+ "SSSD will check once a day if the machine account password is older than the "
+ "given age in days and try to renew it. A value of 0 will disable the renewal "
+@@ -10260,17 +10442,17 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:864
++#: sssd-ad.5.xml:883
+ msgid "Default: 30 days"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ad.5.xml:870
++#: sssd-ad.5.xml:889
+ msgid "ad_machine_account_password_renewal_opts (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:873
++#: sssd-ad.5.xml:892
+ msgid ""
+ "This option should only be used to test the machine account renewal task. "
+ "The option expects 2 integers separated by a colon (':'). The first integer "
+@@ -10280,12 +10462,12 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:882
++#: sssd-ad.5.xml:901
+ msgid "Default: 86400:750 (24h and 15m)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:891
++#: sssd-ad.5.xml:910
+ msgid ""
+ "Optional. This option tells SSSD to automatically update the Active "
+ "Directory DNS server with the IP address of this client. The update is "
+@@ -10296,19 +10478,19 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:921
++#: sssd-ad.5.xml:940
+ msgid "Default: 3600 (seconds)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:937
++#: sssd-ad.5.xml:956
+ msgid ""
+ "Default: Use the IP addresses of the interface which is used for AD LDAP "
+ "connection"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:950
++#: sssd-ad.5.xml:969
+ msgid ""
+ "How often should the back end perform periodic DNS update in addition to the "
+ "automatic update performed when the back end goes online.  This option is "
+@@ -10318,12 +10500,12 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:973 sss_rpcidmapd.5.xml:76
++#: sssd-ad.5.xml:992 sss_rpcidmapd.5.xml:76
+ msgid "Default: True"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd-ad.5.xml:1065
++#: sssd-ad.5.xml:1084
+ msgid ""
+ "The following example assumes that SSSD is correctly configured and example."
+ "com is one of the domains in the <replaceable>[sssd]</replaceable> section. "
+@@ -10331,7 +10513,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><programlisting>
+-#: sssd-ad.5.xml:1072
++#: sssd-ad.5.xml:1091
+ #, no-wrap
+ msgid ""
+ "[domain/EXAMPLE]\n"
+@@ -10346,7 +10528,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><programlisting>
+-#: sssd-ad.5.xml:1092
++#: sssd-ad.5.xml:1111
+ #, no-wrap
+ msgid ""
+ "access_provider = ldap\n"
+@@ -10355,7 +10537,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd-ad.5.xml:1088
++#: sssd-ad.5.xml:1107
+ msgid ""
+ "The AD access control provider checks if the account is expired.  It has the "
+ "same effect as the following configuration of the LDAP provider: "
+@@ -10363,7 +10545,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd-ad.5.xml:1098
++#: sssd-ad.5.xml:1117
+ msgid ""
+ "However, unless the <quote>ad</quote> access control provider is explicitly "
+ "configured, the default access provider is <quote>permit</quote>. Please "
+@@ -10373,7 +10555,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd-ad.5.xml:1106
++#: sssd-ad.5.xml:1125
+ msgid ""
+ "When the autofs provider is set to <quote>ad</quote>, the RFC2307 schema "
+ "attribute mapping (nisMap, nisObject, ...) is used, because these attributes "
+@@ -11831,23 +12013,61 @@ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd-krb5.5.xml:505
+-msgid "krb5_use_enterprise_principal (boolean)"
++msgid "krb5_kdcinfo_lookahead (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-krb5.5.xml:508
+ msgid ""
++"When krb5_use_kdcinfo is set to true, you can limit the amount of servers "
++"handed to <citerefentry> <refentrytitle>sssd_krb5_locator_plugin</"
++"refentrytitle> <manvolnum>8</manvolnum> </citerefentry>.  This might be "
++"helpful when there are too many servers discovered using SRV record."
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
++#: sssd-krb5.5.xml:518
++msgid ""
++"The krb5_kdcinfo_lookahead option contains two numbers seperated by a colon. "
++"The first number represents number of primary servers used and the second "
++"number specifies the number of backup servers."
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
++#: sssd-krb5.5.xml:524
++msgid ""
++"For example <emphasis>10:0</emphasis> means that up to 10 primary servers "
++"will be handed to <citerefentry> <refentrytitle>sssd_krb5_locator_plugin</"
++"refentrytitle> <manvolnum>8</manvolnum> </citerefentry>.  but no backup "
++"servers."
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
++#: sssd-krb5.5.xml:533
++#, fuzzy
++#| msgid "Default: true"
++msgid "Default: 3:1"
++msgstr "Oletus:tosi"
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
++#: sssd-krb5.5.xml:539
++msgid "krb5_use_enterprise_principal (boolean)"
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
++#: sssd-krb5.5.xml:542
++msgid ""
+ "Specifies if the user principal should be treated as enterprise principal. "
+ "See section 5 of RFC 6806 for more details about enterprise principals."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-krb5.5.xml:514
++#: sssd-krb5.5.xml:548
+ msgid "Default: false (AD provider: true)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-krb5.5.xml:517
++#: sssd-krb5.5.xml:551
+ msgid ""
+ "The IPA provider will set to option to 'true' if it detects that the server "
+ "is capable of handling enterprise principals and the option is not set "
+@@ -11855,12 +12075,12 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-krb5.5.xml:526
++#: sssd-krb5.5.xml:560
+ msgid "krb5_map_user (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-krb5.5.xml:529
++#: sssd-krb5.5.xml:563
+ msgid ""
+ "The list of mappings is given as a comma-separated list of pairs "
+ "<quote>username:primary</quote> where <quote>username</quote> is a UNIX user "
+@@ -11870,7 +12090,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
+-#: sssd-krb5.5.xml:541
++#: sssd-krb5.5.xml:575
+ #, no-wrap
+ msgid ""
+ "krb5_realm = REALM\n"
+@@ -11878,7 +12098,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-krb5.5.xml:546
++#: sssd-krb5.5.xml:580
+ msgid ""
+ "<quote>joe</quote> and <quote>dick</quote> are UNIX user names and "
+ "<quote>juser</quote> and <quote>richard</quote> are primaries of kerberos "
+@@ -11898,7 +12118,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd-krb5.5.xml:572
++#: sssd-krb5.5.xml:606
+ msgid ""
+ "The following example assumes that SSSD is correctly configured and FOO is "
+ "one of the domains in the <replaceable>[sssd]</replaceable> section. This "
+@@ -11907,7 +12127,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><programlisting>
+-#: sssd-krb5.5.xml:580
++#: sssd-krb5.5.xml:614
+ #, no-wrap
+ msgid ""
+ "[domain/FOO]\n"
+diff --git a/src/man/po/fr.po b/src/man/po/fr.po
+index cc758d07c..8cb540c0e 100644
+--- a/src/man/po/fr.po
++++ b/src/man/po/fr.po
+@@ -16,7 +16,7 @@ msgid ""
+ msgstr ""
+ "Project-Id-Version: sssd-docs 2.0.99\n"
+ "Report-Msgid-Bugs-To: sssd-devel@redhat.com\n"
+-"POT-Creation-Date: 2019-03-20 22:06+0100\n"
++"POT-Creation-Date: 2019-10-07 11:33+0200\n"
+ "PO-Revision-Date: 2016-03-19 03:04+0000\n"
+ "Last-Translator: Jean-Baptiste Holcroft <jean-baptiste@holcroft.fr>\n"
+ "Language-Team: French (http://www.transifex.com/projects/p/sssd/language/"
+@@ -337,10 +337,10 @@ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:133 sssd.conf.5.xml:543 sssd.conf.5.xml:840
+-#: sssd.conf.5.xml:1566 sssd.conf.5.xml:1596 sssd-ldap.5.xml:1889
+-#: sssd-ldap.5.xml:1986 sssd-ldap.5.xml:2048 sssd-ldap.5.xml:2614
+-#: sssd-ldap.5.xml:2679 sssd-ldap.5.xml:2697 sssd-ad.5.xml:227
+-#: sssd-ad.5.xml:341 sssd-ad.5.xml:907 sssd-krb5.5.xml:499
++#: sssd.conf.5.xml:1566 sssd.conf.5.xml:1596 sssd-ldap.5.xml:1908
++#: sssd-ldap.5.xml:2006 sssd-ldap.5.xml:2068 sssd-ldap.5.xml:2634
++#: sssd-ldap.5.xml:2699 sssd-ldap.5.xml:2717 sssd-ad.5.xml:227
++#: sssd-ad.5.xml:341 sssd-ad.5.xml:926 sssd-krb5.5.xml:499
+ #: sssd-secrets.5.xml:351 sssd-secrets.5.xml:364
+ msgid "Default: true"
+ msgstr "Par défaut : true"
+@@ -362,16 +362,16 @@ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:146 sssd.conf.5.xml:540 sssd.conf.5.xml:722
+-#: sssd.conf.5.xml:1499 sssd.conf.5.xml:3106 sssd-ldap.5.xml:746
+-#: sssd-ldap.5.xml:1752 sssd-ldap.5.xml:1771 sssd-ldap.5.xml:1958
+-#: sssd-ldap.5.xml:2384 sssd-ipa.5.xml:151 sssd-ipa.5.xml:238
++#: sssd.conf.5.xml:1499 sssd.conf.5.xml:3129 sssd-ldap.5.xml:746
++#: sssd-ldap.5.xml:1759 sssd-ldap.5.xml:1778 sssd-ldap.5.xml:1978
++#: sssd-ldap.5.xml:2404 sssd-ipa.5.xml:151 sssd-ipa.5.xml:238
+ #: sssd-ipa.5.xml:559 sssd-krb5.5.xml:266 sssd-krb5.5.xml:300
+ #: sssd-krb5.5.xml:471
+ msgid "Default: false"
+ msgstr "Par défaut : false"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para>
+-#: sssd.conf.5.xml:106 sssd.conf.5.xml:157 sssd-ldap.5.xml:2422
++#: sssd.conf.5.xml:106 sssd.conf.5.xml:157 sssd-ldap.5.xml:2442
+ #: sssd-systemtap.5.xml:82 sssd-systemtap.5.xml:143 sssd-systemtap.5.xml:210
+ #: sssd-systemtap.5.xml:248 sssd-systemtap.5.xml:304
+ msgid "<placeholder type=\"variablelist\" id=\"0\"/>"
+@@ -396,8 +396,8 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:169 sssd.conf.5.xml:1377 sssd.conf.5.xml:3122
+-#: sssd-ldap.5.xml:1623 include/ldap_id_mapping.xml:264
++#: sssd.conf.5.xml:169 sssd.conf.5.xml:1377 sssd.conf.5.xml:3145
++#: sssd-ldap.5.xml:1630 include/ldap_id_mapping.xml:264
+ msgid "Default: 10"
+ msgstr "Par défaut : 10"
+ 
+@@ -412,7 +412,7 @@ msgid "The [sssd] section"
+ msgstr "La section [sssd]"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><title>
+-#: sssd.conf.5.xml:191 sssd.conf.5.xml:3211
++#: sssd.conf.5.xml:191 sssd.conf.5.xml:3234
+ msgid "Section parameters"
+ msgstr "Paramètres de sections"
+ 
+@@ -501,7 +501,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:259 sssd.conf.5.xml:2672
++#: sssd.conf.5.xml:259 sssd.conf.5.xml:2680
+ msgid "re_expression (string)"
+ msgstr "re_expression (chaîne)"
+ 
+@@ -523,12 +523,12 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:276 sssd.conf.5.xml:2720
++#: sssd.conf.5.xml:276 sssd.conf.5.xml:2728
+ msgid "full_name_format (string)"
+ msgstr "full_name_format (chaîne)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:279 sssd.conf.5.xml:2723
++#: sssd.conf.5.xml:279 sssd.conf.5.xml:2731
+ msgid ""
+ "A <citerefentry> <refentrytitle>printf</refentrytitle> <manvolnum>3</"
+ "manvolnum> </citerefentry>-compatible format that describes how to compose a "
+@@ -540,33 +540,33 @@ msgstr ""
+ "domaine."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:290 sssd.conf.5.xml:2734
++#: sssd.conf.5.xml:290 sssd.conf.5.xml:2742
+ msgid "%1$s"
+ msgstr "%1$s"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:291 sssd.conf.5.xml:2735
++#: sssd.conf.5.xml:291 sssd.conf.5.xml:2743
+ msgid "user name"
+ msgstr "nom d'utilisateur"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:294 sssd.conf.5.xml:2738
++#: sssd.conf.5.xml:294 sssd.conf.5.xml:2746
+ msgid "%2$s"
+ msgstr "%2$s"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:297 sssd.conf.5.xml:2741
++#: sssd.conf.5.xml:297 sssd.conf.5.xml:2749
+ msgid "domain name as specified in the SSSD config file."
+ msgstr ""
+ "nom de domaine tel qu'indiqué dans le fichier de configuration de SSSD."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:303 sssd.conf.5.xml:2747
++#: sssd.conf.5.xml:303 sssd.conf.5.xml:2755
+ msgid "%3$s"
+ msgstr "%3$s"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:306 sssd.conf.5.xml:2750
++#: sssd.conf.5.xml:306 sssd.conf.5.xml:2758
+ msgid ""
+ "domain flat name. Mostly usable for Active Directory domains, both directly "
+ "configured or discovered via IPA trusts."
+@@ -576,7 +576,7 @@ msgstr ""
+ "d'approbation IPA."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:287 sssd.conf.5.xml:2731
++#: sssd.conf.5.xml:287 sssd.conf.5.xml:2739
+ msgid ""
+ "The following expansions are supported: <placeholder type=\"variablelist\" "
+ "id=\"0\"/>"
+@@ -735,9 +735,9 @@ msgstr ""
+ 
+ #. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:418 sssd.conf.5.xml:1166 sssd-ldap.5.xml:717
+-#: sssd-ldap.5.xml:1357 sssd-ldap.5.xml:1711 sssd-ldap.5.xml:1723
+-#: sssd-ldap.5.xml:1805 sssd-ad.5.xml:712 sssd-ad.5.xml:787 sssd.8.xml:126
+-#: sssd-krb5.5.xml:410 sssd-krb5.5.xml:556 sssd-secrets.5.xml:339
++#: sssd-ldap.5.xml:1357 sssd-ldap.5.xml:1718 sssd-ldap.5.xml:1730
++#: sssd-ldap.5.xml:1822 sssd-ad.5.xml:731 sssd-ad.5.xml:806 sssd.8.xml:126
++#: sssd-krb5.5.xml:410 sssd-krb5.5.xml:590 sssd-secrets.5.xml:339
+ #: sssd-secrets.5.xml:377 sssd-secrets.5.xml:390 sssd-secrets.5.xml:404
+ #: sssd-secrets.5.xml:415 include/ldap_id_mapping.xml:205
+ #: include/ldap_id_mapping.xml:216
+@@ -934,7 +934,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:588 sssd.conf.5.xml:1389 sssd.conf.5.xml:3172
++#: sssd.conf.5.xml:588 sssd.conf.5.xml:1389 sssd.conf.5.xml:3195
+ #: sssd-ad.5.xml:164 sssd-ad.5.xml:302 sssd-ad.5.xml:316
+ msgid "Default: Not set"
+ msgstr "Par défaut : non défini"
+@@ -1300,7 +1300,7 @@ msgstr ""
+ 
+ #. type: Content of: <varlistentry><listitem><para>
+ #: sssd.conf.5.xml:859 sssd.conf.5.xml:1299 sssd.conf.5.xml:1318
+-#: sssd-krb5.5.xml:539 include/override_homedir.xml:59
++#: sssd-krb5.5.xml:573 include/override_homedir.xml:59
+ msgid "example: <placeholder type=\"programlisting\" id=\"0\"/>"
+ msgstr "exemple : <placeholder type=\"programlisting\" id=\"0\"/>"
+ 
+@@ -1782,7 +1782,7 @@ msgid "pam_pwd_expiration_warning (integer)"
+ msgstr "pam_pwd_expiration_warning (entier)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:1201 sssd.conf.5.xml:2153
++#: sssd.conf.5.xml:1201 sssd.conf.5.xml:2161
+ msgid "Display a warning N days before the password expires."
+ msgstr "Afficher une alerte N jours avant l'expiration du mot de passe."
+ 
+@@ -1798,7 +1798,7 @@ msgstr ""
+ "ne peut afficher de message d'alerte."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:1210 sssd.conf.5.xml:2156
++#: sssd.conf.5.xml:1210 sssd.conf.5.xml:2164
+ msgid ""
+ "If zero is set, then this filter is not applied, i.e. if the expiration "
+ "warning was received from backend server, it will automatically be displayed."
+@@ -1817,7 +1817,7 @@ msgstr ""
+ "<emphasis>pwd_expiration_warning</emphasis> pour un domaine particulier."
+ 
+ #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:1220 sssd.conf.5.xml:2976 sssd.8.xml:79
++#: sssd.conf.5.xml:1220 sssd.conf.5.xml:2991 sssd.8.xml:79
+ msgid "Default: 0"
+ msgstr "Par défaut : 0"
+ 
+@@ -1885,7 +1885,7 @@ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:1280 sssd.conf.5.xml:1305 sssd.conf.5.xml:1324
+-#: sssd.conf.5.xml:1950 sssd.conf.5.xml:2912 sssd-ldap.5.xml:2017
++#: sssd.conf.5.xml:1950 sssd.conf.5.xml:2920 sssd-ldap.5.xml:2037
+ msgid "Default: none"
+ msgstr "Par défaut : aucun"
+ 
+@@ -1950,9 +1950,9 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:1338 sssd.conf.5.xml:3056 sssd-ldap.5.xml:1125
+-#: sssd-ldap.5.xml:1152 sssd-ldap.5.xml:1552 sssd-ldap.5.xml:1573
+-#: sssd-ldap.5.xml:2090 include/ldap_id_mapping.xml:244
++#: sssd.conf.5.xml:1338 sssd-ldap.5.xml:1125 sssd-ldap.5.xml:1152
++#: sssd-ldap.5.xml:1552 sssd-ldap.5.xml:1573 sssd-ldap.5.xml:2110
++#: sssd-ad.5.xml:453 include/ldap_id_mapping.xml:244
+ msgid "Default: False"
+ msgstr "Par défaut : False"
+ 
+@@ -2050,48 +2050,48 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:1416 sssd-ad.5.xml:485 sssd-ad.5.xml:581 sssd-ad.5.xml:627
+-#: sssd-ad.5.xml:673 sssd-ad.5.xml:739
++#: sssd.conf.5.xml:1416 sssd-ad.5.xml:504 sssd-ad.5.xml:600 sssd-ad.5.xml:646
++#: sssd-ad.5.xml:692 sssd-ad.5.xml:758
+ msgid "Default: the default set of PAM service names includes:"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd.conf.5.xml:1421 sssd-ad.5.xml:489
++#: sssd.conf.5.xml:1421 sssd-ad.5.xml:508
+ msgid "login"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd.conf.5.xml:1426 sssd-ad.5.xml:494
++#: sssd.conf.5.xml:1426 sssd-ad.5.xml:513
+ msgid "su"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd.conf.5.xml:1431 sssd-ad.5.xml:499
++#: sssd.conf.5.xml:1431 sssd-ad.5.xml:518
+ msgid "su-l"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd.conf.5.xml:1436 sssd-ad.5.xml:514
++#: sssd.conf.5.xml:1436 sssd-ad.5.xml:533
+ msgid "gdm-smartcard"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd.conf.5.xml:1441 sssd-ad.5.xml:509
++#: sssd.conf.5.xml:1441 sssd-ad.5.xml:528
+ msgid "gdm-password"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd.conf.5.xml:1446 sssd-ad.5.xml:519
++#: sssd.conf.5.xml:1446 sssd-ad.5.xml:538
+ msgid "kdm"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd.conf.5.xml:1451 sssd-ad.5.xml:748
++#: sssd.conf.5.xml:1451 sssd-ad.5.xml:767
+ msgid "sudo"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd.conf.5.xml:1456 sssd-ad.5.xml:753
++#: sssd.conf.5.xml:1456 sssd-ad.5.xml:772
+ msgid "sudo-i"
+ msgstr ""
+ 
+@@ -2571,7 +2571,7 @@ msgid "FALSE = No enumerations for this domain"
+ msgstr "FALSE = aucune énumération pour ce domaine"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:1886 sssd.conf.5.xml:2108 sssd.conf.5.xml:2283
++#: sssd.conf.5.xml:1886 sssd.conf.5.xml:2116 sssd.conf.5.xml:2291
+ msgid "Default: FALSE"
+ msgstr "Par défaut : FALSE"
+ 
+@@ -2828,46 +2828,54 @@ msgstr ""
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:2083
+ msgid ""
+-"The background refresh will process users, groups and netgroups in the cache."
++"The background refresh will process users, groups and netgroups in the "
++"cache. For users who have performed the initgroups (get group membership for "
++"user, typically ran at login)  operation in the past, both the user entry "
++"and the group membership are updated."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2087
++#: sssd.conf.5.xml:2091
++msgid "This option is automatically inherited for all trusted domains."
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
++#: sssd.conf.5.xml:2095
+ msgid "You can consider setting this value to 3/4 * entry_cache_timeout."
+ msgstr ""
+ "Il est envisageable de configurer cette valeur à 3/4 * entry_cache_timeout."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2091 sssd-ldap.5.xml:784 sssd-ipa.5.xml:254
++#: sssd.conf.5.xml:2099 sssd-ldap.5.xml:784 sssd-ipa.5.xml:254
+ msgid "Default: 0 (disabled)"
+ msgstr "Par défaut : 0 (désactivé)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2097
++#: sssd.conf.5.xml:2105
+ msgid "cache_credentials (bool)"
+ msgstr "cache_credentials (booléen)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2100
++#: sssd.conf.5.xml:2108
+ msgid "Determines if user credentials are also cached in the local LDB cache"
+ msgstr ""
+ "Détermine si les données d'identification de l'utilisateur sont aussi mis en "
+ "cache dans le cache LDB local"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2104
++#: sssd.conf.5.xml:2112
+ msgid "User credentials are stored in a SHA512 hash, not in plaintext"
+ msgstr ""
+ "Les informations d'identification utilisateur sont stockées dans une table "
+ "de hachage SHA512, et non en texte brut"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2114
++#: sssd.conf.5.xml:2122
+ msgid "cache_credentials_minimal_first_factor_length (int)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2117
++#: sssd.conf.5.xml:2125
+ msgid ""
+ "If 2-Factor-Authentication (2FA) is used and credentials should be saved "
+ "this value determines the minimal length the first authentication factor "
+@@ -2875,24 +2883,24 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2124
++#: sssd.conf.5.xml:2132
+ msgid ""
+ "This should avoid that the short PINs of a PIN based 2FA scheme are saved in "
+ "the cache which would make them easy targets for brute-force attacks."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2129
++#: sssd.conf.5.xml:2137
+ msgid "Default: 8"
+ msgstr "Par défaut : 8"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2135
++#: sssd.conf.5.xml:2143
+ msgid "account_cache_expiration (integer)"
+ msgstr "account_cache_expiration (entier)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2138
++#: sssd.conf.5.xml:2146
+ msgid ""
+ "Number of days entries are left in cache after last successful login before "
+ "being removed during a cleanup of the cache. 0 means keep forever.  The "
+@@ -2905,17 +2913,17 @@ msgstr ""
+ "paramètre doit être supérieur ou égal à offline_credentials_expiration."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2145
++#: sssd.conf.5.xml:2153
+ msgid "Default: 0 (unlimited)"
+ msgstr "Par défaut : 0 (illimité)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2150
++#: sssd.conf.5.xml:2158
+ msgid "pwd_expiration_warning (integer)"
+ msgstr "pwd_expiration_warning (integer)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2161
++#: sssd.conf.5.xml:2169
+ msgid ""
+ "Please note that the backend server has to provide information about the "
+ "expiration time of the password.  If this information is missing, sssd "
+@@ -2928,17 +2936,17 @@ msgstr ""
+ "fournisseur oauth doit être configuré pour le moteur."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2168
++#: sssd.conf.5.xml:2176
+ msgid "Default: 7 (Kerberos), 0 (LDAP)"
+ msgstr "Par défaut : 7 (Kerberos), 0 (LDAP)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2174
++#: sssd.conf.5.xml:2182
+ msgid "id_provider (string)"
+ msgstr "id_provider (chaîne)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2177
++#: sssd.conf.5.xml:2185
+ msgid ""
+ "The identification provider used for the domain.  Supported ID providers are:"
+ msgstr ""
+@@ -2946,18 +2954,18 @@ msgstr ""
+ "d'identification pris en charge sont :"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2181
++#: sssd.conf.5.xml:2189
+ msgid "<quote>proxy</quote>: Support a legacy NSS provider."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2184
++#: sssd.conf.5.xml:2192
+ msgid ""
+ "<quote>local</quote>: SSSD internal provider for local users (DEPRECATED)."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2188
++#: sssd.conf.5.xml:2196
+ msgid ""
+ "<quote>files</quote>: FILES provider. See <citerefentry> <refentrytitle>sssd-"
+ "files</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> for more "
+@@ -2965,7 +2973,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2196
++#: sssd.conf.5.xml:2204
+ msgid ""
+ "<quote>ldap</quote>: LDAP provider. See <citerefentry> <refentrytitle>sssd-"
+ "ldap</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> for more "
+@@ -2977,8 +2985,8 @@ msgstr ""
+ "LDAP."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2204 sssd.conf.5.xml:2309 sssd.conf.5.xml:2364
+-#: sssd.conf.5.xml:2427
++#: sssd.conf.5.xml:2212 sssd.conf.5.xml:2317 sssd.conf.5.xml:2372
++#: sssd.conf.5.xml:2435
+ msgid ""
+ "<quote>ipa</quote>: FreeIPA and Red Hat Enterprise Identity Management "
+ "provider. See <citerefentry> <refentrytitle>sssd-ipa</refentrytitle> "
+@@ -2991,8 +2999,8 @@ msgstr ""
+ "configuration de FreeIPA."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2213 sssd.conf.5.xml:2318 sssd.conf.5.xml:2373
+-#: sssd.conf.5.xml:2436
++#: sssd.conf.5.xml:2221 sssd.conf.5.xml:2326 sssd.conf.5.xml:2381
++#: sssd.conf.5.xml:2444
+ msgid ""
+ "<quote>ad</quote>: Active Directory provider. See <citerefentry> "
+ "<refentrytitle>sssd-ad</refentrytitle> <manvolnum>5</manvolnum> </"
+@@ -3004,12 +3012,12 @@ msgstr ""
+ "d'Active Directory."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2224
++#: sssd.conf.5.xml:2232
+ msgid "use_fully_qualified_names (bool)"
+ msgstr "use_fully_qualified_names (booléen)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2227
++#: sssd.conf.5.xml:2235
+ msgid ""
+ "Use the full name and domain (as formatted by the domain's full_name_format) "
+ "as the user's login name reported to NSS."
+@@ -3019,7 +3027,7 @@ msgstr ""
+ "communiqué à NSS."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2232
++#: sssd.conf.5.xml:2240
+ msgid ""
+ "If set to TRUE, all requests to this domain must use fully qualified names. "
+ "For example, if used in LOCAL domain that contains a \"test\" user, "
+@@ -3033,7 +3041,7 @@ msgstr ""
+ "trouve."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2240
++#: sssd.conf.5.xml:2248
+ msgid ""
+ "NOTE: This option has no effect on netgroup lookups due to their tendency to "
+ "include nested netgroups without qualified names. For netgroups, all domains "
+@@ -3045,22 +3053,22 @@ msgstr ""
+ "qualifié sera demandé."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2247
++#: sssd.conf.5.xml:2255
+ msgid "Default: FALSE (TRUE if default_domain_suffix is used)"
+ msgstr "Par défaut : false (true si default_domain_suffix est utilisée)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2253
++#: sssd.conf.5.xml:2261
+ msgid "ignore_group_members (bool)"
+ msgstr "ignore_group_members (booléen)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2256
++#: sssd.conf.5.xml:2264
+ msgid "Do not return group members for group lookups."
+ msgstr "Ne pas envoyer les membres des groupes sur les recherches de groupes."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2259
++#: sssd.conf.5.xml:2267
+ msgid ""
+ "If set to TRUE, the group membership attribute is not requested from the "
+ "ldap server, and group members are not returned when processing group lookup "
+@@ -3072,7 +3080,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2277
++#: sssd.conf.5.xml:2285
+ msgid ""
+ "Enabling this option can also make access provider checks for group "
+ "membership significantly faster, especially for groups containing many "
+@@ -3080,12 +3088,12 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2288
++#: sssd.conf.5.xml:2296
+ msgid "auth_provider (string)"
+ msgstr "auth_provider (chaîne)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2291
++#: sssd.conf.5.xml:2299
+ msgid ""
+ "The authentication provider used for the domain.  Supported auth providers "
+ "are:"
+@@ -3094,7 +3102,7 @@ msgstr ""
+ "pris en charge sont :"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2295 sssd.conf.5.xml:2357
++#: sssd.conf.5.xml:2303 sssd.conf.5.xml:2365
+ msgid ""
+ "<quote>ldap</quote> for native LDAP authentication. See <citerefentry> "
+ "<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
+@@ -3106,7 +3114,7 @@ msgstr ""
+ "LDAP."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2302
++#: sssd.conf.5.xml:2310
+ msgid ""
+ "<quote>krb5</quote> for Kerberos authentication. See <citerefentry> "
+ "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </"
+@@ -3117,7 +3125,7 @@ msgstr ""
+ "citerefentry> pour plus d'informations sur la configuration de Kerberos."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2326
++#: sssd.conf.5.xml:2334
+ msgid ""
+ "<quote>proxy</quote> for relaying authentication to some other PAM target."
+ msgstr ""
+@@ -3125,18 +3133,18 @@ msgstr ""
+ "PAM."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2329
++#: sssd.conf.5.xml:2337
+ msgid "<quote>local</quote>: SSSD internal provider for local users"
+ msgstr ""
+ "<quote>local</quote> : Fournisseur interne SSSD pour les utilisateurs locaux"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2333
++#: sssd.conf.5.xml:2341
+ msgid "<quote>none</quote> disables authentication explicitly."
+ msgstr "<quote>none</quote> désactive l'authentification explicitement."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2336
++#: sssd.conf.5.xml:2344
+ msgid ""
+ "Default: <quote>id_provider</quote> is used if it is set and can handle "
+ "authentication requests."
+@@ -3145,12 +3153,12 @@ msgstr ""
+ "gérer les requêtes d'authentification."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2342
++#: sssd.conf.5.xml:2350
+ msgid "access_provider (string)"
+ msgstr "access_provider (chaîne)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2345
++#: sssd.conf.5.xml:2353
+ msgid ""
+ "The access control provider used for the domain.  There are two built-in "
+ "access providers (in addition to any included in installed backends)  "
+@@ -3161,7 +3169,7 @@ msgstr ""
+ "installés). Les fournisseurs internes spécifiques sont :"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2351
++#: sssd.conf.5.xml:2359
+ msgid ""
+ "<quote>permit</quote> always allow access. It's the only permitted access "
+ "provider for a local domain."
+@@ -3170,12 +3178,12 @@ msgstr ""
+ "d'accès autorisé pour un domaine local."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2354
++#: sssd.conf.5.xml:2362
+ msgid "<quote>deny</quote> always deny access."
+ msgstr "<quote>deny</quote> toujours refuser les accès."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2381
++#: sssd.conf.5.xml:2389
+ msgid ""
+ "<quote>simple</quote> access control based on access or deny lists. See "
+ "<citerefentry> <refentrytitle>sssd-simple</refentrytitle> <manvolnum>5</"
+@@ -3188,7 +3196,7 @@ msgstr ""
+ "d'informations sur la configuration du module d'accès simple."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2388
++#: sssd.conf.5.xml:2396
+ msgid ""
+ "<quote>krb5</quote>: .k5login based access control.  See <citerefentry> "
+ "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum></"
+@@ -3196,22 +3204,22 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2395
++#: sssd.conf.5.xml:2403
+ msgid "<quote>proxy</quote> for relaying access control to another PAM module."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2398
++#: sssd.conf.5.xml:2406
+ msgid "Default: <quote>permit</quote>"
+ msgstr "Par défaut : <quote>permit</quote>"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2403
++#: sssd.conf.5.xml:2411
+ msgid "chpass_provider (string)"
+ msgstr "chpass_provider (chaîne)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2406
++#: sssd.conf.5.xml:2414
+ msgid ""
+ "The provider which should handle change password operations for the domain.  "
+ "Supported change password providers are:"
+@@ -3220,7 +3228,7 @@ msgstr ""
+ "domaine. Les fournisseurs pris en charge sont :"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2411
++#: sssd.conf.5.xml:2419
+ msgid ""
+ "<quote>ldap</quote> to change a password stored in a LDAP server. See "
+ "<citerefentry> <refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</"
+@@ -3228,7 +3236,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2419
++#: sssd.conf.5.xml:2427
+ msgid ""
+ "<quote>krb5</quote> to change the Kerberos password. See <citerefentry> "
+ "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </"
+@@ -3240,7 +3248,7 @@ msgstr ""
+ "Kerberos."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2444
++#: sssd.conf.5.xml:2452
+ msgid ""
+ "<quote>proxy</quote> for relaying password changes to some other PAM target."
+ msgstr ""
+@@ -3248,14 +3256,14 @@ msgstr ""
+ "autre cible PAM."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2448
++#: sssd.conf.5.xml:2456
+ msgid "<quote>none</quote> disallows password changes explicitly."
+ msgstr ""
+ "<quote>none</quote> pour désactiver explicitement le changement de mot de "
+ "passe."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2451
++#: sssd.conf.5.xml:2459
+ msgid ""
+ "Default: <quote>auth_provider</quote> is used if it is set and can handle "
+ "change password requests."
+@@ -3264,19 +3272,19 @@ msgstr ""
+ "peut gérer les changements de mot de passe."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2458
++#: sssd.conf.5.xml:2466
+ msgid "sudo_provider (string)"
+ msgstr "sudo_provider (chaîne)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2461
++#: sssd.conf.5.xml:2469
+ msgid "The SUDO provider used for the domain.  Supported SUDO providers are:"
+ msgstr ""
+ "Le fournisseur SUDO, utilisé pour le domaine.  Les fournisseurs SUDO pris en "
+ "charge sont :"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2465
++#: sssd.conf.5.xml:2473
+ msgid ""
+ "<quote>ldap</quote> for rules stored in LDAP. See <citerefentry> "
+ "<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
+@@ -3288,7 +3296,7 @@ msgstr ""
+ "LDAP."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2473
++#: sssd.conf.5.xml:2481
+ msgid ""
+ "<quote>ipa</quote> the same as <quote>ldap</quote> but with IPA default "
+ "settings."
+@@ -3297,7 +3305,7 @@ msgstr ""
+ "par défaut pour IPA."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2477
++#: sssd.conf.5.xml:2485
+ msgid ""
+ "<quote>ad</quote> the same as <quote>ldap</quote> but with AD default "
+ "settings."
+@@ -3306,20 +3314,20 @@ msgstr ""
+ "par défaut pour AD."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2481
++#: sssd.conf.5.xml:2489
+ msgid "<quote>none</quote> disables SUDO explicitly."
+ msgstr "<quote>none</quote> désactive explicitement SUDO."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2484 sssd.conf.5.xml:2570 sssd.conf.5.xml:2640
+-#: sssd.conf.5.xml:2665
++#: sssd.conf.5.xml:2492 sssd.conf.5.xml:2578 sssd.conf.5.xml:2648
++#: sssd.conf.5.xml:2673
+ msgid "Default: The value of <quote>id_provider</quote> is used if it is set."
+ msgstr ""
+ "Par défaut : La valeur de <quote>id_provider</quote> est utilisée si elle "
+ "est définie."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2488
++#: sssd.conf.5.xml:2496
+ msgid ""
+ "The detailed instructions for configuration of sudo_provider are in the "
+ "manual page <citerefentry> <refentrytitle>sssd-sudo</refentrytitle> "
+@@ -3330,7 +3338,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2503
++#: sssd.conf.5.xml:2511
+ msgid ""
+ "<emphasis>NOTE:</emphasis> Sudo rules are periodically downloaded in the "
+ "background unless the sudo provider is explicitly disabled. Set "
+@@ -3339,12 +3347,12 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2513
++#: sssd.conf.5.xml:2521
+ msgid "selinux_provider (string)"
+ msgstr "selinux_provider (string)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2516
++#: sssd.conf.5.xml:2524
+ msgid ""
+ "The provider which should handle loading of selinux settings. Note that this "
+ "provider will be called right after access provider ends.  Supported selinux "
+@@ -3355,7 +3363,7 @@ msgstr ""
+ "fournisseur d'accès.  Les fournisseurs selinux pris en charge sont :"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2522
++#: sssd.conf.5.xml:2530
+ msgid ""
+ "<quote>ipa</quote> to load selinux settings from an IPA server. See "
+ "<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</"
+@@ -3367,14 +3375,14 @@ msgstr ""
+ "IPA."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2530
++#: sssd.conf.5.xml:2538
+ msgid "<quote>none</quote> disallows fetching selinux settings explicitly."
+ msgstr ""
+ "<quote>none</quote> n'autorise pas la récupération explicite des paramètres "
+ "selinux."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2533
++#: sssd.conf.5.xml:2541
+ msgid ""
+ "Default: <quote>id_provider</quote> is used if it is set and can handle "
+ "selinux loading requests."
+@@ -3383,12 +3391,12 @@ msgstr ""
+ "gérer le chargement selinux"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2539
++#: sssd.conf.5.xml:2547
+ msgid "subdomains_provider (string)"
+ msgstr "subdomains_provider (string)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2542
++#: sssd.conf.5.xml:2550
+ msgid ""
+ "The provider which should handle fetching of subdomains. This value should "
+ "be always the same as id_provider.  Supported subdomain providers are:"
+@@ -3398,7 +3406,7 @@ msgstr ""
+ "fournisseurs de sous-domaine pris en charge sont :"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2548
++#: sssd.conf.5.xml:2556
+ msgid ""
+ "<quote>ipa</quote> to load a list of subdomains from an IPA server. See "
+ "<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</"
+@@ -3410,7 +3418,7 @@ msgstr ""
+ "IPA."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2557
++#: sssd.conf.5.xml:2565
+ msgid ""
+ "<quote>ad</quote> to load a list of subdomains from an Active Directory "
+ "server. See <citerefentry> <refentrytitle>sssd-ad</refentrytitle> "
+@@ -3419,18 +3427,18 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2566
++#: sssd.conf.5.xml:2574
+ msgid "<quote>none</quote> disallows fetching subdomains explicitly."
+ msgstr ""
+ "<quote>none</quote> désactive la récupération explicite des sous-domaines."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2576
++#: sssd.conf.5.xml:2584
+ msgid "session_provider (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2579
++#: sssd.conf.5.xml:2587
+ msgid ""
+ "The provider which configures and manages user session related tasks. The "
+ "only user session task currently provided is the integration with Fleet "
+@@ -3438,37 +3446,37 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2586
++#: sssd.conf.5.xml:2594
+ msgid "<quote>ipa</quote> to allow performing user session related tasks."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2590
++#: sssd.conf.5.xml:2598
+ msgid ""
+ "<quote>none</quote> does not perform any kind of user session related tasks."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2594
++#: sssd.conf.5.xml:2602
+ msgid ""
+ "Default: <quote>id_provider</quote> is used if it is set and can perform "
+ "session related tasks."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2598
++#: sssd.conf.5.xml:2606
+ msgid ""
+ "<emphasis>NOTE:</emphasis> In order to have this feature working as expected "
+ "SSSD must be running as \"root\" and not as the unprivileged user."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2606
++#: sssd.conf.5.xml:2614
+ msgid "autofs_provider (string)"
+ msgstr "autofs_provider (string)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2609
++#: sssd.conf.5.xml:2617
+ msgid ""
+ "The autofs provider used for the domain.  Supported autofs providers are:"
+ msgstr ""
+@@ -3476,7 +3484,7 @@ msgstr ""
+ "en charge sont :"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2613
++#: sssd.conf.5.xml:2621
+ msgid ""
+ "<quote>ldap</quote> to load maps stored in LDAP. See <citerefentry> "
+ "<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
+@@ -3488,7 +3496,7 @@ msgstr ""
+ "LDAP."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2620
++#: sssd.conf.5.xml:2628
+ msgid ""
+ "<quote>ipa</quote> to load maps stored in an IPA server. See <citerefentry> "
+ "<refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</manvolnum> </"
+@@ -3500,7 +3508,7 @@ msgstr ""
+ "IPA."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2628
++#: sssd.conf.5.xml:2636
+ msgid ""
+ "<quote>ad</quote> to load maps stored in an AD server. See <citerefentry> "
+ "<refentrytitle>sssd-ad</refentrytitle> <manvolnum>5</manvolnum> </"
+@@ -3508,17 +3516,17 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2637
++#: sssd.conf.5.xml:2645
+ msgid "<quote>none</quote> disables autofs explicitly."
+ msgstr "<quote>none</quote> désactive explicitement autofs."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2647
++#: sssd.conf.5.xml:2655
+ msgid "hostid_provider (string)"
+ msgstr "hostid_provider (string)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2650
++#: sssd.conf.5.xml:2658
+ msgid ""
+ "The provider used for retrieving host identity information.  Supported "
+ "hostid providers are:"
+@@ -3527,7 +3535,7 @@ msgstr ""
+ "systèmes.  Les fournisseurs de hostid pris en charge sont :"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2654
++#: sssd.conf.5.xml:2662
+ msgid ""
+ "<quote>ipa</quote> to load host identity stored in an IPA server. See "
+ "<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</"
+@@ -3539,12 +3547,12 @@ msgstr ""
+ "configuration de IPA."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2662
++#: sssd.conf.5.xml:2670
+ msgid "<quote>none</quote> disables hostid explicitly."
+ msgstr "<quote>none</quote> désactive explicitement hostid."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2675
++#: sssd.conf.5.xml:2683
+ msgid ""
+ "Regular expression for this domain that describes how to parse the string "
+ "containing user name and domain into these components.  The \"domain\" can "
+@@ -3560,7 +3568,7 @@ msgstr ""
+ "domaine."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2684
++#: sssd.conf.5.xml:2692
+ msgid ""
+ "Default for the AD and IPA provider: <quote>(((?P&lt;domain&gt;[^\\\\]+)\\"
+ "\\(?P&lt;name&gt;.+$))|((?P&lt;name&gt;[^@]+)@(?P&lt;domain&gt;.+$))|(^(?"
+@@ -3573,22 +3581,22 @@ msgstr ""
+ "styles différents pour les noms d'utilisateurs :"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd.conf.5.xml:2689
++#: sssd.conf.5.xml:2697
+ msgid "username"
+ msgstr "username"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd.conf.5.xml:2692
++#: sssd.conf.5.xml:2700
+ msgid "username@domain.name"
+ msgstr "username@domain.name"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd.conf.5.xml:2695
++#: sssd.conf.5.xml:2703
+ msgid "domain\\username"
+ msgstr "domain\\username"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2698
++#: sssd.conf.5.xml:2706
+ msgid ""
+ "While the first two correspond to the general default the third one is "
+ "introduced to allow easy integration of users from Windows domains."
+@@ -3598,7 +3606,7 @@ msgstr ""
+ "utilisateurs de domaines Windows."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2703
++#: sssd.conf.5.xml:2711
+ msgid ""
+ "Default: <quote>(?P&lt;name&gt;[^@]+)@?(?P&lt;domain&gt;[^@]*$)</quote> "
+ "which translates to \"the name is everything up to the <quote>@</quote> "
+@@ -3609,7 +3617,7 @@ msgstr ""
+ "importe le domaine après »"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2709
++#: sssd.conf.5.xml:2717
+ msgid ""
+ "NOTE: Some Active Directory groups, typically those used for MS Exchange "
+ "contain an <quote>@</quote> sign in the name, which clashes with the default "
+@@ -3619,17 +3627,17 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2760
++#: sssd.conf.5.xml:2768
+ msgid "Default: <quote>%1$s@%2$s</quote>."
+ msgstr "Par défaut : <quote>%1$s@%2$s</quote>."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2766
++#: sssd.conf.5.xml:2774
+ msgid "lookup_family_order (string)"
+ msgstr "lookup_family_order (chaîne)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2769
++#: sssd.conf.5.xml:2777
+ msgid ""
+ "Provides the ability to select preferred address family to use when "
+ "performing DNS lookups."
+@@ -3638,48 +3646,48 @@ msgstr ""
+ "utiliser pour effectuer les requêtes DNS."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2773
++#: sssd.conf.5.xml:2781
+ msgid "Supported values:"
+ msgstr "Valeurs prises en charge :"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2776
++#: sssd.conf.5.xml:2784
+ msgid "ipv4_first: Try looking up IPv4 address, if that fails, try IPv6"
+ msgstr ""
+ "ipv4_first : essayer de chercher une adresse IPv4, et en cas d'échec, "
+ "essayer IPv6."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2779
++#: sssd.conf.5.xml:2787
+ msgid "ipv4_only: Only attempt to resolve hostnames to IPv4 addresses."
+ msgstr ""
+ "ipv4_only : ne tenter de résoudre les noms de systèmes qu'en adresses IPv4."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2782
++#: sssd.conf.5.xml:2790
+ msgid "ipv6_first: Try looking up IPv6 address, if that fails, try IPv4"
+ msgstr ""
+ "ipv6_first : essayer de chercher une adresse IPv6, et en cas d'échec, tenter "
+ "IPv4."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2785
++#: sssd.conf.5.xml:2793
+ msgid "ipv6_only: Only attempt to resolve hostnames to IPv6 addresses."
+ msgstr ""
+ "ipv6_only : ne tenter de résoudre les noms de systèmes qu'en adresses IPv6."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2788
++#: sssd.conf.5.xml:2796
+ msgid "Default: ipv4_first"
+ msgstr "Par défaut : ipv4_first"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2794
++#: sssd.conf.5.xml:2802
+ msgid "dns_resolver_timeout (integer)"
+ msgstr "dns_resolver_timeout (entier)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2797
++#: sssd.conf.5.xml:2805
+ msgid ""
+ "Defines the amount of time (in seconds) to wait for a reply from the "
+ "internal fail over service before assuming that the service is unreachable. "
+@@ -3688,25 +3696,25 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2804
++#: sssd.conf.5.xml:2812
+ msgid ""
+ "Please see the section <quote>FAILOVER</quote> for more information about "
+ "the service resolution."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2809 sssd-ldap.5.xml:1434 sssd-ldap.5.xml:1476
++#: sssd.conf.5.xml:2817 sssd-ldap.5.xml:1434 sssd-ldap.5.xml:1476
+ #: sssd-ldap.5.xml:1494 sssd-krb5.5.xml:248
+ msgid "Default: 6"
+ msgstr "Par défaut : 6"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2815
++#: sssd.conf.5.xml:2823
+ msgid "dns_discovery_domain (string)"
+ msgstr "dns_discovery_domain (chaîne)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2818
++#: sssd.conf.5.xml:2826
+ msgid ""
+ "If service discovery is used in the back end, specifies the domain part of "
+ "the service discovery DNS query."
+@@ -3715,54 +3723,54 @@ msgstr ""
+ "du domaine faisant partie de la requête DNS de découverte de services."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2822
++#: sssd.conf.5.xml:2830
+ msgid "Default: Use the domain part of machine's hostname"
+ msgstr ""
+ "Par défaut : utiliser la partie du domaine qui est dans le nom de système de "
+ "la machine."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2828
++#: sssd.conf.5.xml:2836
+ msgid "override_gid (integer)"
+ msgstr "override_gid (entier)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2831
++#: sssd.conf.5.xml:2839
+ msgid "Override the primary GID value with the one specified."
+ msgstr "Redéfinit le GID primaire avec la valeur spécifiée."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2837
++#: sssd.conf.5.xml:2845
+ msgid "case_sensitive (string)"
+ msgstr "case_sensitive (chaîne)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2845
++#: sssd.conf.5.xml:2853
+ msgid "True"
+ msgstr "True"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2848
++#: sssd.conf.5.xml:2856
+ msgid "Case sensitive. This value is invalid for AD provider."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2854
++#: sssd.conf.5.xml:2862
+ msgid "False"
+ msgstr "False"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2856
++#: sssd.conf.5.xml:2864
+ msgid "Case insensitive."
+ msgstr "Insensible à la casse."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2860
++#: sssd.conf.5.xml:2868
+ msgid "Preserving"
+ msgstr "Preserving"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2863
++#: sssd.conf.5.xml:2871
+ msgid ""
+ "Same as False (case insensitive), but does not lowercase names in the result "
+ "of NSS operations. Note that name aliases (and in case of services also "
+@@ -3774,7 +3782,7 @@ msgstr ""
+ "sortie."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2840
++#: sssd.conf.5.xml:2848
+ msgid ""
+ "Treat user and group names as case sensitive. At the moment, this option is "
+ "not supported in the local provider. Possible option values are: "
+@@ -3782,17 +3790,17 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2875
++#: sssd.conf.5.xml:2883
+ msgid "Default: True (False for AD provider)"
+ msgstr "Par défaut : true (false pour le fournisseur AD)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2881
++#: sssd.conf.5.xml:2889
+ msgid "subdomain_inherit (string)"
+ msgstr "subdomain_inherit (chaîne)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2884
++#: sssd.conf.5.xml:2892
+ msgid ""
+ "Specifies a list of configuration parameters that should be inherited by a "
+ "subdomain. Please note that only selected parameters can be inherited.  "
+@@ -3800,34 +3808,34 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2890
++#: sssd.conf.5.xml:2898
+ msgid "ignore_group_members"
+ msgstr "ignore_group_members"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2893
++#: sssd.conf.5.xml:2901
+ msgid "ldap_purge_cache_timeout"
+ msgstr "ldap_purge_cache_timeout"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2896 sssd-ldap.5.xml:1158
++#: sssd.conf.5.xml:2904 sssd-ldap.5.xml:1158
+ msgid "ldap_use_tokengroups"
+ msgstr "ldap_use_tokengroups"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2899
++#: sssd.conf.5.xml:2907
+ msgid "ldap_user_principal"
+ msgstr "ldap_user_principal"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2902
++#: sssd.conf.5.xml:2910
+ msgid ""
+ "ldap_krb5_keytab (the value of krb5_keytab will be used if ldap_krb5_keytab "
+ "is not set explicitly)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
+-#: sssd.conf.5.xml:2908
++#: sssd.conf.5.xml:2916
+ #, no-wrap
+ msgid ""
+ "subdomain_inherit = ldap_purge_cache_timeout\n"
+@@ -3837,32 +3845,32 @@ msgstr ""
+ "                            "
+ 
+ #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2906 sssd-secrets.5.xml:448
++#: sssd.conf.5.xml:2914 sssd-secrets.5.xml:448
+ msgid "Example: <placeholder type=\"programlisting\" id=\"0\"/>"
+ msgstr "Exemple : <placeholder type=\"programlisting\" id=\"0\"/>"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2915
++#: sssd.conf.5.xml:2923
+ msgid "Note: This option only works with the IPA and AD provider."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2922
++#: sssd.conf.5.xml:2930
+ msgid "subdomain_homedir (string)"
+ msgstr "subdomain_homedir (string)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2933
++#: sssd.conf.5.xml:2941
+ msgid "%F"
+ msgstr "%F"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2934
++#: sssd.conf.5.xml:2942
+ msgid "flat (NetBIOS) name of a subdomain."
+ msgstr "nom plat (NetBIOS) d'un sous-domaine."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2925
++#: sssd.conf.5.xml:2933
+ msgid ""
+ "Use this homedir as default value for all subdomains within this domain in "
+ "IPA AD trust.  See <emphasis>override_homedir</emphasis> for info about "
+@@ -3878,7 +3886,7 @@ msgstr ""
+ "\"variablelist\" id=\"0\"/>"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2939
++#: sssd.conf.5.xml:2947
+ msgid ""
+ "The value can be overridden by <emphasis>override_homedir</emphasis> option."
+ msgstr ""
+@@ -3886,17 +3894,17 @@ msgstr ""
+ "emphasis>."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2943
++#: sssd.conf.5.xml:2951
+ msgid "Default: <filename>/home/%d/%u</filename>"
+ msgstr "Par défaut : <filename>/home/%d/%u</filename>"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2948
++#: sssd.conf.5.xml:2956
+ msgid "realmd_tags (string)"
+ msgstr "realmd_tags (chaîne)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2951
++#: sssd.conf.5.xml:2959
+ msgid ""
+ "Various tags stored by the realmd configuration service for this domain."
+ msgstr ""
+@@ -3904,25 +3912,33 @@ msgstr ""
+ "ce domaine."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2957
++#: sssd.conf.5.xml:2965
+ msgid "cached_auth_timeout (int)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2960
++#: sssd.conf.5.xml:2968
+ msgid ""
+ "Specifies time in seconds since last successful online authentication for "
+ "which user will be authenticated using cached credentials while SSSD is in "
+-"the online mode."
++"the online mode. If the credentials are incorrect, SSSD falls back to online "
++"authentication."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2966
++#: sssd.conf.5.xml:2976
++msgid ""
++"This option's value is inherited by all trusted domains. At the moment it is "
++"not possible to set a different value per trusted domain."
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
++#: sssd.conf.5.xml:2981
+ msgid "Special value 0 implies that this feature is disabled."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2970
++#: sssd.conf.5.xml:2985
+ msgid ""
+ "Please note that if <quote>cached_auth_timeout</quote> is longer than "
+ "<quote>pam_id_timeout</quote> then the back end could be called to handle "
+@@ -3930,43 +3946,52 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2981
++#: sssd.conf.5.xml:2996
+ msgid "auto_private_groups (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2987
++#: sssd.conf.5.xml:3002
+ msgid "true"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2990
++#: sssd.conf.5.xml:3005
+ msgid ""
+ "Create user's private group unconditionally from user's UID number.  The GID "
+ "number is ignored in this case."
+ msgstr ""
+ 
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
++#: sssd.conf.5.xml:3009
++msgid ""
++"NOTE: Because the GID number and the user private group are inferred from "
++"the UID number, it is not supported to have multiple entries with the same "
++"UID or GID number with this option. In other words, enabling this option "
++"enforces uniqueness across the ID space."
++msgstr ""
++
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2996
++#: sssd.conf.5.xml:3018
+ #, fuzzy
+ #| msgid "False"
+ msgid "false"
+ msgstr "False"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2999
++#: sssd.conf.5.xml:3021
+ msgid ""
+ "Always use the user's primary GID number. The GID number must refer to a "
+ "group object in the LDAP database."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:3005
++#: sssd.conf.5.xml:3027
+ msgid "hybrid"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3008
++#: sssd.conf.5.xml:3030
+ msgid ""
+ "A primary group is autogenerated for user entries whose UID and GID numbers "
+ "have the same value and at the same time the GID number does not correspond "
+@@ -3976,14 +4001,14 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3021
++#: sssd.conf.5.xml:3043
+ msgid ""
+ "If the UID and GID of a user are different, then the GID must correspond to "
+ "a group entry, otherwise the GID is simply not resolvable."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3028
++#: sssd.conf.5.xml:3050
+ msgid ""
+ "This feature is useful for environments that wish to stop maintaining a "
+ "separate group objects for the user private groups, but also wish to retain "
+@@ -3991,7 +4016,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2984
++#: sssd.conf.5.xml:2999
+ #, fuzzy
+ #| msgid ""
+ #| "Options valid for proxy domains.  <placeholder type=\"variablelist\" id="
+@@ -4004,27 +4029,36 @@ msgstr ""
+ "id=\"0\"/>"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3040
++#: sssd.conf.5.xml:3062
+ msgid ""
+-"For POSIX subdomains, setting the option in the main domain is inherited in "
+-"the subdomain."
++"For subdomains, the default value is False for subdomains that use assigned "
++"POSIX IDs and True for subdomains that use automatic ID-mapping."
+ msgstr ""
+ 
+-#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3044
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
++#: sssd.conf.5.xml:3070
++#, no-wrap
++msgid ""
++"[domain/forest.domain/sub.domain]\n"
++"auto_private_groups = false\n"
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
++#: sssd.conf.5.xml:3076
++#, no-wrap
+ msgid ""
+-"For ID-mapping subdomains, auto_private_groups is already enabled for the "
+-"subdomains and setting it to false will not have any effect for the "
+-"subdomain."
++"[domain/forest.domain]\n"
++"subdomain_inherit = auto_private_groups\n"
++"auto_private_groups = false\n"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3049
++#: sssd.conf.5.xml:3067
+ msgid ""
+-"NOTE: Because the GID number and the user private group are inferred from "
+-"the UID number, it is not supported to have multiple entries with the same "
+-"UID or GID number with this option. In other words, enabling this option "
+-"enforces uniqueness across the ID space."
++"The value of auto_private_groups can either be set per subdomains in a "
++"subsection, for example: <placeholder type=\"programlisting\" id=\"0\"/> or "
++"globally for all subdomains in the main domain section using the "
++"subdomain_inherit option: <placeholder type=\"programlisting\" id=\"1\"/>"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+@@ -4040,17 +4074,17 @@ msgstr ""
+ "id=\"0\"/>"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:3068
++#: sssd.conf.5.xml:3091
+ msgid "proxy_pam_target (string)"
+ msgstr "proxy_pam_target (chaîne)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3071
++#: sssd.conf.5.xml:3094
+ msgid "The proxy target PAM proxies to."
+ msgstr "Le proxy cible duquel PAM devient mandataire."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3074
++#: sssd.conf.5.xml:3097
+ msgid ""
+ "Default: not set by default, you have to take an existing pam configuration "
+ "or create a new one and add the service name here."
+@@ -4059,12 +4093,12 @@ msgstr ""
+ "ou en créer une nouvelle et ajouter le nom de service ici."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:3082
++#: sssd.conf.5.xml:3105
+ msgid "proxy_lib_name (string)"
+ msgstr "proxy_lib_name (chaîne)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3085
++#: sssd.conf.5.xml:3108
+ msgid ""
+ "The name of the NSS library to use in proxy domains. The NSS functions "
+ "searched for in the library are in the form of _nss_$(libName)_$(function), "
+@@ -4075,12 +4109,12 @@ msgstr ""
+ "$(libName)_$(function), par exemple _nss_files_getpwent."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:3095
++#: sssd.conf.5.xml:3118
+ msgid "proxy_fast_alias (boolean)"
+ msgstr "proxy_fast_alias (boolean)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3098
++#: sssd.conf.5.xml:3121
+ msgid ""
+ "When a user or group is looked up by name in the proxy provider, a second "
+ "lookup by ID is performed to \"canonicalize\" the name in case the requested "
+@@ -4094,12 +4128,12 @@ msgstr ""
+ "afin d'améliorer les performances."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:3112
++#: sssd.conf.5.xml:3135
+ msgid "proxy_max_children (integer)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3115
++#: sssd.conf.5.xml:3138
+ msgid ""
+ "This option specifies the number of pre-forked proxy children. It is useful "
+ "for high-load SSSD environments where sssd may run out of available child "
+@@ -4107,7 +4141,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd.conf.5.xml:3064
++#: sssd.conf.5.xml:3087
+ msgid ""
+ "Options valid for proxy domains.  <placeholder type=\"variablelist\" id="
+ "\"0\"/>"
+@@ -4116,12 +4150,12 @@ msgstr ""
+ "id=\"0\"/>"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><title>
+-#: sssd.conf.5.xml:3131
++#: sssd.conf.5.xml:3154
+ msgid "Application domains"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para>
+-#: sssd.conf.5.xml:3133
++#: sssd.conf.5.xml:3156
+ msgid ""
+ "SSSD, with its D-Bus interface (see <citerefentry> <refentrytitle>sssd-ifp</"
+ "refentrytitle> <manvolnum>5</manvolnum> </citerefentry>) is appealing to "
+@@ -4138,7 +4172,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para>
+-#: sssd.conf.5.xml:3153
++#: sssd.conf.5.xml:3176
+ msgid ""
+ "Please note that the application domain must still be explicitly enabled in "
+ "the <quote>domains</quote> parameter so that the lookup order between the "
+@@ -4146,17 +4180,17 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><title>
+-#: sssd.conf.5.xml:3159
++#: sssd.conf.5.xml:3182
+ msgid "Application domain parameters"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:3161
++#: sssd.conf.5.xml:3184
+ msgid "inherit_from (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3164
++#: sssd.conf.5.xml:3187
+ msgid ""
+ "The SSSD POSIX-type domain the application domain inherits all settings "
+ "from. The application domain can moreover add its own settings to the "
+@@ -4165,7 +4199,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para>
+-#: sssd.conf.5.xml:3178
++#: sssd.conf.5.xml:3201
+ msgid ""
+ "The following example illustrates the use of an application domain. In this "
+ "setup, the POSIX domain is connected to an LDAP server and is used by the OS "
+@@ -4175,7 +4209,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><programlisting>
+-#: sssd.conf.5.xml:3186
++#: sssd.conf.5.xml:3209
+ #, no-wrap
+ msgid ""
+ "[sssd]\n"
+@@ -4195,12 +4229,12 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><title>
+-#: sssd.conf.5.xml:3204
++#: sssd.conf.5.xml:3227
+ msgid "The local domain section"
+ msgstr "La section du domaine local"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para>
+-#: sssd.conf.5.xml:3206
++#: sssd.conf.5.xml:3229
+ msgid ""
+ "This section contains settings for domain that stores users and groups in "
+ "SSSD native database, that is, a domain that uses "
+@@ -4211,29 +4245,29 @@ msgstr ""
+ "dire un domaine qui utilise <replaceable>id_provider=local</replaceable>."
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:3213
++#: sssd.conf.5.xml:3236
+ msgid "default_shell (string)"
+ msgstr "default_shell (chaîne)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3216
++#: sssd.conf.5.xml:3239
+ msgid "The default shell for users created with SSSD userspace tools."
+ msgstr ""
+ "L'interpréteur de commandes par défaut pour les utilisateurs créés avec les "
+ "outils en espace utilisateur SSSD."
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3220
++#: sssd.conf.5.xml:3243
+ msgid "Default: <filename>/bin/bash</filename>"
+ msgstr "Par défaut : <filename>/bin/bash</filename>"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:3225
++#: sssd.conf.5.xml:3248
+ msgid "base_directory (string)"
+ msgstr "base_directory (chaîne)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3228
++#: sssd.conf.5.xml:3251
+ msgid ""
+ "The tools append the login name to <replaceable>base_directory</replaceable> "
+ "and use that as the home directory."
+@@ -4242,17 +4276,17 @@ msgstr ""
+ "replaceable> et l'utilisent comme dossier personnel."
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3233
++#: sssd.conf.5.xml:3256
+ msgid "Default: <filename>/home</filename>"
+ msgstr "Par défaut : <filename>/home</filename>"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:3238
++#: sssd.conf.5.xml:3261
+ msgid "create_homedir (bool)"
+ msgstr "create_homedir (booléen)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3241
++#: sssd.conf.5.xml:3264
+ msgid ""
+ "Indicate if a home directory should be created by default for new users.  "
+ "Can be overridden on command line."
+@@ -4261,17 +4295,17 @@ msgstr ""
+ "utilisateurs. Peut être outrepassé par la ligne de commande."
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3245 sssd.conf.5.xml:3257
++#: sssd.conf.5.xml:3268 sssd.conf.5.xml:3280
+ msgid "Default: TRUE"
+ msgstr "Par défaut : TRUE"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:3250
++#: sssd.conf.5.xml:3273
+ msgid "remove_homedir (bool)"
+ msgstr "remove_homedir (booléen)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3253
++#: sssd.conf.5.xml:3276
+ msgid ""
+ "Indicate if a home directory should be removed by default for deleted "
+ "users.  Can be overridden on command line."
+@@ -4280,12 +4314,12 @@ msgstr ""
+ "suppression des utilisateurs. Peut être outrepassé par la ligne de commande."
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:3262
++#: sssd.conf.5.xml:3285
+ msgid "homedir_umask (integer)"
+ msgstr "homedir_umask (entier)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3265
++#: sssd.conf.5.xml:3288
+ msgid ""
+ "Used by <citerefentry> <refentrytitle>sss_useradd</refentrytitle> "
+ "<manvolnum>8</manvolnum> </citerefentry> to specify the default permissions "
+@@ -4296,17 +4330,17 @@ msgstr ""
+ "défaut sur un répertoire personnel nouvellement créé."
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3273
++#: sssd.conf.5.xml:3296
+ msgid "Default: 077"
+ msgstr "Par défaut : 077"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:3278
++#: sssd.conf.5.xml:3301
+ msgid "skel_dir (string)"
+ msgstr "skel_dir (chaîne)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3281
++#: sssd.conf.5.xml:3304
+ msgid ""
+ "The skeleton directory, which contains files and directories to be copied in "
+ "the user's home directory, when the home directory is created by "
+@@ -4319,17 +4353,17 @@ msgstr ""
+ "manvolnum> </citerefentry>"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3291
++#: sssd.conf.5.xml:3314
+ msgid "Default: <filename>/etc/skel</filename>"
+ msgstr "Par défaut : <filename>/etc/skel</filename>"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:3296
++#: sssd.conf.5.xml:3319
+ msgid "mail_dir (string)"
+ msgstr "mail_dir (chaîne)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3299
++#: sssd.conf.5.xml:3322
+ msgid ""
+ "The mail spool directory. This is needed to manipulate the mailbox when its "
+ "corresponding user account is modified or deleted.  If not specified, a "
+@@ -4340,17 +4374,17 @@ msgstr ""
+ "précisé, la valeur par défaut est utilisée."
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3306
++#: sssd.conf.5.xml:3329
+ msgid "Default: <filename>/var/mail</filename>"
+ msgstr "Par défaut : <filename>/var/mail</filename>"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:3311
++#: sssd.conf.5.xml:3334
+ msgid "userdel_cmd (string)"
+ msgstr "userdel_cmd (chaîne)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3314
++#: sssd.conf.5.xml:3337
+ msgid ""
+ "The command that is run after a user is removed.  The command us passed the "
+ "username of the user being removed as the first and only parameter. The "
+@@ -4361,17 +4395,17 @@ msgstr ""
+ "code en retour de la commande n'est pas pris en compte."
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3320
++#: sssd.conf.5.xml:3343
+ msgid "Default: None, no command is run"
+ msgstr "Par défaut : None, aucune commande lancée"
+ 
+ #. type: Content of: <reference><refentry><refsect1><title>
+-#: sssd.conf.5.xml:3330
++#: sssd.conf.5.xml:3353
+ msgid "TRUSTED DOMAIN SECTION"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd.conf.5.xml:3332
++#: sssd.conf.5.xml:3355
+ msgid ""
+ "Some options used in the domain section can also be used in the trusted "
+ "domain section, that is, in a section called <quote>[domain/"
+@@ -4382,64 +4416,194 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd.conf.5.xml:3339
++#: sssd.conf.5.xml:3362
+ msgid "ldap_search_base,"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd.conf.5.xml:3340
++#: sssd.conf.5.xml:3363
+ msgid "ldap_user_search_base,"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd.conf.5.xml:3341
++#: sssd.conf.5.xml:3364
+ msgid "ldap_group_search_base,"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd.conf.5.xml:3342
++#: sssd.conf.5.xml:3365
+ msgid "ldap_netgroup_search_base,"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd.conf.5.xml:3343
++#: sssd.conf.5.xml:3366
+ msgid "ldap_service_search_base,"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd.conf.5.xml:3344
++#: sssd.conf.5.xml:3367
++#, fuzzy
++#| msgid "ldap_sasl_mech (string)"
++msgid "ldap_sasl_mech,"
++msgstr "ldap_sasl_mech (chaîne)"
++
++#. type: Content of: <reference><refentry><refsect1><para>
++#: sssd.conf.5.xml:3368
+ msgid "ad_server,"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd.conf.5.xml:3345
++#: sssd.conf.5.xml:3369
+ msgid "ad_backup_server,"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd.conf.5.xml:3346
++#: sssd.conf.5.xml:3370
+ msgid "ad_site,"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para>
+-#: sssd.conf.5.xml:3347 sssd-ipa.5.xml:782
++#: sssd.conf.5.xml:3371 sssd-ipa.5.xml:782
+ msgid "use_fully_qualified_names"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd.conf.5.xml:3349
++#: sssd.conf.5.xml:3373
+ msgid ""
+ "For more details about these options see their individual description in the "
+ "manual page."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><title>
+-#: sssd.conf.5.xml:3355 idmap_sss.8.xml:43
++#: sssd.conf.5.xml:3379
++#, fuzzy
++#| msgid "CONFIGURATION OPTIONS"
++msgid "PROMPTING CONFIGURATION SECTION"
++msgstr "OPTIONS DE CONFIGURATION"
++
++#. type: Content of: <reference><refentry><refsect1><para>
++#: sssd.conf.5.xml:3381
++msgid ""
++"If a special file (<filename>/var/lib/sss/pubconf/pam_preauth_available</"
++"filename>)  exists SSSD's PAM module pam_sss will ask SSSD to figure out "
++"which authentication methods are available for the user trying to log in.  "
++"Based on the results pam_sss will prompt the user for appropriate "
++"credentials."
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para>
++#: sssd.conf.5.xml:3389
++msgid ""
++"With the growing number of authentication methods and the possibility that "
++"there are multiple ones for a single user the heuristic used by pam_sss to "
++"select the prompting might not be suitable for all use cases. To following "
++"options should provide a better flexibility here."
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
++#: sssd.conf.5.xml:3401
++msgid "[prompting/password]"
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
++#: sssd.conf.5.xml:3404
++#, fuzzy
++#| msgid "password"
++msgid "password_prompt"
++msgstr "password"
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
++#: sssd.conf.5.xml:3405
++msgid "to change the string of the password prompt"
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
++#: sssd.conf.5.xml:3403
++#, fuzzy
++#| msgid ""
++#| "Options valid for proxy domains.  <placeholder type=\"variablelist\" id="
++#| "\"0\"/>"
++msgid ""
++"to configure password prompting, allowed options are: <placeholder type="
++"\"variablelist\" id=\"0\"/>"
++msgstr ""
++"Options valides pour les domaines proxy. <placeholder type=\"variablelist\" "
++"id=\"0\"/>"
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
++#: sssd.conf.5.xml:3413
++msgid "[prompting/2fa]"
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
++#: sssd.conf.5.xml:3417
++msgid "first_prompt"
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
++#: sssd.conf.5.xml:3418
++msgid "to change the string of the prompt for the first factor"
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
++#: sssd.conf.5.xml:3421
++msgid "second_prompt"
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
++#: sssd.conf.5.xml:3422
++msgid "to change the string of the prompt for the second factor"
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
++#: sssd.conf.5.xml:3425
++msgid "single_prompt"
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
++#: sssd.conf.5.xml:3426
++msgid ""
++"boolean value, if True there will be only a single prompt using the value of "
++"first_prompt where it is expected that both factor are entered as a single "
++"string"
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
++#: sssd.conf.5.xml:3415
++#, fuzzy
++#| msgid ""
++#| "Options valid for proxy domains.  <placeholder type=\"variablelist\" id="
++#| "\"0\"/>"
++msgid ""
++"to configure two-factor authentication prompting, allowed options are: "
++"<placeholder type=\"variablelist\" id=\"0\"/>"
++msgstr ""
++"Options valides pour les domaines proxy. <placeholder type=\"variablelist\" "
++"id=\"0\"/>"
++
++#. type: Content of: <reference><refentry><refsect1><para>
++#: sssd.conf.5.xml:3396
++msgid ""
++"Each supported authentication method has it's own configuration sub-section "
++"under <quote>[prompting/...]</quote>. Currently there are: <placeholder type="
++"\"variablelist\" id=\"0\"/> <placeholder type=\"variablelist\" id=\"1\"/>"
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para>
++#: sssd.conf.5.xml:3438
++msgid ""
++"It is possible to add a sub-section for specific PAM services like e.g. "
++"<quote>[prompting/password/sshd]</quote> to individual change the prompting "
++"for this service."
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><title>
++#: sssd.conf.5.xml:3445 idmap_sss.8.xml:43
+ msgid "EXAMPLES"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><programlisting>
+-#: sssd.conf.5.xml:3361
++#: sssd.conf.5.xml:3451
+ #, no-wrap
+ msgid ""
+ "[sssd]\n"
+@@ -4493,7 +4657,7 @@ msgstr ""
+ "enumerate = False\n"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd.conf.5.xml:3357
++#: sssd.conf.5.xml:3447
+ msgid ""
+ "1. The following example shows a typical SSSD config. It does not describe "
+ "configuration of the domains themselves - refer to documentation on "
+@@ -4502,7 +4666,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><programlisting>
+-#: sssd.conf.5.xml:3394
++#: sssd.conf.5.xml:3484
+ #, no-wrap
+ msgid ""
+ "[domain/ipa.com/child.ad.com]\n"
+@@ -4510,7 +4674,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd.conf.5.xml:3388
++#: sssd.conf.5.xml:3478
+ msgid ""
+ "2. The following example shows configuration of IPA AD trust where the AD "
+ "forest consists of two domains in a parent-child structure.  Suppose IPA "
+@@ -5561,7 +5725,7 @@ msgstr "L'attribut LDAP correspondant au nom complet de l'utilisateur."
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:797 sssd-ldap.5.xml:1199 sssd-ldap.5.xml:1273
+-#: sssd-ldap.5.xml:1382 sssd-ldap.5.xml:2443 sssd-ipa.5.xml:607
++#: sssd-ldap.5.xml:1382 sssd-ldap.5.xml:2463 sssd-ipa.5.xml:607
+ msgid "Default: cn"
+ msgstr "Par défaut : cn"
+ 
+@@ -6328,7 +6492,7 @@ msgstr ""
+ "courte des deux valeurs entre celle-ci et la durée de vie TGT sera utilisée."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1511 sssd-ldap.5.xml:2600
++#: sssd-ldap.5.xml:1511 sssd-ldap.5.xml:2620
+ msgid "Default: 900 (15 minutes)"
+ msgstr "Par défaut : 900 (15 minutes)"
+ 
+@@ -6457,13 +6621,16 @@ msgstr ""
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:1604
+ msgid ""
+-"You can turn off dereference lookups completely by setting the value to 0."
++"You can turn off dereference lookups completely by setting the value to 0. "
++"Please note that there are some codepaths in SSSD, like the IPA HBAC "
++"provider, that are only implemented using the dereference call, so even with "
++"dereference explicitly disabled, those parts will still use dereference if "
++"the server supports it and advertises the dereference control in the rootDSE "
++"object."
+ msgstr ""
+-"Vous pouvez désactiver complètement les recherches de déréférencement  en "
+-"affectant la valeur 0."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1608
++#: sssd-ldap.5.xml:1615
+ msgid ""
+ "A dereference lookup is a means of fetching all group members in a single "
+ "LDAP call.  Different LDAP servers may implement different dereference "
+@@ -6476,7 +6643,7 @@ msgstr ""
+ "acceptés sont 389/RHDS, OpenLDAP et Active Directory."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1616
++#: sssd-ldap.5.xml:1623
+ msgid ""
+ "<emphasis>Note:</emphasis> If any of the search bases specifies a search "
+ "filter, then the dereference lookup performance enhancement will be disabled "
+@@ -6487,12 +6654,12 @@ msgstr ""
+ "déréférencement est désactivée indépendamment de ce paramètre."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1629
++#: sssd-ldap.5.xml:1636
+ msgid "ldap_tls_reqcert (string)"
+ msgstr "ldap_tls_reqcert (chaîne)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1632
++#: sssd-ldap.5.xml:1639
+ msgid ""
+ "Specifies what checks to perform on server certificates in a TLS session, if "
+ "any. It can be specified as one of the following values:"
+@@ -6501,7 +6668,7 @@ msgstr ""
+ "session TLS, si elle existe. Une des valeurs suivantes est utilisable :"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1638
++#: sssd-ldap.5.xml:1645
+ msgid ""
+ "<emphasis>never</emphasis> = The client will not request or check any server "
+ "certificate."
+@@ -6510,7 +6677,7 @@ msgstr ""
+ "quelconque certificat du serveur."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1642
++#: sssd-ldap.5.xml:1649
+ msgid ""
+ "<emphasis>allow</emphasis> = The server certificate is requested. If no "
+ "certificate is provided, the session proceeds normally. If a bad certificate "
+@@ -6521,7 +6688,7 @@ msgstr ""
+ "certificat est fourni, il est ignoré et la session continue normalement."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1649
++#: sssd-ldap.5.xml:1656
+ msgid ""
+ "<emphasis>try</emphasis> = The server certificate is requested. If no "
+ "certificate is provided, the session proceeds normally. If a bad certificate "
+@@ -6532,7 +6699,7 @@ msgstr ""
+ "certificat est fourni, la session se termine immédiatement."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1655
++#: sssd-ldap.5.xml:1662
+ msgid ""
+ "<emphasis>demand</emphasis> = The server certificate is requested. If no "
+ "certificate is provided, or a bad certificate is provided, the session is "
+@@ -6543,22 +6710,22 @@ msgstr ""
+ "immédiatement."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1661
++#: sssd-ldap.5.xml:1668
+ msgid "<emphasis>hard</emphasis> = Same as <quote>demand</quote>"
+ msgstr "<emphasis>hard</emphasis> : identique à <quote>demand</quote>"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1665
++#: sssd-ldap.5.xml:1672
+ msgid "Default: hard"
+ msgstr "Par défaut : hard"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1671
++#: sssd-ldap.5.xml:1678
+ msgid "ldap_tls_cacert (string)"
+ msgstr "ldap_tls_cacert (chaîne)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1674
++#: sssd-ldap.5.xml:1681
+ msgid ""
+ "Specifies the file that contains certificates for all of the Certificate "
+ "Authorities that <command>sssd</command> will recognize."
+@@ -6567,7 +6734,7 @@ msgstr ""
+ "certification que <command>sssd</command> reconnaîtra."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1679 sssd-ldap.5.xml:1697 sssd-ldap.5.xml:1738
++#: sssd-ldap.5.xml:1686 sssd-ldap.5.xml:1704 sssd-ldap.5.xml:1745
+ msgid ""
+ "Default: use OpenLDAP defaults, typically in <filename>/etc/openldap/ldap."
+ "conf</filename>"
+@@ -6576,12 +6743,12 @@ msgstr ""
+ "<filename>/etc/openldap/ldap.conf</filename>"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1686
++#: sssd-ldap.5.xml:1693
+ msgid "ldap_tls_cacertdir (string)"
+ msgstr "ldap_tls_cacertdir (chaîne)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1689
++#: sssd-ldap.5.xml:1696
+ msgid ""
+ "Specifies the path of a directory that contains Certificate Authority "
+ "certificates in separate individual files. Typically the file names need to "
+@@ -6595,32 +6762,32 @@ msgstr ""
+ "corrects."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1704
++#: sssd-ldap.5.xml:1711
+ msgid "ldap_tls_cert (string)"
+ msgstr "ldap_tls_cert (chaîne)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1707
++#: sssd-ldap.5.xml:1714
+ msgid "Specifies the file that contains the certificate for the client's key."
+ msgstr "Définit le fichier qui contient le certificat pour la clef du client."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1717
++#: sssd-ldap.5.xml:1724
+ msgid "ldap_tls_key (string)"
+ msgstr "ldap_tls_key (chaîne)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1720
++#: sssd-ldap.5.xml:1727
+ msgid "Specifies the file that contains the client's key."
+ msgstr "Définit le fichier qui contient la clef du client."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1729
++#: sssd-ldap.5.xml:1736
+ msgid "ldap_tls_cipher_suite (string)"
+ msgstr "ldap_tls_cipher_suite (chaîne)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1732
++#: sssd-ldap.5.xml:1739
+ msgid ""
+ "Specifies acceptable cipher suites.  Typically this is a colon separated "
+ "list.  See <citerefentry><refentrytitle>ldap.conf</refentrytitle> "
+@@ -6628,12 +6795,12 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1745
++#: sssd-ldap.5.xml:1752
+ msgid "ldap_id_use_start_tls (boolean)"
+ msgstr "ldap_id_use_start_tls (booléen)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1748
++#: sssd-ldap.5.xml:1755
+ msgid ""
+ "Specifies that the id_provider connection must also use <systemitem class="
+ "\"protocol\">tls</systemitem> to protect the channel."
+@@ -6643,12 +6810,12 @@ msgstr ""
+ "canal."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1758
++#: sssd-ldap.5.xml:1765
+ msgid "ldap_id_mapping (boolean)"
+ msgstr "ldap_id_mapping (boolean)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1761
++#: sssd-ldap.5.xml:1768
+ msgid ""
+ "Specifies that SSSD should attempt to map user and group IDs from the "
+ "ldap_user_objectsid and ldap_group_objectsid attributes instead of relying "
+@@ -6660,19 +6827,19 @@ msgstr ""
+ "ldap_group_gid_number."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1767
++#: sssd-ldap.5.xml:1774
+ msgid "Currently this feature supports only ActiveDirectory objectSID mapping."
+ msgstr ""
+ "Cette fonctionnalité ne prend actuellement en charge que la correspondance "
+ "par objectSID avec Active Directory."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1777
++#: sssd-ldap.5.xml:1784
+ msgid "ldap_min_id, ldap_max_id (integer)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1780
++#: sssd-ldap.5.xml:1787
+ msgid ""
+ "In contrast to the SID based ID mapping which is used if ldap_id_mapping is "
+ "set to true the allowed ID range for ldap_user_uid_number and "
+@@ -6692,31 +6859,46 @@ msgstr ""
+ "identifiants."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1792
++#: sssd-ldap.5.xml:1799
+ msgid "Default: not set (both options are set to 0)"
+ msgstr "Par défaut : non indiqué (les deux options sont à 0)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1798
++#: sssd-ldap.5.xml:1805
+ msgid "ldap_sasl_mech (string)"
+ msgstr "ldap_sasl_mech (chaîne)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1801
++#: sssd-ldap.5.xml:1808
++#, fuzzy
++#| msgid ""
++#| "Specify the SASL mechanism to use.  Currently only GSSAPI is tested and "
++#| "supported."
+ msgid ""
+-"Specify the SASL mechanism to use.  Currently only GSSAPI is tested and "
+-"supported."
++"Specify the SASL mechanism to use.  Currently only GSSAPI and GSS-SPNEGO are "
++"tested and supported."
+ msgstr ""
+ "Définit le mécanisme SASL à utiliser. Actuellement, seul GSSAPI est testé et "
+ "pris en charge."
+ 
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
++#: sssd-ldap.5.xml:1812
++msgid ""
++"If the backend supports sub-domains the value of ldap_sasl_mech is "
++"automatically inherited to the sub-domains. If a different value is needed "
++"for a sub-domain it can be overwritten by setting ldap_sasl_mech for this "
++"sub-domain explicitly.  Please see TRUSTED DOMAIN SECTION in "
++"<citerefentry><refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</"
++"manvolnum></citerefentry> for details."
++msgstr ""
++
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1811
++#: sssd-ldap.5.xml:1828
+ msgid "ldap_sasl_authid (string)"
+ msgstr "ldap_sasl_authid (chaîne)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
+-#: sssd-ldap.5.xml:1822
++#: sssd-ldap.5.xml:1840
+ #, no-wrap
+ msgid ""
+ "hostname@REALM\n"
+@@ -6729,29 +6911,29 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1814
++#: sssd-ldap.5.xml:1831
+ msgid ""
+-"Specify the SASL authorization id to use.  When GSSAPI is used, this "
+-"represents the Kerberos principal used for authentication to the directory.  "
+-"This option can either contain the full principal (for example host/"
+-"myhost@EXAMPLE.COM) or just the principal name (for example host/myhost). By "
+-"default, the value is not set and the following principals are used: "
+-"<placeholder type=\"programlisting\" id=\"0\"/> If none of them are found, "
+-"the first principal in keytab is returned."
++"Specify the SASL authorization id to use.  When GSSAPI/GSS-SPNEGO are used, "
++"this represents the Kerberos principal used for authentication to the "
++"directory.  This option can either contain the full principal (for example "
++"host/myhost@EXAMPLE.COM) or just the principal name (for example host/"
++"myhost).  By default, the value is not set and the following principals are "
++"used: <placeholder type=\"programlisting\" id=\"0\"/> If none of them are "
++"found, the first principal in keytab is returned."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1833
++#: sssd-ldap.5.xml:1851
+ msgid "Default: host/hostname@REALM"
+ msgstr "Par défaut : host/hostname@REALM"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1839
++#: sssd-ldap.5.xml:1857
+ msgid "ldap_sasl_realm (string)"
+ msgstr "ldap_sasl_realm (chaîne)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1842
++#: sssd-ldap.5.xml:1860
+ msgid ""
+ "Specify the SASL realm to use. When not specified, this option defaults to "
+ "the value of krb5_realm.  If the ldap_sasl_authid contains the realm as "
+@@ -6762,17 +6944,17 @@ msgstr ""
+ "domaine, cette option est ignorée."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1848
++#: sssd-ldap.5.xml:1866
+ msgid "Default: the value of krb5_realm."
+ msgstr "Par défaut : la valeur de krb5_realm."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1854
++#: sssd-ldap.5.xml:1872
+ msgid "ldap_sasl_canonicalize (boolean)"
+ msgstr "ldap_sasl_canonicalize (booléen)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1857
++#: sssd-ldap.5.xml:1875
+ msgid ""
+ "If set to true, the LDAP library would perform a reverse lookup to "
+ "canonicalize the host name during a SASL bind."
+@@ -6781,65 +6963,75 @@ msgstr ""
+ "le nom de l'hôte au cours d'une liaison SASL."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1862
++#: sssd-ldap.5.xml:1880
+ msgid "Default: false;"
+ msgstr "Défaut : false;"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1868
++#: sssd-ldap.5.xml:1886
+ msgid "ldap_krb5_keytab (string)"
+ msgstr "ldap_krb5_keytab (chaîne)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1871
+-msgid "Specify the keytab to use when using SASL/GSSAPI."
++#: sssd-ldap.5.xml:1889
++#, fuzzy
++#| msgid "Specify the keytab to use when using SASL/GSSAPI."
++msgid "Specify the keytab to use when using SASL/GSSAPI/GSS-SPNEGO."
+ msgstr "Définit le fichier keytab à utiliser pour utiliser SASL/GSSAPI."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1874
++#: sssd-ldap.5.xml:1893
+ msgid "Default: System keytab, normally <filename>/etc/krb5.keytab</filename>"
+ msgstr ""
+ "Par défaut : le fichier keytab du système, normalement <filename>/etc/krb5."
+ "keytab</filename>"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1880
++#: sssd-ldap.5.xml:1899
+ msgid "ldap_krb5_init_creds (boolean)"
+ msgstr "ldap_krb5_init_creds (booléen)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1883
++#: sssd-ldap.5.xml:1902
++#, fuzzy
++#| msgid ""
++#| "Specifies that the id_provider should init Kerberos credentials (TGT).  "
++#| "This action is performed only if SASL is used and the mechanism selected "
++#| "is GSSAPI."
+ msgid ""
+ "Specifies that the id_provider should init Kerberos credentials (TGT).  This "
+ "action is performed only if SASL is used and the mechanism selected is "
+-"GSSAPI."
++"GSSAPI or GSS-SPNEGO."
+ msgstr ""
+ "Définit le fait que le fournisseur d'identité doit initialiser les données "
+ "d'identification Kerberos (TGT). Cette action est effectuée seulement si "
+ "SASL est utilisé et que le mécanisme choisi est GSSAPI."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1895
++#: sssd-ldap.5.xml:1914
+ msgid "ldap_krb5_ticket_lifetime (integer)"
+ msgstr "ldap_krb5_ticket_lifetime (entier)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1898
+-msgid "Specifies the lifetime in seconds of the TGT if GSSAPI is used."
++#: sssd-ldap.5.xml:1917
++#, fuzzy
++#| msgid "Specifies the lifetime in seconds of the TGT if GSSAPI is used."
++msgid ""
++"Specifies the lifetime in seconds of the TGT if GSSAPI or GSS-SPNEGO is used."
+ msgstr "Définit la durée de vie, en secondes, des TGT si GSSAPI est utilisé."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1902 sssd-ad.5.xml:959
++#: sssd-ldap.5.xml:1921 sssd-ad.5.xml:978
+ msgid "Default: 86400 (24 hours)"
+ msgstr "Par défaut : 86400 (24 heures)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1908 sssd-krb5.5.xml:74
++#: sssd-ldap.5.xml:1927 sssd-krb5.5.xml:74
+ msgid "krb5_server, krb5_backup_server (string)"
+ msgstr "krb5_server, krb5_backup_server (string)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1911
++#: sssd-ldap.5.xml:1930
+ msgid ""
+ "Specifies the comma-separated list of IP addresses or hostnames of the "
+ "Kerberos servers to which SSSD should connect in the order of preference. "
+@@ -6859,7 +7051,7 @@ msgstr ""
+ "<quote>DÉCOUVERTE DE  SERVICES</quote>."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1923 sssd-krb5.5.xml:89
++#: sssd-ldap.5.xml:1942 sssd-krb5.5.xml:89
+ msgid ""
+ "When using service discovery for KDC or kpasswd servers, SSSD first searches "
+ "for DNS entries that specify _udp as the protocol and falls back to _tcp if "
+@@ -6870,7 +7062,7 @@ msgstr ""
+ "comme protocole, et passe sur _tcp si aucune entrée n'est trouvée."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1928 sssd-krb5.5.xml:94
++#: sssd-ldap.5.xml:1947 sssd-krb5.5.xml:94
+ msgid ""
+ "This option was named <quote>krb5_kdcip</quote> in earlier releases of SSSD. "
+ "While the legacy name is recognized for the time being, users are advised to "
+@@ -6882,29 +7074,31 @@ msgstr ""
+ "l'utilisation de <quote>krb5_server</quote>."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1937 sssd-ipa.5.xml:428 sssd-krb5.5.xml:103
++#: sssd-ldap.5.xml:1956 sssd-ipa.5.xml:428 sssd-krb5.5.xml:103
+ msgid "krb5_realm (string)"
+ msgstr "krb5_realm (chaîne)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1940
+-msgid "Specify the Kerberos REALM (for SASL/GSSAPI auth)."
++#: sssd-ldap.5.xml:1959
++#, fuzzy
++#| msgid "Specify the Kerberos REALM (for SASL/GSSAPI auth)."
++msgid "Specify the Kerberos REALM (for SASL/GSSAPI/GSS-SPNEGO auth)."
+ msgstr "Définit le DOMAINE de Kerberos (pour l'authentification SASL/GSSAPI)."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1943
++#: sssd-ldap.5.xml:1963
+ msgid "Default: System defaults, see <filename>/etc/krb5.conf</filename>"
+ msgstr ""
+ "Par défaut : valeur par défaut du système, voir <filename>/etc/krb5.conf</"
+ "filename>"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1949 sssd-krb5.5.xml:462
++#: sssd-ldap.5.xml:1969 sssd-krb5.5.xml:462
+ msgid "krb5_canonicalize (boolean)"
+ msgstr "krb5_canonicalize (booléen)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1952
++#: sssd-ldap.5.xml:1972
+ msgid ""
+ "Specifies if the host principal should be canonicalized when connecting to "
+ "LDAP server. This feature is available with MIT Kerberos >= 1.7"
+@@ -6914,12 +7108,12 @@ msgstr ""
+ "Kerberos > = 1.7"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1964 sssd-krb5.5.xml:477
++#: sssd-ldap.5.xml:1984 sssd-krb5.5.xml:477
+ msgid "krb5_use_kdcinfo (boolean)"
+ msgstr "krb5_use_kdcinfo (booléen)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1967 sssd-krb5.5.xml:480
++#: sssd-ldap.5.xml:1987 sssd-krb5.5.xml:480
+ msgid ""
+ "Specifies if the SSSD should instruct the Kerberos libraries what realm and "
+ "which KDCs to use. This option is on by default, if you disable it, you need "
+@@ -6934,7 +7128,7 @@ msgstr ""
+ "<manvolnum>5</manvolnum> </citerefentry>."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1978 sssd-krb5.5.xml:491
++#: sssd-ldap.5.xml:1998 sssd-krb5.5.xml:491
+ msgid ""
+ "See the <citerefentry> <refentrytitle>sssd_krb5_locator_plugin</"
+ "refentrytitle> <manvolnum>8</manvolnum> </citerefentry> manual page for more "
+@@ -6946,12 +7140,12 @@ msgstr ""
+ "localisation."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1992
++#: sssd-ldap.5.xml:2012
+ msgid "ldap_pwd_policy (string)"
+ msgstr "ldap_pwd_policy (chaîne)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1995
++#: sssd-ldap.5.xml:2015
+ msgid ""
+ "Select the policy to evaluate the password expiration on the client side. "
+ "The following values are allowed:"
+@@ -6960,7 +7154,7 @@ msgstr ""
+ "valeurs suivantes sont acceptées :"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2000
++#: sssd-ldap.5.xml:2020
+ msgid ""
+ "<emphasis>none</emphasis> - No evaluation on the client side. This option "
+ "cannot disable server-side password policies."
+@@ -6969,7 +7163,7 @@ msgstr ""
+ "peut pas désactiver la politique sur les mots de passe du côté serveur."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2005
++#: sssd-ldap.5.xml:2025
+ msgid ""
+ "<emphasis>shadow</emphasis> - Use <citerefentry><refentrytitle>shadow</"
+ "refentrytitle> <manvolnum>5</manvolnum></citerefentry> style attributes to "
+@@ -6980,7 +7174,7 @@ msgstr ""
+ "manvolnum></citerefentry> pour évaluer si le mot de passe a expiré."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2011
++#: sssd-ldap.5.xml:2031
+ msgid ""
+ "<emphasis>mit_kerberos</emphasis> - Use the attributes used by MIT Kerberos "
+ "to determine if the password has expired. Use chpass_provider=krb5 to update "
+@@ -6992,7 +7186,7 @@ msgstr ""
+ "est changé."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2020
++#: sssd-ldap.5.xml:2040
+ msgid ""
+ "<emphasis>Note</emphasis>: if a password policy is configured on server "
+ "side, it always takes precedence over policy set with this option."
+@@ -7001,17 +7195,17 @@ msgstr ""
+ "côté serveur, elle prend le pas sur la politique indiquée avec cette option."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2028
++#: sssd-ldap.5.xml:2048
+ msgid "ldap_referrals (boolean)"
+ msgstr "ldap_referrals (booléen)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2031
++#: sssd-ldap.5.xml:2051
+ msgid "Specifies whether automatic referral chasing should be enabled."
+ msgstr "Définit si le déréférencement automatique doit être activé."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2035
++#: sssd-ldap.5.xml:2055
+ msgid ""
+ "Please note that sssd only supports referral chasing when it is compiled "
+ "with OpenLDAP version 2.4.13 or higher."
+@@ -7020,7 +7214,7 @@ msgstr ""
+ "compilé avec OpenLDAP version 2.4.13 ou supérieur."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2040
++#: sssd-ldap.5.xml:2060
+ msgid ""
+ "Chasing referrals may incur a performance penalty in environments that use "
+ "them heavily, a notable example is Microsoft Active Directory. If your setup "
+@@ -7034,29 +7228,29 @@ msgstr ""
+ "permettre d'améliorer de façon notable les performances."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2054
++#: sssd-ldap.5.xml:2074
+ msgid "ldap_dns_service_name (string)"
+ msgstr "ldap_dns_service_name (chaîne)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2057
++#: sssd-ldap.5.xml:2077
+ msgid "Specifies the service name to use when service discovery is enabled."
+ msgstr ""
+ "Définit le nom de service à utiliser quand la découverte de services est "
+ "activée."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2061
++#: sssd-ldap.5.xml:2081
+ msgid "Default: ldap"
+ msgstr "Par défaut : ldap"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2067
++#: sssd-ldap.5.xml:2087
+ msgid "ldap_chpass_dns_service_name (string)"
+ msgstr "ldap_chpass_dns_service_name (chaîne)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2070
++#: sssd-ldap.5.xml:2090
+ msgid ""
+ "Specifies the service name to use to find an LDAP server which allows "
+ "password changes when service discovery is enabled."
+@@ -7065,19 +7259,19 @@ msgstr ""
+ "un changement de mot de passe quand la découverte de services est activée."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2075
++#: sssd-ldap.5.xml:2095
+ msgid "Default: not set, i.e. service discovery is disabled"
+ msgstr ""
+ "Par défaut : non défini, c'est-à-dire que le service de découverte est "
+ "désactivé."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2081
++#: sssd-ldap.5.xml:2101
+ msgid "ldap_chpass_update_last_change (bool)"
+ msgstr "ldap_chpass_update_last_change (bool)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2084
++#: sssd-ldap.5.xml:2104
+ msgid ""
+ "Specifies whether to update the ldap_user_shadow_last_change attribute with "
+ "days since the Epoch after a password change operation."
+@@ -7087,12 +7281,12 @@ msgstr ""
+ "de passe."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2096
++#: sssd-ldap.5.xml:2116
+ msgid "ldap_access_filter (string)"
+ msgstr "ldap_access_filter (chaîne)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2099
++#: sssd-ldap.5.xml:2119
+ msgid ""
+ "If using access_provider = ldap and ldap_access_order = filter (default), "
+ "this option is mandatory. It specifies an LDAP search filter criteria that "
+@@ -7108,12 +7302,12 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2119
++#: sssd-ldap.5.xml:2139
+ msgid "Example:"
+ msgstr "Exemple :"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><programlisting>
+-#: sssd-ldap.5.xml:2122
++#: sssd-ldap.5.xml:2142
+ #, no-wrap
+ msgid ""
+ "access_provider = ldap\n"
+@@ -7125,7 +7319,7 @@ msgstr ""
+ "                        "
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2126
++#: sssd-ldap.5.xml:2146
+ msgid ""
+ "This example means that access to this host is restricted to users whose "
+ "employeeType attribute is set to \"admin\"."
+@@ -7134,7 +7328,7 @@ msgstr ""
+ "dont l'attribut employeeType est « admin »."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2131
++#: sssd-ldap.5.xml:2151
+ msgid ""
+ "Offline caching for this feature is limited to determining whether the "
+ "user's last online login was granted access permission. If they were granted "
+@@ -7143,17 +7337,17 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2139 sssd-ldap.5.xml:2196
++#: sssd-ldap.5.xml:2159 sssd-ldap.5.xml:2216
+ msgid "Default: Empty"
+ msgstr "Par défaut : vide"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2145
++#: sssd-ldap.5.xml:2165
+ msgid "ldap_account_expire_policy (string)"
+ msgstr "ldap_account_expire_policy (chaîne)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2148
++#: sssd-ldap.5.xml:2168
+ msgid ""
+ "With this option a client side evaluation of access control attributes can "
+ "be enabled."
+@@ -7162,7 +7356,7 @@ msgstr ""
+ "être activée."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2152
++#: sssd-ldap.5.xml:2172
+ msgid ""
+ "Please note that it is always recommended to use server side access control, "
+ "i.e. the LDAP server should deny the bind request with a suitable error code "
+@@ -7174,12 +7368,12 @@ msgstr ""
+ "correct."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2159
++#: sssd-ldap.5.xml:2179
+ msgid "The following values are allowed:"
+ msgstr "Les valeurs suivantes sont autorisées :"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2162
++#: sssd-ldap.5.xml:2182
+ msgid ""
+ "<emphasis>shadow</emphasis>: use the value of ldap_user_shadow_expire to "
+ "determine if the account is expired."
+@@ -7188,7 +7382,7 @@ msgstr ""
+ "pour déterminer si le compte a expiré."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2167
++#: sssd-ldap.5.xml:2187
+ msgid ""
+ "<emphasis>ad</emphasis>: use the value of the 32bit field "
+ "ldap_user_ad_user_account_control and allow access if the second bit is not "
+@@ -7201,7 +7395,7 @@ msgstr ""
+ "d'expiration du compte est aussi vérifiée."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2174
++#: sssd-ldap.5.xml:2194
+ msgid ""
+ "<emphasis>rhds</emphasis>, <emphasis>ipa</emphasis>, <emphasis>389ds</"
+ "emphasis>: use the value of ldap_ns_account_lock to check if access is "
+@@ -7212,7 +7406,7 @@ msgstr ""
+ "l'accès est autorisé ou non."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2180
++#: sssd-ldap.5.xml:2200
+ msgid ""
+ "<emphasis>nds</emphasis>: the values of "
+ "ldap_user_nds_login_allowed_time_map, ldap_user_nds_login_disabled and "
+@@ -7225,7 +7419,7 @@ msgstr ""
+ "est autorisé. Si les deux attributs sont manquants, l'accès est autorisé."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2189
++#: sssd-ldap.5.xml:2209
+ msgid ""
+ "Please note that the ldap_access_order configuration option <emphasis>must</"
+ "emphasis> include <quote>expire</quote> in order for the "
+@@ -7236,24 +7430,24 @@ msgstr ""
+ "ldap_account_expire_policy de fonctionner."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2202
++#: sssd-ldap.5.xml:2222
+ msgid "ldap_access_order (string)"
+ msgstr "ldap_access_order (chaîne)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2205
++#: sssd-ldap.5.xml:2225
+ msgid "Comma separated list of access control options.  Allowed values are:"
+ msgstr ""
+ "Liste séparées par des virgules des options de contrôles d'accès. Les "
+ "valeurs autorisées sont :"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2209
++#: sssd-ldap.5.xml:2229
+ msgid "<emphasis>filter</emphasis>: use ldap_access_filter"
+ msgstr "<emphasis>filter</emphasis> : utiliser ldap_access_filter"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2212
++#: sssd-ldap.5.xml:2232
+ msgid ""
+ "<emphasis>lockout</emphasis>: use account locking.  If set, this option "
+ "denies access in case that ldap attribute 'pwdAccountLockedTime' is present "
+@@ -7263,14 +7457,14 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2222
++#: sssd-ldap.5.xml:2242
+ msgid ""
+ "<emphasis> Please note that this option is superseded by the <quote>ppolicy</"
+ "quote> option and might be removed in a future release.  </emphasis>"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2229
++#: sssd-ldap.5.xml:2249
+ msgid ""
+ "<emphasis>ppolicy</emphasis>: use account locking.  If set, this option "
+ "denies access in case that ldap attribute 'pwdAccountLockedTime' is present "
+@@ -7283,12 +7477,12 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2246
++#: sssd-ldap.5.xml:2266
+ msgid "<emphasis>expire</emphasis>: use ldap_account_expire_policy"
+ msgstr "<emphasis>expire</emphasis>: utiliser ldap_account_expire_policy"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2250
++#: sssd-ldap.5.xml:2270
+ msgid ""
+ "<emphasis>pwd_expire_policy_reject, pwd_expire_policy_warn, "
+ "pwd_expire_policy_renew: </emphasis> These options are useful if users are "
+@@ -7298,7 +7492,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2260
++#: sssd-ldap.5.xml:2280
+ msgid ""
+ "The difference between these options is the action taken if user password is "
+ "expired: pwd_expire_policy_reject - user is denied to log in, "
+@@ -7308,20 +7502,20 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2268
++#: sssd-ldap.5.xml:2288
+ msgid ""
+ "Note If user password is expired no explicit message is prompted by SSSD."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2272
++#: sssd-ldap.5.xml:2292
+ msgid ""
+ "Please note that 'access_provider = ldap' must be set for this feature to "
+ "work. Also 'ldap_pwd_policy' must be set to an appropriate password policy."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2277
++#: sssd-ldap.5.xml:2297
+ msgid ""
+ "<emphasis>authorized_service</emphasis>: use the authorizedService attribute "
+ "to determine access"
+@@ -7330,32 +7524,32 @@ msgstr ""
+ "authorizedService pour déterminer l'accès"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2282
++#: sssd-ldap.5.xml:2302
+ msgid "<emphasis>host</emphasis>: use the host attribute to determine access"
+ msgstr ""
+ "<emphasis>host</emphasis> : utilise l'attribut host pour déterminer l'accès"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2286
++#: sssd-ldap.5.xml:2306
+ msgid ""
+ "<emphasis>rhost</emphasis>: use the rhost attribute to determine whether "
+ "remote host can access"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2290
++#: sssd-ldap.5.xml:2310
+ msgid ""
+ "Please note, rhost field in pam is set by application, it is better to check "
+ "what the application sends to pam, before enabling this access control option"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2295
++#: sssd-ldap.5.xml:2315
+ msgid "Default: filter"
+ msgstr "Par défaut : filter"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2298
++#: sssd-ldap.5.xml:2318
+ msgid ""
+ "Please note that it is a configuration error if a value is used more than "
+ "once."
+@@ -7364,12 +7558,12 @@ msgstr ""
+ "de configuration."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2305
++#: sssd-ldap.5.xml:2325
+ msgid "ldap_pwdlockout_dn (string)"
+ msgstr "ldap_pwdlockout_dn (chaîne)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2308
++#: sssd-ldap.5.xml:2328
+ msgid ""
+ "This option specifies the DN of password policy entry on LDAP server. Please "
+ "note that absence of this option in sssd.conf in case of enabled account "
+@@ -7378,22 +7572,22 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2316
++#: sssd-ldap.5.xml:2336
+ msgid "Example: cn=ppolicy,ou=policies,dc=example,dc=com"
+ msgstr "Exemple : cn=ppolicy,ou=policies,dc=example,dc=com"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2319
++#: sssd-ldap.5.xml:2339
+ msgid "Default: cn=ppolicy,ou=policies,$ldap_search_base"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2325
++#: sssd-ldap.5.xml:2345
+ msgid "ldap_deref (string)"
+ msgstr "ldap_deref (chaînes)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2328
++#: sssd-ldap.5.xml:2348
+ msgid ""
+ "Specifies how alias dereferencing is done when performing a search. The "
+ "following options are allowed:"
+@@ -7402,12 +7596,12 @@ msgstr ""
+ "recherche. Les options suivantes sont autorisées :"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2333
++#: sssd-ldap.5.xml:2353
+ msgid "<emphasis>never</emphasis>: Aliases are never dereferenced."
+ msgstr "<emphasis>never</emphasis> : les alias ne sont jamais déréférencés."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2337
++#: sssd-ldap.5.xml:2357
+ msgid ""
+ "<emphasis>searching</emphasis>: Aliases are dereferenced in subordinates of "
+ "the base object, but not in locating the base object of the search."
+@@ -7417,7 +7611,7 @@ msgstr ""
+ "recherche."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2342
++#: sssd-ldap.5.xml:2362
+ msgid ""
+ "<emphasis>finding</emphasis>: Aliases are only dereferenced when locating "
+ "the base object of the search."
+@@ -7426,7 +7620,7 @@ msgstr ""
+ "la localisation de l'objet de base de la recherche."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2347
++#: sssd-ldap.5.xml:2367
+ msgid ""
+ "<emphasis>always</emphasis>: Aliases are dereferenced both in searching and "
+ "in locating the base object of the search."
+@@ -7435,7 +7629,7 @@ msgstr ""
+ "recherche et et la localisation de l'objet de base de la recherche."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2352
++#: sssd-ldap.5.xml:2372
+ msgid ""
+ "Default: Empty (this is handled as <emphasis>never</emphasis> by the LDAP "
+ "client libraries)"
+@@ -7444,12 +7638,12 @@ msgstr ""
+ "bibliothèques clientes LDAP)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2360
++#: sssd-ldap.5.xml:2380
+ msgid "ldap_rfc2307_fallback_to_local_users (boolean)"
+ msgstr "ldap_rfc2307_fallback_to_local_users (booléen)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2363
++#: sssd-ldap.5.xml:2383
+ msgid ""
+ "Allows to retain local users as members of an LDAP group for servers that "
+ "use the RFC2307 schema."
+@@ -7458,7 +7652,7 @@ msgstr ""
+ "LDAP pour les serveurs qui utilisent le schéma RFC2307."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2367
++#: sssd-ldap.5.xml:2387
+ msgid ""
+ "In some environments where the RFC2307 schema is used, local users are made "
+ "members of LDAP groups by adding their names to the memberUid attribute.  "
+@@ -7476,7 +7670,7 @@ msgstr ""
+ "initgoups()."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2378
++#: sssd-ldap.5.xml:2398
+ msgid ""
+ "This option falls back to checking if local users are referenced, and caches "
+ "them so that later initgroups() calls will augment the local users with the "
+@@ -7487,24 +7681,24 @@ msgstr ""
+ "ajoutent les utilisateurs locaux aux groupes LDAP."
+ 
+ #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2390 sssd-ifp.5.xml:136
++#: sssd-ldap.5.xml:2410 sssd-ifp.5.xml:136
+ msgid "wildcard_limit (integer)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2393
++#: sssd-ldap.5.xml:2413
+ msgid ""
+ "Specifies an upper limit on the number of entries that are downloaded during "
+ "a wildcard lookup."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2397
++#: sssd-ldap.5.xml:2417
+ msgid "At the moment, only the InfoPipe responder supports wildcard lookups."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2401
++#: sssd-ldap.5.xml:2421
+ msgid "Default: 1000 (often the size of one page)"
+ msgstr ""
+ 
+@@ -7524,12 +7718,12 @@ msgstr ""
+ "détails. <placeholder type=\"variablelist\" id=\"0\"/>"
+ 
+ #. type: Content of: <reference><refentry><refsect1><title>
+-#: sssd-ldap.5.xml:2411
++#: sssd-ldap.5.xml:2431
+ msgid "SUDO OPTIONS"
+ msgstr "OPTIONS DE SUDO"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd-ldap.5.xml:2413
++#: sssd-ldap.5.xml:2433
+ msgid ""
+ "The detailed instructions for configuration of sudo_provider are in the "
+ "manual page <citerefentry> <refentrytitle>sssd-sudo</refentrytitle> "
+@@ -7537,52 +7731,52 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2424
++#: sssd-ldap.5.xml:2444
+ msgid "ldap_sudorule_object_class (string)"
+ msgstr "ldap_sudorule_object_class (string)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2427
++#: sssd-ldap.5.xml:2447
+ msgid "The object class of a sudo rule entry in LDAP."
+ msgstr "La classe d'objet d'une entrée de règle de sudo dans LDAP."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2430
++#: sssd-ldap.5.xml:2450
+ msgid "Default: sudoRole"
+ msgstr "Par défaut : sudoRole"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2436
++#: sssd-ldap.5.xml:2456
+ msgid "ldap_sudorule_name (string)"
+ msgstr "ldap_sudorule_name (string)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2439
++#: sssd-ldap.5.xml:2459
+ msgid "The LDAP attribute that corresponds to the sudo rule name."
+ msgstr "L'attribut LDAP qui correspond au nom de la règle de sudo."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2449
++#: sssd-ldap.5.xml:2469
+ msgid "ldap_sudorule_command (string)"
+ msgstr "ldap_sudorule_command (string)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2452
++#: sssd-ldap.5.xml:2472
+ msgid "The LDAP attribute that corresponds to the command name."
+ msgstr "L'attribut LDAP qui correspond au nom de la commande."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2456
++#: sssd-ldap.5.xml:2476
+ msgid "Default: sudoCommand"
+ msgstr "Par défaut : sudoCommand"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2462
++#: sssd-ldap.5.xml:2482
+ msgid "ldap_sudorule_host (string)"
+ msgstr "ldap_sudorule_host (string)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2465
++#: sssd-ldap.5.xml:2485
+ msgid ""
+ "The LDAP attribute that corresponds to the host name (or host IP address, "
+ "host IP network, or host netgroup)"
+@@ -7591,17 +7785,17 @@ msgstr ""
+ "réseau IP de l'hôte ou netgroup de l'hôte)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2470
++#: sssd-ldap.5.xml:2490
+ msgid "Default: sudoHost"
+ msgstr "Par défaut : sudoHost"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2476
++#: sssd-ldap.5.xml:2496
+ msgid "ldap_sudorule_user (string)"
+ msgstr "ldap_sudorule_user (string)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2479
++#: sssd-ldap.5.xml:2499
+ msgid ""
+ "The LDAP attribute that corresponds to the user name (or UID, group name or "
+ "user's netgroup)"
+@@ -7610,32 +7804,32 @@ msgstr ""
+ "groupe ou netgroup de l'utilisateur)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2483
++#: sssd-ldap.5.xml:2503
+ msgid "Default: sudoUser"
+ msgstr "Par défaut : sudoUser"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2489
++#: sssd-ldap.5.xml:2509
+ msgid "ldap_sudorule_option (string)"
+ msgstr "ldap_sudorule_option (string)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2492
++#: sssd-ldap.5.xml:2512
+ msgid "The LDAP attribute that corresponds to the sudo options."
+ msgstr "L'attribut LDAP qui correspond aux options sudo."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2496
++#: sssd-ldap.5.xml:2516
+ msgid "Default: sudoOption"
+ msgstr "Par défaut : sudoOption"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2502
++#: sssd-ldap.5.xml:2522
+ msgid "ldap_sudorule_runasuser (string)"
+ msgstr "ldap_sudorule_runasuser (string)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2505
++#: sssd-ldap.5.xml:2525
+ msgid ""
+ "The LDAP attribute that corresponds to the user name that commands may be "
+ "run as."
+@@ -7644,17 +7838,17 @@ msgstr ""
+ "nom d'utilisateur."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2509
++#: sssd-ldap.5.xml:2529
+ msgid "Default: sudoRunAsUser"
+ msgstr "Par défaut : sudoRunAsUser"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2515
++#: sssd-ldap.5.xml:2535
+ msgid "ldap_sudorule_runasgroup (string)"
+ msgstr "ldap_sudorule_runasgroup (string)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2518
++#: sssd-ldap.5.xml:2538
+ msgid ""
+ "The LDAP attribute that corresponds to the group name or group GID that "
+ "commands may be run as."
+@@ -7663,17 +7857,17 @@ msgstr ""
+ "les commandes seront être exécutées."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2522
++#: sssd-ldap.5.xml:2542
+ msgid "Default: sudoRunAsGroup"
+ msgstr "Par défaut : sudoRunAsGroup"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2528
++#: sssd-ldap.5.xml:2548
+ msgid "ldap_sudorule_notbefore (string)"
+ msgstr "ldap_sudorule_notbefore (string)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2531
++#: sssd-ldap.5.xml:2551
+ msgid ""
+ "The LDAP attribute that corresponds to the start date/time for when the sudo "
+ "rule is valid."
+@@ -7682,17 +7876,17 @@ msgstr ""
+ "règle sudo est valide."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2535
++#: sssd-ldap.5.xml:2555
+ msgid "Default: sudoNotBefore"
+ msgstr "Par défaut : sudoNotBefore"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2541
++#: sssd-ldap.5.xml:2561
+ msgid "ldap_sudorule_notafter (string)"
+ msgstr "ldap_sudorule_notafter (string)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2544
++#: sssd-ldap.5.xml:2564
+ msgid ""
+ "The LDAP attribute that corresponds to the expiration date/time, after which "
+ "the sudo rule will no longer be valid."
+@@ -7701,32 +7895,32 @@ msgstr ""
+ "règle sudo ne sera plus valide."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2549
++#: sssd-ldap.5.xml:2569
+ msgid "Default: sudoNotAfter"
+ msgstr "Par défaut : sudoNotAfter"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2555
++#: sssd-ldap.5.xml:2575
+ msgid "ldap_sudorule_order (string)"
+ msgstr "ldap_sudorule_order (string)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2558
++#: sssd-ldap.5.xml:2578
+ msgid "The LDAP attribute that corresponds to the ordering index of the rule."
+ msgstr "L'attribut LDAP qui correspond à l'index de tri de la règle."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2562
++#: sssd-ldap.5.xml:2582
+ msgid "Default: sudoOrder"
+ msgstr "Par défaut : sudoOrder"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2568
++#: sssd-ldap.5.xml:2588
+ msgid "ldap_sudo_full_refresh_interval (integer)"
+ msgstr "ldap_sudo_full_refresh_interval (integer)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2571
++#: sssd-ldap.5.xml:2591
+ msgid ""
+ "How many seconds SSSD will wait between executing a full refresh of sudo "
+ "rules (which downloads all rules that are stored on the server)."
+@@ -7736,7 +7930,7 @@ msgstr ""
+ "règles qui sont stockées sur le serveur)."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2576
++#: sssd-ldap.5.xml:2596
+ msgid ""
+ "The value must be greater than <emphasis>ldap_sudo_smart_refresh_interval </"
+ "emphasis>"
+@@ -7745,17 +7939,17 @@ msgstr ""
+ "emphasis>"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2581
++#: sssd-ldap.5.xml:2601
+ msgid "Default: 21600 (6 hours)"
+ msgstr "Par défaut : 21600 (6 heures)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2587
++#: sssd-ldap.5.xml:2607
+ msgid "ldap_sudo_smart_refresh_interval (integer)"
+ msgstr "ldap_sudo_smart_refresh_interval (integer)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2590
++#: sssd-ldap.5.xml:2610
+ msgid ""
+ "How many seconds SSSD has to wait before executing a smart refresh of sudo "
+ "rules (which downloads all rules that have USN higher than the highest USN "
+@@ -7767,7 +7961,7 @@ msgstr ""
+ "cache)."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2596
++#: sssd-ldap.5.xml:2616
+ msgid ""
+ "If USN attributes are not supported by the server, the modifyTimestamp "
+ "attribute is used instead."
+@@ -7776,12 +7970,12 @@ msgstr ""
+ "modifyTimestamp est utilisé à la place."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2606
++#: sssd-ldap.5.xml:2626
+ msgid "ldap_sudo_use_host_filter (boolean)"
+ msgstr "ldap_sudo_use_host_filter (boolean)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2609
++#: sssd-ldap.5.xml:2629
+ msgid ""
+ "If true, SSSD will download only rules that are applicable to this machine "
+ "(using the IPv4 or IPv6 host/network addresses and hostnames)."
+@@ -7791,12 +7985,12 @@ msgstr ""
+ "noms de systèmes)."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2620
++#: sssd-ldap.5.xml:2640
+ msgid "ldap_sudo_hostnames (string)"
+ msgstr "ldap_sudo_hostnames (string)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2623
++#: sssd-ldap.5.xml:2643
+ msgid ""
+ "Space separated list of hostnames or fully qualified domain names that "
+ "should be used to filter the rules."
+@@ -7805,7 +7999,7 @@ msgstr ""
+ "doivent être utilisés pour filtrer les règles."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2628
++#: sssd-ldap.5.xml:2648
+ msgid ""
+ "If this option is empty, SSSD will try to discover the hostname and the "
+ "fully qualified domain name automatically."
+@@ -7814,8 +8008,8 @@ msgstr ""
+ "nom de système et le nom de domaine pleinement qualifié."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2633 sssd-ldap.5.xml:2656 sssd-ldap.5.xml:2674
+-#: sssd-ldap.5.xml:2692
++#: sssd-ldap.5.xml:2653 sssd-ldap.5.xml:2676 sssd-ldap.5.xml:2694
++#: sssd-ldap.5.xml:2712
+ msgid ""
+ "If <emphasis>ldap_sudo_use_host_filter</emphasis> is <emphasis>false</"
+ "emphasis> then this option has no effect."
+@@ -7824,17 +8018,17 @@ msgstr ""
+ "emphasis>, alors cette option n'a aucun effet."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2638 sssd-ldap.5.xml:2661
++#: sssd-ldap.5.xml:2658 sssd-ldap.5.xml:2681
+ msgid "Default: not specified"
+ msgstr "Par défaut : non spécifié"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2644
++#: sssd-ldap.5.xml:2664
+ msgid "ldap_sudo_ip (string)"
+ msgstr "ldap_sudo_ip (string)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2647
++#: sssd-ldap.5.xml:2667
+ msgid ""
+ "Space separated list of IPv4 or IPv6 host/network addresses that should be "
+ "used to filter the rules."
+@@ -7843,7 +8037,7 @@ msgstr ""
+ "IPv6 qui doivent être utilisés pour filtrer les règles."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2652
++#: sssd-ldap.5.xml:2672
+ msgid ""
+ "If this option is empty, SSSD will try to discover the addresses "
+ "automatically."
+@@ -7852,12 +8046,12 @@ msgstr ""
+ "automatiquement."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2667
++#: sssd-ldap.5.xml:2687
+ msgid "ldap_sudo_include_netgroups (boolean)"
+ msgstr "ldap_sudo_include_netgroups (boolean)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2670
++#: sssd-ldap.5.xml:2690
+ msgid ""
+ "If true then SSSD will download every rule that contains a netgroup in "
+ "sudoHost attribute."
+@@ -7866,12 +8060,12 @@ msgstr ""
+ "netgroup dans l'attribut sudoHost."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2685
++#: sssd-ldap.5.xml:2705
+ msgid "ldap_sudo_include_regexp (boolean)"
+ msgstr "ldap_sudo_include_regexp (boolean)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2688
++#: sssd-ldap.5.xml:2708
+ msgid ""
+ "If true then SSSD will download every rule that contains a wildcard in "
+ "sudoHost attribute."
+@@ -7880,7 +8074,7 @@ msgstr ""
+ "un joker dans l'attribut sudoHost."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd-ldap.5.xml:2704
++#: sssd-ldap.5.xml:2724
+ msgid ""
+ "This manual page only describes attribute name mapping.  For detailed "
+ "explanation of sudo related attribute semantics, see <citerefentry> "
+@@ -7893,88 +8087,88 @@ msgstr ""
+ "manvolnum></citerefentry>"
+ 
+ #. type: Content of: <reference><refentry><refsect1><title>
+-#: sssd-ldap.5.xml:2714
++#: sssd-ldap.5.xml:2734
+ msgid "AUTOFS OPTIONS"
+ msgstr "OPTIONS AUTOFS"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd-ldap.5.xml:2716
++#: sssd-ldap.5.xml:2736
+ msgid ""
+ "Some of the defaults for the parameters below are dependent on the LDAP "
+ "schema."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2722
++#: sssd-ldap.5.xml:2742
+ msgid "ldap_autofs_map_master_name (string)"
+ msgstr "ldap_autofs_map_master_name (chaîne)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2725
++#: sssd-ldap.5.xml:2745
+ msgid "The name of the automount master map in LDAP."
+ msgstr "Le nom de la table de montage automatique maîtresse dans LDAP."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2728
++#: sssd-ldap.5.xml:2748
+ msgid "Default: auto.master"
+ msgstr "Par défaut : auto.master"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2735
++#: sssd-ldap.5.xml:2755
+ msgid "ldap_autofs_map_object_class (string)"
+ msgstr "ldap_autofs_map_object_class (string)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2738
++#: sssd-ldap.5.xml:2758
+ msgid "The object class of an automount map entry in LDAP."
+ msgstr ""
+ "La classe d'objet d'une entrée de table de montage automatique dans LDAP."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2741
++#: sssd-ldap.5.xml:2761
+ msgid "Default: nisMap (rfc2307, autofs_provider=ad), otherwise automountMap"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2749
++#: sssd-ldap.5.xml:2769
+ msgid "ldap_autofs_map_name (string)"
+ msgstr "ldap_autofs_map_name (string)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2752
++#: sssd-ldap.5.xml:2772
+ msgid "The name of an automount map entry in LDAP."
+ msgstr "Le nom d'une entrée de table de montage automatique dans LDAP."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2755
++#: sssd-ldap.5.xml:2775
+ msgid ""
+ "Default: nisMapName (rfc2307, autofs_provider=ad), otherwise automountMapName"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2763
++#: sssd-ldap.5.xml:2783
+ msgid "ldap_autofs_entry_object_class (string)"
+ msgstr "ldap_autofs_entry_object_class (string)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2766
++#: sssd-ldap.5.xml:2786
+ msgid ""
+ "The object class of an automount entry in LDAP. The entry usually "
+ "corresponds to a mount point."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2771
++#: sssd-ldap.5.xml:2791
+ msgid "Default: nisObject (rfc2307, autofs_provider=ad), otherwise automount"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2779
++#: sssd-ldap.5.xml:2799
+ msgid "ldap_autofs_entry_key (string)"
+ msgstr "ldap_autofs_entry_key (string)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2782 sssd-ldap.5.xml:2797
++#: sssd-ldap.5.xml:2802 sssd-ldap.5.xml:2817
+ msgid ""
+ "The key of an automount entry in LDAP. The entry usually corresponds to a "
+ "mount point."
+@@ -7983,24 +8177,24 @@ msgstr ""
+ "généralement à un point de montage."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2786
++#: sssd-ldap.5.xml:2806
+ msgid "Default: cn (rfc2307, autofs_provider=ad), otherwise automountKey"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2794
++#: sssd-ldap.5.xml:2814
+ msgid "ldap_autofs_entry_value (string)"
+ msgstr "ldap_autofs_entry_value (string)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2801
++#: sssd-ldap.5.xml:2821
+ msgid ""
+ "Default: nisMapEntry (rfc2307, autofs_provider=ad), otherwise "
+ "automountInformation"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd-ldap.5.xml:2720
++#: sssd-ldap.5.xml:2740
+ msgid ""
+ "<placeholder type=\"variablelist\" id=\"0\"/> <placeholder type="
+ "\"variablelist\" id=\"1\"/> <placeholder type=\"variablelist\" id=\"2\"/> "
+@@ -8013,32 +8207,32 @@ msgstr ""
+ "\"variablelist\" id=\"4\"/> <placeholder type=\"variablelist\" id=\"5\"/>"
+ 
+ #. type: Content of: <reference><refentry><refsect1><title>
+-#: sssd-ldap.5.xml:2812
++#: sssd-ldap.5.xml:2832
+ msgid "ADVANCED OPTIONS"
+ msgstr "OPTIONS AVANCÉES"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2819
++#: sssd-ldap.5.xml:2839
+ msgid "ldap_netgroup_search_base (string)"
+ msgstr "ldap_netgroup_search_base (chaînes)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2824
++#: sssd-ldap.5.xml:2844
+ msgid "ldap_user_search_base (string)"
+ msgstr "ldap_user_search_base (chaînes)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2829
++#: sssd-ldap.5.xml:2849
+ msgid "ldap_group_search_base (string)"
+ msgstr "ldap_group_search_base (chaînes)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><note>
+-#: sssd-ldap.5.xml:2834
++#: sssd-ldap.5.xml:2854
+ msgid "<note>"
+ msgstr "<note>"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><note><para>
+-#: sssd-ldap.5.xml:2836
++#: sssd-ldap.5.xml:2856
+ msgid ""
+ "If the option <quote>ldap_use_tokengroups</quote> is enabled, the searches "
+ "against Active Directory will not be restricted and return all groups "
+@@ -8047,22 +8241,22 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist>
+-#: sssd-ldap.5.xml:2843
++#: sssd-ldap.5.xml:2863
+ msgid "</note>"
+ msgstr "</note>"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2845
++#: sssd-ldap.5.xml:2865
+ msgid "ldap_sudo_search_base (string)"
+ msgstr "ldap_sudo_search_base (string)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2850
++#: sssd-ldap.5.xml:2870
+ msgid "ldap_autofs_search_base (string)"
+ msgstr "ldap_autofs_search_base (string)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd-ldap.5.xml:2814
++#: sssd-ldap.5.xml:2834
+ msgid ""
+ "These options are supported by LDAP domains, but they should be used with "
+ "caution. Please include them in your configuration only if you know what you "
+@@ -8071,14 +8265,14 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><title>
+-#: sssd-ldap.5.xml:2865 sssd-simple.5.xml:131 sssd-ipa.5.xml:828
+-#: sssd-ad.5.xml:1063 sssd-krb5.5.xml:570 sss_rpcidmapd.5.xml:98
++#: sssd-ldap.5.xml:2885 sssd-simple.5.xml:131 sssd-ipa.5.xml:828
++#: sssd-ad.5.xml:1082 sssd-krb5.5.xml:604 sss_rpcidmapd.5.xml:98
+ #: sssd-files.5.xml:103 sssd-session-recording.5.xml:144
+ msgid "EXAMPLE"
+ msgstr "EXEMPLE"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd-ldap.5.xml:2867
++#: sssd-ldap.5.xml:2887
+ msgid ""
+ "The following example assumes that SSSD is correctly configured and LDAP is "
+ "set to one of the domains in the <replaceable>[domains]</replaceable> "
+@@ -8089,7 +8283,7 @@ msgstr ""
+ "replaceable>."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><programlisting>
+-#: sssd-ldap.5.xml:2873
++#: sssd-ldap.5.xml:2893
+ #, no-wrap
+ msgid ""
+ "[domain/LDAP]\n"
+@@ -8109,27 +8303,27 @@ msgstr ""
+ "cache_credentials = true\n"
+ 
+ #. type: Content of: <refsect1><refsect2><para>
+-#: sssd-ldap.5.xml:2872 sssd-ldap.5.xml:2890 sssd-simple.5.xml:139
+-#: sssd-ipa.5.xml:836 sssd-ad.5.xml:1071 sssd-sudo.5.xml:56 sssd-krb5.5.xml:579
++#: sssd-ldap.5.xml:2892 sssd-ldap.5.xml:2910 sssd-simple.5.xml:139
++#: sssd-ipa.5.xml:836 sssd-ad.5.xml:1090 sssd-sudo.5.xml:56 sssd-krb5.5.xml:613
+ #: sssd-files.5.xml:110 sssd-session-recording.5.xml:150
+ #: include/ldap_id_mapping.xml:105
+ msgid "<placeholder type=\"programlisting\" id=\"0\"/>"
+ msgstr "<placeholder type=\"programlisting\" id=\"0\"/>"
+ 
+ #. type: Content of: <reference><refentry><refsect1><title>
+-#: sssd-ldap.5.xml:2884
++#: sssd-ldap.5.xml:2904
+ msgid "LDAP ACCESS FILTER EXAMPLE"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd-ldap.5.xml:2886
++#: sssd-ldap.5.xml:2906
+ msgid ""
+ "The following example assumes that SSSD is correctly configured and to use "
+ "the ldap_access_order=lockout."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><programlisting>
+-#: sssd-ldap.5.xml:2891
++#: sssd-ldap.5.xml:2911
+ #, no-wrap
+ msgid ""
+ "[domain/LDAP]\n"
+@@ -8155,13 +8349,13 @@ msgstr ""
+ "cache_credentials = true\n"
+ 
+ #. type: Content of: <reference><refentry><refsect1><title>
+-#: sssd-ldap.5.xml:2906 sssd_krb5_locator_plugin.8.xml:83 sssd-simple.5.xml:148
+-#: sssd-ad.5.xml:1086 sssd.8.xml:230 sss_seed.8.xml:163
++#: sssd-ldap.5.xml:2926 sssd_krb5_locator_plugin.8.xml:83 sssd-simple.5.xml:148
++#: sssd-ad.5.xml:1105 sssd.8.xml:230 sss_seed.8.xml:163
+ msgid "NOTES"
+ msgstr "NOTES"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd-ldap.5.xml:2908
++#: sssd-ldap.5.xml:2928
+ msgid ""
+ "The descriptions of some of the configuration options in this manual page "
+ "are based on the <citerefentry> <refentrytitle>ldap.conf</refentrytitle> "
+@@ -9742,7 +9936,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ipa.5.xml:128 sssd-ad.5.xml:888
++#: sssd-ipa.5.xml:128 sssd-ad.5.xml:907
+ msgid "dyndns_update (boolean)"
+ msgstr "dyndns_update (booléen)"
+ 
+@@ -9757,7 +9951,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ipa.5.xml:140 sssd-ad.5.xml:902
++#: sssd-ipa.5.xml:140 sssd-ad.5.xml:921
+ msgid ""
+ "NOTE: On older systems (such as RHEL 5), for this behavior to work reliably, "
+ "the default Kerberos realm must be set properly in /etc/krb5.conf"
+@@ -9779,12 +9973,12 @@ msgstr ""
+ "configuration."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ipa.5.xml:157 sssd-ad.5.xml:913
++#: sssd-ipa.5.xml:157 sssd-ad.5.xml:932
+ msgid "dyndns_ttl (integer)"
+ msgstr "dyndns_ttl (entier)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ipa.5.xml:160 sssd-ad.5.xml:916
++#: sssd-ipa.5.xml:160 sssd-ad.5.xml:935
+ msgid ""
+ "The TTL to apply to the client DNS record when updating it.  If "
+ "dyndns_update is false this has no effect. This will override the TTL "
+@@ -9811,12 +10005,12 @@ msgid "Default: 1200 (seconds)"
+ msgstr "Par défaut : 1200 (secondes)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ipa.5.xml:177 sssd-ad.5.xml:927
++#: sssd-ipa.5.xml:177 sssd-ad.5.xml:946
+ msgid "dyndns_iface (string)"
+ msgstr "dyndns_iface (chaîne)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ipa.5.xml:180 sssd-ad.5.xml:930
++#: sssd-ipa.5.xml:180 sssd-ad.5.xml:949
+ msgid ""
+ "Optional. Applicable only when dyndns_update is true. Choose the interface "
+ "or a list of interfaces whose IP addresses should be used for dynamic DNS "
+@@ -9844,17 +10038,17 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ipa.5.xml:197 sssd-ad.5.xml:941
++#: sssd-ipa.5.xml:197 sssd-ad.5.xml:960
+ msgid "Example: dyndns_iface = em1, vnet1, vnet2"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ipa.5.xml:203 sssd-ad.5.xml:992
++#: sssd-ipa.5.xml:203 sssd-ad.5.xml:1011
+ msgid "dyndns_auth (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ipa.5.xml:206 sssd-ad.5.xml:995
++#: sssd-ipa.5.xml:206 sssd-ad.5.xml:1014
+ msgid ""
+ "Whether the nsupdate utility should use GSS-TSIG authentication for secure "
+ "updates with the DNS server, insecure updates can be sent by setting this "
+@@ -9862,7 +10056,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ipa.5.xml:212 sssd-ad.5.xml:1001
++#: sssd-ipa.5.xml:212 sssd-ad.5.xml:1020
+ msgid "Default: GSS-TSIG"
+ msgstr ""
+ 
+@@ -9897,7 +10091,7 @@ msgstr ""
+ "seront utilisés comme serveurs de repli"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ipa.5.xml:244 sssd-ad.5.xml:947
++#: sssd-ipa.5.xml:244 sssd-ad.5.xml:966
+ msgid "dyndns_refresh_interval (integer)"
+ msgstr "dyndns_refresh_interval (entier)"
+ 
+@@ -9914,12 +10108,12 @@ msgstr ""
+ "configurée à true."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ipa.5.xml:260 sssd-ad.5.xml:965
++#: sssd-ipa.5.xml:260 sssd-ad.5.xml:984
+ msgid "dyndns_update_ptr (bool)"
+ msgstr "dyndns_update_ptr (booléen)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ipa.5.xml:263 sssd-ad.5.xml:968
++#: sssd-ipa.5.xml:263 sssd-ad.5.xml:987
+ msgid ""
+ "Whether the PTR record should also be explicitly updated when updating the "
+ "client's DNS records.  Applicable only when dyndns_update is true."
+@@ -9944,12 +10138,12 @@ msgid "Default: False (disabled)"
+ msgstr "Par défaut : False (désactivé)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ipa.5.xml:280 sssd-ad.5.xml:979
++#: sssd-ipa.5.xml:280 sssd-ad.5.xml:998
+ msgid "dyndns_force_tcp (bool)"
+ msgstr "dyndns_force_tcp (booléen)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ipa.5.xml:283 sssd-ad.5.xml:982
++#: sssd-ipa.5.xml:283 sssd-ad.5.xml:1001
+ msgid ""
+ "Whether the nsupdate utility should default to using TCP for communicating "
+ "with the DNS server."
+@@ -9958,38 +10152,38 @@ msgstr ""
+ "communication avec le serveur DNS."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ipa.5.xml:287 sssd-ad.5.xml:986
++#: sssd-ipa.5.xml:287 sssd-ad.5.xml:1005
+ msgid "Default: False (let nsupdate choose the protocol)"
+ msgstr "Par défaut : False (laisser nsupdate choisir le protocole)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ipa.5.xml:293 sssd-ad.5.xml:1007
++#: sssd-ipa.5.xml:293 sssd-ad.5.xml:1026
+ msgid "dyndns_server (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ipa.5.xml:296 sssd-ad.5.xml:1010
++#: sssd-ipa.5.xml:296 sssd-ad.5.xml:1029
+ msgid ""
+ "The DNS server to use when performing a DNS update. In most setups, it's "
+ "recommended to leave this option unset."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ipa.5.xml:301 sssd-ad.5.xml:1015
++#: sssd-ipa.5.xml:301 sssd-ad.5.xml:1034
+ msgid ""
+ "Setting this option makes sense for environments where the DNS server is "
+ "different from the identity server."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ipa.5.xml:306 sssd-ad.5.xml:1020
++#: sssd-ipa.5.xml:306 sssd-ad.5.xml:1039
+ msgid ""
+ "Please note that this option will be only used in fallback attempt when "
+ "previous attempt using autodetected settings failed."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ipa.5.xml:311 sssd-ad.5.xml:1025
++#: sssd-ipa.5.xml:311 sssd-ad.5.xml:1044
+ msgid "Default: None (let nsupdate choose the server)"
+ msgstr ""
+ 
+@@ -10112,26 +10306,26 @@ msgstr ""
+ "convertit en DN de base pour effectuer les opérations LDAP."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ipa.5.xml:443 sssd-ad.5.xml:1034
++#: sssd-ipa.5.xml:443 sssd-ad.5.xml:1053
+ msgid "krb5_confd_path (string)"
+ msgstr "krb5_confd_path (chaîne)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ipa.5.xml:446 sssd-ad.5.xml:1037
++#: sssd-ipa.5.xml:446 sssd-ad.5.xml:1056
+ msgid ""
+ "Absolute path of a directory where SSSD should place Kerberos configuration "
+ "snippets."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ipa.5.xml:450 sssd-ad.5.xml:1041
++#: sssd-ipa.5.xml:450 sssd-ad.5.xml:1060
+ msgid ""
+ "To disable the creation of the configuration snippets set the parameter to "
+ "'none'."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ipa.5.xml:454 sssd-ad.5.xml:1045
++#: sssd-ipa.5.xml:454 sssd-ad.5.xml:1064
+ msgid ""
+ "Default: not set (krb5.include.d subdirectory of SSSD's pubconf directory)"
+ msgstr ""
+@@ -10150,7 +10344,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ipa.5.xml:471 sssd-ipa.5.xml:501 sssd-ipa.5.xml:517 sssd-ad.5.xml:452
++#: sssd-ipa.5.xml:471 sssd-ipa.5.xml:501 sssd-ipa.5.xml:517 sssd-ad.5.xml:471
+ msgid "Default: 5 (seconds)"
+ msgstr "Par défaut : 5 (secondes)"
+ 
+@@ -11086,12 +11280,29 @@ msgid "Default: False (seconds)"
+ msgstr "Par défaut : 5 (secondes)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ad.5.xml:442
++#: sssd-ad.5.xml:441
++#, fuzzy
++#| msgid "ad_enable_gc (boolean)"
++msgid "ad_gpo_ignore_unreadable (boolean)"
++msgstr "ad_enable_gc (booléen)"
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
++#: sssd-ad.5.xml:444
++msgid ""
++"Normally when some group policy containers (AD object) of applicable group "
++"policy objects are not readable by SSSD then users are denied access.  This "
++"option allows to ignore group policy containers and with them associated "
++"policies if their attributes in group policy containers are not readable for "
++"SSSD."
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
++#: sssd-ad.5.xml:461
+ msgid "ad_gpo_cache_timeout (integer)"
+ msgstr "ad_gpo_cache_timeout (entier)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:445
++#: sssd-ad.5.xml:464
+ msgid ""
+ "The amount of time between lookups of GPO policy files against the AD "
+ "server. This will reduce the latency and load on the AD server if there are "
+@@ -11099,12 +11310,12 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ad.5.xml:458
++#: sssd-ad.5.xml:477
+ msgid "ad_gpo_map_interactive (string)"
+ msgstr "ad_gpo_map_interactive (chaîne)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:461
++#: sssd-ad.5.xml:480
+ msgid ""
+ "A comma-separated list of PAM service names for which GPO-based access "
+ "control is evaluated based on the InteractiveLogonRight and "
+@@ -11112,14 +11323,14 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:467
++#: sssd-ad.5.xml:486
+ msgid ""
+ "Note: Using the Group Policy Management Editor this value is called \"Allow "
+ "log on locally\" and \"Deny log on locally\"."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
+-#: sssd-ad.5.xml:481
++#: sssd-ad.5.xml:500
+ #, no-wrap
+ msgid ""
+ "ad_gpo_map_interactive = +my_pam_service, -login\n"
+@@ -11127,7 +11338,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:472
++#: sssd-ad.5.xml:491
+ msgid ""
+ "It is possible to add another PAM service name to the default set by using "
+ "<quote>+service_name</quote> or to explicitly remove a PAM service name from "
+@@ -11139,42 +11350,42 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd-ad.5.xml:504
++#: sssd-ad.5.xml:523
+ msgid "gdm-fingerprint"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd-ad.5.xml:524
++#: sssd-ad.5.xml:543
+ msgid "lightdm"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd-ad.5.xml:529
++#: sssd-ad.5.xml:548
+ msgid "lxdm"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd-ad.5.xml:534
++#: sssd-ad.5.xml:553
+ msgid "sddm"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd-ad.5.xml:539
++#: sssd-ad.5.xml:558
+ msgid "unity"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd-ad.5.xml:544
++#: sssd-ad.5.xml:563
+ msgid "xdm"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ad.5.xml:553
++#: sssd-ad.5.xml:572
+ msgid "ad_gpo_map_remote_interactive (string)"
+ msgstr "ad_gpo_map_remote_interactive (chaîne)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:556
++#: sssd-ad.5.xml:575
+ msgid ""
+ "A comma-separated list of PAM service names for which GPO-based access "
+ "control is evaluated based on the RemoteInteractiveLogonRight and "
+@@ -11182,7 +11393,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:562
++#: sssd-ad.5.xml:581
+ msgid ""
+ "Note: Using the Group Policy Management Editor this value is called \"Allow "
+ "log on through Remote Desktop Services\" and \"Deny log on through Remote "
+@@ -11190,7 +11401,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
+-#: sssd-ad.5.xml:577
++#: sssd-ad.5.xml:596
+ #, no-wrap
+ msgid ""
+ "ad_gpo_map_remote_interactive = +my_pam_service, -sshd\n"
+@@ -11198,7 +11409,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:568
++#: sssd-ad.5.xml:587
+ msgid ""
+ "It is possible to add another PAM service name to the default set by using "
+ "<quote>+service_name</quote> or to explicitly remove a PAM service name from "
+@@ -11210,22 +11421,22 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd-ad.5.xml:585
++#: sssd-ad.5.xml:604
+ msgid "sshd"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd-ad.5.xml:590
++#: sssd-ad.5.xml:609
+ msgid "cockpit"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ad.5.xml:599
++#: sssd-ad.5.xml:618
+ msgid "ad_gpo_map_network (string)"
+ msgstr "ad_gpo_map_network (chaîne)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:602
++#: sssd-ad.5.xml:621
+ msgid ""
+ "A comma-separated list of PAM service names for which GPO-based access "
+ "control is evaluated based on the NetworkLogonRight and "
+@@ -11233,7 +11444,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:608
++#: sssd-ad.5.xml:627
+ msgid ""
+ "Note: Using the Group Policy Management Editor this value is called \"Access "
+ "this computer from the network\" and \"Deny access to this computer from the "
+@@ -11241,7 +11452,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
+-#: sssd-ad.5.xml:623
++#: sssd-ad.5.xml:642
+ #, no-wrap
+ msgid ""
+ "ad_gpo_map_network = +my_pam_service, -ftp\n"
+@@ -11249,7 +11460,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:614
++#: sssd-ad.5.xml:633
+ msgid ""
+ "It is possible to add another PAM service name to the default set by using "
+ "<quote>+service_name</quote> or to explicitly remove a PAM service name from "
+@@ -11261,22 +11472,22 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd-ad.5.xml:631
++#: sssd-ad.5.xml:650
+ msgid "ftp"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd-ad.5.xml:636
++#: sssd-ad.5.xml:655
+ msgid "samba"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ad.5.xml:645
++#: sssd-ad.5.xml:664
+ msgid "ad_gpo_map_batch (string)"
+ msgstr "ad_gpo_map_batch (chaîne)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:648
++#: sssd-ad.5.xml:667
+ msgid ""
+ "A comma-separated list of PAM service names for which GPO-based access "
+ "control is evaluated based on the BatchLogonRight and DenyBatchLogonRight "
+@@ -11284,14 +11495,14 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:654
++#: sssd-ad.5.xml:673
+ msgid ""
+ "Note: Using the Group Policy Management Editor this value is called \"Allow "
+ "log on as a batch job\" and \"Deny log on as a batch job\"."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
+-#: sssd-ad.5.xml:668
++#: sssd-ad.5.xml:687
+ #, no-wrap
+ msgid ""
+ "ad_gpo_map_batch = +my_pam_service, -crond\n"
+@@ -11299,7 +11510,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:659
++#: sssd-ad.5.xml:678
+ msgid ""
+ "It is possible to add another PAM service name to the default set by using "
+ "<quote>+service_name</quote> or to explicitly remove a PAM service name from "
+@@ -11311,23 +11522,23 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:671
++#: sssd-ad.5.xml:690
+ msgid ""
+ "Note: Cron service name may differ depending on Linux distribution used."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd-ad.5.xml:677
++#: sssd-ad.5.xml:696
+ msgid "crond"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ad.5.xml:686
++#: sssd-ad.5.xml:705
+ msgid "ad_gpo_map_service (string)"
+ msgstr "ad_gpo_map_service (chaîne)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:689
++#: sssd-ad.5.xml:708
+ msgid ""
+ "A comma-separated list of PAM service names for which GPO-based access "
+ "control is evaluated based on the ServiceLogonRight and "
+@@ -11335,14 +11546,14 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:695
++#: sssd-ad.5.xml:714
+ msgid ""
+ "Note: Using the Group Policy Management Editor this value is called \"Allow "
+ "log on as a service\" and \"Deny log on as a service\"."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
+-#: sssd-ad.5.xml:708
++#: sssd-ad.5.xml:727
+ #, no-wrap
+ msgid ""
+ "ad_gpo_map_service = +my_pam_service\n"
+@@ -11350,7 +11561,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:700 sssd-ad.5.xml:775
++#: sssd-ad.5.xml:719 sssd-ad.5.xml:794
+ msgid ""
+ "It is possible to add a PAM service name to the default set by using <quote>"
+ "+service_name</quote>.  Since the default set is empty, it is not possible "
+@@ -11361,19 +11572,19 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ad.5.xml:718
++#: sssd-ad.5.xml:737
+ msgid "ad_gpo_map_permit (string)"
+ msgstr "ad_gpo_map_permit (chaîne)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:721
++#: sssd-ad.5.xml:740
+ msgid ""
+ "A comma-separated list of PAM service names for which GPO-based access is "
+ "always granted, regardless of any GPO Logon Rights."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
+-#: sssd-ad.5.xml:735
++#: sssd-ad.5.xml:754
+ #, no-wrap
+ msgid ""
+ "ad_gpo_map_permit = +my_pam_service, -sudo\n"
+@@ -11381,7 +11592,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:726
++#: sssd-ad.5.xml:745
+ msgid ""
+ "It is possible to add another PAM service name to the default set by using "
+ "<quote>+service_name</quote> or to explicitly remove a PAM service name from "
+@@ -11393,29 +11604,29 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd-ad.5.xml:743
++#: sssd-ad.5.xml:762
+ msgid "polkit-1"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd-ad.5.xml:758
++#: sssd-ad.5.xml:777
+ msgid "systemd-user"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ad.5.xml:767
++#: sssd-ad.5.xml:786
+ msgid "ad_gpo_map_deny (string)"
+ msgstr "ad_gpo_map_deny (chaîne)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:770
++#: sssd-ad.5.xml:789
+ msgid ""
+ "A comma-separated list of PAM service names for which GPO-based access is "
+ "always denied, regardless of any GPO Logon Rights."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
+-#: sssd-ad.5.xml:783
++#: sssd-ad.5.xml:802
+ #, no-wrap
+ msgid ""
+ "ad_gpo_map_deny = +my_pam_service\n"
+@@ -11423,12 +11634,12 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ad.5.xml:793
++#: sssd-ad.5.xml:812
+ msgid "ad_gpo_default_right (string)"
+ msgstr "ad_gpo_default_right (chaîne)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:796
++#: sssd-ad.5.xml:815
+ msgid ""
+ "This option defines how access control is evaluated for PAM service names "
+ "that are not explicitly listed in one of the ad_gpo_map_* options. This "
+@@ -11441,57 +11652,57 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:809
++#: sssd-ad.5.xml:828
+ msgid "Supported values for this option include:"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd-ad.5.xml:813
++#: sssd-ad.5.xml:832
+ msgid "interactive"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd-ad.5.xml:818
++#: sssd-ad.5.xml:837
+ msgid "remote_interactive"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd-ad.5.xml:823
++#: sssd-ad.5.xml:842
+ msgid "network"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd-ad.5.xml:828
++#: sssd-ad.5.xml:847
+ msgid "batch"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd-ad.5.xml:833
++#: sssd-ad.5.xml:852
+ msgid "service"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd-ad.5.xml:838
++#: sssd-ad.5.xml:857
+ msgid "permit"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd-ad.5.xml:843
++#: sssd-ad.5.xml:862
+ msgid "deny"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:849
++#: sssd-ad.5.xml:868
+ msgid "Default: deny"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ad.5.xml:855
++#: sssd-ad.5.xml:874
+ msgid "ad_maximum_machine_account_password_age (integer)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:858
++#: sssd-ad.5.xml:877
+ msgid ""
+ "SSSD will check once a day if the machine account password is older than the "
+ "given age in days and try to renew it. A value of 0 will disable the renewal "
+@@ -11499,17 +11710,17 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:864
++#: sssd-ad.5.xml:883
+ msgid "Default: 30 days"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ad.5.xml:870
++#: sssd-ad.5.xml:889
+ msgid "ad_machine_account_password_renewal_opts (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:873
++#: sssd-ad.5.xml:892
+ msgid ""
+ "This option should only be used to test the machine account renewal task. "
+ "The option expects 2 integers separated by a colon (':'). The first integer "
+@@ -11519,12 +11730,12 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:882
++#: sssd-ad.5.xml:901
+ msgid "Default: 86400:750 (24h and 15m)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:891
++#: sssd-ad.5.xml:910
+ msgid ""
+ "Optional. This option tells SSSD to automatically update the Active "
+ "Directory DNS server with the IP address of this client. The update is "
+@@ -11542,19 +11753,19 @@ msgstr ""
+ "<quote>dyndns_iface</quote>."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:921
++#: sssd-ad.5.xml:940
+ msgid "Default: 3600 (seconds)"
+ msgstr "Par défaut : 3600 (secondes)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:937
++#: sssd-ad.5.xml:956
+ msgid ""
+ "Default: Use the IP addresses of the interface which is used for AD LDAP "
+ "connection"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:950
++#: sssd-ad.5.xml:969
+ msgid ""
+ "How often should the back end perform periodic DNS update in addition to the "
+ "automatic update performed when the back end goes online.  This option is "
+@@ -11564,12 +11775,12 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:973 sss_rpcidmapd.5.xml:76
++#: sssd-ad.5.xml:992 sss_rpcidmapd.5.xml:76
+ msgid "Default: True"
+ msgstr "Par défaut : True"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd-ad.5.xml:1065
++#: sssd-ad.5.xml:1084
+ msgid ""
+ "The following example assumes that SSSD is correctly configured and example."
+ "com is one of the domains in the <replaceable>[sssd]</replaceable> section. "
+@@ -11580,7 +11791,7 @@ msgstr ""
+ "exemples montrent seulement les options spécifiques au fournisseur AD."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><programlisting>
+-#: sssd-ad.5.xml:1072
++#: sssd-ad.5.xml:1091
+ #, no-wrap
+ msgid ""
+ "[domain/EXAMPLE]\n"
+@@ -11604,7 +11815,7 @@ msgstr ""
+ "ad_domain = example.com\n"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><programlisting>
+-#: sssd-ad.5.xml:1092
++#: sssd-ad.5.xml:1111
+ #, no-wrap
+ msgid ""
+ "access_provider = ldap\n"
+@@ -11616,7 +11827,7 @@ msgstr ""
+ "ldap_account_expire_policy = ad\n"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd-ad.5.xml:1088
++#: sssd-ad.5.xml:1107
+ msgid ""
+ "The AD access control provider checks if the account is expired.  It has the "
+ "same effect as the following configuration of the LDAP provider: "
+@@ -11627,7 +11838,7 @@ msgstr ""
+ "<placeholder type=\"programlisting\" id=\"0\"/>"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd-ad.5.xml:1098
++#: sssd-ad.5.xml:1117
+ msgid ""
+ "However, unless the <quote>ad</quote> access control provider is explicitly "
+ "configured, the default access provider is <quote>permit</quote>. Please "
+@@ -11637,7 +11848,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd-ad.5.xml:1106
++#: sssd-ad.5.xml:1125
+ msgid ""
+ "When the autofs provider is set to <quote>ad</quote>, the RFC2307 schema "
+ "attribute mapping (nisMap, nisObject, ...) is used, because these attributes "
+@@ -13359,11 +13570,69 @@ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd-krb5.5.xml:505
++#, fuzzy
++#| msgid "krb5_confd_path (string)"
++msgid "krb5_kdcinfo_lookahead (string)"
++msgstr "krb5_confd_path (chaîne)"
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
++#: sssd-krb5.5.xml:508
++#, fuzzy
++#| msgid ""
++#| "See the <citerefentry> <refentrytitle>sssd_krb5_locator_plugin</"
++#| "refentrytitle> <manvolnum>8</manvolnum> </citerefentry> manual page for "
++#| "more information on the locator plugin."
++msgid ""
++"When krb5_use_kdcinfo is set to true, you can limit the amount of servers "
++"handed to <citerefentry> <refentrytitle>sssd_krb5_locator_plugin</"
++"refentrytitle> <manvolnum>8</manvolnum> </citerefentry>.  This might be "
++"helpful when there are too many servers discovered using SRV record."
++msgstr ""
++"Consulter la page de manuel de <citerefentry> "
++"<refentrytitle>sssd_krb5_locator_plugin</refentrytitle> <manvolnum>8</"
++"manvolnum> </citerefentry> pour plus d'informations sur le greffon de "
++"localisation."
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
++#: sssd-krb5.5.xml:518
++msgid ""
++"The krb5_kdcinfo_lookahead option contains two numbers seperated by a colon. "
++"The first number represents number of primary servers used and the second "
++"number specifies the number of backup servers."
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
++#: sssd-krb5.5.xml:524
++#, fuzzy
++#| msgid ""
++#| "See the <citerefentry> <refentrytitle>sssd_krb5_locator_plugin</"
++#| "refentrytitle> <manvolnum>8</manvolnum> </citerefentry> manual page for "
++#| "more information on the locator plugin."
++msgid ""
++"For example <emphasis>10:0</emphasis> means that up to 10 primary servers "
++"will be handed to <citerefentry> <refentrytitle>sssd_krb5_locator_plugin</"
++"refentrytitle> <manvolnum>8</manvolnum> </citerefentry>.  but no backup "
++"servers."
++msgstr ""
++"Consulter la page de manuel de <citerefentry> "
++"<refentrytitle>sssd_krb5_locator_plugin</refentrytitle> <manvolnum>8</"
++"manvolnum> </citerefentry> pour plus d'informations sur le greffon de "
++"localisation."
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
++#: sssd-krb5.5.xml:533
++#, fuzzy
++#| msgid "Default: 3"
++msgid "Default: 3:1"
++msgstr "Par défaut : 3"
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
++#: sssd-krb5.5.xml:539
+ msgid "krb5_use_enterprise_principal (boolean)"
+ msgstr "krb5_use_enterprise_principal (booléen)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-krb5.5.xml:508
++#: sssd-krb5.5.xml:542
+ msgid ""
+ "Specifies if the user principal should be treated as enterprise principal. "
+ "See section 5 of RFC 6806 for more details about enterprise principals."
+@@ -13373,12 +13642,12 @@ msgstr ""
+ "principals d'entreprise."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-krb5.5.xml:514
++#: sssd-krb5.5.xml:548
+ msgid "Default: false (AD provider: true)"
+ msgstr "Par défaut : false (AD provider : true)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-krb5.5.xml:517
++#: sssd-krb5.5.xml:551
+ msgid ""
+ "The IPA provider will set to option to 'true' if it detects that the server "
+ "is capable of handling enterprise principals and the option is not set "
+@@ -13386,12 +13655,12 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-krb5.5.xml:526
++#: sssd-krb5.5.xml:560
+ msgid "krb5_map_user (string)"
+ msgstr "krb5_map_user (chaîne)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-krb5.5.xml:529
++#: sssd-krb5.5.xml:563
+ msgid ""
+ "The list of mappings is given as a comma-separated list of pairs "
+ "<quote>username:primary</quote> where <quote>username</quote> is a UNIX user "
+@@ -13401,7 +13670,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
+-#: sssd-krb5.5.xml:541
++#: sssd-krb5.5.xml:575
+ #, no-wrap
+ msgid ""
+ "krb5_realm = REALM\n"
+@@ -13411,7 +13680,7 @@ msgstr ""
+ "krb5_map_user = joe:juser,dick:richard\n"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-krb5.5.xml:546
++#: sssd-krb5.5.xml:580
+ msgid ""
+ "<quote>joe</quote> and <quote>dick</quote> are UNIX user names and "
+ "<quote>juser</quote> and <quote>richard</quote> are primaries of kerberos "
+@@ -13437,7 +13706,7 @@ msgstr ""
+ "\"variablelist\" id=\"0\"/>"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd-krb5.5.xml:572
++#: sssd-krb5.5.xml:606
+ msgid ""
+ "The following example assumes that SSSD is correctly configured and FOO is "
+ "one of the domains in the <replaceable>[sssd]</replaceable> section. This "
+@@ -13450,7 +13719,7 @@ msgstr ""
+ "et n'inclut aucun fournisseur d'identité."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><programlisting>
+-#: sssd-krb5.5.xml:580
++#: sssd-krb5.5.xml:614
+ #, no-wrap
+ msgid ""
+ "[domain/FOO]\n"
+@@ -17767,3 +18036,9 @@ msgstr ""
+ #: include/ipa_modified_defaults.xml:118
+ msgid "ldap_group_external_member = ipaExternalMember"
+ msgstr ""
++
++#~ msgid ""
++#~ "You can turn off dereference lookups completely by setting the value to 0."
++#~ msgstr ""
++#~ "Vous pouvez désactiver complètement les recherches de déréférencement  en "
++#~ "affectant la valeur 0."
+diff --git a/src/man/po/ja.po b/src/man/po/ja.po
+index 24810874a..3840c0a99 100644
+--- a/src/man/po/ja.po
++++ b/src/man/po/ja.po
+@@ -10,7 +10,7 @@ msgid ""
+ msgstr ""
+ "Project-Id-Version: sssd-docs 2.0.99\n"
+ "Report-Msgid-Bugs-To: sssd-devel@redhat.com\n"
+-"POT-Creation-Date: 2019-03-20 22:06+0100\n"
++"POT-Creation-Date: 2019-10-07 11:33+0200\n"
+ "PO-Revision-Date: 2014-12-14 11:59+0000\n"
+ "Last-Translator: Copied by Zanata <copied-by-zanata@zanata.org>\n"
+ "Language-Team: Japanese (http://www.transifex.com/projects/p/sssd/language/"
+@@ -320,10 +320,10 @@ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:133 sssd.conf.5.xml:543 sssd.conf.5.xml:840
+-#: sssd.conf.5.xml:1566 sssd.conf.5.xml:1596 sssd-ldap.5.xml:1889
+-#: sssd-ldap.5.xml:1986 sssd-ldap.5.xml:2048 sssd-ldap.5.xml:2614
+-#: sssd-ldap.5.xml:2679 sssd-ldap.5.xml:2697 sssd-ad.5.xml:227
+-#: sssd-ad.5.xml:341 sssd-ad.5.xml:907 sssd-krb5.5.xml:499
++#: sssd.conf.5.xml:1566 sssd.conf.5.xml:1596 sssd-ldap.5.xml:1908
++#: sssd-ldap.5.xml:2006 sssd-ldap.5.xml:2068 sssd-ldap.5.xml:2634
++#: sssd-ldap.5.xml:2699 sssd-ldap.5.xml:2717 sssd-ad.5.xml:227
++#: sssd-ad.5.xml:341 sssd-ad.5.xml:926 sssd-krb5.5.xml:499
+ #: sssd-secrets.5.xml:351 sssd-secrets.5.xml:364
+ msgid "Default: true"
+ msgstr "初期値: true"
+@@ -342,16 +342,16 @@ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:146 sssd.conf.5.xml:540 sssd.conf.5.xml:722
+-#: sssd.conf.5.xml:1499 sssd.conf.5.xml:3106 sssd-ldap.5.xml:746
+-#: sssd-ldap.5.xml:1752 sssd-ldap.5.xml:1771 sssd-ldap.5.xml:1958
+-#: sssd-ldap.5.xml:2384 sssd-ipa.5.xml:151 sssd-ipa.5.xml:238
++#: sssd.conf.5.xml:1499 sssd.conf.5.xml:3129 sssd-ldap.5.xml:746
++#: sssd-ldap.5.xml:1759 sssd-ldap.5.xml:1778 sssd-ldap.5.xml:1978
++#: sssd-ldap.5.xml:2404 sssd-ipa.5.xml:151 sssd-ipa.5.xml:238
+ #: sssd-ipa.5.xml:559 sssd-krb5.5.xml:266 sssd-krb5.5.xml:300
+ #: sssd-krb5.5.xml:471
+ msgid "Default: false"
+ msgstr "初期値: false"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para>
+-#: sssd.conf.5.xml:106 sssd.conf.5.xml:157 sssd-ldap.5.xml:2422
++#: sssd.conf.5.xml:106 sssd.conf.5.xml:157 sssd-ldap.5.xml:2442
+ #: sssd-systemtap.5.xml:82 sssd-systemtap.5.xml:143 sssd-systemtap.5.xml:210
+ #: sssd-systemtap.5.xml:248 sssd-systemtap.5.xml:304
+ msgid "<placeholder type=\"variablelist\" id=\"0\"/>"
+@@ -376,8 +376,8 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:169 sssd.conf.5.xml:1377 sssd.conf.5.xml:3122
+-#: sssd-ldap.5.xml:1623 include/ldap_id_mapping.xml:264
++#: sssd.conf.5.xml:169 sssd.conf.5.xml:1377 sssd.conf.5.xml:3145
++#: sssd-ldap.5.xml:1630 include/ldap_id_mapping.xml:264
+ msgid "Default: 10"
+ msgstr "初期値: 10"
+ 
+@@ -392,7 +392,7 @@ msgid "The [sssd] section"
+ msgstr "[sssd] セクション"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><title>
+-#: sssd.conf.5.xml:191 sssd.conf.5.xml:3211
++#: sssd.conf.5.xml:191 sssd.conf.5.xml:3234
+ msgid "Section parameters"
+ msgstr "セクションのパラメーター"
+ 
+@@ -476,7 +476,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:259 sssd.conf.5.xml:2672
++#: sssd.conf.5.xml:259 sssd.conf.5.xml:2680
+ msgid "re_expression (string)"
+ msgstr "re_expression (文字列)"
+ 
+@@ -496,12 +496,12 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:276 sssd.conf.5.xml:2720
++#: sssd.conf.5.xml:276 sssd.conf.5.xml:2728
+ msgid "full_name_format (string)"
+ msgstr "full_name_format (文字列)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:279 sssd.conf.5.xml:2723
++#: sssd.conf.5.xml:279 sssd.conf.5.xml:2731
+ msgid ""
+ "A <citerefentry> <refentrytitle>printf</refentrytitle> <manvolnum>3</"
+ "manvolnum> </citerefentry>-compatible format that describes how to compose a "
+@@ -512,39 +512,39 @@ msgstr ""
+ "manvolnum> </citerefentry> 互換形式。"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:290 sssd.conf.5.xml:2734
++#: sssd.conf.5.xml:290 sssd.conf.5.xml:2742
+ msgid "%1$s"
+ msgstr "%1$s"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:291 sssd.conf.5.xml:2735
++#: sssd.conf.5.xml:291 sssd.conf.5.xml:2743
+ msgid "user name"
+ msgstr "ユーザー名"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:294 sssd.conf.5.xml:2738
++#: sssd.conf.5.xml:294 sssd.conf.5.xml:2746
+ msgid "%2$s"
+ msgstr "%2$s"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:297 sssd.conf.5.xml:2741
++#: sssd.conf.5.xml:297 sssd.conf.5.xml:2749
+ msgid "domain name as specified in the SSSD config file."
+ msgstr "SSSD 設定ファイルにおいて指定されるドメイン名。"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:303 sssd.conf.5.xml:2747
++#: sssd.conf.5.xml:303 sssd.conf.5.xml:2755
+ msgid "%3$s"
+ msgstr "%3$s"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:306 sssd.conf.5.xml:2750
++#: sssd.conf.5.xml:306 sssd.conf.5.xml:2758
+ msgid ""
+ "domain flat name. Mostly usable for Active Directory domains, both directly "
+ "configured or discovered via IPA trusts."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:287 sssd.conf.5.xml:2731
++#: sssd.conf.5.xml:287 sssd.conf.5.xml:2739
+ msgid ""
+ "The following expansions are supported: <placeholder type=\"variablelist\" "
+ "id=\"0\"/>"
+@@ -688,9 +688,9 @@ msgstr ""
+ 
+ #. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:418 sssd.conf.5.xml:1166 sssd-ldap.5.xml:717
+-#: sssd-ldap.5.xml:1357 sssd-ldap.5.xml:1711 sssd-ldap.5.xml:1723
+-#: sssd-ldap.5.xml:1805 sssd-ad.5.xml:712 sssd-ad.5.xml:787 sssd.8.xml:126
+-#: sssd-krb5.5.xml:410 sssd-krb5.5.xml:556 sssd-secrets.5.xml:339
++#: sssd-ldap.5.xml:1357 sssd-ldap.5.xml:1718 sssd-ldap.5.xml:1730
++#: sssd-ldap.5.xml:1822 sssd-ad.5.xml:731 sssd-ad.5.xml:806 sssd.8.xml:126
++#: sssd-krb5.5.xml:410 sssd-krb5.5.xml:590 sssd-secrets.5.xml:339
+ #: sssd-secrets.5.xml:377 sssd-secrets.5.xml:390 sssd-secrets.5.xml:404
+ #: sssd-secrets.5.xml:415 include/ldap_id_mapping.xml:205
+ #: include/ldap_id_mapping.xml:216
+@@ -881,7 +881,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:588 sssd.conf.5.xml:1389 sssd.conf.5.xml:3172
++#: sssd.conf.5.xml:588 sssd.conf.5.xml:1389 sssd.conf.5.xml:3195
+ #: sssd-ad.5.xml:164 sssd-ad.5.xml:302 sssd-ad.5.xml:316
+ msgid "Default: Not set"
+ msgstr ""
+@@ -1238,7 +1238,7 @@ msgstr ""
+ 
+ #. type: Content of: <varlistentry><listitem><para>
+ #: sssd.conf.5.xml:859 sssd.conf.5.xml:1299 sssd.conf.5.xml:1318
+-#: sssd-krb5.5.xml:539 include/override_homedir.xml:59
++#: sssd-krb5.5.xml:573 include/override_homedir.xml:59
+ msgid "example: <placeholder type=\"programlisting\" id=\"0\"/>"
+ msgstr "例: <placeholder type=\"programlisting\" id=\"0\"/>"
+ 
+@@ -1689,7 +1689,7 @@ msgid "pam_pwd_expiration_warning (integer)"
+ msgstr "pam_pwd_expiration_warning (整数)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:1201 sssd.conf.5.xml:2153
++#: sssd.conf.5.xml:1201 sssd.conf.5.xml:2161
+ msgid "Display a warning N days before the password expires."
+ msgstr "パスワードの期限が切れる前に N 日間警告を表示します。"
+ 
+@@ -1704,7 +1704,7 @@ msgstr ""
+ "ことに注意してください。この情報がなければ、sssd は警告を表示します。"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:1210 sssd.conf.5.xml:2156
++#: sssd.conf.5.xml:1210 sssd.conf.5.xml:2164
+ msgid ""
+ "If zero is set, then this filter is not applied, i.e. if the expiration "
+ "warning was received from backend server, it will automatically be displayed."
+@@ -1718,7 +1718,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:1220 sssd.conf.5.xml:2976 sssd.8.xml:79
++#: sssd.conf.5.xml:1220 sssd.conf.5.xml:2991 sssd.8.xml:79
+ msgid "Default: 0"
+ msgstr "初期値: 0"
+ 
+@@ -1781,7 +1781,7 @@ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:1280 sssd.conf.5.xml:1305 sssd.conf.5.xml:1324
+-#: sssd.conf.5.xml:1950 sssd.conf.5.xml:2912 sssd-ldap.5.xml:2017
++#: sssd.conf.5.xml:1950 sssd.conf.5.xml:2920 sssd-ldap.5.xml:2037
+ msgid "Default: none"
+ msgstr "初期値: none"
+ 
+@@ -1846,9 +1846,9 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:1338 sssd.conf.5.xml:3056 sssd-ldap.5.xml:1125
+-#: sssd-ldap.5.xml:1152 sssd-ldap.5.xml:1552 sssd-ldap.5.xml:1573
+-#: sssd-ldap.5.xml:2090 include/ldap_id_mapping.xml:244
++#: sssd.conf.5.xml:1338 sssd-ldap.5.xml:1125 sssd-ldap.5.xml:1152
++#: sssd-ldap.5.xml:1552 sssd-ldap.5.xml:1573 sssd-ldap.5.xml:2110
++#: sssd-ad.5.xml:453 include/ldap_id_mapping.xml:244
+ msgid "Default: False"
+ msgstr "初期値: 偽"
+ 
+@@ -1946,48 +1946,48 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:1416 sssd-ad.5.xml:485 sssd-ad.5.xml:581 sssd-ad.5.xml:627
+-#: sssd-ad.5.xml:673 sssd-ad.5.xml:739
++#: sssd.conf.5.xml:1416 sssd-ad.5.xml:504 sssd-ad.5.xml:600 sssd-ad.5.xml:646
++#: sssd-ad.5.xml:692 sssd-ad.5.xml:758
+ msgid "Default: the default set of PAM service names includes:"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd.conf.5.xml:1421 sssd-ad.5.xml:489
++#: sssd.conf.5.xml:1421 sssd-ad.5.xml:508
+ msgid "login"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd.conf.5.xml:1426 sssd-ad.5.xml:494
++#: sssd.conf.5.xml:1426 sssd-ad.5.xml:513
+ msgid "su"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd.conf.5.xml:1431 sssd-ad.5.xml:499
++#: sssd.conf.5.xml:1431 sssd-ad.5.xml:518
+ msgid "su-l"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd.conf.5.xml:1436 sssd-ad.5.xml:514
++#: sssd.conf.5.xml:1436 sssd-ad.5.xml:533
+ msgid "gdm-smartcard"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd.conf.5.xml:1441 sssd-ad.5.xml:509
++#: sssd.conf.5.xml:1441 sssd-ad.5.xml:528
+ msgid "gdm-password"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd.conf.5.xml:1446 sssd-ad.5.xml:519
++#: sssd.conf.5.xml:1446 sssd-ad.5.xml:538
+ msgid "kdm"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd.conf.5.xml:1451 sssd-ad.5.xml:748
++#: sssd.conf.5.xml:1451 sssd-ad.5.xml:767
+ msgid "sudo"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd.conf.5.xml:1456 sssd-ad.5.xml:753
++#: sssd.conf.5.xml:1456 sssd-ad.5.xml:772
+ msgid "sudo-i"
+ msgstr ""
+ 
+@@ -2440,7 +2440,7 @@ msgid "FALSE = No enumerations for this domain"
+ msgstr "FALSE = このドメインに対して列挙しません"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:1886 sssd.conf.5.xml:2108 sssd.conf.5.xml:2283
++#: sssd.conf.5.xml:1886 sssd.conf.5.xml:2116 sssd.conf.5.xml:2291
+ msgid "Default: FALSE"
+ msgstr "初期値: FALSE"
+ 
+@@ -2672,44 +2672,52 @@ msgstr ""
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:2083
+ msgid ""
+-"The background refresh will process users, groups and netgroups in the cache."
++"The background refresh will process users, groups and netgroups in the "
++"cache. For users who have performed the initgroups (get group membership for "
++"user, typically ran at login)  operation in the past, both the user entry "
++"and the group membership are updated."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2087
++#: sssd.conf.5.xml:2091
++msgid "This option is automatically inherited for all trusted domains."
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
++#: sssd.conf.5.xml:2095
+ msgid "You can consider setting this value to 3/4 * entry_cache_timeout."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2091 sssd-ldap.5.xml:784 sssd-ipa.5.xml:254
++#: sssd.conf.5.xml:2099 sssd-ldap.5.xml:784 sssd-ipa.5.xml:254
+ msgid "Default: 0 (disabled)"
+ msgstr "初期値: 0 (無効)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2097
++#: sssd.conf.5.xml:2105
+ msgid "cache_credentials (bool)"
+ msgstr "cache_credentials (論理値)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2100
++#: sssd.conf.5.xml:2108
+ msgid "Determines if user credentials are also cached in the local LDB cache"
+ msgstr ""
+ "ユーザーのクレディンシャルがローカル LDB キャッシュにキャッシュされるかどうか"
+ "を決めます"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2104
++#: sssd.conf.5.xml:2112
+ msgid "User credentials are stored in a SHA512 hash, not in plaintext"
+ msgstr ""
+ "ユーザーのクレディンシャルが、平文ではなく SHA512 ハッシュで保存されます"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2114
++#: sssd.conf.5.xml:2122
+ msgid "cache_credentials_minimal_first_factor_length (int)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2117
++#: sssd.conf.5.xml:2125
+ msgid ""
+ "If 2-Factor-Authentication (2FA) is used and credentials should be saved "
+ "this value determines the minimal length the first authentication factor "
+@@ -2717,24 +2725,24 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2124
++#: sssd.conf.5.xml:2132
+ msgid ""
+ "This should avoid that the short PINs of a PIN based 2FA scheme are saved in "
+ "the cache which would make them easy targets for brute-force attacks."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2129
++#: sssd.conf.5.xml:2137
+ msgid "Default: 8"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2135
++#: sssd.conf.5.xml:2143
+ msgid "account_cache_expiration (integer)"
+ msgstr "account_cache_expiration (整数)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2138
++#: sssd.conf.5.xml:2146
+ msgid ""
+ "Number of days entries are left in cache after last successful login before "
+ "being removed during a cleanup of the cache. 0 means keep forever.  The "
+@@ -2746,17 +2754,17 @@ msgstr ""
+ "offline_credentials_expiration と同等以上でなければいけません。"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2145
++#: sssd.conf.5.xml:2153
+ msgid "Default: 0 (unlimited)"
+ msgstr "初期値: 0 (無制限)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2150
++#: sssd.conf.5.xml:2158
+ msgid "pwd_expiration_warning (integer)"
+ msgstr "pwd_expiration_warning (整数)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2161
++#: sssd.conf.5.xml:2169
+ msgid ""
+ "Please note that the backend server has to provide information about the "
+ "expiration time of the password.  If this information is missing, sssd "
+@@ -2765,17 +2773,17 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2168
++#: sssd.conf.5.xml:2176
+ msgid "Default: 7 (Kerberos), 0 (LDAP)"
+ msgstr "初期値: 7 (Kerberos), 0 (LDAP)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2174
++#: sssd.conf.5.xml:2182
+ msgid "id_provider (string)"
+ msgstr "id_provider (文字列)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2177
++#: sssd.conf.5.xml:2185
+ msgid ""
+ "The identification provider used for the domain.  Supported ID providers are:"
+ msgstr ""
+@@ -2783,18 +2791,18 @@ msgstr ""
+ "ダーは次のとおりです:"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2181
++#: sssd.conf.5.xml:2189
+ msgid "<quote>proxy</quote>: Support a legacy NSS provider."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2184
++#: sssd.conf.5.xml:2192
+ msgid ""
+ "<quote>local</quote>: SSSD internal provider for local users (DEPRECATED)."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2188
++#: sssd.conf.5.xml:2196
+ msgid ""
+ "<quote>files</quote>: FILES provider. See <citerefentry> <refentrytitle>sssd-"
+ "files</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> for more "
+@@ -2802,7 +2810,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2196
++#: sssd.conf.5.xml:2204
+ msgid ""
+ "<quote>ldap</quote>: LDAP provider. See <citerefentry> <refentrytitle>sssd-"
+ "ldap</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> for more "
+@@ -2813,8 +2821,8 @@ msgstr ""
+ "manvolnum> </citerefentry> を参照してください。"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2204 sssd.conf.5.xml:2309 sssd.conf.5.xml:2364
+-#: sssd.conf.5.xml:2427
++#: sssd.conf.5.xml:2212 sssd.conf.5.xml:2317 sssd.conf.5.xml:2372
++#: sssd.conf.5.xml:2435
+ msgid ""
+ "<quote>ipa</quote>: FreeIPA and Red Hat Enterprise Identity Management "
+ "provider. See <citerefentry> <refentrytitle>sssd-ipa</refentrytitle> "
+@@ -2827,8 +2835,8 @@ msgstr ""
+ "い。"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2213 sssd.conf.5.xml:2318 sssd.conf.5.xml:2373
+-#: sssd.conf.5.xml:2436
++#: sssd.conf.5.xml:2221 sssd.conf.5.xml:2326 sssd.conf.5.xml:2381
++#: sssd.conf.5.xml:2444
+ msgid ""
+ "<quote>ad</quote>: Active Directory provider. See <citerefentry> "
+ "<refentrytitle>sssd-ad</refentrytitle> <manvolnum>5</manvolnum> </"
+@@ -2839,12 +2847,12 @@ msgstr ""
+ "<manvolnum>5</manvolnum> </citerefentry> を参照してください。"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2224
++#: sssd.conf.5.xml:2232
+ msgid "use_fully_qualified_names (bool)"
+ msgstr "use_fully_qualified_names (論理値)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2227
++#: sssd.conf.5.xml:2235
+ msgid ""
+ "Use the full name and domain (as formatted by the domain's full_name_format) "
+ "as the user's login name reported to NSS."
+@@ -2853,7 +2861,7 @@ msgstr ""
+ "名形式により整形されたように) を使用します。"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2232
++#: sssd.conf.5.xml:2240
+ msgid ""
+ "If set to TRUE, all requests to this domain must use fully qualified names. "
+ "For example, if used in LOCAL domain that contains a \"test\" user, "
+@@ -2866,7 +2874,7 @@ msgstr ""
+ "んが、<command>getent passwd test@LOCAL</command> は見つけられます。"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2240
++#: sssd.conf.5.xml:2248
+ msgid ""
+ "NOTE: This option has no effect on netgroup lookups due to their tendency to "
+ "include nested netgroups without qualified names. For netgroups, all domains "
+@@ -2874,22 +2882,22 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2247
++#: sssd.conf.5.xml:2255
+ msgid "Default: FALSE (TRUE if default_domain_suffix is used)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2253
++#: sssd.conf.5.xml:2261
+ msgid "ignore_group_members (bool)"
+ msgstr "ignore_group_members (論理値)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2256
++#: sssd.conf.5.xml:2264
+ msgid "Do not return group members for group lookups."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2259
++#: sssd.conf.5.xml:2267
+ msgid ""
+ "If set to TRUE, the group membership attribute is not requested from the "
+ "ldap server, and group members are not returned when processing group lookup "
+@@ -2901,7 +2909,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2277
++#: sssd.conf.5.xml:2285
+ msgid ""
+ "Enabling this option can also make access provider checks for group "
+ "membership significantly faster, especially for groups containing many "
+@@ -2909,12 +2917,12 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2288
++#: sssd.conf.5.xml:2296
+ msgid "auth_provider (string)"
+ msgstr "auth_provider (文字列)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2291
++#: sssd.conf.5.xml:2299
+ msgid ""
+ "The authentication provider used for the domain.  Supported auth providers "
+ "are:"
+@@ -2923,7 +2931,7 @@ msgstr ""
+ "ダーは次のとおりです:"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2295 sssd.conf.5.xml:2357
++#: sssd.conf.5.xml:2303 sssd.conf.5.xml:2365
+ msgid ""
+ "<quote>ldap</quote> for native LDAP authentication. See <citerefentry> "
+ "<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
+@@ -2934,7 +2942,7 @@ msgstr ""
+ "manvolnum> </citerefentry> を参照してください。"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2302
++#: sssd.conf.5.xml:2310
+ msgid ""
+ "<quote>krb5</quote> for Kerberos authentication. See <citerefentry> "
+ "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </"
+@@ -2945,24 +2953,24 @@ msgstr ""
+ "manvolnum> </citerefentry> を参照してください。"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2326
++#: sssd.conf.5.xml:2334
+ msgid ""
+ "<quote>proxy</quote> for relaying authentication to some other PAM target."
+ msgstr ""
+ "<quote>proxy</quote> はいくつかの他の PAM ターゲットに認証を中継します。"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2329
++#: sssd.conf.5.xml:2337
+ msgid "<quote>local</quote>: SSSD internal provider for local users"
+ msgstr "<quote>local</quote>: ローカルユーザー向け SSSD 内部プロバイダー"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2333
++#: sssd.conf.5.xml:2341
+ msgid "<quote>none</quote> disables authentication explicitly."
+ msgstr "<quote>none</quote> は明示的に認証を無効化します。"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2336
++#: sssd.conf.5.xml:2344
+ msgid ""
+ "Default: <quote>id_provider</quote> is used if it is set and can handle "
+ "authentication requests."
+@@ -2971,12 +2979,12 @@ msgstr ""
+ "ならば、それが使用されます。"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2342
++#: sssd.conf.5.xml:2350
+ msgid "access_provider (string)"
+ msgstr "access_provider (文字列)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2345
++#: sssd.conf.5.xml:2353
+ msgid ""
+ "The access control provider used for the domain.  There are two built-in "
+ "access providers (in addition to any included in installed backends)  "
+@@ -2987,7 +2995,7 @@ msgstr ""
+ "えます)。内部の特別プロバイダーは次のとおりです:"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2351
++#: sssd.conf.5.xml:2359
+ msgid ""
+ "<quote>permit</quote> always allow access. It's the only permitted access "
+ "provider for a local domain."
+@@ -2996,12 +3004,12 @@ msgstr ""
+ "ロバイダーのみアクセスが許可されます。"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2354
++#: sssd.conf.5.xml:2362
+ msgid "<quote>deny</quote> always deny access."
+ msgstr "<quote>deny</quote> は常にアクセスを拒否します。"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2381
++#: sssd.conf.5.xml:2389
+ msgid ""
+ "<quote>simple</quote> access control based on access or deny lists. See "
+ "<citerefentry> <refentrytitle>sssd-simple</refentrytitle> <manvolnum>5</"
+@@ -3014,7 +3022,7 @@ msgstr ""
+ "citerefentry> を参照してください。"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2388
++#: sssd.conf.5.xml:2396
+ msgid ""
+ "<quote>krb5</quote>: .k5login based access control.  See <citerefentry> "
+ "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum></"
+@@ -3022,22 +3030,22 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2395
++#: sssd.conf.5.xml:2403
+ msgid "<quote>proxy</quote> for relaying access control to another PAM module."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2398
++#: sssd.conf.5.xml:2406
+ msgid "Default: <quote>permit</quote>"
+ msgstr "初期値: <quote>permit</quote>"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2403
++#: sssd.conf.5.xml:2411
+ msgid "chpass_provider (string)"
+ msgstr "chpass_provider (文字列)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2406
++#: sssd.conf.5.xml:2414
+ msgid ""
+ "The provider which should handle change password operations for the domain.  "
+ "Supported change password providers are:"
+@@ -3046,7 +3054,7 @@ msgstr ""
+ "パスワード変更プロバイダーは次のとおりです:"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2411
++#: sssd.conf.5.xml:2419
+ msgid ""
+ "<quote>ldap</quote> to change a password stored in a LDAP server. See "
+ "<citerefentry> <refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</"
+@@ -3054,7 +3062,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2419
++#: sssd.conf.5.xml:2427
+ msgid ""
+ "<quote>krb5</quote> to change the Kerberos password. See <citerefentry> "
+ "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </"
+@@ -3065,7 +3073,7 @@ msgstr ""
+ "<manvolnum>5</manvolnum> </citerefentry> を参照してください。"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2444
++#: sssd.conf.5.xml:2452
+ msgid ""
+ "<quote>proxy</quote> for relaying password changes to some other PAM target."
+ msgstr ""
+@@ -3073,12 +3081,12 @@ msgstr ""
+ "します。"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2448
++#: sssd.conf.5.xml:2456
+ msgid "<quote>none</quote> disallows password changes explicitly."
+ msgstr "<quote>none</quote> は明示的にパスワードの変更を無効化します。"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2451
++#: sssd.conf.5.xml:2459
+ msgid ""
+ "Default: <quote>auth_provider</quote> is used if it is set and can handle "
+ "change password requests."
+@@ -3087,19 +3095,19 @@ msgstr ""
+ "うことができるならば、それが使用されます。"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2458
++#: sssd.conf.5.xml:2466
+ msgid "sudo_provider (string)"
+ msgstr "sudo_provider (文字列)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2461
++#: sssd.conf.5.xml:2469
+ msgid "The SUDO provider used for the domain.  Supported SUDO providers are:"
+ msgstr ""
+ "ドメインに使用される SUDO プロバイダーです。サポートされる SUDO プロバイダー"
+ "は次のとおりです:"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2465
++#: sssd.conf.5.xml:2473
+ msgid ""
+ "<quote>ldap</quote> for rules stored in LDAP. See <citerefentry> "
+ "<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
+@@ -3110,33 +3118,33 @@ msgstr ""
+ "<manvolnum>5</manvolnum> </citerefentry> を参照します。"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2473
++#: sssd.conf.5.xml:2481
+ msgid ""
+ "<quote>ipa</quote> the same as <quote>ldap</quote> but with IPA default "
+ "settings."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2477
++#: sssd.conf.5.xml:2485
+ msgid ""
+ "<quote>ad</quote> the same as <quote>ldap</quote> but with AD default "
+ "settings."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2481
++#: sssd.conf.5.xml:2489
+ msgid "<quote>none</quote> disables SUDO explicitly."
+ msgstr "<quote>none</quote> は SUDO を明示的に無効化します。"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2484 sssd.conf.5.xml:2570 sssd.conf.5.xml:2640
+-#: sssd.conf.5.xml:2665
++#: sssd.conf.5.xml:2492 sssd.conf.5.xml:2578 sssd.conf.5.xml:2648
++#: sssd.conf.5.xml:2673
+ msgid "Default: The value of <quote>id_provider</quote> is used if it is set."
+ msgstr ""
+ "初期値: <quote>id_provider</quote> の値が設定されていると使用されます。"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2488
++#: sssd.conf.5.xml:2496
+ msgid ""
+ "The detailed instructions for configuration of sudo_provider are in the "
+ "manual page <citerefentry> <refentrytitle>sssd-sudo</refentrytitle> "
+@@ -3147,7 +3155,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2503
++#: sssd.conf.5.xml:2511
+ msgid ""
+ "<emphasis>NOTE:</emphasis> Sudo rules are periodically downloaded in the "
+ "background unless the sudo provider is explicitly disabled. Set "
+@@ -3156,12 +3164,12 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2513
++#: sssd.conf.5.xml:2521
+ msgid "selinux_provider (string)"
+ msgstr "selinux_provider (文字列)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2516
++#: sssd.conf.5.xml:2524
+ msgid ""
+ "The provider which should handle loading of selinux settings. Note that this "
+ "provider will be called right after access provider ends.  Supported selinux "
+@@ -3169,7 +3177,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2522
++#: sssd.conf.5.xml:2530
+ msgid ""
+ "<quote>ipa</quote> to load selinux settings from an IPA server. See "
+ "<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</"
+@@ -3177,31 +3185,31 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2530
++#: sssd.conf.5.xml:2538
+ msgid "<quote>none</quote> disallows fetching selinux settings explicitly."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2533
++#: sssd.conf.5.xml:2541
+ msgid ""
+ "Default: <quote>id_provider</quote> is used if it is set and can handle "
+ "selinux loading requests."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2539
++#: sssd.conf.5.xml:2547
+ msgid "subdomains_provider (string)"
+ msgstr "subdomains_provider (文字列)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2542
++#: sssd.conf.5.xml:2550
+ msgid ""
+ "The provider which should handle fetching of subdomains. This value should "
+ "be always the same as id_provider.  Supported subdomain providers are:"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2548
++#: sssd.conf.5.xml:2556
+ msgid ""
+ "<quote>ipa</quote> to load a list of subdomains from an IPA server. See "
+ "<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</"
+@@ -3209,7 +3217,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2557
++#: sssd.conf.5.xml:2565
+ msgid ""
+ "<quote>ad</quote> to load a list of subdomains from an Active Directory "
+ "server. See <citerefentry> <refentrytitle>sssd-ad</refentrytitle> "
+@@ -3218,17 +3226,17 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2566
++#: sssd.conf.5.xml:2574
+ msgid "<quote>none</quote> disallows fetching subdomains explicitly."
+ msgstr "<quote>none</quote> はサブドメインの取り出しを明示的に無効化します。"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2576
++#: sssd.conf.5.xml:2584
+ msgid "session_provider (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2579
++#: sssd.conf.5.xml:2587
+ msgid ""
+ "The provider which configures and manages user session related tasks. The "
+ "only user session task currently provided is the integration with Fleet "
+@@ -3236,37 +3244,37 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2586
++#: sssd.conf.5.xml:2594
+ msgid "<quote>ipa</quote> to allow performing user session related tasks."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2590
++#: sssd.conf.5.xml:2598
+ msgid ""
+ "<quote>none</quote> does not perform any kind of user session related tasks."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2594
++#: sssd.conf.5.xml:2602
+ msgid ""
+ "Default: <quote>id_provider</quote> is used if it is set and can perform "
+ "session related tasks."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2598
++#: sssd.conf.5.xml:2606
+ msgid ""
+ "<emphasis>NOTE:</emphasis> In order to have this feature working as expected "
+ "SSSD must be running as \"root\" and not as the unprivileged user."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2606
++#: sssd.conf.5.xml:2614
+ msgid "autofs_provider (string)"
+ msgstr "autofs_provider (文字列)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2609
++#: sssd.conf.5.xml:2617
+ msgid ""
+ "The autofs provider used for the domain.  Supported autofs providers are:"
+ msgstr ""
+@@ -3274,7 +3282,7 @@ msgstr ""
+ "プロバイダーは次のとおりです:"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2613
++#: sssd.conf.5.xml:2621
+ msgid ""
+ "<quote>ldap</quote> to load maps stored in LDAP. See <citerefentry> "
+ "<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
+@@ -3285,7 +3293,7 @@ msgstr ""
+ "<manvolnum>5</manvolnum> </citerefentry> を参照してください。"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2620
++#: sssd.conf.5.xml:2628
+ msgid ""
+ "<quote>ipa</quote> to load maps stored in an IPA server. See <citerefentry> "
+ "<refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</manvolnum> </"
+@@ -3296,7 +3304,7 @@ msgstr ""
+ "<manvolnum>5</manvolnum> </citerefentry> を参照してください。"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2628
++#: sssd.conf.5.xml:2636
+ msgid ""
+ "<quote>ad</quote> to load maps stored in an AD server. See <citerefentry> "
+ "<refentrytitle>sssd-ad</refentrytitle> <manvolnum>5</manvolnum> </"
+@@ -3304,17 +3312,17 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2637
++#: sssd.conf.5.xml:2645
+ msgid "<quote>none</quote> disables autofs explicitly."
+ msgstr "<quote>none</quote> は明示的に autofs を無効にします。"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2647
++#: sssd.conf.5.xml:2655
+ msgid "hostid_provider (string)"
+ msgstr "hostid_provider (文字列)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2650
++#: sssd.conf.5.xml:2658
+ msgid ""
+ "The provider used for retrieving host identity information.  Supported "
+ "hostid providers are:"
+@@ -3323,7 +3331,7 @@ msgstr ""
+ "hostid プロバイダーは次のとおりです:"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2654
++#: sssd.conf.5.xml:2662
+ msgid ""
+ "<quote>ipa</quote> to load host identity stored in an IPA server. See "
+ "<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</"
+@@ -3334,12 +3342,12 @@ msgstr ""
+ "refentrytitle> <manvolnum>5</manvolnum> </citerefentry> を参照してください。"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2662
++#: sssd.conf.5.xml:2670
+ msgid "<quote>none</quote> disables hostid explicitly."
+ msgstr "<quote>none</quote> は明示的に hostid を無効にします。"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2675
++#: sssd.conf.5.xml:2683
+ msgid ""
+ "Regular expression for this domain that describes how to parse the string "
+ "containing user name and domain into these components.  The \"domain\" can "
+@@ -3349,7 +3357,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2684
++#: sssd.conf.5.xml:2692
+ msgid ""
+ "Default for the AD and IPA provider: <quote>(((?P&lt;domain&gt;[^\\\\]+)\\"
+ "\\(?P&lt;name&gt;.+$))|((?P&lt;name&gt;[^@]+)@(?P&lt;domain&gt;.+$))|(^(?"
+@@ -3358,29 +3366,29 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd.conf.5.xml:2689
++#: sssd.conf.5.xml:2697
+ msgid "username"
+ msgstr "username"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd.conf.5.xml:2692
++#: sssd.conf.5.xml:2700
+ msgid "username@domain.name"
+ msgstr "username@domain.name"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd.conf.5.xml:2695
++#: sssd.conf.5.xml:2703
+ msgid "domain\\username"
+ msgstr "domain\\username"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2698
++#: sssd.conf.5.xml:2706
+ msgid ""
+ "While the first two correspond to the general default the third one is "
+ "introduced to allow easy integration of users from Windows domains."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2703
++#: sssd.conf.5.xml:2711
+ msgid ""
+ "Default: <quote>(?P&lt;name&gt;[^@]+)@?(?P&lt;domain&gt;[^@]*$)</quote> "
+ "which translates to \"the name is everything up to the <quote>@</quote> "
+@@ -3391,7 +3399,7 @@ msgstr ""
+ "everything after that\" に解釈されます。"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2709
++#: sssd.conf.5.xml:2717
+ msgid ""
+ "NOTE: Some Active Directory groups, typically those used for MS Exchange "
+ "contain an <quote>@</quote> sign in the name, which clashes with the default "
+@@ -3401,17 +3409,17 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2760
++#: sssd.conf.5.xml:2768
+ msgid "Default: <quote>%1$s@%2$s</quote>."
+ msgstr "初期値: <quote>%1$s@%2$s</quote>."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2766
++#: sssd.conf.5.xml:2774
+ msgid "lookup_family_order (string)"
+ msgstr "lookup_family_order (文字列)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2769
++#: sssd.conf.5.xml:2777
+ msgid ""
+ "Provides the ability to select preferred address family to use when "
+ "performing DNS lookups."
+@@ -3420,46 +3428,46 @@ msgstr ""
+ "します。"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2773
++#: sssd.conf.5.xml:2781
+ msgid "Supported values:"
+ msgstr "サポートする値:"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2776
++#: sssd.conf.5.xml:2784
+ msgid "ipv4_first: Try looking up IPv4 address, if that fails, try IPv6"
+ msgstr ""
+ "ipv4_first: IPv4 アドレスの検索を試行します。失敗すると IPv6 を試行します。"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2779
++#: sssd.conf.5.xml:2787
+ msgid "ipv4_only: Only attempt to resolve hostnames to IPv4 addresses."
+ msgstr ""
+ "ipv4_only: ホスト名を IPv4 アドレスに名前解決することのみを試行します。"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2782
++#: sssd.conf.5.xml:2790
+ msgid "ipv6_first: Try looking up IPv6 address, if that fails, try IPv4"
+ msgstr ""
+ "ipv6_first: IPv6 アドレスの検索を試行します。失敗すると IPv4 を試行します。"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2785
++#: sssd.conf.5.xml:2793
+ msgid "ipv6_only: Only attempt to resolve hostnames to IPv6 addresses."
+ msgstr ""
+ "ipv6_only: ホスト名を IPv6 アドレスに名前解決することのみを試行します。"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2788
++#: sssd.conf.5.xml:2796
+ msgid "Default: ipv4_first"
+ msgstr "初期値: ipv4_first"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2794
++#: sssd.conf.5.xml:2802
+ msgid "dns_resolver_timeout (integer)"
+ msgstr "dns_resolver_timeout (整数)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2797
++#: sssd.conf.5.xml:2805
+ msgid ""
+ "Defines the amount of time (in seconds) to wait for a reply from the "
+ "internal fail over service before assuming that the service is unreachable. "
+@@ -3468,25 +3476,25 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2804
++#: sssd.conf.5.xml:2812
+ msgid ""
+ "Please see the section <quote>FAILOVER</quote> for more information about "
+ "the service resolution."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2809 sssd-ldap.5.xml:1434 sssd-ldap.5.xml:1476
++#: sssd.conf.5.xml:2817 sssd-ldap.5.xml:1434 sssd-ldap.5.xml:1476
+ #: sssd-ldap.5.xml:1494 sssd-krb5.5.xml:248
+ msgid "Default: 6"
+ msgstr "初期値: 6"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2815
++#: sssd.conf.5.xml:2823
+ msgid "dns_discovery_domain (string)"
+ msgstr "dns_discovery_domain (文字列)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2818
++#: sssd.conf.5.xml:2826
+ msgid ""
+ "If service discovery is used in the back end, specifies the domain part of "
+ "the service discovery DNS query."
+@@ -3495,52 +3503,52 @@ msgstr ""
+ "イン部分を指定します。"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2822
++#: sssd.conf.5.xml:2830
+ msgid "Default: Use the domain part of machine's hostname"
+ msgstr "初期値: マシンのホスト名のドメイン部分を使用します"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2828
++#: sssd.conf.5.xml:2836
+ msgid "override_gid (integer)"
+ msgstr "override_gid (整数)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2831
++#: sssd.conf.5.xml:2839
+ msgid "Override the primary GID value with the one specified."
+ msgstr "プライマリー GID の値を指定されたもので上書きします。"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2837
++#: sssd.conf.5.xml:2845
+ msgid "case_sensitive (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2845
++#: sssd.conf.5.xml:2853
+ msgid "True"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2848
++#: sssd.conf.5.xml:2856
+ msgid "Case sensitive. This value is invalid for AD provider."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2854
++#: sssd.conf.5.xml:2862
+ msgid "False"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2856
++#: sssd.conf.5.xml:2864
+ msgid "Case insensitive."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2860
++#: sssd.conf.5.xml:2868
+ msgid "Preserving"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2863
++#: sssd.conf.5.xml:2871
+ msgid ""
+ "Same as False (case insensitive), but does not lowercase names in the result "
+ "of NSS operations. Note that name aliases (and in case of services also "
+@@ -3548,7 +3556,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2840
++#: sssd.conf.5.xml:2848
+ msgid ""
+ "Treat user and group names as case sensitive. At the moment, this option is "
+ "not supported in the local provider. Possible option values are: "
+@@ -3556,17 +3564,17 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2875
++#: sssd.conf.5.xml:2883
+ msgid "Default: True (False for AD provider)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2881
++#: sssd.conf.5.xml:2889
+ msgid "subdomain_inherit (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2884
++#: sssd.conf.5.xml:2892
+ msgid ""
+ "Specifies a list of configuration parameters that should be inherited by a "
+ "subdomain. Please note that only selected parameters can be inherited.  "
+@@ -3574,34 +3582,34 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2890
++#: sssd.conf.5.xml:2898
+ msgid "ignore_group_members"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2893
++#: sssd.conf.5.xml:2901
+ msgid "ldap_purge_cache_timeout"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2896 sssd-ldap.5.xml:1158
++#: sssd.conf.5.xml:2904 sssd-ldap.5.xml:1158
+ msgid "ldap_use_tokengroups"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2899
++#: sssd.conf.5.xml:2907
+ msgid "ldap_user_principal"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2902
++#: sssd.conf.5.xml:2910
+ msgid ""
+ "ldap_krb5_keytab (the value of krb5_keytab will be used if ldap_krb5_keytab "
+ "is not set explicitly)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
+-#: sssd.conf.5.xml:2908
++#: sssd.conf.5.xml:2916
+ #, no-wrap
+ msgid ""
+ "subdomain_inherit = ldap_purge_cache_timeout\n"
+@@ -3609,32 +3617,32 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2906 sssd-secrets.5.xml:448
++#: sssd.conf.5.xml:2914 sssd-secrets.5.xml:448
+ msgid "Example: <placeholder type=\"programlisting\" id=\"0\"/>"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2915
++#: sssd.conf.5.xml:2923
+ msgid "Note: This option only works with the IPA and AD provider."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2922
++#: sssd.conf.5.xml:2930
+ msgid "subdomain_homedir (string)"
+ msgstr "subdomain_homedir (文字列)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2933
++#: sssd.conf.5.xml:2941
+ msgid "%F"
+ msgstr "%F"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2934
++#: sssd.conf.5.xml:2942
+ msgid "flat (NetBIOS) name of a subdomain."
+ msgstr "サブドメインのフラット (NetBIOS) 名。"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2925
++#: sssd.conf.5.xml:2933
+ msgid ""
+ "Use this homedir as default value for all subdomains within this domain in "
+ "IPA AD trust.  See <emphasis>override_homedir</emphasis> for info about "
+@@ -3644,48 +3652,56 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2939
++#: sssd.conf.5.xml:2947
+ msgid ""
+ "The value can be overridden by <emphasis>override_homedir</emphasis> option."
+ msgstr ""
+ "値は <emphasis>override_homedir</emphasis> オプションにより上書きできます。"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2943
++#: sssd.conf.5.xml:2951
+ msgid "Default: <filename>/home/%d/%u</filename>"
+ msgstr "初期値: <filename>/home/%d/%u</filename>"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2948
++#: sssd.conf.5.xml:2956
+ msgid "realmd_tags (string)"
+ msgstr "realmd_tags (文字列)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2951
++#: sssd.conf.5.xml:2959
+ msgid ""
+ "Various tags stored by the realmd configuration service for this domain."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2957
++#: sssd.conf.5.xml:2965
+ msgid "cached_auth_timeout (int)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2960
++#: sssd.conf.5.xml:2968
+ msgid ""
+ "Specifies time in seconds since last successful online authentication for "
+ "which user will be authenticated using cached credentials while SSSD is in "
+-"the online mode."
++"the online mode. If the credentials are incorrect, SSSD falls back to online "
++"authentication."
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
++#: sssd.conf.5.xml:2976
++msgid ""
++"This option's value is inherited by all trusted domains. At the moment it is "
++"not possible to set a different value per trusted domain."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2966
++#: sssd.conf.5.xml:2981
+ msgid "Special value 0 implies that this feature is disabled."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2970
++#: sssd.conf.5.xml:2985
+ msgid ""
+ "Please note that if <quote>cached_auth_timeout</quote> is longer than "
+ "<quote>pam_id_timeout</quote> then the back end could be called to handle "
+@@ -3693,41 +3709,50 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2981
++#: sssd.conf.5.xml:2996
+ msgid "auto_private_groups (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2987
++#: sssd.conf.5.xml:3002
+ msgid "true"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2990
++#: sssd.conf.5.xml:3005
+ msgid ""
+ "Create user's private group unconditionally from user's UID number.  The GID "
+ "number is ignored in this case."
+ msgstr ""
+ 
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
++#: sssd.conf.5.xml:3009
++msgid ""
++"NOTE: Because the GID number and the user private group are inferred from "
++"the UID number, it is not supported to have multiple entries with the same "
++"UID or GID number with this option. In other words, enabling this option "
++"enforces uniqueness across the ID space."
++msgstr ""
++
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2996
++#: sssd.conf.5.xml:3018
+ msgid "false"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2999
++#: sssd.conf.5.xml:3021
+ msgid ""
+ "Always use the user's primary GID number. The GID number must refer to a "
+ "group object in the LDAP database."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:3005
++#: sssd.conf.5.xml:3027
+ msgid "hybrid"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3008
++#: sssd.conf.5.xml:3030
+ msgid ""
+ "A primary group is autogenerated for user entries whose UID and GID numbers "
+ "have the same value and at the same time the GID number does not correspond "
+@@ -3737,14 +3762,14 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3021
++#: sssd.conf.5.xml:3043
+ msgid ""
+ "If the UID and GID of a user are different, then the GID must correspond to "
+ "a group entry, otherwise the GID is simply not resolvable."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3028
++#: sssd.conf.5.xml:3050
+ msgid ""
+ "This feature is useful for environments that wish to stop maintaining a "
+ "separate group objects for the user private groups, but also wish to retain "
+@@ -3752,7 +3777,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2984
++#: sssd.conf.5.xml:2999
+ #, fuzzy
+ #| msgid ""
+ #| "Options valid for proxy domains.  <placeholder type=\"variablelist\" id="
+@@ -3765,27 +3790,36 @@ msgstr ""
+ "\"variablelist\" id=\"0\"/>"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3040
++#: sssd.conf.5.xml:3062
+ msgid ""
+-"For POSIX subdomains, setting the option in the main domain is inherited in "
+-"the subdomain."
++"For subdomains, the default value is False for subdomains that use assigned "
++"POSIX IDs and True for subdomains that use automatic ID-mapping."
+ msgstr ""
+ 
+-#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3044
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
++#: sssd.conf.5.xml:3070
++#, no-wrap
++msgid ""
++"[domain/forest.domain/sub.domain]\n"
++"auto_private_groups = false\n"
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
++#: sssd.conf.5.xml:3076
++#, no-wrap
+ msgid ""
+-"For ID-mapping subdomains, auto_private_groups is already enabled for the "
+-"subdomains and setting it to false will not have any effect for the "
+-"subdomain."
++"[domain/forest.domain]\n"
++"subdomain_inherit = auto_private_groups\n"
++"auto_private_groups = false\n"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3049
++#: sssd.conf.5.xml:3067
+ msgid ""
+-"NOTE: Because the GID number and the user private group are inferred from "
+-"the UID number, it is not supported to have multiple entries with the same "
+-"UID or GID number with this option. In other words, enabling this option "
+-"enforces uniqueness across the ID space."
++"The value of auto_private_groups can either be set per subdomains in a "
++"subsection, for example: <placeholder type=\"programlisting\" id=\"0\"/> or "
++"globally for all subdomains in the main domain section using the "
++"subdomain_inherit option: <placeholder type=\"programlisting\" id=\"1\"/>"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+@@ -3800,17 +3834,17 @@ msgstr ""
+ "\"variablelist\" id=\"0\"/>"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:3068
++#: sssd.conf.5.xml:3091
+ msgid "proxy_pam_target (string)"
+ msgstr "proxy_pam_target (文字列)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3071
++#: sssd.conf.5.xml:3094
+ msgid "The proxy target PAM proxies to."
+ msgstr "中継するプロキシターゲット PAM です。"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3074
++#: sssd.conf.5.xml:3097
+ msgid ""
+ "Default: not set by default, you have to take an existing pam configuration "
+ "or create a new one and add the service name here."
+@@ -3819,12 +3853,12 @@ msgstr ""
+ "をここに追加する必要があります。"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:3082
++#: sssd.conf.5.xml:3105
+ msgid "proxy_lib_name (string)"
+ msgstr "proxy_lib_name (文字列)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3085
++#: sssd.conf.5.xml:3108
+ msgid ""
+ "The name of the NSS library to use in proxy domains. The NSS functions "
+ "searched for in the library are in the form of _nss_$(libName)_$(function), "
+@@ -3835,12 +3869,12 @@ msgstr ""
+ "_nss_files_getpwent です。"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:3095
++#: sssd.conf.5.xml:3118
+ msgid "proxy_fast_alias (boolean)"
+ msgstr "proxy_fast_alias (論理値)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3098
++#: sssd.conf.5.xml:3121
+ msgid ""
+ "When a user or group is looked up by name in the proxy provider, a second "
+ "lookup by ID is performed to \"canonicalize\" the name in case the requested "
+@@ -3849,12 +3883,12 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:3112
++#: sssd.conf.5.xml:3135
+ msgid "proxy_max_children (integer)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3115
++#: sssd.conf.5.xml:3138
+ msgid ""
+ "This option specifies the number of pre-forked proxy children. It is useful "
+ "for high-load SSSD environments where sssd may run out of available child "
+@@ -3862,7 +3896,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd.conf.5.xml:3064
++#: sssd.conf.5.xml:3087
+ msgid ""
+ "Options valid for proxy domains.  <placeholder type=\"variablelist\" id="
+ "\"0\"/>"
+@@ -3871,12 +3905,12 @@ msgstr ""
+ "\"variablelist\" id=\"0\"/>"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><title>
+-#: sssd.conf.5.xml:3131
++#: sssd.conf.5.xml:3154
+ msgid "Application domains"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para>
+-#: sssd.conf.5.xml:3133
++#: sssd.conf.5.xml:3156
+ msgid ""
+ "SSSD, with its D-Bus interface (see <citerefentry> <refentrytitle>sssd-ifp</"
+ "refentrytitle> <manvolnum>5</manvolnum> </citerefentry>) is appealing to "
+@@ -3893,7 +3927,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para>
+-#: sssd.conf.5.xml:3153
++#: sssd.conf.5.xml:3176
+ msgid ""
+ "Please note that the application domain must still be explicitly enabled in "
+ "the <quote>domains</quote> parameter so that the lookup order between the "
+@@ -3901,17 +3935,17 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><title>
+-#: sssd.conf.5.xml:3159
++#: sssd.conf.5.xml:3182
+ msgid "Application domain parameters"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:3161
++#: sssd.conf.5.xml:3184
+ msgid "inherit_from (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3164
++#: sssd.conf.5.xml:3187
+ msgid ""
+ "The SSSD POSIX-type domain the application domain inherits all settings "
+ "from. The application domain can moreover add its own settings to the "
+@@ -3920,7 +3954,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para>
+-#: sssd.conf.5.xml:3178
++#: sssd.conf.5.xml:3201
+ msgid ""
+ "The following example illustrates the use of an application domain. In this "
+ "setup, the POSIX domain is connected to an LDAP server and is used by the OS "
+@@ -3930,7 +3964,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><programlisting>
+-#: sssd.conf.5.xml:3186
++#: sssd.conf.5.xml:3209
+ #, no-wrap
+ msgid ""
+ "[sssd]\n"
+@@ -3950,12 +3984,12 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><title>
+-#: sssd.conf.5.xml:3204
++#: sssd.conf.5.xml:3227
+ msgid "The local domain section"
+ msgstr "ローカルドメインのセクション"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para>
+-#: sssd.conf.5.xml:3206
++#: sssd.conf.5.xml:3229
+ msgid ""
+ "This section contains settings for domain that stores users and groups in "
+ "SSSD native database, that is, a domain that uses "
+@@ -3966,27 +4000,27 @@ msgstr ""
+ "メインに対する設定を含みます。"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:3213
++#: sssd.conf.5.xml:3236
+ msgid "default_shell (string)"
+ msgstr "default_shell (文字列)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3216
++#: sssd.conf.5.xml:3239
+ msgid "The default shell for users created with SSSD userspace tools."
+ msgstr "SSSD ユーザー空間ツールを用いて作成されたユーザーの初期シェルです。"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3220
++#: sssd.conf.5.xml:3243
+ msgid "Default: <filename>/bin/bash</filename>"
+ msgstr "初期値: <filename>/bin/bash</filename>"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:3225
++#: sssd.conf.5.xml:3248
+ msgid "base_directory (string)"
+ msgstr "base_directory (文字列)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3228
++#: sssd.conf.5.xml:3251
+ msgid ""
+ "The tools append the login name to <replaceable>base_directory</replaceable> "
+ "and use that as the home directory."
+@@ -3995,17 +4029,17 @@ msgstr ""
+ "ホームディレクトリーとして使用します。"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3233
++#: sssd.conf.5.xml:3256
+ msgid "Default: <filename>/home</filename>"
+ msgstr "初期値: <filename>/home</filename>"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:3238
++#: sssd.conf.5.xml:3261
+ msgid "create_homedir (bool)"
+ msgstr "create_homedir (論理値)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3241
++#: sssd.conf.5.xml:3264
+ msgid ""
+ "Indicate if a home directory should be created by default for new users.  "
+ "Can be overridden on command line."
+@@ -4014,17 +4048,17 @@ msgstr ""
+ "す。コマンドラインにおいて上書きできます。"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3245 sssd.conf.5.xml:3257
++#: sssd.conf.5.xml:3268 sssd.conf.5.xml:3280
+ msgid "Default: TRUE"
+ msgstr "初期値: TRUE"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:3250
++#: sssd.conf.5.xml:3273
+ msgid "remove_homedir (bool)"
+ msgstr "remove_homedir (論理値)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3253
++#: sssd.conf.5.xml:3276
+ msgid ""
+ "Indicate if a home directory should be removed by default for deleted "
+ "users.  Can be overridden on command line."
+@@ -4033,12 +4067,12 @@ msgstr ""
+ "す。コマンドラインにおいて上書きできます。"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:3262
++#: sssd.conf.5.xml:3285
+ msgid "homedir_umask (integer)"
+ msgstr "homedir_umask (整数)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3265
++#: sssd.conf.5.xml:3288
+ msgid ""
+ "Used by <citerefentry> <refentrytitle>sss_useradd</refentrytitle> "
+ "<manvolnum>8</manvolnum> </citerefentry> to specify the default permissions "
+@@ -4049,17 +4083,17 @@ msgstr ""
+ "manvolnum> </citerefentry> により使用されます。"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3273
++#: sssd.conf.5.xml:3296
+ msgid "Default: 077"
+ msgstr "初期値: 077"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:3278
++#: sssd.conf.5.xml:3301
+ msgid "skel_dir (string)"
+ msgstr "skel_dir (文字列)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3281
++#: sssd.conf.5.xml:3304
+ msgid ""
+ "The skeleton directory, which contains files and directories to be copied in "
+ "the user's home directory, when the home directory is created by "
+@@ -4072,17 +4106,17 @@ msgstr ""
+ "を含む、スケルトンディレクトリーです。"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3291
++#: sssd.conf.5.xml:3314
+ msgid "Default: <filename>/etc/skel</filename>"
+ msgstr "初期値: <filename>/etc/skel</filename>"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:3296
++#: sssd.conf.5.xml:3319
+ msgid "mail_dir (string)"
+ msgstr "mail_dir (文字列)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3299
++#: sssd.conf.5.xml:3322
+ msgid ""
+ "The mail spool directory. This is needed to manipulate the mailbox when its "
+ "corresponding user account is modified or deleted.  If not specified, a "
+@@ -4093,17 +4127,17 @@ msgstr ""
+ "が使用されます。"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3306
++#: sssd.conf.5.xml:3329
+ msgid "Default: <filename>/var/mail</filename>"
+ msgstr "初期値: <filename>/var/mail</filename>"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:3311
++#: sssd.conf.5.xml:3334
+ msgid "userdel_cmd (string)"
+ msgstr "userdel_cmd (文字列)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3314
++#: sssd.conf.5.xml:3337
+ msgid ""
+ "The command that is run after a user is removed.  The command us passed the "
+ "username of the user being removed as the first and only parameter. The "
+@@ -4114,17 +4148,17 @@ msgstr ""
+ "せん。"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3320
++#: sssd.conf.5.xml:3343
+ msgid "Default: None, no command is run"
+ msgstr "初期値: なし、コマンドを実行しません"
+ 
+ #. type: Content of: <reference><refentry><refsect1><title>
+-#: sssd.conf.5.xml:3330
++#: sssd.conf.5.xml:3353
+ msgid "TRUSTED DOMAIN SECTION"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd.conf.5.xml:3332
++#: sssd.conf.5.xml:3355
+ msgid ""
+ "Some options used in the domain section can also be used in the trusted "
+ "domain section, that is, in a section called <quote>[domain/"
+@@ -4135,64 +4169,194 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd.conf.5.xml:3339
++#: sssd.conf.5.xml:3362
+ msgid "ldap_search_base,"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd.conf.5.xml:3340
++#: sssd.conf.5.xml:3363
+ msgid "ldap_user_search_base,"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd.conf.5.xml:3341
++#: sssd.conf.5.xml:3364
+ msgid "ldap_group_search_base,"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd.conf.5.xml:3342
++#: sssd.conf.5.xml:3365
+ msgid "ldap_netgroup_search_base,"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd.conf.5.xml:3343
++#: sssd.conf.5.xml:3366
+ msgid "ldap_service_search_base,"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd.conf.5.xml:3344
++#: sssd.conf.5.xml:3367
++#, fuzzy
++#| msgid "ldap_sasl_mech (string)"
++msgid "ldap_sasl_mech,"
++msgstr "ldap_sasl_mech (文字列)"
++
++#. type: Content of: <reference><refentry><refsect1><para>
++#: sssd.conf.5.xml:3368
+ msgid "ad_server,"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd.conf.5.xml:3345
++#: sssd.conf.5.xml:3369
+ msgid "ad_backup_server,"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd.conf.5.xml:3346
++#: sssd.conf.5.xml:3370
+ msgid "ad_site,"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para>
+-#: sssd.conf.5.xml:3347 sssd-ipa.5.xml:782
++#: sssd.conf.5.xml:3371 sssd-ipa.5.xml:782
+ msgid "use_fully_qualified_names"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd.conf.5.xml:3349
++#: sssd.conf.5.xml:3373
+ msgid ""
+ "For more details about these options see their individual description in the "
+ "manual page."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><title>
+-#: sssd.conf.5.xml:3355 idmap_sss.8.xml:43
++#: sssd.conf.5.xml:3379
++#, fuzzy
++#| msgid "CONFIGURATION OPTIONS"
++msgid "PROMPTING CONFIGURATION SECTION"
++msgstr "設定オプション"
++
++#. type: Content of: <reference><refentry><refsect1><para>
++#: sssd.conf.5.xml:3381
++msgid ""
++"If a special file (<filename>/var/lib/sss/pubconf/pam_preauth_available</"
++"filename>)  exists SSSD's PAM module pam_sss will ask SSSD to figure out "
++"which authentication methods are available for the user trying to log in.  "
++"Based on the results pam_sss will prompt the user for appropriate "
++"credentials."
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para>
++#: sssd.conf.5.xml:3389
++msgid ""
++"With the growing number of authentication methods and the possibility that "
++"there are multiple ones for a single user the heuristic used by pam_sss to "
++"select the prompting might not be suitable for all use cases. To following "
++"options should provide a better flexibility here."
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
++#: sssd.conf.5.xml:3401
++msgid "[prompting/password]"
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
++#: sssd.conf.5.xml:3404
++#, fuzzy
++#| msgid "password"
++msgid "password_prompt"
++msgstr "password"
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
++#: sssd.conf.5.xml:3405
++msgid "to change the string of the password prompt"
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
++#: sssd.conf.5.xml:3403
++#, fuzzy
++#| msgid ""
++#| "Options valid for proxy domains.  <placeholder type=\"variablelist\" id="
++#| "\"0\"/>"
++msgid ""
++"to configure password prompting, allowed options are: <placeholder type="
++"\"variablelist\" id=\"0\"/>"
++msgstr ""
++"プロキシドメインに対して有効なオプションです。 <placeholder type="
++"\"variablelist\" id=\"0\"/>"
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
++#: sssd.conf.5.xml:3413
++msgid "[prompting/2fa]"
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
++#: sssd.conf.5.xml:3417
++msgid "first_prompt"
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
++#: sssd.conf.5.xml:3418
++msgid "to change the string of the prompt for the first factor"
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
++#: sssd.conf.5.xml:3421
++msgid "second_prompt"
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
++#: sssd.conf.5.xml:3422
++msgid "to change the string of the prompt for the second factor"
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
++#: sssd.conf.5.xml:3425
++msgid "single_prompt"
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
++#: sssd.conf.5.xml:3426
++msgid ""
++"boolean value, if True there will be only a single prompt using the value of "
++"first_prompt where it is expected that both factor are entered as a single "
++"string"
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
++#: sssd.conf.5.xml:3415
++#, fuzzy
++#| msgid ""
++#| "Options valid for proxy domains.  <placeholder type=\"variablelist\" id="
++#| "\"0\"/>"
++msgid ""
++"to configure two-factor authentication prompting, allowed options are: "
++"<placeholder type=\"variablelist\" id=\"0\"/>"
++msgstr ""
++"プロキシドメインに対して有効なオプションです。 <placeholder type="
++"\"variablelist\" id=\"0\"/>"
++
++#. type: Content of: <reference><refentry><refsect1><para>
++#: sssd.conf.5.xml:3396
++msgid ""
++"Each supported authentication method has it's own configuration sub-section "
++"under <quote>[prompting/...]</quote>. Currently there are: <placeholder type="
++"\"variablelist\" id=\"0\"/> <placeholder type=\"variablelist\" id=\"1\"/>"
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para>
++#: sssd.conf.5.xml:3438
++msgid ""
++"It is possible to add a sub-section for specific PAM services like e.g. "
++"<quote>[prompting/password/sshd]</quote> to individual change the prompting "
++"for this service."
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><title>
++#: sssd.conf.5.xml:3445 idmap_sss.8.xml:43
+ msgid "EXAMPLES"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><programlisting>
+-#: sssd.conf.5.xml:3361
++#: sssd.conf.5.xml:3451
+ #, no-wrap
+ msgid ""
+ "[sssd]\n"
+@@ -4246,7 +4410,7 @@ msgstr ""
+ "enumerate = False\n"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd.conf.5.xml:3357
++#: sssd.conf.5.xml:3447
+ msgid ""
+ "1. The following example shows a typical SSSD config. It does not describe "
+ "configuration of the domains themselves - refer to documentation on "
+@@ -4255,7 +4419,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><programlisting>
+-#: sssd.conf.5.xml:3394
++#: sssd.conf.5.xml:3484
+ #, no-wrap
+ msgid ""
+ "[domain/ipa.com/child.ad.com]\n"
+@@ -4263,7 +4427,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd.conf.5.xml:3388
++#: sssd.conf.5.xml:3478
+ msgid ""
+ "2. The following example shows configuration of IPA AD trust where the AD "
+ "forest consists of two domains in a parent-child structure.  Suppose IPA "
+@@ -5242,7 +5406,7 @@ msgstr "ユーザーの完全名に対応する LDAP 属性です。"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:797 sssd-ldap.5.xml:1199 sssd-ldap.5.xml:1273
+-#: sssd-ldap.5.xml:1382 sssd-ldap.5.xml:2443 sssd-ipa.5.xml:607
++#: sssd-ldap.5.xml:1382 sssd-ldap.5.xml:2463 sssd-ipa.5.xml:607
+ msgid "Default: cn"
+ msgstr "初期値: cn"
+ 
+@@ -5978,7 +6142,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1511 sssd-ldap.5.xml:2600
++#: sssd-ldap.5.xml:1511 sssd-ldap.5.xml:2620
+ msgid "Default: 900 (15 minutes)"
+ msgstr "初期値: 900 (15 分)"
+ 
+@@ -6092,11 +6256,16 @@ msgstr ""
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:1604
+ msgid ""
+-"You can turn off dereference lookups completely by setting the value to 0."
++"You can turn off dereference lookups completely by setting the value to 0. "
++"Please note that there are some codepaths in SSSD, like the IPA HBAC "
++"provider, that are only implemented using the dereference call, so even with "
++"dereference explicitly disabled, those parts will still use dereference if "
++"the server supports it and advertises the dereference control in the rootDSE "
++"object."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1608
++#: sssd-ldap.5.xml:1615
+ msgid ""
+ "A dereference lookup is a means of fetching all group members in a single "
+ "LDAP call.  Different LDAP servers may implement different dereference "
+@@ -6105,7 +6274,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1616
++#: sssd-ldap.5.xml:1623
+ msgid ""
+ "<emphasis>Note:</emphasis> If any of the search bases specifies a search "
+ "filter, then the dereference lookup performance enhancement will be disabled "
+@@ -6113,12 +6282,12 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1629
++#: sssd-ldap.5.xml:1636
+ msgid "ldap_tls_reqcert (string)"
+ msgstr "ldap_tls_reqcert (文字列)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1632
++#: sssd-ldap.5.xml:1639
+ msgid ""
+ "Specifies what checks to perform on server certificates in a TLS session, if "
+ "any. It can be specified as one of the following values:"
+@@ -6127,7 +6296,7 @@ msgstr ""
+ "クするものを指定します。以下の値のうち 1 つを指定できます:"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1638
++#: sssd-ldap.5.xml:1645
+ msgid ""
+ "<emphasis>never</emphasis> = The client will not request or check any server "
+ "certificate."
+@@ -6136,7 +6305,7 @@ msgstr ""
+ "確認しません。"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1642
++#: sssd-ldap.5.xml:1649
+ msgid ""
+ "<emphasis>allow</emphasis> = The server certificate is requested. If no "
+ "certificate is provided, the session proceeds normally. If a bad certificate "
+@@ -6147,7 +6316,7 @@ msgstr ""
+ "無視され、セッションが通常通り進められます。"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1649
++#: sssd-ldap.5.xml:1656
+ msgid ""
+ "<emphasis>try</emphasis> = The server certificate is requested. If no "
+ "certificate is provided, the session proceeds normally. If a bad certificate "
+@@ -6158,7 +6327,7 @@ msgstr ""
+ "ンが直ちに終了します。"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1655
++#: sssd-ldap.5.xml:1662
+ msgid ""
+ "<emphasis>demand</emphasis> = The server certificate is requested. If no "
+ "certificate is provided, or a bad certificate is provided, the session is "
+@@ -6168,22 +6337,22 @@ msgstr ""
+ "なければ、もしくは不正な証明書が提供されれば、セッションが直ちに終了します。"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1661
++#: sssd-ldap.5.xml:1668
+ msgid "<emphasis>hard</emphasis> = Same as <quote>demand</quote>"
+ msgstr "<emphasis>hard</emphasis> = <quote>demand</quote> と同じです"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1665
++#: sssd-ldap.5.xml:1672
+ msgid "Default: hard"
+ msgstr "初期値: hard"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1671
++#: sssd-ldap.5.xml:1678
+ msgid "ldap_tls_cacert (string)"
+ msgstr "ldap_tls_cacert (文字列)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1674
++#: sssd-ldap.5.xml:1681
+ msgid ""
+ "Specifies the file that contains certificates for all of the Certificate "
+ "Authorities that <command>sssd</command> will recognize."
+@@ -6193,7 +6362,7 @@ msgstr ""
+ "書を含むファイルを指定します。"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1679 sssd-ldap.5.xml:1697 sssd-ldap.5.xml:1738
++#: sssd-ldap.5.xml:1686 sssd-ldap.5.xml:1704 sssd-ldap.5.xml:1745
+ msgid ""
+ "Default: use OpenLDAP defaults, typically in <filename>/etc/openldap/ldap."
+ "conf</filename>"
+@@ -6202,12 +6371,12 @@ msgstr ""
+ "filename> にあります"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1686
++#: sssd-ldap.5.xml:1693
+ msgid "ldap_tls_cacertdir (string)"
+ msgstr "ldap_tls_cacertdir (文字列)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1689
++#: sssd-ldap.5.xml:1696
+ msgid ""
+ "Specifies the path of a directory that contains Certificate Authority "
+ "certificates in separate individual files. Typically the file names need to "
+@@ -6220,32 +6389,32 @@ msgstr ""
+ "ます。"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1704
++#: sssd-ldap.5.xml:1711
+ msgid "ldap_tls_cert (string)"
+ msgstr "ldap_tls_cert (文字列)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1707
++#: sssd-ldap.5.xml:1714
+ msgid "Specifies the file that contains the certificate for the client's key."
+ msgstr "クライアントのキーに対する証明書を含むファイルを指定します。"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1717
++#: sssd-ldap.5.xml:1724
+ msgid "ldap_tls_key (string)"
+ msgstr "ldap_tls_key (文字列)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1720
++#: sssd-ldap.5.xml:1727
+ msgid "Specifies the file that contains the client's key."
+ msgstr "クライアントのキーを含むファイルを指定します。"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1729
++#: sssd-ldap.5.xml:1736
+ msgid "ldap_tls_cipher_suite (string)"
+ msgstr "ldap_tls_cipher_suite (文字列)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1732
++#: sssd-ldap.5.xml:1739
+ msgid ""
+ "Specifies acceptable cipher suites.  Typically this is a colon separated "
+ "list.  See <citerefentry><refentrytitle>ldap.conf</refentrytitle> "
+@@ -6253,12 +6422,12 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1745
++#: sssd-ldap.5.xml:1752
+ msgid "ldap_id_use_start_tls (boolean)"
+ msgstr "ldap_id_use_start_tls (論理値)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1748
++#: sssd-ldap.5.xml:1755
+ msgid ""
+ "Specifies that the id_provider connection must also use <systemitem class="
+ "\"protocol\">tls</systemitem> to protect the channel."
+@@ -6267,12 +6436,12 @@ msgstr ""
+ "用する必要がある id_provider 接続を指定します。"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1758
++#: sssd-ldap.5.xml:1765
+ msgid "ldap_id_mapping (boolean)"
+ msgstr "ldap_id_mapping (論理値)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1761
++#: sssd-ldap.5.xml:1768
+ msgid ""
+ "Specifies that SSSD should attempt to map user and group IDs from the "
+ "ldap_user_objectsid and ldap_group_objectsid attributes instead of relying "
+@@ -6280,18 +6449,18 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1767
++#: sssd-ldap.5.xml:1774
+ msgid "Currently this feature supports only ActiveDirectory objectSID mapping."
+ msgstr ""
+ "この機能は現在 ActiveDirectory objectSID マッピングのみサポートします。"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1777
++#: sssd-ldap.5.xml:1784
+ msgid "ldap_min_id, ldap_max_id (integer)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1780
++#: sssd-ldap.5.xml:1787
+ msgid ""
+ "In contrast to the SID based ID mapping which is used if ldap_id_mapping is "
+ "set to true the allowed ID range for ldap_user_uid_number and "
+@@ -6302,31 +6471,46 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1792
++#: sssd-ldap.5.xml:1799
+ msgid "Default: not set (both options are set to 0)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1798
++#: sssd-ldap.5.xml:1805
+ msgid "ldap_sasl_mech (string)"
+ msgstr "ldap_sasl_mech (文字列)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1801
++#: sssd-ldap.5.xml:1808
++#, fuzzy
++#| msgid ""
++#| "Specify the SASL mechanism to use.  Currently only GSSAPI is tested and "
++#| "supported."
+ msgid ""
+-"Specify the SASL mechanism to use.  Currently only GSSAPI is tested and "
+-"supported."
++"Specify the SASL mechanism to use.  Currently only GSSAPI and GSS-SPNEGO are "
++"tested and supported."
+ msgstr ""
+ "使用する SASL メカニズムを指定します。現在 GSSAPI のみがテストされサポートさ"
+ "れます。"
+ 
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
++#: sssd-ldap.5.xml:1812
++msgid ""
++"If the backend supports sub-domains the value of ldap_sasl_mech is "
++"automatically inherited to the sub-domains. If a different value is needed "
++"for a sub-domain it can be overwritten by setting ldap_sasl_mech for this "
++"sub-domain explicitly.  Please see TRUSTED DOMAIN SECTION in "
++"<citerefentry><refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</"
++"manvolnum></citerefentry> for details."
++msgstr ""
++
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1811
++#: sssd-ldap.5.xml:1828
+ msgid "ldap_sasl_authid (string)"
+ msgstr "ldap_sasl_authid (文字列)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
+-#: sssd-ldap.5.xml:1822
++#: sssd-ldap.5.xml:1840
+ #, no-wrap
+ msgid ""
+ "hostname@REALM\n"
+@@ -6339,29 +6523,29 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1814
++#: sssd-ldap.5.xml:1831
+ msgid ""
+-"Specify the SASL authorization id to use.  When GSSAPI is used, this "
+-"represents the Kerberos principal used for authentication to the directory.  "
+-"This option can either contain the full principal (for example host/"
+-"myhost@EXAMPLE.COM) or just the principal name (for example host/myhost). By "
+-"default, the value is not set and the following principals are used: "
+-"<placeholder type=\"programlisting\" id=\"0\"/> If none of them are found, "
+-"the first principal in keytab is returned."
++"Specify the SASL authorization id to use.  When GSSAPI/GSS-SPNEGO are used, "
++"this represents the Kerberos principal used for authentication to the "
++"directory.  This option can either contain the full principal (for example "
++"host/myhost@EXAMPLE.COM) or just the principal name (for example host/"
++"myhost).  By default, the value is not set and the following principals are "
++"used: <placeholder type=\"programlisting\" id=\"0\"/> If none of them are "
++"found, the first principal in keytab is returned."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1833
++#: sssd-ldap.5.xml:1851
+ msgid "Default: host/hostname@REALM"
+ msgstr "初期値: host/hostname@REALM"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1839
++#: sssd-ldap.5.xml:1857
+ msgid "ldap_sasl_realm (string)"
+ msgstr "ldap_sasl_realm (文字列)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1842
++#: sssd-ldap.5.xml:1860
+ msgid ""
+ "Specify the SASL realm to use. When not specified, this option defaults to "
+ "the value of krb5_realm.  If the ldap_sasl_authid contains the realm as "
+@@ -6369,17 +6553,17 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1848
++#: sssd-ldap.5.xml:1866
+ msgid "Default: the value of krb5_realm."
+ msgstr "初期値: krb5_realm の値"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1854
++#: sssd-ldap.5.xml:1872
+ msgid "ldap_sasl_canonicalize (boolean)"
+ msgstr "ldap_sasl_canonicalize (論理値)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1857
++#: sssd-ldap.5.xml:1875
+ msgid ""
+ "If set to true, the LDAP library would perform a reverse lookup to "
+ "canonicalize the host name during a SASL bind."
+@@ -6388,64 +6572,74 @@ msgstr ""
+ "するために逆引きを実行します。"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1862
++#: sssd-ldap.5.xml:1880
+ msgid "Default: false;"
+ msgstr "初期値: false;"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1868
++#: sssd-ldap.5.xml:1886
+ msgid "ldap_krb5_keytab (string)"
+ msgstr "ldap_krb5_keytab (文字列)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1871
+-msgid "Specify the keytab to use when using SASL/GSSAPI."
++#: sssd-ldap.5.xml:1889
++#, fuzzy
++#| msgid "Specify the keytab to use when using SASL/GSSAPI."
++msgid "Specify the keytab to use when using SASL/GSSAPI/GSS-SPNEGO."
+ msgstr "SASL/GSSAPI を使用するときに使用するキーテーブルを指定します。"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1874
++#: sssd-ldap.5.xml:1893
+ msgid "Default: System keytab, normally <filename>/etc/krb5.keytab</filename>"
+ msgstr ""
+ "初期値: システムのキーテーブル、通常 <filename>/etc/krb5.keytab</filename>"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1880
++#: sssd-ldap.5.xml:1899
+ msgid "ldap_krb5_init_creds (boolean)"
+ msgstr "ldap_krb5_init_creds (論理値)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1883
++#: sssd-ldap.5.xml:1902
++#, fuzzy
++#| msgid ""
++#| "Specifies that the id_provider should init Kerberos credentials (TGT).  "
++#| "This action is performed only if SASL is used and the mechanism selected "
++#| "is GSSAPI."
+ msgid ""
+ "Specifies that the id_provider should init Kerberos credentials (TGT).  This "
+ "action is performed only if SASL is used and the mechanism selected is "
+-"GSSAPI."
++"GSSAPI or GSS-SPNEGO."
+ msgstr ""
+ "Kerberos クレディンシャル (TGT) を初期化する id_provider を指定します。この操"
+ "作は、 SASL が使用され、選択されたメカニズムが GSSAPI である場合のみ実行され"
+ "ます。"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1895
++#: sssd-ldap.5.xml:1914
+ msgid "ldap_krb5_ticket_lifetime (integer)"
+ msgstr "ldap_krb5_ticket_lifetime (整数)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1898
+-msgid "Specifies the lifetime in seconds of the TGT if GSSAPI is used."
++#: sssd-ldap.5.xml:1917
++#, fuzzy
++#| msgid "Specifies the lifetime in seconds of the TGT if GSSAPI is used."
++msgid ""
++"Specifies the lifetime in seconds of the TGT if GSSAPI or GSS-SPNEGO is used."
+ msgstr "GSSAPI が使用されている場合、TGT の有効期間を秒単位で指定します。"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1902 sssd-ad.5.xml:959
++#: sssd-ldap.5.xml:1921 sssd-ad.5.xml:978
+ msgid "Default: 86400 (24 hours)"
+ msgstr "初期値: 86400 (24 時間)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1908 sssd-krb5.5.xml:74
++#: sssd-ldap.5.xml:1927 sssd-krb5.5.xml:74
+ msgid "krb5_server, krb5_backup_server (string)"
+ msgstr "krb5_server, krb5_backup_server (文字列)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1911
++#: sssd-ldap.5.xml:1930
+ msgid ""
+ "Specifies the comma-separated list of IP addresses or hostnames of the "
+ "Kerberos servers to which SSSD should connect in the order of preference. "
+@@ -6457,7 +6651,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1923 sssd-krb5.5.xml:89
++#: sssd-ldap.5.xml:1942 sssd-krb5.5.xml:89
+ msgid ""
+ "When using service discovery for KDC or kpasswd servers, SSSD first searches "
+ "for DNS entries that specify _udp as the protocol and falls back to _tcp if "
+@@ -6468,7 +6662,7 @@ msgstr ""
+ "ば _tcp にフォールバックします。"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1928 sssd-krb5.5.xml:94
++#: sssd-ldap.5.xml:1947 sssd-krb5.5.xml:94
+ msgid ""
+ "This option was named <quote>krb5_kdcip</quote> in earlier releases of SSSD. "
+ "While the legacy name is recognized for the time being, users are advised to "
+@@ -6479,27 +6673,29 @@ msgstr ""
+ "quote> を使用するよう設定ファイルを移行することが推奨されます。"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1937 sssd-ipa.5.xml:428 sssd-krb5.5.xml:103
++#: sssd-ldap.5.xml:1956 sssd-ipa.5.xml:428 sssd-krb5.5.xml:103
+ msgid "krb5_realm (string)"
+ msgstr "krb5_realm (文字列)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1940
+-msgid "Specify the Kerberos REALM (for SASL/GSSAPI auth)."
++#: sssd-ldap.5.xml:1959
++#, fuzzy
++#| msgid "Specify the Kerberos REALM (for SASL/GSSAPI auth)."
++msgid "Specify the Kerberos REALM (for SASL/GSSAPI/GSS-SPNEGO auth)."
+ msgstr "(SASL/GSSAPI 認証向け) Kerberos レルムを指定します。"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1943
++#: sssd-ldap.5.xml:1963
+ msgid "Default: System defaults, see <filename>/etc/krb5.conf</filename>"
+ msgstr "初期値: システムの初期値、<filename>/etc/krb5.conf</filename> 参照。"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1949 sssd-krb5.5.xml:462
++#: sssd-ldap.5.xml:1969 sssd-krb5.5.xml:462
+ msgid "krb5_canonicalize (boolean)"
+ msgstr "krb5_canonicalize (論理値)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1952
++#: sssd-ldap.5.xml:1972
+ msgid ""
+ "Specifies if the host principal should be canonicalized when connecting to "
+ "LDAP server. This feature is available with MIT Kerberos >= 1.7"
+@@ -6508,12 +6704,12 @@ msgstr ""
+ "します。この機能は MIT Kerberos >= 1.7 で利用可能です。"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1964 sssd-krb5.5.xml:477
++#: sssd-ldap.5.xml:1984 sssd-krb5.5.xml:477
+ msgid "krb5_use_kdcinfo (boolean)"
+ msgstr "krb5_use_kdcinfo (論理値)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1967 sssd-krb5.5.xml:480
++#: sssd-ldap.5.xml:1987 sssd-krb5.5.xml:480
+ msgid ""
+ "Specifies if the SSSD should instruct the Kerberos libraries what realm and "
+ "which KDCs to use. This option is on by default, if you disable it, you need "
+@@ -6523,7 +6719,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1978 sssd-krb5.5.xml:491
++#: sssd-ldap.5.xml:1998 sssd-krb5.5.xml:491
+ msgid ""
+ "See the <citerefentry> <refentrytitle>sssd_krb5_locator_plugin</"
+ "refentrytitle> <manvolnum>8</manvolnum> </citerefentry> manual page for more "
+@@ -6534,12 +6730,12 @@ msgstr ""
+ "manvolnum> </citerefentry> マニュアルページを参照ください。"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1992
++#: sssd-ldap.5.xml:2012
+ msgid "ldap_pwd_policy (string)"
+ msgstr "ldap_pwd_policy (文字列)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1995
++#: sssd-ldap.5.xml:2015
+ msgid ""
+ "Select the policy to evaluate the password expiration on the client side. "
+ "The following values are allowed:"
+@@ -6548,7 +6744,7 @@ msgstr ""
+ "す。以下の値が許容されます:"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2000
++#: sssd-ldap.5.xml:2020
+ msgid ""
+ "<emphasis>none</emphasis> - No evaluation on the client side. This option "
+ "cannot disable server-side password policies."
+@@ -6557,7 +6753,7 @@ msgstr ""
+ "ンはサーバー側のパスワードポリシーを無効にできません。"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2005
++#: sssd-ldap.5.xml:2025
+ msgid ""
+ "<emphasis>shadow</emphasis> - Use <citerefentry><refentrytitle>shadow</"
+ "refentrytitle> <manvolnum>5</manvolnum></citerefentry> style attributes to "
+@@ -6568,7 +6764,7 @@ msgstr ""
+ "manvolnum></citerefentry> 形式の属性を使用します。"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2011
++#: sssd-ldap.5.xml:2031
+ msgid ""
+ "<emphasis>mit_kerberos</emphasis> - Use the attributes used by MIT Kerberos "
+ "to determine if the password has expired. Use chpass_provider=krb5 to update "
+@@ -6579,24 +6775,24 @@ msgstr ""
+ "とき、これらの属性を更新するために chpass_provider=krb5 を使用します。"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2020
++#: sssd-ldap.5.xml:2040
+ msgid ""
+ "<emphasis>Note</emphasis>: if a password policy is configured on server "
+ "side, it always takes precedence over policy set with this option."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2028
++#: sssd-ldap.5.xml:2048
+ msgid "ldap_referrals (boolean)"
+ msgstr "ldap_referrals (論理値)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2031
++#: sssd-ldap.5.xml:2051
+ msgid "Specifies whether automatic referral chasing should be enabled."
+ msgstr "自動参照追跡が有効化されるかを指定します。"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2035
++#: sssd-ldap.5.xml:2055
+ msgid ""
+ "Please note that sssd only supports referral chasing when it is compiled "
+ "with OpenLDAP version 2.4.13 or higher."
+@@ -6605,7 +6801,7 @@ msgstr ""
+ "sssd のみが参照追跡をサポートすることに注意してください。"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2040
++#: sssd-ldap.5.xml:2060
+ msgid ""
+ "Chasing referrals may incur a performance penalty in environments that use "
+ "them heavily, a notable example is Microsoft Active Directory. If your setup "
+@@ -6614,28 +6810,28 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2054
++#: sssd-ldap.5.xml:2074
+ msgid "ldap_dns_service_name (string)"
+ msgstr "ldap_dns_service_name (文字列)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2057
++#: sssd-ldap.5.xml:2077
+ msgid "Specifies the service name to use when service discovery is enabled."
+ msgstr ""
+ "サービス検索が有効にされているときに使用するサービスの名前を指定します。"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2061
++#: sssd-ldap.5.xml:2081
+ msgid "Default: ldap"
+ msgstr "初期値: ldap"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2067
++#: sssd-ldap.5.xml:2087
+ msgid "ldap_chpass_dns_service_name (string)"
+ msgstr "ldap_chpass_dns_service_name (文字列)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2070
++#: sssd-ldap.5.xml:2090
+ msgid ""
+ "Specifies the service name to use to find an LDAP server which allows "
+ "password changes when service discovery is enabled."
+@@ -6644,29 +6840,29 @@ msgstr ""
+ "を検索するために使用するサービスの名前を指定します。"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2075
++#: sssd-ldap.5.xml:2095
+ msgid "Default: not set, i.e. service discovery is disabled"
+ msgstr "初期値: 設定されていません、つまりサービス検索が無効にされています"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2081
++#: sssd-ldap.5.xml:2101
+ msgid "ldap_chpass_update_last_change (bool)"
+ msgstr "ldap_chpass_update_last_change (論理値)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2084
++#: sssd-ldap.5.xml:2104
+ msgid ""
+ "Specifies whether to update the ldap_user_shadow_last_change attribute with "
+ "days since the Epoch after a password change operation."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2096
++#: sssd-ldap.5.xml:2116
+ msgid "ldap_access_filter (string)"
+ msgstr "ldap_access_filter (文字列)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2099
++#: sssd-ldap.5.xml:2119
+ msgid ""
+ "If using access_provider = ldap and ldap_access_order = filter (default), "
+ "this option is mandatory. It specifies an LDAP search filter criteria that "
+@@ -6682,12 +6878,12 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2119
++#: sssd-ldap.5.xml:2139
+ msgid "Example:"
+ msgstr "例:"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><programlisting>
+-#: sssd-ldap.5.xml:2122
++#: sssd-ldap.5.xml:2142
+ #, no-wrap
+ msgid ""
+ "access_provider = ldap\n"
+@@ -6696,14 +6892,14 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2126
++#: sssd-ldap.5.xml:2146
+ msgid ""
+ "This example means that access to this host is restricted to users whose "
+ "employeeType attribute is set to \"admin\"."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2131
++#: sssd-ldap.5.xml:2151
+ msgid ""
+ "Offline caching for this feature is limited to determining whether the "
+ "user's last online login was granted access permission. If they were granted "
+@@ -6712,17 +6908,17 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2139 sssd-ldap.5.xml:2196
++#: sssd-ldap.5.xml:2159 sssd-ldap.5.xml:2216
+ msgid "Default: Empty"
+ msgstr "初期値: 空白"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2145
++#: sssd-ldap.5.xml:2165
+ msgid "ldap_account_expire_policy (string)"
+ msgstr "ldap_account_expire_policy (文字列)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2148
++#: sssd-ldap.5.xml:2168
+ msgid ""
+ "With this option a client side evaluation of access control attributes can "
+ "be enabled."
+@@ -6731,7 +6927,7 @@ msgstr ""
+ "ます。"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2152
++#: sssd-ldap.5.xml:2172
+ msgid ""
+ "Please note that it is always recommended to use server side access control, "
+ "i.e. the LDAP server should deny the bind request with a suitable error code "
+@@ -6742,12 +6938,12 @@ msgstr ""
+ "否します。"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2159
++#: sssd-ldap.5.xml:2179
+ msgid "The following values are allowed:"
+ msgstr "以下の値が許可されます:"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2162
++#: sssd-ldap.5.xml:2182
+ msgid ""
+ "<emphasis>shadow</emphasis>: use the value of ldap_user_shadow_expire to "
+ "determine if the account is expired."
+@@ -6756,7 +6952,7 @@ msgstr ""
+ "ldap_user_shadow_expire の値を使用します。"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2167
++#: sssd-ldap.5.xml:2187
+ msgid ""
+ "<emphasis>ad</emphasis>: use the value of the 32bit field "
+ "ldap_user_ad_user_account_control and allow access if the second bit is not "
+@@ -6765,7 +6961,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2174
++#: sssd-ldap.5.xml:2194
+ msgid ""
+ "<emphasis>rhds</emphasis>, <emphasis>ipa</emphasis>, <emphasis>389ds</"
+ "emphasis>: use the value of ldap_ns_account_lock to check if access is "
+@@ -6776,7 +6972,7 @@ msgstr ""
+ "ldap_ns_account_lock の値を使用します。"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2180
++#: sssd-ldap.5.xml:2200
+ msgid ""
+ "<emphasis>nds</emphasis>: the values of "
+ "ldap_user_nds_login_allowed_time_map, ldap_user_nds_login_disabled and "
+@@ -6789,7 +6985,7 @@ msgstr ""
+ "クセスが許可されます。"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2189
++#: sssd-ldap.5.xml:2209
+ msgid ""
+ "Please note that the ldap_access_order configuration option <emphasis>must</"
+ "emphasis> include <quote>expire</quote> in order for the "
+@@ -6797,23 +6993,23 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2202
++#: sssd-ldap.5.xml:2222
+ msgid "ldap_access_order (string)"
+ msgstr "ldap_access_order (文字列)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2205
++#: sssd-ldap.5.xml:2225
+ msgid "Comma separated list of access control options.  Allowed values are:"
+ msgstr ""
+ "アクセス制御オプションのカンマ区切り一覧です。許可される値は次のとおりです:"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2209
++#: sssd-ldap.5.xml:2229
+ msgid "<emphasis>filter</emphasis>: use ldap_access_filter"
+ msgstr "<emphasis>filter</emphasis>: ldap_access_filter を使用します"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2212
++#: sssd-ldap.5.xml:2232
+ msgid ""
+ "<emphasis>lockout</emphasis>: use account locking.  If set, this option "
+ "denies access in case that ldap attribute 'pwdAccountLockedTime' is present "
+@@ -6823,14 +7019,14 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2222
++#: sssd-ldap.5.xml:2242
+ msgid ""
+ "<emphasis> Please note that this option is superseded by the <quote>ppolicy</"
+ "quote> option and might be removed in a future release.  </emphasis>"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2229
++#: sssd-ldap.5.xml:2249
+ msgid ""
+ "<emphasis>ppolicy</emphasis>: use account locking.  If set, this option "
+ "denies access in case that ldap attribute 'pwdAccountLockedTime' is present "
+@@ -6843,12 +7039,12 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2246
++#: sssd-ldap.5.xml:2266
+ msgid "<emphasis>expire</emphasis>: use ldap_account_expire_policy"
+ msgstr "<emphasis>expire</emphasis>: ldap_account_expire_policy を使用します"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2250
++#: sssd-ldap.5.xml:2270
+ msgid ""
+ "<emphasis>pwd_expire_policy_reject, pwd_expire_policy_warn, "
+ "pwd_expire_policy_renew: </emphasis> These options are useful if users are "
+@@ -6858,7 +7054,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2260
++#: sssd-ldap.5.xml:2280
+ msgid ""
+ "The difference between these options is the action taken if user password is "
+ "expired: pwd_expire_policy_reject - user is denied to log in, "
+@@ -6868,20 +7064,20 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2268
++#: sssd-ldap.5.xml:2288
+ msgid ""
+ "Note If user password is expired no explicit message is prompted by SSSD."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2272
++#: sssd-ldap.5.xml:2292
+ msgid ""
+ "Please note that 'access_provider = ldap' must be set for this feature to "
+ "work. Also 'ldap_pwd_policy' must be set to an appropriate password policy."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2277
++#: sssd-ldap.5.xml:2297
+ msgid ""
+ "<emphasis>authorized_service</emphasis>: use the authorizedService attribute "
+ "to determine access"
+@@ -6890,44 +7086,44 @@ msgstr ""
+ "authorizedService 属性を使用します"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2282
++#: sssd-ldap.5.xml:2302
+ msgid "<emphasis>host</emphasis>: use the host attribute to determine access"
+ msgstr ""
+ "<emphasis>host</emphasis>: アクセス権を決めるために host 属性を使用します"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2286
++#: sssd-ldap.5.xml:2306
+ msgid ""
+ "<emphasis>rhost</emphasis>: use the rhost attribute to determine whether "
+ "remote host can access"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2290
++#: sssd-ldap.5.xml:2310
+ msgid ""
+ "Please note, rhost field in pam is set by application, it is better to check "
+ "what the application sends to pam, before enabling this access control option"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2295
++#: sssd-ldap.5.xml:2315
+ msgid "Default: filter"
+ msgstr "初期値: filter"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2298
++#: sssd-ldap.5.xml:2318
+ msgid ""
+ "Please note that it is a configuration error if a value is used more than "
+ "once."
+ msgstr "値が複数使用されていると設定エラーになることに注意してください。"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2305
++#: sssd-ldap.5.xml:2325
+ msgid "ldap_pwdlockout_dn (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2308
++#: sssd-ldap.5.xml:2328
+ msgid ""
+ "This option specifies the DN of password policy entry on LDAP server. Please "
+ "note that absence of this option in sssd.conf in case of enabled account "
+@@ -6936,22 +7132,22 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2316
++#: sssd-ldap.5.xml:2336
+ msgid "Example: cn=ppolicy,ou=policies,dc=example,dc=com"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2319
++#: sssd-ldap.5.xml:2339
+ msgid "Default: cn=ppolicy,ou=policies,$ldap_search_base"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2325
++#: sssd-ldap.5.xml:2345
+ msgid "ldap_deref (string)"
+ msgstr "ldap_deref (文字列)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2328
++#: sssd-ldap.5.xml:2348
+ msgid ""
+ "Specifies how alias dereferencing is done when performing a search. The "
+ "following options are allowed:"
+@@ -6960,12 +7156,12 @@ msgstr ""
+ "ションが許容されます:"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2333
++#: sssd-ldap.5.xml:2353
+ msgid "<emphasis>never</emphasis>: Aliases are never dereferenced."
+ msgstr "<emphasis>never</emphasis>: エイリアスが参照解決されません。"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2337
++#: sssd-ldap.5.xml:2357
+ msgid ""
+ "<emphasis>searching</emphasis>: Aliases are dereferenced in subordinates of "
+ "the base object, but not in locating the base object of the search."
+@@ -6974,7 +7170,7 @@ msgstr ""
+ "決されますが、検索のベースオブジェクトの位置を探すときはされません。"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2342
++#: sssd-ldap.5.xml:2362
+ msgid ""
+ "<emphasis>finding</emphasis>: Aliases are only dereferenced when locating "
+ "the base object of the search."
+@@ -6983,7 +7179,7 @@ msgstr ""
+ "すときのみ参照解決されます。"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2347
++#: sssd-ldap.5.xml:2367
+ msgid ""
+ "<emphasis>always</emphasis>: Aliases are dereferenced both in searching and "
+ "in locating the base object of the search."
+@@ -6992,7 +7188,7 @@ msgstr ""
+ "きも位置を検索するときも参照解決されます。"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2352
++#: sssd-ldap.5.xml:2372
+ msgid ""
+ "Default: Empty (this is handled as <emphasis>never</emphasis> by the LDAP "
+ "client libraries)"
+@@ -7001,19 +7197,19 @@ msgstr ""
+ "して取り扱われます)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2360
++#: sssd-ldap.5.xml:2380
+ msgid "ldap_rfc2307_fallback_to_local_users (boolean)"
+ msgstr "ldap_rfc2307_fallback_to_local_users (論理値)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2363
++#: sssd-ldap.5.xml:2383
+ msgid ""
+ "Allows to retain local users as members of an LDAP group for servers that "
+ "use the RFC2307 schema."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2367
++#: sssd-ldap.5.xml:2387
+ msgid ""
+ "In some environments where the RFC2307 schema is used, local users are made "
+ "members of LDAP groups by adding their names to the memberUid attribute.  "
+@@ -7024,7 +7220,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2378
++#: sssd-ldap.5.xml:2398
+ msgid ""
+ "This option falls back to checking if local users are referenced, and caches "
+ "them so that later initgroups() calls will augment the local users with the "
+@@ -7032,24 +7228,24 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2390 sssd-ifp.5.xml:136
++#: sssd-ldap.5.xml:2410 sssd-ifp.5.xml:136
+ msgid "wildcard_limit (integer)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2393
++#: sssd-ldap.5.xml:2413
+ msgid ""
+ "Specifies an upper limit on the number of entries that are downloaded during "
+ "a wildcard lookup."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2397
++#: sssd-ldap.5.xml:2417
+ msgid "At the moment, only the InfoPipe responder supports wildcard lookups."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2401
++#: sssd-ldap.5.xml:2421
+ msgid "Default: 1000 (often the size of one page)"
+ msgstr ""
+ 
+@@ -7069,12 +7265,12 @@ msgstr ""
+ "\"0\"/>"
+ 
+ #. type: Content of: <reference><refentry><refsect1><title>
+-#: sssd-ldap.5.xml:2411
++#: sssd-ldap.5.xml:2431
+ msgid "SUDO OPTIONS"
+ msgstr "SUDO オプション"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd-ldap.5.xml:2413
++#: sssd-ldap.5.xml:2433
+ msgid ""
+ "The detailed instructions for configuration of sudo_provider are in the "
+ "manual page <citerefentry> <refentrytitle>sssd-sudo</refentrytitle> "
+@@ -7082,52 +7278,52 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2424
++#: sssd-ldap.5.xml:2444
+ msgid "ldap_sudorule_object_class (string)"
+ msgstr "ldap_sudorule_object_class (文字列)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2427
++#: sssd-ldap.5.xml:2447
+ msgid "The object class of a sudo rule entry in LDAP."
+ msgstr "LDAP にある sudo ルールエントリーのオブジェクトクラスです。"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2430
++#: sssd-ldap.5.xml:2450
+ msgid "Default: sudoRole"
+ msgstr "初期値: sudoRole"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2436
++#: sssd-ldap.5.xml:2456
+ msgid "ldap_sudorule_name (string)"
+ msgstr "ldap_sudorule_name (文字列)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2439
++#: sssd-ldap.5.xml:2459
+ msgid "The LDAP attribute that corresponds to the sudo rule name."
+ msgstr "sudo ルール名に対応する LDAP 属性です。"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2449
++#: sssd-ldap.5.xml:2469
+ msgid "ldap_sudorule_command (string)"
+ msgstr "ldap_sudorule_command (文字列)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2452
++#: sssd-ldap.5.xml:2472
+ msgid "The LDAP attribute that corresponds to the command name."
+ msgstr "コマンド名に対応する LDAP 属性です。"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2456
++#: sssd-ldap.5.xml:2476
+ msgid "Default: sudoCommand"
+ msgstr "初期値: sudoCommand"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2462
++#: sssd-ldap.5.xml:2482
+ msgid "ldap_sudorule_host (string)"
+ msgstr "ldap_sudorule_host (文字列)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2465
++#: sssd-ldap.5.xml:2485
+ msgid ""
+ "The LDAP attribute that corresponds to the host name (or host IP address, "
+ "host IP network, or host netgroup)"
+@@ -7136,17 +7332,17 @@ msgstr ""
+ "クグループ)に対応する LDAP 属性です。"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2470
++#: sssd-ldap.5.xml:2490
+ msgid "Default: sudoHost"
+ msgstr "初期値: sudoHost"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2476
++#: sssd-ldap.5.xml:2496
+ msgid "ldap_sudorule_user (string)"
+ msgstr "ldap_sudorule_user (文字列)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2479
++#: sssd-ldap.5.xml:2499
+ msgid ""
+ "The LDAP attribute that corresponds to the user name (or UID, group name or "
+ "user's netgroup)"
+@@ -7155,49 +7351,49 @@ msgstr ""
+ "る LDAP 属性です。"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2483
++#: sssd-ldap.5.xml:2503
+ msgid "Default: sudoUser"
+ msgstr "初期値: sudoUser"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2489
++#: sssd-ldap.5.xml:2509
+ msgid "ldap_sudorule_option (string)"
+ msgstr "ldap_sudorule_option (文字列)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2492
++#: sssd-ldap.5.xml:2512
+ msgid "The LDAP attribute that corresponds to the sudo options."
+ msgstr "sudo オプションに対応する LDAP 属性です。"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2496
++#: sssd-ldap.5.xml:2516
+ msgid "Default: sudoOption"
+ msgstr "初期値: sudoOption"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2502
++#: sssd-ldap.5.xml:2522
+ msgid "ldap_sudorule_runasuser (string)"
+ msgstr "ldap_sudorule_runasuser (文字列)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2505
++#: sssd-ldap.5.xml:2525
+ msgid ""
+ "The LDAP attribute that corresponds to the user name that commands may be "
+ "run as."
+ msgstr "コマンドを実行するユーザー名に対応する LDAP 属性です。"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2509
++#: sssd-ldap.5.xml:2529
+ msgid "Default: sudoRunAsUser"
+ msgstr "初期値: sudoRunAsUser"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2515
++#: sssd-ldap.5.xml:2535
+ msgid "ldap_sudorule_runasgroup (string)"
+ msgstr "ldap_sudorule_runasgroup (文字列)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2518
++#: sssd-ldap.5.xml:2538
+ msgid ""
+ "The LDAP attribute that corresponds to the group name or group GID that "
+ "commands may be run as."
+@@ -7205,34 +7401,34 @@ msgstr ""
+ "コマンドを実行するグループ名またはグループの GID に対応する LDAP 属性です。"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2522
++#: sssd-ldap.5.xml:2542
+ msgid "Default: sudoRunAsGroup"
+ msgstr "初期値: sudoRunAsGroup"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2528
++#: sssd-ldap.5.xml:2548
+ msgid "ldap_sudorule_notbefore (string)"
+ msgstr "ldap_sudorule_notbefore (文字列)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2531
++#: sssd-ldap.5.xml:2551
+ msgid ""
+ "The LDAP attribute that corresponds to the start date/time for when the sudo "
+ "rule is valid."
+ msgstr "sudo ルールが有効になる開始日時に対応する LDAP 属性です。"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2535
++#: sssd-ldap.5.xml:2555
+ msgid "Default: sudoNotBefore"
+ msgstr "初期値: sudoNotBefore"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2541
++#: sssd-ldap.5.xml:2561
+ msgid "ldap_sudorule_notafter (string)"
+ msgstr "ldap_sudorule_notafter (文字列)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2544
++#: sssd-ldap.5.xml:2564
+ msgid ""
+ "The LDAP attribute that corresponds to the expiration date/time, after which "
+ "the sudo rule will no longer be valid."
+@@ -7241,39 +7437,39 @@ msgstr ""
+ "す。"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2549
++#: sssd-ldap.5.xml:2569
+ msgid "Default: sudoNotAfter"
+ msgstr "初期値: sudoNotAfter"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2555
++#: sssd-ldap.5.xml:2575
+ msgid "ldap_sudorule_order (string)"
+ msgstr "ldap_sudorule_order (文字列)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2558
++#: sssd-ldap.5.xml:2578
+ msgid "The LDAP attribute that corresponds to the ordering index of the rule."
+ msgstr "ルールの並び替えインデックスに対応する LDAP 属性です。"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2562
++#: sssd-ldap.5.xml:2582
+ msgid "Default: sudoOrder"
+ msgstr "初期値: sudoOrder"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2568
++#: sssd-ldap.5.xml:2588
+ msgid "ldap_sudo_full_refresh_interval (integer)"
+ msgstr "ldap_sudo_full_refresh_interval (整数)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2571
++#: sssd-ldap.5.xml:2591
+ msgid ""
+ "How many seconds SSSD will wait between executing a full refresh of sudo "
+ "rules (which downloads all rules that are stored on the server)."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2576
++#: sssd-ldap.5.xml:2596
+ msgid ""
+ "The value must be greater than <emphasis>ldap_sudo_smart_refresh_interval </"
+ "emphasis>"
+@@ -7282,17 +7478,17 @@ msgstr ""
+ "ります"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2581
++#: sssd-ldap.5.xml:2601
+ msgid "Default: 21600 (6 hours)"
+ msgstr "初期値: 21600 (6 時間)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2587
++#: sssd-ldap.5.xml:2607
+ msgid "ldap_sudo_smart_refresh_interval (integer)"
+ msgstr "ldap_sudo_smart_refresh_interval (整数)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2590
++#: sssd-ldap.5.xml:2610
+ msgid ""
+ "How many seconds SSSD has to wait before executing a smart refresh of sudo "
+ "rules (which downloads all rules that have USN higher than the highest USN "
+@@ -7300,31 +7496,31 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2596
++#: sssd-ldap.5.xml:2616
+ msgid ""
+ "If USN attributes are not supported by the server, the modifyTimestamp "
+ "attribute is used instead."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2606
++#: sssd-ldap.5.xml:2626
+ msgid "ldap_sudo_use_host_filter (boolean)"
+ msgstr "ldap_sudo_use_host_filter (論理値)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2609
++#: sssd-ldap.5.xml:2629
+ msgid ""
+ "If true, SSSD will download only rules that are applicable to this machine "
+ "(using the IPv4 or IPv6 host/network addresses and hostnames)."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2620
++#: sssd-ldap.5.xml:2640
+ msgid "ldap_sudo_hostnames (string)"
+ msgstr "ldap_sudo_hostnames (文字列)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2623
++#: sssd-ldap.5.xml:2643
+ msgid ""
+ "Space separated list of hostnames or fully qualified domain names that "
+ "should be used to filter the rules."
+@@ -7333,15 +7529,15 @@ msgstr ""
+ "区切り一覧です。"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2628
++#: sssd-ldap.5.xml:2648
+ msgid ""
+ "If this option is empty, SSSD will try to discover the hostname and the "
+ "fully qualified domain name automatically."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2633 sssd-ldap.5.xml:2656 sssd-ldap.5.xml:2674
+-#: sssd-ldap.5.xml:2692
++#: sssd-ldap.5.xml:2653 sssd-ldap.5.xml:2676 sssd-ldap.5.xml:2694
++#: sssd-ldap.5.xml:2712
+ msgid ""
+ "If <emphasis>ldap_sudo_use_host_filter</emphasis> is <emphasis>false</"
+ "emphasis> then this option has no effect."
+@@ -7350,17 +7546,17 @@ msgstr ""
+ "ならば、このオプションは効果を持ちません。"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2638 sssd-ldap.5.xml:2661
++#: sssd-ldap.5.xml:2658 sssd-ldap.5.xml:2681
+ msgid "Default: not specified"
+ msgstr "初期値: 指定なし"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2644
++#: sssd-ldap.5.xml:2664
+ msgid "ldap_sudo_ip (string)"
+ msgstr "ldap_sudo_ip (文字列)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2647
++#: sssd-ldap.5.xml:2667
+ msgid ""
+ "Space separated list of IPv4 or IPv6 host/network addresses that should be "
+ "used to filter the rules."
+@@ -7369,7 +7565,7 @@ msgstr ""
+ "アドレスの空白区切り一覧です。"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2652
++#: sssd-ldap.5.xml:2672
+ msgid ""
+ "If this option is empty, SSSD will try to discover the addresses "
+ "automatically."
+@@ -7377,31 +7573,31 @@ msgstr ""
+ "このオプションが空白ならば、SSSD は自動的にアドレスを検索しようとします。"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2667
++#: sssd-ldap.5.xml:2687
+ msgid "ldap_sudo_include_netgroups (boolean)"
+ msgstr "ldap_sudo_include_netgroups (論理値)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2670
++#: sssd-ldap.5.xml:2690
+ msgid ""
+ "If true then SSSD will download every rule that contains a netgroup in "
+ "sudoHost attribute."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2685
++#: sssd-ldap.5.xml:2705
+ msgid "ldap_sudo_include_regexp (boolean)"
+ msgstr "ldap_sudo_include_regexp (論理値)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2688
++#: sssd-ldap.5.xml:2708
+ msgid ""
+ "If true then SSSD will download every rule that contains a wildcard in "
+ "sudoHost attribute."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd-ldap.5.xml:2704
++#: sssd-ldap.5.xml:2724
+ msgid ""
+ "This manual page only describes attribute name mapping.  For detailed "
+ "explanation of sudo related attribute semantics, see <citerefentry> "
+@@ -7413,87 +7609,87 @@ msgstr ""
+ "refentrytitle><manvolnum>5</manvolnum> </citerefentry> を参照してください"
+ 
+ #. type: Content of: <reference><refentry><refsect1><title>
+-#: sssd-ldap.5.xml:2714
++#: sssd-ldap.5.xml:2734
+ msgid "AUTOFS OPTIONS"
+ msgstr "AUTOFS オプション"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd-ldap.5.xml:2716
++#: sssd-ldap.5.xml:2736
+ msgid ""
+ "Some of the defaults for the parameters below are dependent on the LDAP "
+ "schema."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2722
++#: sssd-ldap.5.xml:2742
+ msgid "ldap_autofs_map_master_name (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2725
++#: sssd-ldap.5.xml:2745
+ msgid "The name of the automount master map in LDAP."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2728
++#: sssd-ldap.5.xml:2748
+ msgid "Default: auto.master"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2735
++#: sssd-ldap.5.xml:2755
+ msgid "ldap_autofs_map_object_class (string)"
+ msgstr "ldap_autofs_map_object_class (文字列)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2738
++#: sssd-ldap.5.xml:2758
+ msgid "The object class of an automount map entry in LDAP."
+ msgstr "LDAP にある automount マップエントリーのオブジェクトクラスです。"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2741
++#: sssd-ldap.5.xml:2761
+ msgid "Default: nisMap (rfc2307, autofs_provider=ad), otherwise automountMap"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2749
++#: sssd-ldap.5.xml:2769
+ msgid "ldap_autofs_map_name (string)"
+ msgstr "ldap_autofs_map_name (文字列)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2752
++#: sssd-ldap.5.xml:2772
+ msgid "The name of an automount map entry in LDAP."
+ msgstr "LDAP における automount のマップエントリーの名前です。"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2755
++#: sssd-ldap.5.xml:2775
+ msgid ""
+ "Default: nisMapName (rfc2307, autofs_provider=ad), otherwise automountMapName"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2763
++#: sssd-ldap.5.xml:2783
+ msgid "ldap_autofs_entry_object_class (string)"
+ msgstr "ldap_autofs_entry_object_class (文字列)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2766
++#: sssd-ldap.5.xml:2786
+ msgid ""
+ "The object class of an automount entry in LDAP. The entry usually "
+ "corresponds to a mount point."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2771
++#: sssd-ldap.5.xml:2791
+ msgid "Default: nisObject (rfc2307, autofs_provider=ad), otherwise automount"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2779
++#: sssd-ldap.5.xml:2799
+ msgid "ldap_autofs_entry_key (string)"
+ msgstr "ldap_autofs_entry_key (文字列)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2782 sssd-ldap.5.xml:2797
++#: sssd-ldap.5.xml:2802 sssd-ldap.5.xml:2817
+ msgid ""
+ "The key of an automount entry in LDAP. The entry usually corresponds to a "
+ "mount point."
+@@ -7502,24 +7698,24 @@ msgstr ""
+ "ントと対応します。"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2786
++#: sssd-ldap.5.xml:2806
+ msgid "Default: cn (rfc2307, autofs_provider=ad), otherwise automountKey"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2794
++#: sssd-ldap.5.xml:2814
+ msgid "ldap_autofs_entry_value (string)"
+ msgstr "ldap_autofs_entry_value (文字列)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2801
++#: sssd-ldap.5.xml:2821
+ msgid ""
+ "Default: nisMapEntry (rfc2307, autofs_provider=ad), otherwise "
+ "automountInformation"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd-ldap.5.xml:2720
++#: sssd-ldap.5.xml:2740
+ msgid ""
+ "<placeholder type=\"variablelist\" id=\"0\"/> <placeholder type="
+ "\"variablelist\" id=\"1\"/> <placeholder type=\"variablelist\" id=\"2\"/> "
+@@ -7528,32 +7724,32 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><title>
+-#: sssd-ldap.5.xml:2812
++#: sssd-ldap.5.xml:2832
+ msgid "ADVANCED OPTIONS"
+ msgstr "高度なオプション"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2819
++#: sssd-ldap.5.xml:2839
+ msgid "ldap_netgroup_search_base (string)"
+ msgstr "ldap_netgroup_search_base (文字列)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2824
++#: sssd-ldap.5.xml:2844
+ msgid "ldap_user_search_base (string)"
+ msgstr "ldap_user_search_base (文字列)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2829
++#: sssd-ldap.5.xml:2849
+ msgid "ldap_group_search_base (string)"
+ msgstr "ldap_group_search_base (文字列)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><note>
+-#: sssd-ldap.5.xml:2834
++#: sssd-ldap.5.xml:2854
+ msgid "<note>"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><note><para>
+-#: sssd-ldap.5.xml:2836
++#: sssd-ldap.5.xml:2856
+ msgid ""
+ "If the option <quote>ldap_use_tokengroups</quote> is enabled, the searches "
+ "against Active Directory will not be restricted and return all groups "
+@@ -7562,22 +7758,22 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist>
+-#: sssd-ldap.5.xml:2843
++#: sssd-ldap.5.xml:2863
+ msgid "</note>"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2845
++#: sssd-ldap.5.xml:2865
+ msgid "ldap_sudo_search_base (string)"
+ msgstr "ldap_sudo_search_base (文字列)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2850
++#: sssd-ldap.5.xml:2870
+ msgid "ldap_autofs_search_base (string)"
+ msgstr "ldap_autofs_search_base (文字列)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd-ldap.5.xml:2814
++#: sssd-ldap.5.xml:2834
+ msgid ""
+ "These options are supported by LDAP domains, but they should be used with "
+ "caution. Please include them in your configuration only if you know what you "
+@@ -7586,14 +7782,14 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><title>
+-#: sssd-ldap.5.xml:2865 sssd-simple.5.xml:131 sssd-ipa.5.xml:828
+-#: sssd-ad.5.xml:1063 sssd-krb5.5.xml:570 sss_rpcidmapd.5.xml:98
++#: sssd-ldap.5.xml:2885 sssd-simple.5.xml:131 sssd-ipa.5.xml:828
++#: sssd-ad.5.xml:1082 sssd-krb5.5.xml:604 sss_rpcidmapd.5.xml:98
+ #: sssd-files.5.xml:103 sssd-session-recording.5.xml:144
+ msgid "EXAMPLE"
+ msgstr "例"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd-ldap.5.xml:2867
++#: sssd-ldap.5.xml:2887
+ msgid ""
+ "The following example assumes that SSSD is correctly configured and LDAP is "
+ "set to one of the domains in the <replaceable>[domains]</replaceable> "
+@@ -7604,7 +7800,7 @@ msgstr ""
+ "す。"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><programlisting>
+-#: sssd-ldap.5.xml:2873
++#: sssd-ldap.5.xml:2893
+ #, no-wrap
+ msgid ""
+ "[domain/LDAP]\n"
+@@ -7617,27 +7813,27 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <refsect1><refsect2><para>
+-#: sssd-ldap.5.xml:2872 sssd-ldap.5.xml:2890 sssd-simple.5.xml:139
+-#: sssd-ipa.5.xml:836 sssd-ad.5.xml:1071 sssd-sudo.5.xml:56 sssd-krb5.5.xml:579
++#: sssd-ldap.5.xml:2892 sssd-ldap.5.xml:2910 sssd-simple.5.xml:139
++#: sssd-ipa.5.xml:836 sssd-ad.5.xml:1090 sssd-sudo.5.xml:56 sssd-krb5.5.xml:613
+ #: sssd-files.5.xml:110 sssd-session-recording.5.xml:150
+ #: include/ldap_id_mapping.xml:105
+ msgid "<placeholder type=\"programlisting\" id=\"0\"/>"
+ msgstr "<placeholder type=\"programlisting\" id=\"0\"/>"
+ 
+ #. type: Content of: <reference><refentry><refsect1><title>
+-#: sssd-ldap.5.xml:2884
++#: sssd-ldap.5.xml:2904
+ msgid "LDAP ACCESS FILTER EXAMPLE"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd-ldap.5.xml:2886
++#: sssd-ldap.5.xml:2906
+ msgid ""
+ "The following example assumes that SSSD is correctly configured and to use "
+ "the ldap_access_order=lockout."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><programlisting>
+-#: sssd-ldap.5.xml:2891
++#: sssd-ldap.5.xml:2911
+ #, no-wrap
+ msgid ""
+ "[domain/LDAP]\n"
+@@ -7653,13 +7849,13 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><title>
+-#: sssd-ldap.5.xml:2906 sssd_krb5_locator_plugin.8.xml:83 sssd-simple.5.xml:148
+-#: sssd-ad.5.xml:1086 sssd.8.xml:230 sss_seed.8.xml:163
++#: sssd-ldap.5.xml:2926 sssd_krb5_locator_plugin.8.xml:83 sssd-simple.5.xml:148
++#: sssd-ad.5.xml:1105 sssd.8.xml:230 sss_seed.8.xml:163
+ msgid "NOTES"
+ msgstr "注記"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd-ldap.5.xml:2908
++#: sssd-ldap.5.xml:2928
+ msgid ""
+ "The descriptions of some of the configuration options in this manual page "
+ "are based on the <citerefentry> <refentrytitle>ldap.conf</refentrytitle> "
+@@ -9205,7 +9401,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ipa.5.xml:128 sssd-ad.5.xml:888
++#: sssd-ipa.5.xml:128 sssd-ad.5.xml:907
+ msgid "dyndns_update (boolean)"
+ msgstr "dyndns_update (論理値)"
+ 
+@@ -9220,7 +9416,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ipa.5.xml:140 sssd-ad.5.xml:902
++#: sssd-ipa.5.xml:140 sssd-ad.5.xml:921
+ msgid ""
+ "NOTE: On older systems (such as RHEL 5), for this behavior to work reliably, "
+ "the default Kerberos realm must be set properly in /etc/krb5.conf"
+@@ -9238,12 +9434,12 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ipa.5.xml:157 sssd-ad.5.xml:913
++#: sssd-ipa.5.xml:157 sssd-ad.5.xml:932
+ msgid "dyndns_ttl (integer)"
+ msgstr "dyndns_ttl (整数)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ipa.5.xml:160 sssd-ad.5.xml:916
++#: sssd-ipa.5.xml:160 sssd-ad.5.xml:935
+ msgid ""
+ "The TTL to apply to the client DNS record when updating it.  If "
+ "dyndns_update is false this has no effect. This will override the TTL "
+@@ -9264,12 +9460,12 @@ msgid "Default: 1200 (seconds)"
+ msgstr "初期値: 1200 (秒)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ipa.5.xml:177 sssd-ad.5.xml:927
++#: sssd-ipa.5.xml:177 sssd-ad.5.xml:946
+ msgid "dyndns_iface (string)"
+ msgstr "dyndns_iface (文字列)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ipa.5.xml:180 sssd-ad.5.xml:930
++#: sssd-ipa.5.xml:180 sssd-ad.5.xml:949
+ msgid ""
+ "Optional. Applicable only when dyndns_update is true. Choose the interface "
+ "or a list of interfaces whose IP addresses should be used for dynamic DNS "
+@@ -9293,17 +9489,17 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ipa.5.xml:197 sssd-ad.5.xml:941
++#: sssd-ipa.5.xml:197 sssd-ad.5.xml:960
+ msgid "Example: dyndns_iface = em1, vnet1, vnet2"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ipa.5.xml:203 sssd-ad.5.xml:992
++#: sssd-ipa.5.xml:203 sssd-ad.5.xml:1011
+ msgid "dyndns_auth (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ipa.5.xml:206 sssd-ad.5.xml:995
++#: sssd-ipa.5.xml:206 sssd-ad.5.xml:1014
+ msgid ""
+ "Whether the nsupdate utility should use GSS-TSIG authentication for secure "
+ "updates with the DNS server, insecure updates can be sent by setting this "
+@@ -9311,7 +9507,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ipa.5.xml:212 sssd-ad.5.xml:1001
++#: sssd-ipa.5.xml:212 sssd-ad.5.xml:1020
+ msgid "Default: GSS-TSIG"
+ msgstr ""
+ 
+@@ -9338,7 +9534,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ipa.5.xml:244 sssd-ad.5.xml:947
++#: sssd-ipa.5.xml:244 sssd-ad.5.xml:966
+ msgid "dyndns_refresh_interval (integer)"
+ msgstr "dyndns_refresh_interval (整数)"
+ 
+@@ -9351,12 +9547,12 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ipa.5.xml:260 sssd-ad.5.xml:965
++#: sssd-ipa.5.xml:260 sssd-ad.5.xml:984
+ msgid "dyndns_update_ptr (bool)"
+ msgstr "dyndns_update_ptr (論理値)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ipa.5.xml:263 sssd-ad.5.xml:968
++#: sssd-ipa.5.xml:263 sssd-ad.5.xml:987
+ msgid ""
+ "Whether the PTR record should also be explicitly updated when updating the "
+ "client's DNS records.  Applicable only when dyndns_update is true."
+@@ -9375,12 +9571,12 @@ msgid "Default: False (disabled)"
+ msgstr "初期値: False (無効)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ipa.5.xml:280 sssd-ad.5.xml:979
++#: sssd-ipa.5.xml:280 sssd-ad.5.xml:998
+ msgid "dyndns_force_tcp (bool)"
+ msgstr "dyndns_force_tcp (論理値)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ipa.5.xml:283 sssd-ad.5.xml:982
++#: sssd-ipa.5.xml:283 sssd-ad.5.xml:1001
+ msgid ""
+ "Whether the nsupdate utility should default to using TCP for communicating "
+ "with the DNS server."
+@@ -9389,38 +9585,38 @@ msgstr ""
+ "どうか。"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ipa.5.xml:287 sssd-ad.5.xml:986
++#: sssd-ipa.5.xml:287 sssd-ad.5.xml:1005
+ msgid "Default: False (let nsupdate choose the protocol)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ipa.5.xml:293 sssd-ad.5.xml:1007
++#: sssd-ipa.5.xml:293 sssd-ad.5.xml:1026
+ msgid "dyndns_server (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ipa.5.xml:296 sssd-ad.5.xml:1010
++#: sssd-ipa.5.xml:296 sssd-ad.5.xml:1029
+ msgid ""
+ "The DNS server to use when performing a DNS update. In most setups, it's "
+ "recommended to leave this option unset."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ipa.5.xml:301 sssd-ad.5.xml:1015
++#: sssd-ipa.5.xml:301 sssd-ad.5.xml:1034
+ msgid ""
+ "Setting this option makes sense for environments where the DNS server is "
+ "different from the identity server."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ipa.5.xml:306 sssd-ad.5.xml:1020
++#: sssd-ipa.5.xml:306 sssd-ad.5.xml:1039
+ msgid ""
+ "Please note that this option will be only used in fallback attempt when "
+ "previous attempt using autodetected settings failed."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ipa.5.xml:311 sssd-ad.5.xml:1025
++#: sssd-ipa.5.xml:311 sssd-ad.5.xml:1044
+ msgid "Default: None (let nsupdate choose the server)"
+ msgstr ""
+ 
+@@ -9541,26 +9737,26 @@ msgstr ""
+ "めに使用するベース DN に変換されます。"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ipa.5.xml:443 sssd-ad.5.xml:1034
++#: sssd-ipa.5.xml:443 sssd-ad.5.xml:1053
+ msgid "krb5_confd_path (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ipa.5.xml:446 sssd-ad.5.xml:1037
++#: sssd-ipa.5.xml:446 sssd-ad.5.xml:1056
+ msgid ""
+ "Absolute path of a directory where SSSD should place Kerberos configuration "
+ "snippets."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ipa.5.xml:450 sssd-ad.5.xml:1041
++#: sssd-ipa.5.xml:450 sssd-ad.5.xml:1060
+ msgid ""
+ "To disable the creation of the configuration snippets set the parameter to "
+ "'none'."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ipa.5.xml:454 sssd-ad.5.xml:1045
++#: sssd-ipa.5.xml:454 sssd-ad.5.xml:1064
+ msgid ""
+ "Default: not set (krb5.include.d subdirectory of SSSD's pubconf directory)"
+ msgstr ""
+@@ -9579,7 +9775,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ipa.5.xml:471 sssd-ipa.5.xml:501 sssd-ipa.5.xml:517 sssd-ad.5.xml:452
++#: sssd-ipa.5.xml:471 sssd-ipa.5.xml:501 sssd-ipa.5.xml:517 sssd-ad.5.xml:471
+ msgid "Default: 5 (seconds)"
+ msgstr "初期値: 5 (秒)"
+ 
+@@ -10478,12 +10674,29 @@ msgid "Default: False (seconds)"
+ msgstr "初期値: 5 (秒)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ad.5.xml:442
++#: sssd-ad.5.xml:441
++#, fuzzy
++#| msgid "ldap_referrals (boolean)"
++msgid "ad_gpo_ignore_unreadable (boolean)"
++msgstr "ldap_referrals (論理値)"
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
++#: sssd-ad.5.xml:444
++msgid ""
++"Normally when some group policy containers (AD object) of applicable group "
++"policy objects are not readable by SSSD then users are denied access.  This "
++"option allows to ignore group policy containers and with them associated "
++"policies if their attributes in group policy containers are not readable for "
++"SSSD."
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
++#: sssd-ad.5.xml:461
+ msgid "ad_gpo_cache_timeout (integer)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:445
++#: sssd-ad.5.xml:464
+ msgid ""
+ "The amount of time between lookups of GPO policy files against the AD "
+ "server. This will reduce the latency and load on the AD server if there are "
+@@ -10491,12 +10704,12 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ad.5.xml:458
++#: sssd-ad.5.xml:477
+ msgid "ad_gpo_map_interactive (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:461
++#: sssd-ad.5.xml:480
+ msgid ""
+ "A comma-separated list of PAM service names for which GPO-based access "
+ "control is evaluated based on the InteractiveLogonRight and "
+@@ -10504,14 +10717,14 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:467
++#: sssd-ad.5.xml:486
+ msgid ""
+ "Note: Using the Group Policy Management Editor this value is called \"Allow "
+ "log on locally\" and \"Deny log on locally\"."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
+-#: sssd-ad.5.xml:481
++#: sssd-ad.5.xml:500
+ #, no-wrap
+ msgid ""
+ "ad_gpo_map_interactive = +my_pam_service, -login\n"
+@@ -10519,7 +10732,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:472
++#: sssd-ad.5.xml:491
+ msgid ""
+ "It is possible to add another PAM service name to the default set by using "
+ "<quote>+service_name</quote> or to explicitly remove a PAM service name from "
+@@ -10531,42 +10744,42 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd-ad.5.xml:504
++#: sssd-ad.5.xml:523
+ msgid "gdm-fingerprint"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd-ad.5.xml:524
++#: sssd-ad.5.xml:543
+ msgid "lightdm"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd-ad.5.xml:529
++#: sssd-ad.5.xml:548
+ msgid "lxdm"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd-ad.5.xml:534
++#: sssd-ad.5.xml:553
+ msgid "sddm"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd-ad.5.xml:539
++#: sssd-ad.5.xml:558
+ msgid "unity"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd-ad.5.xml:544
++#: sssd-ad.5.xml:563
+ msgid "xdm"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ad.5.xml:553
++#: sssd-ad.5.xml:572
+ msgid "ad_gpo_map_remote_interactive (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:556
++#: sssd-ad.5.xml:575
+ msgid ""
+ "A comma-separated list of PAM service names for which GPO-based access "
+ "control is evaluated based on the RemoteInteractiveLogonRight and "
+@@ -10574,7 +10787,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:562
++#: sssd-ad.5.xml:581
+ msgid ""
+ "Note: Using the Group Policy Management Editor this value is called \"Allow "
+ "log on through Remote Desktop Services\" and \"Deny log on through Remote "
+@@ -10582,7 +10795,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
+-#: sssd-ad.5.xml:577
++#: sssd-ad.5.xml:596
+ #, no-wrap
+ msgid ""
+ "ad_gpo_map_remote_interactive = +my_pam_service, -sshd\n"
+@@ -10590,7 +10803,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:568
++#: sssd-ad.5.xml:587
+ msgid ""
+ "It is possible to add another PAM service name to the default set by using "
+ "<quote>+service_name</quote> or to explicitly remove a PAM service name from "
+@@ -10602,22 +10815,22 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd-ad.5.xml:585
++#: sssd-ad.5.xml:604
+ msgid "sshd"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd-ad.5.xml:590
++#: sssd-ad.5.xml:609
+ msgid "cockpit"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ad.5.xml:599
++#: sssd-ad.5.xml:618
+ msgid "ad_gpo_map_network (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:602
++#: sssd-ad.5.xml:621
+ msgid ""
+ "A comma-separated list of PAM service names for which GPO-based access "
+ "control is evaluated based on the NetworkLogonRight and "
+@@ -10625,7 +10838,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:608
++#: sssd-ad.5.xml:627
+ msgid ""
+ "Note: Using the Group Policy Management Editor this value is called \"Access "
+ "this computer from the network\" and \"Deny access to this computer from the "
+@@ -10633,7 +10846,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
+-#: sssd-ad.5.xml:623
++#: sssd-ad.5.xml:642
+ #, no-wrap
+ msgid ""
+ "ad_gpo_map_network = +my_pam_service, -ftp\n"
+@@ -10641,7 +10854,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:614
++#: sssd-ad.5.xml:633
+ msgid ""
+ "It is possible to add another PAM service name to the default set by using "
+ "<quote>+service_name</quote> or to explicitly remove a PAM service name from "
+@@ -10653,22 +10866,22 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd-ad.5.xml:631
++#: sssd-ad.5.xml:650
+ msgid "ftp"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd-ad.5.xml:636
++#: sssd-ad.5.xml:655
+ msgid "samba"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ad.5.xml:645
++#: sssd-ad.5.xml:664
+ msgid "ad_gpo_map_batch (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:648
++#: sssd-ad.5.xml:667
+ msgid ""
+ "A comma-separated list of PAM service names for which GPO-based access "
+ "control is evaluated based on the BatchLogonRight and DenyBatchLogonRight "
+@@ -10676,14 +10889,14 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:654
++#: sssd-ad.5.xml:673
+ msgid ""
+ "Note: Using the Group Policy Management Editor this value is called \"Allow "
+ "log on as a batch job\" and \"Deny log on as a batch job\"."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
+-#: sssd-ad.5.xml:668
++#: sssd-ad.5.xml:687
+ #, no-wrap
+ msgid ""
+ "ad_gpo_map_batch = +my_pam_service, -crond\n"
+@@ -10691,7 +10904,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:659
++#: sssd-ad.5.xml:678
+ msgid ""
+ "It is possible to add another PAM service name to the default set by using "
+ "<quote>+service_name</quote> or to explicitly remove a PAM service name from "
+@@ -10703,23 +10916,23 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:671
++#: sssd-ad.5.xml:690
+ msgid ""
+ "Note: Cron service name may differ depending on Linux distribution used."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd-ad.5.xml:677
++#: sssd-ad.5.xml:696
+ msgid "crond"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ad.5.xml:686
++#: sssd-ad.5.xml:705
+ msgid "ad_gpo_map_service (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:689
++#: sssd-ad.5.xml:708
+ msgid ""
+ "A comma-separated list of PAM service names for which GPO-based access "
+ "control is evaluated based on the ServiceLogonRight and "
+@@ -10727,14 +10940,14 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:695
++#: sssd-ad.5.xml:714
+ msgid ""
+ "Note: Using the Group Policy Management Editor this value is called \"Allow "
+ "log on as a service\" and \"Deny log on as a service\"."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
+-#: sssd-ad.5.xml:708
++#: sssd-ad.5.xml:727
+ #, no-wrap
+ msgid ""
+ "ad_gpo_map_service = +my_pam_service\n"
+@@ -10742,7 +10955,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:700 sssd-ad.5.xml:775
++#: sssd-ad.5.xml:719 sssd-ad.5.xml:794
+ msgid ""
+ "It is possible to add a PAM service name to the default set by using <quote>"
+ "+service_name</quote>.  Since the default set is empty, it is not possible "
+@@ -10753,19 +10966,19 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ad.5.xml:718
++#: sssd-ad.5.xml:737
+ msgid "ad_gpo_map_permit (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:721
++#: sssd-ad.5.xml:740
+ msgid ""
+ "A comma-separated list of PAM service names for which GPO-based access is "
+ "always granted, regardless of any GPO Logon Rights."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
+-#: sssd-ad.5.xml:735
++#: sssd-ad.5.xml:754
+ #, no-wrap
+ msgid ""
+ "ad_gpo_map_permit = +my_pam_service, -sudo\n"
+@@ -10773,7 +10986,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:726
++#: sssd-ad.5.xml:745
+ msgid ""
+ "It is possible to add another PAM service name to the default set by using "
+ "<quote>+service_name</quote> or to explicitly remove a PAM service name from "
+@@ -10785,29 +10998,29 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd-ad.5.xml:743
++#: sssd-ad.5.xml:762
+ msgid "polkit-1"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd-ad.5.xml:758
++#: sssd-ad.5.xml:777
+ msgid "systemd-user"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ad.5.xml:767
++#: sssd-ad.5.xml:786
+ msgid "ad_gpo_map_deny (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:770
++#: sssd-ad.5.xml:789
+ msgid ""
+ "A comma-separated list of PAM service names for which GPO-based access is "
+ "always denied, regardless of any GPO Logon Rights."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
+-#: sssd-ad.5.xml:783
++#: sssd-ad.5.xml:802
+ #, no-wrap
+ msgid ""
+ "ad_gpo_map_deny = +my_pam_service\n"
+@@ -10815,12 +11028,12 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ad.5.xml:793
++#: sssd-ad.5.xml:812
+ msgid "ad_gpo_default_right (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:796
++#: sssd-ad.5.xml:815
+ msgid ""
+ "This option defines how access control is evaluated for PAM service names "
+ "that are not explicitly listed in one of the ad_gpo_map_* options. This "
+@@ -10833,57 +11046,57 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:809
++#: sssd-ad.5.xml:828
+ msgid "Supported values for this option include:"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd-ad.5.xml:813
++#: sssd-ad.5.xml:832
+ msgid "interactive"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd-ad.5.xml:818
++#: sssd-ad.5.xml:837
+ msgid "remote_interactive"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd-ad.5.xml:823
++#: sssd-ad.5.xml:842
+ msgid "network"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd-ad.5.xml:828
++#: sssd-ad.5.xml:847
+ msgid "batch"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd-ad.5.xml:833
++#: sssd-ad.5.xml:852
+ msgid "service"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd-ad.5.xml:838
++#: sssd-ad.5.xml:857
+ msgid "permit"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd-ad.5.xml:843
++#: sssd-ad.5.xml:862
+ msgid "deny"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:849
++#: sssd-ad.5.xml:868
+ msgid "Default: deny"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ad.5.xml:855
++#: sssd-ad.5.xml:874
+ msgid "ad_maximum_machine_account_password_age (integer)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:858
++#: sssd-ad.5.xml:877
+ msgid ""
+ "SSSD will check once a day if the machine account password is older than the "
+ "given age in days and try to renew it. A value of 0 will disable the renewal "
+@@ -10891,17 +11104,17 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:864
++#: sssd-ad.5.xml:883
+ msgid "Default: 30 days"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ad.5.xml:870
++#: sssd-ad.5.xml:889
+ msgid "ad_machine_account_password_renewal_opts (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:873
++#: sssd-ad.5.xml:892
+ msgid ""
+ "This option should only be used to test the machine account renewal task. "
+ "The option expects 2 integers separated by a colon (':'). The first integer "
+@@ -10911,12 +11124,12 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:882
++#: sssd-ad.5.xml:901
+ msgid "Default: 86400:750 (24h and 15m)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:891
++#: sssd-ad.5.xml:910
+ msgid ""
+ "Optional. This option tells SSSD to automatically update the Active "
+ "Directory DNS server with the IP address of this client. The update is "
+@@ -10927,19 +11140,19 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:921
++#: sssd-ad.5.xml:940
+ msgid "Default: 3600 (seconds)"
+ msgstr "初期値: 3600 (秒)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:937
++#: sssd-ad.5.xml:956
+ msgid ""
+ "Default: Use the IP addresses of the interface which is used for AD LDAP "
+ "connection"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:950
++#: sssd-ad.5.xml:969
+ msgid ""
+ "How often should the back end perform periodic DNS update in addition to the "
+ "automatic update performed when the back end goes online.  This option is "
+@@ -10949,12 +11162,12 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:973 sss_rpcidmapd.5.xml:76
++#: sssd-ad.5.xml:992 sss_rpcidmapd.5.xml:76
+ msgid "Default: True"
+ msgstr "初期値: True"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd-ad.5.xml:1065
++#: sssd-ad.5.xml:1084
+ msgid ""
+ "The following example assumes that SSSD is correctly configured and example."
+ "com is one of the domains in the <replaceable>[sssd]</replaceable> section. "
+@@ -10965,7 +11178,7 @@ msgstr ""
+ "AD プロバイダー固有のオプションのみ示してします。"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><programlisting>
+-#: sssd-ad.5.xml:1072
++#: sssd-ad.5.xml:1091
+ #, no-wrap
+ msgid ""
+ "[domain/EXAMPLE]\n"
+@@ -10989,7 +11202,7 @@ msgstr ""
+ "ad_domain = example.com\n"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><programlisting>
+-#: sssd-ad.5.xml:1092
++#: sssd-ad.5.xml:1111
+ #, no-wrap
+ msgid ""
+ "access_provider = ldap\n"
+@@ -11001,7 +11214,7 @@ msgstr ""
+ "ldap_account_expire_policy = ad\n"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd-ad.5.xml:1088
++#: sssd-ad.5.xml:1107
+ msgid ""
+ "The AD access control provider checks if the account is expired.  It has the "
+ "same effect as the following configuration of the LDAP provider: "
+@@ -11009,7 +11222,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd-ad.5.xml:1098
++#: sssd-ad.5.xml:1117
+ msgid ""
+ "However, unless the <quote>ad</quote> access control provider is explicitly "
+ "configured, the default access provider is <quote>permit</quote>. Please "
+@@ -11019,7 +11232,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd-ad.5.xml:1106
++#: sssd-ad.5.xml:1125
+ msgid ""
+ "When the autofs provider is set to <quote>ad</quote>, the RFC2307 schema "
+ "attribute mapping (nisMap, nisObject, ...) is used, because these attributes "
+@@ -12635,11 +12848,67 @@ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd-krb5.5.xml:505
++#, fuzzy
++#| msgid "krb5_ccachedir (string)"
++msgid "krb5_kdcinfo_lookahead (string)"
++msgstr "krb5_ccachedir (文字列)"
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
++#: sssd-krb5.5.xml:508
++#, fuzzy
++#| msgid ""
++#| "See the <citerefentry> <refentrytitle>sssd_krb5_locator_plugin</"
++#| "refentrytitle> <manvolnum>8</manvolnum> </citerefentry> manual page for "
++#| "more information on the locator plugin."
++msgid ""
++"When krb5_use_kdcinfo is set to true, you can limit the amount of servers "
++"handed to <citerefentry> <refentrytitle>sssd_krb5_locator_plugin</"
++"refentrytitle> <manvolnum>8</manvolnum> </citerefentry>.  This might be "
++"helpful when there are too many servers discovered using SRV record."
++msgstr ""
++"位置情報プラグインの詳細は <citerefentry> "
++"<refentrytitle>sssd_krb5_locator_plugin</refentrytitle> <manvolnum>8</"
++"manvolnum> </citerefentry> マニュアルページを参照ください。"
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
++#: sssd-krb5.5.xml:518
++msgid ""
++"The krb5_kdcinfo_lookahead option contains two numbers seperated by a colon. "
++"The first number represents number of primary servers used and the second "
++"number specifies the number of backup servers."
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
++#: sssd-krb5.5.xml:524
++#, fuzzy
++#| msgid ""
++#| "See the <citerefentry> <refentrytitle>sssd_krb5_locator_plugin</"
++#| "refentrytitle> <manvolnum>8</manvolnum> </citerefentry> manual page for "
++#| "more information on the locator plugin."
++msgid ""
++"For example <emphasis>10:0</emphasis> means that up to 10 primary servers "
++"will be handed to <citerefentry> <refentrytitle>sssd_krb5_locator_plugin</"
++"refentrytitle> <manvolnum>8</manvolnum> </citerefentry>.  but no backup "
++"servers."
++msgstr ""
++"位置情報プラグインの詳細は <citerefentry> "
++"<refentrytitle>sssd_krb5_locator_plugin</refentrytitle> <manvolnum>8</"
++"manvolnum> </citerefentry> マニュアルページを参照ください。"
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
++#: sssd-krb5.5.xml:533
++#, fuzzy
++#| msgid "Default: 3"
++msgid "Default: 3:1"
++msgstr "初期値: 3"
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
++#: sssd-krb5.5.xml:539
+ msgid "krb5_use_enterprise_principal (boolean)"
+ msgstr "krb5_use_enterprise_principal (論理値)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-krb5.5.xml:508
++#: sssd-krb5.5.xml:542
+ msgid ""
+ "Specifies if the user principal should be treated as enterprise principal. "
+ "See section 5 of RFC 6806 for more details about enterprise principals."
+@@ -12649,12 +12918,12 @@ msgstr ""
+ "してください。"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-krb5.5.xml:514
++#: sssd-krb5.5.xml:548
+ msgid "Default: false (AD provider: true)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-krb5.5.xml:517
++#: sssd-krb5.5.xml:551
+ msgid ""
+ "The IPA provider will set to option to 'true' if it detects that the server "
+ "is capable of handling enterprise principals and the option is not set "
+@@ -12662,12 +12931,12 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-krb5.5.xml:526
++#: sssd-krb5.5.xml:560
+ msgid "krb5_map_user (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-krb5.5.xml:529
++#: sssd-krb5.5.xml:563
+ msgid ""
+ "The list of mappings is given as a comma-separated list of pairs "
+ "<quote>username:primary</quote> where <quote>username</quote> is a UNIX user "
+@@ -12677,7 +12946,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
+-#: sssd-krb5.5.xml:541
++#: sssd-krb5.5.xml:575
+ #, no-wrap
+ msgid ""
+ "krb5_realm = REALM\n"
+@@ -12685,7 +12954,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-krb5.5.xml:546
++#: sssd-krb5.5.xml:580
+ msgid ""
+ "<quote>joe</quote> and <quote>dick</quote> are UNIX user names and "
+ "<quote>juser</quote> and <quote>richard</quote> are primaries of kerberos "
+@@ -12710,7 +12979,7 @@ msgstr ""
+ "quote> を参照してください。  <placeholder type=\"variablelist\" id=\"0\"/>"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd-krb5.5.xml:572
++#: sssd-krb5.5.xml:606
+ msgid ""
+ "The following example assumes that SSSD is correctly configured and FOO is "
+ "one of the domains in the <replaceable>[sssd]</replaceable> section. This "
+@@ -12722,7 +12991,7 @@ msgstr ""
+ "の設定のみを示し、識別プロバイダーを何も含みません。"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><programlisting>
+-#: sssd-krb5.5.xml:580
++#: sssd-krb5.5.xml:614
+ #, no-wrap
+ msgid ""
+ "[domain/FOO]\n"
+diff --git a/src/man/po/lv.po b/src/man/po/lv.po
+index 9e8a059fc..b02dc0276 100644
+--- a/src/man/po/lv.po
++++ b/src/man/po/lv.po
+@@ -9,7 +9,7 @@ msgid ""
+ msgstr ""
+ "Project-Id-Version: sssd-docs 2.0.99\n"
+ "Report-Msgid-Bugs-To: sssd-devel@redhat.com\n"
+-"POT-Creation-Date: 2019-03-20 22:06+0100\n"
++"POT-Creation-Date: 2019-10-07 11:33+0200\n"
+ "PO-Revision-Date: 2014-12-15 12:00+0000\n"
+ "Last-Translator: Copied by Zanata <copied-by-zanata@zanata.org>\n"
+ "Language-Team: Latvian (http://www.transifex.com/projects/p/sssd/language/"
+@@ -296,10 +296,10 @@ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:133 sssd.conf.5.xml:543 sssd.conf.5.xml:840
+-#: sssd.conf.5.xml:1566 sssd.conf.5.xml:1596 sssd-ldap.5.xml:1889
+-#: sssd-ldap.5.xml:1986 sssd-ldap.5.xml:2048 sssd-ldap.5.xml:2614
+-#: sssd-ldap.5.xml:2679 sssd-ldap.5.xml:2697 sssd-ad.5.xml:227
+-#: sssd-ad.5.xml:341 sssd-ad.5.xml:907 sssd-krb5.5.xml:499
++#: sssd.conf.5.xml:1566 sssd.conf.5.xml:1596 sssd-ldap.5.xml:1908
++#: sssd-ldap.5.xml:2006 sssd-ldap.5.xml:2068 sssd-ldap.5.xml:2634
++#: sssd-ldap.5.xml:2699 sssd-ldap.5.xml:2717 sssd-ad.5.xml:227
++#: sssd-ad.5.xml:341 sssd-ad.5.xml:926 sssd-krb5.5.xml:499
+ #: sssd-secrets.5.xml:351 sssd-secrets.5.xml:364
+ msgid "Default: true"
+ msgstr ""
+@@ -318,16 +318,16 @@ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:146 sssd.conf.5.xml:540 sssd.conf.5.xml:722
+-#: sssd.conf.5.xml:1499 sssd.conf.5.xml:3106 sssd-ldap.5.xml:746
+-#: sssd-ldap.5.xml:1752 sssd-ldap.5.xml:1771 sssd-ldap.5.xml:1958
+-#: sssd-ldap.5.xml:2384 sssd-ipa.5.xml:151 sssd-ipa.5.xml:238
++#: sssd.conf.5.xml:1499 sssd.conf.5.xml:3129 sssd-ldap.5.xml:746
++#: sssd-ldap.5.xml:1759 sssd-ldap.5.xml:1778 sssd-ldap.5.xml:1978
++#: sssd-ldap.5.xml:2404 sssd-ipa.5.xml:151 sssd-ipa.5.xml:238
+ #: sssd-ipa.5.xml:559 sssd-krb5.5.xml:266 sssd-krb5.5.xml:300
+ #: sssd-krb5.5.xml:471
+ msgid "Default: false"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para>
+-#: sssd.conf.5.xml:106 sssd.conf.5.xml:157 sssd-ldap.5.xml:2422
++#: sssd.conf.5.xml:106 sssd.conf.5.xml:157 sssd-ldap.5.xml:2442
+ #: sssd-systemtap.5.xml:82 sssd-systemtap.5.xml:143 sssd-systemtap.5.xml:210
+ #: sssd-systemtap.5.xml:248 sssd-systemtap.5.xml:304
+ msgid "<placeholder type=\"variablelist\" id=\"0\"/>"
+@@ -352,8 +352,8 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:169 sssd.conf.5.xml:1377 sssd.conf.5.xml:3122
+-#: sssd-ldap.5.xml:1623 include/ldap_id_mapping.xml:264
++#: sssd.conf.5.xml:169 sssd.conf.5.xml:1377 sssd.conf.5.xml:3145
++#: sssd-ldap.5.xml:1630 include/ldap_id_mapping.xml:264
+ msgid "Default: 10"
+ msgstr "Noklusējuma: 10"
+ 
+@@ -368,7 +368,7 @@ msgid "The [sssd] section"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><title>
+-#: sssd.conf.5.xml:191 sssd.conf.5.xml:3211
++#: sssd.conf.5.xml:191 sssd.conf.5.xml:3234
+ msgid "Section parameters"
+ msgstr ""
+ 
+@@ -448,7 +448,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:259 sssd.conf.5.xml:2672
++#: sssd.conf.5.xml:259 sssd.conf.5.xml:2680
+ msgid "re_expression (string)"
+ msgstr ""
+ 
+@@ -468,12 +468,12 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:276 sssd.conf.5.xml:2720
++#: sssd.conf.5.xml:276 sssd.conf.5.xml:2728
+ msgid "full_name_format (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:279 sssd.conf.5.xml:2723
++#: sssd.conf.5.xml:279 sssd.conf.5.xml:2731
+ msgid ""
+ "A <citerefentry> <refentrytitle>printf</refentrytitle> <manvolnum>3</"
+ "manvolnum> </citerefentry>-compatible format that describes how to compose a "
+@@ -481,39 +481,39 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:290 sssd.conf.5.xml:2734
++#: sssd.conf.5.xml:290 sssd.conf.5.xml:2742
+ msgid "%1$s"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:291 sssd.conf.5.xml:2735
++#: sssd.conf.5.xml:291 sssd.conf.5.xml:2743
+ msgid "user name"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:294 sssd.conf.5.xml:2738
++#: sssd.conf.5.xml:294 sssd.conf.5.xml:2746
+ msgid "%2$s"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:297 sssd.conf.5.xml:2741
++#: sssd.conf.5.xml:297 sssd.conf.5.xml:2749
+ msgid "domain name as specified in the SSSD config file."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:303 sssd.conf.5.xml:2747
++#: sssd.conf.5.xml:303 sssd.conf.5.xml:2755
+ msgid "%3$s"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:306 sssd.conf.5.xml:2750
++#: sssd.conf.5.xml:306 sssd.conf.5.xml:2758
+ msgid ""
+ "domain flat name. Mostly usable for Active Directory domains, both directly "
+ "configured or discovered via IPA trusts."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:287 sssd.conf.5.xml:2731
++#: sssd.conf.5.xml:287 sssd.conf.5.xml:2739
+ msgid ""
+ "The following expansions are supported: <placeholder type=\"variablelist\" "
+ "id=\"0\"/>"
+@@ -638,9 +638,9 @@ msgstr ""
+ 
+ #. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:418 sssd.conf.5.xml:1166 sssd-ldap.5.xml:717
+-#: sssd-ldap.5.xml:1357 sssd-ldap.5.xml:1711 sssd-ldap.5.xml:1723
+-#: sssd-ldap.5.xml:1805 sssd-ad.5.xml:712 sssd-ad.5.xml:787 sssd.8.xml:126
+-#: sssd-krb5.5.xml:410 sssd-krb5.5.xml:556 sssd-secrets.5.xml:339
++#: sssd-ldap.5.xml:1357 sssd-ldap.5.xml:1718 sssd-ldap.5.xml:1730
++#: sssd-ldap.5.xml:1822 sssd-ad.5.xml:731 sssd-ad.5.xml:806 sssd.8.xml:126
++#: sssd-krb5.5.xml:410 sssd-krb5.5.xml:590 sssd-secrets.5.xml:339
+ #: sssd-secrets.5.xml:377 sssd-secrets.5.xml:390 sssd-secrets.5.xml:404
+ #: sssd-secrets.5.xml:415 include/ldap_id_mapping.xml:205
+ #: include/ldap_id_mapping.xml:216
+@@ -831,7 +831,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:588 sssd.conf.5.xml:1389 sssd.conf.5.xml:3172
++#: sssd.conf.5.xml:588 sssd.conf.5.xml:1389 sssd.conf.5.xml:3195
+ #: sssd-ad.5.xml:164 sssd-ad.5.xml:302 sssd-ad.5.xml:316
+ msgid "Default: Not set"
+ msgstr ""
+@@ -1153,7 +1153,7 @@ msgstr ""
+ 
+ #. type: Content of: <varlistentry><listitem><para>
+ #: sssd.conf.5.xml:859 sssd.conf.5.xml:1299 sssd.conf.5.xml:1318
+-#: sssd-krb5.5.xml:539 include/override_homedir.xml:59
++#: sssd-krb5.5.xml:573 include/override_homedir.xml:59
+ msgid "example: <placeholder type=\"programlisting\" id=\"0\"/>"
+ msgstr ""
+ 
+@@ -1574,7 +1574,7 @@ msgid "pam_pwd_expiration_warning (integer)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:1201 sssd.conf.5.xml:2153
++#: sssd.conf.5.xml:1201 sssd.conf.5.xml:2161
+ msgid "Display a warning N days before the password expires."
+ msgstr ""
+ 
+@@ -1587,7 +1587,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:1210 sssd.conf.5.xml:2156
++#: sssd.conf.5.xml:1210 sssd.conf.5.xml:2164
+ msgid ""
+ "If zero is set, then this filter is not applied, i.e. if the expiration "
+ "warning was received from backend server, it will automatically be displayed."
+@@ -1601,7 +1601,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:1220 sssd.conf.5.xml:2976 sssd.8.xml:79
++#: sssd.conf.5.xml:1220 sssd.conf.5.xml:2991 sssd.8.xml:79
+ msgid "Default: 0"
+ msgstr ""
+ 
+@@ -1664,7 +1664,7 @@ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:1280 sssd.conf.5.xml:1305 sssd.conf.5.xml:1324
+-#: sssd.conf.5.xml:1950 sssd.conf.5.xml:2912 sssd-ldap.5.xml:2017
++#: sssd.conf.5.xml:1950 sssd.conf.5.xml:2920 sssd-ldap.5.xml:2037
+ msgid "Default: none"
+ msgstr ""
+ 
+@@ -1729,9 +1729,9 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:1338 sssd.conf.5.xml:3056 sssd-ldap.5.xml:1125
+-#: sssd-ldap.5.xml:1152 sssd-ldap.5.xml:1552 sssd-ldap.5.xml:1573
+-#: sssd-ldap.5.xml:2090 include/ldap_id_mapping.xml:244
++#: sssd.conf.5.xml:1338 sssd-ldap.5.xml:1125 sssd-ldap.5.xml:1152
++#: sssd-ldap.5.xml:1552 sssd-ldap.5.xml:1573 sssd-ldap.5.xml:2110
++#: sssd-ad.5.xml:453 include/ldap_id_mapping.xml:244
+ msgid "Default: False"
+ msgstr ""
+ 
+@@ -1829,48 +1829,48 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:1416 sssd-ad.5.xml:485 sssd-ad.5.xml:581 sssd-ad.5.xml:627
+-#: sssd-ad.5.xml:673 sssd-ad.5.xml:739
++#: sssd.conf.5.xml:1416 sssd-ad.5.xml:504 sssd-ad.5.xml:600 sssd-ad.5.xml:646
++#: sssd-ad.5.xml:692 sssd-ad.5.xml:758
+ msgid "Default: the default set of PAM service names includes:"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd.conf.5.xml:1421 sssd-ad.5.xml:489
++#: sssd.conf.5.xml:1421 sssd-ad.5.xml:508
+ msgid "login"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd.conf.5.xml:1426 sssd-ad.5.xml:494
++#: sssd.conf.5.xml:1426 sssd-ad.5.xml:513
+ msgid "su"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd.conf.5.xml:1431 sssd-ad.5.xml:499
++#: sssd.conf.5.xml:1431 sssd-ad.5.xml:518
+ msgid "su-l"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd.conf.5.xml:1436 sssd-ad.5.xml:514
++#: sssd.conf.5.xml:1436 sssd-ad.5.xml:533
+ msgid "gdm-smartcard"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd.conf.5.xml:1441 sssd-ad.5.xml:509
++#: sssd.conf.5.xml:1441 sssd-ad.5.xml:528
+ msgid "gdm-password"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd.conf.5.xml:1446 sssd-ad.5.xml:519
++#: sssd.conf.5.xml:1446 sssd-ad.5.xml:538
+ msgid "kdm"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd.conf.5.xml:1451 sssd-ad.5.xml:748
++#: sssd.conf.5.xml:1451 sssd-ad.5.xml:767
+ msgid "sudo"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd.conf.5.xml:1456 sssd-ad.5.xml:753
++#: sssd.conf.5.xml:1456 sssd-ad.5.xml:772
+ msgid "sudo-i"
+ msgstr ""
+ 
+@@ -2313,7 +2313,7 @@ msgid "FALSE = No enumerations for this domain"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:1886 sssd.conf.5.xml:2108 sssd.conf.5.xml:2283
++#: sssd.conf.5.xml:1886 sssd.conf.5.xml:2116 sssd.conf.5.xml:2291
+ msgid "Default: FALSE"
+ msgstr ""
+ 
+@@ -2529,41 +2529,49 @@ msgstr ""
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:2083
+ msgid ""
+-"The background refresh will process users, groups and netgroups in the cache."
++"The background refresh will process users, groups and netgroups in the "
++"cache. For users who have performed the initgroups (get group membership for "
++"user, typically ran at login)  operation in the past, both the user entry "
++"and the group membership are updated."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2087
++#: sssd.conf.5.xml:2091
++msgid "This option is automatically inherited for all trusted domains."
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
++#: sssd.conf.5.xml:2095
+ msgid "You can consider setting this value to 3/4 * entry_cache_timeout."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2091 sssd-ldap.5.xml:784 sssd-ipa.5.xml:254
++#: sssd.conf.5.xml:2099 sssd-ldap.5.xml:784 sssd-ipa.5.xml:254
+ msgid "Default: 0 (disabled)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2097
++#: sssd.conf.5.xml:2105
+ msgid "cache_credentials (bool)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2100
++#: sssd.conf.5.xml:2108
+ msgid "Determines if user credentials are also cached in the local LDB cache"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2104
++#: sssd.conf.5.xml:2112
+ msgid "User credentials are stored in a SHA512 hash, not in plaintext"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2114
++#: sssd.conf.5.xml:2122
+ msgid "cache_credentials_minimal_first_factor_length (int)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2117
++#: sssd.conf.5.xml:2125
+ msgid ""
+ "If 2-Factor-Authentication (2FA) is used and credentials should be saved "
+ "this value determines the minimal length the first authentication factor "
+@@ -2571,24 +2579,24 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2124
++#: sssd.conf.5.xml:2132
+ msgid ""
+ "This should avoid that the short PINs of a PIN based 2FA scheme are saved in "
+ "the cache which would make them easy targets for brute-force attacks."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2129
++#: sssd.conf.5.xml:2137
+ msgid "Default: 8"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2135
++#: sssd.conf.5.xml:2143
+ msgid "account_cache_expiration (integer)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2138
++#: sssd.conf.5.xml:2146
+ msgid ""
+ "Number of days entries are left in cache after last successful login before "
+ "being removed during a cleanup of the cache. 0 means keep forever.  The "
+@@ -2597,17 +2605,17 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2145
++#: sssd.conf.5.xml:2153
+ msgid "Default: 0 (unlimited)"
+ msgstr "Noklusējuma: 0 (neierobežots)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2150
++#: sssd.conf.5.xml:2158
+ msgid "pwd_expiration_warning (integer)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2161
++#: sssd.conf.5.xml:2169
+ msgid ""
+ "Please note that the backend server has to provide information about the "
+ "expiration time of the password.  If this information is missing, sssd "
+@@ -2616,34 +2624,34 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2168
++#: sssd.conf.5.xml:2176
+ msgid "Default: 7 (Kerberos), 0 (LDAP)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2174
++#: sssd.conf.5.xml:2182
+ msgid "id_provider (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2177
++#: sssd.conf.5.xml:2185
+ msgid ""
+ "The identification provider used for the domain.  Supported ID providers are:"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2181
++#: sssd.conf.5.xml:2189
+ msgid "<quote>proxy</quote>: Support a legacy NSS provider."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2184
++#: sssd.conf.5.xml:2192
+ msgid ""
+ "<quote>local</quote>: SSSD internal provider for local users (DEPRECATED)."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2188
++#: sssd.conf.5.xml:2196
+ msgid ""
+ "<quote>files</quote>: FILES provider. See <citerefentry> <refentrytitle>sssd-"
+ "files</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> for more "
+@@ -2651,7 +2659,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2196
++#: sssd.conf.5.xml:2204
+ msgid ""
+ "<quote>ldap</quote>: LDAP provider. See <citerefentry> <refentrytitle>sssd-"
+ "ldap</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> for more "
+@@ -2659,8 +2667,8 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2204 sssd.conf.5.xml:2309 sssd.conf.5.xml:2364
+-#: sssd.conf.5.xml:2427
++#: sssd.conf.5.xml:2212 sssd.conf.5.xml:2317 sssd.conf.5.xml:2372
++#: sssd.conf.5.xml:2435
+ msgid ""
+ "<quote>ipa</quote>: FreeIPA and Red Hat Enterprise Identity Management "
+ "provider. See <citerefentry> <refentrytitle>sssd-ipa</refentrytitle> "
+@@ -2669,8 +2677,8 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2213 sssd.conf.5.xml:2318 sssd.conf.5.xml:2373
+-#: sssd.conf.5.xml:2436
++#: sssd.conf.5.xml:2221 sssd.conf.5.xml:2326 sssd.conf.5.xml:2381
++#: sssd.conf.5.xml:2444
+ msgid ""
+ "<quote>ad</quote>: Active Directory provider. See <citerefentry> "
+ "<refentrytitle>sssd-ad</refentrytitle> <manvolnum>5</manvolnum> </"
+@@ -2678,19 +2686,19 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2224
++#: sssd.conf.5.xml:2232
+ msgid "use_fully_qualified_names (bool)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2227
++#: sssd.conf.5.xml:2235
+ msgid ""
+ "Use the full name and domain (as formatted by the domain's full_name_format) "
+ "as the user's login name reported to NSS."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2232
++#: sssd.conf.5.xml:2240
+ msgid ""
+ "If set to TRUE, all requests to this domain must use fully qualified names. "
+ "For example, if used in LOCAL domain that contains a \"test\" user, "
+@@ -2699,7 +2707,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2240
++#: sssd.conf.5.xml:2248
+ msgid ""
+ "NOTE: This option has no effect on netgroup lookups due to their tendency to "
+ "include nested netgroups without qualified names. For netgroups, all domains "
+@@ -2707,22 +2715,22 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2247
++#: sssd.conf.5.xml:2255
+ msgid "Default: FALSE (TRUE if default_domain_suffix is used)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2253
++#: sssd.conf.5.xml:2261
+ msgid "ignore_group_members (bool)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2256
++#: sssd.conf.5.xml:2264
+ msgid "Do not return group members for group lookups."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2259
++#: sssd.conf.5.xml:2267
+ msgid ""
+ "If set to TRUE, the group membership attribute is not requested from the "
+ "ldap server, and group members are not returned when processing group lookup "
+@@ -2734,7 +2742,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2277
++#: sssd.conf.5.xml:2285
+ msgid ""
+ "Enabling this option can also make access provider checks for group "
+ "membership significantly faster, especially for groups containing many "
+@@ -2742,19 +2750,19 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2288
++#: sssd.conf.5.xml:2296
+ msgid "auth_provider (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2291
++#: sssd.conf.5.xml:2299
+ msgid ""
+ "The authentication provider used for the domain.  Supported auth providers "
+ "are:"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2295 sssd.conf.5.xml:2357
++#: sssd.conf.5.xml:2303 sssd.conf.5.xml:2365
+ msgid ""
+ "<quote>ldap</quote> for native LDAP authentication. See <citerefentry> "
+ "<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
+@@ -2762,7 +2770,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2302
++#: sssd.conf.5.xml:2310
+ msgid ""
+ "<quote>krb5</quote> for Kerberos authentication. See <citerefentry> "
+ "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </"
+@@ -2770,35 +2778,35 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2326
++#: sssd.conf.5.xml:2334
+ msgid ""
+ "<quote>proxy</quote> for relaying authentication to some other PAM target."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2329
++#: sssd.conf.5.xml:2337
+ msgid "<quote>local</quote>: SSSD internal provider for local users"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2333
++#: sssd.conf.5.xml:2341
+ msgid "<quote>none</quote> disables authentication explicitly."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2336
++#: sssd.conf.5.xml:2344
+ msgid ""
+ "Default: <quote>id_provider</quote> is used if it is set and can handle "
+ "authentication requests."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2342
++#: sssd.conf.5.xml:2350
+ msgid "access_provider (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2345
++#: sssd.conf.5.xml:2353
+ msgid ""
+ "The access control provider used for the domain.  There are two built-in "
+ "access providers (in addition to any included in installed backends)  "
+@@ -2806,19 +2814,19 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2351
++#: sssd.conf.5.xml:2359
+ msgid ""
+ "<quote>permit</quote> always allow access. It's the only permitted access "
+ "provider for a local domain."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2354
++#: sssd.conf.5.xml:2362
+ msgid "<quote>deny</quote> always deny access."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2381
++#: sssd.conf.5.xml:2389
+ msgid ""
+ "<quote>simple</quote> access control based on access or deny lists. See "
+ "<citerefentry> <refentrytitle>sssd-simple</refentrytitle> <manvolnum>5</"
+@@ -2827,7 +2835,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2388
++#: sssd.conf.5.xml:2396
+ msgid ""
+ "<quote>krb5</quote>: .k5login based access control.  See <citerefentry> "
+ "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum></"
+@@ -2835,29 +2843,29 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2395
++#: sssd.conf.5.xml:2403
+ msgid "<quote>proxy</quote> for relaying access control to another PAM module."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2398
++#: sssd.conf.5.xml:2406
+ msgid "Default: <quote>permit</quote>"
+ msgstr "Noklusējuma: <quote>atļaut</quote>"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2403
++#: sssd.conf.5.xml:2411
+ msgid "chpass_provider (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2406
++#: sssd.conf.5.xml:2414
+ msgid ""
+ "The provider which should handle change password operations for the domain.  "
+ "Supported change password providers are:"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2411
++#: sssd.conf.5.xml:2419
+ msgid ""
+ "<quote>ldap</quote> to change a password stored in a LDAP server. See "
+ "<citerefentry> <refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</"
+@@ -2865,7 +2873,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2419
++#: sssd.conf.5.xml:2427
+ msgid ""
+ "<quote>krb5</quote> to change the Kerberos password. See <citerefentry> "
+ "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </"
+@@ -2873,35 +2881,35 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2444
++#: sssd.conf.5.xml:2452
+ msgid ""
+ "<quote>proxy</quote> for relaying password changes to some other PAM target."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2448
++#: sssd.conf.5.xml:2456
+ msgid "<quote>none</quote> disallows password changes explicitly."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2451
++#: sssd.conf.5.xml:2459
+ msgid ""
+ "Default: <quote>auth_provider</quote> is used if it is set and can handle "
+ "change password requests."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2458
++#: sssd.conf.5.xml:2466
+ msgid "sudo_provider (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2461
++#: sssd.conf.5.xml:2469
+ msgid "The SUDO provider used for the domain.  Supported SUDO providers are:"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2465
++#: sssd.conf.5.xml:2473
+ msgid ""
+ "<quote>ldap</quote> for rules stored in LDAP. See <citerefentry> "
+ "<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
+@@ -2909,32 +2917,32 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2473
++#: sssd.conf.5.xml:2481
+ msgid ""
+ "<quote>ipa</quote> the same as <quote>ldap</quote> but with IPA default "
+ "settings."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2477
++#: sssd.conf.5.xml:2485
+ msgid ""
+ "<quote>ad</quote> the same as <quote>ldap</quote> but with AD default "
+ "settings."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2481
++#: sssd.conf.5.xml:2489
+ msgid "<quote>none</quote> disables SUDO explicitly."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2484 sssd.conf.5.xml:2570 sssd.conf.5.xml:2640
+-#: sssd.conf.5.xml:2665
++#: sssd.conf.5.xml:2492 sssd.conf.5.xml:2578 sssd.conf.5.xml:2648
++#: sssd.conf.5.xml:2673
+ msgid "Default: The value of <quote>id_provider</quote> is used if it is set."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2488
++#: sssd.conf.5.xml:2496
+ msgid ""
+ "The detailed instructions for configuration of sudo_provider are in the "
+ "manual page <citerefentry> <refentrytitle>sssd-sudo</refentrytitle> "
+@@ -2945,7 +2953,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2503
++#: sssd.conf.5.xml:2511
+ msgid ""
+ "<emphasis>NOTE:</emphasis> Sudo rules are periodically downloaded in the "
+ "background unless the sudo provider is explicitly disabled. Set "
+@@ -2954,12 +2962,12 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2513
++#: sssd.conf.5.xml:2521
+ msgid "selinux_provider (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2516
++#: sssd.conf.5.xml:2524
+ msgid ""
+ "The provider which should handle loading of selinux settings. Note that this "
+ "provider will be called right after access provider ends.  Supported selinux "
+@@ -2967,7 +2975,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2522
++#: sssd.conf.5.xml:2530
+ msgid ""
+ "<quote>ipa</quote> to load selinux settings from an IPA server. See "
+ "<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</"
+@@ -2975,31 +2983,31 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2530
++#: sssd.conf.5.xml:2538
+ msgid "<quote>none</quote> disallows fetching selinux settings explicitly."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2533
++#: sssd.conf.5.xml:2541
+ msgid ""
+ "Default: <quote>id_provider</quote> is used if it is set and can handle "
+ "selinux loading requests."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2539
++#: sssd.conf.5.xml:2547
+ msgid "subdomains_provider (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2542
++#: sssd.conf.5.xml:2550
+ msgid ""
+ "The provider which should handle fetching of subdomains. This value should "
+ "be always the same as id_provider.  Supported subdomain providers are:"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2548
++#: sssd.conf.5.xml:2556
+ msgid ""
+ "<quote>ipa</quote> to load a list of subdomains from an IPA server. See "
+ "<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</"
+@@ -3007,7 +3015,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2557
++#: sssd.conf.5.xml:2565
+ msgid ""
+ "<quote>ad</quote> to load a list of subdomains from an Active Directory "
+ "server. See <citerefentry> <refentrytitle>sssd-ad</refentrytitle> "
+@@ -3016,17 +3024,17 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2566
++#: sssd.conf.5.xml:2574
+ msgid "<quote>none</quote> disallows fetching subdomains explicitly."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2576
++#: sssd.conf.5.xml:2584
+ msgid "session_provider (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2579
++#: sssd.conf.5.xml:2587
+ msgid ""
+ "The provider which configures and manages user session related tasks. The "
+ "only user session task currently provided is the integration with Fleet "
+@@ -3034,43 +3042,43 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2586
++#: sssd.conf.5.xml:2594
+ msgid "<quote>ipa</quote> to allow performing user session related tasks."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2590
++#: sssd.conf.5.xml:2598
+ msgid ""
+ "<quote>none</quote> does not perform any kind of user session related tasks."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2594
++#: sssd.conf.5.xml:2602
+ msgid ""
+ "Default: <quote>id_provider</quote> is used if it is set and can perform "
+ "session related tasks."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2598
++#: sssd.conf.5.xml:2606
+ msgid ""
+ "<emphasis>NOTE:</emphasis> In order to have this feature working as expected "
+ "SSSD must be running as \"root\" and not as the unprivileged user."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2606
++#: sssd.conf.5.xml:2614
+ msgid "autofs_provider (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2609
++#: sssd.conf.5.xml:2617
+ msgid ""
+ "The autofs provider used for the domain.  Supported autofs providers are:"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2613
++#: sssd.conf.5.xml:2621
+ msgid ""
+ "<quote>ldap</quote> to load maps stored in LDAP. See <citerefentry> "
+ "<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
+@@ -3078,7 +3086,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2620
++#: sssd.conf.5.xml:2628
+ msgid ""
+ "<quote>ipa</quote> to load maps stored in an IPA server. See <citerefentry> "
+ "<refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</manvolnum> </"
+@@ -3086,7 +3094,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2628
++#: sssd.conf.5.xml:2636
+ msgid ""
+ "<quote>ad</quote> to load maps stored in an AD server. See <citerefentry> "
+ "<refentrytitle>sssd-ad</refentrytitle> <manvolnum>5</manvolnum> </"
+@@ -3094,24 +3102,24 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2637
++#: sssd.conf.5.xml:2645
+ msgid "<quote>none</quote> disables autofs explicitly."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2647
++#: sssd.conf.5.xml:2655
+ msgid "hostid_provider (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2650
++#: sssd.conf.5.xml:2658
+ msgid ""
+ "The provider used for retrieving host identity information.  Supported "
+ "hostid providers are:"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2654
++#: sssd.conf.5.xml:2662
+ msgid ""
+ "<quote>ipa</quote> to load host identity stored in an IPA server. See "
+ "<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</"
+@@ -3119,12 +3127,12 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2662
++#: sssd.conf.5.xml:2670
+ msgid "<quote>none</quote> disables hostid explicitly."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2675
++#: sssd.conf.5.xml:2683
+ msgid ""
+ "Regular expression for this domain that describes how to parse the string "
+ "containing user name and domain into these components.  The \"domain\" can "
+@@ -3134,7 +3142,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2684
++#: sssd.conf.5.xml:2692
+ msgid ""
+ "Default for the AD and IPA provider: <quote>(((?P&lt;domain&gt;[^\\\\]+)\\"
+ "\\(?P&lt;name&gt;.+$))|((?P&lt;name&gt;[^@]+)@(?P&lt;domain&gt;.+$))|(^(?"
+@@ -3143,29 +3151,29 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd.conf.5.xml:2689
++#: sssd.conf.5.xml:2697
+ msgid "username"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd.conf.5.xml:2692
++#: sssd.conf.5.xml:2700
+ msgid "username@domain.name"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd.conf.5.xml:2695
++#: sssd.conf.5.xml:2703
+ msgid "domain\\username"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2698
++#: sssd.conf.5.xml:2706
+ msgid ""
+ "While the first two correspond to the general default the third one is "
+ "introduced to allow easy integration of users from Windows domains."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2703
++#: sssd.conf.5.xml:2711
+ msgid ""
+ "Default: <quote>(?P&lt;name&gt;[^@]+)@?(?P&lt;domain&gt;[^@]*$)</quote> "
+ "which translates to \"the name is everything up to the <quote>@</quote> "
+@@ -3173,7 +3181,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2709
++#: sssd.conf.5.xml:2717
+ msgid ""
+ "NOTE: Some Active Directory groups, typically those used for MS Exchange "
+ "contain an <quote>@</quote> sign in the name, which clashes with the default "
+@@ -3183,59 +3191,59 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2760
++#: sssd.conf.5.xml:2768
+ msgid "Default: <quote>%1$s@%2$s</quote>."
+ msgstr "Noklusējuma: <quote>%1$s@%2$s</quote>."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2766
++#: sssd.conf.5.xml:2774
+ msgid "lookup_family_order (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2769
++#: sssd.conf.5.xml:2777
+ msgid ""
+ "Provides the ability to select preferred address family to use when "
+ "performing DNS lookups."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2773
++#: sssd.conf.5.xml:2781
+ msgid "Supported values:"
+ msgstr "Atbalstītās vērtības:"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2776
++#: sssd.conf.5.xml:2784
+ msgid "ipv4_first: Try looking up IPv4 address, if that fails, try IPv6"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2779
++#: sssd.conf.5.xml:2787
+ msgid "ipv4_only: Only attempt to resolve hostnames to IPv4 addresses."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2782
++#: sssd.conf.5.xml:2790
+ msgid "ipv6_first: Try looking up IPv6 address, if that fails, try IPv4"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2785
++#: sssd.conf.5.xml:2793
+ msgid "ipv6_only: Only attempt to resolve hostnames to IPv6 addresses."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2788
++#: sssd.conf.5.xml:2796
+ msgid "Default: ipv4_first"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2794
++#: sssd.conf.5.xml:2802
+ msgid "dns_resolver_timeout (integer)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2797
++#: sssd.conf.5.xml:2805
+ msgid ""
+ "Defines the amount of time (in seconds) to wait for a reply from the "
+ "internal fail over service before assuming that the service is unreachable. "
+@@ -3244,77 +3252,77 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2804
++#: sssd.conf.5.xml:2812
+ msgid ""
+ "Please see the section <quote>FAILOVER</quote> for more information about "
+ "the service resolution."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2809 sssd-ldap.5.xml:1434 sssd-ldap.5.xml:1476
++#: sssd.conf.5.xml:2817 sssd-ldap.5.xml:1434 sssd-ldap.5.xml:1476
+ #: sssd-ldap.5.xml:1494 sssd-krb5.5.xml:248
+ msgid "Default: 6"
+ msgstr "Noklusējuma: 6"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2815
++#: sssd.conf.5.xml:2823
+ msgid "dns_discovery_domain (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2818
++#: sssd.conf.5.xml:2826
+ msgid ""
+ "If service discovery is used in the back end, specifies the domain part of "
+ "the service discovery DNS query."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2822
++#: sssd.conf.5.xml:2830
+ msgid "Default: Use the domain part of machine's hostname"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2828
++#: sssd.conf.5.xml:2836
+ msgid "override_gid (integer)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2831
++#: sssd.conf.5.xml:2839
+ msgid "Override the primary GID value with the one specified."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2837
++#: sssd.conf.5.xml:2845
+ msgid "case_sensitive (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2845
++#: sssd.conf.5.xml:2853
+ msgid "True"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2848
++#: sssd.conf.5.xml:2856
+ msgid "Case sensitive. This value is invalid for AD provider."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2854
++#: sssd.conf.5.xml:2862
+ msgid "False"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2856
++#: sssd.conf.5.xml:2864
+ msgid "Case insensitive."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2860
++#: sssd.conf.5.xml:2868
+ msgid "Preserving"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2863
++#: sssd.conf.5.xml:2871
+ msgid ""
+ "Same as False (case insensitive), but does not lowercase names in the result "
+ "of NSS operations. Note that name aliases (and in case of services also "
+@@ -3322,7 +3330,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2840
++#: sssd.conf.5.xml:2848
+ msgid ""
+ "Treat user and group names as case sensitive. At the moment, this option is "
+ "not supported in the local provider. Possible option values are: "
+@@ -3330,17 +3338,17 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2875
++#: sssd.conf.5.xml:2883
+ msgid "Default: True (False for AD provider)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2881
++#: sssd.conf.5.xml:2889
+ msgid "subdomain_inherit (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2884
++#: sssd.conf.5.xml:2892
+ msgid ""
+ "Specifies a list of configuration parameters that should be inherited by a "
+ "subdomain. Please note that only selected parameters can be inherited.  "
+@@ -3348,34 +3356,34 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2890
++#: sssd.conf.5.xml:2898
+ msgid "ignore_group_members"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2893
++#: sssd.conf.5.xml:2901
+ msgid "ldap_purge_cache_timeout"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2896 sssd-ldap.5.xml:1158
++#: sssd.conf.5.xml:2904 sssd-ldap.5.xml:1158
+ msgid "ldap_use_tokengroups"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2899
++#: sssd.conf.5.xml:2907
+ msgid "ldap_user_principal"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2902
++#: sssd.conf.5.xml:2910
+ msgid ""
+ "ldap_krb5_keytab (the value of krb5_keytab will be used if ldap_krb5_keytab "
+ "is not set explicitly)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
+-#: sssd.conf.5.xml:2908
++#: sssd.conf.5.xml:2916
+ #, no-wrap
+ msgid ""
+ "subdomain_inherit = ldap_purge_cache_timeout\n"
+@@ -3383,32 +3391,32 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2906 sssd-secrets.5.xml:448
++#: sssd.conf.5.xml:2914 sssd-secrets.5.xml:448
+ msgid "Example: <placeholder type=\"programlisting\" id=\"0\"/>"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2915
++#: sssd.conf.5.xml:2923
+ msgid "Note: This option only works with the IPA and AD provider."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2922
++#: sssd.conf.5.xml:2930
+ msgid "subdomain_homedir (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2933
++#: sssd.conf.5.xml:2941
+ msgid "%F"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2934
++#: sssd.conf.5.xml:2942
+ msgid "flat (NetBIOS) name of a subdomain."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2925
++#: sssd.conf.5.xml:2933
+ msgid ""
+ "Use this homedir as default value for all subdomains within this domain in "
+ "IPA AD trust.  See <emphasis>override_homedir</emphasis> for info about "
+@@ -3418,47 +3426,55 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2939
++#: sssd.conf.5.xml:2947
+ msgid ""
+ "The value can be overridden by <emphasis>override_homedir</emphasis> option."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2943
++#: sssd.conf.5.xml:2951
+ msgid "Default: <filename>/home/%d/%u</filename>"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2948
++#: sssd.conf.5.xml:2956
+ msgid "realmd_tags (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2951
++#: sssd.conf.5.xml:2959
+ msgid ""
+ "Various tags stored by the realmd configuration service for this domain."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2957
++#: sssd.conf.5.xml:2965
+ msgid "cached_auth_timeout (int)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2960
++#: sssd.conf.5.xml:2968
+ msgid ""
+ "Specifies time in seconds since last successful online authentication for "
+ "which user will be authenticated using cached credentials while SSSD is in "
+-"the online mode."
++"the online mode. If the credentials are incorrect, SSSD falls back to online "
++"authentication."
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
++#: sssd.conf.5.xml:2976
++msgid ""
++"This option's value is inherited by all trusted domains. At the moment it is "
++"not possible to set a different value per trusted domain."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2966
++#: sssd.conf.5.xml:2981
+ msgid "Special value 0 implies that this feature is disabled."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2970
++#: sssd.conf.5.xml:2985
+ msgid ""
+ "Please note that if <quote>cached_auth_timeout</quote> is longer than "
+ "<quote>pam_id_timeout</quote> then the back end could be called to handle "
+@@ -3466,41 +3482,50 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2981
++#: sssd.conf.5.xml:2996
+ msgid "auto_private_groups (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2987
++#: sssd.conf.5.xml:3002
+ msgid "true"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2990
++#: sssd.conf.5.xml:3005
+ msgid ""
+ "Create user's private group unconditionally from user's UID number.  The GID "
+ "number is ignored in this case."
+ msgstr ""
+ 
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
++#: sssd.conf.5.xml:3009
++msgid ""
++"NOTE: Because the GID number and the user private group are inferred from "
++"the UID number, it is not supported to have multiple entries with the same "
++"UID or GID number with this option. In other words, enabling this option "
++"enforces uniqueness across the ID space."
++msgstr ""
++
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2996
++#: sssd.conf.5.xml:3018
+ msgid "false"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2999
++#: sssd.conf.5.xml:3021
+ msgid ""
+ "Always use the user's primary GID number. The GID number must refer to a "
+ "group object in the LDAP database."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:3005
++#: sssd.conf.5.xml:3027
+ msgid "hybrid"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3008
++#: sssd.conf.5.xml:3030
+ msgid ""
+ "A primary group is autogenerated for user entries whose UID and GID numbers "
+ "have the same value and at the same time the GID number does not correspond "
+@@ -3510,14 +3535,14 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3021
++#: sssd.conf.5.xml:3043
+ msgid ""
+ "If the UID and GID of a user are different, then the GID must correspond to "
+ "a group entry, otherwise the GID is simply not resolvable."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3028
++#: sssd.conf.5.xml:3050
+ msgid ""
+ "This feature is useful for environments that wish to stop maintaining a "
+ "separate group objects for the user private groups, but also wish to retain "
+@@ -3525,34 +3550,43 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2984
++#: sssd.conf.5.xml:2999
+ msgid ""
+ "This option takes any of three available values: <placeholder type="
+ "\"variablelist\" id=\"0\"/>"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3040
++#: sssd.conf.5.xml:3062
+ msgid ""
+-"For POSIX subdomains, setting the option in the main domain is inherited in "
+-"the subdomain."
++"For subdomains, the default value is False for subdomains that use assigned "
++"POSIX IDs and True for subdomains that use automatic ID-mapping."
+ msgstr ""
+ 
+-#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3044
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
++#: sssd.conf.5.xml:3070
++#, no-wrap
++msgid ""
++"[domain/forest.domain/sub.domain]\n"
++"auto_private_groups = false\n"
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
++#: sssd.conf.5.xml:3076
++#, no-wrap
+ msgid ""
+-"For ID-mapping subdomains, auto_private_groups is already enabled for the "
+-"subdomains and setting it to false will not have any effect for the "
+-"subdomain."
++"[domain/forest.domain]\n"
++"subdomain_inherit = auto_private_groups\n"
++"auto_private_groups = false\n"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3049
++#: sssd.conf.5.xml:3067
+ msgid ""
+-"NOTE: Because the GID number and the user private group are inferred from "
+-"the UID number, it is not supported to have multiple entries with the same "
+-"UID or GID number with this option. In other words, enabling this option "
+-"enforces uniqueness across the ID space."
++"The value of auto_private_groups can either be set per subdomains in a "
++"subsection, for example: <placeholder type=\"programlisting\" id=\"0\"/> or "
++"globally for all subdomains in the main domain section using the "
++"subdomain_inherit option: <placeholder type=\"programlisting\" id=\"1\"/>"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+@@ -3564,29 +3598,29 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:3068
++#: sssd.conf.5.xml:3091
+ msgid "proxy_pam_target (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3071
++#: sssd.conf.5.xml:3094
+ msgid "The proxy target PAM proxies to."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3074
++#: sssd.conf.5.xml:3097
+ msgid ""
+ "Default: not set by default, you have to take an existing pam configuration "
+ "or create a new one and add the service name here."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:3082
++#: sssd.conf.5.xml:3105
+ msgid "proxy_lib_name (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3085
++#: sssd.conf.5.xml:3108
+ msgid ""
+ "The name of the NSS library to use in proxy domains. The NSS functions "
+ "searched for in the library are in the form of _nss_$(libName)_$(function), "
+@@ -3594,12 +3628,12 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:3095
++#: sssd.conf.5.xml:3118
+ msgid "proxy_fast_alias (boolean)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3098
++#: sssd.conf.5.xml:3121
+ msgid ""
+ "When a user or group is looked up by name in the proxy provider, a second "
+ "lookup by ID is performed to \"canonicalize\" the name in case the requested "
+@@ -3608,12 +3642,12 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:3112
++#: sssd.conf.5.xml:3135
+ msgid "proxy_max_children (integer)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3115
++#: sssd.conf.5.xml:3138
+ msgid ""
+ "This option specifies the number of pre-forked proxy children. It is useful "
+ "for high-load SSSD environments where sssd may run out of available child "
+@@ -3621,19 +3655,19 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd.conf.5.xml:3064
++#: sssd.conf.5.xml:3087
+ msgid ""
+ "Options valid for proxy domains.  <placeholder type=\"variablelist\" id="
+ "\"0\"/>"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><title>
+-#: sssd.conf.5.xml:3131
++#: sssd.conf.5.xml:3154
+ msgid "Application domains"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para>
+-#: sssd.conf.5.xml:3133
++#: sssd.conf.5.xml:3156
+ msgid ""
+ "SSSD, with its D-Bus interface (see <citerefentry> <refentrytitle>sssd-ifp</"
+ "refentrytitle> <manvolnum>5</manvolnum> </citerefentry>) is appealing to "
+@@ -3650,7 +3684,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para>
+-#: sssd.conf.5.xml:3153
++#: sssd.conf.5.xml:3176
+ msgid ""
+ "Please note that the application domain must still be explicitly enabled in "
+ "the <quote>domains</quote> parameter so that the lookup order between the "
+@@ -3658,17 +3692,17 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><title>
+-#: sssd.conf.5.xml:3159
++#: sssd.conf.5.xml:3182
+ msgid "Application domain parameters"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:3161
++#: sssd.conf.5.xml:3184
+ msgid "inherit_from (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3164
++#: sssd.conf.5.xml:3187
+ msgid ""
+ "The SSSD POSIX-type domain the application domain inherits all settings "
+ "from. The application domain can moreover add its own settings to the "
+@@ -3677,7 +3711,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para>
+-#: sssd.conf.5.xml:3178
++#: sssd.conf.5.xml:3201
+ msgid ""
+ "The following example illustrates the use of an application domain. In this "
+ "setup, the POSIX domain is connected to an LDAP server and is used by the OS "
+@@ -3687,7 +3721,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><programlisting>
+-#: sssd.conf.5.xml:3186
++#: sssd.conf.5.xml:3209
+ #, no-wrap
+ msgid ""
+ "[sssd]\n"
+@@ -3707,12 +3741,12 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><title>
+-#: sssd.conf.5.xml:3204
++#: sssd.conf.5.xml:3227
+ msgid "The local domain section"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para>
+-#: sssd.conf.5.xml:3206
++#: sssd.conf.5.xml:3229
+ msgid ""
+ "This section contains settings for domain that stores users and groups in "
+ "SSSD native database, that is, a domain that uses "
+@@ -3720,73 +3754,73 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:3213
++#: sssd.conf.5.xml:3236
+ msgid "default_shell (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3216
++#: sssd.conf.5.xml:3239
+ msgid "The default shell for users created with SSSD userspace tools."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3220
++#: sssd.conf.5.xml:3243
+ msgid "Default: <filename>/bin/bash</filename>"
+ msgstr "Noklusējuma: <filename>/bin/bash</filename>"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:3225
++#: sssd.conf.5.xml:3248
+ msgid "base_directory (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3228
++#: sssd.conf.5.xml:3251
+ msgid ""
+ "The tools append the login name to <replaceable>base_directory</replaceable> "
+ "and use that as the home directory."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3233
++#: sssd.conf.5.xml:3256
+ msgid "Default: <filename>/home</filename>"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:3238
++#: sssd.conf.5.xml:3261
+ msgid "create_homedir (bool)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3241
++#: sssd.conf.5.xml:3264
+ msgid ""
+ "Indicate if a home directory should be created by default for new users.  "
+ "Can be overridden on command line."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3245 sssd.conf.5.xml:3257
++#: sssd.conf.5.xml:3268 sssd.conf.5.xml:3280
+ msgid "Default: TRUE"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:3250
++#: sssd.conf.5.xml:3273
+ msgid "remove_homedir (bool)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3253
++#: sssd.conf.5.xml:3276
+ msgid ""
+ "Indicate if a home directory should be removed by default for deleted "
+ "users.  Can be overridden on command line."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:3262
++#: sssd.conf.5.xml:3285
+ msgid "homedir_umask (integer)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3265
++#: sssd.conf.5.xml:3288
+ msgid ""
+ "Used by <citerefentry> <refentrytitle>sss_useradd</refentrytitle> "
+ "<manvolnum>8</manvolnum> </citerefentry> to specify the default permissions "
+@@ -3794,17 +3828,17 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3273
++#: sssd.conf.5.xml:3296
+ msgid "Default: 077"
+ msgstr "Noklusējuma: 077"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:3278
++#: sssd.conf.5.xml:3301
+ msgid "skel_dir (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3281
++#: sssd.conf.5.xml:3304
+ msgid ""
+ "The skeleton directory, which contains files and directories to be copied in "
+ "the user's home directory, when the home directory is created by "
+@@ -3813,17 +3847,17 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3291
++#: sssd.conf.5.xml:3314
+ msgid "Default: <filename>/etc/skel</filename>"
+ msgstr "Noklusējuma: <filename>/etc/skel</filename>"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:3296
++#: sssd.conf.5.xml:3319
+ msgid "mail_dir (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3299
++#: sssd.conf.5.xml:3322
+ msgid ""
+ "The mail spool directory. This is needed to manipulate the mailbox when its "
+ "corresponding user account is modified or deleted.  If not specified, a "
+@@ -3831,17 +3865,17 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3306
++#: sssd.conf.5.xml:3329
+ msgid "Default: <filename>/var/mail</filename>"
+ msgstr "Noklusējuma: <filename>/var/mail</filename>"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:3311
++#: sssd.conf.5.xml:3334
+ msgid "userdel_cmd (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3314
++#: sssd.conf.5.xml:3337
+ msgid ""
+ "The command that is run after a user is removed.  The command us passed the "
+ "username of the user being removed as the first and only parameter. The "
+@@ -3849,17 +3883,17 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3320
++#: sssd.conf.5.xml:3343
+ msgid "Default: None, no command is run"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><title>
+-#: sssd.conf.5.xml:3330
++#: sssd.conf.5.xml:3353
+ msgid "TRUSTED DOMAIN SECTION"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd.conf.5.xml:3332
++#: sssd.conf.5.xml:3355
+ msgid ""
+ "Some options used in the domain section can also be used in the trusted "
+ "domain section, that is, in a section called <quote>[domain/"
+@@ -3870,64 +3904,180 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd.conf.5.xml:3339
++#: sssd.conf.5.xml:3362
+ msgid "ldap_search_base,"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd.conf.5.xml:3340
++#: sssd.conf.5.xml:3363
+ msgid "ldap_user_search_base,"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd.conf.5.xml:3341
++#: sssd.conf.5.xml:3364
+ msgid "ldap_group_search_base,"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd.conf.5.xml:3342
++#: sssd.conf.5.xml:3365
+ msgid "ldap_netgroup_search_base,"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd.conf.5.xml:3343
++#: sssd.conf.5.xml:3366
+ msgid "ldap_service_search_base,"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd.conf.5.xml:3344
++#: sssd.conf.5.xml:3367
++msgid "ldap_sasl_mech,"
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para>
++#: sssd.conf.5.xml:3368
+ msgid "ad_server,"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd.conf.5.xml:3345
++#: sssd.conf.5.xml:3369
+ msgid "ad_backup_server,"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd.conf.5.xml:3346
++#: sssd.conf.5.xml:3370
+ msgid "ad_site,"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para>
+-#: sssd.conf.5.xml:3347 sssd-ipa.5.xml:782
++#: sssd.conf.5.xml:3371 sssd-ipa.5.xml:782
+ msgid "use_fully_qualified_names"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd.conf.5.xml:3349
++#: sssd.conf.5.xml:3373
+ msgid ""
+ "For more details about these options see their individual description in the "
+ "manual page."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><title>
+-#: sssd.conf.5.xml:3355 idmap_sss.8.xml:43
++#: sssd.conf.5.xml:3379
++#, fuzzy
++#| msgid "CONFIGURATION OPTIONS"
++msgid "PROMPTING CONFIGURATION SECTION"
++msgstr "KONFIGURĒŠANAS IESPĒJAS"
++
++#. type: Content of: <reference><refentry><refsect1><para>
++#: sssd.conf.5.xml:3381
++msgid ""
++"If a special file (<filename>/var/lib/sss/pubconf/pam_preauth_available</"
++"filename>)  exists SSSD's PAM module pam_sss will ask SSSD to figure out "
++"which authentication methods are available for the user trying to log in.  "
++"Based on the results pam_sss will prompt the user for appropriate "
++"credentials."
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para>
++#: sssd.conf.5.xml:3389
++msgid ""
++"With the growing number of authentication methods and the possibility that "
++"there are multiple ones for a single user the heuristic used by pam_sss to "
++"select the prompting might not be suitable for all use cases. To following "
++"options should provide a better flexibility here."
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
++#: sssd.conf.5.xml:3401
++msgid "[prompting/password]"
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
++#: sssd.conf.5.xml:3404
++#, fuzzy
++#| msgid "password"
++msgid "password_prompt"
++msgstr "parole"
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
++#: sssd.conf.5.xml:3405
++msgid "to change the string of the password prompt"
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
++#: sssd.conf.5.xml:3403
++msgid ""
++"to configure password prompting, allowed options are: <placeholder type="
++"\"variablelist\" id=\"0\"/>"
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
++#: sssd.conf.5.xml:3413
++msgid "[prompting/2fa]"
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
++#: sssd.conf.5.xml:3417
++msgid "first_prompt"
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
++#: sssd.conf.5.xml:3418
++msgid "to change the string of the prompt for the first factor"
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
++#: sssd.conf.5.xml:3421
++msgid "second_prompt"
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
++#: sssd.conf.5.xml:3422
++msgid "to change the string of the prompt for the second factor"
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
++#: sssd.conf.5.xml:3425
++msgid "single_prompt"
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
++#: sssd.conf.5.xml:3426
++msgid ""
++"boolean value, if True there will be only a single prompt using the value of "
++"first_prompt where it is expected that both factor are entered as a single "
++"string"
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
++#: sssd.conf.5.xml:3415
++msgid ""
++"to configure two-factor authentication prompting, allowed options are: "
++"<placeholder type=\"variablelist\" id=\"0\"/>"
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para>
++#: sssd.conf.5.xml:3396
++msgid ""
++"Each supported authentication method has it's own configuration sub-section "
++"under <quote>[prompting/...]</quote>. Currently there are: <placeholder type="
++"\"variablelist\" id=\"0\"/> <placeholder type=\"variablelist\" id=\"1\"/>"
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para>
++#: sssd.conf.5.xml:3438
++msgid ""
++"It is possible to add a sub-section for specific PAM services like e.g. "
++"<quote>[prompting/password/sshd]</quote> to individual change the prompting "
++"for this service."
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><title>
++#: sssd.conf.5.xml:3445 idmap_sss.8.xml:43
+ msgid "EXAMPLES"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><programlisting>
+-#: sssd.conf.5.xml:3361
++#: sssd.conf.5.xml:3451
+ #, no-wrap
+ msgid ""
+ "[sssd]\n"
+@@ -3957,7 +4107,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd.conf.5.xml:3357
++#: sssd.conf.5.xml:3447
+ msgid ""
+ "1. The following example shows a typical SSSD config. It does not describe "
+ "configuration of the domains themselves - refer to documentation on "
+@@ -3966,7 +4116,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><programlisting>
+-#: sssd.conf.5.xml:3394
++#: sssd.conf.5.xml:3484
+ #, no-wrap
+ msgid ""
+ "[domain/ipa.com/child.ad.com]\n"
+@@ -3974,7 +4124,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd.conf.5.xml:3388
++#: sssd.conf.5.xml:3478
+ msgid ""
+ "2. The following example shows configuration of IPA AD trust where the AD "
+ "forest consists of two domains in a parent-child structure.  Suppose IPA "
+@@ -4877,7 +5027,7 @@ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:797 sssd-ldap.5.xml:1199 sssd-ldap.5.xml:1273
+-#: sssd-ldap.5.xml:1382 sssd-ldap.5.xml:2443 sssd-ipa.5.xml:607
++#: sssd-ldap.5.xml:1382 sssd-ldap.5.xml:2463 sssd-ipa.5.xml:607
+ msgid "Default: cn"
+ msgstr ""
+ 
+@@ -5582,7 +5732,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1511 sssd-ldap.5.xml:2600
++#: sssd-ldap.5.xml:1511 sssd-ldap.5.xml:2620
+ msgid "Default: 900 (15 minutes)"
+ msgstr ""
+ 
+@@ -5685,11 +5835,16 @@ msgstr ""
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:1604
+ msgid ""
+-"You can turn off dereference lookups completely by setting the value to 0."
++"You can turn off dereference lookups completely by setting the value to 0. "
++"Please note that there are some codepaths in SSSD, like the IPA HBAC "
++"provider, that are only implemented using the dereference call, so even with "
++"dereference explicitly disabled, those parts will still use dereference if "
++"the server supports it and advertises the dereference control in the rootDSE "
++"object."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1608
++#: sssd-ldap.5.xml:1615
+ msgid ""
+ "A dereference lookup is a means of fetching all group members in a single "
+ "LDAP call.  Different LDAP servers may implement different dereference "
+@@ -5698,7 +5853,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1616
++#: sssd-ldap.5.xml:1623
+ msgid ""
+ "<emphasis>Note:</emphasis> If any of the search bases specifies a search "
+ "filter, then the dereference lookup performance enhancement will be disabled "
+@@ -5706,26 +5861,26 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1629
++#: sssd-ldap.5.xml:1636
+ msgid "ldap_tls_reqcert (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1632
++#: sssd-ldap.5.xml:1639
+ msgid ""
+ "Specifies what checks to perform on server certificates in a TLS session, if "
+ "any. It can be specified as one of the following values:"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1638
++#: sssd-ldap.5.xml:1645
+ msgid ""
+ "<emphasis>never</emphasis> = The client will not request or check any server "
+ "certificate."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1642
++#: sssd-ldap.5.xml:1649
+ msgid ""
+ "<emphasis>allow</emphasis> = The server certificate is requested. If no "
+ "certificate is provided, the session proceeds normally. If a bad certificate "
+@@ -5733,7 +5888,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1649
++#: sssd-ldap.5.xml:1656
+ msgid ""
+ "<emphasis>try</emphasis> = The server certificate is requested. If no "
+ "certificate is provided, the session proceeds normally. If a bad certificate "
+@@ -5741,7 +5896,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1655
++#: sssd-ldap.5.xml:1662
+ msgid ""
+ "<emphasis>demand</emphasis> = The server certificate is requested. If no "
+ "certificate is provided, or a bad certificate is provided, the session is "
+@@ -5749,41 +5904,41 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1661
++#: sssd-ldap.5.xml:1668
+ msgid "<emphasis>hard</emphasis> = Same as <quote>demand</quote>"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1665
++#: sssd-ldap.5.xml:1672
+ msgid "Default: hard"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1671
++#: sssd-ldap.5.xml:1678
+ msgid "ldap_tls_cacert (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1674
++#: sssd-ldap.5.xml:1681
+ msgid ""
+ "Specifies the file that contains certificates for all of the Certificate "
+ "Authorities that <command>sssd</command> will recognize."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1679 sssd-ldap.5.xml:1697 sssd-ldap.5.xml:1738
++#: sssd-ldap.5.xml:1686 sssd-ldap.5.xml:1704 sssd-ldap.5.xml:1745
+ msgid ""
+ "Default: use OpenLDAP defaults, typically in <filename>/etc/openldap/ldap."
+ "conf</filename>"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1686
++#: sssd-ldap.5.xml:1693
+ msgid "ldap_tls_cacertdir (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1689
++#: sssd-ldap.5.xml:1696
+ msgid ""
+ "Specifies the path of a directory that contains Certificate Authority "
+ "certificates in separate individual files. Typically the file names need to "
+@@ -5792,32 +5947,32 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1704
++#: sssd-ldap.5.xml:1711
+ msgid "ldap_tls_cert (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1707
++#: sssd-ldap.5.xml:1714
+ msgid "Specifies the file that contains the certificate for the client's key."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1717
++#: sssd-ldap.5.xml:1724
+ msgid "ldap_tls_key (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1720
++#: sssd-ldap.5.xml:1727
+ msgid "Specifies the file that contains the client's key."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1729
++#: sssd-ldap.5.xml:1736
+ msgid "ldap_tls_cipher_suite (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1732
++#: sssd-ldap.5.xml:1739
+ msgid ""
+ "Specifies acceptable cipher suites.  Typically this is a colon separated "
+ "list.  See <citerefentry><refentrytitle>ldap.conf</refentrytitle> "
+@@ -5825,24 +5980,24 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1745
++#: sssd-ldap.5.xml:1752
+ msgid "ldap_id_use_start_tls (boolean)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1748
++#: sssd-ldap.5.xml:1755
+ msgid ""
+ "Specifies that the id_provider connection must also use <systemitem class="
+ "\"protocol\">tls</systemitem> to protect the channel."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1758
++#: sssd-ldap.5.xml:1765
+ msgid "ldap_id_mapping (boolean)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1761
++#: sssd-ldap.5.xml:1768
+ msgid ""
+ "Specifies that SSSD should attempt to map user and group IDs from the "
+ "ldap_user_objectsid and ldap_group_objectsid attributes instead of relying "
+@@ -5850,17 +6005,17 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1767
++#: sssd-ldap.5.xml:1774
+ msgid "Currently this feature supports only ActiveDirectory objectSID mapping."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1777
++#: sssd-ldap.5.xml:1784
+ msgid "ldap_min_id, ldap_max_id (integer)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1780
++#: sssd-ldap.5.xml:1787
+ msgid ""
+ "In contrast to the SID based ID mapping which is used if ldap_id_mapping is "
+ "set to true the allowed ID range for ldap_user_uid_number and "
+@@ -5871,29 +6026,40 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1792
++#: sssd-ldap.5.xml:1799
+ msgid "Default: not set (both options are set to 0)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1798
++#: sssd-ldap.5.xml:1805
+ msgid "ldap_sasl_mech (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1801
++#: sssd-ldap.5.xml:1808
+ msgid ""
+-"Specify the SASL mechanism to use.  Currently only GSSAPI is tested and "
+-"supported."
++"Specify the SASL mechanism to use.  Currently only GSSAPI and GSS-SPNEGO are "
++"tested and supported."
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
++#: sssd-ldap.5.xml:1812
++msgid ""
++"If the backend supports sub-domains the value of ldap_sasl_mech is "
++"automatically inherited to the sub-domains. If a different value is needed "
++"for a sub-domain it can be overwritten by setting ldap_sasl_mech for this "
++"sub-domain explicitly.  Please see TRUSTED DOMAIN SECTION in "
++"<citerefentry><refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</"
++"manvolnum></citerefentry> for details."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1811
++#: sssd-ldap.5.xml:1828
+ msgid "ldap_sasl_authid (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
+-#: sssd-ldap.5.xml:1822
++#: sssd-ldap.5.xml:1840
+ #, no-wrap
+ msgid ""
+ "hostname@REALM\n"
+@@ -5906,29 +6072,29 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1814
++#: sssd-ldap.5.xml:1831
+ msgid ""
+-"Specify the SASL authorization id to use.  When GSSAPI is used, this "
+-"represents the Kerberos principal used for authentication to the directory.  "
+-"This option can either contain the full principal (for example host/"
+-"myhost@EXAMPLE.COM) or just the principal name (for example host/myhost). By "
+-"default, the value is not set and the following principals are used: "
+-"<placeholder type=\"programlisting\" id=\"0\"/> If none of them are found, "
+-"the first principal in keytab is returned."
++"Specify the SASL authorization id to use.  When GSSAPI/GSS-SPNEGO are used, "
++"this represents the Kerberos principal used for authentication to the "
++"directory.  This option can either contain the full principal (for example "
++"host/myhost@EXAMPLE.COM) or just the principal name (for example host/"
++"myhost).  By default, the value is not set and the following principals are "
++"used: <placeholder type=\"programlisting\" id=\"0\"/> If none of them are "
++"found, the first principal in keytab is returned."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1833
++#: sssd-ldap.5.xml:1851
+ msgid "Default: host/hostname@REALM"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1839
++#: sssd-ldap.5.xml:1857
+ msgid "ldap_sasl_realm (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1842
++#: sssd-ldap.5.xml:1860
+ msgid ""
+ "Specify the SASL realm to use. When not specified, this option defaults to "
+ "the value of krb5_realm.  If the ldap_sasl_authid contains the realm as "
+@@ -5936,77 +6102,78 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1848
++#: sssd-ldap.5.xml:1866
+ msgid "Default: the value of krb5_realm."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1854
++#: sssd-ldap.5.xml:1872
+ msgid "ldap_sasl_canonicalize (boolean)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1857
++#: sssd-ldap.5.xml:1875
+ msgid ""
+ "If set to true, the LDAP library would perform a reverse lookup to "
+ "canonicalize the host name during a SASL bind."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1862
++#: sssd-ldap.5.xml:1880
+ msgid "Default: false;"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1868
++#: sssd-ldap.5.xml:1886
+ msgid "ldap_krb5_keytab (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1871
+-msgid "Specify the keytab to use when using SASL/GSSAPI."
++#: sssd-ldap.5.xml:1889
++msgid "Specify the keytab to use when using SASL/GSSAPI/GSS-SPNEGO."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1874
++#: sssd-ldap.5.xml:1893
+ msgid "Default: System keytab, normally <filename>/etc/krb5.keytab</filename>"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1880
++#: sssd-ldap.5.xml:1899
+ msgid "ldap_krb5_init_creds (boolean)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1883
++#: sssd-ldap.5.xml:1902
+ msgid ""
+ "Specifies that the id_provider should init Kerberos credentials (TGT).  This "
+ "action is performed only if SASL is used and the mechanism selected is "
+-"GSSAPI."
++"GSSAPI or GSS-SPNEGO."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1895
++#: sssd-ldap.5.xml:1914
+ msgid "ldap_krb5_ticket_lifetime (integer)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1898
+-msgid "Specifies the lifetime in seconds of the TGT if GSSAPI is used."
++#: sssd-ldap.5.xml:1917
++msgid ""
++"Specifies the lifetime in seconds of the TGT if GSSAPI or GSS-SPNEGO is used."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1902 sssd-ad.5.xml:959
++#: sssd-ldap.5.xml:1921 sssd-ad.5.xml:978
+ msgid "Default: 86400 (24 hours)"
+ msgstr "Noklusējuma: 86400 (24 stundas)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1908 sssd-krb5.5.xml:74
++#: sssd-ldap.5.xml:1927 sssd-krb5.5.xml:74
+ msgid "krb5_server, krb5_backup_server (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1911
++#: sssd-ldap.5.xml:1930
+ msgid ""
+ "Specifies the comma-separated list of IP addresses or hostnames of the "
+ "Kerberos servers to which SSSD should connect in the order of preference. "
+@@ -6018,7 +6185,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1923 sssd-krb5.5.xml:89
++#: sssd-ldap.5.xml:1942 sssd-krb5.5.xml:89
+ msgid ""
+ "When using service discovery for KDC or kpasswd servers, SSSD first searches "
+ "for DNS entries that specify _udp as the protocol and falls back to _tcp if "
+@@ -6026,7 +6193,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1928 sssd-krb5.5.xml:94
++#: sssd-ldap.5.xml:1947 sssd-krb5.5.xml:94
+ msgid ""
+ "This option was named <quote>krb5_kdcip</quote> in earlier releases of SSSD. "
+ "While the legacy name is recognized for the time being, users are advised to "
+@@ -6034,39 +6201,39 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1937 sssd-ipa.5.xml:428 sssd-krb5.5.xml:103
++#: sssd-ldap.5.xml:1956 sssd-ipa.5.xml:428 sssd-krb5.5.xml:103
+ msgid "krb5_realm (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1940
+-msgid "Specify the Kerberos REALM (for SASL/GSSAPI auth)."
++#: sssd-ldap.5.xml:1959
++msgid "Specify the Kerberos REALM (for SASL/GSSAPI/GSS-SPNEGO auth)."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1943
++#: sssd-ldap.5.xml:1963
+ msgid "Default: System defaults, see <filename>/etc/krb5.conf</filename>"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1949 sssd-krb5.5.xml:462
++#: sssd-ldap.5.xml:1969 sssd-krb5.5.xml:462
+ msgid "krb5_canonicalize (boolean)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1952
++#: sssd-ldap.5.xml:1972
+ msgid ""
+ "Specifies if the host principal should be canonicalized when connecting to "
+ "LDAP server. This feature is available with MIT Kerberos >= 1.7"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1964 sssd-krb5.5.xml:477
++#: sssd-ldap.5.xml:1984 sssd-krb5.5.xml:477
+ msgid "krb5_use_kdcinfo (boolean)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1967 sssd-krb5.5.xml:480
++#: sssd-ldap.5.xml:1987 sssd-krb5.5.xml:480
+ msgid ""
+ "Specifies if the SSSD should instruct the Kerberos libraries what realm and "
+ "which KDCs to use. This option is on by default, if you disable it, you need "
+@@ -6076,7 +6243,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1978 sssd-krb5.5.xml:491
++#: sssd-ldap.5.xml:1998 sssd-krb5.5.xml:491
+ msgid ""
+ "See the <citerefentry> <refentrytitle>sssd_krb5_locator_plugin</"
+ "refentrytitle> <manvolnum>8</manvolnum> </citerefentry> manual page for more "
+@@ -6084,26 +6251,26 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1992
++#: sssd-ldap.5.xml:2012
+ msgid "ldap_pwd_policy (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1995
++#: sssd-ldap.5.xml:2015
+ msgid ""
+ "Select the policy to evaluate the password expiration on the client side. "
+ "The following values are allowed:"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2000
++#: sssd-ldap.5.xml:2020
+ msgid ""
+ "<emphasis>none</emphasis> - No evaluation on the client side. This option "
+ "cannot disable server-side password policies."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2005
++#: sssd-ldap.5.xml:2025
+ msgid ""
+ "<emphasis>shadow</emphasis> - Use <citerefentry><refentrytitle>shadow</"
+ "refentrytitle> <manvolnum>5</manvolnum></citerefentry> style attributes to "
+@@ -6111,7 +6278,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2011
++#: sssd-ldap.5.xml:2031
+ msgid ""
+ "<emphasis>mit_kerberos</emphasis> - Use the attributes used by MIT Kerberos "
+ "to determine if the password has expired. Use chpass_provider=krb5 to update "
+@@ -6119,31 +6286,31 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2020
++#: sssd-ldap.5.xml:2040
+ msgid ""
+ "<emphasis>Note</emphasis>: if a password policy is configured on server "
+ "side, it always takes precedence over policy set with this option."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2028
++#: sssd-ldap.5.xml:2048
+ msgid "ldap_referrals (boolean)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2031
++#: sssd-ldap.5.xml:2051
+ msgid "Specifies whether automatic referral chasing should be enabled."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2035
++#: sssd-ldap.5.xml:2055
+ msgid ""
+ "Please note that sssd only supports referral chasing when it is compiled "
+ "with OpenLDAP version 2.4.13 or higher."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2040
++#: sssd-ldap.5.xml:2060
+ msgid ""
+ "Chasing referrals may incur a performance penalty in environments that use "
+ "them heavily, a notable example is Microsoft Active Directory. If your setup "
+@@ -6152,56 +6319,56 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2054
++#: sssd-ldap.5.xml:2074
+ msgid "ldap_dns_service_name (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2057
++#: sssd-ldap.5.xml:2077
+ msgid "Specifies the service name to use when service discovery is enabled."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2061
++#: sssd-ldap.5.xml:2081
+ msgid "Default: ldap"
+ msgstr "Noklusējuma: ldap"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2067
++#: sssd-ldap.5.xml:2087
+ msgid "ldap_chpass_dns_service_name (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2070
++#: sssd-ldap.5.xml:2090
+ msgid ""
+ "Specifies the service name to use to find an LDAP server which allows "
+ "password changes when service discovery is enabled."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2075
++#: sssd-ldap.5.xml:2095
+ msgid "Default: not set, i.e. service discovery is disabled"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2081
++#: sssd-ldap.5.xml:2101
+ msgid "ldap_chpass_update_last_change (bool)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2084
++#: sssd-ldap.5.xml:2104
+ msgid ""
+ "Specifies whether to update the ldap_user_shadow_last_change attribute with "
+ "days since the Epoch after a password change operation."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2096
++#: sssd-ldap.5.xml:2116
+ msgid "ldap_access_filter (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2099
++#: sssd-ldap.5.xml:2119
+ msgid ""
+ "If using access_provider = ldap and ldap_access_order = filter (default), "
+ "this option is mandatory. It specifies an LDAP search filter criteria that "
+@@ -6217,12 +6384,12 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2119
++#: sssd-ldap.5.xml:2139
+ msgid "Example:"
+ msgstr "Piemērs:"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><programlisting>
+-#: sssd-ldap.5.xml:2122
++#: sssd-ldap.5.xml:2142
+ #, no-wrap
+ msgid ""
+ "access_provider = ldap\n"
+@@ -6231,14 +6398,14 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2126
++#: sssd-ldap.5.xml:2146
+ msgid ""
+ "This example means that access to this host is restricted to users whose "
+ "employeeType attribute is set to \"admin\"."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2131
++#: sssd-ldap.5.xml:2151
+ msgid ""
+ "Offline caching for this feature is limited to determining whether the "
+ "user's last online login was granted access permission. If they were granted "
+@@ -6247,24 +6414,24 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2139 sssd-ldap.5.xml:2196
++#: sssd-ldap.5.xml:2159 sssd-ldap.5.xml:2216
+ msgid "Default: Empty"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2145
++#: sssd-ldap.5.xml:2165
+ msgid "ldap_account_expire_policy (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2148
++#: sssd-ldap.5.xml:2168
+ msgid ""
+ "With this option a client side evaluation of access control attributes can "
+ "be enabled."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2152
++#: sssd-ldap.5.xml:2172
+ msgid ""
+ "Please note that it is always recommended to use server side access control, "
+ "i.e. the LDAP server should deny the bind request with a suitable error code "
+@@ -6272,19 +6439,19 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2159
++#: sssd-ldap.5.xml:2179
+ msgid "The following values are allowed:"
+ msgstr "Atļautas šādas vērtības:"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2162
++#: sssd-ldap.5.xml:2182
+ msgid ""
+ "<emphasis>shadow</emphasis>: use the value of ldap_user_shadow_expire to "
+ "determine if the account is expired."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2167
++#: sssd-ldap.5.xml:2187
+ msgid ""
+ "<emphasis>ad</emphasis>: use the value of the 32bit field "
+ "ldap_user_ad_user_account_control and allow access if the second bit is not "
+@@ -6293,7 +6460,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2174
++#: sssd-ldap.5.xml:2194
+ msgid ""
+ "<emphasis>rhds</emphasis>, <emphasis>ipa</emphasis>, <emphasis>389ds</"
+ "emphasis>: use the value of ldap_ns_account_lock to check if access is "
+@@ -6301,7 +6468,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2180
++#: sssd-ldap.5.xml:2200
+ msgid ""
+ "<emphasis>nds</emphasis>: the values of "
+ "ldap_user_nds_login_allowed_time_map, ldap_user_nds_login_disabled and "
+@@ -6310,7 +6477,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2189
++#: sssd-ldap.5.xml:2209
+ msgid ""
+ "Please note that the ldap_access_order configuration option <emphasis>must</"
+ "emphasis> include <quote>expire</quote> in order for the "
+@@ -6318,22 +6485,22 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2202
++#: sssd-ldap.5.xml:2222
+ msgid "ldap_access_order (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2205
++#: sssd-ldap.5.xml:2225
+ msgid "Comma separated list of access control options.  Allowed values are:"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2209
++#: sssd-ldap.5.xml:2229
+ msgid "<emphasis>filter</emphasis>: use ldap_access_filter"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2212
++#: sssd-ldap.5.xml:2232
+ msgid ""
+ "<emphasis>lockout</emphasis>: use account locking.  If set, this option "
+ "denies access in case that ldap attribute 'pwdAccountLockedTime' is present "
+@@ -6343,14 +6510,14 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2222
++#: sssd-ldap.5.xml:2242
+ msgid ""
+ "<emphasis> Please note that this option is superseded by the <quote>ppolicy</"
+ "quote> option and might be removed in a future release.  </emphasis>"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2229
++#: sssd-ldap.5.xml:2249
+ msgid ""
+ "<emphasis>ppolicy</emphasis>: use account locking.  If set, this option "
+ "denies access in case that ldap attribute 'pwdAccountLockedTime' is present "
+@@ -6363,12 +6530,12 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2246
++#: sssd-ldap.5.xml:2266
+ msgid "<emphasis>expire</emphasis>: use ldap_account_expire_policy"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2250
++#: sssd-ldap.5.xml:2270
+ msgid ""
+ "<emphasis>pwd_expire_policy_reject, pwd_expire_policy_warn, "
+ "pwd_expire_policy_renew: </emphasis> These options are useful if users are "
+@@ -6378,7 +6545,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2260
++#: sssd-ldap.5.xml:2280
+ msgid ""
+ "The difference between these options is the action taken if user password is "
+ "expired: pwd_expire_policy_reject - user is denied to log in, "
+@@ -6388,63 +6555,63 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2268
++#: sssd-ldap.5.xml:2288
+ msgid ""
+ "Note If user password is expired no explicit message is prompted by SSSD."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2272
++#: sssd-ldap.5.xml:2292
+ msgid ""
+ "Please note that 'access_provider = ldap' must be set for this feature to "
+ "work. Also 'ldap_pwd_policy' must be set to an appropriate password policy."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2277
++#: sssd-ldap.5.xml:2297
+ msgid ""
+ "<emphasis>authorized_service</emphasis>: use the authorizedService attribute "
+ "to determine access"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2282
++#: sssd-ldap.5.xml:2302
+ msgid "<emphasis>host</emphasis>: use the host attribute to determine access"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2286
++#: sssd-ldap.5.xml:2306
+ msgid ""
+ "<emphasis>rhost</emphasis>: use the rhost attribute to determine whether "
+ "remote host can access"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2290
++#: sssd-ldap.5.xml:2310
+ msgid ""
+ "Please note, rhost field in pam is set by application, it is better to check "
+ "what the application sends to pam, before enabling this access control option"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2295
++#: sssd-ldap.5.xml:2315
+ msgid "Default: filter"
+ msgstr "Noklusējuma: filtrēt"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2298
++#: sssd-ldap.5.xml:2318
+ msgid ""
+ "Please note that it is a configuration error if a value is used more than "
+ "once."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2305
++#: sssd-ldap.5.xml:2325
+ msgid "ldap_pwdlockout_dn (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2308
++#: sssd-ldap.5.xml:2328
+ msgid ""
+ "This option specifies the DN of password policy entry on LDAP server. Please "
+ "note that absence of this option in sssd.conf in case of enabled account "
+@@ -6453,74 +6620,74 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2316
++#: sssd-ldap.5.xml:2336
+ msgid "Example: cn=ppolicy,ou=policies,dc=example,dc=com"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2319
++#: sssd-ldap.5.xml:2339
+ msgid "Default: cn=ppolicy,ou=policies,$ldap_search_base"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2325
++#: sssd-ldap.5.xml:2345
+ msgid "ldap_deref (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2328
++#: sssd-ldap.5.xml:2348
+ msgid ""
+ "Specifies how alias dereferencing is done when performing a search. The "
+ "following options are allowed:"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2333
++#: sssd-ldap.5.xml:2353
+ msgid "<emphasis>never</emphasis>: Aliases are never dereferenced."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2337
++#: sssd-ldap.5.xml:2357
+ msgid ""
+ "<emphasis>searching</emphasis>: Aliases are dereferenced in subordinates of "
+ "the base object, but not in locating the base object of the search."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2342
++#: sssd-ldap.5.xml:2362
+ msgid ""
+ "<emphasis>finding</emphasis>: Aliases are only dereferenced when locating "
+ "the base object of the search."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2347
++#: sssd-ldap.5.xml:2367
+ msgid ""
+ "<emphasis>always</emphasis>: Aliases are dereferenced both in searching and "
+ "in locating the base object of the search."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2352
++#: sssd-ldap.5.xml:2372
+ msgid ""
+ "Default: Empty (this is handled as <emphasis>never</emphasis> by the LDAP "
+ "client libraries)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2360
++#: sssd-ldap.5.xml:2380
+ msgid "ldap_rfc2307_fallback_to_local_users (boolean)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2363
++#: sssd-ldap.5.xml:2383
+ msgid ""
+ "Allows to retain local users as members of an LDAP group for servers that "
+ "use the RFC2307 schema."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2367
++#: sssd-ldap.5.xml:2387
+ msgid ""
+ "In some environments where the RFC2307 schema is used, local users are made "
+ "members of LDAP groups by adding their names to the memberUid attribute.  "
+@@ -6531,7 +6698,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2378
++#: sssd-ldap.5.xml:2398
+ msgid ""
+ "This option falls back to checking if local users are referenced, and caches "
+ "them so that later initgroups() calls will augment the local users with the "
+@@ -6539,24 +6706,24 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2390 sssd-ifp.5.xml:136
++#: sssd-ldap.5.xml:2410 sssd-ifp.5.xml:136
+ msgid "wildcard_limit (integer)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2393
++#: sssd-ldap.5.xml:2413
+ msgid ""
+ "Specifies an upper limit on the number of entries that are downloaded during "
+ "a wildcard lookup."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2397
++#: sssd-ldap.5.xml:2417
+ msgid "At the moment, only the InfoPipe responder supports wildcard lookups."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2401
++#: sssd-ldap.5.xml:2421
+ msgid "Default: 1000 (often the size of one page)"
+ msgstr ""
+ 
+@@ -6571,12 +6738,12 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><title>
+-#: sssd-ldap.5.xml:2411
++#: sssd-ldap.5.xml:2431
+ msgid "SUDO OPTIONS"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd-ldap.5.xml:2413
++#: sssd-ldap.5.xml:2433
+ msgid ""
+ "The detailed instructions for configuration of sudo_provider are in the "
+ "manual page <citerefentry> <refentrytitle>sssd-sudo</refentrytitle> "
+@@ -6584,208 +6751,208 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2424
++#: sssd-ldap.5.xml:2444
+ msgid "ldap_sudorule_object_class (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2427
++#: sssd-ldap.5.xml:2447
+ msgid "The object class of a sudo rule entry in LDAP."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2430
++#: sssd-ldap.5.xml:2450
+ msgid "Default: sudoRole"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2436
++#: sssd-ldap.5.xml:2456
+ msgid "ldap_sudorule_name (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2439
++#: sssd-ldap.5.xml:2459
+ msgid "The LDAP attribute that corresponds to the sudo rule name."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2449
++#: sssd-ldap.5.xml:2469
+ msgid "ldap_sudorule_command (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2452
++#: sssd-ldap.5.xml:2472
+ msgid "The LDAP attribute that corresponds to the command name."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2456
++#: sssd-ldap.5.xml:2476
+ msgid "Default: sudoCommand"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2462
++#: sssd-ldap.5.xml:2482
+ msgid "ldap_sudorule_host (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2465
++#: sssd-ldap.5.xml:2485
+ msgid ""
+ "The LDAP attribute that corresponds to the host name (or host IP address, "
+ "host IP network, or host netgroup)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2470
++#: sssd-ldap.5.xml:2490
+ msgid "Default: sudoHost"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2476
++#: sssd-ldap.5.xml:2496
+ msgid "ldap_sudorule_user (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2479
++#: sssd-ldap.5.xml:2499
+ msgid ""
+ "The LDAP attribute that corresponds to the user name (or UID, group name or "
+ "user's netgroup)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2483
++#: sssd-ldap.5.xml:2503
+ msgid "Default: sudoUser"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2489
++#: sssd-ldap.5.xml:2509
+ msgid "ldap_sudorule_option (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2492
++#: sssd-ldap.5.xml:2512
+ msgid "The LDAP attribute that corresponds to the sudo options."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2496
++#: sssd-ldap.5.xml:2516
+ msgid "Default: sudoOption"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2502
++#: sssd-ldap.5.xml:2522
+ msgid "ldap_sudorule_runasuser (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2505
++#: sssd-ldap.5.xml:2525
+ msgid ""
+ "The LDAP attribute that corresponds to the user name that commands may be "
+ "run as."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2509
++#: sssd-ldap.5.xml:2529
+ msgid "Default: sudoRunAsUser"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2515
++#: sssd-ldap.5.xml:2535
+ msgid "ldap_sudorule_runasgroup (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2518
++#: sssd-ldap.5.xml:2538
+ msgid ""
+ "The LDAP attribute that corresponds to the group name or group GID that "
+ "commands may be run as."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2522
++#: sssd-ldap.5.xml:2542
+ msgid "Default: sudoRunAsGroup"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2528
++#: sssd-ldap.5.xml:2548
+ msgid "ldap_sudorule_notbefore (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2531
++#: sssd-ldap.5.xml:2551
+ msgid ""
+ "The LDAP attribute that corresponds to the start date/time for when the sudo "
+ "rule is valid."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2535
++#: sssd-ldap.5.xml:2555
+ msgid "Default: sudoNotBefore"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2541
++#: sssd-ldap.5.xml:2561
+ msgid "ldap_sudorule_notafter (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2544
++#: sssd-ldap.5.xml:2564
+ msgid ""
+ "The LDAP attribute that corresponds to the expiration date/time, after which "
+ "the sudo rule will no longer be valid."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2549
++#: sssd-ldap.5.xml:2569
+ msgid "Default: sudoNotAfter"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2555
++#: sssd-ldap.5.xml:2575
+ msgid "ldap_sudorule_order (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2558
++#: sssd-ldap.5.xml:2578
+ msgid "The LDAP attribute that corresponds to the ordering index of the rule."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2562
++#: sssd-ldap.5.xml:2582
+ msgid "Default: sudoOrder"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2568
++#: sssd-ldap.5.xml:2588
+ msgid "ldap_sudo_full_refresh_interval (integer)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2571
++#: sssd-ldap.5.xml:2591
+ msgid ""
+ "How many seconds SSSD will wait between executing a full refresh of sudo "
+ "rules (which downloads all rules that are stored on the server)."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2576
++#: sssd-ldap.5.xml:2596
+ msgid ""
+ "The value must be greater than <emphasis>ldap_sudo_smart_refresh_interval </"
+ "emphasis>"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2581
++#: sssd-ldap.5.xml:2601
+ msgid "Default: 21600 (6 hours)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2587
++#: sssd-ldap.5.xml:2607
+ msgid "ldap_sudo_smart_refresh_interval (integer)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2590
++#: sssd-ldap.5.xml:2610
+ msgid ""
+ "How many seconds SSSD has to wait before executing a smart refresh of sudo "
+ "rules (which downloads all rules that have USN higher than the highest USN "
+@@ -6793,101 +6960,101 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2596
++#: sssd-ldap.5.xml:2616
+ msgid ""
+ "If USN attributes are not supported by the server, the modifyTimestamp "
+ "attribute is used instead."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2606
++#: sssd-ldap.5.xml:2626
+ msgid "ldap_sudo_use_host_filter (boolean)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2609
++#: sssd-ldap.5.xml:2629
+ msgid ""
+ "If true, SSSD will download only rules that are applicable to this machine "
+ "(using the IPv4 or IPv6 host/network addresses and hostnames)."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2620
++#: sssd-ldap.5.xml:2640
+ msgid "ldap_sudo_hostnames (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2623
++#: sssd-ldap.5.xml:2643
+ msgid ""
+ "Space separated list of hostnames or fully qualified domain names that "
+ "should be used to filter the rules."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2628
++#: sssd-ldap.5.xml:2648
+ msgid ""
+ "If this option is empty, SSSD will try to discover the hostname and the "
+ "fully qualified domain name automatically."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2633 sssd-ldap.5.xml:2656 sssd-ldap.5.xml:2674
+-#: sssd-ldap.5.xml:2692
++#: sssd-ldap.5.xml:2653 sssd-ldap.5.xml:2676 sssd-ldap.5.xml:2694
++#: sssd-ldap.5.xml:2712
+ msgid ""
+ "If <emphasis>ldap_sudo_use_host_filter</emphasis> is <emphasis>false</"
+ "emphasis> then this option has no effect."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2638 sssd-ldap.5.xml:2661
++#: sssd-ldap.5.xml:2658 sssd-ldap.5.xml:2681
+ msgid "Default: not specified"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2644
++#: sssd-ldap.5.xml:2664
+ msgid "ldap_sudo_ip (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2647
++#: sssd-ldap.5.xml:2667
+ msgid ""
+ "Space separated list of IPv4 or IPv6 host/network addresses that should be "
+ "used to filter the rules."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2652
++#: sssd-ldap.5.xml:2672
+ msgid ""
+ "If this option is empty, SSSD will try to discover the addresses "
+ "automatically."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2667
++#: sssd-ldap.5.xml:2687
+ msgid "ldap_sudo_include_netgroups (boolean)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2670
++#: sssd-ldap.5.xml:2690
+ msgid ""
+ "If true then SSSD will download every rule that contains a netgroup in "
+ "sudoHost attribute."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2685
++#: sssd-ldap.5.xml:2705
+ msgid "ldap_sudo_include_regexp (boolean)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2688
++#: sssd-ldap.5.xml:2708
+ msgid ""
+ "If true then SSSD will download every rule that contains a wildcard in "
+ "sudoHost attribute."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd-ldap.5.xml:2704
++#: sssd-ldap.5.xml:2724
+ msgid ""
+ "This manual page only describes attribute name mapping.  For detailed "
+ "explanation of sudo related attribute semantics, see <citerefentry> "
+@@ -6896,111 +7063,111 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><title>
+-#: sssd-ldap.5.xml:2714
++#: sssd-ldap.5.xml:2734
+ msgid "AUTOFS OPTIONS"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd-ldap.5.xml:2716
++#: sssd-ldap.5.xml:2736
+ msgid ""
+ "Some of the defaults for the parameters below are dependent on the LDAP "
+ "schema."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2722
++#: sssd-ldap.5.xml:2742
+ msgid "ldap_autofs_map_master_name (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2725
++#: sssd-ldap.5.xml:2745
+ msgid "The name of the automount master map in LDAP."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2728
++#: sssd-ldap.5.xml:2748
+ msgid "Default: auto.master"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2735
++#: sssd-ldap.5.xml:2755
+ msgid "ldap_autofs_map_object_class (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2738
++#: sssd-ldap.5.xml:2758
+ msgid "The object class of an automount map entry in LDAP."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2741
++#: sssd-ldap.5.xml:2761
+ msgid "Default: nisMap (rfc2307, autofs_provider=ad), otherwise automountMap"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2749
++#: sssd-ldap.5.xml:2769
+ msgid "ldap_autofs_map_name (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2752
++#: sssd-ldap.5.xml:2772
+ msgid "The name of an automount map entry in LDAP."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2755
++#: sssd-ldap.5.xml:2775
+ msgid ""
+ "Default: nisMapName (rfc2307, autofs_provider=ad), otherwise automountMapName"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2763
++#: sssd-ldap.5.xml:2783
+ msgid "ldap_autofs_entry_object_class (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2766
++#: sssd-ldap.5.xml:2786
+ msgid ""
+ "The object class of an automount entry in LDAP. The entry usually "
+ "corresponds to a mount point."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2771
++#: sssd-ldap.5.xml:2791
+ msgid "Default: nisObject (rfc2307, autofs_provider=ad), otherwise automount"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2779
++#: sssd-ldap.5.xml:2799
+ msgid "ldap_autofs_entry_key (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2782 sssd-ldap.5.xml:2797
++#: sssd-ldap.5.xml:2802 sssd-ldap.5.xml:2817
+ msgid ""
+ "The key of an automount entry in LDAP. The entry usually corresponds to a "
+ "mount point."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2786
++#: sssd-ldap.5.xml:2806
+ msgid "Default: cn (rfc2307, autofs_provider=ad), otherwise automountKey"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2794
++#: sssd-ldap.5.xml:2814
+ msgid "ldap_autofs_entry_value (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2801
++#: sssd-ldap.5.xml:2821
+ msgid ""
+ "Default: nisMapEntry (rfc2307, autofs_provider=ad), otherwise "
+ "automountInformation"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd-ldap.5.xml:2720
++#: sssd-ldap.5.xml:2740
+ msgid ""
+ "<placeholder type=\"variablelist\" id=\"0\"/> <placeholder type="
+ "\"variablelist\" id=\"1\"/> <placeholder type=\"variablelist\" id=\"2\"/> "
+@@ -7009,32 +7176,32 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><title>
+-#: sssd-ldap.5.xml:2812
++#: sssd-ldap.5.xml:2832
+ msgid "ADVANCED OPTIONS"
+ msgstr "PAPLAŠINĀTĀS IESPĒJAS"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2819
++#: sssd-ldap.5.xml:2839
+ msgid "ldap_netgroup_search_base (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2824
++#: sssd-ldap.5.xml:2844
+ msgid "ldap_user_search_base (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2829
++#: sssd-ldap.5.xml:2849
+ msgid "ldap_group_search_base (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><note>
+-#: sssd-ldap.5.xml:2834
++#: sssd-ldap.5.xml:2854
+ msgid "<note>"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><note><para>
+-#: sssd-ldap.5.xml:2836
++#: sssd-ldap.5.xml:2856
+ msgid ""
+ "If the option <quote>ldap_use_tokengroups</quote> is enabled, the searches "
+ "against Active Directory will not be restricted and return all groups "
+@@ -7043,22 +7210,22 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist>
+-#: sssd-ldap.5.xml:2843
++#: sssd-ldap.5.xml:2863
+ msgid "</note>"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2845
++#: sssd-ldap.5.xml:2865
+ msgid "ldap_sudo_search_base (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2850
++#: sssd-ldap.5.xml:2870
+ msgid "ldap_autofs_search_base (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd-ldap.5.xml:2814
++#: sssd-ldap.5.xml:2834
+ msgid ""
+ "These options are supported by LDAP domains, but they should be used with "
+ "caution. Please include them in your configuration only if you know what you "
+@@ -7067,14 +7234,14 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><title>
+-#: sssd-ldap.5.xml:2865 sssd-simple.5.xml:131 sssd-ipa.5.xml:828
+-#: sssd-ad.5.xml:1063 sssd-krb5.5.xml:570 sss_rpcidmapd.5.xml:98
++#: sssd-ldap.5.xml:2885 sssd-simple.5.xml:131 sssd-ipa.5.xml:828
++#: sssd-ad.5.xml:1082 sssd-krb5.5.xml:604 sss_rpcidmapd.5.xml:98
+ #: sssd-files.5.xml:103 sssd-session-recording.5.xml:144
+ msgid "EXAMPLE"
+ msgstr "PIEMĒRS"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd-ldap.5.xml:2867
++#: sssd-ldap.5.xml:2887
+ msgid ""
+ "The following example assumes that SSSD is correctly configured and LDAP is "
+ "set to one of the domains in the <replaceable>[domains]</replaceable> "
+@@ -7082,7 +7249,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><programlisting>
+-#: sssd-ldap.5.xml:2873
++#: sssd-ldap.5.xml:2893
+ #, no-wrap
+ msgid ""
+ "[domain/LDAP]\n"
+@@ -7095,27 +7262,27 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <refsect1><refsect2><para>
+-#: sssd-ldap.5.xml:2872 sssd-ldap.5.xml:2890 sssd-simple.5.xml:139
+-#: sssd-ipa.5.xml:836 sssd-ad.5.xml:1071 sssd-sudo.5.xml:56 sssd-krb5.5.xml:579
++#: sssd-ldap.5.xml:2892 sssd-ldap.5.xml:2910 sssd-simple.5.xml:139
++#: sssd-ipa.5.xml:836 sssd-ad.5.xml:1090 sssd-sudo.5.xml:56 sssd-krb5.5.xml:613
+ #: sssd-files.5.xml:110 sssd-session-recording.5.xml:150
+ #: include/ldap_id_mapping.xml:105
+ msgid "<placeholder type=\"programlisting\" id=\"0\"/>"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><title>
+-#: sssd-ldap.5.xml:2884
++#: sssd-ldap.5.xml:2904
+ msgid "LDAP ACCESS FILTER EXAMPLE"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd-ldap.5.xml:2886
++#: sssd-ldap.5.xml:2906
+ msgid ""
+ "The following example assumes that SSSD is correctly configured and to use "
+ "the ldap_access_order=lockout."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><programlisting>
+-#: sssd-ldap.5.xml:2891
++#: sssd-ldap.5.xml:2911
+ #, no-wrap
+ msgid ""
+ "[domain/LDAP]\n"
+@@ -7131,13 +7298,13 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><title>
+-#: sssd-ldap.5.xml:2906 sssd_krb5_locator_plugin.8.xml:83 sssd-simple.5.xml:148
+-#: sssd-ad.5.xml:1086 sssd.8.xml:230 sss_seed.8.xml:163
++#: sssd-ldap.5.xml:2926 sssd_krb5_locator_plugin.8.xml:83 sssd-simple.5.xml:148
++#: sssd-ad.5.xml:1105 sssd.8.xml:230 sss_seed.8.xml:163
+ msgid "NOTES"
+ msgstr "PIEZĪMES"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd-ldap.5.xml:2908
++#: sssd-ldap.5.xml:2928
+ msgid ""
+ "The descriptions of some of the configuration options in this manual page "
+ "are based on the <citerefentry> <refentrytitle>ldap.conf</refentrytitle> "
+@@ -8611,7 +8778,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ipa.5.xml:128 sssd-ad.5.xml:888
++#: sssd-ipa.5.xml:128 sssd-ad.5.xml:907
+ msgid "dyndns_update (boolean)"
+ msgstr ""
+ 
+@@ -8626,7 +8793,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ipa.5.xml:140 sssd-ad.5.xml:902
++#: sssd-ipa.5.xml:140 sssd-ad.5.xml:921
+ msgid ""
+ "NOTE: On older systems (such as RHEL 5), for this behavior to work reliably, "
+ "the default Kerberos realm must be set properly in /etc/krb5.conf"
+@@ -8641,12 +8808,12 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ipa.5.xml:157 sssd-ad.5.xml:913
++#: sssd-ipa.5.xml:157 sssd-ad.5.xml:932
+ msgid "dyndns_ttl (integer)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ipa.5.xml:160 sssd-ad.5.xml:916
++#: sssd-ipa.5.xml:160 sssd-ad.5.xml:935
+ msgid ""
+ "The TTL to apply to the client DNS record when updating it.  If "
+ "dyndns_update is false this has no effect. This will override the TTL "
+@@ -8667,12 +8834,12 @@ msgid "Default: 1200 (seconds)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ipa.5.xml:177 sssd-ad.5.xml:927
++#: sssd-ipa.5.xml:177 sssd-ad.5.xml:946
+ msgid "dyndns_iface (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ipa.5.xml:180 sssd-ad.5.xml:930
++#: sssd-ipa.5.xml:180 sssd-ad.5.xml:949
+ msgid ""
+ "Optional. Applicable only when dyndns_update is true. Choose the interface "
+ "or a list of interfaces whose IP addresses should be used for dynamic DNS "
+@@ -8696,17 +8863,17 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ipa.5.xml:197 sssd-ad.5.xml:941
++#: sssd-ipa.5.xml:197 sssd-ad.5.xml:960
+ msgid "Example: dyndns_iface = em1, vnet1, vnet2"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ipa.5.xml:203 sssd-ad.5.xml:992
++#: sssd-ipa.5.xml:203 sssd-ad.5.xml:1011
+ msgid "dyndns_auth (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ipa.5.xml:206 sssd-ad.5.xml:995
++#: sssd-ipa.5.xml:206 sssd-ad.5.xml:1014
+ msgid ""
+ "Whether the nsupdate utility should use GSS-TSIG authentication for secure "
+ "updates with the DNS server, insecure updates can be sent by setting this "
+@@ -8714,7 +8881,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ipa.5.xml:212 sssd-ad.5.xml:1001
++#: sssd-ipa.5.xml:212 sssd-ad.5.xml:1020
+ msgid "Default: GSS-TSIG"
+ msgstr ""
+ 
+@@ -8741,7 +8908,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ipa.5.xml:244 sssd-ad.5.xml:947
++#: sssd-ipa.5.xml:244 sssd-ad.5.xml:966
+ msgid "dyndns_refresh_interval (integer)"
+ msgstr ""
+ 
+@@ -8754,12 +8921,12 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ipa.5.xml:260 sssd-ad.5.xml:965
++#: sssd-ipa.5.xml:260 sssd-ad.5.xml:984
+ msgid "dyndns_update_ptr (bool)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ipa.5.xml:263 sssd-ad.5.xml:968
++#: sssd-ipa.5.xml:263 sssd-ad.5.xml:987
+ msgid ""
+ "Whether the PTR record should also be explicitly updated when updating the "
+ "client's DNS records.  Applicable only when dyndns_update is true."
+@@ -8778,50 +8945,50 @@ msgid "Default: False (disabled)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ipa.5.xml:280 sssd-ad.5.xml:979
++#: sssd-ipa.5.xml:280 sssd-ad.5.xml:998
+ msgid "dyndns_force_tcp (bool)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ipa.5.xml:283 sssd-ad.5.xml:982
++#: sssd-ipa.5.xml:283 sssd-ad.5.xml:1001
+ msgid ""
+ "Whether the nsupdate utility should default to using TCP for communicating "
+ "with the DNS server."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ipa.5.xml:287 sssd-ad.5.xml:986
++#: sssd-ipa.5.xml:287 sssd-ad.5.xml:1005
+ msgid "Default: False (let nsupdate choose the protocol)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ipa.5.xml:293 sssd-ad.5.xml:1007
++#: sssd-ipa.5.xml:293 sssd-ad.5.xml:1026
+ msgid "dyndns_server (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ipa.5.xml:296 sssd-ad.5.xml:1010
++#: sssd-ipa.5.xml:296 sssd-ad.5.xml:1029
+ msgid ""
+ "The DNS server to use when performing a DNS update. In most setups, it's "
+ "recommended to leave this option unset."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ipa.5.xml:301 sssd-ad.5.xml:1015
++#: sssd-ipa.5.xml:301 sssd-ad.5.xml:1034
+ msgid ""
+ "Setting this option makes sense for environments where the DNS server is "
+ "different from the identity server."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ipa.5.xml:306 sssd-ad.5.xml:1020
++#: sssd-ipa.5.xml:306 sssd-ad.5.xml:1039
+ msgid ""
+ "Please note that this option will be only used in fallback attempt when "
+ "previous attempt using autodetected settings failed."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ipa.5.xml:311 sssd-ad.5.xml:1025
++#: sssd-ipa.5.xml:311 sssd-ad.5.xml:1044
+ msgid "Default: None (let nsupdate choose the server)"
+ msgstr ""
+ 
+@@ -8932,26 +9099,26 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ipa.5.xml:443 sssd-ad.5.xml:1034
++#: sssd-ipa.5.xml:443 sssd-ad.5.xml:1053
+ msgid "krb5_confd_path (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ipa.5.xml:446 sssd-ad.5.xml:1037
++#: sssd-ipa.5.xml:446 sssd-ad.5.xml:1056
+ msgid ""
+ "Absolute path of a directory where SSSD should place Kerberos configuration "
+ "snippets."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ipa.5.xml:450 sssd-ad.5.xml:1041
++#: sssd-ipa.5.xml:450 sssd-ad.5.xml:1060
+ msgid ""
+ "To disable the creation of the configuration snippets set the parameter to "
+ "'none'."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ipa.5.xml:454 sssd-ad.5.xml:1045
++#: sssd-ipa.5.xml:454 sssd-ad.5.xml:1064
+ msgid ""
+ "Default: not set (krb5.include.d subdirectory of SSSD's pubconf directory)"
+ msgstr ""
+@@ -8970,7 +9137,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ipa.5.xml:471 sssd-ipa.5.xml:501 sssd-ipa.5.xml:517 sssd-ad.5.xml:452
++#: sssd-ipa.5.xml:471 sssd-ipa.5.xml:501 sssd-ipa.5.xml:517 sssd-ad.5.xml:471
+ msgid "Default: 5 (seconds)"
+ msgstr ""
+ 
+@@ -9853,12 +10020,27 @@ msgid "Default: False (seconds)"
+ msgstr "Noklusējuma: 0 (neierobežots)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ad.5.xml:442
++#: sssd-ad.5.xml:441
++msgid "ad_gpo_ignore_unreadable (boolean)"
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
++#: sssd-ad.5.xml:444
++msgid ""
++"Normally when some group policy containers (AD object) of applicable group "
++"policy objects are not readable by SSSD then users are denied access.  This "
++"option allows to ignore group policy containers and with them associated "
++"policies if their attributes in group policy containers are not readable for "
++"SSSD."
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
++#: sssd-ad.5.xml:461
+ msgid "ad_gpo_cache_timeout (integer)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:445
++#: sssd-ad.5.xml:464
+ msgid ""
+ "The amount of time between lookups of GPO policy files against the AD "
+ "server. This will reduce the latency and load on the AD server if there are "
+@@ -9866,12 +10048,12 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ad.5.xml:458
++#: sssd-ad.5.xml:477
+ msgid "ad_gpo_map_interactive (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:461
++#: sssd-ad.5.xml:480
+ msgid ""
+ "A comma-separated list of PAM service names for which GPO-based access "
+ "control is evaluated based on the InteractiveLogonRight and "
+@@ -9879,14 +10061,14 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:467
++#: sssd-ad.5.xml:486
+ msgid ""
+ "Note: Using the Group Policy Management Editor this value is called \"Allow "
+ "log on locally\" and \"Deny log on locally\"."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
+-#: sssd-ad.5.xml:481
++#: sssd-ad.5.xml:500
+ #, no-wrap
+ msgid ""
+ "ad_gpo_map_interactive = +my_pam_service, -login\n"
+@@ -9894,7 +10076,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:472
++#: sssd-ad.5.xml:491
+ msgid ""
+ "It is possible to add another PAM service name to the default set by using "
+ "<quote>+service_name</quote> or to explicitly remove a PAM service name from "
+@@ -9906,42 +10088,42 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd-ad.5.xml:504
++#: sssd-ad.5.xml:523
+ msgid "gdm-fingerprint"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd-ad.5.xml:524
++#: sssd-ad.5.xml:543
+ msgid "lightdm"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd-ad.5.xml:529
++#: sssd-ad.5.xml:548
+ msgid "lxdm"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd-ad.5.xml:534
++#: sssd-ad.5.xml:553
+ msgid "sddm"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd-ad.5.xml:539
++#: sssd-ad.5.xml:558
+ msgid "unity"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd-ad.5.xml:544
++#: sssd-ad.5.xml:563
+ msgid "xdm"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ad.5.xml:553
++#: sssd-ad.5.xml:572
+ msgid "ad_gpo_map_remote_interactive (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:556
++#: sssd-ad.5.xml:575
+ msgid ""
+ "A comma-separated list of PAM service names for which GPO-based access "
+ "control is evaluated based on the RemoteInteractiveLogonRight and "
+@@ -9949,7 +10131,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:562
++#: sssd-ad.5.xml:581
+ msgid ""
+ "Note: Using the Group Policy Management Editor this value is called \"Allow "
+ "log on through Remote Desktop Services\" and \"Deny log on through Remote "
+@@ -9957,7 +10139,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
+-#: sssd-ad.5.xml:577
++#: sssd-ad.5.xml:596
+ #, no-wrap
+ msgid ""
+ "ad_gpo_map_remote_interactive = +my_pam_service, -sshd\n"
+@@ -9965,7 +10147,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:568
++#: sssd-ad.5.xml:587
+ msgid ""
+ "It is possible to add another PAM service name to the default set by using "
+ "<quote>+service_name</quote> or to explicitly remove a PAM service name from "
+@@ -9977,22 +10159,22 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd-ad.5.xml:585
++#: sssd-ad.5.xml:604
+ msgid "sshd"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd-ad.5.xml:590
++#: sssd-ad.5.xml:609
+ msgid "cockpit"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ad.5.xml:599
++#: sssd-ad.5.xml:618
+ msgid "ad_gpo_map_network (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:602
++#: sssd-ad.5.xml:621
+ msgid ""
+ "A comma-separated list of PAM service names for which GPO-based access "
+ "control is evaluated based on the NetworkLogonRight and "
+@@ -10000,7 +10182,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:608
++#: sssd-ad.5.xml:627
+ msgid ""
+ "Note: Using the Group Policy Management Editor this value is called \"Access "
+ "this computer from the network\" and \"Deny access to this computer from the "
+@@ -10008,7 +10190,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
+-#: sssd-ad.5.xml:623
++#: sssd-ad.5.xml:642
+ #, no-wrap
+ msgid ""
+ "ad_gpo_map_network = +my_pam_service, -ftp\n"
+@@ -10016,7 +10198,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:614
++#: sssd-ad.5.xml:633
+ msgid ""
+ "It is possible to add another PAM service name to the default set by using "
+ "<quote>+service_name</quote> or to explicitly remove a PAM service name from "
+@@ -10028,22 +10210,22 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd-ad.5.xml:631
++#: sssd-ad.5.xml:650
+ msgid "ftp"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd-ad.5.xml:636
++#: sssd-ad.5.xml:655
+ msgid "samba"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ad.5.xml:645
++#: sssd-ad.5.xml:664
+ msgid "ad_gpo_map_batch (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:648
++#: sssd-ad.5.xml:667
+ msgid ""
+ "A comma-separated list of PAM service names for which GPO-based access "
+ "control is evaluated based on the BatchLogonRight and DenyBatchLogonRight "
+@@ -10051,14 +10233,14 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:654
++#: sssd-ad.5.xml:673
+ msgid ""
+ "Note: Using the Group Policy Management Editor this value is called \"Allow "
+ "log on as a batch job\" and \"Deny log on as a batch job\"."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
+-#: sssd-ad.5.xml:668
++#: sssd-ad.5.xml:687
+ #, no-wrap
+ msgid ""
+ "ad_gpo_map_batch = +my_pam_service, -crond\n"
+@@ -10066,7 +10248,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:659
++#: sssd-ad.5.xml:678
+ msgid ""
+ "It is possible to add another PAM service name to the default set by using "
+ "<quote>+service_name</quote> or to explicitly remove a PAM service name from "
+@@ -10078,23 +10260,23 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:671
++#: sssd-ad.5.xml:690
+ msgid ""
+ "Note: Cron service name may differ depending on Linux distribution used."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd-ad.5.xml:677
++#: sssd-ad.5.xml:696
+ msgid "crond"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ad.5.xml:686
++#: sssd-ad.5.xml:705
+ msgid "ad_gpo_map_service (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:689
++#: sssd-ad.5.xml:708
+ msgid ""
+ "A comma-separated list of PAM service names for which GPO-based access "
+ "control is evaluated based on the ServiceLogonRight and "
+@@ -10102,14 +10284,14 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:695
++#: sssd-ad.5.xml:714
+ msgid ""
+ "Note: Using the Group Policy Management Editor this value is called \"Allow "
+ "log on as a service\" and \"Deny log on as a service\"."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
+-#: sssd-ad.5.xml:708
++#: sssd-ad.5.xml:727
+ #, no-wrap
+ msgid ""
+ "ad_gpo_map_service = +my_pam_service\n"
+@@ -10117,7 +10299,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:700 sssd-ad.5.xml:775
++#: sssd-ad.5.xml:719 sssd-ad.5.xml:794
+ msgid ""
+ "It is possible to add a PAM service name to the default set by using <quote>"
+ "+service_name</quote>.  Since the default set is empty, it is not possible "
+@@ -10128,19 +10310,19 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ad.5.xml:718
++#: sssd-ad.5.xml:737
+ msgid "ad_gpo_map_permit (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:721
++#: sssd-ad.5.xml:740
+ msgid ""
+ "A comma-separated list of PAM service names for which GPO-based access is "
+ "always granted, regardless of any GPO Logon Rights."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
+-#: sssd-ad.5.xml:735
++#: sssd-ad.5.xml:754
+ #, no-wrap
+ msgid ""
+ "ad_gpo_map_permit = +my_pam_service, -sudo\n"
+@@ -10148,7 +10330,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:726
++#: sssd-ad.5.xml:745
+ msgid ""
+ "It is possible to add another PAM service name to the default set by using "
+ "<quote>+service_name</quote> or to explicitly remove a PAM service name from "
+@@ -10160,29 +10342,29 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd-ad.5.xml:743
++#: sssd-ad.5.xml:762
+ msgid "polkit-1"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd-ad.5.xml:758
++#: sssd-ad.5.xml:777
+ msgid "systemd-user"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ad.5.xml:767
++#: sssd-ad.5.xml:786
+ msgid "ad_gpo_map_deny (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:770
++#: sssd-ad.5.xml:789
+ msgid ""
+ "A comma-separated list of PAM service names for which GPO-based access is "
+ "always denied, regardless of any GPO Logon Rights."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
+-#: sssd-ad.5.xml:783
++#: sssd-ad.5.xml:802
+ #, no-wrap
+ msgid ""
+ "ad_gpo_map_deny = +my_pam_service\n"
+@@ -10190,12 +10372,12 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ad.5.xml:793
++#: sssd-ad.5.xml:812
+ msgid "ad_gpo_default_right (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:796
++#: sssd-ad.5.xml:815
+ msgid ""
+ "This option defines how access control is evaluated for PAM service names "
+ "that are not explicitly listed in one of the ad_gpo_map_* options. This "
+@@ -10208,57 +10390,57 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:809
++#: sssd-ad.5.xml:828
+ msgid "Supported values for this option include:"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd-ad.5.xml:813
++#: sssd-ad.5.xml:832
+ msgid "interactive"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd-ad.5.xml:818
++#: sssd-ad.5.xml:837
+ msgid "remote_interactive"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd-ad.5.xml:823
++#: sssd-ad.5.xml:842
+ msgid "network"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd-ad.5.xml:828
++#: sssd-ad.5.xml:847
+ msgid "batch"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd-ad.5.xml:833
++#: sssd-ad.5.xml:852
+ msgid "service"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd-ad.5.xml:838
++#: sssd-ad.5.xml:857
+ msgid "permit"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd-ad.5.xml:843
++#: sssd-ad.5.xml:862
+ msgid "deny"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:849
++#: sssd-ad.5.xml:868
+ msgid "Default: deny"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ad.5.xml:855
++#: sssd-ad.5.xml:874
+ msgid "ad_maximum_machine_account_password_age (integer)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:858
++#: sssd-ad.5.xml:877
+ msgid ""
+ "SSSD will check once a day if the machine account password is older than the "
+ "given age in days and try to renew it. A value of 0 will disable the renewal "
+@@ -10266,17 +10448,17 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:864
++#: sssd-ad.5.xml:883
+ msgid "Default: 30 days"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ad.5.xml:870
++#: sssd-ad.5.xml:889
+ msgid "ad_machine_account_password_renewal_opts (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:873
++#: sssd-ad.5.xml:892
+ msgid ""
+ "This option should only be used to test the machine account renewal task. "
+ "The option expects 2 integers separated by a colon (':'). The first integer "
+@@ -10286,12 +10468,12 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:882
++#: sssd-ad.5.xml:901
+ msgid "Default: 86400:750 (24h and 15m)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:891
++#: sssd-ad.5.xml:910
+ msgid ""
+ "Optional. This option tells SSSD to automatically update the Active "
+ "Directory DNS server with the IP address of this client. The update is "
+@@ -10302,19 +10484,19 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:921
++#: sssd-ad.5.xml:940
+ msgid "Default: 3600 (seconds)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:937
++#: sssd-ad.5.xml:956
+ msgid ""
+ "Default: Use the IP addresses of the interface which is used for AD LDAP "
+ "connection"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:950
++#: sssd-ad.5.xml:969
+ msgid ""
+ "How often should the back end perform periodic DNS update in addition to the "
+ "automatic update performed when the back end goes online.  This option is "
+@@ -10324,12 +10506,12 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:973 sss_rpcidmapd.5.xml:76
++#: sssd-ad.5.xml:992 sss_rpcidmapd.5.xml:76
+ msgid "Default: True"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd-ad.5.xml:1065
++#: sssd-ad.5.xml:1084
+ msgid ""
+ "The following example assumes that SSSD is correctly configured and example."
+ "com is one of the domains in the <replaceable>[sssd]</replaceable> section. "
+@@ -10337,7 +10519,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><programlisting>
+-#: sssd-ad.5.xml:1072
++#: sssd-ad.5.xml:1091
+ #, no-wrap
+ msgid ""
+ "[domain/EXAMPLE]\n"
+@@ -10352,7 +10534,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><programlisting>
+-#: sssd-ad.5.xml:1092
++#: sssd-ad.5.xml:1111
+ #, no-wrap
+ msgid ""
+ "access_provider = ldap\n"
+@@ -10361,7 +10543,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd-ad.5.xml:1088
++#: sssd-ad.5.xml:1107
+ msgid ""
+ "The AD access control provider checks if the account is expired.  It has the "
+ "same effect as the following configuration of the LDAP provider: "
+@@ -10369,7 +10551,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd-ad.5.xml:1098
++#: sssd-ad.5.xml:1117
+ msgid ""
+ "However, unless the <quote>ad</quote> access control provider is explicitly "
+ "configured, the default access provider is <quote>permit</quote>. Please "
+@@ -10379,7 +10561,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd-ad.5.xml:1106
++#: sssd-ad.5.xml:1125
+ msgid ""
+ "When the autofs provider is set to <quote>ad</quote>, the RFC2307 schema "
+ "attribute mapping (nisMap, nisObject, ...) is used, because these attributes "
+@@ -11837,23 +12019,61 @@ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd-krb5.5.xml:505
+-msgid "krb5_use_enterprise_principal (boolean)"
++msgid "krb5_kdcinfo_lookahead (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-krb5.5.xml:508
+ msgid ""
++"When krb5_use_kdcinfo is set to true, you can limit the amount of servers "
++"handed to <citerefentry> <refentrytitle>sssd_krb5_locator_plugin</"
++"refentrytitle> <manvolnum>8</manvolnum> </citerefentry>.  This might be "
++"helpful when there are too many servers discovered using SRV record."
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
++#: sssd-krb5.5.xml:518
++msgid ""
++"The krb5_kdcinfo_lookahead option contains two numbers seperated by a colon. "
++"The first number represents number of primary servers used and the second "
++"number specifies the number of backup servers."
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
++#: sssd-krb5.5.xml:524
++msgid ""
++"For example <emphasis>10:0</emphasis> means that up to 10 primary servers "
++"will be handed to <citerefentry> <refentrytitle>sssd_krb5_locator_plugin</"
++"refentrytitle> <manvolnum>8</manvolnum> </citerefentry>.  but no backup "
++"servers."
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
++#: sssd-krb5.5.xml:533
++#, fuzzy
++#| msgid "Default: 1"
++msgid "Default: 3:1"
++msgstr "Noklusējuma: 1"
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
++#: sssd-krb5.5.xml:539
++msgid "krb5_use_enterprise_principal (boolean)"
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
++#: sssd-krb5.5.xml:542
++msgid ""
+ "Specifies if the user principal should be treated as enterprise principal. "
+ "See section 5 of RFC 6806 for more details about enterprise principals."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-krb5.5.xml:514
++#: sssd-krb5.5.xml:548
+ msgid "Default: false (AD provider: true)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-krb5.5.xml:517
++#: sssd-krb5.5.xml:551
+ msgid ""
+ "The IPA provider will set to option to 'true' if it detects that the server "
+ "is capable of handling enterprise principals and the option is not set "
+@@ -11861,12 +12081,12 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-krb5.5.xml:526
++#: sssd-krb5.5.xml:560
+ msgid "krb5_map_user (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-krb5.5.xml:529
++#: sssd-krb5.5.xml:563
+ msgid ""
+ "The list of mappings is given as a comma-separated list of pairs "
+ "<quote>username:primary</quote> where <quote>username</quote> is a UNIX user "
+@@ -11876,7 +12096,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
+-#: sssd-krb5.5.xml:541
++#: sssd-krb5.5.xml:575
+ #, no-wrap
+ msgid ""
+ "krb5_realm = REALM\n"
+@@ -11884,7 +12104,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-krb5.5.xml:546
++#: sssd-krb5.5.xml:580
+ msgid ""
+ "<quote>joe</quote> and <quote>dick</quote> are UNIX user names and "
+ "<quote>juser</quote> and <quote>richard</quote> are primaries of kerberos "
+@@ -11904,7 +12124,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd-krb5.5.xml:572
++#: sssd-krb5.5.xml:606
+ msgid ""
+ "The following example assumes that SSSD is correctly configured and FOO is "
+ "one of the domains in the <replaceable>[sssd]</replaceable> section. This "
+@@ -11913,7 +12133,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><programlisting>
+-#: sssd-krb5.5.xml:580
++#: sssd-krb5.5.xml:614
+ #, no-wrap
+ msgid ""
+ "[domain/FOO]\n"
+diff --git a/src/man/po/nl.po b/src/man/po/nl.po
+index 15afa24b2..34dc83654 100644
+--- a/src/man/po/nl.po
++++ b/src/man/po/nl.po
+@@ -8,7 +8,7 @@ msgid ""
+ msgstr ""
+ "Project-Id-Version: sssd-docs 2.0.99\n"
+ "Report-Msgid-Bugs-To: sssd-devel@redhat.com\n"
+-"POT-Creation-Date: 2019-03-20 22:06+0100\n"
++"POT-Creation-Date: 2019-10-07 11:33+0200\n"
+ "PO-Revision-Date: 2014-12-15 12:02+0000\n"
+ "Last-Translator: Copied by Zanata <copied-by-zanata@zanata.org>\n"
+ "Language-Team: Dutch (http://www.transifex.com/projects/p/sssd/language/"
+@@ -319,10 +319,10 @@ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:133 sssd.conf.5.xml:543 sssd.conf.5.xml:840
+-#: sssd.conf.5.xml:1566 sssd.conf.5.xml:1596 sssd-ldap.5.xml:1889
+-#: sssd-ldap.5.xml:1986 sssd-ldap.5.xml:2048 sssd-ldap.5.xml:2614
+-#: sssd-ldap.5.xml:2679 sssd-ldap.5.xml:2697 sssd-ad.5.xml:227
+-#: sssd-ad.5.xml:341 sssd-ad.5.xml:907 sssd-krb5.5.xml:499
++#: sssd.conf.5.xml:1566 sssd.conf.5.xml:1596 sssd-ldap.5.xml:1908
++#: sssd-ldap.5.xml:2006 sssd-ldap.5.xml:2068 sssd-ldap.5.xml:2634
++#: sssd-ldap.5.xml:2699 sssd-ldap.5.xml:2717 sssd-ad.5.xml:227
++#: sssd-ad.5.xml:341 sssd-ad.5.xml:926 sssd-krb5.5.xml:499
+ #: sssd-secrets.5.xml:351 sssd-secrets.5.xml:364
+ msgid "Default: true"
+ msgstr "Standaard: true"
+@@ -341,16 +341,16 @@ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:146 sssd.conf.5.xml:540 sssd.conf.5.xml:722
+-#: sssd.conf.5.xml:1499 sssd.conf.5.xml:3106 sssd-ldap.5.xml:746
+-#: sssd-ldap.5.xml:1752 sssd-ldap.5.xml:1771 sssd-ldap.5.xml:1958
+-#: sssd-ldap.5.xml:2384 sssd-ipa.5.xml:151 sssd-ipa.5.xml:238
++#: sssd.conf.5.xml:1499 sssd.conf.5.xml:3129 sssd-ldap.5.xml:746
++#: sssd-ldap.5.xml:1759 sssd-ldap.5.xml:1778 sssd-ldap.5.xml:1978
++#: sssd-ldap.5.xml:2404 sssd-ipa.5.xml:151 sssd-ipa.5.xml:238
+ #: sssd-ipa.5.xml:559 sssd-krb5.5.xml:266 sssd-krb5.5.xml:300
+ #: sssd-krb5.5.xml:471
+ msgid "Default: false"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para>
+-#: sssd.conf.5.xml:106 sssd.conf.5.xml:157 sssd-ldap.5.xml:2422
++#: sssd.conf.5.xml:106 sssd.conf.5.xml:157 sssd-ldap.5.xml:2442
+ #: sssd-systemtap.5.xml:82 sssd-systemtap.5.xml:143 sssd-systemtap.5.xml:210
+ #: sssd-systemtap.5.xml:248 sssd-systemtap.5.xml:304
+ msgid "<placeholder type=\"variablelist\" id=\"0\"/>"
+@@ -375,8 +375,8 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:169 sssd.conf.5.xml:1377 sssd.conf.5.xml:3122
+-#: sssd-ldap.5.xml:1623 include/ldap_id_mapping.xml:264
++#: sssd.conf.5.xml:169 sssd.conf.5.xml:1377 sssd.conf.5.xml:3145
++#: sssd-ldap.5.xml:1630 include/ldap_id_mapping.xml:264
+ msgid "Default: 10"
+ msgstr ""
+ 
+@@ -391,7 +391,7 @@ msgid "The [sssd] section"
+ msgstr "De [sssd] sectie"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><title>
+-#: sssd.conf.5.xml:191 sssd.conf.5.xml:3211
++#: sssd.conf.5.xml:191 sssd.conf.5.xml:3234
+ msgid "Section parameters"
+ msgstr "Sectie parameters"
+ 
+@@ -475,7 +475,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:259 sssd.conf.5.xml:2672
++#: sssd.conf.5.xml:259 sssd.conf.5.xml:2680
+ msgid "re_expression (string)"
+ msgstr "re_expression (tekst)"
+ 
+@@ -495,12 +495,12 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:276 sssd.conf.5.xml:2720
++#: sssd.conf.5.xml:276 sssd.conf.5.xml:2728
+ msgid "full_name_format (string)"
+ msgstr "full_name_format (tekst)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:279 sssd.conf.5.xml:2723
++#: sssd.conf.5.xml:279 sssd.conf.5.xml:2731
+ msgid ""
+ "A <citerefentry> <refentrytitle>printf</refentrytitle> <manvolnum>3</"
+ "manvolnum> </citerefentry>-compatible format that describes how to compose a "
+@@ -508,39 +508,39 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:290 sssd.conf.5.xml:2734
++#: sssd.conf.5.xml:290 sssd.conf.5.xml:2742
+ msgid "%1$s"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:291 sssd.conf.5.xml:2735
++#: sssd.conf.5.xml:291 sssd.conf.5.xml:2743
+ msgid "user name"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:294 sssd.conf.5.xml:2738
++#: sssd.conf.5.xml:294 sssd.conf.5.xml:2746
+ msgid "%2$s"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:297 sssd.conf.5.xml:2741
++#: sssd.conf.5.xml:297 sssd.conf.5.xml:2749
+ msgid "domain name as specified in the SSSD config file."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:303 sssd.conf.5.xml:2747
++#: sssd.conf.5.xml:303 sssd.conf.5.xml:2755
+ msgid "%3$s"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:306 sssd.conf.5.xml:2750
++#: sssd.conf.5.xml:306 sssd.conf.5.xml:2758
+ msgid ""
+ "domain flat name. Mostly usable for Active Directory domains, both directly "
+ "configured or discovered via IPA trusts."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:287 sssd.conf.5.xml:2731
++#: sssd.conf.5.xml:287 sssd.conf.5.xml:2739
+ msgid ""
+ "The following expansions are supported: <placeholder type=\"variablelist\" "
+ "id=\"0\"/>"
+@@ -679,9 +679,9 @@ msgstr ""
+ 
+ #. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:418 sssd.conf.5.xml:1166 sssd-ldap.5.xml:717
+-#: sssd-ldap.5.xml:1357 sssd-ldap.5.xml:1711 sssd-ldap.5.xml:1723
+-#: sssd-ldap.5.xml:1805 sssd-ad.5.xml:712 sssd-ad.5.xml:787 sssd.8.xml:126
+-#: sssd-krb5.5.xml:410 sssd-krb5.5.xml:556 sssd-secrets.5.xml:339
++#: sssd-ldap.5.xml:1357 sssd-ldap.5.xml:1718 sssd-ldap.5.xml:1730
++#: sssd-ldap.5.xml:1822 sssd-ad.5.xml:731 sssd-ad.5.xml:806 sssd.8.xml:126
++#: sssd-krb5.5.xml:410 sssd-krb5.5.xml:590 sssd-secrets.5.xml:339
+ #: sssd-secrets.5.xml:377 sssd-secrets.5.xml:390 sssd-secrets.5.xml:404
+ #: sssd-secrets.5.xml:415 include/ldap_id_mapping.xml:205
+ #: include/ldap_id_mapping.xml:216
+@@ -872,7 +872,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:588 sssd.conf.5.xml:1389 sssd.conf.5.xml:3172
++#: sssd.conf.5.xml:588 sssd.conf.5.xml:1389 sssd.conf.5.xml:3195
+ #: sssd-ad.5.xml:164 sssd-ad.5.xml:302 sssd-ad.5.xml:316
+ msgid "Default: Not set"
+ msgstr ""
+@@ -1198,7 +1198,7 @@ msgstr ""
+ 
+ #. type: Content of: <varlistentry><listitem><para>
+ #: sssd.conf.5.xml:859 sssd.conf.5.xml:1299 sssd.conf.5.xml:1318
+-#: sssd-krb5.5.xml:539 include/override_homedir.xml:59
++#: sssd-krb5.5.xml:573 include/override_homedir.xml:59
+ msgid "example: <placeholder type=\"programlisting\" id=\"0\"/>"
+ msgstr ""
+ 
+@@ -1619,7 +1619,7 @@ msgid "pam_pwd_expiration_warning (integer)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:1201 sssd.conf.5.xml:2153
++#: sssd.conf.5.xml:1201 sssd.conf.5.xml:2161
+ msgid "Display a warning N days before the password expires."
+ msgstr ""
+ 
+@@ -1632,7 +1632,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:1210 sssd.conf.5.xml:2156
++#: sssd.conf.5.xml:1210 sssd.conf.5.xml:2164
+ msgid ""
+ "If zero is set, then this filter is not applied, i.e. if the expiration "
+ "warning was received from backend server, it will automatically be displayed."
+@@ -1646,7 +1646,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:1220 sssd.conf.5.xml:2976 sssd.8.xml:79
++#: sssd.conf.5.xml:1220 sssd.conf.5.xml:2991 sssd.8.xml:79
+ msgid "Default: 0"
+ msgstr "Standaard: 0"
+ 
+@@ -1709,7 +1709,7 @@ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:1280 sssd.conf.5.xml:1305 sssd.conf.5.xml:1324
+-#: sssd.conf.5.xml:1950 sssd.conf.5.xml:2912 sssd-ldap.5.xml:2017
++#: sssd.conf.5.xml:1950 sssd.conf.5.xml:2920 sssd-ldap.5.xml:2037
+ msgid "Default: none"
+ msgstr ""
+ 
+@@ -1774,9 +1774,9 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:1338 sssd.conf.5.xml:3056 sssd-ldap.5.xml:1125
+-#: sssd-ldap.5.xml:1152 sssd-ldap.5.xml:1552 sssd-ldap.5.xml:1573
+-#: sssd-ldap.5.xml:2090 include/ldap_id_mapping.xml:244
++#: sssd.conf.5.xml:1338 sssd-ldap.5.xml:1125 sssd-ldap.5.xml:1152
++#: sssd-ldap.5.xml:1552 sssd-ldap.5.xml:1573 sssd-ldap.5.xml:2110
++#: sssd-ad.5.xml:453 include/ldap_id_mapping.xml:244
+ msgid "Default: False"
+ msgstr ""
+ 
+@@ -1874,48 +1874,48 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:1416 sssd-ad.5.xml:485 sssd-ad.5.xml:581 sssd-ad.5.xml:627
+-#: sssd-ad.5.xml:673 sssd-ad.5.xml:739
++#: sssd.conf.5.xml:1416 sssd-ad.5.xml:504 sssd-ad.5.xml:600 sssd-ad.5.xml:646
++#: sssd-ad.5.xml:692 sssd-ad.5.xml:758
+ msgid "Default: the default set of PAM service names includes:"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd.conf.5.xml:1421 sssd-ad.5.xml:489
++#: sssd.conf.5.xml:1421 sssd-ad.5.xml:508
+ msgid "login"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd.conf.5.xml:1426 sssd-ad.5.xml:494
++#: sssd.conf.5.xml:1426 sssd-ad.5.xml:513
+ msgid "su"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd.conf.5.xml:1431 sssd-ad.5.xml:499
++#: sssd.conf.5.xml:1431 sssd-ad.5.xml:518
+ msgid "su-l"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd.conf.5.xml:1436 sssd-ad.5.xml:514
++#: sssd.conf.5.xml:1436 sssd-ad.5.xml:533
+ msgid "gdm-smartcard"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd.conf.5.xml:1441 sssd-ad.5.xml:509
++#: sssd.conf.5.xml:1441 sssd-ad.5.xml:528
+ msgid "gdm-password"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd.conf.5.xml:1446 sssd-ad.5.xml:519
++#: sssd.conf.5.xml:1446 sssd-ad.5.xml:538
+ msgid "kdm"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd.conf.5.xml:1451 sssd-ad.5.xml:748
++#: sssd.conf.5.xml:1451 sssd-ad.5.xml:767
+ msgid "sudo"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd.conf.5.xml:1456 sssd-ad.5.xml:753
++#: sssd.conf.5.xml:1456 sssd-ad.5.xml:772
+ msgid "sudo-i"
+ msgstr ""
+ 
+@@ -2358,7 +2358,7 @@ msgid "FALSE = No enumerations for this domain"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:1886 sssd.conf.5.xml:2108 sssd.conf.5.xml:2283
++#: sssd.conf.5.xml:1886 sssd.conf.5.xml:2116 sssd.conf.5.xml:2291
+ msgid "Default: FALSE"
+ msgstr ""
+ 
+@@ -2574,41 +2574,49 @@ msgstr ""
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:2083
+ msgid ""
+-"The background refresh will process users, groups and netgroups in the cache."
++"The background refresh will process users, groups and netgroups in the "
++"cache. For users who have performed the initgroups (get group membership for "
++"user, typically ran at login)  operation in the past, both the user entry "
++"and the group membership are updated."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2087
++#: sssd.conf.5.xml:2091
++msgid "This option is automatically inherited for all trusted domains."
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
++#: sssd.conf.5.xml:2095
+ msgid "You can consider setting this value to 3/4 * entry_cache_timeout."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2091 sssd-ldap.5.xml:784 sssd-ipa.5.xml:254
++#: sssd.conf.5.xml:2099 sssd-ldap.5.xml:784 sssd-ipa.5.xml:254
+ msgid "Default: 0 (disabled)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2097
++#: sssd.conf.5.xml:2105
+ msgid "cache_credentials (bool)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2100
++#: sssd.conf.5.xml:2108
+ msgid "Determines if user credentials are also cached in the local LDB cache"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2104
++#: sssd.conf.5.xml:2112
+ msgid "User credentials are stored in a SHA512 hash, not in plaintext"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2114
++#: sssd.conf.5.xml:2122
+ msgid "cache_credentials_minimal_first_factor_length (int)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2117
++#: sssd.conf.5.xml:2125
+ msgid ""
+ "If 2-Factor-Authentication (2FA) is used and credentials should be saved "
+ "this value determines the minimal length the first authentication factor "
+@@ -2616,24 +2624,24 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2124
++#: sssd.conf.5.xml:2132
+ msgid ""
+ "This should avoid that the short PINs of a PIN based 2FA scheme are saved in "
+ "the cache which would make them easy targets for brute-force attacks."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2129
++#: sssd.conf.5.xml:2137
+ msgid "Default: 8"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2135
++#: sssd.conf.5.xml:2143
+ msgid "account_cache_expiration (integer)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2138
++#: sssd.conf.5.xml:2146
+ msgid ""
+ "Number of days entries are left in cache after last successful login before "
+ "being removed during a cleanup of the cache. 0 means keep forever.  The "
+@@ -2642,17 +2650,17 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2145
++#: sssd.conf.5.xml:2153
+ msgid "Default: 0 (unlimited)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2150
++#: sssd.conf.5.xml:2158
+ msgid "pwd_expiration_warning (integer)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2161
++#: sssd.conf.5.xml:2169
+ msgid ""
+ "Please note that the backend server has to provide information about the "
+ "expiration time of the password.  If this information is missing, sssd "
+@@ -2661,34 +2669,34 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2168
++#: sssd.conf.5.xml:2176
+ msgid "Default: 7 (Kerberos), 0 (LDAP)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2174
++#: sssd.conf.5.xml:2182
+ msgid "id_provider (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2177
++#: sssd.conf.5.xml:2185
+ msgid ""
+ "The identification provider used for the domain.  Supported ID providers are:"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2181
++#: sssd.conf.5.xml:2189
+ msgid "<quote>proxy</quote>: Support a legacy NSS provider."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2184
++#: sssd.conf.5.xml:2192
+ msgid ""
+ "<quote>local</quote>: SSSD internal provider for local users (DEPRECATED)."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2188
++#: sssd.conf.5.xml:2196
+ msgid ""
+ "<quote>files</quote>: FILES provider. See <citerefentry> <refentrytitle>sssd-"
+ "files</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> for more "
+@@ -2696,7 +2704,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2196
++#: sssd.conf.5.xml:2204
+ msgid ""
+ "<quote>ldap</quote>: LDAP provider. See <citerefentry> <refentrytitle>sssd-"
+ "ldap</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> for more "
+@@ -2704,8 +2712,8 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2204 sssd.conf.5.xml:2309 sssd.conf.5.xml:2364
+-#: sssd.conf.5.xml:2427
++#: sssd.conf.5.xml:2212 sssd.conf.5.xml:2317 sssd.conf.5.xml:2372
++#: sssd.conf.5.xml:2435
+ msgid ""
+ "<quote>ipa</quote>: FreeIPA and Red Hat Enterprise Identity Management "
+ "provider. See <citerefentry> <refentrytitle>sssd-ipa</refentrytitle> "
+@@ -2714,8 +2722,8 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2213 sssd.conf.5.xml:2318 sssd.conf.5.xml:2373
+-#: sssd.conf.5.xml:2436
++#: sssd.conf.5.xml:2221 sssd.conf.5.xml:2326 sssd.conf.5.xml:2381
++#: sssd.conf.5.xml:2444
+ msgid ""
+ "<quote>ad</quote>: Active Directory provider. See <citerefentry> "
+ "<refentrytitle>sssd-ad</refentrytitle> <manvolnum>5</manvolnum> </"
+@@ -2723,19 +2731,19 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2224
++#: sssd.conf.5.xml:2232
+ msgid "use_fully_qualified_names (bool)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2227
++#: sssd.conf.5.xml:2235
+ msgid ""
+ "Use the full name and domain (as formatted by the domain's full_name_format) "
+ "as the user's login name reported to NSS."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2232
++#: sssd.conf.5.xml:2240
+ msgid ""
+ "If set to TRUE, all requests to this domain must use fully qualified names. "
+ "For example, if used in LOCAL domain that contains a \"test\" user, "
+@@ -2744,7 +2752,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2240
++#: sssd.conf.5.xml:2248
+ msgid ""
+ "NOTE: This option has no effect on netgroup lookups due to their tendency to "
+ "include nested netgroups without qualified names. For netgroups, all domains "
+@@ -2752,22 +2760,22 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2247
++#: sssd.conf.5.xml:2255
+ msgid "Default: FALSE (TRUE if default_domain_suffix is used)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2253
++#: sssd.conf.5.xml:2261
+ msgid "ignore_group_members (bool)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2256
++#: sssd.conf.5.xml:2264
+ msgid "Do not return group members for group lookups."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2259
++#: sssd.conf.5.xml:2267
+ msgid ""
+ "If set to TRUE, the group membership attribute is not requested from the "
+ "ldap server, and group members are not returned when processing group lookup "
+@@ -2779,7 +2787,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2277
++#: sssd.conf.5.xml:2285
+ msgid ""
+ "Enabling this option can also make access provider checks for group "
+ "membership significantly faster, especially for groups containing many "
+@@ -2787,19 +2795,19 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2288
++#: sssd.conf.5.xml:2296
+ msgid "auth_provider (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2291
++#: sssd.conf.5.xml:2299
+ msgid ""
+ "The authentication provider used for the domain.  Supported auth providers "
+ "are:"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2295 sssd.conf.5.xml:2357
++#: sssd.conf.5.xml:2303 sssd.conf.5.xml:2365
+ msgid ""
+ "<quote>ldap</quote> for native LDAP authentication. See <citerefentry> "
+ "<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
+@@ -2807,7 +2815,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2302
++#: sssd.conf.5.xml:2310
+ msgid ""
+ "<quote>krb5</quote> for Kerberos authentication. See <citerefentry> "
+ "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </"
+@@ -2815,35 +2823,35 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2326
++#: sssd.conf.5.xml:2334
+ msgid ""
+ "<quote>proxy</quote> for relaying authentication to some other PAM target."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2329
++#: sssd.conf.5.xml:2337
+ msgid "<quote>local</quote>: SSSD internal provider for local users"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2333
++#: sssd.conf.5.xml:2341
+ msgid "<quote>none</quote> disables authentication explicitly."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2336
++#: sssd.conf.5.xml:2344
+ msgid ""
+ "Default: <quote>id_provider</quote> is used if it is set and can handle "
+ "authentication requests."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2342
++#: sssd.conf.5.xml:2350
+ msgid "access_provider (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2345
++#: sssd.conf.5.xml:2353
+ msgid ""
+ "The access control provider used for the domain.  There are two built-in "
+ "access providers (in addition to any included in installed backends)  "
+@@ -2851,19 +2859,19 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2351
++#: sssd.conf.5.xml:2359
+ msgid ""
+ "<quote>permit</quote> always allow access. It's the only permitted access "
+ "provider for a local domain."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2354
++#: sssd.conf.5.xml:2362
+ msgid "<quote>deny</quote> always deny access."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2381
++#: sssd.conf.5.xml:2389
+ msgid ""
+ "<quote>simple</quote> access control based on access or deny lists. See "
+ "<citerefentry> <refentrytitle>sssd-simple</refentrytitle> <manvolnum>5</"
+@@ -2872,7 +2880,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2388
++#: sssd.conf.5.xml:2396
+ msgid ""
+ "<quote>krb5</quote>: .k5login based access control.  See <citerefentry> "
+ "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum></"
+@@ -2880,29 +2888,29 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2395
++#: sssd.conf.5.xml:2403
+ msgid "<quote>proxy</quote> for relaying access control to another PAM module."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2398
++#: sssd.conf.5.xml:2406
+ msgid "Default: <quote>permit</quote>"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2403
++#: sssd.conf.5.xml:2411
+ msgid "chpass_provider (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2406
++#: sssd.conf.5.xml:2414
+ msgid ""
+ "The provider which should handle change password operations for the domain.  "
+ "Supported change password providers are:"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2411
++#: sssd.conf.5.xml:2419
+ msgid ""
+ "<quote>ldap</quote> to change a password stored in a LDAP server. See "
+ "<citerefentry> <refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</"
+@@ -2910,7 +2918,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2419
++#: sssd.conf.5.xml:2427
+ msgid ""
+ "<quote>krb5</quote> to change the Kerberos password. See <citerefentry> "
+ "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </"
+@@ -2918,35 +2926,35 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2444
++#: sssd.conf.5.xml:2452
+ msgid ""
+ "<quote>proxy</quote> for relaying password changes to some other PAM target."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2448
++#: sssd.conf.5.xml:2456
+ msgid "<quote>none</quote> disallows password changes explicitly."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2451
++#: sssd.conf.5.xml:2459
+ msgid ""
+ "Default: <quote>auth_provider</quote> is used if it is set and can handle "
+ "change password requests."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2458
++#: sssd.conf.5.xml:2466
+ msgid "sudo_provider (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2461
++#: sssd.conf.5.xml:2469
+ msgid "The SUDO provider used for the domain.  Supported SUDO providers are:"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2465
++#: sssd.conf.5.xml:2473
+ msgid ""
+ "<quote>ldap</quote> for rules stored in LDAP. See <citerefentry> "
+ "<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
+@@ -2954,32 +2962,32 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2473
++#: sssd.conf.5.xml:2481
+ msgid ""
+ "<quote>ipa</quote> the same as <quote>ldap</quote> but with IPA default "
+ "settings."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2477
++#: sssd.conf.5.xml:2485
+ msgid ""
+ "<quote>ad</quote> the same as <quote>ldap</quote> but with AD default "
+ "settings."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2481
++#: sssd.conf.5.xml:2489
+ msgid "<quote>none</quote> disables SUDO explicitly."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2484 sssd.conf.5.xml:2570 sssd.conf.5.xml:2640
+-#: sssd.conf.5.xml:2665
++#: sssd.conf.5.xml:2492 sssd.conf.5.xml:2578 sssd.conf.5.xml:2648
++#: sssd.conf.5.xml:2673
+ msgid "Default: The value of <quote>id_provider</quote> is used if it is set."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2488
++#: sssd.conf.5.xml:2496
+ msgid ""
+ "The detailed instructions for configuration of sudo_provider are in the "
+ "manual page <citerefentry> <refentrytitle>sssd-sudo</refentrytitle> "
+@@ -2990,7 +2998,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2503
++#: sssd.conf.5.xml:2511
+ msgid ""
+ "<emphasis>NOTE:</emphasis> Sudo rules are periodically downloaded in the "
+ "background unless the sudo provider is explicitly disabled. Set "
+@@ -2999,12 +3007,12 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2513
++#: sssd.conf.5.xml:2521
+ msgid "selinux_provider (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2516
++#: sssd.conf.5.xml:2524
+ msgid ""
+ "The provider which should handle loading of selinux settings. Note that this "
+ "provider will be called right after access provider ends.  Supported selinux "
+@@ -3012,7 +3020,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2522
++#: sssd.conf.5.xml:2530
+ msgid ""
+ "<quote>ipa</quote> to load selinux settings from an IPA server. See "
+ "<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</"
+@@ -3020,31 +3028,31 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2530
++#: sssd.conf.5.xml:2538
+ msgid "<quote>none</quote> disallows fetching selinux settings explicitly."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2533
++#: sssd.conf.5.xml:2541
+ msgid ""
+ "Default: <quote>id_provider</quote> is used if it is set and can handle "
+ "selinux loading requests."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2539
++#: sssd.conf.5.xml:2547
+ msgid "subdomains_provider (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2542
++#: sssd.conf.5.xml:2550
+ msgid ""
+ "The provider which should handle fetching of subdomains. This value should "
+ "be always the same as id_provider.  Supported subdomain providers are:"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2548
++#: sssd.conf.5.xml:2556
+ msgid ""
+ "<quote>ipa</quote> to load a list of subdomains from an IPA server. See "
+ "<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</"
+@@ -3052,7 +3060,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2557
++#: sssd.conf.5.xml:2565
+ msgid ""
+ "<quote>ad</quote> to load a list of subdomains from an Active Directory "
+ "server. See <citerefentry> <refentrytitle>sssd-ad</refentrytitle> "
+@@ -3061,17 +3069,17 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2566
++#: sssd.conf.5.xml:2574
+ msgid "<quote>none</quote> disallows fetching subdomains explicitly."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2576
++#: sssd.conf.5.xml:2584
+ msgid "session_provider (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2579
++#: sssd.conf.5.xml:2587
+ msgid ""
+ "The provider which configures and manages user session related tasks. The "
+ "only user session task currently provided is the integration with Fleet "
+@@ -3079,43 +3087,43 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2586
++#: sssd.conf.5.xml:2594
+ msgid "<quote>ipa</quote> to allow performing user session related tasks."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2590
++#: sssd.conf.5.xml:2598
+ msgid ""
+ "<quote>none</quote> does not perform any kind of user session related tasks."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2594
++#: sssd.conf.5.xml:2602
+ msgid ""
+ "Default: <quote>id_provider</quote> is used if it is set and can perform "
+ "session related tasks."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2598
++#: sssd.conf.5.xml:2606
+ msgid ""
+ "<emphasis>NOTE:</emphasis> In order to have this feature working as expected "
+ "SSSD must be running as \"root\" and not as the unprivileged user."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2606
++#: sssd.conf.5.xml:2614
+ msgid "autofs_provider (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2609
++#: sssd.conf.5.xml:2617
+ msgid ""
+ "The autofs provider used for the domain.  Supported autofs providers are:"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2613
++#: sssd.conf.5.xml:2621
+ msgid ""
+ "<quote>ldap</quote> to load maps stored in LDAP. See <citerefentry> "
+ "<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
+@@ -3123,7 +3131,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2620
++#: sssd.conf.5.xml:2628
+ msgid ""
+ "<quote>ipa</quote> to load maps stored in an IPA server. See <citerefentry> "
+ "<refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</manvolnum> </"
+@@ -3131,7 +3139,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2628
++#: sssd.conf.5.xml:2636
+ msgid ""
+ "<quote>ad</quote> to load maps stored in an AD server. See <citerefentry> "
+ "<refentrytitle>sssd-ad</refentrytitle> <manvolnum>5</manvolnum> </"
+@@ -3139,24 +3147,24 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2637
++#: sssd.conf.5.xml:2645
+ msgid "<quote>none</quote> disables autofs explicitly."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2647
++#: sssd.conf.5.xml:2655
+ msgid "hostid_provider (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2650
++#: sssd.conf.5.xml:2658
+ msgid ""
+ "The provider used for retrieving host identity information.  Supported "
+ "hostid providers are:"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2654
++#: sssd.conf.5.xml:2662
+ msgid ""
+ "<quote>ipa</quote> to load host identity stored in an IPA server. See "
+ "<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</"
+@@ -3164,12 +3172,12 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2662
++#: sssd.conf.5.xml:2670
+ msgid "<quote>none</quote> disables hostid explicitly."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2675
++#: sssd.conf.5.xml:2683
+ msgid ""
+ "Regular expression for this domain that describes how to parse the string "
+ "containing user name and domain into these components.  The \"domain\" can "
+@@ -3179,7 +3187,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2684
++#: sssd.conf.5.xml:2692
+ msgid ""
+ "Default for the AD and IPA provider: <quote>(((?P&lt;domain&gt;[^\\\\]+)\\"
+ "\\(?P&lt;name&gt;.+$))|((?P&lt;name&gt;[^@]+)@(?P&lt;domain&gt;.+$))|(^(?"
+@@ -3188,29 +3196,29 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd.conf.5.xml:2689
++#: sssd.conf.5.xml:2697
+ msgid "username"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd.conf.5.xml:2692
++#: sssd.conf.5.xml:2700
+ msgid "username@domain.name"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd.conf.5.xml:2695
++#: sssd.conf.5.xml:2703
+ msgid "domain\\username"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2698
++#: sssd.conf.5.xml:2706
+ msgid ""
+ "While the first two correspond to the general default the third one is "
+ "introduced to allow easy integration of users from Windows domains."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2703
++#: sssd.conf.5.xml:2711
+ msgid ""
+ "Default: <quote>(?P&lt;name&gt;[^@]+)@?(?P&lt;domain&gt;[^@]*$)</quote> "
+ "which translates to \"the name is everything up to the <quote>@</quote> "
+@@ -3221,7 +3229,7 @@ msgstr ""
+ "het domein alles daarna\""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2709
++#: sssd.conf.5.xml:2717
+ msgid ""
+ "NOTE: Some Active Directory groups, typically those used for MS Exchange "
+ "contain an <quote>@</quote> sign in the name, which clashes with the default "
+@@ -3231,59 +3239,59 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2760
++#: sssd.conf.5.xml:2768
+ msgid "Default: <quote>%1$s@%2$s</quote>."
+ msgstr "Standaard: <quote>%1$s@%2$s</quote>."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2766
++#: sssd.conf.5.xml:2774
+ msgid "lookup_family_order (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2769
++#: sssd.conf.5.xml:2777
+ msgid ""
+ "Provides the ability to select preferred address family to use when "
+ "performing DNS lookups."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2773
++#: sssd.conf.5.xml:2781
+ msgid "Supported values:"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2776
++#: sssd.conf.5.xml:2784
+ msgid "ipv4_first: Try looking up IPv4 address, if that fails, try IPv6"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2779
++#: sssd.conf.5.xml:2787
+ msgid "ipv4_only: Only attempt to resolve hostnames to IPv4 addresses."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2782
++#: sssd.conf.5.xml:2790
+ msgid "ipv6_first: Try looking up IPv6 address, if that fails, try IPv4"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2785
++#: sssd.conf.5.xml:2793
+ msgid "ipv6_only: Only attempt to resolve hostnames to IPv6 addresses."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2788
++#: sssd.conf.5.xml:2796
+ msgid "Default: ipv4_first"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2794
++#: sssd.conf.5.xml:2802
+ msgid "dns_resolver_timeout (integer)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2797
++#: sssd.conf.5.xml:2805
+ msgid ""
+ "Defines the amount of time (in seconds) to wait for a reply from the "
+ "internal fail over service before assuming that the service is unreachable. "
+@@ -3292,77 +3300,77 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2804
++#: sssd.conf.5.xml:2812
+ msgid ""
+ "Please see the section <quote>FAILOVER</quote> for more information about "
+ "the service resolution."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2809 sssd-ldap.5.xml:1434 sssd-ldap.5.xml:1476
++#: sssd.conf.5.xml:2817 sssd-ldap.5.xml:1434 sssd-ldap.5.xml:1476
+ #: sssd-ldap.5.xml:1494 sssd-krb5.5.xml:248
+ msgid "Default: 6"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2815
++#: sssd.conf.5.xml:2823
+ msgid "dns_discovery_domain (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2818
++#: sssd.conf.5.xml:2826
+ msgid ""
+ "If service discovery is used in the back end, specifies the domain part of "
+ "the service discovery DNS query."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2822
++#: sssd.conf.5.xml:2830
+ msgid "Default: Use the domain part of machine's hostname"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2828
++#: sssd.conf.5.xml:2836
+ msgid "override_gid (integer)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2831
++#: sssd.conf.5.xml:2839
+ msgid "Override the primary GID value with the one specified."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2837
++#: sssd.conf.5.xml:2845
+ msgid "case_sensitive (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2845
++#: sssd.conf.5.xml:2853
+ msgid "True"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2848
++#: sssd.conf.5.xml:2856
+ msgid "Case sensitive. This value is invalid for AD provider."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2854
++#: sssd.conf.5.xml:2862
+ msgid "False"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2856
++#: sssd.conf.5.xml:2864
+ msgid "Case insensitive."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2860
++#: sssd.conf.5.xml:2868
+ msgid "Preserving"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2863
++#: sssd.conf.5.xml:2871
+ msgid ""
+ "Same as False (case insensitive), but does not lowercase names in the result "
+ "of NSS operations. Note that name aliases (and in case of services also "
+@@ -3370,7 +3378,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2840
++#: sssd.conf.5.xml:2848
+ msgid ""
+ "Treat user and group names as case sensitive. At the moment, this option is "
+ "not supported in the local provider. Possible option values are: "
+@@ -3378,17 +3386,17 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2875
++#: sssd.conf.5.xml:2883
+ msgid "Default: True (False for AD provider)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2881
++#: sssd.conf.5.xml:2889
+ msgid "subdomain_inherit (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2884
++#: sssd.conf.5.xml:2892
+ msgid ""
+ "Specifies a list of configuration parameters that should be inherited by a "
+ "subdomain. Please note that only selected parameters can be inherited.  "
+@@ -3396,34 +3404,34 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2890
++#: sssd.conf.5.xml:2898
+ msgid "ignore_group_members"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2893
++#: sssd.conf.5.xml:2901
+ msgid "ldap_purge_cache_timeout"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2896 sssd-ldap.5.xml:1158
++#: sssd.conf.5.xml:2904 sssd-ldap.5.xml:1158
+ msgid "ldap_use_tokengroups"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2899
++#: sssd.conf.5.xml:2907
+ msgid "ldap_user_principal"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2902
++#: sssd.conf.5.xml:2910
+ msgid ""
+ "ldap_krb5_keytab (the value of krb5_keytab will be used if ldap_krb5_keytab "
+ "is not set explicitly)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
+-#: sssd.conf.5.xml:2908
++#: sssd.conf.5.xml:2916
+ #, no-wrap
+ msgid ""
+ "subdomain_inherit = ldap_purge_cache_timeout\n"
+@@ -3431,32 +3439,32 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2906 sssd-secrets.5.xml:448
++#: sssd.conf.5.xml:2914 sssd-secrets.5.xml:448
+ msgid "Example: <placeholder type=\"programlisting\" id=\"0\"/>"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2915
++#: sssd.conf.5.xml:2923
+ msgid "Note: This option only works with the IPA and AD provider."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2922
++#: sssd.conf.5.xml:2930
+ msgid "subdomain_homedir (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2933
++#: sssd.conf.5.xml:2941
+ msgid "%F"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2934
++#: sssd.conf.5.xml:2942
+ msgid "flat (NetBIOS) name of a subdomain."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2925
++#: sssd.conf.5.xml:2933
+ msgid ""
+ "Use this homedir as default value for all subdomains within this domain in "
+ "IPA AD trust.  See <emphasis>override_homedir</emphasis> for info about "
+@@ -3466,47 +3474,55 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2939
++#: sssd.conf.5.xml:2947
+ msgid ""
+ "The value can be overridden by <emphasis>override_homedir</emphasis> option."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2943
++#: sssd.conf.5.xml:2951
+ msgid "Default: <filename>/home/%d/%u</filename>"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2948
++#: sssd.conf.5.xml:2956
+ msgid "realmd_tags (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2951
++#: sssd.conf.5.xml:2959
+ msgid ""
+ "Various tags stored by the realmd configuration service for this domain."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2957
++#: sssd.conf.5.xml:2965
+ msgid "cached_auth_timeout (int)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2960
++#: sssd.conf.5.xml:2968
+ msgid ""
+ "Specifies time in seconds since last successful online authentication for "
+ "which user will be authenticated using cached credentials while SSSD is in "
+-"the online mode."
++"the online mode. If the credentials are incorrect, SSSD falls back to online "
++"authentication."
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
++#: sssd.conf.5.xml:2976
++msgid ""
++"This option's value is inherited by all trusted domains. At the moment it is "
++"not possible to set a different value per trusted domain."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2966
++#: sssd.conf.5.xml:2981
+ msgid "Special value 0 implies that this feature is disabled."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2970
++#: sssd.conf.5.xml:2985
+ msgid ""
+ "Please note that if <quote>cached_auth_timeout</quote> is longer than "
+ "<quote>pam_id_timeout</quote> then the back end could be called to handle "
+@@ -3514,41 +3530,50 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2981
++#: sssd.conf.5.xml:2996
+ msgid "auto_private_groups (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2987
++#: sssd.conf.5.xml:3002
+ msgid "true"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2990
++#: sssd.conf.5.xml:3005
+ msgid ""
+ "Create user's private group unconditionally from user's UID number.  The GID "
+ "number is ignored in this case."
+ msgstr ""
+ 
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
++#: sssd.conf.5.xml:3009
++msgid ""
++"NOTE: Because the GID number and the user private group are inferred from "
++"the UID number, it is not supported to have multiple entries with the same "
++"UID or GID number with this option. In other words, enabling this option "
++"enforces uniqueness across the ID space."
++msgstr ""
++
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2996
++#: sssd.conf.5.xml:3018
+ msgid "false"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2999
++#: sssd.conf.5.xml:3021
+ msgid ""
+ "Always use the user's primary GID number. The GID number must refer to a "
+ "group object in the LDAP database."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:3005
++#: sssd.conf.5.xml:3027
+ msgid "hybrid"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3008
++#: sssd.conf.5.xml:3030
+ msgid ""
+ "A primary group is autogenerated for user entries whose UID and GID numbers "
+ "have the same value and at the same time the GID number does not correspond "
+@@ -3558,14 +3583,14 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3021
++#: sssd.conf.5.xml:3043
+ msgid ""
+ "If the UID and GID of a user are different, then the GID must correspond to "
+ "a group entry, otherwise the GID is simply not resolvable."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3028
++#: sssd.conf.5.xml:3050
+ msgid ""
+ "This feature is useful for environments that wish to stop maintaining a "
+ "separate group objects for the user private groups, but also wish to retain "
+@@ -3573,34 +3598,43 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2984
++#: sssd.conf.5.xml:2999
+ msgid ""
+ "This option takes any of three available values: <placeholder type="
+ "\"variablelist\" id=\"0\"/>"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3040
++#: sssd.conf.5.xml:3062
+ msgid ""
+-"For POSIX subdomains, setting the option in the main domain is inherited in "
+-"the subdomain."
++"For subdomains, the default value is False for subdomains that use assigned "
++"POSIX IDs and True for subdomains that use automatic ID-mapping."
+ msgstr ""
+ 
+-#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3044
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
++#: sssd.conf.5.xml:3070
++#, no-wrap
++msgid ""
++"[domain/forest.domain/sub.domain]\n"
++"auto_private_groups = false\n"
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
++#: sssd.conf.5.xml:3076
++#, no-wrap
+ msgid ""
+-"For ID-mapping subdomains, auto_private_groups is already enabled for the "
+-"subdomains and setting it to false will not have any effect for the "
+-"subdomain."
++"[domain/forest.domain]\n"
++"subdomain_inherit = auto_private_groups\n"
++"auto_private_groups = false\n"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3049
++#: sssd.conf.5.xml:3067
+ msgid ""
+-"NOTE: Because the GID number and the user private group are inferred from "
+-"the UID number, it is not supported to have multiple entries with the same "
+-"UID or GID number with this option. In other words, enabling this option "
+-"enforces uniqueness across the ID space."
++"The value of auto_private_groups can either be set per subdomains in a "
++"subsection, for example: <placeholder type=\"programlisting\" id=\"0\"/> or "
++"globally for all subdomains in the main domain section using the "
++"subdomain_inherit option: <placeholder type=\"programlisting\" id=\"1\"/>"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+@@ -3612,29 +3646,29 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:3068
++#: sssd.conf.5.xml:3091
+ msgid "proxy_pam_target (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3071
++#: sssd.conf.5.xml:3094
+ msgid "The proxy target PAM proxies to."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3074
++#: sssd.conf.5.xml:3097
+ msgid ""
+ "Default: not set by default, you have to take an existing pam configuration "
+ "or create a new one and add the service name here."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:3082
++#: sssd.conf.5.xml:3105
+ msgid "proxy_lib_name (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3085
++#: sssd.conf.5.xml:3108
+ msgid ""
+ "The name of the NSS library to use in proxy domains. The NSS functions "
+ "searched for in the library are in the form of _nss_$(libName)_$(function), "
+@@ -3642,12 +3676,12 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:3095
++#: sssd.conf.5.xml:3118
+ msgid "proxy_fast_alias (boolean)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3098
++#: sssd.conf.5.xml:3121
+ msgid ""
+ "When a user or group is looked up by name in the proxy provider, a second "
+ "lookup by ID is performed to \"canonicalize\" the name in case the requested "
+@@ -3656,12 +3690,12 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:3112
++#: sssd.conf.5.xml:3135
+ msgid "proxy_max_children (integer)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3115
++#: sssd.conf.5.xml:3138
+ msgid ""
+ "This option specifies the number of pre-forked proxy children. It is useful "
+ "for high-load SSSD environments where sssd may run out of available child "
+@@ -3669,19 +3703,19 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd.conf.5.xml:3064
++#: sssd.conf.5.xml:3087
+ msgid ""
+ "Options valid for proxy domains.  <placeholder type=\"variablelist\" id="
+ "\"0\"/>"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><title>
+-#: sssd.conf.5.xml:3131
++#: sssd.conf.5.xml:3154
+ msgid "Application domains"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para>
+-#: sssd.conf.5.xml:3133
++#: sssd.conf.5.xml:3156
+ msgid ""
+ "SSSD, with its D-Bus interface (see <citerefentry> <refentrytitle>sssd-ifp</"
+ "refentrytitle> <manvolnum>5</manvolnum> </citerefentry>) is appealing to "
+@@ -3698,7 +3732,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para>
+-#: sssd.conf.5.xml:3153
++#: sssd.conf.5.xml:3176
+ msgid ""
+ "Please note that the application domain must still be explicitly enabled in "
+ "the <quote>domains</quote> parameter so that the lookup order between the "
+@@ -3706,17 +3740,17 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><title>
+-#: sssd.conf.5.xml:3159
++#: sssd.conf.5.xml:3182
+ msgid "Application domain parameters"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:3161
++#: sssd.conf.5.xml:3184
+ msgid "inherit_from (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3164
++#: sssd.conf.5.xml:3187
+ msgid ""
+ "The SSSD POSIX-type domain the application domain inherits all settings "
+ "from. The application domain can moreover add its own settings to the "
+@@ -3725,7 +3759,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para>
+-#: sssd.conf.5.xml:3178
++#: sssd.conf.5.xml:3201
+ msgid ""
+ "The following example illustrates the use of an application domain. In this "
+ "setup, the POSIX domain is connected to an LDAP server and is used by the OS "
+@@ -3735,7 +3769,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><programlisting>
+-#: sssd.conf.5.xml:3186
++#: sssd.conf.5.xml:3209
+ #, no-wrap
+ msgid ""
+ "[sssd]\n"
+@@ -3755,12 +3789,12 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><title>
+-#: sssd.conf.5.xml:3204
++#: sssd.conf.5.xml:3227
+ msgid "The local domain section"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para>
+-#: sssd.conf.5.xml:3206
++#: sssd.conf.5.xml:3229
+ msgid ""
+ "This section contains settings for domain that stores users and groups in "
+ "SSSD native database, that is, a domain that uses "
+@@ -3768,73 +3802,73 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:3213
++#: sssd.conf.5.xml:3236
+ msgid "default_shell (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3216
++#: sssd.conf.5.xml:3239
+ msgid "The default shell for users created with SSSD userspace tools."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3220
++#: sssd.conf.5.xml:3243
+ msgid "Default: <filename>/bin/bash</filename>"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:3225
++#: sssd.conf.5.xml:3248
+ msgid "base_directory (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3228
++#: sssd.conf.5.xml:3251
+ msgid ""
+ "The tools append the login name to <replaceable>base_directory</replaceable> "
+ "and use that as the home directory."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3233
++#: sssd.conf.5.xml:3256
+ msgid "Default: <filename>/home</filename>"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:3238
++#: sssd.conf.5.xml:3261
+ msgid "create_homedir (bool)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3241
++#: sssd.conf.5.xml:3264
+ msgid ""
+ "Indicate if a home directory should be created by default for new users.  "
+ "Can be overridden on command line."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3245 sssd.conf.5.xml:3257
++#: sssd.conf.5.xml:3268 sssd.conf.5.xml:3280
+ msgid "Default: TRUE"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:3250
++#: sssd.conf.5.xml:3273
+ msgid "remove_homedir (bool)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3253
++#: sssd.conf.5.xml:3276
+ msgid ""
+ "Indicate if a home directory should be removed by default for deleted "
+ "users.  Can be overridden on command line."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:3262
++#: sssd.conf.5.xml:3285
+ msgid "homedir_umask (integer)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3265
++#: sssd.conf.5.xml:3288
+ msgid ""
+ "Used by <citerefentry> <refentrytitle>sss_useradd</refentrytitle> "
+ "<manvolnum>8</manvolnum> </citerefentry> to specify the default permissions "
+@@ -3842,17 +3876,17 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3273
++#: sssd.conf.5.xml:3296
+ msgid "Default: 077"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:3278
++#: sssd.conf.5.xml:3301
+ msgid "skel_dir (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3281
++#: sssd.conf.5.xml:3304
+ msgid ""
+ "The skeleton directory, which contains files and directories to be copied in "
+ "the user's home directory, when the home directory is created by "
+@@ -3861,17 +3895,17 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3291
++#: sssd.conf.5.xml:3314
+ msgid "Default: <filename>/etc/skel</filename>"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:3296
++#: sssd.conf.5.xml:3319
+ msgid "mail_dir (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3299
++#: sssd.conf.5.xml:3322
+ msgid ""
+ "The mail spool directory. This is needed to manipulate the mailbox when its "
+ "corresponding user account is modified or deleted.  If not specified, a "
+@@ -3879,17 +3913,17 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3306
++#: sssd.conf.5.xml:3329
+ msgid "Default: <filename>/var/mail</filename>"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:3311
++#: sssd.conf.5.xml:3334
+ msgid "userdel_cmd (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3314
++#: sssd.conf.5.xml:3337
+ msgid ""
+ "The command that is run after a user is removed.  The command us passed the "
+ "username of the user being removed as the first and only parameter. The "
+@@ -3897,17 +3931,17 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3320
++#: sssd.conf.5.xml:3343
+ msgid "Default: None, no command is run"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><title>
+-#: sssd.conf.5.xml:3330
++#: sssd.conf.5.xml:3353
+ msgid "TRUSTED DOMAIN SECTION"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd.conf.5.xml:3332
++#: sssd.conf.5.xml:3355
+ msgid ""
+ "Some options used in the domain section can also be used in the trusted "
+ "domain section, that is, in a section called <quote>[domain/"
+@@ -3918,64 +3952,176 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd.conf.5.xml:3339
++#: sssd.conf.5.xml:3362
+ msgid "ldap_search_base,"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd.conf.5.xml:3340
++#: sssd.conf.5.xml:3363
+ msgid "ldap_user_search_base,"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd.conf.5.xml:3341
++#: sssd.conf.5.xml:3364
+ msgid "ldap_group_search_base,"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd.conf.5.xml:3342
++#: sssd.conf.5.xml:3365
+ msgid "ldap_netgroup_search_base,"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd.conf.5.xml:3343
++#: sssd.conf.5.xml:3366
+ msgid "ldap_service_search_base,"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd.conf.5.xml:3344
++#: sssd.conf.5.xml:3367
++msgid "ldap_sasl_mech,"
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para>
++#: sssd.conf.5.xml:3368
+ msgid "ad_server,"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd.conf.5.xml:3345
++#: sssd.conf.5.xml:3369
+ msgid "ad_backup_server,"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd.conf.5.xml:3346
++#: sssd.conf.5.xml:3370
+ msgid "ad_site,"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para>
+-#: sssd.conf.5.xml:3347 sssd-ipa.5.xml:782
++#: sssd.conf.5.xml:3371 sssd-ipa.5.xml:782
+ msgid "use_fully_qualified_names"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd.conf.5.xml:3349
++#: sssd.conf.5.xml:3373
+ msgid ""
+ "For more details about these options see their individual description in the "
+ "manual page."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><title>
+-#: sssd.conf.5.xml:3355 idmap_sss.8.xml:43
++#: sssd.conf.5.xml:3379
++msgid "PROMPTING CONFIGURATION SECTION"
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para>
++#: sssd.conf.5.xml:3381
++msgid ""
++"If a special file (<filename>/var/lib/sss/pubconf/pam_preauth_available</"
++"filename>)  exists SSSD's PAM module pam_sss will ask SSSD to figure out "
++"which authentication methods are available for the user trying to log in.  "
++"Based on the results pam_sss will prompt the user for appropriate "
++"credentials."
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para>
++#: sssd.conf.5.xml:3389
++msgid ""
++"With the growing number of authentication methods and the possibility that "
++"there are multiple ones for a single user the heuristic used by pam_sss to "
++"select the prompting might not be suitable for all use cases. To following "
++"options should provide a better flexibility here."
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
++#: sssd.conf.5.xml:3401
++msgid "[prompting/password]"
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
++#: sssd.conf.5.xml:3404
++msgid "password_prompt"
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
++#: sssd.conf.5.xml:3405
++msgid "to change the string of the password prompt"
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
++#: sssd.conf.5.xml:3403
++msgid ""
++"to configure password prompting, allowed options are: <placeholder type="
++"\"variablelist\" id=\"0\"/>"
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
++#: sssd.conf.5.xml:3413
++msgid "[prompting/2fa]"
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
++#: sssd.conf.5.xml:3417
++msgid "first_prompt"
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
++#: sssd.conf.5.xml:3418
++msgid "to change the string of the prompt for the first factor"
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
++#: sssd.conf.5.xml:3421
++msgid "second_prompt"
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
++#: sssd.conf.5.xml:3422
++msgid "to change the string of the prompt for the second factor"
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
++#: sssd.conf.5.xml:3425
++msgid "single_prompt"
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
++#: sssd.conf.5.xml:3426
++msgid ""
++"boolean value, if True there will be only a single prompt using the value of "
++"first_prompt where it is expected that both factor are entered as a single "
++"string"
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
++#: sssd.conf.5.xml:3415
++msgid ""
++"to configure two-factor authentication prompting, allowed options are: "
++"<placeholder type=\"variablelist\" id=\"0\"/>"
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para>
++#: sssd.conf.5.xml:3396
++msgid ""
++"Each supported authentication method has it's own configuration sub-section "
++"under <quote>[prompting/...]</quote>. Currently there are: <placeholder type="
++"\"variablelist\" id=\"0\"/> <placeholder type=\"variablelist\" id=\"1\"/>"
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para>
++#: sssd.conf.5.xml:3438
++msgid ""
++"It is possible to add a sub-section for specific PAM services like e.g. "
++"<quote>[prompting/password/sshd]</quote> to individual change the prompting "
++"for this service."
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><title>
++#: sssd.conf.5.xml:3445 idmap_sss.8.xml:43
+ msgid "EXAMPLES"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><programlisting>
+-#: sssd.conf.5.xml:3361
++#: sssd.conf.5.xml:3451
+ #, no-wrap
+ msgid ""
+ "[sssd]\n"
+@@ -4005,7 +4151,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd.conf.5.xml:3357
++#: sssd.conf.5.xml:3447
+ msgid ""
+ "1. The following example shows a typical SSSD config. It does not describe "
+ "configuration of the domains themselves - refer to documentation on "
+@@ -4014,7 +4160,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><programlisting>
+-#: sssd.conf.5.xml:3394
++#: sssd.conf.5.xml:3484
+ #, no-wrap
+ msgid ""
+ "[domain/ipa.com/child.ad.com]\n"
+@@ -4022,7 +4168,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd.conf.5.xml:3388
++#: sssd.conf.5.xml:3478
+ msgid ""
+ "2. The following example shows configuration of IPA AD trust where the AD "
+ "forest consists of two domains in a parent-child structure.  Suppose IPA "
+@@ -4923,7 +5069,7 @@ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:797 sssd-ldap.5.xml:1199 sssd-ldap.5.xml:1273
+-#: sssd-ldap.5.xml:1382 sssd-ldap.5.xml:2443 sssd-ipa.5.xml:607
++#: sssd-ldap.5.xml:1382 sssd-ldap.5.xml:2463 sssd-ipa.5.xml:607
+ msgid "Default: cn"
+ msgstr ""
+ 
+@@ -5628,7 +5774,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1511 sssd-ldap.5.xml:2600
++#: sssd-ldap.5.xml:1511 sssd-ldap.5.xml:2620
+ msgid "Default: 900 (15 minutes)"
+ msgstr ""
+ 
+@@ -5731,11 +5877,16 @@ msgstr ""
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:1604
+ msgid ""
+-"You can turn off dereference lookups completely by setting the value to 0."
++"You can turn off dereference lookups completely by setting the value to 0. "
++"Please note that there are some codepaths in SSSD, like the IPA HBAC "
++"provider, that are only implemented using the dereference call, so even with "
++"dereference explicitly disabled, those parts will still use dereference if "
++"the server supports it and advertises the dereference control in the rootDSE "
++"object."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1608
++#: sssd-ldap.5.xml:1615
+ msgid ""
+ "A dereference lookup is a means of fetching all group members in a single "
+ "LDAP call.  Different LDAP servers may implement different dereference "
+@@ -5744,7 +5895,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1616
++#: sssd-ldap.5.xml:1623
+ msgid ""
+ "<emphasis>Note:</emphasis> If any of the search bases specifies a search "
+ "filter, then the dereference lookup performance enhancement will be disabled "
+@@ -5752,26 +5903,26 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1629
++#: sssd-ldap.5.xml:1636
+ msgid "ldap_tls_reqcert (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1632
++#: sssd-ldap.5.xml:1639
+ msgid ""
+ "Specifies what checks to perform on server certificates in a TLS session, if "
+ "any. It can be specified as one of the following values:"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1638
++#: sssd-ldap.5.xml:1645
+ msgid ""
+ "<emphasis>never</emphasis> = The client will not request or check any server "
+ "certificate."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1642
++#: sssd-ldap.5.xml:1649
+ msgid ""
+ "<emphasis>allow</emphasis> = The server certificate is requested. If no "
+ "certificate is provided, the session proceeds normally. If a bad certificate "
+@@ -5779,7 +5930,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1649
++#: sssd-ldap.5.xml:1656
+ msgid ""
+ "<emphasis>try</emphasis> = The server certificate is requested. If no "
+ "certificate is provided, the session proceeds normally. If a bad certificate "
+@@ -5787,7 +5938,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1655
++#: sssd-ldap.5.xml:1662
+ msgid ""
+ "<emphasis>demand</emphasis> = The server certificate is requested. If no "
+ "certificate is provided, or a bad certificate is provided, the session is "
+@@ -5795,41 +5946,41 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1661
++#: sssd-ldap.5.xml:1668
+ msgid "<emphasis>hard</emphasis> = Same as <quote>demand</quote>"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1665
++#: sssd-ldap.5.xml:1672
+ msgid "Default: hard"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1671
++#: sssd-ldap.5.xml:1678
+ msgid "ldap_tls_cacert (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1674
++#: sssd-ldap.5.xml:1681
+ msgid ""
+ "Specifies the file that contains certificates for all of the Certificate "
+ "Authorities that <command>sssd</command> will recognize."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1679 sssd-ldap.5.xml:1697 sssd-ldap.5.xml:1738
++#: sssd-ldap.5.xml:1686 sssd-ldap.5.xml:1704 sssd-ldap.5.xml:1745
+ msgid ""
+ "Default: use OpenLDAP defaults, typically in <filename>/etc/openldap/ldap."
+ "conf</filename>"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1686
++#: sssd-ldap.5.xml:1693
+ msgid "ldap_tls_cacertdir (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1689
++#: sssd-ldap.5.xml:1696
+ msgid ""
+ "Specifies the path of a directory that contains Certificate Authority "
+ "certificates in separate individual files. Typically the file names need to "
+@@ -5838,32 +5989,32 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1704
++#: sssd-ldap.5.xml:1711
+ msgid "ldap_tls_cert (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1707
++#: sssd-ldap.5.xml:1714
+ msgid "Specifies the file that contains the certificate for the client's key."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1717
++#: sssd-ldap.5.xml:1724
+ msgid "ldap_tls_key (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1720
++#: sssd-ldap.5.xml:1727
+ msgid "Specifies the file that contains the client's key."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1729
++#: sssd-ldap.5.xml:1736
+ msgid "ldap_tls_cipher_suite (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1732
++#: sssd-ldap.5.xml:1739
+ msgid ""
+ "Specifies acceptable cipher suites.  Typically this is a colon separated "
+ "list.  See <citerefentry><refentrytitle>ldap.conf</refentrytitle> "
+@@ -5871,24 +6022,24 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1745
++#: sssd-ldap.5.xml:1752
+ msgid "ldap_id_use_start_tls (boolean)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1748
++#: sssd-ldap.5.xml:1755
+ msgid ""
+ "Specifies that the id_provider connection must also use <systemitem class="
+ "\"protocol\">tls</systemitem> to protect the channel."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1758
++#: sssd-ldap.5.xml:1765
+ msgid "ldap_id_mapping (boolean)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1761
++#: sssd-ldap.5.xml:1768
+ msgid ""
+ "Specifies that SSSD should attempt to map user and group IDs from the "
+ "ldap_user_objectsid and ldap_group_objectsid attributes instead of relying "
+@@ -5896,17 +6047,17 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1767
++#: sssd-ldap.5.xml:1774
+ msgid "Currently this feature supports only ActiveDirectory objectSID mapping."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1777
++#: sssd-ldap.5.xml:1784
+ msgid "ldap_min_id, ldap_max_id (integer)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1780
++#: sssd-ldap.5.xml:1787
+ msgid ""
+ "In contrast to the SID based ID mapping which is used if ldap_id_mapping is "
+ "set to true the allowed ID range for ldap_user_uid_number and "
+@@ -5917,29 +6068,40 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1792
++#: sssd-ldap.5.xml:1799
+ msgid "Default: not set (both options are set to 0)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1798
++#: sssd-ldap.5.xml:1805
+ msgid "ldap_sasl_mech (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1801
++#: sssd-ldap.5.xml:1808
+ msgid ""
+-"Specify the SASL mechanism to use.  Currently only GSSAPI is tested and "
+-"supported."
++"Specify the SASL mechanism to use.  Currently only GSSAPI and GSS-SPNEGO are "
++"tested and supported."
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
++#: sssd-ldap.5.xml:1812
++msgid ""
++"If the backend supports sub-domains the value of ldap_sasl_mech is "
++"automatically inherited to the sub-domains. If a different value is needed "
++"for a sub-domain it can be overwritten by setting ldap_sasl_mech for this "
++"sub-domain explicitly.  Please see TRUSTED DOMAIN SECTION in "
++"<citerefentry><refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</"
++"manvolnum></citerefentry> for details."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1811
++#: sssd-ldap.5.xml:1828
+ msgid "ldap_sasl_authid (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
+-#: sssd-ldap.5.xml:1822
++#: sssd-ldap.5.xml:1840
+ #, no-wrap
+ msgid ""
+ "hostname@REALM\n"
+@@ -5952,29 +6114,29 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1814
++#: sssd-ldap.5.xml:1831
+ msgid ""
+-"Specify the SASL authorization id to use.  When GSSAPI is used, this "
+-"represents the Kerberos principal used for authentication to the directory.  "
+-"This option can either contain the full principal (for example host/"
+-"myhost@EXAMPLE.COM) or just the principal name (for example host/myhost). By "
+-"default, the value is not set and the following principals are used: "
+-"<placeholder type=\"programlisting\" id=\"0\"/> If none of them are found, "
+-"the first principal in keytab is returned."
++"Specify the SASL authorization id to use.  When GSSAPI/GSS-SPNEGO are used, "
++"this represents the Kerberos principal used for authentication to the "
++"directory.  This option can either contain the full principal (for example "
++"host/myhost@EXAMPLE.COM) or just the principal name (for example host/"
++"myhost).  By default, the value is not set and the following principals are "
++"used: <placeholder type=\"programlisting\" id=\"0\"/> If none of them are "
++"found, the first principal in keytab is returned."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1833
++#: sssd-ldap.5.xml:1851
+ msgid "Default: host/hostname@REALM"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1839
++#: sssd-ldap.5.xml:1857
+ msgid "ldap_sasl_realm (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1842
++#: sssd-ldap.5.xml:1860
+ msgid ""
+ "Specify the SASL realm to use. When not specified, this option defaults to "
+ "the value of krb5_realm.  If the ldap_sasl_authid contains the realm as "
+@@ -5982,77 +6144,78 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1848
++#: sssd-ldap.5.xml:1866
+ msgid "Default: the value of krb5_realm."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1854
++#: sssd-ldap.5.xml:1872
+ msgid "ldap_sasl_canonicalize (boolean)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1857
++#: sssd-ldap.5.xml:1875
+ msgid ""
+ "If set to true, the LDAP library would perform a reverse lookup to "
+ "canonicalize the host name during a SASL bind."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1862
++#: sssd-ldap.5.xml:1880
+ msgid "Default: false;"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1868
++#: sssd-ldap.5.xml:1886
+ msgid "ldap_krb5_keytab (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1871
+-msgid "Specify the keytab to use when using SASL/GSSAPI."
++#: sssd-ldap.5.xml:1889
++msgid "Specify the keytab to use when using SASL/GSSAPI/GSS-SPNEGO."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1874
++#: sssd-ldap.5.xml:1893
+ msgid "Default: System keytab, normally <filename>/etc/krb5.keytab</filename>"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1880
++#: sssd-ldap.5.xml:1899
+ msgid "ldap_krb5_init_creds (boolean)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1883
++#: sssd-ldap.5.xml:1902
+ msgid ""
+ "Specifies that the id_provider should init Kerberos credentials (TGT).  This "
+ "action is performed only if SASL is used and the mechanism selected is "
+-"GSSAPI."
++"GSSAPI or GSS-SPNEGO."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1895
++#: sssd-ldap.5.xml:1914
+ msgid "ldap_krb5_ticket_lifetime (integer)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1898
+-msgid "Specifies the lifetime in seconds of the TGT if GSSAPI is used."
++#: sssd-ldap.5.xml:1917
++msgid ""
++"Specifies the lifetime in seconds of the TGT if GSSAPI or GSS-SPNEGO is used."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1902 sssd-ad.5.xml:959
++#: sssd-ldap.5.xml:1921 sssd-ad.5.xml:978
+ msgid "Default: 86400 (24 hours)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1908 sssd-krb5.5.xml:74
++#: sssd-ldap.5.xml:1927 sssd-krb5.5.xml:74
+ msgid "krb5_server, krb5_backup_server (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1911
++#: sssd-ldap.5.xml:1930
+ msgid ""
+ "Specifies the comma-separated list of IP addresses or hostnames of the "
+ "Kerberos servers to which SSSD should connect in the order of preference. "
+@@ -6064,7 +6227,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1923 sssd-krb5.5.xml:89
++#: sssd-ldap.5.xml:1942 sssd-krb5.5.xml:89
+ msgid ""
+ "When using service discovery for KDC or kpasswd servers, SSSD first searches "
+ "for DNS entries that specify _udp as the protocol and falls back to _tcp if "
+@@ -6072,7 +6235,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1928 sssd-krb5.5.xml:94
++#: sssd-ldap.5.xml:1947 sssd-krb5.5.xml:94
+ msgid ""
+ "This option was named <quote>krb5_kdcip</quote> in earlier releases of SSSD. "
+ "While the legacy name is recognized for the time being, users are advised to "
+@@ -6080,39 +6243,39 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1937 sssd-ipa.5.xml:428 sssd-krb5.5.xml:103
++#: sssd-ldap.5.xml:1956 sssd-ipa.5.xml:428 sssd-krb5.5.xml:103
+ msgid "krb5_realm (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1940
+-msgid "Specify the Kerberos REALM (for SASL/GSSAPI auth)."
++#: sssd-ldap.5.xml:1959
++msgid "Specify the Kerberos REALM (for SASL/GSSAPI/GSS-SPNEGO auth)."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1943
++#: sssd-ldap.5.xml:1963
+ msgid "Default: System defaults, see <filename>/etc/krb5.conf</filename>"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1949 sssd-krb5.5.xml:462
++#: sssd-ldap.5.xml:1969 sssd-krb5.5.xml:462
+ msgid "krb5_canonicalize (boolean)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1952
++#: sssd-ldap.5.xml:1972
+ msgid ""
+ "Specifies if the host principal should be canonicalized when connecting to "
+ "LDAP server. This feature is available with MIT Kerberos >= 1.7"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1964 sssd-krb5.5.xml:477
++#: sssd-ldap.5.xml:1984 sssd-krb5.5.xml:477
+ msgid "krb5_use_kdcinfo (boolean)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1967 sssd-krb5.5.xml:480
++#: sssd-ldap.5.xml:1987 sssd-krb5.5.xml:480
+ msgid ""
+ "Specifies if the SSSD should instruct the Kerberos libraries what realm and "
+ "which KDCs to use. This option is on by default, if you disable it, you need "
+@@ -6122,7 +6285,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1978 sssd-krb5.5.xml:491
++#: sssd-ldap.5.xml:1998 sssd-krb5.5.xml:491
+ msgid ""
+ "See the <citerefentry> <refentrytitle>sssd_krb5_locator_plugin</"
+ "refentrytitle> <manvolnum>8</manvolnum> </citerefentry> manual page for more "
+@@ -6130,26 +6293,26 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1992
++#: sssd-ldap.5.xml:2012
+ msgid "ldap_pwd_policy (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1995
++#: sssd-ldap.5.xml:2015
+ msgid ""
+ "Select the policy to evaluate the password expiration on the client side. "
+ "The following values are allowed:"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2000
++#: sssd-ldap.5.xml:2020
+ msgid ""
+ "<emphasis>none</emphasis> - No evaluation on the client side. This option "
+ "cannot disable server-side password policies."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2005
++#: sssd-ldap.5.xml:2025
+ msgid ""
+ "<emphasis>shadow</emphasis> - Use <citerefentry><refentrytitle>shadow</"
+ "refentrytitle> <manvolnum>5</manvolnum></citerefentry> style attributes to "
+@@ -6157,7 +6320,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2011
++#: sssd-ldap.5.xml:2031
+ msgid ""
+ "<emphasis>mit_kerberos</emphasis> - Use the attributes used by MIT Kerberos "
+ "to determine if the password has expired. Use chpass_provider=krb5 to update "
+@@ -6165,31 +6328,31 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2020
++#: sssd-ldap.5.xml:2040
+ msgid ""
+ "<emphasis>Note</emphasis>: if a password policy is configured on server "
+ "side, it always takes precedence over policy set with this option."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2028
++#: sssd-ldap.5.xml:2048
+ msgid "ldap_referrals (boolean)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2031
++#: sssd-ldap.5.xml:2051
+ msgid "Specifies whether automatic referral chasing should be enabled."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2035
++#: sssd-ldap.5.xml:2055
+ msgid ""
+ "Please note that sssd only supports referral chasing when it is compiled "
+ "with OpenLDAP version 2.4.13 or higher."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2040
++#: sssd-ldap.5.xml:2060
+ msgid ""
+ "Chasing referrals may incur a performance penalty in environments that use "
+ "them heavily, a notable example is Microsoft Active Directory. If your setup "
+@@ -6198,56 +6361,56 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2054
++#: sssd-ldap.5.xml:2074
+ msgid "ldap_dns_service_name (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2057
++#: sssd-ldap.5.xml:2077
+ msgid "Specifies the service name to use when service discovery is enabled."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2061
++#: sssd-ldap.5.xml:2081
+ msgid "Default: ldap"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2067
++#: sssd-ldap.5.xml:2087
+ msgid "ldap_chpass_dns_service_name (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2070
++#: sssd-ldap.5.xml:2090
+ msgid ""
+ "Specifies the service name to use to find an LDAP server which allows "
+ "password changes when service discovery is enabled."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2075
++#: sssd-ldap.5.xml:2095
+ msgid "Default: not set, i.e. service discovery is disabled"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2081
++#: sssd-ldap.5.xml:2101
+ msgid "ldap_chpass_update_last_change (bool)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2084
++#: sssd-ldap.5.xml:2104
+ msgid ""
+ "Specifies whether to update the ldap_user_shadow_last_change attribute with "
+ "days since the Epoch after a password change operation."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2096
++#: sssd-ldap.5.xml:2116
+ msgid "ldap_access_filter (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2099
++#: sssd-ldap.5.xml:2119
+ msgid ""
+ "If using access_provider = ldap and ldap_access_order = filter (default), "
+ "this option is mandatory. It specifies an LDAP search filter criteria that "
+@@ -6263,12 +6426,12 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2119
++#: sssd-ldap.5.xml:2139
+ msgid "Example:"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><programlisting>
+-#: sssd-ldap.5.xml:2122
++#: sssd-ldap.5.xml:2142
+ #, no-wrap
+ msgid ""
+ "access_provider = ldap\n"
+@@ -6277,14 +6440,14 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2126
++#: sssd-ldap.5.xml:2146
+ msgid ""
+ "This example means that access to this host is restricted to users whose "
+ "employeeType attribute is set to \"admin\"."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2131
++#: sssd-ldap.5.xml:2151
+ msgid ""
+ "Offline caching for this feature is limited to determining whether the "
+ "user's last online login was granted access permission. If they were granted "
+@@ -6293,24 +6456,24 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2139 sssd-ldap.5.xml:2196
++#: sssd-ldap.5.xml:2159 sssd-ldap.5.xml:2216
+ msgid "Default: Empty"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2145
++#: sssd-ldap.5.xml:2165
+ msgid "ldap_account_expire_policy (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2148
++#: sssd-ldap.5.xml:2168
+ msgid ""
+ "With this option a client side evaluation of access control attributes can "
+ "be enabled."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2152
++#: sssd-ldap.5.xml:2172
+ msgid ""
+ "Please note that it is always recommended to use server side access control, "
+ "i.e. the LDAP server should deny the bind request with a suitable error code "
+@@ -6318,19 +6481,19 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2159
++#: sssd-ldap.5.xml:2179
+ msgid "The following values are allowed:"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2162
++#: sssd-ldap.5.xml:2182
+ msgid ""
+ "<emphasis>shadow</emphasis>: use the value of ldap_user_shadow_expire to "
+ "determine if the account is expired."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2167
++#: sssd-ldap.5.xml:2187
+ msgid ""
+ "<emphasis>ad</emphasis>: use the value of the 32bit field "
+ "ldap_user_ad_user_account_control and allow access if the second bit is not "
+@@ -6339,7 +6502,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2174
++#: sssd-ldap.5.xml:2194
+ msgid ""
+ "<emphasis>rhds</emphasis>, <emphasis>ipa</emphasis>, <emphasis>389ds</"
+ "emphasis>: use the value of ldap_ns_account_lock to check if access is "
+@@ -6347,7 +6510,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2180
++#: sssd-ldap.5.xml:2200
+ msgid ""
+ "<emphasis>nds</emphasis>: the values of "
+ "ldap_user_nds_login_allowed_time_map, ldap_user_nds_login_disabled and "
+@@ -6356,7 +6519,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2189
++#: sssd-ldap.5.xml:2209
+ msgid ""
+ "Please note that the ldap_access_order configuration option <emphasis>must</"
+ "emphasis> include <quote>expire</quote> in order for the "
+@@ -6364,22 +6527,22 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2202
++#: sssd-ldap.5.xml:2222
+ msgid "ldap_access_order (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2205
++#: sssd-ldap.5.xml:2225
+ msgid "Comma separated list of access control options.  Allowed values are:"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2209
++#: sssd-ldap.5.xml:2229
+ msgid "<emphasis>filter</emphasis>: use ldap_access_filter"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2212
++#: sssd-ldap.5.xml:2232
+ msgid ""
+ "<emphasis>lockout</emphasis>: use account locking.  If set, this option "
+ "denies access in case that ldap attribute 'pwdAccountLockedTime' is present "
+@@ -6389,14 +6552,14 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2222
++#: sssd-ldap.5.xml:2242
+ msgid ""
+ "<emphasis> Please note that this option is superseded by the <quote>ppolicy</"
+ "quote> option and might be removed in a future release.  </emphasis>"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2229
++#: sssd-ldap.5.xml:2249
+ msgid ""
+ "<emphasis>ppolicy</emphasis>: use account locking.  If set, this option "
+ "denies access in case that ldap attribute 'pwdAccountLockedTime' is present "
+@@ -6409,12 +6572,12 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2246
++#: sssd-ldap.5.xml:2266
+ msgid "<emphasis>expire</emphasis>: use ldap_account_expire_policy"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2250
++#: sssd-ldap.5.xml:2270
+ msgid ""
+ "<emphasis>pwd_expire_policy_reject, pwd_expire_policy_warn, "
+ "pwd_expire_policy_renew: </emphasis> These options are useful if users are "
+@@ -6424,7 +6587,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2260
++#: sssd-ldap.5.xml:2280
+ msgid ""
+ "The difference between these options is the action taken if user password is "
+ "expired: pwd_expire_policy_reject - user is denied to log in, "
+@@ -6434,63 +6597,63 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2268
++#: sssd-ldap.5.xml:2288
+ msgid ""
+ "Note If user password is expired no explicit message is prompted by SSSD."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2272
++#: sssd-ldap.5.xml:2292
+ msgid ""
+ "Please note that 'access_provider = ldap' must be set for this feature to "
+ "work. Also 'ldap_pwd_policy' must be set to an appropriate password policy."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2277
++#: sssd-ldap.5.xml:2297
+ msgid ""
+ "<emphasis>authorized_service</emphasis>: use the authorizedService attribute "
+ "to determine access"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2282
++#: sssd-ldap.5.xml:2302
+ msgid "<emphasis>host</emphasis>: use the host attribute to determine access"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2286
++#: sssd-ldap.5.xml:2306
+ msgid ""
+ "<emphasis>rhost</emphasis>: use the rhost attribute to determine whether "
+ "remote host can access"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2290
++#: sssd-ldap.5.xml:2310
+ msgid ""
+ "Please note, rhost field in pam is set by application, it is better to check "
+ "what the application sends to pam, before enabling this access control option"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2295
++#: sssd-ldap.5.xml:2315
+ msgid "Default: filter"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2298
++#: sssd-ldap.5.xml:2318
+ msgid ""
+ "Please note that it is a configuration error if a value is used more than "
+ "once."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2305
++#: sssd-ldap.5.xml:2325
+ msgid "ldap_pwdlockout_dn (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2308
++#: sssd-ldap.5.xml:2328
+ msgid ""
+ "This option specifies the DN of password policy entry on LDAP server. Please "
+ "note that absence of this option in sssd.conf in case of enabled account "
+@@ -6499,74 +6662,74 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2316
++#: sssd-ldap.5.xml:2336
+ msgid "Example: cn=ppolicy,ou=policies,dc=example,dc=com"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2319
++#: sssd-ldap.5.xml:2339
+ msgid "Default: cn=ppolicy,ou=policies,$ldap_search_base"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2325
++#: sssd-ldap.5.xml:2345
+ msgid "ldap_deref (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2328
++#: sssd-ldap.5.xml:2348
+ msgid ""
+ "Specifies how alias dereferencing is done when performing a search. The "
+ "following options are allowed:"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2333
++#: sssd-ldap.5.xml:2353
+ msgid "<emphasis>never</emphasis>: Aliases are never dereferenced."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2337
++#: sssd-ldap.5.xml:2357
+ msgid ""
+ "<emphasis>searching</emphasis>: Aliases are dereferenced in subordinates of "
+ "the base object, but not in locating the base object of the search."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2342
++#: sssd-ldap.5.xml:2362
+ msgid ""
+ "<emphasis>finding</emphasis>: Aliases are only dereferenced when locating "
+ "the base object of the search."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2347
++#: sssd-ldap.5.xml:2367
+ msgid ""
+ "<emphasis>always</emphasis>: Aliases are dereferenced both in searching and "
+ "in locating the base object of the search."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2352
++#: sssd-ldap.5.xml:2372
+ msgid ""
+ "Default: Empty (this is handled as <emphasis>never</emphasis> by the LDAP "
+ "client libraries)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2360
++#: sssd-ldap.5.xml:2380
+ msgid "ldap_rfc2307_fallback_to_local_users (boolean)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2363
++#: sssd-ldap.5.xml:2383
+ msgid ""
+ "Allows to retain local users as members of an LDAP group for servers that "
+ "use the RFC2307 schema."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2367
++#: sssd-ldap.5.xml:2387
+ msgid ""
+ "In some environments where the RFC2307 schema is used, local users are made "
+ "members of LDAP groups by adding their names to the memberUid attribute.  "
+@@ -6577,7 +6740,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2378
++#: sssd-ldap.5.xml:2398
+ msgid ""
+ "This option falls back to checking if local users are referenced, and caches "
+ "them so that later initgroups() calls will augment the local users with the "
+@@ -6585,24 +6748,24 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2390 sssd-ifp.5.xml:136
++#: sssd-ldap.5.xml:2410 sssd-ifp.5.xml:136
+ msgid "wildcard_limit (integer)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2393
++#: sssd-ldap.5.xml:2413
+ msgid ""
+ "Specifies an upper limit on the number of entries that are downloaded during "
+ "a wildcard lookup."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2397
++#: sssd-ldap.5.xml:2417
+ msgid "At the moment, only the InfoPipe responder supports wildcard lookups."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2401
++#: sssd-ldap.5.xml:2421
+ msgid "Default: 1000 (often the size of one page)"
+ msgstr ""
+ 
+@@ -6617,12 +6780,12 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><title>
+-#: sssd-ldap.5.xml:2411
++#: sssd-ldap.5.xml:2431
+ msgid "SUDO OPTIONS"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd-ldap.5.xml:2413
++#: sssd-ldap.5.xml:2433
+ msgid ""
+ "The detailed instructions for configuration of sudo_provider are in the "
+ "manual page <citerefentry> <refentrytitle>sssd-sudo</refentrytitle> "
+@@ -6630,208 +6793,208 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2424
++#: sssd-ldap.5.xml:2444
+ msgid "ldap_sudorule_object_class (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2427
++#: sssd-ldap.5.xml:2447
+ msgid "The object class of a sudo rule entry in LDAP."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2430
++#: sssd-ldap.5.xml:2450
+ msgid "Default: sudoRole"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2436
++#: sssd-ldap.5.xml:2456
+ msgid "ldap_sudorule_name (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2439
++#: sssd-ldap.5.xml:2459
+ msgid "The LDAP attribute that corresponds to the sudo rule name."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2449
++#: sssd-ldap.5.xml:2469
+ msgid "ldap_sudorule_command (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2452
++#: sssd-ldap.5.xml:2472
+ msgid "The LDAP attribute that corresponds to the command name."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2456
++#: sssd-ldap.5.xml:2476
+ msgid "Default: sudoCommand"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2462
++#: sssd-ldap.5.xml:2482
+ msgid "ldap_sudorule_host (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2465
++#: sssd-ldap.5.xml:2485
+ msgid ""
+ "The LDAP attribute that corresponds to the host name (or host IP address, "
+ "host IP network, or host netgroup)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2470
++#: sssd-ldap.5.xml:2490
+ msgid "Default: sudoHost"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2476
++#: sssd-ldap.5.xml:2496
+ msgid "ldap_sudorule_user (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2479
++#: sssd-ldap.5.xml:2499
+ msgid ""
+ "The LDAP attribute that corresponds to the user name (or UID, group name or "
+ "user's netgroup)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2483
++#: sssd-ldap.5.xml:2503
+ msgid "Default: sudoUser"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2489
++#: sssd-ldap.5.xml:2509
+ msgid "ldap_sudorule_option (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2492
++#: sssd-ldap.5.xml:2512
+ msgid "The LDAP attribute that corresponds to the sudo options."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2496
++#: sssd-ldap.5.xml:2516
+ msgid "Default: sudoOption"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2502
++#: sssd-ldap.5.xml:2522
+ msgid "ldap_sudorule_runasuser (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2505
++#: sssd-ldap.5.xml:2525
+ msgid ""
+ "The LDAP attribute that corresponds to the user name that commands may be "
+ "run as."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2509
++#: sssd-ldap.5.xml:2529
+ msgid "Default: sudoRunAsUser"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2515
++#: sssd-ldap.5.xml:2535
+ msgid "ldap_sudorule_runasgroup (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2518
++#: sssd-ldap.5.xml:2538
+ msgid ""
+ "The LDAP attribute that corresponds to the group name or group GID that "
+ "commands may be run as."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2522
++#: sssd-ldap.5.xml:2542
+ msgid "Default: sudoRunAsGroup"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2528
++#: sssd-ldap.5.xml:2548
+ msgid "ldap_sudorule_notbefore (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2531
++#: sssd-ldap.5.xml:2551
+ msgid ""
+ "The LDAP attribute that corresponds to the start date/time for when the sudo "
+ "rule is valid."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2535
++#: sssd-ldap.5.xml:2555
+ msgid "Default: sudoNotBefore"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2541
++#: sssd-ldap.5.xml:2561
+ msgid "ldap_sudorule_notafter (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2544
++#: sssd-ldap.5.xml:2564
+ msgid ""
+ "The LDAP attribute that corresponds to the expiration date/time, after which "
+ "the sudo rule will no longer be valid."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2549
++#: sssd-ldap.5.xml:2569
+ msgid "Default: sudoNotAfter"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2555
++#: sssd-ldap.5.xml:2575
+ msgid "ldap_sudorule_order (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2558
++#: sssd-ldap.5.xml:2578
+ msgid "The LDAP attribute that corresponds to the ordering index of the rule."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2562
++#: sssd-ldap.5.xml:2582
+ msgid "Default: sudoOrder"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2568
++#: sssd-ldap.5.xml:2588
+ msgid "ldap_sudo_full_refresh_interval (integer)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2571
++#: sssd-ldap.5.xml:2591
+ msgid ""
+ "How many seconds SSSD will wait between executing a full refresh of sudo "
+ "rules (which downloads all rules that are stored on the server)."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2576
++#: sssd-ldap.5.xml:2596
+ msgid ""
+ "The value must be greater than <emphasis>ldap_sudo_smart_refresh_interval </"
+ "emphasis>"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2581
++#: sssd-ldap.5.xml:2601
+ msgid "Default: 21600 (6 hours)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2587
++#: sssd-ldap.5.xml:2607
+ msgid "ldap_sudo_smart_refresh_interval (integer)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2590
++#: sssd-ldap.5.xml:2610
+ msgid ""
+ "How many seconds SSSD has to wait before executing a smart refresh of sudo "
+ "rules (which downloads all rules that have USN higher than the highest USN "
+@@ -6839,101 +7002,101 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2596
++#: sssd-ldap.5.xml:2616
+ msgid ""
+ "If USN attributes are not supported by the server, the modifyTimestamp "
+ "attribute is used instead."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2606
++#: sssd-ldap.5.xml:2626
+ msgid "ldap_sudo_use_host_filter (boolean)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2609
++#: sssd-ldap.5.xml:2629
+ msgid ""
+ "If true, SSSD will download only rules that are applicable to this machine "
+ "(using the IPv4 or IPv6 host/network addresses and hostnames)."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2620
++#: sssd-ldap.5.xml:2640
+ msgid "ldap_sudo_hostnames (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2623
++#: sssd-ldap.5.xml:2643
+ msgid ""
+ "Space separated list of hostnames or fully qualified domain names that "
+ "should be used to filter the rules."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2628
++#: sssd-ldap.5.xml:2648
+ msgid ""
+ "If this option is empty, SSSD will try to discover the hostname and the "
+ "fully qualified domain name automatically."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2633 sssd-ldap.5.xml:2656 sssd-ldap.5.xml:2674
+-#: sssd-ldap.5.xml:2692
++#: sssd-ldap.5.xml:2653 sssd-ldap.5.xml:2676 sssd-ldap.5.xml:2694
++#: sssd-ldap.5.xml:2712
+ msgid ""
+ "If <emphasis>ldap_sudo_use_host_filter</emphasis> is <emphasis>false</"
+ "emphasis> then this option has no effect."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2638 sssd-ldap.5.xml:2661
++#: sssd-ldap.5.xml:2658 sssd-ldap.5.xml:2681
+ msgid "Default: not specified"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2644
++#: sssd-ldap.5.xml:2664
+ msgid "ldap_sudo_ip (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2647
++#: sssd-ldap.5.xml:2667
+ msgid ""
+ "Space separated list of IPv4 or IPv6 host/network addresses that should be "
+ "used to filter the rules."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2652
++#: sssd-ldap.5.xml:2672
+ msgid ""
+ "If this option is empty, SSSD will try to discover the addresses "
+ "automatically."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2667
++#: sssd-ldap.5.xml:2687
+ msgid "ldap_sudo_include_netgroups (boolean)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2670
++#: sssd-ldap.5.xml:2690
+ msgid ""
+ "If true then SSSD will download every rule that contains a netgroup in "
+ "sudoHost attribute."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2685
++#: sssd-ldap.5.xml:2705
+ msgid "ldap_sudo_include_regexp (boolean)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2688
++#: sssd-ldap.5.xml:2708
+ msgid ""
+ "If true then SSSD will download every rule that contains a wildcard in "
+ "sudoHost attribute."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd-ldap.5.xml:2704
++#: sssd-ldap.5.xml:2724
+ msgid ""
+ "This manual page only describes attribute name mapping.  For detailed "
+ "explanation of sudo related attribute semantics, see <citerefentry> "
+@@ -6942,111 +7105,111 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><title>
+-#: sssd-ldap.5.xml:2714
++#: sssd-ldap.5.xml:2734
+ msgid "AUTOFS OPTIONS"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd-ldap.5.xml:2716
++#: sssd-ldap.5.xml:2736
+ msgid ""
+ "Some of the defaults for the parameters below are dependent on the LDAP "
+ "schema."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2722
++#: sssd-ldap.5.xml:2742
+ msgid "ldap_autofs_map_master_name (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2725
++#: sssd-ldap.5.xml:2745
+ msgid "The name of the automount master map in LDAP."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2728
++#: sssd-ldap.5.xml:2748
+ msgid "Default: auto.master"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2735
++#: sssd-ldap.5.xml:2755
+ msgid "ldap_autofs_map_object_class (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2738
++#: sssd-ldap.5.xml:2758
+ msgid "The object class of an automount map entry in LDAP."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2741
++#: sssd-ldap.5.xml:2761
+ msgid "Default: nisMap (rfc2307, autofs_provider=ad), otherwise automountMap"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2749
++#: sssd-ldap.5.xml:2769
+ msgid "ldap_autofs_map_name (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2752
++#: sssd-ldap.5.xml:2772
+ msgid "The name of an automount map entry in LDAP."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2755
++#: sssd-ldap.5.xml:2775
+ msgid ""
+ "Default: nisMapName (rfc2307, autofs_provider=ad), otherwise automountMapName"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2763
++#: sssd-ldap.5.xml:2783
+ msgid "ldap_autofs_entry_object_class (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2766
++#: sssd-ldap.5.xml:2786
+ msgid ""
+ "The object class of an automount entry in LDAP. The entry usually "
+ "corresponds to a mount point."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2771
++#: sssd-ldap.5.xml:2791
+ msgid "Default: nisObject (rfc2307, autofs_provider=ad), otherwise automount"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2779
++#: sssd-ldap.5.xml:2799
+ msgid "ldap_autofs_entry_key (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2782 sssd-ldap.5.xml:2797
++#: sssd-ldap.5.xml:2802 sssd-ldap.5.xml:2817
+ msgid ""
+ "The key of an automount entry in LDAP. The entry usually corresponds to a "
+ "mount point."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2786
++#: sssd-ldap.5.xml:2806
+ msgid "Default: cn (rfc2307, autofs_provider=ad), otherwise automountKey"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2794
++#: sssd-ldap.5.xml:2814
+ msgid "ldap_autofs_entry_value (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2801
++#: sssd-ldap.5.xml:2821
+ msgid ""
+ "Default: nisMapEntry (rfc2307, autofs_provider=ad), otherwise "
+ "automountInformation"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd-ldap.5.xml:2720
++#: sssd-ldap.5.xml:2740
+ msgid ""
+ "<placeholder type=\"variablelist\" id=\"0\"/> <placeholder type="
+ "\"variablelist\" id=\"1\"/> <placeholder type=\"variablelist\" id=\"2\"/> "
+@@ -7055,32 +7218,32 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><title>
+-#: sssd-ldap.5.xml:2812
++#: sssd-ldap.5.xml:2832
+ msgid "ADVANCED OPTIONS"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2819
++#: sssd-ldap.5.xml:2839
+ msgid "ldap_netgroup_search_base (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2824
++#: sssd-ldap.5.xml:2844
+ msgid "ldap_user_search_base (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2829
++#: sssd-ldap.5.xml:2849
+ msgid "ldap_group_search_base (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><note>
+-#: sssd-ldap.5.xml:2834
++#: sssd-ldap.5.xml:2854
+ msgid "<note>"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><note><para>
+-#: sssd-ldap.5.xml:2836
++#: sssd-ldap.5.xml:2856
+ msgid ""
+ "If the option <quote>ldap_use_tokengroups</quote> is enabled, the searches "
+ "against Active Directory will not be restricted and return all groups "
+@@ -7089,22 +7252,22 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist>
+-#: sssd-ldap.5.xml:2843
++#: sssd-ldap.5.xml:2863
+ msgid "</note>"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2845
++#: sssd-ldap.5.xml:2865
+ msgid "ldap_sudo_search_base (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2850
++#: sssd-ldap.5.xml:2870
+ msgid "ldap_autofs_search_base (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd-ldap.5.xml:2814
++#: sssd-ldap.5.xml:2834
+ msgid ""
+ "These options are supported by LDAP domains, but they should be used with "
+ "caution. Please include them in your configuration only if you know what you "
+@@ -7113,14 +7276,14 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><title>
+-#: sssd-ldap.5.xml:2865 sssd-simple.5.xml:131 sssd-ipa.5.xml:828
+-#: sssd-ad.5.xml:1063 sssd-krb5.5.xml:570 sss_rpcidmapd.5.xml:98
++#: sssd-ldap.5.xml:2885 sssd-simple.5.xml:131 sssd-ipa.5.xml:828
++#: sssd-ad.5.xml:1082 sssd-krb5.5.xml:604 sss_rpcidmapd.5.xml:98
+ #: sssd-files.5.xml:103 sssd-session-recording.5.xml:144
+ msgid "EXAMPLE"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd-ldap.5.xml:2867
++#: sssd-ldap.5.xml:2887
+ msgid ""
+ "The following example assumes that SSSD is correctly configured and LDAP is "
+ "set to one of the domains in the <replaceable>[domains]</replaceable> "
+@@ -7128,7 +7291,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><programlisting>
+-#: sssd-ldap.5.xml:2873
++#: sssd-ldap.5.xml:2893
+ #, no-wrap
+ msgid ""
+ "[domain/LDAP]\n"
+@@ -7141,27 +7304,27 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <refsect1><refsect2><para>
+-#: sssd-ldap.5.xml:2872 sssd-ldap.5.xml:2890 sssd-simple.5.xml:139
+-#: sssd-ipa.5.xml:836 sssd-ad.5.xml:1071 sssd-sudo.5.xml:56 sssd-krb5.5.xml:579
++#: sssd-ldap.5.xml:2892 sssd-ldap.5.xml:2910 sssd-simple.5.xml:139
++#: sssd-ipa.5.xml:836 sssd-ad.5.xml:1090 sssd-sudo.5.xml:56 sssd-krb5.5.xml:613
+ #: sssd-files.5.xml:110 sssd-session-recording.5.xml:150
+ #: include/ldap_id_mapping.xml:105
+ msgid "<placeholder type=\"programlisting\" id=\"0\"/>"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><title>
+-#: sssd-ldap.5.xml:2884
++#: sssd-ldap.5.xml:2904
+ msgid "LDAP ACCESS FILTER EXAMPLE"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd-ldap.5.xml:2886
++#: sssd-ldap.5.xml:2906
+ msgid ""
+ "The following example assumes that SSSD is correctly configured and to use "
+ "the ldap_access_order=lockout."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><programlisting>
+-#: sssd-ldap.5.xml:2891
++#: sssd-ldap.5.xml:2911
+ #, no-wrap
+ msgid ""
+ "[domain/LDAP]\n"
+@@ -7177,13 +7340,13 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><title>
+-#: sssd-ldap.5.xml:2906 sssd_krb5_locator_plugin.8.xml:83 sssd-simple.5.xml:148
+-#: sssd-ad.5.xml:1086 sssd.8.xml:230 sss_seed.8.xml:163
++#: sssd-ldap.5.xml:2926 sssd_krb5_locator_plugin.8.xml:83 sssd-simple.5.xml:148
++#: sssd-ad.5.xml:1105 sssd.8.xml:230 sss_seed.8.xml:163
+ msgid "NOTES"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd-ldap.5.xml:2908
++#: sssd-ldap.5.xml:2928
+ msgid ""
+ "The descriptions of some of the configuration options in this manual page "
+ "are based on the <citerefentry> <refentrytitle>ldap.conf</refentrytitle> "
+@@ -8657,7 +8820,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ipa.5.xml:128 sssd-ad.5.xml:888
++#: sssd-ipa.5.xml:128 sssd-ad.5.xml:907
+ msgid "dyndns_update (boolean)"
+ msgstr ""
+ 
+@@ -8672,7 +8835,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ipa.5.xml:140 sssd-ad.5.xml:902
++#: sssd-ipa.5.xml:140 sssd-ad.5.xml:921
+ msgid ""
+ "NOTE: On older systems (such as RHEL 5), for this behavior to work reliably, "
+ "the default Kerberos realm must be set properly in /etc/krb5.conf"
+@@ -8687,12 +8850,12 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ipa.5.xml:157 sssd-ad.5.xml:913
++#: sssd-ipa.5.xml:157 sssd-ad.5.xml:932
+ msgid "dyndns_ttl (integer)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ipa.5.xml:160 sssd-ad.5.xml:916
++#: sssd-ipa.5.xml:160 sssd-ad.5.xml:935
+ msgid ""
+ "The TTL to apply to the client DNS record when updating it.  If "
+ "dyndns_update is false this has no effect. This will override the TTL "
+@@ -8713,12 +8876,12 @@ msgid "Default: 1200 (seconds)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ipa.5.xml:177 sssd-ad.5.xml:927
++#: sssd-ipa.5.xml:177 sssd-ad.5.xml:946
+ msgid "dyndns_iface (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ipa.5.xml:180 sssd-ad.5.xml:930
++#: sssd-ipa.5.xml:180 sssd-ad.5.xml:949
+ msgid ""
+ "Optional. Applicable only when dyndns_update is true. Choose the interface "
+ "or a list of interfaces whose IP addresses should be used for dynamic DNS "
+@@ -8742,17 +8905,17 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ipa.5.xml:197 sssd-ad.5.xml:941
++#: sssd-ipa.5.xml:197 sssd-ad.5.xml:960
+ msgid "Example: dyndns_iface = em1, vnet1, vnet2"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ipa.5.xml:203 sssd-ad.5.xml:992
++#: sssd-ipa.5.xml:203 sssd-ad.5.xml:1011
+ msgid "dyndns_auth (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ipa.5.xml:206 sssd-ad.5.xml:995
++#: sssd-ipa.5.xml:206 sssd-ad.5.xml:1014
+ msgid ""
+ "Whether the nsupdate utility should use GSS-TSIG authentication for secure "
+ "updates with the DNS server, insecure updates can be sent by setting this "
+@@ -8760,7 +8923,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ipa.5.xml:212 sssd-ad.5.xml:1001
++#: sssd-ipa.5.xml:212 sssd-ad.5.xml:1020
+ msgid "Default: GSS-TSIG"
+ msgstr ""
+ 
+@@ -8787,7 +8950,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ipa.5.xml:244 sssd-ad.5.xml:947
++#: sssd-ipa.5.xml:244 sssd-ad.5.xml:966
+ msgid "dyndns_refresh_interval (integer)"
+ msgstr ""
+ 
+@@ -8800,12 +8963,12 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ipa.5.xml:260 sssd-ad.5.xml:965
++#: sssd-ipa.5.xml:260 sssd-ad.5.xml:984
+ msgid "dyndns_update_ptr (bool)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ipa.5.xml:263 sssd-ad.5.xml:968
++#: sssd-ipa.5.xml:263 sssd-ad.5.xml:987
+ msgid ""
+ "Whether the PTR record should also be explicitly updated when updating the "
+ "client's DNS records.  Applicable only when dyndns_update is true."
+@@ -8824,50 +8987,50 @@ msgid "Default: False (disabled)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ipa.5.xml:280 sssd-ad.5.xml:979
++#: sssd-ipa.5.xml:280 sssd-ad.5.xml:998
+ msgid "dyndns_force_tcp (bool)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ipa.5.xml:283 sssd-ad.5.xml:982
++#: sssd-ipa.5.xml:283 sssd-ad.5.xml:1001
+ msgid ""
+ "Whether the nsupdate utility should default to using TCP for communicating "
+ "with the DNS server."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ipa.5.xml:287 sssd-ad.5.xml:986
++#: sssd-ipa.5.xml:287 sssd-ad.5.xml:1005
+ msgid "Default: False (let nsupdate choose the protocol)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ipa.5.xml:293 sssd-ad.5.xml:1007
++#: sssd-ipa.5.xml:293 sssd-ad.5.xml:1026
+ msgid "dyndns_server (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ipa.5.xml:296 sssd-ad.5.xml:1010
++#: sssd-ipa.5.xml:296 sssd-ad.5.xml:1029
+ msgid ""
+ "The DNS server to use when performing a DNS update. In most setups, it's "
+ "recommended to leave this option unset."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ipa.5.xml:301 sssd-ad.5.xml:1015
++#: sssd-ipa.5.xml:301 sssd-ad.5.xml:1034
+ msgid ""
+ "Setting this option makes sense for environments where the DNS server is "
+ "different from the identity server."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ipa.5.xml:306 sssd-ad.5.xml:1020
++#: sssd-ipa.5.xml:306 sssd-ad.5.xml:1039
+ msgid ""
+ "Please note that this option will be only used in fallback attempt when "
+ "previous attempt using autodetected settings failed."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ipa.5.xml:311 sssd-ad.5.xml:1025
++#: sssd-ipa.5.xml:311 sssd-ad.5.xml:1044
+ msgid "Default: None (let nsupdate choose the server)"
+ msgstr ""
+ 
+@@ -8978,26 +9141,26 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ipa.5.xml:443 sssd-ad.5.xml:1034
++#: sssd-ipa.5.xml:443 sssd-ad.5.xml:1053
+ msgid "krb5_confd_path (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ipa.5.xml:446 sssd-ad.5.xml:1037
++#: sssd-ipa.5.xml:446 sssd-ad.5.xml:1056
+ msgid ""
+ "Absolute path of a directory where SSSD should place Kerberos configuration "
+ "snippets."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ipa.5.xml:450 sssd-ad.5.xml:1041
++#: sssd-ipa.5.xml:450 sssd-ad.5.xml:1060
+ msgid ""
+ "To disable the creation of the configuration snippets set the parameter to "
+ "'none'."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ipa.5.xml:454 sssd-ad.5.xml:1045
++#: sssd-ipa.5.xml:454 sssd-ad.5.xml:1064
+ msgid ""
+ "Default: not set (krb5.include.d subdirectory of SSSD's pubconf directory)"
+ msgstr ""
+@@ -9016,7 +9179,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ipa.5.xml:471 sssd-ipa.5.xml:501 sssd-ipa.5.xml:517 sssd-ad.5.xml:452
++#: sssd-ipa.5.xml:471 sssd-ipa.5.xml:501 sssd-ipa.5.xml:517 sssd-ad.5.xml:471
+ msgid "Default: 5 (seconds)"
+ msgstr ""
+ 
+@@ -9897,12 +10060,27 @@ msgid "Default: False (seconds)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ad.5.xml:442
++#: sssd-ad.5.xml:441
++msgid "ad_gpo_ignore_unreadable (boolean)"
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
++#: sssd-ad.5.xml:444
++msgid ""
++"Normally when some group policy containers (AD object) of applicable group "
++"policy objects are not readable by SSSD then users are denied access.  This "
++"option allows to ignore group policy containers and with them associated "
++"policies if their attributes in group policy containers are not readable for "
++"SSSD."
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
++#: sssd-ad.5.xml:461
+ msgid "ad_gpo_cache_timeout (integer)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:445
++#: sssd-ad.5.xml:464
+ msgid ""
+ "The amount of time between lookups of GPO policy files against the AD "
+ "server. This will reduce the latency and load on the AD server if there are "
+@@ -9910,12 +10088,12 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ad.5.xml:458
++#: sssd-ad.5.xml:477
+ msgid "ad_gpo_map_interactive (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:461
++#: sssd-ad.5.xml:480
+ msgid ""
+ "A comma-separated list of PAM service names for which GPO-based access "
+ "control is evaluated based on the InteractiveLogonRight and "
+@@ -9923,14 +10101,14 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:467
++#: sssd-ad.5.xml:486
+ msgid ""
+ "Note: Using the Group Policy Management Editor this value is called \"Allow "
+ "log on locally\" and \"Deny log on locally\"."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
+-#: sssd-ad.5.xml:481
++#: sssd-ad.5.xml:500
+ #, no-wrap
+ msgid ""
+ "ad_gpo_map_interactive = +my_pam_service, -login\n"
+@@ -9938,7 +10116,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:472
++#: sssd-ad.5.xml:491
+ msgid ""
+ "It is possible to add another PAM service name to the default set by using "
+ "<quote>+service_name</quote> or to explicitly remove a PAM service name from "
+@@ -9950,42 +10128,42 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd-ad.5.xml:504
++#: sssd-ad.5.xml:523
+ msgid "gdm-fingerprint"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd-ad.5.xml:524
++#: sssd-ad.5.xml:543
+ msgid "lightdm"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd-ad.5.xml:529
++#: sssd-ad.5.xml:548
+ msgid "lxdm"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd-ad.5.xml:534
++#: sssd-ad.5.xml:553
+ msgid "sddm"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd-ad.5.xml:539
++#: sssd-ad.5.xml:558
+ msgid "unity"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd-ad.5.xml:544
++#: sssd-ad.5.xml:563
+ msgid "xdm"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ad.5.xml:553
++#: sssd-ad.5.xml:572
+ msgid "ad_gpo_map_remote_interactive (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:556
++#: sssd-ad.5.xml:575
+ msgid ""
+ "A comma-separated list of PAM service names for which GPO-based access "
+ "control is evaluated based on the RemoteInteractiveLogonRight and "
+@@ -9993,7 +10171,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:562
++#: sssd-ad.5.xml:581
+ msgid ""
+ "Note: Using the Group Policy Management Editor this value is called \"Allow "
+ "log on through Remote Desktop Services\" and \"Deny log on through Remote "
+@@ -10001,7 +10179,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
+-#: sssd-ad.5.xml:577
++#: sssd-ad.5.xml:596
+ #, no-wrap
+ msgid ""
+ "ad_gpo_map_remote_interactive = +my_pam_service, -sshd\n"
+@@ -10009,7 +10187,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:568
++#: sssd-ad.5.xml:587
+ msgid ""
+ "It is possible to add another PAM service name to the default set by using "
+ "<quote>+service_name</quote> or to explicitly remove a PAM service name from "
+@@ -10021,22 +10199,22 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd-ad.5.xml:585
++#: sssd-ad.5.xml:604
+ msgid "sshd"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd-ad.5.xml:590
++#: sssd-ad.5.xml:609
+ msgid "cockpit"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ad.5.xml:599
++#: sssd-ad.5.xml:618
+ msgid "ad_gpo_map_network (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:602
++#: sssd-ad.5.xml:621
+ msgid ""
+ "A comma-separated list of PAM service names for which GPO-based access "
+ "control is evaluated based on the NetworkLogonRight and "
+@@ -10044,7 +10222,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:608
++#: sssd-ad.5.xml:627
+ msgid ""
+ "Note: Using the Group Policy Management Editor this value is called \"Access "
+ "this computer from the network\" and \"Deny access to this computer from the "
+@@ -10052,7 +10230,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
+-#: sssd-ad.5.xml:623
++#: sssd-ad.5.xml:642
+ #, no-wrap
+ msgid ""
+ "ad_gpo_map_network = +my_pam_service, -ftp\n"
+@@ -10060,7 +10238,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:614
++#: sssd-ad.5.xml:633
+ msgid ""
+ "It is possible to add another PAM service name to the default set by using "
+ "<quote>+service_name</quote> or to explicitly remove a PAM service name from "
+@@ -10072,22 +10250,22 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd-ad.5.xml:631
++#: sssd-ad.5.xml:650
+ msgid "ftp"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd-ad.5.xml:636
++#: sssd-ad.5.xml:655
+ msgid "samba"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ad.5.xml:645
++#: sssd-ad.5.xml:664
+ msgid "ad_gpo_map_batch (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:648
++#: sssd-ad.5.xml:667
+ msgid ""
+ "A comma-separated list of PAM service names for which GPO-based access "
+ "control is evaluated based on the BatchLogonRight and DenyBatchLogonRight "
+@@ -10095,14 +10273,14 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:654
++#: sssd-ad.5.xml:673
+ msgid ""
+ "Note: Using the Group Policy Management Editor this value is called \"Allow "
+ "log on as a batch job\" and \"Deny log on as a batch job\"."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
+-#: sssd-ad.5.xml:668
++#: sssd-ad.5.xml:687
+ #, no-wrap
+ msgid ""
+ "ad_gpo_map_batch = +my_pam_service, -crond\n"
+@@ -10110,7 +10288,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:659
++#: sssd-ad.5.xml:678
+ msgid ""
+ "It is possible to add another PAM service name to the default set by using "
+ "<quote>+service_name</quote> or to explicitly remove a PAM service name from "
+@@ -10122,23 +10300,23 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:671
++#: sssd-ad.5.xml:690
+ msgid ""
+ "Note: Cron service name may differ depending on Linux distribution used."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd-ad.5.xml:677
++#: sssd-ad.5.xml:696
+ msgid "crond"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ad.5.xml:686
++#: sssd-ad.5.xml:705
+ msgid "ad_gpo_map_service (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:689
++#: sssd-ad.5.xml:708
+ msgid ""
+ "A comma-separated list of PAM service names for which GPO-based access "
+ "control is evaluated based on the ServiceLogonRight and "
+@@ -10146,14 +10324,14 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:695
++#: sssd-ad.5.xml:714
+ msgid ""
+ "Note: Using the Group Policy Management Editor this value is called \"Allow "
+ "log on as a service\" and \"Deny log on as a service\"."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
+-#: sssd-ad.5.xml:708
++#: sssd-ad.5.xml:727
+ #, no-wrap
+ msgid ""
+ "ad_gpo_map_service = +my_pam_service\n"
+@@ -10161,7 +10339,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:700 sssd-ad.5.xml:775
++#: sssd-ad.5.xml:719 sssd-ad.5.xml:794
+ msgid ""
+ "It is possible to add a PAM service name to the default set by using <quote>"
+ "+service_name</quote>.  Since the default set is empty, it is not possible "
+@@ -10172,19 +10350,19 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ad.5.xml:718
++#: sssd-ad.5.xml:737
+ msgid "ad_gpo_map_permit (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:721
++#: sssd-ad.5.xml:740
+ msgid ""
+ "A comma-separated list of PAM service names for which GPO-based access is "
+ "always granted, regardless of any GPO Logon Rights."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
+-#: sssd-ad.5.xml:735
++#: sssd-ad.5.xml:754
+ #, no-wrap
+ msgid ""
+ "ad_gpo_map_permit = +my_pam_service, -sudo\n"
+@@ -10192,7 +10370,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:726
++#: sssd-ad.5.xml:745
+ msgid ""
+ "It is possible to add another PAM service name to the default set by using "
+ "<quote>+service_name</quote> or to explicitly remove a PAM service name from "
+@@ -10204,29 +10382,29 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd-ad.5.xml:743
++#: sssd-ad.5.xml:762
+ msgid "polkit-1"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd-ad.5.xml:758
++#: sssd-ad.5.xml:777
+ msgid "systemd-user"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ad.5.xml:767
++#: sssd-ad.5.xml:786
+ msgid "ad_gpo_map_deny (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:770
++#: sssd-ad.5.xml:789
+ msgid ""
+ "A comma-separated list of PAM service names for which GPO-based access is "
+ "always denied, regardless of any GPO Logon Rights."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
+-#: sssd-ad.5.xml:783
++#: sssd-ad.5.xml:802
+ #, no-wrap
+ msgid ""
+ "ad_gpo_map_deny = +my_pam_service\n"
+@@ -10234,12 +10412,12 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ad.5.xml:793
++#: sssd-ad.5.xml:812
+ msgid "ad_gpo_default_right (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:796
++#: sssd-ad.5.xml:815
+ msgid ""
+ "This option defines how access control is evaluated for PAM service names "
+ "that are not explicitly listed in one of the ad_gpo_map_* options. This "
+@@ -10252,57 +10430,57 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:809
++#: sssd-ad.5.xml:828
+ msgid "Supported values for this option include:"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd-ad.5.xml:813
++#: sssd-ad.5.xml:832
+ msgid "interactive"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd-ad.5.xml:818
++#: sssd-ad.5.xml:837
+ msgid "remote_interactive"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd-ad.5.xml:823
++#: sssd-ad.5.xml:842
+ msgid "network"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd-ad.5.xml:828
++#: sssd-ad.5.xml:847
+ msgid "batch"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd-ad.5.xml:833
++#: sssd-ad.5.xml:852
+ msgid "service"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd-ad.5.xml:838
++#: sssd-ad.5.xml:857
+ msgid "permit"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd-ad.5.xml:843
++#: sssd-ad.5.xml:862
+ msgid "deny"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:849
++#: sssd-ad.5.xml:868
+ msgid "Default: deny"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ad.5.xml:855
++#: sssd-ad.5.xml:874
+ msgid "ad_maximum_machine_account_password_age (integer)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:858
++#: sssd-ad.5.xml:877
+ msgid ""
+ "SSSD will check once a day if the machine account password is older than the "
+ "given age in days and try to renew it. A value of 0 will disable the renewal "
+@@ -10310,17 +10488,17 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:864
++#: sssd-ad.5.xml:883
+ msgid "Default: 30 days"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ad.5.xml:870
++#: sssd-ad.5.xml:889
+ msgid "ad_machine_account_password_renewal_opts (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:873
++#: sssd-ad.5.xml:892
+ msgid ""
+ "This option should only be used to test the machine account renewal task. "
+ "The option expects 2 integers separated by a colon (':'). The first integer "
+@@ -10330,12 +10508,12 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:882
++#: sssd-ad.5.xml:901
+ msgid "Default: 86400:750 (24h and 15m)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:891
++#: sssd-ad.5.xml:910
+ msgid ""
+ "Optional. This option tells SSSD to automatically update the Active "
+ "Directory DNS server with the IP address of this client. The update is "
+@@ -10346,19 +10524,19 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:921
++#: sssd-ad.5.xml:940
+ msgid "Default: 3600 (seconds)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:937
++#: sssd-ad.5.xml:956
+ msgid ""
+ "Default: Use the IP addresses of the interface which is used for AD LDAP "
+ "connection"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:950
++#: sssd-ad.5.xml:969
+ msgid ""
+ "How often should the back end perform periodic DNS update in addition to the "
+ "automatic update performed when the back end goes online.  This option is "
+@@ -10368,12 +10546,12 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:973 sss_rpcidmapd.5.xml:76
++#: sssd-ad.5.xml:992 sss_rpcidmapd.5.xml:76
+ msgid "Default: True"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd-ad.5.xml:1065
++#: sssd-ad.5.xml:1084
+ msgid ""
+ "The following example assumes that SSSD is correctly configured and example."
+ "com is one of the domains in the <replaceable>[sssd]</replaceable> section. "
+@@ -10381,7 +10559,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><programlisting>
+-#: sssd-ad.5.xml:1072
++#: sssd-ad.5.xml:1091
+ #, no-wrap
+ msgid ""
+ "[domain/EXAMPLE]\n"
+@@ -10396,7 +10574,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><programlisting>
+-#: sssd-ad.5.xml:1092
++#: sssd-ad.5.xml:1111
+ #, no-wrap
+ msgid ""
+ "access_provider = ldap\n"
+@@ -10405,7 +10583,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd-ad.5.xml:1088
++#: sssd-ad.5.xml:1107
+ msgid ""
+ "The AD access control provider checks if the account is expired.  It has the "
+ "same effect as the following configuration of the LDAP provider: "
+@@ -10413,7 +10591,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd-ad.5.xml:1098
++#: sssd-ad.5.xml:1117
+ msgid ""
+ "However, unless the <quote>ad</quote> access control provider is explicitly "
+ "configured, the default access provider is <quote>permit</quote>. Please "
+@@ -10423,7 +10601,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd-ad.5.xml:1106
++#: sssd-ad.5.xml:1125
+ msgid ""
+ "When the autofs provider is set to <quote>ad</quote>, the RFC2307 schema "
+ "attribute mapping (nisMap, nisObject, ...) is used, because these attributes "
+@@ -11881,23 +12059,61 @@ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd-krb5.5.xml:505
+-msgid "krb5_use_enterprise_principal (boolean)"
++msgid "krb5_kdcinfo_lookahead (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-krb5.5.xml:508
+ msgid ""
++"When krb5_use_kdcinfo is set to true, you can limit the amount of servers "
++"handed to <citerefentry> <refentrytitle>sssd_krb5_locator_plugin</"
++"refentrytitle> <manvolnum>8</manvolnum> </citerefentry>.  This might be "
++"helpful when there are too many servers discovered using SRV record."
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
++#: sssd-krb5.5.xml:518
++msgid ""
++"The krb5_kdcinfo_lookahead option contains two numbers seperated by a colon. "
++"The first number represents number of primary servers used and the second "
++"number specifies the number of backup servers."
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
++#: sssd-krb5.5.xml:524
++msgid ""
++"For example <emphasis>10:0</emphasis> means that up to 10 primary servers "
++"will be handed to <citerefentry> <refentrytitle>sssd_krb5_locator_plugin</"
++"refentrytitle> <manvolnum>8</manvolnum> </citerefentry>.  but no backup "
++"servers."
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
++#: sssd-krb5.5.xml:533
++#, fuzzy
++#| msgid "Default: 3"
++msgid "Default: 3:1"
++msgstr "Standaard: 3"
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
++#: sssd-krb5.5.xml:539
++msgid "krb5_use_enterprise_principal (boolean)"
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
++#: sssd-krb5.5.xml:542
++msgid ""
+ "Specifies if the user principal should be treated as enterprise principal. "
+ "See section 5 of RFC 6806 for more details about enterprise principals."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-krb5.5.xml:514
++#: sssd-krb5.5.xml:548
+ msgid "Default: false (AD provider: true)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-krb5.5.xml:517
++#: sssd-krb5.5.xml:551
+ msgid ""
+ "The IPA provider will set to option to 'true' if it detects that the server "
+ "is capable of handling enterprise principals and the option is not set "
+@@ -11905,12 +12121,12 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-krb5.5.xml:526
++#: sssd-krb5.5.xml:560
+ msgid "krb5_map_user (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-krb5.5.xml:529
++#: sssd-krb5.5.xml:563
+ msgid ""
+ "The list of mappings is given as a comma-separated list of pairs "
+ "<quote>username:primary</quote> where <quote>username</quote> is a UNIX user "
+@@ -11920,7 +12136,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
+-#: sssd-krb5.5.xml:541
++#: sssd-krb5.5.xml:575
+ #, no-wrap
+ msgid ""
+ "krb5_realm = REALM\n"
+@@ -11928,7 +12144,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-krb5.5.xml:546
++#: sssd-krb5.5.xml:580
+ msgid ""
+ "<quote>joe</quote> and <quote>dick</quote> are UNIX user names and "
+ "<quote>juser</quote> and <quote>richard</quote> are primaries of kerberos "
+@@ -11948,7 +12164,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd-krb5.5.xml:572
++#: sssd-krb5.5.xml:606
+ msgid ""
+ "The following example assumes that SSSD is correctly configured and FOO is "
+ "one of the domains in the <replaceable>[sssd]</replaceable> section. This "
+@@ -11957,7 +12173,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><programlisting>
+-#: sssd-krb5.5.xml:580
++#: sssd-krb5.5.xml:614
+ #, no-wrap
+ msgid ""
+ "[domain/FOO]\n"
+diff --git a/src/man/po/pt.po b/src/man/po/pt.po
+index b34e6c902..b92414a33 100644
+--- a/src/man/po/pt.po
++++ b/src/man/po/pt.po
+@@ -8,7 +8,7 @@ msgid ""
+ msgstr ""
+ "Project-Id-Version: sssd-docs 2.0.99\n"
+ "Report-Msgid-Bugs-To: sssd-devel@redhat.com\n"
+-"POT-Creation-Date: 2019-03-20 22:06+0100\n"
++"POT-Creation-Date: 2019-10-07 11:33+0200\n"
+ "PO-Revision-Date: 2014-12-15 12:05+0000\n"
+ "Last-Translator: Copied by Zanata <copied-by-zanata@zanata.org>\n"
+ "Language-Team: Portuguese (http://www.transifex.com/projects/p/sssd/language/"
+@@ -314,10 +314,10 @@ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:133 sssd.conf.5.xml:543 sssd.conf.5.xml:840
+-#: sssd.conf.5.xml:1566 sssd.conf.5.xml:1596 sssd-ldap.5.xml:1889
+-#: sssd-ldap.5.xml:1986 sssd-ldap.5.xml:2048 sssd-ldap.5.xml:2614
+-#: sssd-ldap.5.xml:2679 sssd-ldap.5.xml:2697 sssd-ad.5.xml:227
+-#: sssd-ad.5.xml:341 sssd-ad.5.xml:907 sssd-krb5.5.xml:499
++#: sssd.conf.5.xml:1566 sssd.conf.5.xml:1596 sssd-ldap.5.xml:1908
++#: sssd-ldap.5.xml:2006 sssd-ldap.5.xml:2068 sssd-ldap.5.xml:2634
++#: sssd-ldap.5.xml:2699 sssd-ldap.5.xml:2717 sssd-ad.5.xml:227
++#: sssd-ad.5.xml:341 sssd-ad.5.xml:926 sssd-krb5.5.xml:499
+ #: sssd-secrets.5.xml:351 sssd-secrets.5.xml:364
+ msgid "Default: true"
+ msgstr ""
+@@ -336,16 +336,16 @@ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:146 sssd.conf.5.xml:540 sssd.conf.5.xml:722
+-#: sssd.conf.5.xml:1499 sssd.conf.5.xml:3106 sssd-ldap.5.xml:746
+-#: sssd-ldap.5.xml:1752 sssd-ldap.5.xml:1771 sssd-ldap.5.xml:1958
+-#: sssd-ldap.5.xml:2384 sssd-ipa.5.xml:151 sssd-ipa.5.xml:238
++#: sssd.conf.5.xml:1499 sssd.conf.5.xml:3129 sssd-ldap.5.xml:746
++#: sssd-ldap.5.xml:1759 sssd-ldap.5.xml:1778 sssd-ldap.5.xml:1978
++#: sssd-ldap.5.xml:2404 sssd-ipa.5.xml:151 sssd-ipa.5.xml:238
+ #: sssd-ipa.5.xml:559 sssd-krb5.5.xml:266 sssd-krb5.5.xml:300
+ #: sssd-krb5.5.xml:471
+ msgid "Default: false"
+ msgstr "Padrão: false"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para>
+-#: sssd.conf.5.xml:106 sssd.conf.5.xml:157 sssd-ldap.5.xml:2422
++#: sssd.conf.5.xml:106 sssd.conf.5.xml:157 sssd-ldap.5.xml:2442
+ #: sssd-systemtap.5.xml:82 sssd-systemtap.5.xml:143 sssd-systemtap.5.xml:210
+ #: sssd-systemtap.5.xml:248 sssd-systemtap.5.xml:304
+ msgid "<placeholder type=\"variablelist\" id=\"0\"/>"
+@@ -370,8 +370,8 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:169 sssd.conf.5.xml:1377 sssd.conf.5.xml:3122
+-#: sssd-ldap.5.xml:1623 include/ldap_id_mapping.xml:264
++#: sssd.conf.5.xml:169 sssd.conf.5.xml:1377 sssd.conf.5.xml:3145
++#: sssd-ldap.5.xml:1630 include/ldap_id_mapping.xml:264
+ msgid "Default: 10"
+ msgstr "Padrão: 10"
+ 
+@@ -386,7 +386,7 @@ msgid "The [sssd] section"
+ msgstr "A seção [SSSD]"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><title>
+-#: sssd.conf.5.xml:191 sssd.conf.5.xml:3211
++#: sssd.conf.5.xml:191 sssd.conf.5.xml:3234
+ msgid "Section parameters"
+ msgstr "Parâmetros de secção"
+ 
+@@ -470,7 +470,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:259 sssd.conf.5.xml:2672
++#: sssd.conf.5.xml:259 sssd.conf.5.xml:2680
+ msgid "re_expression (string)"
+ msgstr "re_expression (string)"
+ 
+@@ -490,12 +490,12 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:276 sssd.conf.5.xml:2720
++#: sssd.conf.5.xml:276 sssd.conf.5.xml:2728
+ msgid "full_name_format (string)"
+ msgstr "full_name_format (string)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:279 sssd.conf.5.xml:2723
++#: sssd.conf.5.xml:279 sssd.conf.5.xml:2731
+ msgid ""
+ "A <citerefentry> <refentrytitle>printf</refentrytitle> <manvolnum>3</"
+ "manvolnum> </citerefentry>-compatible format that describes how to compose a "
+@@ -503,39 +503,39 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:290 sssd.conf.5.xml:2734
++#: sssd.conf.5.xml:290 sssd.conf.5.xml:2742
+ msgid "%1$s"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:291 sssd.conf.5.xml:2735
++#: sssd.conf.5.xml:291 sssd.conf.5.xml:2743
+ msgid "user name"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:294 sssd.conf.5.xml:2738
++#: sssd.conf.5.xml:294 sssd.conf.5.xml:2746
+ msgid "%2$s"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:297 sssd.conf.5.xml:2741
++#: sssd.conf.5.xml:297 sssd.conf.5.xml:2749
+ msgid "domain name as specified in the SSSD config file."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:303 sssd.conf.5.xml:2747
++#: sssd.conf.5.xml:303 sssd.conf.5.xml:2755
+ msgid "%3$s"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:306 sssd.conf.5.xml:2750
++#: sssd.conf.5.xml:306 sssd.conf.5.xml:2758
+ msgid ""
+ "domain flat name. Mostly usable for Active Directory domains, both directly "
+ "configured or discovered via IPA trusts."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:287 sssd.conf.5.xml:2731
++#: sssd.conf.5.xml:287 sssd.conf.5.xml:2739
+ msgid ""
+ "The following expansions are supported: <placeholder type=\"variablelist\" "
+ "id=\"0\"/>"
+@@ -660,9 +660,9 @@ msgstr ""
+ 
+ #. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:418 sssd.conf.5.xml:1166 sssd-ldap.5.xml:717
+-#: sssd-ldap.5.xml:1357 sssd-ldap.5.xml:1711 sssd-ldap.5.xml:1723
+-#: sssd-ldap.5.xml:1805 sssd-ad.5.xml:712 sssd-ad.5.xml:787 sssd.8.xml:126
+-#: sssd-krb5.5.xml:410 sssd-krb5.5.xml:556 sssd-secrets.5.xml:339
++#: sssd-ldap.5.xml:1357 sssd-ldap.5.xml:1718 sssd-ldap.5.xml:1730
++#: sssd-ldap.5.xml:1822 sssd-ad.5.xml:731 sssd-ad.5.xml:806 sssd.8.xml:126
++#: sssd-krb5.5.xml:410 sssd-krb5.5.xml:590 sssd-secrets.5.xml:339
+ #: sssd-secrets.5.xml:377 sssd-secrets.5.xml:390 sssd-secrets.5.xml:404
+ #: sssd-secrets.5.xml:415 include/ldap_id_mapping.xml:205
+ #: include/ldap_id_mapping.xml:216
+@@ -853,7 +853,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:588 sssd.conf.5.xml:1389 sssd.conf.5.xml:3172
++#: sssd.conf.5.xml:588 sssd.conf.5.xml:1389 sssd.conf.5.xml:3195
+ #: sssd-ad.5.xml:164 sssd-ad.5.xml:302 sssd-ad.5.xml:316
+ msgid "Default: Not set"
+ msgstr ""
+@@ -1175,7 +1175,7 @@ msgstr ""
+ 
+ #. type: Content of: <varlistentry><listitem><para>
+ #: sssd.conf.5.xml:859 sssd.conf.5.xml:1299 sssd.conf.5.xml:1318
+-#: sssd-krb5.5.xml:539 include/override_homedir.xml:59
++#: sssd-krb5.5.xml:573 include/override_homedir.xml:59
+ msgid "example: <placeholder type=\"programlisting\" id=\"0\"/>"
+ msgstr ""
+ 
+@@ -1596,7 +1596,7 @@ msgid "pam_pwd_expiration_warning (integer)"
+ msgstr "pam_pwd_expiration_warning (integer)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:1201 sssd.conf.5.xml:2153
++#: sssd.conf.5.xml:1201 sssd.conf.5.xml:2161
+ msgid "Display a warning N days before the password expires."
+ msgstr ""
+ 
+@@ -1609,7 +1609,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:1210 sssd.conf.5.xml:2156
++#: sssd.conf.5.xml:1210 sssd.conf.5.xml:2164
+ msgid ""
+ "If zero is set, then this filter is not applied, i.e. if the expiration "
+ "warning was received from backend server, it will automatically be displayed."
+@@ -1623,7 +1623,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:1220 sssd.conf.5.xml:2976 sssd.8.xml:79
++#: sssd.conf.5.xml:1220 sssd.conf.5.xml:2991 sssd.8.xml:79
+ msgid "Default: 0"
+ msgstr ""
+ 
+@@ -1686,7 +1686,7 @@ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:1280 sssd.conf.5.xml:1305 sssd.conf.5.xml:1324
+-#: sssd.conf.5.xml:1950 sssd.conf.5.xml:2912 sssd-ldap.5.xml:2017
++#: sssd.conf.5.xml:1950 sssd.conf.5.xml:2920 sssd-ldap.5.xml:2037
+ msgid "Default: none"
+ msgstr "Padrão: none"
+ 
+@@ -1751,9 +1751,9 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:1338 sssd.conf.5.xml:3056 sssd-ldap.5.xml:1125
+-#: sssd-ldap.5.xml:1152 sssd-ldap.5.xml:1552 sssd-ldap.5.xml:1573
+-#: sssd-ldap.5.xml:2090 include/ldap_id_mapping.xml:244
++#: sssd.conf.5.xml:1338 sssd-ldap.5.xml:1125 sssd-ldap.5.xml:1152
++#: sssd-ldap.5.xml:1552 sssd-ldap.5.xml:1573 sssd-ldap.5.xml:2110
++#: sssd-ad.5.xml:453 include/ldap_id_mapping.xml:244
+ msgid "Default: False"
+ msgstr ""
+ 
+@@ -1851,48 +1851,48 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:1416 sssd-ad.5.xml:485 sssd-ad.5.xml:581 sssd-ad.5.xml:627
+-#: sssd-ad.5.xml:673 sssd-ad.5.xml:739
++#: sssd.conf.5.xml:1416 sssd-ad.5.xml:504 sssd-ad.5.xml:600 sssd-ad.5.xml:646
++#: sssd-ad.5.xml:692 sssd-ad.5.xml:758
+ msgid "Default: the default set of PAM service names includes:"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd.conf.5.xml:1421 sssd-ad.5.xml:489
++#: sssd.conf.5.xml:1421 sssd-ad.5.xml:508
+ msgid "login"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd.conf.5.xml:1426 sssd-ad.5.xml:494
++#: sssd.conf.5.xml:1426 sssd-ad.5.xml:513
+ msgid "su"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd.conf.5.xml:1431 sssd-ad.5.xml:499
++#: sssd.conf.5.xml:1431 sssd-ad.5.xml:518
+ msgid "su-l"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd.conf.5.xml:1436 sssd-ad.5.xml:514
++#: sssd.conf.5.xml:1436 sssd-ad.5.xml:533
+ msgid "gdm-smartcard"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd.conf.5.xml:1441 sssd-ad.5.xml:509
++#: sssd.conf.5.xml:1441 sssd-ad.5.xml:528
+ msgid "gdm-password"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd.conf.5.xml:1446 sssd-ad.5.xml:519
++#: sssd.conf.5.xml:1446 sssd-ad.5.xml:538
+ msgid "kdm"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd.conf.5.xml:1451 sssd-ad.5.xml:748
++#: sssd.conf.5.xml:1451 sssd-ad.5.xml:767
+ msgid "sudo"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd.conf.5.xml:1456 sssd-ad.5.xml:753
++#: sssd.conf.5.xml:1456 sssd-ad.5.xml:772
+ msgid "sudo-i"
+ msgstr ""
+ 
+@@ -2335,7 +2335,7 @@ msgid "FALSE = No enumerations for this domain"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:1886 sssd.conf.5.xml:2108 sssd.conf.5.xml:2283
++#: sssd.conf.5.xml:1886 sssd.conf.5.xml:2116 sssd.conf.5.xml:2291
+ msgid "Default: FALSE"
+ msgstr "Padrão: FALSE"
+ 
+@@ -2551,41 +2551,49 @@ msgstr ""
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:2083
+ msgid ""
+-"The background refresh will process users, groups and netgroups in the cache."
++"The background refresh will process users, groups and netgroups in the "
++"cache. For users who have performed the initgroups (get group membership for "
++"user, typically ran at login)  operation in the past, both the user entry "
++"and the group membership are updated."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2087
++#: sssd.conf.5.xml:2091
++msgid "This option is automatically inherited for all trusted domains."
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
++#: sssd.conf.5.xml:2095
+ msgid "You can consider setting this value to 3/4 * entry_cache_timeout."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2091 sssd-ldap.5.xml:784 sssd-ipa.5.xml:254
++#: sssd.conf.5.xml:2099 sssd-ldap.5.xml:784 sssd-ipa.5.xml:254
+ msgid "Default: 0 (disabled)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2097
++#: sssd.conf.5.xml:2105
+ msgid "cache_credentials (bool)"
+ msgstr "cache_credentials (bool)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2100
++#: sssd.conf.5.xml:2108
+ msgid "Determines if user credentials are also cached in the local LDB cache"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2104
++#: sssd.conf.5.xml:2112
+ msgid "User credentials are stored in a SHA512 hash, not in plaintext"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2114
++#: sssd.conf.5.xml:2122
+ msgid "cache_credentials_minimal_first_factor_length (int)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2117
++#: sssd.conf.5.xml:2125
+ msgid ""
+ "If 2-Factor-Authentication (2FA) is used and credentials should be saved "
+ "this value determines the minimal length the first authentication factor "
+@@ -2593,24 +2601,24 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2124
++#: sssd.conf.5.xml:2132
+ msgid ""
+ "This should avoid that the short PINs of a PIN based 2FA scheme are saved in "
+ "the cache which would make them easy targets for brute-force attacks."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2129
++#: sssd.conf.5.xml:2137
+ msgid "Default: 8"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2135
++#: sssd.conf.5.xml:2143
+ msgid "account_cache_expiration (integer)"
+ msgstr "account_cache_expiration (integer)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2138
++#: sssd.conf.5.xml:2146
+ msgid ""
+ "Number of days entries are left in cache after last successful login before "
+ "being removed during a cleanup of the cache. 0 means keep forever.  The "
+@@ -2619,17 +2627,17 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2145
++#: sssd.conf.5.xml:2153
+ msgid "Default: 0 (unlimited)"
+ msgstr "Padrão: 0 (ilimitado)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2150
++#: sssd.conf.5.xml:2158
+ msgid "pwd_expiration_warning (integer)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2161
++#: sssd.conf.5.xml:2169
+ msgid ""
+ "Please note that the backend server has to provide information about the "
+ "expiration time of the password.  If this information is missing, sssd "
+@@ -2638,34 +2646,34 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2168
++#: sssd.conf.5.xml:2176
+ msgid "Default: 7 (Kerberos), 0 (LDAP)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2174
++#: sssd.conf.5.xml:2182
+ msgid "id_provider (string)"
+ msgstr "id_provider (string)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2177
++#: sssd.conf.5.xml:2185
+ msgid ""
+ "The identification provider used for the domain.  Supported ID providers are:"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2181
++#: sssd.conf.5.xml:2189
+ msgid "<quote>proxy</quote>: Support a legacy NSS provider."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2184
++#: sssd.conf.5.xml:2192
+ msgid ""
+ "<quote>local</quote>: SSSD internal provider for local users (DEPRECATED)."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2188
++#: sssd.conf.5.xml:2196
+ msgid ""
+ "<quote>files</quote>: FILES provider. See <citerefentry> <refentrytitle>sssd-"
+ "files</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> for more "
+@@ -2673,7 +2681,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2196
++#: sssd.conf.5.xml:2204
+ msgid ""
+ "<quote>ldap</quote>: LDAP provider. See <citerefentry> <refentrytitle>sssd-"
+ "ldap</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> for more "
+@@ -2681,8 +2689,8 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2204 sssd.conf.5.xml:2309 sssd.conf.5.xml:2364
+-#: sssd.conf.5.xml:2427
++#: sssd.conf.5.xml:2212 sssd.conf.5.xml:2317 sssd.conf.5.xml:2372
++#: sssd.conf.5.xml:2435
+ msgid ""
+ "<quote>ipa</quote>: FreeIPA and Red Hat Enterprise Identity Management "
+ "provider. See <citerefentry> <refentrytitle>sssd-ipa</refentrytitle> "
+@@ -2691,8 +2699,8 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2213 sssd.conf.5.xml:2318 sssd.conf.5.xml:2373
+-#: sssd.conf.5.xml:2436
++#: sssd.conf.5.xml:2221 sssd.conf.5.xml:2326 sssd.conf.5.xml:2381
++#: sssd.conf.5.xml:2444
+ msgid ""
+ "<quote>ad</quote>: Active Directory provider. See <citerefentry> "
+ "<refentrytitle>sssd-ad</refentrytitle> <manvolnum>5</manvolnum> </"
+@@ -2700,19 +2708,19 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2224
++#: sssd.conf.5.xml:2232
+ msgid "use_fully_qualified_names (bool)"
+ msgstr "use_fully_qualified_names (bool)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2227
++#: sssd.conf.5.xml:2235
+ msgid ""
+ "Use the full name and domain (as formatted by the domain's full_name_format) "
+ "as the user's login name reported to NSS."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2232
++#: sssd.conf.5.xml:2240
+ msgid ""
+ "If set to TRUE, all requests to this domain must use fully qualified names. "
+ "For example, if used in LOCAL domain that contains a \"test\" user, "
+@@ -2721,7 +2729,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2240
++#: sssd.conf.5.xml:2248
+ msgid ""
+ "NOTE: This option has no effect on netgroup lookups due to their tendency to "
+ "include nested netgroups without qualified names. For netgroups, all domains "
+@@ -2729,22 +2737,22 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2247
++#: sssd.conf.5.xml:2255
+ msgid "Default: FALSE (TRUE if default_domain_suffix is used)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2253
++#: sssd.conf.5.xml:2261
+ msgid "ignore_group_members (bool)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2256
++#: sssd.conf.5.xml:2264
+ msgid "Do not return group members for group lookups."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2259
++#: sssd.conf.5.xml:2267
+ msgid ""
+ "If set to TRUE, the group membership attribute is not requested from the "
+ "ldap server, and group members are not returned when processing group lookup "
+@@ -2756,7 +2764,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2277
++#: sssd.conf.5.xml:2285
+ msgid ""
+ "Enabling this option can also make access provider checks for group "
+ "membership significantly faster, especially for groups containing many "
+@@ -2764,19 +2772,19 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2288
++#: sssd.conf.5.xml:2296
+ msgid "auth_provider (string)"
+ msgstr "auth_provider (string)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2291
++#: sssd.conf.5.xml:2299
+ msgid ""
+ "The authentication provider used for the domain.  Supported auth providers "
+ "are:"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2295 sssd.conf.5.xml:2357
++#: sssd.conf.5.xml:2303 sssd.conf.5.xml:2365
+ msgid ""
+ "<quote>ldap</quote> for native LDAP authentication. See <citerefentry> "
+ "<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
+@@ -2784,7 +2792,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2302
++#: sssd.conf.5.xml:2310
+ msgid ""
+ "<quote>krb5</quote> for Kerberos authentication. See <citerefentry> "
+ "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </"
+@@ -2792,35 +2800,35 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2326
++#: sssd.conf.5.xml:2334
+ msgid ""
+ "<quote>proxy</quote> for relaying authentication to some other PAM target."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2329
++#: sssd.conf.5.xml:2337
+ msgid "<quote>local</quote>: SSSD internal provider for local users"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2333
++#: sssd.conf.5.xml:2341
+ msgid "<quote>none</quote> disables authentication explicitly."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2336
++#: sssd.conf.5.xml:2344
+ msgid ""
+ "Default: <quote>id_provider</quote> is used if it is set and can handle "
+ "authentication requests."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2342
++#: sssd.conf.5.xml:2350
+ msgid "access_provider (string)"
+ msgstr "access_provider (string)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2345
++#: sssd.conf.5.xml:2353
+ msgid ""
+ "The access control provider used for the domain.  There are two built-in "
+ "access providers (in addition to any included in installed backends)  "
+@@ -2828,19 +2836,19 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2351
++#: sssd.conf.5.xml:2359
+ msgid ""
+ "<quote>permit</quote> always allow access. It's the only permitted access "
+ "provider for a local domain."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2354
++#: sssd.conf.5.xml:2362
+ msgid "<quote>deny</quote> always deny access."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2381
++#: sssd.conf.5.xml:2389
+ msgid ""
+ "<quote>simple</quote> access control based on access or deny lists. See "
+ "<citerefentry> <refentrytitle>sssd-simple</refentrytitle> <manvolnum>5</"
+@@ -2849,7 +2857,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2388
++#: sssd.conf.5.xml:2396
+ msgid ""
+ "<quote>krb5</quote>: .k5login based access control.  See <citerefentry> "
+ "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum></"
+@@ -2857,29 +2865,29 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2395
++#: sssd.conf.5.xml:2403
+ msgid "<quote>proxy</quote> for relaying access control to another PAM module."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2398
++#: sssd.conf.5.xml:2406
+ msgid "Default: <quote>permit</quote>"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2403
++#: sssd.conf.5.xml:2411
+ msgid "chpass_provider (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2406
++#: sssd.conf.5.xml:2414
+ msgid ""
+ "The provider which should handle change password operations for the domain.  "
+ "Supported change password providers are:"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2411
++#: sssd.conf.5.xml:2419
+ msgid ""
+ "<quote>ldap</quote> to change a password stored in a LDAP server. See "
+ "<citerefentry> <refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</"
+@@ -2887,7 +2895,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2419
++#: sssd.conf.5.xml:2427
+ msgid ""
+ "<quote>krb5</quote> to change the Kerberos password. See <citerefentry> "
+ "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </"
+@@ -2895,35 +2903,35 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2444
++#: sssd.conf.5.xml:2452
+ msgid ""
+ "<quote>proxy</quote> for relaying password changes to some other PAM target."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2448
++#: sssd.conf.5.xml:2456
+ msgid "<quote>none</quote> disallows password changes explicitly."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2451
++#: sssd.conf.5.xml:2459
+ msgid ""
+ "Default: <quote>auth_provider</quote> is used if it is set and can handle "
+ "change password requests."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2458
++#: sssd.conf.5.xml:2466
+ msgid "sudo_provider (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2461
++#: sssd.conf.5.xml:2469
+ msgid "The SUDO provider used for the domain.  Supported SUDO providers are:"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2465
++#: sssd.conf.5.xml:2473
+ msgid ""
+ "<quote>ldap</quote> for rules stored in LDAP. See <citerefentry> "
+ "<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
+@@ -2931,32 +2939,32 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2473
++#: sssd.conf.5.xml:2481
+ msgid ""
+ "<quote>ipa</quote> the same as <quote>ldap</quote> but with IPA default "
+ "settings."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2477
++#: sssd.conf.5.xml:2485
+ msgid ""
+ "<quote>ad</quote> the same as <quote>ldap</quote> but with AD default "
+ "settings."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2481
++#: sssd.conf.5.xml:2489
+ msgid "<quote>none</quote> disables SUDO explicitly."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2484 sssd.conf.5.xml:2570 sssd.conf.5.xml:2640
+-#: sssd.conf.5.xml:2665
++#: sssd.conf.5.xml:2492 sssd.conf.5.xml:2578 sssd.conf.5.xml:2648
++#: sssd.conf.5.xml:2673
+ msgid "Default: The value of <quote>id_provider</quote> is used if it is set."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2488
++#: sssd.conf.5.xml:2496
+ msgid ""
+ "The detailed instructions for configuration of sudo_provider are in the "
+ "manual page <citerefentry> <refentrytitle>sssd-sudo</refentrytitle> "
+@@ -2967,7 +2975,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2503
++#: sssd.conf.5.xml:2511
+ msgid ""
+ "<emphasis>NOTE:</emphasis> Sudo rules are periodically downloaded in the "
+ "background unless the sudo provider is explicitly disabled. Set "
+@@ -2976,12 +2984,12 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2513
++#: sssd.conf.5.xml:2521
+ msgid "selinux_provider (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2516
++#: sssd.conf.5.xml:2524
+ msgid ""
+ "The provider which should handle loading of selinux settings. Note that this "
+ "provider will be called right after access provider ends.  Supported selinux "
+@@ -2989,7 +2997,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2522
++#: sssd.conf.5.xml:2530
+ msgid ""
+ "<quote>ipa</quote> to load selinux settings from an IPA server. See "
+ "<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</"
+@@ -2997,31 +3005,31 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2530
++#: sssd.conf.5.xml:2538
+ msgid "<quote>none</quote> disallows fetching selinux settings explicitly."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2533
++#: sssd.conf.5.xml:2541
+ msgid ""
+ "Default: <quote>id_provider</quote> is used if it is set and can handle "
+ "selinux loading requests."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2539
++#: sssd.conf.5.xml:2547
+ msgid "subdomains_provider (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2542
++#: sssd.conf.5.xml:2550
+ msgid ""
+ "The provider which should handle fetching of subdomains. This value should "
+ "be always the same as id_provider.  Supported subdomain providers are:"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2548
++#: sssd.conf.5.xml:2556
+ msgid ""
+ "<quote>ipa</quote> to load a list of subdomains from an IPA server. See "
+ "<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</"
+@@ -3029,7 +3037,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2557
++#: sssd.conf.5.xml:2565
+ msgid ""
+ "<quote>ad</quote> to load a list of subdomains from an Active Directory "
+ "server. See <citerefentry> <refentrytitle>sssd-ad</refentrytitle> "
+@@ -3038,17 +3046,17 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2566
++#: sssd.conf.5.xml:2574
+ msgid "<quote>none</quote> disallows fetching subdomains explicitly."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2576
++#: sssd.conf.5.xml:2584
+ msgid "session_provider (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2579
++#: sssd.conf.5.xml:2587
+ msgid ""
+ "The provider which configures and manages user session related tasks. The "
+ "only user session task currently provided is the integration with Fleet "
+@@ -3056,43 +3064,43 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2586
++#: sssd.conf.5.xml:2594
+ msgid "<quote>ipa</quote> to allow performing user session related tasks."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2590
++#: sssd.conf.5.xml:2598
+ msgid ""
+ "<quote>none</quote> does not perform any kind of user session related tasks."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2594
++#: sssd.conf.5.xml:2602
+ msgid ""
+ "Default: <quote>id_provider</quote> is used if it is set and can perform "
+ "session related tasks."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2598
++#: sssd.conf.5.xml:2606
+ msgid ""
+ "<emphasis>NOTE:</emphasis> In order to have this feature working as expected "
+ "SSSD must be running as \"root\" and not as the unprivileged user."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2606
++#: sssd.conf.5.xml:2614
+ msgid "autofs_provider (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2609
++#: sssd.conf.5.xml:2617
+ msgid ""
+ "The autofs provider used for the domain.  Supported autofs providers are:"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2613
++#: sssd.conf.5.xml:2621
+ msgid ""
+ "<quote>ldap</quote> to load maps stored in LDAP. See <citerefentry> "
+ "<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
+@@ -3100,7 +3108,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2620
++#: sssd.conf.5.xml:2628
+ msgid ""
+ "<quote>ipa</quote> to load maps stored in an IPA server. See <citerefentry> "
+ "<refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</manvolnum> </"
+@@ -3108,7 +3116,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2628
++#: sssd.conf.5.xml:2636
+ msgid ""
+ "<quote>ad</quote> to load maps stored in an AD server. See <citerefentry> "
+ "<refentrytitle>sssd-ad</refentrytitle> <manvolnum>5</manvolnum> </"
+@@ -3116,24 +3124,24 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2637
++#: sssd.conf.5.xml:2645
+ msgid "<quote>none</quote> disables autofs explicitly."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2647
++#: sssd.conf.5.xml:2655
+ msgid "hostid_provider (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2650
++#: sssd.conf.5.xml:2658
+ msgid ""
+ "The provider used for retrieving host identity information.  Supported "
+ "hostid providers are:"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2654
++#: sssd.conf.5.xml:2662
+ msgid ""
+ "<quote>ipa</quote> to load host identity stored in an IPA server. See "
+ "<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</"
+@@ -3141,12 +3149,12 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2662
++#: sssd.conf.5.xml:2670
+ msgid "<quote>none</quote> disables hostid explicitly."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2675
++#: sssd.conf.5.xml:2683
+ msgid ""
+ "Regular expression for this domain that describes how to parse the string "
+ "containing user name and domain into these components.  The \"domain\" can "
+@@ -3156,7 +3164,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2684
++#: sssd.conf.5.xml:2692
+ msgid ""
+ "Default for the AD and IPA provider: <quote>(((?P&lt;domain&gt;[^\\\\]+)\\"
+ "\\(?P&lt;name&gt;.+$))|((?P&lt;name&gt;[^@]+)@(?P&lt;domain&gt;.+$))|(^(?"
+@@ -3165,29 +3173,29 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd.conf.5.xml:2689
++#: sssd.conf.5.xml:2697
+ msgid "username"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd.conf.5.xml:2692
++#: sssd.conf.5.xml:2700
+ msgid "username@domain.name"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd.conf.5.xml:2695
++#: sssd.conf.5.xml:2703
+ msgid "domain\\username"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2698
++#: sssd.conf.5.xml:2706
+ msgid ""
+ "While the first two correspond to the general default the third one is "
+ "introduced to allow easy integration of users from Windows domains."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2703
++#: sssd.conf.5.xml:2711
+ msgid ""
+ "Default: <quote>(?P&lt;name&gt;[^@]+)@?(?P&lt;domain&gt;[^@]*$)</quote> "
+ "which translates to \"the name is everything up to the <quote>@</quote> "
+@@ -3195,7 +3203,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2709
++#: sssd.conf.5.xml:2717
+ msgid ""
+ "NOTE: Some Active Directory groups, typically those used for MS Exchange "
+ "contain an <quote>@</quote> sign in the name, which clashes with the default "
+@@ -3205,59 +3213,59 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2760
++#: sssd.conf.5.xml:2768
+ msgid "Default: <quote>%1$s@%2$s</quote>."
+ msgstr "Default: <quote>%1$s@%2$s</quote>."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2766
++#: sssd.conf.5.xml:2774
+ msgid "lookup_family_order (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2769
++#: sssd.conf.5.xml:2777
+ msgid ""
+ "Provides the ability to select preferred address family to use when "
+ "performing DNS lookups."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2773
++#: sssd.conf.5.xml:2781
+ msgid "Supported values:"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2776
++#: sssd.conf.5.xml:2784
+ msgid "ipv4_first: Try looking up IPv4 address, if that fails, try IPv6"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2779
++#: sssd.conf.5.xml:2787
+ msgid "ipv4_only: Only attempt to resolve hostnames to IPv4 addresses."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2782
++#: sssd.conf.5.xml:2790
+ msgid "ipv6_first: Try looking up IPv6 address, if that fails, try IPv4"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2785
++#: sssd.conf.5.xml:2793
+ msgid "ipv6_only: Only attempt to resolve hostnames to IPv6 addresses."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2788
++#: sssd.conf.5.xml:2796
+ msgid "Default: ipv4_first"
+ msgstr "Default: ipv4_first"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2794
++#: sssd.conf.5.xml:2802
+ msgid "dns_resolver_timeout (integer)"
+ msgstr "dns_resolver_timeout (integer)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2797
++#: sssd.conf.5.xml:2805
+ msgid ""
+ "Defines the amount of time (in seconds) to wait for a reply from the "
+ "internal fail over service before assuming that the service is unreachable. "
+@@ -3266,77 +3274,77 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2804
++#: sssd.conf.5.xml:2812
+ msgid ""
+ "Please see the section <quote>FAILOVER</quote> for more information about "
+ "the service resolution."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2809 sssd-ldap.5.xml:1434 sssd-ldap.5.xml:1476
++#: sssd.conf.5.xml:2817 sssd-ldap.5.xml:1434 sssd-ldap.5.xml:1476
+ #: sssd-ldap.5.xml:1494 sssd-krb5.5.xml:248
+ msgid "Default: 6"
+ msgstr "Padrão: 6"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2815
++#: sssd.conf.5.xml:2823
+ msgid "dns_discovery_domain (string)"
+ msgstr "dns_discovery_domain (string)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2818
++#: sssd.conf.5.xml:2826
+ msgid ""
+ "If service discovery is used in the back end, specifies the domain part of "
+ "the service discovery DNS query."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2822
++#: sssd.conf.5.xml:2830
+ msgid "Default: Use the domain part of machine's hostname"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2828
++#: sssd.conf.5.xml:2836
+ msgid "override_gid (integer)"
+ msgstr "override_gid (integer)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2831
++#: sssd.conf.5.xml:2839
+ msgid "Override the primary GID value with the one specified."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2837
++#: sssd.conf.5.xml:2845
+ msgid "case_sensitive (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2845
++#: sssd.conf.5.xml:2853
+ msgid "True"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2848
++#: sssd.conf.5.xml:2856
+ msgid "Case sensitive. This value is invalid for AD provider."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2854
++#: sssd.conf.5.xml:2862
+ msgid "False"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2856
++#: sssd.conf.5.xml:2864
+ msgid "Case insensitive."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2860
++#: sssd.conf.5.xml:2868
+ msgid "Preserving"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2863
++#: sssd.conf.5.xml:2871
+ msgid ""
+ "Same as False (case insensitive), but does not lowercase names in the result "
+ "of NSS operations. Note that name aliases (and in case of services also "
+@@ -3344,7 +3352,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2840
++#: sssd.conf.5.xml:2848
+ msgid ""
+ "Treat user and group names as case sensitive. At the moment, this option is "
+ "not supported in the local provider. Possible option values are: "
+@@ -3352,17 +3360,17 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2875
++#: sssd.conf.5.xml:2883
+ msgid "Default: True (False for AD provider)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2881
++#: sssd.conf.5.xml:2889
+ msgid "subdomain_inherit (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2884
++#: sssd.conf.5.xml:2892
+ msgid ""
+ "Specifies a list of configuration parameters that should be inherited by a "
+ "subdomain. Please note that only selected parameters can be inherited.  "
+@@ -3370,34 +3378,34 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2890
++#: sssd.conf.5.xml:2898
+ msgid "ignore_group_members"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2893
++#: sssd.conf.5.xml:2901
+ msgid "ldap_purge_cache_timeout"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2896 sssd-ldap.5.xml:1158
++#: sssd.conf.5.xml:2904 sssd-ldap.5.xml:1158
+ msgid "ldap_use_tokengroups"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2899
++#: sssd.conf.5.xml:2907
+ msgid "ldap_user_principal"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2902
++#: sssd.conf.5.xml:2910
+ msgid ""
+ "ldap_krb5_keytab (the value of krb5_keytab will be used if ldap_krb5_keytab "
+ "is not set explicitly)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
+-#: sssd.conf.5.xml:2908
++#: sssd.conf.5.xml:2916
+ #, no-wrap
+ msgid ""
+ "subdomain_inherit = ldap_purge_cache_timeout\n"
+@@ -3405,32 +3413,32 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2906 sssd-secrets.5.xml:448
++#: sssd.conf.5.xml:2914 sssd-secrets.5.xml:448
+ msgid "Example: <placeholder type=\"programlisting\" id=\"0\"/>"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2915
++#: sssd.conf.5.xml:2923
+ msgid "Note: This option only works with the IPA and AD provider."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2922
++#: sssd.conf.5.xml:2930
+ msgid "subdomain_homedir (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2933
++#: sssd.conf.5.xml:2941
+ msgid "%F"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2934
++#: sssd.conf.5.xml:2942
+ msgid "flat (NetBIOS) name of a subdomain."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2925
++#: sssd.conf.5.xml:2933
+ msgid ""
+ "Use this homedir as default value for all subdomains within this domain in "
+ "IPA AD trust.  See <emphasis>override_homedir</emphasis> for info about "
+@@ -3440,47 +3448,55 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2939
++#: sssd.conf.5.xml:2947
+ msgid ""
+ "The value can be overridden by <emphasis>override_homedir</emphasis> option."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2943
++#: sssd.conf.5.xml:2951
+ msgid "Default: <filename>/home/%d/%u</filename>"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2948
++#: sssd.conf.5.xml:2956
+ msgid "realmd_tags (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2951
++#: sssd.conf.5.xml:2959
+ msgid ""
+ "Various tags stored by the realmd configuration service for this domain."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2957
++#: sssd.conf.5.xml:2965
+ msgid "cached_auth_timeout (int)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2960
++#: sssd.conf.5.xml:2968
+ msgid ""
+ "Specifies time in seconds since last successful online authentication for "
+ "which user will be authenticated using cached credentials while SSSD is in "
+-"the online mode."
++"the online mode. If the credentials are incorrect, SSSD falls back to online "
++"authentication."
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
++#: sssd.conf.5.xml:2976
++msgid ""
++"This option's value is inherited by all trusted domains. At the moment it is "
++"not possible to set a different value per trusted domain."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2966
++#: sssd.conf.5.xml:2981
+ msgid "Special value 0 implies that this feature is disabled."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2970
++#: sssd.conf.5.xml:2985
+ msgid ""
+ "Please note that if <quote>cached_auth_timeout</quote> is longer than "
+ "<quote>pam_id_timeout</quote> then the back end could be called to handle "
+@@ -3488,41 +3504,50 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2981
++#: sssd.conf.5.xml:2996
+ msgid "auto_private_groups (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2987
++#: sssd.conf.5.xml:3002
+ msgid "true"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2990
++#: sssd.conf.5.xml:3005
+ msgid ""
+ "Create user's private group unconditionally from user's UID number.  The GID "
+ "number is ignored in this case."
+ msgstr ""
+ 
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
++#: sssd.conf.5.xml:3009
++msgid ""
++"NOTE: Because the GID number and the user private group are inferred from "
++"the UID number, it is not supported to have multiple entries with the same "
++"UID or GID number with this option. In other words, enabling this option "
++"enforces uniqueness across the ID space."
++msgstr ""
++
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2996
++#: sssd.conf.5.xml:3018
+ msgid "false"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2999
++#: sssd.conf.5.xml:3021
+ msgid ""
+ "Always use the user's primary GID number. The GID number must refer to a "
+ "group object in the LDAP database."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:3005
++#: sssd.conf.5.xml:3027
+ msgid "hybrid"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3008
++#: sssd.conf.5.xml:3030
+ msgid ""
+ "A primary group is autogenerated for user entries whose UID and GID numbers "
+ "have the same value and at the same time the GID number does not correspond "
+@@ -3532,14 +3557,14 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3021
++#: sssd.conf.5.xml:3043
+ msgid ""
+ "If the UID and GID of a user are different, then the GID must correspond to "
+ "a group entry, otherwise the GID is simply not resolvable."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3028
++#: sssd.conf.5.xml:3050
+ msgid ""
+ "This feature is useful for environments that wish to stop maintaining a "
+ "separate group objects for the user private groups, but also wish to retain "
+@@ -3547,34 +3572,43 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2984
++#: sssd.conf.5.xml:2999
+ msgid ""
+ "This option takes any of three available values: <placeholder type="
+ "\"variablelist\" id=\"0\"/>"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3040
++#: sssd.conf.5.xml:3062
+ msgid ""
+-"For POSIX subdomains, setting the option in the main domain is inherited in "
+-"the subdomain."
++"For subdomains, the default value is False for subdomains that use assigned "
++"POSIX IDs and True for subdomains that use automatic ID-mapping."
+ msgstr ""
+ 
+-#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3044
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
++#: sssd.conf.5.xml:3070
++#, no-wrap
++msgid ""
++"[domain/forest.domain/sub.domain]\n"
++"auto_private_groups = false\n"
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
++#: sssd.conf.5.xml:3076
++#, no-wrap
+ msgid ""
+-"For ID-mapping subdomains, auto_private_groups is already enabled for the "
+-"subdomains and setting it to false will not have any effect for the "
+-"subdomain."
++"[domain/forest.domain]\n"
++"subdomain_inherit = auto_private_groups\n"
++"auto_private_groups = false\n"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3049
++#: sssd.conf.5.xml:3067
+ msgid ""
+-"NOTE: Because the GID number and the user private group are inferred from "
+-"the UID number, it is not supported to have multiple entries with the same "
+-"UID or GID number with this option. In other words, enabling this option "
+-"enforces uniqueness across the ID space."
++"The value of auto_private_groups can either be set per subdomains in a "
++"subsection, for example: <placeholder type=\"programlisting\" id=\"0\"/> or "
++"globally for all subdomains in the main domain section using the "
++"subdomain_inherit option: <placeholder type=\"programlisting\" id=\"1\"/>"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+@@ -3586,29 +3620,29 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:3068
++#: sssd.conf.5.xml:3091
+ msgid "proxy_pam_target (string)"
+ msgstr "proxy_pam_target (string)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3071
++#: sssd.conf.5.xml:3094
+ msgid "The proxy target PAM proxies to."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3074
++#: sssd.conf.5.xml:3097
+ msgid ""
+ "Default: not set by default, you have to take an existing pam configuration "
+ "or create a new one and add the service name here."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:3082
++#: sssd.conf.5.xml:3105
+ msgid "proxy_lib_name (string)"
+ msgstr "proxy_lib_name (string)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3085
++#: sssd.conf.5.xml:3108
+ msgid ""
+ "The name of the NSS library to use in proxy domains. The NSS functions "
+ "searched for in the library are in the form of _nss_$(libName)_$(function), "
+@@ -3616,12 +3650,12 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:3095
++#: sssd.conf.5.xml:3118
+ msgid "proxy_fast_alias (boolean)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3098
++#: sssd.conf.5.xml:3121
+ msgid ""
+ "When a user or group is looked up by name in the proxy provider, a second "
+ "lookup by ID is performed to \"canonicalize\" the name in case the requested "
+@@ -3630,12 +3664,12 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:3112
++#: sssd.conf.5.xml:3135
+ msgid "proxy_max_children (integer)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3115
++#: sssd.conf.5.xml:3138
+ msgid ""
+ "This option specifies the number of pre-forked proxy children. It is useful "
+ "for high-load SSSD environments where sssd may run out of available child "
+@@ -3643,19 +3677,19 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd.conf.5.xml:3064
++#: sssd.conf.5.xml:3087
+ msgid ""
+ "Options valid for proxy domains.  <placeholder type=\"variablelist\" id="
+ "\"0\"/>"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><title>
+-#: sssd.conf.5.xml:3131
++#: sssd.conf.5.xml:3154
+ msgid "Application domains"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para>
+-#: sssd.conf.5.xml:3133
++#: sssd.conf.5.xml:3156
+ msgid ""
+ "SSSD, with its D-Bus interface (see <citerefentry> <refentrytitle>sssd-ifp</"
+ "refentrytitle> <manvolnum>5</manvolnum> </citerefentry>) is appealing to "
+@@ -3672,7 +3706,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para>
+-#: sssd.conf.5.xml:3153
++#: sssd.conf.5.xml:3176
+ msgid ""
+ "Please note that the application domain must still be explicitly enabled in "
+ "the <quote>domains</quote> parameter so that the lookup order between the "
+@@ -3680,17 +3714,17 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><title>
+-#: sssd.conf.5.xml:3159
++#: sssd.conf.5.xml:3182
+ msgid "Application domain parameters"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:3161
++#: sssd.conf.5.xml:3184
+ msgid "inherit_from (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3164
++#: sssd.conf.5.xml:3187
+ msgid ""
+ "The SSSD POSIX-type domain the application domain inherits all settings "
+ "from. The application domain can moreover add its own settings to the "
+@@ -3699,7 +3733,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para>
+-#: sssd.conf.5.xml:3178
++#: sssd.conf.5.xml:3201
+ msgid ""
+ "The following example illustrates the use of an application domain. In this "
+ "setup, the POSIX domain is connected to an LDAP server and is used by the OS "
+@@ -3709,7 +3743,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><programlisting>
+-#: sssd.conf.5.xml:3186
++#: sssd.conf.5.xml:3209
+ #, no-wrap
+ msgid ""
+ "[sssd]\n"
+@@ -3729,12 +3763,12 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><title>
+-#: sssd.conf.5.xml:3204
++#: sssd.conf.5.xml:3227
+ msgid "The local domain section"
+ msgstr "A secção de domínio local"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para>
+-#: sssd.conf.5.xml:3206
++#: sssd.conf.5.xml:3229
+ msgid ""
+ "This section contains settings for domain that stores users and groups in "
+ "SSSD native database, that is, a domain that uses "
+@@ -3742,73 +3776,73 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:3213
++#: sssd.conf.5.xml:3236
+ msgid "default_shell (string)"
+ msgstr "default_shell (string)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3216
++#: sssd.conf.5.xml:3239
+ msgid "The default shell for users created with SSSD userspace tools."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3220
++#: sssd.conf.5.xml:3243
+ msgid "Default: <filename>/bin/bash</filename>"
+ msgstr "Padrão: <filename>bash/bin/bash</filename>"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:3225
++#: sssd.conf.5.xml:3248
+ msgid "base_directory (string)"
+ msgstr "base_directory (string)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3228
++#: sssd.conf.5.xml:3251
+ msgid ""
+ "The tools append the login name to <replaceable>base_directory</replaceable> "
+ "and use that as the home directory."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3233
++#: sssd.conf.5.xml:3256
+ msgid "Default: <filename>/home</filename>"
+ msgstr "Padrão: <filename>/ home</filename>"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:3238
++#: sssd.conf.5.xml:3261
+ msgid "create_homedir (bool)"
+ msgstr "create_homedir (bool)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3241
++#: sssd.conf.5.xml:3264
+ msgid ""
+ "Indicate if a home directory should be created by default for new users.  "
+ "Can be overridden on command line."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3245 sssd.conf.5.xml:3257
++#: sssd.conf.5.xml:3268 sssd.conf.5.xml:3280
+ msgid "Default: TRUE"
+ msgstr "Padrão: TRUE"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:3250
++#: sssd.conf.5.xml:3273
+ msgid "remove_homedir (bool)"
+ msgstr "remove_homedir (bool)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3253
++#: sssd.conf.5.xml:3276
+ msgid ""
+ "Indicate if a home directory should be removed by default for deleted "
+ "users.  Can be overridden on command line."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:3262
++#: sssd.conf.5.xml:3285
+ msgid "homedir_umask (integer)"
+ msgstr "homedir_umask (integer)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3265
++#: sssd.conf.5.xml:3288
+ msgid ""
+ "Used by <citerefentry> <refentrytitle>sss_useradd</refentrytitle> "
+ "<manvolnum>8</manvolnum> </citerefentry> to specify the default permissions "
+@@ -3816,17 +3850,17 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3273
++#: sssd.conf.5.xml:3296
+ msgid "Default: 077"
+ msgstr "Padrão: 077"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:3278
++#: sssd.conf.5.xml:3301
+ msgid "skel_dir (string)"
+ msgstr "skel_dir (string)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3281
++#: sssd.conf.5.xml:3304
+ msgid ""
+ "The skeleton directory, which contains files and directories to be copied in "
+ "the user's home directory, when the home directory is created by "
+@@ -3835,17 +3869,17 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3291
++#: sssd.conf.5.xml:3314
+ msgid "Default: <filename>/etc/skel</filename>"
+ msgstr "Padrão: <filename>skel/etc/skel</filename>"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:3296
++#: sssd.conf.5.xml:3319
+ msgid "mail_dir (string)"
+ msgstr "mail_dir (string)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3299
++#: sssd.conf.5.xml:3322
+ msgid ""
+ "The mail spool directory. This is needed to manipulate the mailbox when its "
+ "corresponding user account is modified or deleted.  If not specified, a "
+@@ -3853,17 +3887,17 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3306
++#: sssd.conf.5.xml:3329
+ msgid "Default: <filename>/var/mail</filename>"
+ msgstr "Padrão: <filename>mail/var/mail</filename>"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:3311
++#: sssd.conf.5.xml:3334
+ msgid "userdel_cmd (string)"
+ msgstr "userdel_cmd (string)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3314
++#: sssd.conf.5.xml:3337
+ msgid ""
+ "The command that is run after a user is removed.  The command us passed the "
+ "username of the user being removed as the first and only parameter. The "
+@@ -3871,17 +3905,17 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3320
++#: sssd.conf.5.xml:3343
+ msgid "Default: None, no command is run"
+ msgstr "Padrão: None, nenhum comando é executado"
+ 
+ #. type: Content of: <reference><refentry><refsect1><title>
+-#: sssd.conf.5.xml:3330
++#: sssd.conf.5.xml:3353
+ msgid "TRUSTED DOMAIN SECTION"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd.conf.5.xml:3332
++#: sssd.conf.5.xml:3355
+ msgid ""
+ "Some options used in the domain section can also be used in the trusted "
+ "domain section, that is, in a section called <quote>[domain/"
+@@ -3892,64 +3926,180 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd.conf.5.xml:3339
++#: sssd.conf.5.xml:3362
+ msgid "ldap_search_base,"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd.conf.5.xml:3340
++#: sssd.conf.5.xml:3363
+ msgid "ldap_user_search_base,"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd.conf.5.xml:3341
++#: sssd.conf.5.xml:3364
+ msgid "ldap_group_search_base,"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd.conf.5.xml:3342
++#: sssd.conf.5.xml:3365
+ msgid "ldap_netgroup_search_base,"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd.conf.5.xml:3343
++#: sssd.conf.5.xml:3366
+ msgid "ldap_service_search_base,"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd.conf.5.xml:3344
++#: sssd.conf.5.xml:3367
++#, fuzzy
++#| msgid "ldap_sasl_mech (string)"
++msgid "ldap_sasl_mech,"
++msgstr "ldap_sasl_mech (string)"
++
++#. type: Content of: <reference><refentry><refsect1><para>
++#: sssd.conf.5.xml:3368
+ msgid "ad_server,"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd.conf.5.xml:3345
++#: sssd.conf.5.xml:3369
+ msgid "ad_backup_server,"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd.conf.5.xml:3346
++#: sssd.conf.5.xml:3370
+ msgid "ad_site,"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para>
+-#: sssd.conf.5.xml:3347 sssd-ipa.5.xml:782
++#: sssd.conf.5.xml:3371 sssd-ipa.5.xml:782
+ msgid "use_fully_qualified_names"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd.conf.5.xml:3349
++#: sssd.conf.5.xml:3373
+ msgid ""
+ "For more details about these options see their individual description in the "
+ "manual page."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><title>
+-#: sssd.conf.5.xml:3355 idmap_sss.8.xml:43
++#: sssd.conf.5.xml:3379
++#, fuzzy
++#| msgid "CONFIGURATION OPTIONS"
++msgid "PROMPTING CONFIGURATION SECTION"
++msgstr "OPÇÕES DE CONFIGURAÇÃO"
++
++#. type: Content of: <reference><refentry><refsect1><para>
++#: sssd.conf.5.xml:3381
++msgid ""
++"If a special file (<filename>/var/lib/sss/pubconf/pam_preauth_available</"
++"filename>)  exists SSSD's PAM module pam_sss will ask SSSD to figure out "
++"which authentication methods are available for the user trying to log in.  "
++"Based on the results pam_sss will prompt the user for appropriate "
++"credentials."
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para>
++#: sssd.conf.5.xml:3389
++msgid ""
++"With the growing number of authentication methods and the possibility that "
++"there are multiple ones for a single user the heuristic used by pam_sss to "
++"select the prompting might not be suitable for all use cases. To following "
++"options should provide a better flexibility here."
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
++#: sssd.conf.5.xml:3401
++msgid "[prompting/password]"
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
++#: sssd.conf.5.xml:3404
++msgid "password_prompt"
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
++#: sssd.conf.5.xml:3405
++msgid "to change the string of the password prompt"
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
++#: sssd.conf.5.xml:3403
++msgid ""
++"to configure password prompting, allowed options are: <placeholder type="
++"\"variablelist\" id=\"0\"/>"
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
++#: sssd.conf.5.xml:3413
++msgid "[prompting/2fa]"
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
++#: sssd.conf.5.xml:3417
++msgid "first_prompt"
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
++#: sssd.conf.5.xml:3418
++msgid "to change the string of the prompt for the first factor"
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
++#: sssd.conf.5.xml:3421
++msgid "second_prompt"
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
++#: sssd.conf.5.xml:3422
++msgid "to change the string of the prompt for the second factor"
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
++#: sssd.conf.5.xml:3425
++msgid "single_prompt"
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
++#: sssd.conf.5.xml:3426
++msgid ""
++"boolean value, if True there will be only a single prompt using the value of "
++"first_prompt where it is expected that both factor are entered as a single "
++"string"
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
++#: sssd.conf.5.xml:3415
++msgid ""
++"to configure two-factor authentication prompting, allowed options are: "
++"<placeholder type=\"variablelist\" id=\"0\"/>"
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para>
++#: sssd.conf.5.xml:3396
++msgid ""
++"Each supported authentication method has it's own configuration sub-section "
++"under <quote>[prompting/...]</quote>. Currently there are: <placeholder type="
++"\"variablelist\" id=\"0\"/> <placeholder type=\"variablelist\" id=\"1\"/>"
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para>
++#: sssd.conf.5.xml:3438
++msgid ""
++"It is possible to add a sub-section for specific PAM services like e.g. "
++"<quote>[prompting/password/sshd]</quote> to individual change the prompting "
++"for this service."
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><title>
++#: sssd.conf.5.xml:3445 idmap_sss.8.xml:43
+ msgid "EXAMPLES"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><programlisting>
+-#: sssd.conf.5.xml:3361
++#: sssd.conf.5.xml:3451
+ #, no-wrap
+ msgid ""
+ "[sssd]\n"
+@@ -4003,7 +4153,7 @@ msgstr ""
+ "enumerate = False\n"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd.conf.5.xml:3357
++#: sssd.conf.5.xml:3447
+ msgid ""
+ "1. The following example shows a typical SSSD config. It does not describe "
+ "configuration of the domains themselves - refer to documentation on "
+@@ -4012,7 +4162,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><programlisting>
+-#: sssd.conf.5.xml:3394
++#: sssd.conf.5.xml:3484
+ #, no-wrap
+ msgid ""
+ "[domain/ipa.com/child.ad.com]\n"
+@@ -4020,7 +4170,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd.conf.5.xml:3388
++#: sssd.conf.5.xml:3478
+ msgid ""
+ "2. The following example shows configuration of IPA AD trust where the AD "
+ "forest consists of two domains in a parent-child structure.  Suppose IPA "
+@@ -4927,7 +5077,7 @@ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:797 sssd-ldap.5.xml:1199 sssd-ldap.5.xml:1273
+-#: sssd-ldap.5.xml:1382 sssd-ldap.5.xml:2443 sssd-ipa.5.xml:607
++#: sssd-ldap.5.xml:1382 sssd-ldap.5.xml:2463 sssd-ipa.5.xml:607
+ msgid "Default: cn"
+ msgstr "Padrão: NC"
+ 
+@@ -5632,7 +5782,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1511 sssd-ldap.5.xml:2600
++#: sssd-ldap.5.xml:1511 sssd-ldap.5.xml:2620
+ msgid "Default: 900 (15 minutes)"
+ msgstr ""
+ 
+@@ -5735,11 +5885,16 @@ msgstr ""
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:1604
+ msgid ""
+-"You can turn off dereference lookups completely by setting the value to 0."
++"You can turn off dereference lookups completely by setting the value to 0. "
++"Please note that there are some codepaths in SSSD, like the IPA HBAC "
++"provider, that are only implemented using the dereference call, so even with "
++"dereference explicitly disabled, those parts will still use dereference if "
++"the server supports it and advertises the dereference control in the rootDSE "
++"object."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1608
++#: sssd-ldap.5.xml:1615
+ msgid ""
+ "A dereference lookup is a means of fetching all group members in a single "
+ "LDAP call.  Different LDAP servers may implement different dereference "
+@@ -5748,7 +5903,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1616
++#: sssd-ldap.5.xml:1623
+ msgid ""
+ "<emphasis>Note:</emphasis> If any of the search bases specifies a search "
+ "filter, then the dereference lookup performance enhancement will be disabled "
+@@ -5756,19 +5911,19 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1629
++#: sssd-ldap.5.xml:1636
+ msgid "ldap_tls_reqcert (string)"
+ msgstr "ldap_tls_reqcert (string)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1632
++#: sssd-ldap.5.xml:1639
+ msgid ""
+ "Specifies what checks to perform on server certificates in a TLS session, if "
+ "any. It can be specified as one of the following values:"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1638
++#: sssd-ldap.5.xml:1645
+ msgid ""
+ "<emphasis>never</emphasis> = The client will not request or check any server "
+ "certificate."
+@@ -5777,7 +5932,7 @@ msgstr ""
+ "qualquer certificado de servidor."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1642
++#: sssd-ldap.5.xml:1649
+ msgid ""
+ "<emphasis>allow</emphasis> = The server certificate is requested. If no "
+ "certificate is provided, the session proceeds normally. If a bad certificate "
+@@ -5785,7 +5940,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1649
++#: sssd-ldap.5.xml:1656
+ msgid ""
+ "<emphasis>try</emphasis> = The server certificate is requested. If no "
+ "certificate is provided, the session proceeds normally. If a bad certificate "
+@@ -5793,7 +5948,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1655
++#: sssd-ldap.5.xml:1662
+ msgid ""
+ "<emphasis>demand</emphasis> = The server certificate is requested. If no "
+ "certificate is provided, or a bad certificate is provided, the session is "
+@@ -5801,41 +5956,41 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1661
++#: sssd-ldap.5.xml:1668
+ msgid "<emphasis>hard</emphasis> = Same as <quote>demand</quote>"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1665
++#: sssd-ldap.5.xml:1672
+ msgid "Default: hard"
+ msgstr "Padrão: hard"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1671
++#: sssd-ldap.5.xml:1678
+ msgid "ldap_tls_cacert (string)"
+ msgstr "ldap_tls_cacert (string)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1674
++#: sssd-ldap.5.xml:1681
+ msgid ""
+ "Specifies the file that contains certificates for all of the Certificate "
+ "Authorities that <command>sssd</command> will recognize."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1679 sssd-ldap.5.xml:1697 sssd-ldap.5.xml:1738
++#: sssd-ldap.5.xml:1686 sssd-ldap.5.xml:1704 sssd-ldap.5.xml:1745
+ msgid ""
+ "Default: use OpenLDAP defaults, typically in <filename>/etc/openldap/ldap."
+ "conf</filename>"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1686
++#: sssd-ldap.5.xml:1693
+ msgid "ldap_tls_cacertdir (string)"
+ msgstr "ldap_tls_cacertdir (string)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1689
++#: sssd-ldap.5.xml:1696
+ msgid ""
+ "Specifies the path of a directory that contains Certificate Authority "
+ "certificates in separate individual files. Typically the file names need to "
+@@ -5844,32 +5999,32 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1704
++#: sssd-ldap.5.xml:1711
+ msgid "ldap_tls_cert (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1707
++#: sssd-ldap.5.xml:1714
+ msgid "Specifies the file that contains the certificate for the client's key."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1717
++#: sssd-ldap.5.xml:1724
+ msgid "ldap_tls_key (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1720
++#: sssd-ldap.5.xml:1727
+ msgid "Specifies the file that contains the client's key."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1729
++#: sssd-ldap.5.xml:1736
+ msgid "ldap_tls_cipher_suite (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1732
++#: sssd-ldap.5.xml:1739
+ msgid ""
+ "Specifies acceptable cipher suites.  Typically this is a colon separated "
+ "list.  See <citerefentry><refentrytitle>ldap.conf</refentrytitle> "
+@@ -5877,24 +6032,24 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1745
++#: sssd-ldap.5.xml:1752
+ msgid "ldap_id_use_start_tls (boolean)"
+ msgstr "ldap_id_use_start_tls (boolean)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1748
++#: sssd-ldap.5.xml:1755
+ msgid ""
+ "Specifies that the id_provider connection must also use <systemitem class="
+ "\"protocol\">tls</systemitem> to protect the channel."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1758
++#: sssd-ldap.5.xml:1765
+ msgid "ldap_id_mapping (boolean)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1761
++#: sssd-ldap.5.xml:1768
+ msgid ""
+ "Specifies that SSSD should attempt to map user and group IDs from the "
+ "ldap_user_objectsid and ldap_group_objectsid attributes instead of relying "
+@@ -5902,17 +6057,17 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1767
++#: sssd-ldap.5.xml:1774
+ msgid "Currently this feature supports only ActiveDirectory objectSID mapping."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1777
++#: sssd-ldap.5.xml:1784
+ msgid "ldap_min_id, ldap_max_id (integer)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1780
++#: sssd-ldap.5.xml:1787
+ msgid ""
+ "In contrast to the SID based ID mapping which is used if ldap_id_mapping is "
+ "set to true the allowed ID range for ldap_user_uid_number and "
+@@ -5923,29 +6078,40 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1792
++#: sssd-ldap.5.xml:1799
+ msgid "Default: not set (both options are set to 0)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1798
++#: sssd-ldap.5.xml:1805
+ msgid "ldap_sasl_mech (string)"
+ msgstr "ldap_sasl_mech (string)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1801
++#: sssd-ldap.5.xml:1808
++msgid ""
++"Specify the SASL mechanism to use.  Currently only GSSAPI and GSS-SPNEGO are "
++"tested and supported."
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
++#: sssd-ldap.5.xml:1812
+ msgid ""
+-"Specify the SASL mechanism to use.  Currently only GSSAPI is tested and "
+-"supported."
++"If the backend supports sub-domains the value of ldap_sasl_mech is "
++"automatically inherited to the sub-domains. If a different value is needed "
++"for a sub-domain it can be overwritten by setting ldap_sasl_mech for this "
++"sub-domain explicitly.  Please see TRUSTED DOMAIN SECTION in "
++"<citerefentry><refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</"
++"manvolnum></citerefentry> for details."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1811
++#: sssd-ldap.5.xml:1828
+ msgid "ldap_sasl_authid (string)"
+ msgstr "ldap_sasl_authid (string)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
+-#: sssd-ldap.5.xml:1822
++#: sssd-ldap.5.xml:1840
+ #, no-wrap
+ msgid ""
+ "hostname@REALM\n"
+@@ -5958,29 +6124,29 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1814
++#: sssd-ldap.5.xml:1831
+ msgid ""
+-"Specify the SASL authorization id to use.  When GSSAPI is used, this "
+-"represents the Kerberos principal used for authentication to the directory.  "
+-"This option can either contain the full principal (for example host/"
+-"myhost@EXAMPLE.COM) or just the principal name (for example host/myhost). By "
+-"default, the value is not set and the following principals are used: "
+-"<placeholder type=\"programlisting\" id=\"0\"/> If none of them are found, "
+-"the first principal in keytab is returned."
++"Specify the SASL authorization id to use.  When GSSAPI/GSS-SPNEGO are used, "
++"this represents the Kerberos principal used for authentication to the "
++"directory.  This option can either contain the full principal (for example "
++"host/myhost@EXAMPLE.COM) or just the principal name (for example host/"
++"myhost).  By default, the value is not set and the following principals are "
++"used: <placeholder type=\"programlisting\" id=\"0\"/> If none of them are "
++"found, the first principal in keytab is returned."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1833
++#: sssd-ldap.5.xml:1851
+ msgid "Default: host/hostname@REALM"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1839
++#: sssd-ldap.5.xml:1857
+ msgid "ldap_sasl_realm (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1842
++#: sssd-ldap.5.xml:1860
+ msgid ""
+ "Specify the SASL realm to use. When not specified, this option defaults to "
+ "the value of krb5_realm.  If the ldap_sasl_authid contains the realm as "
+@@ -5988,78 +6154,79 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1848
++#: sssd-ldap.5.xml:1866
+ msgid "Default: the value of krb5_realm."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1854
++#: sssd-ldap.5.xml:1872
+ msgid "ldap_sasl_canonicalize (boolean)"
+ msgstr "ldap_sasl_canonicalize (boolean)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1857
++#: sssd-ldap.5.xml:1875
+ msgid ""
+ "If set to true, the LDAP library would perform a reverse lookup to "
+ "canonicalize the host name during a SASL bind."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1862
++#: sssd-ldap.5.xml:1880
+ msgid "Default: false;"
+ msgstr "Padrão: false;"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1868
++#: sssd-ldap.5.xml:1886
+ msgid "ldap_krb5_keytab (string)"
+ msgstr "ldap_krb5_keytab (string)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1871
+-msgid "Specify the keytab to use when using SASL/GSSAPI."
++#: sssd-ldap.5.xml:1889
++msgid "Specify the keytab to use when using SASL/GSSAPI/GSS-SPNEGO."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1874
++#: sssd-ldap.5.xml:1893
+ msgid "Default: System keytab, normally <filename>/etc/krb5.keytab</filename>"
+ msgstr ""
+ "Padrão: Sistema keytab, normalmente <filename>/etc/krb5.keytab</filename>"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1880
++#: sssd-ldap.5.xml:1899
+ msgid "ldap_krb5_init_creds (boolean)"
+ msgstr "ldap_krb5_init_creds (boolean)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1883
++#: sssd-ldap.5.xml:1902
+ msgid ""
+ "Specifies that the id_provider should init Kerberos credentials (TGT).  This "
+ "action is performed only if SASL is used and the mechanism selected is "
+-"GSSAPI."
++"GSSAPI or GSS-SPNEGO."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1895
++#: sssd-ldap.5.xml:1914
+ msgid "ldap_krb5_ticket_lifetime (integer)"
+ msgstr "ldap_krb5_ticket_lifetime (integer)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1898
+-msgid "Specifies the lifetime in seconds of the TGT if GSSAPI is used."
++#: sssd-ldap.5.xml:1917
++msgid ""
++"Specifies the lifetime in seconds of the TGT if GSSAPI or GSS-SPNEGO is used."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1902 sssd-ad.5.xml:959
++#: sssd-ldap.5.xml:1921 sssd-ad.5.xml:978
+ msgid "Default: 86400 (24 hours)"
+ msgstr "Padrão: 86400 (24 horas)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1908 sssd-krb5.5.xml:74
++#: sssd-ldap.5.xml:1927 sssd-krb5.5.xml:74
+ msgid "krb5_server, krb5_backup_server (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1911
++#: sssd-ldap.5.xml:1930
+ msgid ""
+ "Specifies the comma-separated list of IP addresses or hostnames of the "
+ "Kerberos servers to which SSSD should connect in the order of preference. "
+@@ -6071,7 +6238,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1923 sssd-krb5.5.xml:89
++#: sssd-ldap.5.xml:1942 sssd-krb5.5.xml:89
+ msgid ""
+ "When using service discovery for KDC or kpasswd servers, SSSD first searches "
+ "for DNS entries that specify _udp as the protocol and falls back to _tcp if "
+@@ -6079,7 +6246,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1928 sssd-krb5.5.xml:94
++#: sssd-ldap.5.xml:1947 sssd-krb5.5.xml:94
+ msgid ""
+ "This option was named <quote>krb5_kdcip</quote> in earlier releases of SSSD. "
+ "While the legacy name is recognized for the time being, users are advised to "
+@@ -6087,39 +6254,39 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1937 sssd-ipa.5.xml:428 sssd-krb5.5.xml:103
++#: sssd-ldap.5.xml:1956 sssd-ipa.5.xml:428 sssd-krb5.5.xml:103
+ msgid "krb5_realm (string)"
+ msgstr "krb5_realm (string)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1940
+-msgid "Specify the Kerberos REALM (for SASL/GSSAPI auth)."
++#: sssd-ldap.5.xml:1959
++msgid "Specify the Kerberos REALM (for SASL/GSSAPI/GSS-SPNEGO auth)."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1943
++#: sssd-ldap.5.xml:1963
+ msgid "Default: System defaults, see <filename>/etc/krb5.conf</filename>"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1949 sssd-krb5.5.xml:462
++#: sssd-ldap.5.xml:1969 sssd-krb5.5.xml:462
+ msgid "krb5_canonicalize (boolean)"
+ msgstr "krb5_canonicalize (boolean)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1952
++#: sssd-ldap.5.xml:1972
+ msgid ""
+ "Specifies if the host principal should be canonicalized when connecting to "
+ "LDAP server. This feature is available with MIT Kerberos >= 1.7"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1964 sssd-krb5.5.xml:477
++#: sssd-ldap.5.xml:1984 sssd-krb5.5.xml:477
+ msgid "krb5_use_kdcinfo (boolean)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1967 sssd-krb5.5.xml:480
++#: sssd-ldap.5.xml:1987 sssd-krb5.5.xml:480
+ msgid ""
+ "Specifies if the SSSD should instruct the Kerberos libraries what realm and "
+ "which KDCs to use. This option is on by default, if you disable it, you need "
+@@ -6129,7 +6296,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1978 sssd-krb5.5.xml:491
++#: sssd-ldap.5.xml:1998 sssd-krb5.5.xml:491
+ msgid ""
+ "See the <citerefentry> <refentrytitle>sssd_krb5_locator_plugin</"
+ "refentrytitle> <manvolnum>8</manvolnum> </citerefentry> manual page for more "
+@@ -6137,26 +6304,26 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1992
++#: sssd-ldap.5.xml:2012
+ msgid "ldap_pwd_policy (string)"
+ msgstr "ldap_pwd_policy (string)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1995
++#: sssd-ldap.5.xml:2015
+ msgid ""
+ "Select the policy to evaluate the password expiration on the client side. "
+ "The following values are allowed:"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2000
++#: sssd-ldap.5.xml:2020
+ msgid ""
+ "<emphasis>none</emphasis> - No evaluation on the client side. This option "
+ "cannot disable server-side password policies."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2005
++#: sssd-ldap.5.xml:2025
+ msgid ""
+ "<emphasis>shadow</emphasis> - Use <citerefentry><refentrytitle>shadow</"
+ "refentrytitle> <manvolnum>5</manvolnum></citerefentry> style attributes to "
+@@ -6164,7 +6331,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2011
++#: sssd-ldap.5.xml:2031
+ msgid ""
+ "<emphasis>mit_kerberos</emphasis> - Use the attributes used by MIT Kerberos "
+ "to determine if the password has expired. Use chpass_provider=krb5 to update "
+@@ -6172,31 +6339,31 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2020
++#: sssd-ldap.5.xml:2040
+ msgid ""
+ "<emphasis>Note</emphasis>: if a password policy is configured on server "
+ "side, it always takes precedence over policy set with this option."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2028
++#: sssd-ldap.5.xml:2048
+ msgid "ldap_referrals (boolean)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2031
++#: sssd-ldap.5.xml:2051
+ msgid "Specifies whether automatic referral chasing should be enabled."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2035
++#: sssd-ldap.5.xml:2055
+ msgid ""
+ "Please note that sssd only supports referral chasing when it is compiled "
+ "with OpenLDAP version 2.4.13 or higher."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2040
++#: sssd-ldap.5.xml:2060
+ msgid ""
+ "Chasing referrals may incur a performance penalty in environments that use "
+ "them heavily, a notable example is Microsoft Active Directory. If your setup "
+@@ -6205,56 +6372,56 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2054
++#: sssd-ldap.5.xml:2074
+ msgid "ldap_dns_service_name (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2057
++#: sssd-ldap.5.xml:2077
+ msgid "Specifies the service name to use when service discovery is enabled."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2061
++#: sssd-ldap.5.xml:2081
+ msgid "Default: ldap"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2067
++#: sssd-ldap.5.xml:2087
+ msgid "ldap_chpass_dns_service_name (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2070
++#: sssd-ldap.5.xml:2090
+ msgid ""
+ "Specifies the service name to use to find an LDAP server which allows "
+ "password changes when service discovery is enabled."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2075
++#: sssd-ldap.5.xml:2095
+ msgid "Default: not set, i.e. service discovery is disabled"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2081
++#: sssd-ldap.5.xml:2101
+ msgid "ldap_chpass_update_last_change (bool)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2084
++#: sssd-ldap.5.xml:2104
+ msgid ""
+ "Specifies whether to update the ldap_user_shadow_last_change attribute with "
+ "days since the Epoch after a password change operation."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2096
++#: sssd-ldap.5.xml:2116
+ msgid "ldap_access_filter (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2099
++#: sssd-ldap.5.xml:2119
+ msgid ""
+ "If using access_provider = ldap and ldap_access_order = filter (default), "
+ "this option is mandatory. It specifies an LDAP search filter criteria that "
+@@ -6270,12 +6437,12 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2119
++#: sssd-ldap.5.xml:2139
+ msgid "Example:"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><programlisting>
+-#: sssd-ldap.5.xml:2122
++#: sssd-ldap.5.xml:2142
+ #, no-wrap
+ msgid ""
+ "access_provider = ldap\n"
+@@ -6284,14 +6451,14 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2126
++#: sssd-ldap.5.xml:2146
+ msgid ""
+ "This example means that access to this host is restricted to users whose "
+ "employeeType attribute is set to \"admin\"."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2131
++#: sssd-ldap.5.xml:2151
+ msgid ""
+ "Offline caching for this feature is limited to determining whether the "
+ "user's last online login was granted access permission. If they were granted "
+@@ -6300,24 +6467,24 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2139 sssd-ldap.5.xml:2196
++#: sssd-ldap.5.xml:2159 sssd-ldap.5.xml:2216
+ msgid "Default: Empty"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2145
++#: sssd-ldap.5.xml:2165
+ msgid "ldap_account_expire_policy (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2148
++#: sssd-ldap.5.xml:2168
+ msgid ""
+ "With this option a client side evaluation of access control attributes can "
+ "be enabled."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2152
++#: sssd-ldap.5.xml:2172
+ msgid ""
+ "Please note that it is always recommended to use server side access control, "
+ "i.e. the LDAP server should deny the bind request with a suitable error code "
+@@ -6325,19 +6492,19 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2159
++#: sssd-ldap.5.xml:2179
+ msgid "The following values are allowed:"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2162
++#: sssd-ldap.5.xml:2182
+ msgid ""
+ "<emphasis>shadow</emphasis>: use the value of ldap_user_shadow_expire to "
+ "determine if the account is expired."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2167
++#: sssd-ldap.5.xml:2187
+ msgid ""
+ "<emphasis>ad</emphasis>: use the value of the 32bit field "
+ "ldap_user_ad_user_account_control and allow access if the second bit is not "
+@@ -6346,7 +6513,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2174
++#: sssd-ldap.5.xml:2194
+ msgid ""
+ "<emphasis>rhds</emphasis>, <emphasis>ipa</emphasis>, <emphasis>389ds</"
+ "emphasis>: use the value of ldap_ns_account_lock to check if access is "
+@@ -6354,7 +6521,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2180
++#: sssd-ldap.5.xml:2200
+ msgid ""
+ "<emphasis>nds</emphasis>: the values of "
+ "ldap_user_nds_login_allowed_time_map, ldap_user_nds_login_disabled and "
+@@ -6363,7 +6530,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2189
++#: sssd-ldap.5.xml:2209
+ msgid ""
+ "Please note that the ldap_access_order configuration option <emphasis>must</"
+ "emphasis> include <quote>expire</quote> in order for the "
+@@ -6371,22 +6538,22 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2202
++#: sssd-ldap.5.xml:2222
+ msgid "ldap_access_order (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2205
++#: sssd-ldap.5.xml:2225
+ msgid "Comma separated list of access control options.  Allowed values are:"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2209
++#: sssd-ldap.5.xml:2229
+ msgid "<emphasis>filter</emphasis>: use ldap_access_filter"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2212
++#: sssd-ldap.5.xml:2232
+ msgid ""
+ "<emphasis>lockout</emphasis>: use account locking.  If set, this option "
+ "denies access in case that ldap attribute 'pwdAccountLockedTime' is present "
+@@ -6396,14 +6563,14 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2222
++#: sssd-ldap.5.xml:2242
+ msgid ""
+ "<emphasis> Please note that this option is superseded by the <quote>ppolicy</"
+ "quote> option and might be removed in a future release.  </emphasis>"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2229
++#: sssd-ldap.5.xml:2249
+ msgid ""
+ "<emphasis>ppolicy</emphasis>: use account locking.  If set, this option "
+ "denies access in case that ldap attribute 'pwdAccountLockedTime' is present "
+@@ -6416,12 +6583,12 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2246
++#: sssd-ldap.5.xml:2266
+ msgid "<emphasis>expire</emphasis>: use ldap_account_expire_policy"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2250
++#: sssd-ldap.5.xml:2270
+ msgid ""
+ "<emphasis>pwd_expire_policy_reject, pwd_expire_policy_warn, "
+ "pwd_expire_policy_renew: </emphasis> These options are useful if users are "
+@@ -6431,7 +6598,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2260
++#: sssd-ldap.5.xml:2280
+ msgid ""
+ "The difference between these options is the action taken if user password is "
+ "expired: pwd_expire_policy_reject - user is denied to log in, "
+@@ -6441,63 +6608,63 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2268
++#: sssd-ldap.5.xml:2288
+ msgid ""
+ "Note If user password is expired no explicit message is prompted by SSSD."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2272
++#: sssd-ldap.5.xml:2292
+ msgid ""
+ "Please note that 'access_provider = ldap' must be set for this feature to "
+ "work. Also 'ldap_pwd_policy' must be set to an appropriate password policy."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2277
++#: sssd-ldap.5.xml:2297
+ msgid ""
+ "<emphasis>authorized_service</emphasis>: use the authorizedService attribute "
+ "to determine access"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2282
++#: sssd-ldap.5.xml:2302
+ msgid "<emphasis>host</emphasis>: use the host attribute to determine access"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2286
++#: sssd-ldap.5.xml:2306
+ msgid ""
+ "<emphasis>rhost</emphasis>: use the rhost attribute to determine whether "
+ "remote host can access"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2290
++#: sssd-ldap.5.xml:2310
+ msgid ""
+ "Please note, rhost field in pam is set by application, it is better to check "
+ "what the application sends to pam, before enabling this access control option"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2295
++#: sssd-ldap.5.xml:2315
+ msgid "Default: filter"
+ msgstr "Padrão: filter"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2298
++#: sssd-ldap.5.xml:2318
+ msgid ""
+ "Please note that it is a configuration error if a value is used more than "
+ "once."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2305
++#: sssd-ldap.5.xml:2325
+ msgid "ldap_pwdlockout_dn (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2308
++#: sssd-ldap.5.xml:2328
+ msgid ""
+ "This option specifies the DN of password policy entry on LDAP server. Please "
+ "note that absence of this option in sssd.conf in case of enabled account "
+@@ -6506,74 +6673,74 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2316
++#: sssd-ldap.5.xml:2336
+ msgid "Example: cn=ppolicy,ou=policies,dc=example,dc=com"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2319
++#: sssd-ldap.5.xml:2339
+ msgid "Default: cn=ppolicy,ou=policies,$ldap_search_base"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2325
++#: sssd-ldap.5.xml:2345
+ msgid "ldap_deref (string)"
+ msgstr "ldap_deref (string)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2328
++#: sssd-ldap.5.xml:2348
+ msgid ""
+ "Specifies how alias dereferencing is done when performing a search. The "
+ "following options are allowed:"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2333
++#: sssd-ldap.5.xml:2353
+ msgid "<emphasis>never</emphasis>: Aliases are never dereferenced."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2337
++#: sssd-ldap.5.xml:2357
+ msgid ""
+ "<emphasis>searching</emphasis>: Aliases are dereferenced in subordinates of "
+ "the base object, but not in locating the base object of the search."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2342
++#: sssd-ldap.5.xml:2362
+ msgid ""
+ "<emphasis>finding</emphasis>: Aliases are only dereferenced when locating "
+ "the base object of the search."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2347
++#: sssd-ldap.5.xml:2367
+ msgid ""
+ "<emphasis>always</emphasis>: Aliases are dereferenced both in searching and "
+ "in locating the base object of the search."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2352
++#: sssd-ldap.5.xml:2372
+ msgid ""
+ "Default: Empty (this is handled as <emphasis>never</emphasis> by the LDAP "
+ "client libraries)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2360
++#: sssd-ldap.5.xml:2380
+ msgid "ldap_rfc2307_fallback_to_local_users (boolean)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2363
++#: sssd-ldap.5.xml:2383
+ msgid ""
+ "Allows to retain local users as members of an LDAP group for servers that "
+ "use the RFC2307 schema."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2367
++#: sssd-ldap.5.xml:2387
+ msgid ""
+ "In some environments where the RFC2307 schema is used, local users are made "
+ "members of LDAP groups by adding their names to the memberUid attribute.  "
+@@ -6584,7 +6751,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2378
++#: sssd-ldap.5.xml:2398
+ msgid ""
+ "This option falls back to checking if local users are referenced, and caches "
+ "them so that later initgroups() calls will augment the local users with the "
+@@ -6592,24 +6759,24 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2390 sssd-ifp.5.xml:136
++#: sssd-ldap.5.xml:2410 sssd-ifp.5.xml:136
+ msgid "wildcard_limit (integer)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2393
++#: sssd-ldap.5.xml:2413
+ msgid ""
+ "Specifies an upper limit on the number of entries that are downloaded during "
+ "a wildcard lookup."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2397
++#: sssd-ldap.5.xml:2417
+ msgid "At the moment, only the InfoPipe responder supports wildcard lookups."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2401
++#: sssd-ldap.5.xml:2421
+ msgid "Default: 1000 (often the size of one page)"
+ msgstr ""
+ 
+@@ -6624,12 +6791,12 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><title>
+-#: sssd-ldap.5.xml:2411
++#: sssd-ldap.5.xml:2431
+ msgid "SUDO OPTIONS"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd-ldap.5.xml:2413
++#: sssd-ldap.5.xml:2433
+ msgid ""
+ "The detailed instructions for configuration of sudo_provider are in the "
+ "manual page <citerefentry> <refentrytitle>sssd-sudo</refentrytitle> "
+@@ -6637,208 +6804,208 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2424
++#: sssd-ldap.5.xml:2444
+ msgid "ldap_sudorule_object_class (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2427
++#: sssd-ldap.5.xml:2447
+ msgid "The object class of a sudo rule entry in LDAP."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2430
++#: sssd-ldap.5.xml:2450
+ msgid "Default: sudoRole"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2436
++#: sssd-ldap.5.xml:2456
+ msgid "ldap_sudorule_name (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2439
++#: sssd-ldap.5.xml:2459
+ msgid "The LDAP attribute that corresponds to the sudo rule name."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2449
++#: sssd-ldap.5.xml:2469
+ msgid "ldap_sudorule_command (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2452
++#: sssd-ldap.5.xml:2472
+ msgid "The LDAP attribute that corresponds to the command name."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2456
++#: sssd-ldap.5.xml:2476
+ msgid "Default: sudoCommand"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2462
++#: sssd-ldap.5.xml:2482
+ msgid "ldap_sudorule_host (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2465
++#: sssd-ldap.5.xml:2485
+ msgid ""
+ "The LDAP attribute that corresponds to the host name (or host IP address, "
+ "host IP network, or host netgroup)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2470
++#: sssd-ldap.5.xml:2490
+ msgid "Default: sudoHost"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2476
++#: sssd-ldap.5.xml:2496
+ msgid "ldap_sudorule_user (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2479
++#: sssd-ldap.5.xml:2499
+ msgid ""
+ "The LDAP attribute that corresponds to the user name (or UID, group name or "
+ "user's netgroup)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2483
++#: sssd-ldap.5.xml:2503
+ msgid "Default: sudoUser"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2489
++#: sssd-ldap.5.xml:2509
+ msgid "ldap_sudorule_option (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2492
++#: sssd-ldap.5.xml:2512
+ msgid "The LDAP attribute that corresponds to the sudo options."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2496
++#: sssd-ldap.5.xml:2516
+ msgid "Default: sudoOption"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2502
++#: sssd-ldap.5.xml:2522
+ msgid "ldap_sudorule_runasuser (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2505
++#: sssd-ldap.5.xml:2525
+ msgid ""
+ "The LDAP attribute that corresponds to the user name that commands may be "
+ "run as."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2509
++#: sssd-ldap.5.xml:2529
+ msgid "Default: sudoRunAsUser"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2515
++#: sssd-ldap.5.xml:2535
+ msgid "ldap_sudorule_runasgroup (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2518
++#: sssd-ldap.5.xml:2538
+ msgid ""
+ "The LDAP attribute that corresponds to the group name or group GID that "
+ "commands may be run as."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2522
++#: sssd-ldap.5.xml:2542
+ msgid "Default: sudoRunAsGroup"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2528
++#: sssd-ldap.5.xml:2548
+ msgid "ldap_sudorule_notbefore (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2531
++#: sssd-ldap.5.xml:2551
+ msgid ""
+ "The LDAP attribute that corresponds to the start date/time for when the sudo "
+ "rule is valid."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2535
++#: sssd-ldap.5.xml:2555
+ msgid "Default: sudoNotBefore"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2541
++#: sssd-ldap.5.xml:2561
+ msgid "ldap_sudorule_notafter (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2544
++#: sssd-ldap.5.xml:2564
+ msgid ""
+ "The LDAP attribute that corresponds to the expiration date/time, after which "
+ "the sudo rule will no longer be valid."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2549
++#: sssd-ldap.5.xml:2569
+ msgid "Default: sudoNotAfter"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2555
++#: sssd-ldap.5.xml:2575
+ msgid "ldap_sudorule_order (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2558
++#: sssd-ldap.5.xml:2578
+ msgid "The LDAP attribute that corresponds to the ordering index of the rule."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2562
++#: sssd-ldap.5.xml:2582
+ msgid "Default: sudoOrder"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2568
++#: sssd-ldap.5.xml:2588
+ msgid "ldap_sudo_full_refresh_interval (integer)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2571
++#: sssd-ldap.5.xml:2591
+ msgid ""
+ "How many seconds SSSD will wait between executing a full refresh of sudo "
+ "rules (which downloads all rules that are stored on the server)."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2576
++#: sssd-ldap.5.xml:2596
+ msgid ""
+ "The value must be greater than <emphasis>ldap_sudo_smart_refresh_interval </"
+ "emphasis>"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2581
++#: sssd-ldap.5.xml:2601
+ msgid "Default: 21600 (6 hours)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2587
++#: sssd-ldap.5.xml:2607
+ msgid "ldap_sudo_smart_refresh_interval (integer)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2590
++#: sssd-ldap.5.xml:2610
+ msgid ""
+ "How many seconds SSSD has to wait before executing a smart refresh of sudo "
+ "rules (which downloads all rules that have USN higher than the highest USN "
+@@ -6846,101 +7013,101 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2596
++#: sssd-ldap.5.xml:2616
+ msgid ""
+ "If USN attributes are not supported by the server, the modifyTimestamp "
+ "attribute is used instead."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2606
++#: sssd-ldap.5.xml:2626
+ msgid "ldap_sudo_use_host_filter (boolean)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2609
++#: sssd-ldap.5.xml:2629
+ msgid ""
+ "If true, SSSD will download only rules that are applicable to this machine "
+ "(using the IPv4 or IPv6 host/network addresses and hostnames)."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2620
++#: sssd-ldap.5.xml:2640
+ msgid "ldap_sudo_hostnames (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2623
++#: sssd-ldap.5.xml:2643
+ msgid ""
+ "Space separated list of hostnames or fully qualified domain names that "
+ "should be used to filter the rules."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2628
++#: sssd-ldap.5.xml:2648
+ msgid ""
+ "If this option is empty, SSSD will try to discover the hostname and the "
+ "fully qualified domain name automatically."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2633 sssd-ldap.5.xml:2656 sssd-ldap.5.xml:2674
+-#: sssd-ldap.5.xml:2692
++#: sssd-ldap.5.xml:2653 sssd-ldap.5.xml:2676 sssd-ldap.5.xml:2694
++#: sssd-ldap.5.xml:2712
+ msgid ""
+ "If <emphasis>ldap_sudo_use_host_filter</emphasis> is <emphasis>false</"
+ "emphasis> then this option has no effect."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2638 sssd-ldap.5.xml:2661
++#: sssd-ldap.5.xml:2658 sssd-ldap.5.xml:2681
+ msgid "Default: not specified"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2644
++#: sssd-ldap.5.xml:2664
+ msgid "ldap_sudo_ip (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2647
++#: sssd-ldap.5.xml:2667
+ msgid ""
+ "Space separated list of IPv4 or IPv6 host/network addresses that should be "
+ "used to filter the rules."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2652
++#: sssd-ldap.5.xml:2672
+ msgid ""
+ "If this option is empty, SSSD will try to discover the addresses "
+ "automatically."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2667
++#: sssd-ldap.5.xml:2687
+ msgid "ldap_sudo_include_netgroups (boolean)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2670
++#: sssd-ldap.5.xml:2690
+ msgid ""
+ "If true then SSSD will download every rule that contains a netgroup in "
+ "sudoHost attribute."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2685
++#: sssd-ldap.5.xml:2705
+ msgid "ldap_sudo_include_regexp (boolean)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2688
++#: sssd-ldap.5.xml:2708
+ msgid ""
+ "If true then SSSD will download every rule that contains a wildcard in "
+ "sudoHost attribute."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd-ldap.5.xml:2704
++#: sssd-ldap.5.xml:2724
+ msgid ""
+ "This manual page only describes attribute name mapping.  For detailed "
+ "explanation of sudo related attribute semantics, see <citerefentry> "
+@@ -6949,111 +7116,111 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><title>
+-#: sssd-ldap.5.xml:2714
++#: sssd-ldap.5.xml:2734
+ msgid "AUTOFS OPTIONS"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd-ldap.5.xml:2716
++#: sssd-ldap.5.xml:2736
+ msgid ""
+ "Some of the defaults for the parameters below are dependent on the LDAP "
+ "schema."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2722
++#: sssd-ldap.5.xml:2742
+ msgid "ldap_autofs_map_master_name (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2725
++#: sssd-ldap.5.xml:2745
+ msgid "The name of the automount master map in LDAP."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2728
++#: sssd-ldap.5.xml:2748
+ msgid "Default: auto.master"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2735
++#: sssd-ldap.5.xml:2755
+ msgid "ldap_autofs_map_object_class (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2738
++#: sssd-ldap.5.xml:2758
+ msgid "The object class of an automount map entry in LDAP."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2741
++#: sssd-ldap.5.xml:2761
+ msgid "Default: nisMap (rfc2307, autofs_provider=ad), otherwise automountMap"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2749
++#: sssd-ldap.5.xml:2769
+ msgid "ldap_autofs_map_name (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2752
++#: sssd-ldap.5.xml:2772
+ msgid "The name of an automount map entry in LDAP."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2755
++#: sssd-ldap.5.xml:2775
+ msgid ""
+ "Default: nisMapName (rfc2307, autofs_provider=ad), otherwise automountMapName"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2763
++#: sssd-ldap.5.xml:2783
+ msgid "ldap_autofs_entry_object_class (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2766
++#: sssd-ldap.5.xml:2786
+ msgid ""
+ "The object class of an automount entry in LDAP. The entry usually "
+ "corresponds to a mount point."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2771
++#: sssd-ldap.5.xml:2791
+ msgid "Default: nisObject (rfc2307, autofs_provider=ad), otherwise automount"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2779
++#: sssd-ldap.5.xml:2799
+ msgid "ldap_autofs_entry_key (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2782 sssd-ldap.5.xml:2797
++#: sssd-ldap.5.xml:2802 sssd-ldap.5.xml:2817
+ msgid ""
+ "The key of an automount entry in LDAP. The entry usually corresponds to a "
+ "mount point."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2786
++#: sssd-ldap.5.xml:2806
+ msgid "Default: cn (rfc2307, autofs_provider=ad), otherwise automountKey"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2794
++#: sssd-ldap.5.xml:2814
+ msgid "ldap_autofs_entry_value (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2801
++#: sssd-ldap.5.xml:2821
+ msgid ""
+ "Default: nisMapEntry (rfc2307, autofs_provider=ad), otherwise "
+ "automountInformation"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd-ldap.5.xml:2720
++#: sssd-ldap.5.xml:2740
+ msgid ""
+ "<placeholder type=\"variablelist\" id=\"0\"/> <placeholder type="
+ "\"variablelist\" id=\"1\"/> <placeholder type=\"variablelist\" id=\"2\"/> "
+@@ -7062,32 +7229,32 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><title>
+-#: sssd-ldap.5.xml:2812
++#: sssd-ldap.5.xml:2832
+ msgid "ADVANCED OPTIONS"
+ msgstr "OPÇÕES AVANÇADAS"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2819
++#: sssd-ldap.5.xml:2839
+ msgid "ldap_netgroup_search_base (string)"
+ msgstr "ldap_netgroup_search_base (string)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2824
++#: sssd-ldap.5.xml:2844
+ msgid "ldap_user_search_base (string)"
+ msgstr "ldap_user_search_base (string)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2829
++#: sssd-ldap.5.xml:2849
+ msgid "ldap_group_search_base (string)"
+ msgstr "ldap_group_search_base (string)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><note>
+-#: sssd-ldap.5.xml:2834
++#: sssd-ldap.5.xml:2854
+ msgid "<note>"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><note><para>
+-#: sssd-ldap.5.xml:2836
++#: sssd-ldap.5.xml:2856
+ msgid ""
+ "If the option <quote>ldap_use_tokengroups</quote> is enabled, the searches "
+ "against Active Directory will not be restricted and return all groups "
+@@ -7096,22 +7263,22 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist>
+-#: sssd-ldap.5.xml:2843
++#: sssd-ldap.5.xml:2863
+ msgid "</note>"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2845
++#: sssd-ldap.5.xml:2865
+ msgid "ldap_sudo_search_base (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2850
++#: sssd-ldap.5.xml:2870
+ msgid "ldap_autofs_search_base (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd-ldap.5.xml:2814
++#: sssd-ldap.5.xml:2834
+ msgid ""
+ "These options are supported by LDAP domains, but they should be used with "
+ "caution. Please include them in your configuration only if you know what you "
+@@ -7120,14 +7287,14 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><title>
+-#: sssd-ldap.5.xml:2865 sssd-simple.5.xml:131 sssd-ipa.5.xml:828
+-#: sssd-ad.5.xml:1063 sssd-krb5.5.xml:570 sss_rpcidmapd.5.xml:98
++#: sssd-ldap.5.xml:2885 sssd-simple.5.xml:131 sssd-ipa.5.xml:828
++#: sssd-ad.5.xml:1082 sssd-krb5.5.xml:604 sss_rpcidmapd.5.xml:98
+ #: sssd-files.5.xml:103 sssd-session-recording.5.xml:144
+ msgid "EXAMPLE"
+ msgstr "EXEMPLO"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd-ldap.5.xml:2867
++#: sssd-ldap.5.xml:2887
+ msgid ""
+ "The following example assumes that SSSD is correctly configured and LDAP is "
+ "set to one of the domains in the <replaceable>[domains]</replaceable> "
+@@ -7135,7 +7302,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><programlisting>
+-#: sssd-ldap.5.xml:2873
++#: sssd-ldap.5.xml:2893
+ #, no-wrap
+ msgid ""
+ "[domain/LDAP]\n"
+@@ -7148,27 +7315,27 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <refsect1><refsect2><para>
+-#: sssd-ldap.5.xml:2872 sssd-ldap.5.xml:2890 sssd-simple.5.xml:139
+-#: sssd-ipa.5.xml:836 sssd-ad.5.xml:1071 sssd-sudo.5.xml:56 sssd-krb5.5.xml:579
++#: sssd-ldap.5.xml:2892 sssd-ldap.5.xml:2910 sssd-simple.5.xml:139
++#: sssd-ipa.5.xml:836 sssd-ad.5.xml:1090 sssd-sudo.5.xml:56 sssd-krb5.5.xml:613
+ #: sssd-files.5.xml:110 sssd-session-recording.5.xml:150
+ #: include/ldap_id_mapping.xml:105
+ msgid "<placeholder type=\"programlisting\" id=\"0\"/>"
+ msgstr "<placeholder type=\"programlisting\" id=\"0\"/>"
+ 
+ #. type: Content of: <reference><refentry><refsect1><title>
+-#: sssd-ldap.5.xml:2884
++#: sssd-ldap.5.xml:2904
+ msgid "LDAP ACCESS FILTER EXAMPLE"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd-ldap.5.xml:2886
++#: sssd-ldap.5.xml:2906
+ msgid ""
+ "The following example assumes that SSSD is correctly configured and to use "
+ "the ldap_access_order=lockout."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><programlisting>
+-#: sssd-ldap.5.xml:2891
++#: sssd-ldap.5.xml:2911
+ #, no-wrap
+ msgid ""
+ "[domain/LDAP]\n"
+@@ -7184,13 +7351,13 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><title>
+-#: sssd-ldap.5.xml:2906 sssd_krb5_locator_plugin.8.xml:83 sssd-simple.5.xml:148
+-#: sssd-ad.5.xml:1086 sssd.8.xml:230 sss_seed.8.xml:163
++#: sssd-ldap.5.xml:2926 sssd_krb5_locator_plugin.8.xml:83 sssd-simple.5.xml:148
++#: sssd-ad.5.xml:1105 sssd.8.xml:230 sss_seed.8.xml:163
+ msgid "NOTES"
+ msgstr "NOTAS"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd-ldap.5.xml:2908
++#: sssd-ldap.5.xml:2928
+ msgid ""
+ "The descriptions of some of the configuration options in this manual page "
+ "are based on the <citerefentry> <refentrytitle>ldap.conf</refentrytitle> "
+@@ -8664,7 +8831,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ipa.5.xml:128 sssd-ad.5.xml:888
++#: sssd-ipa.5.xml:128 sssd-ad.5.xml:907
+ msgid "dyndns_update (boolean)"
+ msgstr ""
+ 
+@@ -8679,7 +8846,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ipa.5.xml:140 sssd-ad.5.xml:902
++#: sssd-ipa.5.xml:140 sssd-ad.5.xml:921
+ msgid ""
+ "NOTE: On older systems (such as RHEL 5), for this behavior to work reliably, "
+ "the default Kerberos realm must be set properly in /etc/krb5.conf"
+@@ -8694,12 +8861,12 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ipa.5.xml:157 sssd-ad.5.xml:913
++#: sssd-ipa.5.xml:157 sssd-ad.5.xml:932
+ msgid "dyndns_ttl (integer)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ipa.5.xml:160 sssd-ad.5.xml:916
++#: sssd-ipa.5.xml:160 sssd-ad.5.xml:935
+ msgid ""
+ "The TTL to apply to the client DNS record when updating it.  If "
+ "dyndns_update is false this has no effect. This will override the TTL "
+@@ -8720,12 +8887,12 @@ msgid "Default: 1200 (seconds)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ipa.5.xml:177 sssd-ad.5.xml:927
++#: sssd-ipa.5.xml:177 sssd-ad.5.xml:946
+ msgid "dyndns_iface (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ipa.5.xml:180 sssd-ad.5.xml:930
++#: sssd-ipa.5.xml:180 sssd-ad.5.xml:949
+ msgid ""
+ "Optional. Applicable only when dyndns_update is true. Choose the interface "
+ "or a list of interfaces whose IP addresses should be used for dynamic DNS "
+@@ -8749,17 +8916,17 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ipa.5.xml:197 sssd-ad.5.xml:941
++#: sssd-ipa.5.xml:197 sssd-ad.5.xml:960
+ msgid "Example: dyndns_iface = em1, vnet1, vnet2"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ipa.5.xml:203 sssd-ad.5.xml:992
++#: sssd-ipa.5.xml:203 sssd-ad.5.xml:1011
+ msgid "dyndns_auth (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ipa.5.xml:206 sssd-ad.5.xml:995
++#: sssd-ipa.5.xml:206 sssd-ad.5.xml:1014
+ msgid ""
+ "Whether the nsupdate utility should use GSS-TSIG authentication for secure "
+ "updates with the DNS server, insecure updates can be sent by setting this "
+@@ -8767,7 +8934,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ipa.5.xml:212 sssd-ad.5.xml:1001
++#: sssd-ipa.5.xml:212 sssd-ad.5.xml:1020
+ msgid "Default: GSS-TSIG"
+ msgstr ""
+ 
+@@ -8794,7 +8961,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ipa.5.xml:244 sssd-ad.5.xml:947
++#: sssd-ipa.5.xml:244 sssd-ad.5.xml:966
+ msgid "dyndns_refresh_interval (integer)"
+ msgstr ""
+ 
+@@ -8807,12 +8974,12 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ipa.5.xml:260 sssd-ad.5.xml:965
++#: sssd-ipa.5.xml:260 sssd-ad.5.xml:984
+ msgid "dyndns_update_ptr (bool)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ipa.5.xml:263 sssd-ad.5.xml:968
++#: sssd-ipa.5.xml:263 sssd-ad.5.xml:987
+ msgid ""
+ "Whether the PTR record should also be explicitly updated when updating the "
+ "client's DNS records.  Applicable only when dyndns_update is true."
+@@ -8831,50 +8998,50 @@ msgid "Default: False (disabled)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ipa.5.xml:280 sssd-ad.5.xml:979
++#: sssd-ipa.5.xml:280 sssd-ad.5.xml:998
+ msgid "dyndns_force_tcp (bool)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ipa.5.xml:283 sssd-ad.5.xml:982
++#: sssd-ipa.5.xml:283 sssd-ad.5.xml:1001
+ msgid ""
+ "Whether the nsupdate utility should default to using TCP for communicating "
+ "with the DNS server."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ipa.5.xml:287 sssd-ad.5.xml:986
++#: sssd-ipa.5.xml:287 sssd-ad.5.xml:1005
+ msgid "Default: False (let nsupdate choose the protocol)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ipa.5.xml:293 sssd-ad.5.xml:1007
++#: sssd-ipa.5.xml:293 sssd-ad.5.xml:1026
+ msgid "dyndns_server (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ipa.5.xml:296 sssd-ad.5.xml:1010
++#: sssd-ipa.5.xml:296 sssd-ad.5.xml:1029
+ msgid ""
+ "The DNS server to use when performing a DNS update. In most setups, it's "
+ "recommended to leave this option unset."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ipa.5.xml:301 sssd-ad.5.xml:1015
++#: sssd-ipa.5.xml:301 sssd-ad.5.xml:1034
+ msgid ""
+ "Setting this option makes sense for environments where the DNS server is "
+ "different from the identity server."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ipa.5.xml:306 sssd-ad.5.xml:1020
++#: sssd-ipa.5.xml:306 sssd-ad.5.xml:1039
+ msgid ""
+ "Please note that this option will be only used in fallback attempt when "
+ "previous attempt using autodetected settings failed."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ipa.5.xml:311 sssd-ad.5.xml:1025
++#: sssd-ipa.5.xml:311 sssd-ad.5.xml:1044
+ msgid "Default: None (let nsupdate choose the server)"
+ msgstr ""
+ 
+@@ -8985,26 +9152,26 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ipa.5.xml:443 sssd-ad.5.xml:1034
++#: sssd-ipa.5.xml:443 sssd-ad.5.xml:1053
+ msgid "krb5_confd_path (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ipa.5.xml:446 sssd-ad.5.xml:1037
++#: sssd-ipa.5.xml:446 sssd-ad.5.xml:1056
+ msgid ""
+ "Absolute path of a directory where SSSD should place Kerberos configuration "
+ "snippets."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ipa.5.xml:450 sssd-ad.5.xml:1041
++#: sssd-ipa.5.xml:450 sssd-ad.5.xml:1060
+ msgid ""
+ "To disable the creation of the configuration snippets set the parameter to "
+ "'none'."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ipa.5.xml:454 sssd-ad.5.xml:1045
++#: sssd-ipa.5.xml:454 sssd-ad.5.xml:1064
+ msgid ""
+ "Default: not set (krb5.include.d subdirectory of SSSD's pubconf directory)"
+ msgstr ""
+@@ -9023,7 +9190,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ipa.5.xml:471 sssd-ipa.5.xml:501 sssd-ipa.5.xml:517 sssd-ad.5.xml:452
++#: sssd-ipa.5.xml:471 sssd-ipa.5.xml:501 sssd-ipa.5.xml:517 sssd-ad.5.xml:471
+ msgid "Default: 5 (seconds)"
+ msgstr ""
+ 
+@@ -9906,12 +10073,29 @@ msgid "Default: False (seconds)"
+ msgstr "Padrão: false"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ad.5.xml:442
++#: sssd-ad.5.xml:441
++#, fuzzy
++#| msgid "ldap_force_upper_case_realm (boolean)"
++msgid "ad_gpo_ignore_unreadable (boolean)"
++msgstr "ldap_force_upper_case_realm (boolean)"
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
++#: sssd-ad.5.xml:444
++msgid ""
++"Normally when some group policy containers (AD object) of applicable group "
++"policy objects are not readable by SSSD then users are denied access.  This "
++"option allows to ignore group policy containers and with them associated "
++"policies if their attributes in group policy containers are not readable for "
++"SSSD."
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
++#: sssd-ad.5.xml:461
+ msgid "ad_gpo_cache_timeout (integer)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:445
++#: sssd-ad.5.xml:464
+ msgid ""
+ "The amount of time between lookups of GPO policy files against the AD "
+ "server. This will reduce the latency and load on the AD server if there are "
+@@ -9919,12 +10103,12 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ad.5.xml:458
++#: sssd-ad.5.xml:477
+ msgid "ad_gpo_map_interactive (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:461
++#: sssd-ad.5.xml:480
+ msgid ""
+ "A comma-separated list of PAM service names for which GPO-based access "
+ "control is evaluated based on the InteractiveLogonRight and "
+@@ -9932,14 +10116,14 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:467
++#: sssd-ad.5.xml:486
+ msgid ""
+ "Note: Using the Group Policy Management Editor this value is called \"Allow "
+ "log on locally\" and \"Deny log on locally\"."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
+-#: sssd-ad.5.xml:481
++#: sssd-ad.5.xml:500
+ #, no-wrap
+ msgid ""
+ "ad_gpo_map_interactive = +my_pam_service, -login\n"
+@@ -9947,7 +10131,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:472
++#: sssd-ad.5.xml:491
+ msgid ""
+ "It is possible to add another PAM service name to the default set by using "
+ "<quote>+service_name</quote> or to explicitly remove a PAM service name from "
+@@ -9959,42 +10143,42 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd-ad.5.xml:504
++#: sssd-ad.5.xml:523
+ msgid "gdm-fingerprint"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd-ad.5.xml:524
++#: sssd-ad.5.xml:543
+ msgid "lightdm"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd-ad.5.xml:529
++#: sssd-ad.5.xml:548
+ msgid "lxdm"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd-ad.5.xml:534
++#: sssd-ad.5.xml:553
+ msgid "sddm"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd-ad.5.xml:539
++#: sssd-ad.5.xml:558
+ msgid "unity"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd-ad.5.xml:544
++#: sssd-ad.5.xml:563
+ msgid "xdm"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ad.5.xml:553
++#: sssd-ad.5.xml:572
+ msgid "ad_gpo_map_remote_interactive (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:556
++#: sssd-ad.5.xml:575
+ msgid ""
+ "A comma-separated list of PAM service names for which GPO-based access "
+ "control is evaluated based on the RemoteInteractiveLogonRight and "
+@@ -10002,7 +10186,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:562
++#: sssd-ad.5.xml:581
+ msgid ""
+ "Note: Using the Group Policy Management Editor this value is called \"Allow "
+ "log on through Remote Desktop Services\" and \"Deny log on through Remote "
+@@ -10010,7 +10194,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
+-#: sssd-ad.5.xml:577
++#: sssd-ad.5.xml:596
+ #, no-wrap
+ msgid ""
+ "ad_gpo_map_remote_interactive = +my_pam_service, -sshd\n"
+@@ -10018,7 +10202,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:568
++#: sssd-ad.5.xml:587
+ msgid ""
+ "It is possible to add another PAM service name to the default set by using "
+ "<quote>+service_name</quote> or to explicitly remove a PAM service name from "
+@@ -10030,22 +10214,22 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd-ad.5.xml:585
++#: sssd-ad.5.xml:604
+ msgid "sshd"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd-ad.5.xml:590
++#: sssd-ad.5.xml:609
+ msgid "cockpit"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ad.5.xml:599
++#: sssd-ad.5.xml:618
+ msgid "ad_gpo_map_network (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:602
++#: sssd-ad.5.xml:621
+ msgid ""
+ "A comma-separated list of PAM service names for which GPO-based access "
+ "control is evaluated based on the NetworkLogonRight and "
+@@ -10053,7 +10237,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:608
++#: sssd-ad.5.xml:627
+ msgid ""
+ "Note: Using the Group Policy Management Editor this value is called \"Access "
+ "this computer from the network\" and \"Deny access to this computer from the "
+@@ -10061,7 +10245,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
+-#: sssd-ad.5.xml:623
++#: sssd-ad.5.xml:642
+ #, no-wrap
+ msgid ""
+ "ad_gpo_map_network = +my_pam_service, -ftp\n"
+@@ -10069,7 +10253,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:614
++#: sssd-ad.5.xml:633
+ msgid ""
+ "It is possible to add another PAM service name to the default set by using "
+ "<quote>+service_name</quote> or to explicitly remove a PAM service name from "
+@@ -10081,22 +10265,22 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd-ad.5.xml:631
++#: sssd-ad.5.xml:650
+ msgid "ftp"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd-ad.5.xml:636
++#: sssd-ad.5.xml:655
+ msgid "samba"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ad.5.xml:645
++#: sssd-ad.5.xml:664
+ msgid "ad_gpo_map_batch (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:648
++#: sssd-ad.5.xml:667
+ msgid ""
+ "A comma-separated list of PAM service names for which GPO-based access "
+ "control is evaluated based on the BatchLogonRight and DenyBatchLogonRight "
+@@ -10104,14 +10288,14 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:654
++#: sssd-ad.5.xml:673
+ msgid ""
+ "Note: Using the Group Policy Management Editor this value is called \"Allow "
+ "log on as a batch job\" and \"Deny log on as a batch job\"."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
+-#: sssd-ad.5.xml:668
++#: sssd-ad.5.xml:687
+ #, no-wrap
+ msgid ""
+ "ad_gpo_map_batch = +my_pam_service, -crond\n"
+@@ -10119,7 +10303,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:659
++#: sssd-ad.5.xml:678
+ msgid ""
+ "It is possible to add another PAM service name to the default set by using "
+ "<quote>+service_name</quote> or to explicitly remove a PAM service name from "
+@@ -10131,23 +10315,23 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:671
++#: sssd-ad.5.xml:690
+ msgid ""
+ "Note: Cron service name may differ depending on Linux distribution used."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd-ad.5.xml:677
++#: sssd-ad.5.xml:696
+ msgid "crond"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ad.5.xml:686
++#: sssd-ad.5.xml:705
+ msgid "ad_gpo_map_service (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:689
++#: sssd-ad.5.xml:708
+ msgid ""
+ "A comma-separated list of PAM service names for which GPO-based access "
+ "control is evaluated based on the ServiceLogonRight and "
+@@ -10155,14 +10339,14 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:695
++#: sssd-ad.5.xml:714
+ msgid ""
+ "Note: Using the Group Policy Management Editor this value is called \"Allow "
+ "log on as a service\" and \"Deny log on as a service\"."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
+-#: sssd-ad.5.xml:708
++#: sssd-ad.5.xml:727
+ #, no-wrap
+ msgid ""
+ "ad_gpo_map_service = +my_pam_service\n"
+@@ -10170,7 +10354,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:700 sssd-ad.5.xml:775
++#: sssd-ad.5.xml:719 sssd-ad.5.xml:794
+ msgid ""
+ "It is possible to add a PAM service name to the default set by using <quote>"
+ "+service_name</quote>.  Since the default set is empty, it is not possible "
+@@ -10181,19 +10365,19 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ad.5.xml:718
++#: sssd-ad.5.xml:737
+ msgid "ad_gpo_map_permit (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:721
++#: sssd-ad.5.xml:740
+ msgid ""
+ "A comma-separated list of PAM service names for which GPO-based access is "
+ "always granted, regardless of any GPO Logon Rights."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
+-#: sssd-ad.5.xml:735
++#: sssd-ad.5.xml:754
+ #, no-wrap
+ msgid ""
+ "ad_gpo_map_permit = +my_pam_service, -sudo\n"
+@@ -10201,7 +10385,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:726
++#: sssd-ad.5.xml:745
+ msgid ""
+ "It is possible to add another PAM service name to the default set by using "
+ "<quote>+service_name</quote> or to explicitly remove a PAM service name from "
+@@ -10213,29 +10397,29 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd-ad.5.xml:743
++#: sssd-ad.5.xml:762
+ msgid "polkit-1"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd-ad.5.xml:758
++#: sssd-ad.5.xml:777
+ msgid "systemd-user"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ad.5.xml:767
++#: sssd-ad.5.xml:786
+ msgid "ad_gpo_map_deny (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:770
++#: sssd-ad.5.xml:789
+ msgid ""
+ "A comma-separated list of PAM service names for which GPO-based access is "
+ "always denied, regardless of any GPO Logon Rights."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
+-#: sssd-ad.5.xml:783
++#: sssd-ad.5.xml:802
+ #, no-wrap
+ msgid ""
+ "ad_gpo_map_deny = +my_pam_service\n"
+@@ -10243,12 +10427,12 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ad.5.xml:793
++#: sssd-ad.5.xml:812
+ msgid "ad_gpo_default_right (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:796
++#: sssd-ad.5.xml:815
+ msgid ""
+ "This option defines how access control is evaluated for PAM service names "
+ "that are not explicitly listed in one of the ad_gpo_map_* options. This "
+@@ -10261,57 +10445,57 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:809
++#: sssd-ad.5.xml:828
+ msgid "Supported values for this option include:"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd-ad.5.xml:813
++#: sssd-ad.5.xml:832
+ msgid "interactive"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd-ad.5.xml:818
++#: sssd-ad.5.xml:837
+ msgid "remote_interactive"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd-ad.5.xml:823
++#: sssd-ad.5.xml:842
+ msgid "network"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd-ad.5.xml:828
++#: sssd-ad.5.xml:847
+ msgid "batch"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd-ad.5.xml:833
++#: sssd-ad.5.xml:852
+ msgid "service"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd-ad.5.xml:838
++#: sssd-ad.5.xml:857
+ msgid "permit"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd-ad.5.xml:843
++#: sssd-ad.5.xml:862
+ msgid "deny"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:849
++#: sssd-ad.5.xml:868
+ msgid "Default: deny"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ad.5.xml:855
++#: sssd-ad.5.xml:874
+ msgid "ad_maximum_machine_account_password_age (integer)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:858
++#: sssd-ad.5.xml:877
+ msgid ""
+ "SSSD will check once a day if the machine account password is older than the "
+ "given age in days and try to renew it. A value of 0 will disable the renewal "
+@@ -10319,17 +10503,17 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:864
++#: sssd-ad.5.xml:883
+ msgid "Default: 30 days"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ad.5.xml:870
++#: sssd-ad.5.xml:889
+ msgid "ad_machine_account_password_renewal_opts (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:873
++#: sssd-ad.5.xml:892
+ msgid ""
+ "This option should only be used to test the machine account renewal task. "
+ "The option expects 2 integers separated by a colon (':'). The first integer "
+@@ -10339,12 +10523,12 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:882
++#: sssd-ad.5.xml:901
+ msgid "Default: 86400:750 (24h and 15m)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:891
++#: sssd-ad.5.xml:910
+ msgid ""
+ "Optional. This option tells SSSD to automatically update the Active "
+ "Directory DNS server with the IP address of this client. The update is "
+@@ -10355,19 +10539,19 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:921
++#: sssd-ad.5.xml:940
+ msgid "Default: 3600 (seconds)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:937
++#: sssd-ad.5.xml:956
+ msgid ""
+ "Default: Use the IP addresses of the interface which is used for AD LDAP "
+ "connection"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:950
++#: sssd-ad.5.xml:969
+ msgid ""
+ "How often should the back end perform periodic DNS update in addition to the "
+ "automatic update performed when the back end goes online.  This option is "
+@@ -10377,12 +10561,12 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:973 sss_rpcidmapd.5.xml:76
++#: sssd-ad.5.xml:992 sss_rpcidmapd.5.xml:76
+ msgid "Default: True"
+ msgstr "Padrão: TRUE"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd-ad.5.xml:1065
++#: sssd-ad.5.xml:1084
+ msgid ""
+ "The following example assumes that SSSD is correctly configured and example."
+ "com is one of the domains in the <replaceable>[sssd]</replaceable> section. "
+@@ -10390,7 +10574,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><programlisting>
+-#: sssd-ad.5.xml:1072
++#: sssd-ad.5.xml:1091
+ #, no-wrap
+ msgid ""
+ "[domain/EXAMPLE]\n"
+@@ -10405,7 +10589,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><programlisting>
+-#: sssd-ad.5.xml:1092
++#: sssd-ad.5.xml:1111
+ #, no-wrap
+ msgid ""
+ "access_provider = ldap\n"
+@@ -10414,7 +10598,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd-ad.5.xml:1088
++#: sssd-ad.5.xml:1107
+ msgid ""
+ "The AD access control provider checks if the account is expired.  It has the "
+ "same effect as the following configuration of the LDAP provider: "
+@@ -10422,7 +10606,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd-ad.5.xml:1098
++#: sssd-ad.5.xml:1117
+ msgid ""
+ "However, unless the <quote>ad</quote> access control provider is explicitly "
+ "configured, the default access provider is <quote>permit</quote>. Please "
+@@ -10432,7 +10616,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd-ad.5.xml:1106
++#: sssd-ad.5.xml:1125
+ msgid ""
+ "When the autofs provider is set to <quote>ad</quote>, the RFC2307 schema "
+ "attribute mapping (nisMap, nisObject, ...) is used, because these attributes "
+@@ -11900,23 +12084,63 @@ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd-krb5.5.xml:505
++#, fuzzy
++#| msgid "krb5_ccachedir (string)"
++msgid "krb5_kdcinfo_lookahead (string)"
++msgstr "krb5_ccachedir (string)"
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
++#: sssd-krb5.5.xml:508
++msgid ""
++"When krb5_use_kdcinfo is set to true, you can limit the amount of servers "
++"handed to <citerefentry> <refentrytitle>sssd_krb5_locator_plugin</"
++"refentrytitle> <manvolnum>8</manvolnum> </citerefentry>.  This might be "
++"helpful when there are too many servers discovered using SRV record."
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
++#: sssd-krb5.5.xml:518
++msgid ""
++"The krb5_kdcinfo_lookahead option contains two numbers seperated by a colon. "
++"The first number represents number of primary servers used and the second "
++"number specifies the number of backup servers."
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
++#: sssd-krb5.5.xml:524
++msgid ""
++"For example <emphasis>10:0</emphasis> means that up to 10 primary servers "
++"will be handed to <citerefentry> <refentrytitle>sssd_krb5_locator_plugin</"
++"refentrytitle> <manvolnum>8</manvolnum> </citerefentry>.  but no backup "
++"servers."
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
++#: sssd-krb5.5.xml:533
++#, fuzzy
++#| msgid "Default: 3"
++msgid "Default: 3:1"
++msgstr "Padrão: 3"
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
++#: sssd-krb5.5.xml:539
+ msgid "krb5_use_enterprise_principal (boolean)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-krb5.5.xml:508
++#: sssd-krb5.5.xml:542
+ msgid ""
+ "Specifies if the user principal should be treated as enterprise principal. "
+ "See section 5 of RFC 6806 for more details about enterprise principals."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-krb5.5.xml:514
++#: sssd-krb5.5.xml:548
+ msgid "Default: false (AD provider: true)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-krb5.5.xml:517
++#: sssd-krb5.5.xml:551
+ msgid ""
+ "The IPA provider will set to option to 'true' if it detects that the server "
+ "is capable of handling enterprise principals and the option is not set "
+@@ -11924,12 +12148,12 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-krb5.5.xml:526
++#: sssd-krb5.5.xml:560
+ msgid "krb5_map_user (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-krb5.5.xml:529
++#: sssd-krb5.5.xml:563
+ msgid ""
+ "The list of mappings is given as a comma-separated list of pairs "
+ "<quote>username:primary</quote> where <quote>username</quote> is a UNIX user "
+@@ -11939,7 +12163,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
+-#: sssd-krb5.5.xml:541
++#: sssd-krb5.5.xml:575
+ #, no-wrap
+ msgid ""
+ "krb5_realm = REALM\n"
+@@ -11947,7 +12171,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-krb5.5.xml:546
++#: sssd-krb5.5.xml:580
+ msgid ""
+ "<quote>joe</quote> and <quote>dick</quote> are UNIX user names and "
+ "<quote>juser</quote> and <quote>richard</quote> are primaries of kerberos "
+@@ -11967,7 +12191,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd-krb5.5.xml:572
++#: sssd-krb5.5.xml:606
+ msgid ""
+ "The following example assumes that SSSD is correctly configured and FOO is "
+ "one of the domains in the <replaceable>[sssd]</replaceable> section. This "
+@@ -11976,7 +12200,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><programlisting>
+-#: sssd-krb5.5.xml:580
++#: sssd-krb5.5.xml:614
+ #, no-wrap
+ msgid ""
+ "[domain/FOO]\n"
+diff --git a/src/man/po/pt_BR.po b/src/man/po/pt_BR.po
+index a40026400..c86795d95 100644
+--- a/src/man/po/pt_BR.po
++++ b/src/man/po/pt_BR.po
+@@ -4,7 +4,7 @@ msgid ""
+ msgstr ""
+ "Project-Id-Version: sssd-docs 2.0.99\n"
+ "Report-Msgid-Bugs-To: sssd-devel@redhat.com\n"
+-"POT-Creation-Date: 2019-03-20 22:06+0100\n"
++"POT-Creation-Date: 2019-10-07 11:33+0200\n"
+ "PO-Revision-Date: 2017-01-29 10:11+0000\n"
+ "Last-Translator: Rodrigo de Araujo Sousa Fonseca "
+ "<rodrigodearaujo@fedoraproject.org>\n"
+@@ -290,10 +290,10 @@ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:133 sssd.conf.5.xml:543 sssd.conf.5.xml:840
+-#: sssd.conf.5.xml:1566 sssd.conf.5.xml:1596 sssd-ldap.5.xml:1889
+-#: sssd-ldap.5.xml:1986 sssd-ldap.5.xml:2048 sssd-ldap.5.xml:2614
+-#: sssd-ldap.5.xml:2679 sssd-ldap.5.xml:2697 sssd-ad.5.xml:227
+-#: sssd-ad.5.xml:341 sssd-ad.5.xml:907 sssd-krb5.5.xml:499
++#: sssd.conf.5.xml:1566 sssd.conf.5.xml:1596 sssd-ldap.5.xml:1908
++#: sssd-ldap.5.xml:2006 sssd-ldap.5.xml:2068 sssd-ldap.5.xml:2634
++#: sssd-ldap.5.xml:2699 sssd-ldap.5.xml:2717 sssd-ad.5.xml:227
++#: sssd-ad.5.xml:341 sssd-ad.5.xml:926 sssd-krb5.5.xml:499
+ #: sssd-secrets.5.xml:351 sssd-secrets.5.xml:364
+ msgid "Default: true"
+ msgstr ""
+@@ -312,16 +312,16 @@ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:146 sssd.conf.5.xml:540 sssd.conf.5.xml:722
+-#: sssd.conf.5.xml:1499 sssd.conf.5.xml:3106 sssd-ldap.5.xml:746
+-#: sssd-ldap.5.xml:1752 sssd-ldap.5.xml:1771 sssd-ldap.5.xml:1958
+-#: sssd-ldap.5.xml:2384 sssd-ipa.5.xml:151 sssd-ipa.5.xml:238
++#: sssd.conf.5.xml:1499 sssd.conf.5.xml:3129 sssd-ldap.5.xml:746
++#: sssd-ldap.5.xml:1759 sssd-ldap.5.xml:1778 sssd-ldap.5.xml:1978
++#: sssd-ldap.5.xml:2404 sssd-ipa.5.xml:151 sssd-ipa.5.xml:238
+ #: sssd-ipa.5.xml:559 sssd-krb5.5.xml:266 sssd-krb5.5.xml:300
+ #: sssd-krb5.5.xml:471
+ msgid "Default: false"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para>
+-#: sssd.conf.5.xml:106 sssd.conf.5.xml:157 sssd-ldap.5.xml:2422
++#: sssd.conf.5.xml:106 sssd.conf.5.xml:157 sssd-ldap.5.xml:2442
+ #: sssd-systemtap.5.xml:82 sssd-systemtap.5.xml:143 sssd-systemtap.5.xml:210
+ #: sssd-systemtap.5.xml:248 sssd-systemtap.5.xml:304
+ msgid "<placeholder type=\"variablelist\" id=\"0\"/>"
+@@ -346,8 +346,8 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:169 sssd.conf.5.xml:1377 sssd.conf.5.xml:3122
+-#: sssd-ldap.5.xml:1623 include/ldap_id_mapping.xml:264
++#: sssd.conf.5.xml:169 sssd.conf.5.xml:1377 sssd.conf.5.xml:3145
++#: sssd-ldap.5.xml:1630 include/ldap_id_mapping.xml:264
+ msgid "Default: 10"
+ msgstr ""
+ 
+@@ -362,7 +362,7 @@ msgid "The [sssd] section"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><title>
+-#: sssd.conf.5.xml:191 sssd.conf.5.xml:3211
++#: sssd.conf.5.xml:191 sssd.conf.5.xml:3234
+ msgid "Section parameters"
+ msgstr ""
+ 
+@@ -442,7 +442,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:259 sssd.conf.5.xml:2672
++#: sssd.conf.5.xml:259 sssd.conf.5.xml:2680
+ msgid "re_expression (string)"
+ msgstr ""
+ 
+@@ -462,12 +462,12 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:276 sssd.conf.5.xml:2720
++#: sssd.conf.5.xml:276 sssd.conf.5.xml:2728
+ msgid "full_name_format (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:279 sssd.conf.5.xml:2723
++#: sssd.conf.5.xml:279 sssd.conf.5.xml:2731
+ msgid ""
+ "A <citerefentry> <refentrytitle>printf</refentrytitle> <manvolnum>3</"
+ "manvolnum> </citerefentry>-compatible format that describes how to compose a "
+@@ -475,39 +475,39 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:290 sssd.conf.5.xml:2734
++#: sssd.conf.5.xml:290 sssd.conf.5.xml:2742
+ msgid "%1$s"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:291 sssd.conf.5.xml:2735
++#: sssd.conf.5.xml:291 sssd.conf.5.xml:2743
+ msgid "user name"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:294 sssd.conf.5.xml:2738
++#: sssd.conf.5.xml:294 sssd.conf.5.xml:2746
+ msgid "%2$s"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:297 sssd.conf.5.xml:2741
++#: sssd.conf.5.xml:297 sssd.conf.5.xml:2749
+ msgid "domain name as specified in the SSSD config file."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:303 sssd.conf.5.xml:2747
++#: sssd.conf.5.xml:303 sssd.conf.5.xml:2755
+ msgid "%3$s"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:306 sssd.conf.5.xml:2750
++#: sssd.conf.5.xml:306 sssd.conf.5.xml:2758
+ msgid ""
+ "domain flat name. Mostly usable for Active Directory domains, both directly "
+ "configured or discovered via IPA trusts."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:287 sssd.conf.5.xml:2731
++#: sssd.conf.5.xml:287 sssd.conf.5.xml:2739
+ msgid ""
+ "The following expansions are supported: <placeholder type=\"variablelist\" "
+ "id=\"0\"/>"
+@@ -632,9 +632,9 @@ msgstr ""
+ 
+ #. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:418 sssd.conf.5.xml:1166 sssd-ldap.5.xml:717
+-#: sssd-ldap.5.xml:1357 sssd-ldap.5.xml:1711 sssd-ldap.5.xml:1723
+-#: sssd-ldap.5.xml:1805 sssd-ad.5.xml:712 sssd-ad.5.xml:787 sssd.8.xml:126
+-#: sssd-krb5.5.xml:410 sssd-krb5.5.xml:556 sssd-secrets.5.xml:339
++#: sssd-ldap.5.xml:1357 sssd-ldap.5.xml:1718 sssd-ldap.5.xml:1730
++#: sssd-ldap.5.xml:1822 sssd-ad.5.xml:731 sssd-ad.5.xml:806 sssd.8.xml:126
++#: sssd-krb5.5.xml:410 sssd-krb5.5.xml:590 sssd-secrets.5.xml:339
+ #: sssd-secrets.5.xml:377 sssd-secrets.5.xml:390 sssd-secrets.5.xml:404
+ #: sssd-secrets.5.xml:415 include/ldap_id_mapping.xml:205
+ #: include/ldap_id_mapping.xml:216
+@@ -825,7 +825,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:588 sssd.conf.5.xml:1389 sssd.conf.5.xml:3172
++#: sssd.conf.5.xml:588 sssd.conf.5.xml:1389 sssd.conf.5.xml:3195
+ #: sssd-ad.5.xml:164 sssd-ad.5.xml:302 sssd-ad.5.xml:316
+ msgid "Default: Not set"
+ msgstr ""
+@@ -1147,7 +1147,7 @@ msgstr ""
+ 
+ #. type: Content of: <varlistentry><listitem><para>
+ #: sssd.conf.5.xml:859 sssd.conf.5.xml:1299 sssd.conf.5.xml:1318
+-#: sssd-krb5.5.xml:539 include/override_homedir.xml:59
++#: sssd-krb5.5.xml:573 include/override_homedir.xml:59
+ msgid "example: <placeholder type=\"programlisting\" id=\"0\"/>"
+ msgstr ""
+ 
+@@ -1568,7 +1568,7 @@ msgid "pam_pwd_expiration_warning (integer)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:1201 sssd.conf.5.xml:2153
++#: sssd.conf.5.xml:1201 sssd.conf.5.xml:2161
+ msgid "Display a warning N days before the password expires."
+ msgstr ""
+ 
+@@ -1581,7 +1581,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:1210 sssd.conf.5.xml:2156
++#: sssd.conf.5.xml:1210 sssd.conf.5.xml:2164
+ msgid ""
+ "If zero is set, then this filter is not applied, i.e. if the expiration "
+ "warning was received from backend server, it will automatically be displayed."
+@@ -1595,7 +1595,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:1220 sssd.conf.5.xml:2976 sssd.8.xml:79
++#: sssd.conf.5.xml:1220 sssd.conf.5.xml:2991 sssd.8.xml:79
+ msgid "Default: 0"
+ msgstr ""
+ 
+@@ -1658,7 +1658,7 @@ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:1280 sssd.conf.5.xml:1305 sssd.conf.5.xml:1324
+-#: sssd.conf.5.xml:1950 sssd.conf.5.xml:2912 sssd-ldap.5.xml:2017
++#: sssd.conf.5.xml:1950 sssd.conf.5.xml:2920 sssd-ldap.5.xml:2037
+ msgid "Default: none"
+ msgstr ""
+ 
+@@ -1723,9 +1723,9 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:1338 sssd.conf.5.xml:3056 sssd-ldap.5.xml:1125
+-#: sssd-ldap.5.xml:1152 sssd-ldap.5.xml:1552 sssd-ldap.5.xml:1573
+-#: sssd-ldap.5.xml:2090 include/ldap_id_mapping.xml:244
++#: sssd.conf.5.xml:1338 sssd-ldap.5.xml:1125 sssd-ldap.5.xml:1152
++#: sssd-ldap.5.xml:1552 sssd-ldap.5.xml:1573 sssd-ldap.5.xml:2110
++#: sssd-ad.5.xml:453 include/ldap_id_mapping.xml:244
+ msgid "Default: False"
+ msgstr ""
+ 
+@@ -1823,48 +1823,48 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:1416 sssd-ad.5.xml:485 sssd-ad.5.xml:581 sssd-ad.5.xml:627
+-#: sssd-ad.5.xml:673 sssd-ad.5.xml:739
++#: sssd.conf.5.xml:1416 sssd-ad.5.xml:504 sssd-ad.5.xml:600 sssd-ad.5.xml:646
++#: sssd-ad.5.xml:692 sssd-ad.5.xml:758
+ msgid "Default: the default set of PAM service names includes:"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd.conf.5.xml:1421 sssd-ad.5.xml:489
++#: sssd.conf.5.xml:1421 sssd-ad.5.xml:508
+ msgid "login"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd.conf.5.xml:1426 sssd-ad.5.xml:494
++#: sssd.conf.5.xml:1426 sssd-ad.5.xml:513
+ msgid "su"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd.conf.5.xml:1431 sssd-ad.5.xml:499
++#: sssd.conf.5.xml:1431 sssd-ad.5.xml:518
+ msgid "su-l"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd.conf.5.xml:1436 sssd-ad.5.xml:514
++#: sssd.conf.5.xml:1436 sssd-ad.5.xml:533
+ msgid "gdm-smartcard"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd.conf.5.xml:1441 sssd-ad.5.xml:509
++#: sssd.conf.5.xml:1441 sssd-ad.5.xml:528
+ msgid "gdm-password"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd.conf.5.xml:1446 sssd-ad.5.xml:519
++#: sssd.conf.5.xml:1446 sssd-ad.5.xml:538
+ msgid "kdm"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd.conf.5.xml:1451 sssd-ad.5.xml:748
++#: sssd.conf.5.xml:1451 sssd-ad.5.xml:767
+ msgid "sudo"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd.conf.5.xml:1456 sssd-ad.5.xml:753
++#: sssd.conf.5.xml:1456 sssd-ad.5.xml:772
+ msgid "sudo-i"
+ msgstr ""
+ 
+@@ -2307,7 +2307,7 @@ msgid "FALSE = No enumerations for this domain"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:1886 sssd.conf.5.xml:2108 sssd.conf.5.xml:2283
++#: sssd.conf.5.xml:1886 sssd.conf.5.xml:2116 sssd.conf.5.xml:2291
+ msgid "Default: FALSE"
+ msgstr ""
+ 
+@@ -2523,41 +2523,49 @@ msgstr ""
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:2083
+ msgid ""
+-"The background refresh will process users, groups and netgroups in the cache."
++"The background refresh will process users, groups and netgroups in the "
++"cache. For users who have performed the initgroups (get group membership for "
++"user, typically ran at login)  operation in the past, both the user entry "
++"and the group membership are updated."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2087
++#: sssd.conf.5.xml:2091
++msgid "This option is automatically inherited for all trusted domains."
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
++#: sssd.conf.5.xml:2095
+ msgid "You can consider setting this value to 3/4 * entry_cache_timeout."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2091 sssd-ldap.5.xml:784 sssd-ipa.5.xml:254
++#: sssd.conf.5.xml:2099 sssd-ldap.5.xml:784 sssd-ipa.5.xml:254
+ msgid "Default: 0 (disabled)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2097
++#: sssd.conf.5.xml:2105
+ msgid "cache_credentials (bool)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2100
++#: sssd.conf.5.xml:2108
+ msgid "Determines if user credentials are also cached in the local LDB cache"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2104
++#: sssd.conf.5.xml:2112
+ msgid "User credentials are stored in a SHA512 hash, not in plaintext"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2114
++#: sssd.conf.5.xml:2122
+ msgid "cache_credentials_minimal_first_factor_length (int)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2117
++#: sssd.conf.5.xml:2125
+ msgid ""
+ "If 2-Factor-Authentication (2FA) is used and credentials should be saved "
+ "this value determines the minimal length the first authentication factor "
+@@ -2565,24 +2573,24 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2124
++#: sssd.conf.5.xml:2132
+ msgid ""
+ "This should avoid that the short PINs of a PIN based 2FA scheme are saved in "
+ "the cache which would make them easy targets for brute-force attacks."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2129
++#: sssd.conf.5.xml:2137
+ msgid "Default: 8"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2135
++#: sssd.conf.5.xml:2143
+ msgid "account_cache_expiration (integer)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2138
++#: sssd.conf.5.xml:2146
+ msgid ""
+ "Number of days entries are left in cache after last successful login before "
+ "being removed during a cleanup of the cache. 0 means keep forever.  The "
+@@ -2591,17 +2599,17 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2145
++#: sssd.conf.5.xml:2153
+ msgid "Default: 0 (unlimited)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2150
++#: sssd.conf.5.xml:2158
+ msgid "pwd_expiration_warning (integer)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2161
++#: sssd.conf.5.xml:2169
+ msgid ""
+ "Please note that the backend server has to provide information about the "
+ "expiration time of the password.  If this information is missing, sssd "
+@@ -2610,34 +2618,34 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2168
++#: sssd.conf.5.xml:2176
+ msgid "Default: 7 (Kerberos), 0 (LDAP)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2174
++#: sssd.conf.5.xml:2182
+ msgid "id_provider (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2177
++#: sssd.conf.5.xml:2185
+ msgid ""
+ "The identification provider used for the domain.  Supported ID providers are:"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2181
++#: sssd.conf.5.xml:2189
+ msgid "<quote>proxy</quote>: Support a legacy NSS provider."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2184
++#: sssd.conf.5.xml:2192
+ msgid ""
+ "<quote>local</quote>: SSSD internal provider for local users (DEPRECATED)."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2188
++#: sssd.conf.5.xml:2196
+ msgid ""
+ "<quote>files</quote>: FILES provider. See <citerefentry> <refentrytitle>sssd-"
+ "files</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> for more "
+@@ -2645,7 +2653,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2196
++#: sssd.conf.5.xml:2204
+ msgid ""
+ "<quote>ldap</quote>: LDAP provider. See <citerefentry> <refentrytitle>sssd-"
+ "ldap</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> for more "
+@@ -2653,8 +2661,8 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2204 sssd.conf.5.xml:2309 sssd.conf.5.xml:2364
+-#: sssd.conf.5.xml:2427
++#: sssd.conf.5.xml:2212 sssd.conf.5.xml:2317 sssd.conf.5.xml:2372
++#: sssd.conf.5.xml:2435
+ msgid ""
+ "<quote>ipa</quote>: FreeIPA and Red Hat Enterprise Identity Management "
+ "provider. See <citerefentry> <refentrytitle>sssd-ipa</refentrytitle> "
+@@ -2663,8 +2671,8 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2213 sssd.conf.5.xml:2318 sssd.conf.5.xml:2373
+-#: sssd.conf.5.xml:2436
++#: sssd.conf.5.xml:2221 sssd.conf.5.xml:2326 sssd.conf.5.xml:2381
++#: sssd.conf.5.xml:2444
+ msgid ""
+ "<quote>ad</quote>: Active Directory provider. See <citerefentry> "
+ "<refentrytitle>sssd-ad</refentrytitle> <manvolnum>5</manvolnum> </"
+@@ -2672,19 +2680,19 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2224
++#: sssd.conf.5.xml:2232
+ msgid "use_fully_qualified_names (bool)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2227
++#: sssd.conf.5.xml:2235
+ msgid ""
+ "Use the full name and domain (as formatted by the domain's full_name_format) "
+ "as the user's login name reported to NSS."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2232
++#: sssd.conf.5.xml:2240
+ msgid ""
+ "If set to TRUE, all requests to this domain must use fully qualified names. "
+ "For example, if used in LOCAL domain that contains a \"test\" user, "
+@@ -2693,7 +2701,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2240
++#: sssd.conf.5.xml:2248
+ msgid ""
+ "NOTE: This option has no effect on netgroup lookups due to their tendency to "
+ "include nested netgroups without qualified names. For netgroups, all domains "
+@@ -2701,22 +2709,22 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2247
++#: sssd.conf.5.xml:2255
+ msgid "Default: FALSE (TRUE if default_domain_suffix is used)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2253
++#: sssd.conf.5.xml:2261
+ msgid "ignore_group_members (bool)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2256
++#: sssd.conf.5.xml:2264
+ msgid "Do not return group members for group lookups."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2259
++#: sssd.conf.5.xml:2267
+ msgid ""
+ "If set to TRUE, the group membership attribute is not requested from the "
+ "ldap server, and group members are not returned when processing group lookup "
+@@ -2728,7 +2736,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2277
++#: sssd.conf.5.xml:2285
+ msgid ""
+ "Enabling this option can also make access provider checks for group "
+ "membership significantly faster, especially for groups containing many "
+@@ -2736,19 +2744,19 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2288
++#: sssd.conf.5.xml:2296
+ msgid "auth_provider (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2291
++#: sssd.conf.5.xml:2299
+ msgid ""
+ "The authentication provider used for the domain.  Supported auth providers "
+ "are:"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2295 sssd.conf.5.xml:2357
++#: sssd.conf.5.xml:2303 sssd.conf.5.xml:2365
+ msgid ""
+ "<quote>ldap</quote> for native LDAP authentication. See <citerefentry> "
+ "<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
+@@ -2756,7 +2764,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2302
++#: sssd.conf.5.xml:2310
+ msgid ""
+ "<quote>krb5</quote> for Kerberos authentication. See <citerefentry> "
+ "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </"
+@@ -2764,35 +2772,35 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2326
++#: sssd.conf.5.xml:2334
+ msgid ""
+ "<quote>proxy</quote> for relaying authentication to some other PAM target."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2329
++#: sssd.conf.5.xml:2337
+ msgid "<quote>local</quote>: SSSD internal provider for local users"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2333
++#: sssd.conf.5.xml:2341
+ msgid "<quote>none</quote> disables authentication explicitly."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2336
++#: sssd.conf.5.xml:2344
+ msgid ""
+ "Default: <quote>id_provider</quote> is used if it is set and can handle "
+ "authentication requests."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2342
++#: sssd.conf.5.xml:2350
+ msgid "access_provider (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2345
++#: sssd.conf.5.xml:2353
+ msgid ""
+ "The access control provider used for the domain.  There are two built-in "
+ "access providers (in addition to any included in installed backends)  "
+@@ -2800,19 +2808,19 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2351
++#: sssd.conf.5.xml:2359
+ msgid ""
+ "<quote>permit</quote> always allow access. It's the only permitted access "
+ "provider for a local domain."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2354
++#: sssd.conf.5.xml:2362
+ msgid "<quote>deny</quote> always deny access."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2381
++#: sssd.conf.5.xml:2389
+ msgid ""
+ "<quote>simple</quote> access control based on access or deny lists. See "
+ "<citerefentry> <refentrytitle>sssd-simple</refentrytitle> <manvolnum>5</"
+@@ -2821,7 +2829,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2388
++#: sssd.conf.5.xml:2396
+ msgid ""
+ "<quote>krb5</quote>: .k5login based access control.  See <citerefentry> "
+ "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum></"
+@@ -2829,29 +2837,29 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2395
++#: sssd.conf.5.xml:2403
+ msgid "<quote>proxy</quote> for relaying access control to another PAM module."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2398
++#: sssd.conf.5.xml:2406
+ msgid "Default: <quote>permit</quote>"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2403
++#: sssd.conf.5.xml:2411
+ msgid "chpass_provider (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2406
++#: sssd.conf.5.xml:2414
+ msgid ""
+ "The provider which should handle change password operations for the domain.  "
+ "Supported change password providers are:"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2411
++#: sssd.conf.5.xml:2419
+ msgid ""
+ "<quote>ldap</quote> to change a password stored in a LDAP server. See "
+ "<citerefentry> <refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</"
+@@ -2859,7 +2867,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2419
++#: sssd.conf.5.xml:2427
+ msgid ""
+ "<quote>krb5</quote> to change the Kerberos password. See <citerefentry> "
+ "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </"
+@@ -2867,35 +2875,35 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2444
++#: sssd.conf.5.xml:2452
+ msgid ""
+ "<quote>proxy</quote> for relaying password changes to some other PAM target."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2448
++#: sssd.conf.5.xml:2456
+ msgid "<quote>none</quote> disallows password changes explicitly."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2451
++#: sssd.conf.5.xml:2459
+ msgid ""
+ "Default: <quote>auth_provider</quote> is used if it is set and can handle "
+ "change password requests."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2458
++#: sssd.conf.5.xml:2466
+ msgid "sudo_provider (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2461
++#: sssd.conf.5.xml:2469
+ msgid "The SUDO provider used for the domain.  Supported SUDO providers are:"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2465
++#: sssd.conf.5.xml:2473
+ msgid ""
+ "<quote>ldap</quote> for rules stored in LDAP. See <citerefentry> "
+ "<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
+@@ -2903,32 +2911,32 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2473
++#: sssd.conf.5.xml:2481
+ msgid ""
+ "<quote>ipa</quote> the same as <quote>ldap</quote> but with IPA default "
+ "settings."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2477
++#: sssd.conf.5.xml:2485
+ msgid ""
+ "<quote>ad</quote> the same as <quote>ldap</quote> but with AD default "
+ "settings."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2481
++#: sssd.conf.5.xml:2489
+ msgid "<quote>none</quote> disables SUDO explicitly."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2484 sssd.conf.5.xml:2570 sssd.conf.5.xml:2640
+-#: sssd.conf.5.xml:2665
++#: sssd.conf.5.xml:2492 sssd.conf.5.xml:2578 sssd.conf.5.xml:2648
++#: sssd.conf.5.xml:2673
+ msgid "Default: The value of <quote>id_provider</quote> is used if it is set."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2488
++#: sssd.conf.5.xml:2496
+ msgid ""
+ "The detailed instructions for configuration of sudo_provider are in the "
+ "manual page <citerefentry> <refentrytitle>sssd-sudo</refentrytitle> "
+@@ -2939,7 +2947,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2503
++#: sssd.conf.5.xml:2511
+ msgid ""
+ "<emphasis>NOTE:</emphasis> Sudo rules are periodically downloaded in the "
+ "background unless the sudo provider is explicitly disabled. Set "
+@@ -2948,12 +2956,12 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2513
++#: sssd.conf.5.xml:2521
+ msgid "selinux_provider (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2516
++#: sssd.conf.5.xml:2524
+ msgid ""
+ "The provider which should handle loading of selinux settings. Note that this "
+ "provider will be called right after access provider ends.  Supported selinux "
+@@ -2961,7 +2969,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2522
++#: sssd.conf.5.xml:2530
+ msgid ""
+ "<quote>ipa</quote> to load selinux settings from an IPA server. See "
+ "<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</"
+@@ -2969,31 +2977,31 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2530
++#: sssd.conf.5.xml:2538
+ msgid "<quote>none</quote> disallows fetching selinux settings explicitly."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2533
++#: sssd.conf.5.xml:2541
+ msgid ""
+ "Default: <quote>id_provider</quote> is used if it is set and can handle "
+ "selinux loading requests."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2539
++#: sssd.conf.5.xml:2547
+ msgid "subdomains_provider (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2542
++#: sssd.conf.5.xml:2550
+ msgid ""
+ "The provider which should handle fetching of subdomains. This value should "
+ "be always the same as id_provider.  Supported subdomain providers are:"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2548
++#: sssd.conf.5.xml:2556
+ msgid ""
+ "<quote>ipa</quote> to load a list of subdomains from an IPA server. See "
+ "<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</"
+@@ -3001,7 +3009,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2557
++#: sssd.conf.5.xml:2565
+ msgid ""
+ "<quote>ad</quote> to load a list of subdomains from an Active Directory "
+ "server. See <citerefentry> <refentrytitle>sssd-ad</refentrytitle> "
+@@ -3010,17 +3018,17 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2566
++#: sssd.conf.5.xml:2574
+ msgid "<quote>none</quote> disallows fetching subdomains explicitly."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2576
++#: sssd.conf.5.xml:2584
+ msgid "session_provider (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2579
++#: sssd.conf.5.xml:2587
+ msgid ""
+ "The provider which configures and manages user session related tasks. The "
+ "only user session task currently provided is the integration with Fleet "
+@@ -3028,43 +3036,43 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2586
++#: sssd.conf.5.xml:2594
+ msgid "<quote>ipa</quote> to allow performing user session related tasks."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2590
++#: sssd.conf.5.xml:2598
+ msgid ""
+ "<quote>none</quote> does not perform any kind of user session related tasks."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2594
++#: sssd.conf.5.xml:2602
+ msgid ""
+ "Default: <quote>id_provider</quote> is used if it is set and can perform "
+ "session related tasks."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2598
++#: sssd.conf.5.xml:2606
+ msgid ""
+ "<emphasis>NOTE:</emphasis> In order to have this feature working as expected "
+ "SSSD must be running as \"root\" and not as the unprivileged user."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2606
++#: sssd.conf.5.xml:2614
+ msgid "autofs_provider (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2609
++#: sssd.conf.5.xml:2617
+ msgid ""
+ "The autofs provider used for the domain.  Supported autofs providers are:"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2613
++#: sssd.conf.5.xml:2621
+ msgid ""
+ "<quote>ldap</quote> to load maps stored in LDAP. See <citerefentry> "
+ "<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
+@@ -3072,7 +3080,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2620
++#: sssd.conf.5.xml:2628
+ msgid ""
+ "<quote>ipa</quote> to load maps stored in an IPA server. See <citerefentry> "
+ "<refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</manvolnum> </"
+@@ -3080,7 +3088,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2628
++#: sssd.conf.5.xml:2636
+ msgid ""
+ "<quote>ad</quote> to load maps stored in an AD server. See <citerefentry> "
+ "<refentrytitle>sssd-ad</refentrytitle> <manvolnum>5</manvolnum> </"
+@@ -3088,24 +3096,24 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2637
++#: sssd.conf.5.xml:2645
+ msgid "<quote>none</quote> disables autofs explicitly."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2647
++#: sssd.conf.5.xml:2655
+ msgid "hostid_provider (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2650
++#: sssd.conf.5.xml:2658
+ msgid ""
+ "The provider used for retrieving host identity information.  Supported "
+ "hostid providers are:"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2654
++#: sssd.conf.5.xml:2662
+ msgid ""
+ "<quote>ipa</quote> to load host identity stored in an IPA server. See "
+ "<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</"
+@@ -3113,12 +3121,12 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2662
++#: sssd.conf.5.xml:2670
+ msgid "<quote>none</quote> disables hostid explicitly."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2675
++#: sssd.conf.5.xml:2683
+ msgid ""
+ "Regular expression for this domain that describes how to parse the string "
+ "containing user name and domain into these components.  The \"domain\" can "
+@@ -3128,7 +3136,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2684
++#: sssd.conf.5.xml:2692
+ msgid ""
+ "Default for the AD and IPA provider: <quote>(((?P&lt;domain&gt;[^\\\\]+)\\"
+ "\\(?P&lt;name&gt;.+$))|((?P&lt;name&gt;[^@]+)@(?P&lt;domain&gt;.+$))|(^(?"
+@@ -3137,29 +3145,29 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd.conf.5.xml:2689
++#: sssd.conf.5.xml:2697
+ msgid "username"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd.conf.5.xml:2692
++#: sssd.conf.5.xml:2700
+ msgid "username@domain.name"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd.conf.5.xml:2695
++#: sssd.conf.5.xml:2703
+ msgid "domain\\username"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2698
++#: sssd.conf.5.xml:2706
+ msgid ""
+ "While the first two correspond to the general default the third one is "
+ "introduced to allow easy integration of users from Windows domains."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2703
++#: sssd.conf.5.xml:2711
+ msgid ""
+ "Default: <quote>(?P&lt;name&gt;[^@]+)@?(?P&lt;domain&gt;[^@]*$)</quote> "
+ "which translates to \"the name is everything up to the <quote>@</quote> "
+@@ -3167,7 +3175,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2709
++#: sssd.conf.5.xml:2717
+ msgid ""
+ "NOTE: Some Active Directory groups, typically those used for MS Exchange "
+ "contain an <quote>@</quote> sign in the name, which clashes with the default "
+@@ -3177,59 +3185,59 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2760
++#: sssd.conf.5.xml:2768
+ msgid "Default: <quote>%1$s@%2$s</quote>."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2766
++#: sssd.conf.5.xml:2774
+ msgid "lookup_family_order (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2769
++#: sssd.conf.5.xml:2777
+ msgid ""
+ "Provides the ability to select preferred address family to use when "
+ "performing DNS lookups."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2773
++#: sssd.conf.5.xml:2781
+ msgid "Supported values:"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2776
++#: sssd.conf.5.xml:2784
+ msgid "ipv4_first: Try looking up IPv4 address, if that fails, try IPv6"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2779
++#: sssd.conf.5.xml:2787
+ msgid "ipv4_only: Only attempt to resolve hostnames to IPv4 addresses."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2782
++#: sssd.conf.5.xml:2790
+ msgid "ipv6_first: Try looking up IPv6 address, if that fails, try IPv4"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2785
++#: sssd.conf.5.xml:2793
+ msgid "ipv6_only: Only attempt to resolve hostnames to IPv6 addresses."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2788
++#: sssd.conf.5.xml:2796
+ msgid "Default: ipv4_first"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2794
++#: sssd.conf.5.xml:2802
+ msgid "dns_resolver_timeout (integer)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2797
++#: sssd.conf.5.xml:2805
+ msgid ""
+ "Defines the amount of time (in seconds) to wait for a reply from the "
+ "internal fail over service before assuming that the service is unreachable. "
+@@ -3238,77 +3246,77 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2804
++#: sssd.conf.5.xml:2812
+ msgid ""
+ "Please see the section <quote>FAILOVER</quote> for more information about "
+ "the service resolution."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2809 sssd-ldap.5.xml:1434 sssd-ldap.5.xml:1476
++#: sssd.conf.5.xml:2817 sssd-ldap.5.xml:1434 sssd-ldap.5.xml:1476
+ #: sssd-ldap.5.xml:1494 sssd-krb5.5.xml:248
+ msgid "Default: 6"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2815
++#: sssd.conf.5.xml:2823
+ msgid "dns_discovery_domain (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2818
++#: sssd.conf.5.xml:2826
+ msgid ""
+ "If service discovery is used in the back end, specifies the domain part of "
+ "the service discovery DNS query."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2822
++#: sssd.conf.5.xml:2830
+ msgid "Default: Use the domain part of machine's hostname"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2828
++#: sssd.conf.5.xml:2836
+ msgid "override_gid (integer)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2831
++#: sssd.conf.5.xml:2839
+ msgid "Override the primary GID value with the one specified."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2837
++#: sssd.conf.5.xml:2845
+ msgid "case_sensitive (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2845
++#: sssd.conf.5.xml:2853
+ msgid "True"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2848
++#: sssd.conf.5.xml:2856
+ msgid "Case sensitive. This value is invalid for AD provider."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2854
++#: sssd.conf.5.xml:2862
+ msgid "False"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2856
++#: sssd.conf.5.xml:2864
+ msgid "Case insensitive."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2860
++#: sssd.conf.5.xml:2868
+ msgid "Preserving"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2863
++#: sssd.conf.5.xml:2871
+ msgid ""
+ "Same as False (case insensitive), but does not lowercase names in the result "
+ "of NSS operations. Note that name aliases (and in case of services also "
+@@ -3316,7 +3324,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2840
++#: sssd.conf.5.xml:2848
+ msgid ""
+ "Treat user and group names as case sensitive. At the moment, this option is "
+ "not supported in the local provider. Possible option values are: "
+@@ -3324,17 +3332,17 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2875
++#: sssd.conf.5.xml:2883
+ msgid "Default: True (False for AD provider)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2881
++#: sssd.conf.5.xml:2889
+ msgid "subdomain_inherit (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2884
++#: sssd.conf.5.xml:2892
+ msgid ""
+ "Specifies a list of configuration parameters that should be inherited by a "
+ "subdomain. Please note that only selected parameters can be inherited.  "
+@@ -3342,34 +3350,34 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2890
++#: sssd.conf.5.xml:2898
+ msgid "ignore_group_members"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2893
++#: sssd.conf.5.xml:2901
+ msgid "ldap_purge_cache_timeout"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2896 sssd-ldap.5.xml:1158
++#: sssd.conf.5.xml:2904 sssd-ldap.5.xml:1158
+ msgid "ldap_use_tokengroups"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2899
++#: sssd.conf.5.xml:2907
+ msgid "ldap_user_principal"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2902
++#: sssd.conf.5.xml:2910
+ msgid ""
+ "ldap_krb5_keytab (the value of krb5_keytab will be used if ldap_krb5_keytab "
+ "is not set explicitly)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
+-#: sssd.conf.5.xml:2908
++#: sssd.conf.5.xml:2916
+ #, no-wrap
+ msgid ""
+ "subdomain_inherit = ldap_purge_cache_timeout\n"
+@@ -3377,32 +3385,32 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2906 sssd-secrets.5.xml:448
++#: sssd.conf.5.xml:2914 sssd-secrets.5.xml:448
+ msgid "Example: <placeholder type=\"programlisting\" id=\"0\"/>"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2915
++#: sssd.conf.5.xml:2923
+ msgid "Note: This option only works with the IPA and AD provider."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2922
++#: sssd.conf.5.xml:2930
+ msgid "subdomain_homedir (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2933
++#: sssd.conf.5.xml:2941
+ msgid "%F"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2934
++#: sssd.conf.5.xml:2942
+ msgid "flat (NetBIOS) name of a subdomain."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2925
++#: sssd.conf.5.xml:2933
+ msgid ""
+ "Use this homedir as default value for all subdomains within this domain in "
+ "IPA AD trust.  See <emphasis>override_homedir</emphasis> for info about "
+@@ -3412,47 +3420,55 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2939
++#: sssd.conf.5.xml:2947
+ msgid ""
+ "The value can be overridden by <emphasis>override_homedir</emphasis> option."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2943
++#: sssd.conf.5.xml:2951
+ msgid "Default: <filename>/home/%d/%u</filename>"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2948
++#: sssd.conf.5.xml:2956
+ msgid "realmd_tags (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2951
++#: sssd.conf.5.xml:2959
+ msgid ""
+ "Various tags stored by the realmd configuration service for this domain."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2957
++#: sssd.conf.5.xml:2965
+ msgid "cached_auth_timeout (int)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2960
++#: sssd.conf.5.xml:2968
+ msgid ""
+ "Specifies time in seconds since last successful online authentication for "
+ "which user will be authenticated using cached credentials while SSSD is in "
+-"the online mode."
++"the online mode. If the credentials are incorrect, SSSD falls back to online "
++"authentication."
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
++#: sssd.conf.5.xml:2976
++msgid ""
++"This option's value is inherited by all trusted domains. At the moment it is "
++"not possible to set a different value per trusted domain."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2966
++#: sssd.conf.5.xml:2981
+ msgid "Special value 0 implies that this feature is disabled."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2970
++#: sssd.conf.5.xml:2985
+ msgid ""
+ "Please note that if <quote>cached_auth_timeout</quote> is longer than "
+ "<quote>pam_id_timeout</quote> then the back end could be called to handle "
+@@ -3460,41 +3476,50 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2981
++#: sssd.conf.5.xml:2996
+ msgid "auto_private_groups (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2987
++#: sssd.conf.5.xml:3002
+ msgid "true"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2990
++#: sssd.conf.5.xml:3005
+ msgid ""
+ "Create user's private group unconditionally from user's UID number.  The GID "
+ "number is ignored in this case."
+ msgstr ""
+ 
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
++#: sssd.conf.5.xml:3009
++msgid ""
++"NOTE: Because the GID number and the user private group are inferred from "
++"the UID number, it is not supported to have multiple entries with the same "
++"UID or GID number with this option. In other words, enabling this option "
++"enforces uniqueness across the ID space."
++msgstr ""
++
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2996
++#: sssd.conf.5.xml:3018
+ msgid "false"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2999
++#: sssd.conf.5.xml:3021
+ msgid ""
+ "Always use the user's primary GID number. The GID number must refer to a "
+ "group object in the LDAP database."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:3005
++#: sssd.conf.5.xml:3027
+ msgid "hybrid"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3008
++#: sssd.conf.5.xml:3030
+ msgid ""
+ "A primary group is autogenerated for user entries whose UID and GID numbers "
+ "have the same value and at the same time the GID number does not correspond "
+@@ -3504,14 +3529,14 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3021
++#: sssd.conf.5.xml:3043
+ msgid ""
+ "If the UID and GID of a user are different, then the GID must correspond to "
+ "a group entry, otherwise the GID is simply not resolvable."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3028
++#: sssd.conf.5.xml:3050
+ msgid ""
+ "This feature is useful for environments that wish to stop maintaining a "
+ "separate group objects for the user private groups, but also wish to retain "
+@@ -3519,34 +3544,43 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2984
++#: sssd.conf.5.xml:2999
+ msgid ""
+ "This option takes any of three available values: <placeholder type="
+ "\"variablelist\" id=\"0\"/>"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3040
++#: sssd.conf.5.xml:3062
+ msgid ""
+-"For POSIX subdomains, setting the option in the main domain is inherited in "
+-"the subdomain."
++"For subdomains, the default value is False for subdomains that use assigned "
++"POSIX IDs and True for subdomains that use automatic ID-mapping."
+ msgstr ""
+ 
+-#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3044
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
++#: sssd.conf.5.xml:3070
++#, no-wrap
++msgid ""
++"[domain/forest.domain/sub.domain]\n"
++"auto_private_groups = false\n"
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
++#: sssd.conf.5.xml:3076
++#, no-wrap
+ msgid ""
+-"For ID-mapping subdomains, auto_private_groups is already enabled for the "
+-"subdomains and setting it to false will not have any effect for the "
+-"subdomain."
++"[domain/forest.domain]\n"
++"subdomain_inherit = auto_private_groups\n"
++"auto_private_groups = false\n"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3049
++#: sssd.conf.5.xml:3067
+ msgid ""
+-"NOTE: Because the GID number and the user private group are inferred from "
+-"the UID number, it is not supported to have multiple entries with the same "
+-"UID or GID number with this option. In other words, enabling this option "
+-"enforces uniqueness across the ID space."
++"The value of auto_private_groups can either be set per subdomains in a "
++"subsection, for example: <placeholder type=\"programlisting\" id=\"0\"/> or "
++"globally for all subdomains in the main domain section using the "
++"subdomain_inherit option: <placeholder type=\"programlisting\" id=\"1\"/>"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+@@ -3558,29 +3592,29 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:3068
++#: sssd.conf.5.xml:3091
+ msgid "proxy_pam_target (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3071
++#: sssd.conf.5.xml:3094
+ msgid "The proxy target PAM proxies to."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3074
++#: sssd.conf.5.xml:3097
+ msgid ""
+ "Default: not set by default, you have to take an existing pam configuration "
+ "or create a new one and add the service name here."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:3082
++#: sssd.conf.5.xml:3105
+ msgid "proxy_lib_name (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3085
++#: sssd.conf.5.xml:3108
+ msgid ""
+ "The name of the NSS library to use in proxy domains. The NSS functions "
+ "searched for in the library are in the form of _nss_$(libName)_$(function), "
+@@ -3588,12 +3622,12 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:3095
++#: sssd.conf.5.xml:3118
+ msgid "proxy_fast_alias (boolean)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3098
++#: sssd.conf.5.xml:3121
+ msgid ""
+ "When a user or group is looked up by name in the proxy provider, a second "
+ "lookup by ID is performed to \"canonicalize\" the name in case the requested "
+@@ -3602,12 +3636,12 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:3112
++#: sssd.conf.5.xml:3135
+ msgid "proxy_max_children (integer)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3115
++#: sssd.conf.5.xml:3138
+ msgid ""
+ "This option specifies the number of pre-forked proxy children. It is useful "
+ "for high-load SSSD environments where sssd may run out of available child "
+@@ -3615,19 +3649,19 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd.conf.5.xml:3064
++#: sssd.conf.5.xml:3087
+ msgid ""
+ "Options valid for proxy domains.  <placeholder type=\"variablelist\" id="
+ "\"0\"/>"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><title>
+-#: sssd.conf.5.xml:3131
++#: sssd.conf.5.xml:3154
+ msgid "Application domains"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para>
+-#: sssd.conf.5.xml:3133
++#: sssd.conf.5.xml:3156
+ msgid ""
+ "SSSD, with its D-Bus interface (see <citerefentry> <refentrytitle>sssd-ifp</"
+ "refentrytitle> <manvolnum>5</manvolnum> </citerefentry>) is appealing to "
+@@ -3644,7 +3678,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para>
+-#: sssd.conf.5.xml:3153
++#: sssd.conf.5.xml:3176
+ msgid ""
+ "Please note that the application domain must still be explicitly enabled in "
+ "the <quote>domains</quote> parameter so that the lookup order between the "
+@@ -3652,17 +3686,17 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><title>
+-#: sssd.conf.5.xml:3159
++#: sssd.conf.5.xml:3182
+ msgid "Application domain parameters"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:3161
++#: sssd.conf.5.xml:3184
+ msgid "inherit_from (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3164
++#: sssd.conf.5.xml:3187
+ msgid ""
+ "The SSSD POSIX-type domain the application domain inherits all settings "
+ "from. The application domain can moreover add its own settings to the "
+@@ -3671,7 +3705,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para>
+-#: sssd.conf.5.xml:3178
++#: sssd.conf.5.xml:3201
+ msgid ""
+ "The following example illustrates the use of an application domain. In this "
+ "setup, the POSIX domain is connected to an LDAP server and is used by the OS "
+@@ -3681,7 +3715,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><programlisting>
+-#: sssd.conf.5.xml:3186
++#: sssd.conf.5.xml:3209
+ #, no-wrap
+ msgid ""
+ "[sssd]\n"
+@@ -3701,12 +3735,12 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><title>
+-#: sssd.conf.5.xml:3204
++#: sssd.conf.5.xml:3227
+ msgid "The local domain section"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para>
+-#: sssd.conf.5.xml:3206
++#: sssd.conf.5.xml:3229
+ msgid ""
+ "This section contains settings for domain that stores users and groups in "
+ "SSSD native database, that is, a domain that uses "
+@@ -3714,73 +3748,73 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:3213
++#: sssd.conf.5.xml:3236
+ msgid "default_shell (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3216
++#: sssd.conf.5.xml:3239
+ msgid "The default shell for users created with SSSD userspace tools."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3220
++#: sssd.conf.5.xml:3243
+ msgid "Default: <filename>/bin/bash</filename>"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:3225
++#: sssd.conf.5.xml:3248
+ msgid "base_directory (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3228
++#: sssd.conf.5.xml:3251
+ msgid ""
+ "The tools append the login name to <replaceable>base_directory</replaceable> "
+ "and use that as the home directory."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3233
++#: sssd.conf.5.xml:3256
+ msgid "Default: <filename>/home</filename>"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:3238
++#: sssd.conf.5.xml:3261
+ msgid "create_homedir (bool)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3241
++#: sssd.conf.5.xml:3264
+ msgid ""
+ "Indicate if a home directory should be created by default for new users.  "
+ "Can be overridden on command line."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3245 sssd.conf.5.xml:3257
++#: sssd.conf.5.xml:3268 sssd.conf.5.xml:3280
+ msgid "Default: TRUE"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:3250
++#: sssd.conf.5.xml:3273
+ msgid "remove_homedir (bool)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3253
++#: sssd.conf.5.xml:3276
+ msgid ""
+ "Indicate if a home directory should be removed by default for deleted "
+ "users.  Can be overridden on command line."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:3262
++#: sssd.conf.5.xml:3285
+ msgid "homedir_umask (integer)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3265
++#: sssd.conf.5.xml:3288
+ msgid ""
+ "Used by <citerefentry> <refentrytitle>sss_useradd</refentrytitle> "
+ "<manvolnum>8</manvolnum> </citerefentry> to specify the default permissions "
+@@ -3788,17 +3822,17 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3273
++#: sssd.conf.5.xml:3296
+ msgid "Default: 077"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:3278
++#: sssd.conf.5.xml:3301
+ msgid "skel_dir (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3281
++#: sssd.conf.5.xml:3304
+ msgid ""
+ "The skeleton directory, which contains files and directories to be copied in "
+ "the user's home directory, when the home directory is created by "
+@@ -3807,17 +3841,17 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3291
++#: sssd.conf.5.xml:3314
+ msgid "Default: <filename>/etc/skel</filename>"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:3296
++#: sssd.conf.5.xml:3319
+ msgid "mail_dir (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3299
++#: sssd.conf.5.xml:3322
+ msgid ""
+ "The mail spool directory. This is needed to manipulate the mailbox when its "
+ "corresponding user account is modified or deleted.  If not specified, a "
+@@ -3825,17 +3859,17 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3306
++#: sssd.conf.5.xml:3329
+ msgid "Default: <filename>/var/mail</filename>"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:3311
++#: sssd.conf.5.xml:3334
+ msgid "userdel_cmd (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3314
++#: sssd.conf.5.xml:3337
+ msgid ""
+ "The command that is run after a user is removed.  The command us passed the "
+ "username of the user being removed as the first and only parameter. The "
+@@ -3843,17 +3877,17 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3320
++#: sssd.conf.5.xml:3343
+ msgid "Default: None, no command is run"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><title>
+-#: sssd.conf.5.xml:3330
++#: sssd.conf.5.xml:3353
+ msgid "TRUSTED DOMAIN SECTION"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd.conf.5.xml:3332
++#: sssd.conf.5.xml:3355
+ msgid ""
+ "Some options used in the domain section can also be used in the trusted "
+ "domain section, that is, in a section called <quote>[domain/"
+@@ -3864,64 +3898,176 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd.conf.5.xml:3339
++#: sssd.conf.5.xml:3362
+ msgid "ldap_search_base,"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd.conf.5.xml:3340
++#: sssd.conf.5.xml:3363
+ msgid "ldap_user_search_base,"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd.conf.5.xml:3341
++#: sssd.conf.5.xml:3364
+ msgid "ldap_group_search_base,"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd.conf.5.xml:3342
++#: sssd.conf.5.xml:3365
+ msgid "ldap_netgroup_search_base,"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd.conf.5.xml:3343
++#: sssd.conf.5.xml:3366
+ msgid "ldap_service_search_base,"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd.conf.5.xml:3344
++#: sssd.conf.5.xml:3367
++msgid "ldap_sasl_mech,"
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para>
++#: sssd.conf.5.xml:3368
+ msgid "ad_server,"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd.conf.5.xml:3345
++#: sssd.conf.5.xml:3369
+ msgid "ad_backup_server,"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd.conf.5.xml:3346
++#: sssd.conf.5.xml:3370
+ msgid "ad_site,"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para>
+-#: sssd.conf.5.xml:3347 sssd-ipa.5.xml:782
++#: sssd.conf.5.xml:3371 sssd-ipa.5.xml:782
+ msgid "use_fully_qualified_names"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd.conf.5.xml:3349
++#: sssd.conf.5.xml:3373
+ msgid ""
+ "For more details about these options see their individual description in the "
+ "manual page."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><title>
+-#: sssd.conf.5.xml:3355 idmap_sss.8.xml:43
++#: sssd.conf.5.xml:3379
++msgid "PROMPTING CONFIGURATION SECTION"
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para>
++#: sssd.conf.5.xml:3381
++msgid ""
++"If a special file (<filename>/var/lib/sss/pubconf/pam_preauth_available</"
++"filename>)  exists SSSD's PAM module pam_sss will ask SSSD to figure out "
++"which authentication methods are available for the user trying to log in.  "
++"Based on the results pam_sss will prompt the user for appropriate "
++"credentials."
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para>
++#: sssd.conf.5.xml:3389
++msgid ""
++"With the growing number of authentication methods and the possibility that "
++"there are multiple ones for a single user the heuristic used by pam_sss to "
++"select the prompting might not be suitable for all use cases. To following "
++"options should provide a better flexibility here."
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
++#: sssd.conf.5.xml:3401
++msgid "[prompting/password]"
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
++#: sssd.conf.5.xml:3404
++msgid "password_prompt"
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
++#: sssd.conf.5.xml:3405
++msgid "to change the string of the password prompt"
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
++#: sssd.conf.5.xml:3403
++msgid ""
++"to configure password prompting, allowed options are: <placeholder type="
++"\"variablelist\" id=\"0\"/>"
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
++#: sssd.conf.5.xml:3413
++msgid "[prompting/2fa]"
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
++#: sssd.conf.5.xml:3417
++msgid "first_prompt"
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
++#: sssd.conf.5.xml:3418
++msgid "to change the string of the prompt for the first factor"
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
++#: sssd.conf.5.xml:3421
++msgid "second_prompt"
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
++#: sssd.conf.5.xml:3422
++msgid "to change the string of the prompt for the second factor"
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
++#: sssd.conf.5.xml:3425
++msgid "single_prompt"
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
++#: sssd.conf.5.xml:3426
++msgid ""
++"boolean value, if True there will be only a single prompt using the value of "
++"first_prompt where it is expected that both factor are entered as a single "
++"string"
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
++#: sssd.conf.5.xml:3415
++msgid ""
++"to configure two-factor authentication prompting, allowed options are: "
++"<placeholder type=\"variablelist\" id=\"0\"/>"
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para>
++#: sssd.conf.5.xml:3396
++msgid ""
++"Each supported authentication method has it's own configuration sub-section "
++"under <quote>[prompting/...]</quote>. Currently there are: <placeholder type="
++"\"variablelist\" id=\"0\"/> <placeholder type=\"variablelist\" id=\"1\"/>"
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para>
++#: sssd.conf.5.xml:3438
++msgid ""
++"It is possible to add a sub-section for specific PAM services like e.g. "
++"<quote>[prompting/password/sshd]</quote> to individual change the prompting "
++"for this service."
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><title>
++#: sssd.conf.5.xml:3445 idmap_sss.8.xml:43
+ msgid "EXAMPLES"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><programlisting>
+-#: sssd.conf.5.xml:3361
++#: sssd.conf.5.xml:3451
+ #, no-wrap
+ msgid ""
+ "[sssd]\n"
+@@ -3951,7 +4097,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd.conf.5.xml:3357
++#: sssd.conf.5.xml:3447
+ msgid ""
+ "1. The following example shows a typical SSSD config. It does not describe "
+ "configuration of the domains themselves - refer to documentation on "
+@@ -3960,7 +4106,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><programlisting>
+-#: sssd.conf.5.xml:3394
++#: sssd.conf.5.xml:3484
+ #, no-wrap
+ msgid ""
+ "[domain/ipa.com/child.ad.com]\n"
+@@ -3968,7 +4114,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd.conf.5.xml:3388
++#: sssd.conf.5.xml:3478
+ msgid ""
+ "2. The following example shows configuration of IPA AD trust where the AD "
+ "forest consists of two domains in a parent-child structure.  Suppose IPA "
+@@ -4867,7 +5013,7 @@ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:797 sssd-ldap.5.xml:1199 sssd-ldap.5.xml:1273
+-#: sssd-ldap.5.xml:1382 sssd-ldap.5.xml:2443 sssd-ipa.5.xml:607
++#: sssd-ldap.5.xml:1382 sssd-ldap.5.xml:2463 sssd-ipa.5.xml:607
+ msgid "Default: cn"
+ msgstr ""
+ 
+@@ -5572,7 +5718,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1511 sssd-ldap.5.xml:2600
++#: sssd-ldap.5.xml:1511 sssd-ldap.5.xml:2620
+ msgid "Default: 900 (15 minutes)"
+ msgstr ""
+ 
+@@ -5675,11 +5821,16 @@ msgstr ""
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:1604
+ msgid ""
+-"You can turn off dereference lookups completely by setting the value to 0."
++"You can turn off dereference lookups completely by setting the value to 0. "
++"Please note that there are some codepaths in SSSD, like the IPA HBAC "
++"provider, that are only implemented using the dereference call, so even with "
++"dereference explicitly disabled, those parts will still use dereference if "
++"the server supports it and advertises the dereference control in the rootDSE "
++"object."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1608
++#: sssd-ldap.5.xml:1615
+ msgid ""
+ "A dereference lookup is a means of fetching all group members in a single "
+ "LDAP call.  Different LDAP servers may implement different dereference "
+@@ -5688,7 +5839,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1616
++#: sssd-ldap.5.xml:1623
+ msgid ""
+ "<emphasis>Note:</emphasis> If any of the search bases specifies a search "
+ "filter, then the dereference lookup performance enhancement will be disabled "
+@@ -5696,26 +5847,26 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1629
++#: sssd-ldap.5.xml:1636
+ msgid "ldap_tls_reqcert (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1632
++#: sssd-ldap.5.xml:1639
+ msgid ""
+ "Specifies what checks to perform on server certificates in a TLS session, if "
+ "any. It can be specified as one of the following values:"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1638
++#: sssd-ldap.5.xml:1645
+ msgid ""
+ "<emphasis>never</emphasis> = The client will not request or check any server "
+ "certificate."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1642
++#: sssd-ldap.5.xml:1649
+ msgid ""
+ "<emphasis>allow</emphasis> = The server certificate is requested. If no "
+ "certificate is provided, the session proceeds normally. If a bad certificate "
+@@ -5723,7 +5874,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1649
++#: sssd-ldap.5.xml:1656
+ msgid ""
+ "<emphasis>try</emphasis> = The server certificate is requested. If no "
+ "certificate is provided, the session proceeds normally. If a bad certificate "
+@@ -5731,7 +5882,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1655
++#: sssd-ldap.5.xml:1662
+ msgid ""
+ "<emphasis>demand</emphasis> = The server certificate is requested. If no "
+ "certificate is provided, or a bad certificate is provided, the session is "
+@@ -5739,41 +5890,41 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1661
++#: sssd-ldap.5.xml:1668
+ msgid "<emphasis>hard</emphasis> = Same as <quote>demand</quote>"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1665
++#: sssd-ldap.5.xml:1672
+ msgid "Default: hard"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1671
++#: sssd-ldap.5.xml:1678
+ msgid "ldap_tls_cacert (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1674
++#: sssd-ldap.5.xml:1681
+ msgid ""
+ "Specifies the file that contains certificates for all of the Certificate "
+ "Authorities that <command>sssd</command> will recognize."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1679 sssd-ldap.5.xml:1697 sssd-ldap.5.xml:1738
++#: sssd-ldap.5.xml:1686 sssd-ldap.5.xml:1704 sssd-ldap.5.xml:1745
+ msgid ""
+ "Default: use OpenLDAP defaults, typically in <filename>/etc/openldap/ldap."
+ "conf</filename>"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1686
++#: sssd-ldap.5.xml:1693
+ msgid "ldap_tls_cacertdir (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1689
++#: sssd-ldap.5.xml:1696
+ msgid ""
+ "Specifies the path of a directory that contains Certificate Authority "
+ "certificates in separate individual files. Typically the file names need to "
+@@ -5782,32 +5933,32 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1704
++#: sssd-ldap.5.xml:1711
+ msgid "ldap_tls_cert (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1707
++#: sssd-ldap.5.xml:1714
+ msgid "Specifies the file that contains the certificate for the client's key."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1717
++#: sssd-ldap.5.xml:1724
+ msgid "ldap_tls_key (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1720
++#: sssd-ldap.5.xml:1727
+ msgid "Specifies the file that contains the client's key."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1729
++#: sssd-ldap.5.xml:1736
+ msgid "ldap_tls_cipher_suite (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1732
++#: sssd-ldap.5.xml:1739
+ msgid ""
+ "Specifies acceptable cipher suites.  Typically this is a colon separated "
+ "list.  See <citerefentry><refentrytitle>ldap.conf</refentrytitle> "
+@@ -5815,24 +5966,24 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1745
++#: sssd-ldap.5.xml:1752
+ msgid "ldap_id_use_start_tls (boolean)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1748
++#: sssd-ldap.5.xml:1755
+ msgid ""
+ "Specifies that the id_provider connection must also use <systemitem class="
+ "\"protocol\">tls</systemitem> to protect the channel."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1758
++#: sssd-ldap.5.xml:1765
+ msgid "ldap_id_mapping (boolean)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1761
++#: sssd-ldap.5.xml:1768
+ msgid ""
+ "Specifies that SSSD should attempt to map user and group IDs from the "
+ "ldap_user_objectsid and ldap_group_objectsid attributes instead of relying "
+@@ -5840,17 +5991,17 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1767
++#: sssd-ldap.5.xml:1774
+ msgid "Currently this feature supports only ActiveDirectory objectSID mapping."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1777
++#: sssd-ldap.5.xml:1784
+ msgid "ldap_min_id, ldap_max_id (integer)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1780
++#: sssd-ldap.5.xml:1787
+ msgid ""
+ "In contrast to the SID based ID mapping which is used if ldap_id_mapping is "
+ "set to true the allowed ID range for ldap_user_uid_number and "
+@@ -5861,29 +6012,40 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1792
++#: sssd-ldap.5.xml:1799
+ msgid "Default: not set (both options are set to 0)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1798
++#: sssd-ldap.5.xml:1805
+ msgid "ldap_sasl_mech (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1801
++#: sssd-ldap.5.xml:1808
++msgid ""
++"Specify the SASL mechanism to use.  Currently only GSSAPI and GSS-SPNEGO are "
++"tested and supported."
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
++#: sssd-ldap.5.xml:1812
+ msgid ""
+-"Specify the SASL mechanism to use.  Currently only GSSAPI is tested and "
+-"supported."
++"If the backend supports sub-domains the value of ldap_sasl_mech is "
++"automatically inherited to the sub-domains. If a different value is needed "
++"for a sub-domain it can be overwritten by setting ldap_sasl_mech for this "
++"sub-domain explicitly.  Please see TRUSTED DOMAIN SECTION in "
++"<citerefentry><refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</"
++"manvolnum></citerefentry> for details."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1811
++#: sssd-ldap.5.xml:1828
+ msgid "ldap_sasl_authid (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
+-#: sssd-ldap.5.xml:1822
++#: sssd-ldap.5.xml:1840
+ #, no-wrap
+ msgid ""
+ "hostname@REALM\n"
+@@ -5896,29 +6058,29 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1814
++#: sssd-ldap.5.xml:1831
+ msgid ""
+-"Specify the SASL authorization id to use.  When GSSAPI is used, this "
+-"represents the Kerberos principal used for authentication to the directory.  "
+-"This option can either contain the full principal (for example host/"
+-"myhost@EXAMPLE.COM) or just the principal name (for example host/myhost). By "
+-"default, the value is not set and the following principals are used: "
+-"<placeholder type=\"programlisting\" id=\"0\"/> If none of them are found, "
+-"the first principal in keytab is returned."
++"Specify the SASL authorization id to use.  When GSSAPI/GSS-SPNEGO are used, "
++"this represents the Kerberos principal used for authentication to the "
++"directory.  This option can either contain the full principal (for example "
++"host/myhost@EXAMPLE.COM) or just the principal name (for example host/"
++"myhost).  By default, the value is not set and the following principals are "
++"used: <placeholder type=\"programlisting\" id=\"0\"/> If none of them are "
++"found, the first principal in keytab is returned."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1833
++#: sssd-ldap.5.xml:1851
+ msgid "Default: host/hostname@REALM"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1839
++#: sssd-ldap.5.xml:1857
+ msgid "ldap_sasl_realm (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1842
++#: sssd-ldap.5.xml:1860
+ msgid ""
+ "Specify the SASL realm to use. When not specified, this option defaults to "
+ "the value of krb5_realm.  If the ldap_sasl_authid contains the realm as "
+@@ -5926,77 +6088,78 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1848
++#: sssd-ldap.5.xml:1866
+ msgid "Default: the value of krb5_realm."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1854
++#: sssd-ldap.5.xml:1872
+ msgid "ldap_sasl_canonicalize (boolean)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1857
++#: sssd-ldap.5.xml:1875
+ msgid ""
+ "If set to true, the LDAP library would perform a reverse lookup to "
+ "canonicalize the host name during a SASL bind."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1862
++#: sssd-ldap.5.xml:1880
+ msgid "Default: false;"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1868
++#: sssd-ldap.5.xml:1886
+ msgid "ldap_krb5_keytab (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1871
+-msgid "Specify the keytab to use when using SASL/GSSAPI."
++#: sssd-ldap.5.xml:1889
++msgid "Specify the keytab to use when using SASL/GSSAPI/GSS-SPNEGO."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1874
++#: sssd-ldap.5.xml:1893
+ msgid "Default: System keytab, normally <filename>/etc/krb5.keytab</filename>"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1880
++#: sssd-ldap.5.xml:1899
+ msgid "ldap_krb5_init_creds (boolean)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1883
++#: sssd-ldap.5.xml:1902
+ msgid ""
+ "Specifies that the id_provider should init Kerberos credentials (TGT).  This "
+ "action is performed only if SASL is used and the mechanism selected is "
+-"GSSAPI."
++"GSSAPI or GSS-SPNEGO."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1895
++#: sssd-ldap.5.xml:1914
+ msgid "ldap_krb5_ticket_lifetime (integer)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1898
+-msgid "Specifies the lifetime in seconds of the TGT if GSSAPI is used."
++#: sssd-ldap.5.xml:1917
++msgid ""
++"Specifies the lifetime in seconds of the TGT if GSSAPI or GSS-SPNEGO is used."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1902 sssd-ad.5.xml:959
++#: sssd-ldap.5.xml:1921 sssd-ad.5.xml:978
+ msgid "Default: 86400 (24 hours)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1908 sssd-krb5.5.xml:74
++#: sssd-ldap.5.xml:1927 sssd-krb5.5.xml:74
+ msgid "krb5_server, krb5_backup_server (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1911
++#: sssd-ldap.5.xml:1930
+ msgid ""
+ "Specifies the comma-separated list of IP addresses or hostnames of the "
+ "Kerberos servers to which SSSD should connect in the order of preference. "
+@@ -6008,7 +6171,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1923 sssd-krb5.5.xml:89
++#: sssd-ldap.5.xml:1942 sssd-krb5.5.xml:89
+ msgid ""
+ "When using service discovery for KDC or kpasswd servers, SSSD first searches "
+ "for DNS entries that specify _udp as the protocol and falls back to _tcp if "
+@@ -6016,7 +6179,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1928 sssd-krb5.5.xml:94
++#: sssd-ldap.5.xml:1947 sssd-krb5.5.xml:94
+ msgid ""
+ "This option was named <quote>krb5_kdcip</quote> in earlier releases of SSSD. "
+ "While the legacy name is recognized for the time being, users are advised to "
+@@ -6024,39 +6187,39 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1937 sssd-ipa.5.xml:428 sssd-krb5.5.xml:103
++#: sssd-ldap.5.xml:1956 sssd-ipa.5.xml:428 sssd-krb5.5.xml:103
+ msgid "krb5_realm (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1940
+-msgid "Specify the Kerberos REALM (for SASL/GSSAPI auth)."
++#: sssd-ldap.5.xml:1959
++msgid "Specify the Kerberos REALM (for SASL/GSSAPI/GSS-SPNEGO auth)."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1943
++#: sssd-ldap.5.xml:1963
+ msgid "Default: System defaults, see <filename>/etc/krb5.conf</filename>"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1949 sssd-krb5.5.xml:462
++#: sssd-ldap.5.xml:1969 sssd-krb5.5.xml:462
+ msgid "krb5_canonicalize (boolean)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1952
++#: sssd-ldap.5.xml:1972
+ msgid ""
+ "Specifies if the host principal should be canonicalized when connecting to "
+ "LDAP server. This feature is available with MIT Kerberos >= 1.7"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1964 sssd-krb5.5.xml:477
++#: sssd-ldap.5.xml:1984 sssd-krb5.5.xml:477
+ msgid "krb5_use_kdcinfo (boolean)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1967 sssd-krb5.5.xml:480
++#: sssd-ldap.5.xml:1987 sssd-krb5.5.xml:480
+ msgid ""
+ "Specifies if the SSSD should instruct the Kerberos libraries what realm and "
+ "which KDCs to use. This option is on by default, if you disable it, you need "
+@@ -6066,7 +6229,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1978 sssd-krb5.5.xml:491
++#: sssd-ldap.5.xml:1998 sssd-krb5.5.xml:491
+ msgid ""
+ "See the <citerefentry> <refentrytitle>sssd_krb5_locator_plugin</"
+ "refentrytitle> <manvolnum>8</manvolnum> </citerefentry> manual page for more "
+@@ -6074,26 +6237,26 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1992
++#: sssd-ldap.5.xml:2012
+ msgid "ldap_pwd_policy (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1995
++#: sssd-ldap.5.xml:2015
+ msgid ""
+ "Select the policy to evaluate the password expiration on the client side. "
+ "The following values are allowed:"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2000
++#: sssd-ldap.5.xml:2020
+ msgid ""
+ "<emphasis>none</emphasis> - No evaluation on the client side. This option "
+ "cannot disable server-side password policies."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2005
++#: sssd-ldap.5.xml:2025
+ msgid ""
+ "<emphasis>shadow</emphasis> - Use <citerefentry><refentrytitle>shadow</"
+ "refentrytitle> <manvolnum>5</manvolnum></citerefentry> style attributes to "
+@@ -6101,7 +6264,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2011
++#: sssd-ldap.5.xml:2031
+ msgid ""
+ "<emphasis>mit_kerberos</emphasis> - Use the attributes used by MIT Kerberos "
+ "to determine if the password has expired. Use chpass_provider=krb5 to update "
+@@ -6109,31 +6272,31 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2020
++#: sssd-ldap.5.xml:2040
+ msgid ""
+ "<emphasis>Note</emphasis>: if a password policy is configured on server "
+ "side, it always takes precedence over policy set with this option."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2028
++#: sssd-ldap.5.xml:2048
+ msgid "ldap_referrals (boolean)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2031
++#: sssd-ldap.5.xml:2051
+ msgid "Specifies whether automatic referral chasing should be enabled."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2035
++#: sssd-ldap.5.xml:2055
+ msgid ""
+ "Please note that sssd only supports referral chasing when it is compiled "
+ "with OpenLDAP version 2.4.13 or higher."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2040
++#: sssd-ldap.5.xml:2060
+ msgid ""
+ "Chasing referrals may incur a performance penalty in environments that use "
+ "them heavily, a notable example is Microsoft Active Directory. If your setup "
+@@ -6142,56 +6305,56 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2054
++#: sssd-ldap.5.xml:2074
+ msgid "ldap_dns_service_name (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2057
++#: sssd-ldap.5.xml:2077
+ msgid "Specifies the service name to use when service discovery is enabled."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2061
++#: sssd-ldap.5.xml:2081
+ msgid "Default: ldap"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2067
++#: sssd-ldap.5.xml:2087
+ msgid "ldap_chpass_dns_service_name (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2070
++#: sssd-ldap.5.xml:2090
+ msgid ""
+ "Specifies the service name to use to find an LDAP server which allows "
+ "password changes when service discovery is enabled."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2075
++#: sssd-ldap.5.xml:2095
+ msgid "Default: not set, i.e. service discovery is disabled"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2081
++#: sssd-ldap.5.xml:2101
+ msgid "ldap_chpass_update_last_change (bool)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2084
++#: sssd-ldap.5.xml:2104
+ msgid ""
+ "Specifies whether to update the ldap_user_shadow_last_change attribute with "
+ "days since the Epoch after a password change operation."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2096
++#: sssd-ldap.5.xml:2116
+ msgid "ldap_access_filter (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2099
++#: sssd-ldap.5.xml:2119
+ msgid ""
+ "If using access_provider = ldap and ldap_access_order = filter (default), "
+ "this option is mandatory. It specifies an LDAP search filter criteria that "
+@@ -6207,12 +6370,12 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2119
++#: sssd-ldap.5.xml:2139
+ msgid "Example:"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><programlisting>
+-#: sssd-ldap.5.xml:2122
++#: sssd-ldap.5.xml:2142
+ #, no-wrap
+ msgid ""
+ "access_provider = ldap\n"
+@@ -6221,14 +6384,14 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2126
++#: sssd-ldap.5.xml:2146
+ msgid ""
+ "This example means that access to this host is restricted to users whose "
+ "employeeType attribute is set to \"admin\"."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2131
++#: sssd-ldap.5.xml:2151
+ msgid ""
+ "Offline caching for this feature is limited to determining whether the "
+ "user's last online login was granted access permission. If they were granted "
+@@ -6237,24 +6400,24 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2139 sssd-ldap.5.xml:2196
++#: sssd-ldap.5.xml:2159 sssd-ldap.5.xml:2216
+ msgid "Default: Empty"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2145
++#: sssd-ldap.5.xml:2165
+ msgid "ldap_account_expire_policy (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2148
++#: sssd-ldap.5.xml:2168
+ msgid ""
+ "With this option a client side evaluation of access control attributes can "
+ "be enabled."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2152
++#: sssd-ldap.5.xml:2172
+ msgid ""
+ "Please note that it is always recommended to use server side access control, "
+ "i.e. the LDAP server should deny the bind request with a suitable error code "
+@@ -6262,19 +6425,19 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2159
++#: sssd-ldap.5.xml:2179
+ msgid "The following values are allowed:"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2162
++#: sssd-ldap.5.xml:2182
+ msgid ""
+ "<emphasis>shadow</emphasis>: use the value of ldap_user_shadow_expire to "
+ "determine if the account is expired."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2167
++#: sssd-ldap.5.xml:2187
+ msgid ""
+ "<emphasis>ad</emphasis>: use the value of the 32bit field "
+ "ldap_user_ad_user_account_control and allow access if the second bit is not "
+@@ -6283,7 +6446,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2174
++#: sssd-ldap.5.xml:2194
+ msgid ""
+ "<emphasis>rhds</emphasis>, <emphasis>ipa</emphasis>, <emphasis>389ds</"
+ "emphasis>: use the value of ldap_ns_account_lock to check if access is "
+@@ -6291,7 +6454,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2180
++#: sssd-ldap.5.xml:2200
+ msgid ""
+ "<emphasis>nds</emphasis>: the values of "
+ "ldap_user_nds_login_allowed_time_map, ldap_user_nds_login_disabled and "
+@@ -6300,7 +6463,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2189
++#: sssd-ldap.5.xml:2209
+ msgid ""
+ "Please note that the ldap_access_order configuration option <emphasis>must</"
+ "emphasis> include <quote>expire</quote> in order for the "
+@@ -6308,22 +6471,22 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2202
++#: sssd-ldap.5.xml:2222
+ msgid "ldap_access_order (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2205
++#: sssd-ldap.5.xml:2225
+ msgid "Comma separated list of access control options.  Allowed values are:"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2209
++#: sssd-ldap.5.xml:2229
+ msgid "<emphasis>filter</emphasis>: use ldap_access_filter"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2212
++#: sssd-ldap.5.xml:2232
+ msgid ""
+ "<emphasis>lockout</emphasis>: use account locking.  If set, this option "
+ "denies access in case that ldap attribute 'pwdAccountLockedTime' is present "
+@@ -6333,14 +6496,14 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2222
++#: sssd-ldap.5.xml:2242
+ msgid ""
+ "<emphasis> Please note that this option is superseded by the <quote>ppolicy</"
+ "quote> option and might be removed in a future release.  </emphasis>"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2229
++#: sssd-ldap.5.xml:2249
+ msgid ""
+ "<emphasis>ppolicy</emphasis>: use account locking.  If set, this option "
+ "denies access in case that ldap attribute 'pwdAccountLockedTime' is present "
+@@ -6353,12 +6516,12 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2246
++#: sssd-ldap.5.xml:2266
+ msgid "<emphasis>expire</emphasis>: use ldap_account_expire_policy"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2250
++#: sssd-ldap.5.xml:2270
+ msgid ""
+ "<emphasis>pwd_expire_policy_reject, pwd_expire_policy_warn, "
+ "pwd_expire_policy_renew: </emphasis> These options are useful if users are "
+@@ -6368,7 +6531,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2260
++#: sssd-ldap.5.xml:2280
+ msgid ""
+ "The difference between these options is the action taken if user password is "
+ "expired: pwd_expire_policy_reject - user is denied to log in, "
+@@ -6378,63 +6541,63 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2268
++#: sssd-ldap.5.xml:2288
+ msgid ""
+ "Note If user password is expired no explicit message is prompted by SSSD."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2272
++#: sssd-ldap.5.xml:2292
+ msgid ""
+ "Please note that 'access_provider = ldap' must be set for this feature to "
+ "work. Also 'ldap_pwd_policy' must be set to an appropriate password policy."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2277
++#: sssd-ldap.5.xml:2297
+ msgid ""
+ "<emphasis>authorized_service</emphasis>: use the authorizedService attribute "
+ "to determine access"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2282
++#: sssd-ldap.5.xml:2302
+ msgid "<emphasis>host</emphasis>: use the host attribute to determine access"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2286
++#: sssd-ldap.5.xml:2306
+ msgid ""
+ "<emphasis>rhost</emphasis>: use the rhost attribute to determine whether "
+ "remote host can access"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2290
++#: sssd-ldap.5.xml:2310
+ msgid ""
+ "Please note, rhost field in pam is set by application, it is better to check "
+ "what the application sends to pam, before enabling this access control option"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2295
++#: sssd-ldap.5.xml:2315
+ msgid "Default: filter"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2298
++#: sssd-ldap.5.xml:2318
+ msgid ""
+ "Please note that it is a configuration error if a value is used more than "
+ "once."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2305
++#: sssd-ldap.5.xml:2325
+ msgid "ldap_pwdlockout_dn (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2308
++#: sssd-ldap.5.xml:2328
+ msgid ""
+ "This option specifies the DN of password policy entry on LDAP server. Please "
+ "note that absence of this option in sssd.conf in case of enabled account "
+@@ -6443,74 +6606,74 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2316
++#: sssd-ldap.5.xml:2336
+ msgid "Example: cn=ppolicy,ou=policies,dc=example,dc=com"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2319
++#: sssd-ldap.5.xml:2339
+ msgid "Default: cn=ppolicy,ou=policies,$ldap_search_base"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2325
++#: sssd-ldap.5.xml:2345
+ msgid "ldap_deref (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2328
++#: sssd-ldap.5.xml:2348
+ msgid ""
+ "Specifies how alias dereferencing is done when performing a search. The "
+ "following options are allowed:"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2333
++#: sssd-ldap.5.xml:2353
+ msgid "<emphasis>never</emphasis>: Aliases are never dereferenced."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2337
++#: sssd-ldap.5.xml:2357
+ msgid ""
+ "<emphasis>searching</emphasis>: Aliases are dereferenced in subordinates of "
+ "the base object, but not in locating the base object of the search."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2342
++#: sssd-ldap.5.xml:2362
+ msgid ""
+ "<emphasis>finding</emphasis>: Aliases are only dereferenced when locating "
+ "the base object of the search."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2347
++#: sssd-ldap.5.xml:2367
+ msgid ""
+ "<emphasis>always</emphasis>: Aliases are dereferenced both in searching and "
+ "in locating the base object of the search."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2352
++#: sssd-ldap.5.xml:2372
+ msgid ""
+ "Default: Empty (this is handled as <emphasis>never</emphasis> by the LDAP "
+ "client libraries)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2360
++#: sssd-ldap.5.xml:2380
+ msgid "ldap_rfc2307_fallback_to_local_users (boolean)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2363
++#: sssd-ldap.5.xml:2383
+ msgid ""
+ "Allows to retain local users as members of an LDAP group for servers that "
+ "use the RFC2307 schema."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2367
++#: sssd-ldap.5.xml:2387
+ msgid ""
+ "In some environments where the RFC2307 schema is used, local users are made "
+ "members of LDAP groups by adding their names to the memberUid attribute.  "
+@@ -6521,7 +6684,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2378
++#: sssd-ldap.5.xml:2398
+ msgid ""
+ "This option falls back to checking if local users are referenced, and caches "
+ "them so that later initgroups() calls will augment the local users with the "
+@@ -6529,24 +6692,24 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2390 sssd-ifp.5.xml:136
++#: sssd-ldap.5.xml:2410 sssd-ifp.5.xml:136
+ msgid "wildcard_limit (integer)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2393
++#: sssd-ldap.5.xml:2413
+ msgid ""
+ "Specifies an upper limit on the number of entries that are downloaded during "
+ "a wildcard lookup."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2397
++#: sssd-ldap.5.xml:2417
+ msgid "At the moment, only the InfoPipe responder supports wildcard lookups."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2401
++#: sssd-ldap.5.xml:2421
+ msgid "Default: 1000 (often the size of one page)"
+ msgstr ""
+ 
+@@ -6561,12 +6724,12 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><title>
+-#: sssd-ldap.5.xml:2411
++#: sssd-ldap.5.xml:2431
+ msgid "SUDO OPTIONS"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd-ldap.5.xml:2413
++#: sssd-ldap.5.xml:2433
+ msgid ""
+ "The detailed instructions for configuration of sudo_provider are in the "
+ "manual page <citerefentry> <refentrytitle>sssd-sudo</refentrytitle> "
+@@ -6574,208 +6737,208 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2424
++#: sssd-ldap.5.xml:2444
+ msgid "ldap_sudorule_object_class (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2427
++#: sssd-ldap.5.xml:2447
+ msgid "The object class of a sudo rule entry in LDAP."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2430
++#: sssd-ldap.5.xml:2450
+ msgid "Default: sudoRole"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2436
++#: sssd-ldap.5.xml:2456
+ msgid "ldap_sudorule_name (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2439
++#: sssd-ldap.5.xml:2459
+ msgid "The LDAP attribute that corresponds to the sudo rule name."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2449
++#: sssd-ldap.5.xml:2469
+ msgid "ldap_sudorule_command (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2452
++#: sssd-ldap.5.xml:2472
+ msgid "The LDAP attribute that corresponds to the command name."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2456
++#: sssd-ldap.5.xml:2476
+ msgid "Default: sudoCommand"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2462
++#: sssd-ldap.5.xml:2482
+ msgid "ldap_sudorule_host (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2465
++#: sssd-ldap.5.xml:2485
+ msgid ""
+ "The LDAP attribute that corresponds to the host name (or host IP address, "
+ "host IP network, or host netgroup)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2470
++#: sssd-ldap.5.xml:2490
+ msgid "Default: sudoHost"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2476
++#: sssd-ldap.5.xml:2496
+ msgid "ldap_sudorule_user (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2479
++#: sssd-ldap.5.xml:2499
+ msgid ""
+ "The LDAP attribute that corresponds to the user name (or UID, group name or "
+ "user's netgroup)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2483
++#: sssd-ldap.5.xml:2503
+ msgid "Default: sudoUser"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2489
++#: sssd-ldap.5.xml:2509
+ msgid "ldap_sudorule_option (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2492
++#: sssd-ldap.5.xml:2512
+ msgid "The LDAP attribute that corresponds to the sudo options."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2496
++#: sssd-ldap.5.xml:2516
+ msgid "Default: sudoOption"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2502
++#: sssd-ldap.5.xml:2522
+ msgid "ldap_sudorule_runasuser (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2505
++#: sssd-ldap.5.xml:2525
+ msgid ""
+ "The LDAP attribute that corresponds to the user name that commands may be "
+ "run as."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2509
++#: sssd-ldap.5.xml:2529
+ msgid "Default: sudoRunAsUser"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2515
++#: sssd-ldap.5.xml:2535
+ msgid "ldap_sudorule_runasgroup (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2518
++#: sssd-ldap.5.xml:2538
+ msgid ""
+ "The LDAP attribute that corresponds to the group name or group GID that "
+ "commands may be run as."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2522
++#: sssd-ldap.5.xml:2542
+ msgid "Default: sudoRunAsGroup"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2528
++#: sssd-ldap.5.xml:2548
+ msgid "ldap_sudorule_notbefore (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2531
++#: sssd-ldap.5.xml:2551
+ msgid ""
+ "The LDAP attribute that corresponds to the start date/time for when the sudo "
+ "rule is valid."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2535
++#: sssd-ldap.5.xml:2555
+ msgid "Default: sudoNotBefore"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2541
++#: sssd-ldap.5.xml:2561
+ msgid "ldap_sudorule_notafter (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2544
++#: sssd-ldap.5.xml:2564
+ msgid ""
+ "The LDAP attribute that corresponds to the expiration date/time, after which "
+ "the sudo rule will no longer be valid."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2549
++#: sssd-ldap.5.xml:2569
+ msgid "Default: sudoNotAfter"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2555
++#: sssd-ldap.5.xml:2575
+ msgid "ldap_sudorule_order (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2558
++#: sssd-ldap.5.xml:2578
+ msgid "The LDAP attribute that corresponds to the ordering index of the rule."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2562
++#: sssd-ldap.5.xml:2582
+ msgid "Default: sudoOrder"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2568
++#: sssd-ldap.5.xml:2588
+ msgid "ldap_sudo_full_refresh_interval (integer)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2571
++#: sssd-ldap.5.xml:2591
+ msgid ""
+ "How many seconds SSSD will wait between executing a full refresh of sudo "
+ "rules (which downloads all rules that are stored on the server)."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2576
++#: sssd-ldap.5.xml:2596
+ msgid ""
+ "The value must be greater than <emphasis>ldap_sudo_smart_refresh_interval </"
+ "emphasis>"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2581
++#: sssd-ldap.5.xml:2601
+ msgid "Default: 21600 (6 hours)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2587
++#: sssd-ldap.5.xml:2607
+ msgid "ldap_sudo_smart_refresh_interval (integer)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2590
++#: sssd-ldap.5.xml:2610
+ msgid ""
+ "How many seconds SSSD has to wait before executing a smart refresh of sudo "
+ "rules (which downloads all rules that have USN higher than the highest USN "
+@@ -6783,101 +6946,101 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2596
++#: sssd-ldap.5.xml:2616
+ msgid ""
+ "If USN attributes are not supported by the server, the modifyTimestamp "
+ "attribute is used instead."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2606
++#: sssd-ldap.5.xml:2626
+ msgid "ldap_sudo_use_host_filter (boolean)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2609
++#: sssd-ldap.5.xml:2629
+ msgid ""
+ "If true, SSSD will download only rules that are applicable to this machine "
+ "(using the IPv4 or IPv6 host/network addresses and hostnames)."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2620
++#: sssd-ldap.5.xml:2640
+ msgid "ldap_sudo_hostnames (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2623
++#: sssd-ldap.5.xml:2643
+ msgid ""
+ "Space separated list of hostnames or fully qualified domain names that "
+ "should be used to filter the rules."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2628
++#: sssd-ldap.5.xml:2648
+ msgid ""
+ "If this option is empty, SSSD will try to discover the hostname and the "
+ "fully qualified domain name automatically."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2633 sssd-ldap.5.xml:2656 sssd-ldap.5.xml:2674
+-#: sssd-ldap.5.xml:2692
++#: sssd-ldap.5.xml:2653 sssd-ldap.5.xml:2676 sssd-ldap.5.xml:2694
++#: sssd-ldap.5.xml:2712
+ msgid ""
+ "If <emphasis>ldap_sudo_use_host_filter</emphasis> is <emphasis>false</"
+ "emphasis> then this option has no effect."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2638 sssd-ldap.5.xml:2661
++#: sssd-ldap.5.xml:2658 sssd-ldap.5.xml:2681
+ msgid "Default: not specified"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2644
++#: sssd-ldap.5.xml:2664
+ msgid "ldap_sudo_ip (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2647
++#: sssd-ldap.5.xml:2667
+ msgid ""
+ "Space separated list of IPv4 or IPv6 host/network addresses that should be "
+ "used to filter the rules."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2652
++#: sssd-ldap.5.xml:2672
+ msgid ""
+ "If this option is empty, SSSD will try to discover the addresses "
+ "automatically."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2667
++#: sssd-ldap.5.xml:2687
+ msgid "ldap_sudo_include_netgroups (boolean)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2670
++#: sssd-ldap.5.xml:2690
+ msgid ""
+ "If true then SSSD will download every rule that contains a netgroup in "
+ "sudoHost attribute."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2685
++#: sssd-ldap.5.xml:2705
+ msgid "ldap_sudo_include_regexp (boolean)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2688
++#: sssd-ldap.5.xml:2708
+ msgid ""
+ "If true then SSSD will download every rule that contains a wildcard in "
+ "sudoHost attribute."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd-ldap.5.xml:2704
++#: sssd-ldap.5.xml:2724
+ msgid ""
+ "This manual page only describes attribute name mapping.  For detailed "
+ "explanation of sudo related attribute semantics, see <citerefentry> "
+@@ -6886,111 +7049,111 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><title>
+-#: sssd-ldap.5.xml:2714
++#: sssd-ldap.5.xml:2734
+ msgid "AUTOFS OPTIONS"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd-ldap.5.xml:2716
++#: sssd-ldap.5.xml:2736
+ msgid ""
+ "Some of the defaults for the parameters below are dependent on the LDAP "
+ "schema."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2722
++#: sssd-ldap.5.xml:2742
+ msgid "ldap_autofs_map_master_name (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2725
++#: sssd-ldap.5.xml:2745
+ msgid "The name of the automount master map in LDAP."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2728
++#: sssd-ldap.5.xml:2748
+ msgid "Default: auto.master"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2735
++#: sssd-ldap.5.xml:2755
+ msgid "ldap_autofs_map_object_class (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2738
++#: sssd-ldap.5.xml:2758
+ msgid "The object class of an automount map entry in LDAP."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2741
++#: sssd-ldap.5.xml:2761
+ msgid "Default: nisMap (rfc2307, autofs_provider=ad), otherwise automountMap"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2749
++#: sssd-ldap.5.xml:2769
+ msgid "ldap_autofs_map_name (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2752
++#: sssd-ldap.5.xml:2772
+ msgid "The name of an automount map entry in LDAP."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2755
++#: sssd-ldap.5.xml:2775
+ msgid ""
+ "Default: nisMapName (rfc2307, autofs_provider=ad), otherwise automountMapName"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2763
++#: sssd-ldap.5.xml:2783
+ msgid "ldap_autofs_entry_object_class (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2766
++#: sssd-ldap.5.xml:2786
+ msgid ""
+ "The object class of an automount entry in LDAP. The entry usually "
+ "corresponds to a mount point."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2771
++#: sssd-ldap.5.xml:2791
+ msgid "Default: nisObject (rfc2307, autofs_provider=ad), otherwise automount"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2779
++#: sssd-ldap.5.xml:2799
+ msgid "ldap_autofs_entry_key (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2782 sssd-ldap.5.xml:2797
++#: sssd-ldap.5.xml:2802 sssd-ldap.5.xml:2817
+ msgid ""
+ "The key of an automount entry in LDAP. The entry usually corresponds to a "
+ "mount point."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2786
++#: sssd-ldap.5.xml:2806
+ msgid "Default: cn (rfc2307, autofs_provider=ad), otherwise automountKey"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2794
++#: sssd-ldap.5.xml:2814
+ msgid "ldap_autofs_entry_value (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2801
++#: sssd-ldap.5.xml:2821
+ msgid ""
+ "Default: nisMapEntry (rfc2307, autofs_provider=ad), otherwise "
+ "automountInformation"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd-ldap.5.xml:2720
++#: sssd-ldap.5.xml:2740
+ msgid ""
+ "<placeholder type=\"variablelist\" id=\"0\"/> <placeholder type="
+ "\"variablelist\" id=\"1\"/> <placeholder type=\"variablelist\" id=\"2\"/> "
+@@ -6999,32 +7162,32 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><title>
+-#: sssd-ldap.5.xml:2812
++#: sssd-ldap.5.xml:2832
+ msgid "ADVANCED OPTIONS"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2819
++#: sssd-ldap.5.xml:2839
+ msgid "ldap_netgroup_search_base (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2824
++#: sssd-ldap.5.xml:2844
+ msgid "ldap_user_search_base (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2829
++#: sssd-ldap.5.xml:2849
+ msgid "ldap_group_search_base (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><note>
+-#: sssd-ldap.5.xml:2834
++#: sssd-ldap.5.xml:2854
+ msgid "<note>"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><note><para>
+-#: sssd-ldap.5.xml:2836
++#: sssd-ldap.5.xml:2856
+ msgid ""
+ "If the option <quote>ldap_use_tokengroups</quote> is enabled, the searches "
+ "against Active Directory will not be restricted and return all groups "
+@@ -7033,22 +7196,22 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist>
+-#: sssd-ldap.5.xml:2843
++#: sssd-ldap.5.xml:2863
+ msgid "</note>"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2845
++#: sssd-ldap.5.xml:2865
+ msgid "ldap_sudo_search_base (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2850
++#: sssd-ldap.5.xml:2870
+ msgid "ldap_autofs_search_base (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd-ldap.5.xml:2814
++#: sssd-ldap.5.xml:2834
+ msgid ""
+ "These options are supported by LDAP domains, but they should be used with "
+ "caution. Please include them in your configuration only if you know what you "
+@@ -7057,14 +7220,14 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><title>
+-#: sssd-ldap.5.xml:2865 sssd-simple.5.xml:131 sssd-ipa.5.xml:828
+-#: sssd-ad.5.xml:1063 sssd-krb5.5.xml:570 sss_rpcidmapd.5.xml:98
++#: sssd-ldap.5.xml:2885 sssd-simple.5.xml:131 sssd-ipa.5.xml:828
++#: sssd-ad.5.xml:1082 sssd-krb5.5.xml:604 sss_rpcidmapd.5.xml:98
+ #: sssd-files.5.xml:103 sssd-session-recording.5.xml:144
+ msgid "EXAMPLE"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd-ldap.5.xml:2867
++#: sssd-ldap.5.xml:2887
+ msgid ""
+ "The following example assumes that SSSD is correctly configured and LDAP is "
+ "set to one of the domains in the <replaceable>[domains]</replaceable> "
+@@ -7072,7 +7235,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><programlisting>
+-#: sssd-ldap.5.xml:2873
++#: sssd-ldap.5.xml:2893
+ #, no-wrap
+ msgid ""
+ "[domain/LDAP]\n"
+@@ -7085,27 +7248,27 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <refsect1><refsect2><para>
+-#: sssd-ldap.5.xml:2872 sssd-ldap.5.xml:2890 sssd-simple.5.xml:139
+-#: sssd-ipa.5.xml:836 sssd-ad.5.xml:1071 sssd-sudo.5.xml:56 sssd-krb5.5.xml:579
++#: sssd-ldap.5.xml:2892 sssd-ldap.5.xml:2910 sssd-simple.5.xml:139
++#: sssd-ipa.5.xml:836 sssd-ad.5.xml:1090 sssd-sudo.5.xml:56 sssd-krb5.5.xml:613
+ #: sssd-files.5.xml:110 sssd-session-recording.5.xml:150
+ #: include/ldap_id_mapping.xml:105
+ msgid "<placeholder type=\"programlisting\" id=\"0\"/>"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><title>
+-#: sssd-ldap.5.xml:2884
++#: sssd-ldap.5.xml:2904
+ msgid "LDAP ACCESS FILTER EXAMPLE"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd-ldap.5.xml:2886
++#: sssd-ldap.5.xml:2906
+ msgid ""
+ "The following example assumes that SSSD is correctly configured and to use "
+ "the ldap_access_order=lockout."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><programlisting>
+-#: sssd-ldap.5.xml:2891
++#: sssd-ldap.5.xml:2911
+ #, no-wrap
+ msgid ""
+ "[domain/LDAP]\n"
+@@ -7121,13 +7284,13 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><title>
+-#: sssd-ldap.5.xml:2906 sssd_krb5_locator_plugin.8.xml:83 sssd-simple.5.xml:148
+-#: sssd-ad.5.xml:1086 sssd.8.xml:230 sss_seed.8.xml:163
++#: sssd-ldap.5.xml:2926 sssd_krb5_locator_plugin.8.xml:83 sssd-simple.5.xml:148
++#: sssd-ad.5.xml:1105 sssd.8.xml:230 sss_seed.8.xml:163
+ msgid "NOTES"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd-ldap.5.xml:2908
++#: sssd-ldap.5.xml:2928
+ msgid ""
+ "The descriptions of some of the configuration options in this manual page "
+ "are based on the <citerefentry> <refentrytitle>ldap.conf</refentrytitle> "
+@@ -8601,7 +8764,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ipa.5.xml:128 sssd-ad.5.xml:888
++#: sssd-ipa.5.xml:128 sssd-ad.5.xml:907
+ msgid "dyndns_update (boolean)"
+ msgstr ""
+ 
+@@ -8616,7 +8779,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ipa.5.xml:140 sssd-ad.5.xml:902
++#: sssd-ipa.5.xml:140 sssd-ad.5.xml:921
+ msgid ""
+ "NOTE: On older systems (such as RHEL 5), for this behavior to work reliably, "
+ "the default Kerberos realm must be set properly in /etc/krb5.conf"
+@@ -8631,12 +8794,12 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ipa.5.xml:157 sssd-ad.5.xml:913
++#: sssd-ipa.5.xml:157 sssd-ad.5.xml:932
+ msgid "dyndns_ttl (integer)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ipa.5.xml:160 sssd-ad.5.xml:916
++#: sssd-ipa.5.xml:160 sssd-ad.5.xml:935
+ msgid ""
+ "The TTL to apply to the client DNS record when updating it.  If "
+ "dyndns_update is false this has no effect. This will override the TTL "
+@@ -8657,12 +8820,12 @@ msgid "Default: 1200 (seconds)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ipa.5.xml:177 sssd-ad.5.xml:927
++#: sssd-ipa.5.xml:177 sssd-ad.5.xml:946
+ msgid "dyndns_iface (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ipa.5.xml:180 sssd-ad.5.xml:930
++#: sssd-ipa.5.xml:180 sssd-ad.5.xml:949
+ msgid ""
+ "Optional. Applicable only when dyndns_update is true. Choose the interface "
+ "or a list of interfaces whose IP addresses should be used for dynamic DNS "
+@@ -8686,17 +8849,17 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ipa.5.xml:197 sssd-ad.5.xml:941
++#: sssd-ipa.5.xml:197 sssd-ad.5.xml:960
+ msgid "Example: dyndns_iface = em1, vnet1, vnet2"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ipa.5.xml:203 sssd-ad.5.xml:992
++#: sssd-ipa.5.xml:203 sssd-ad.5.xml:1011
+ msgid "dyndns_auth (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ipa.5.xml:206 sssd-ad.5.xml:995
++#: sssd-ipa.5.xml:206 sssd-ad.5.xml:1014
+ msgid ""
+ "Whether the nsupdate utility should use GSS-TSIG authentication for secure "
+ "updates with the DNS server, insecure updates can be sent by setting this "
+@@ -8704,7 +8867,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ipa.5.xml:212 sssd-ad.5.xml:1001
++#: sssd-ipa.5.xml:212 sssd-ad.5.xml:1020
+ msgid "Default: GSS-TSIG"
+ msgstr ""
+ 
+@@ -8731,7 +8894,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ipa.5.xml:244 sssd-ad.5.xml:947
++#: sssd-ipa.5.xml:244 sssd-ad.5.xml:966
+ msgid "dyndns_refresh_interval (integer)"
+ msgstr ""
+ 
+@@ -8744,12 +8907,12 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ipa.5.xml:260 sssd-ad.5.xml:965
++#: sssd-ipa.5.xml:260 sssd-ad.5.xml:984
+ msgid "dyndns_update_ptr (bool)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ipa.5.xml:263 sssd-ad.5.xml:968
++#: sssd-ipa.5.xml:263 sssd-ad.5.xml:987
+ msgid ""
+ "Whether the PTR record should also be explicitly updated when updating the "
+ "client's DNS records.  Applicable only when dyndns_update is true."
+@@ -8768,50 +8931,50 @@ msgid "Default: False (disabled)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ipa.5.xml:280 sssd-ad.5.xml:979
++#: sssd-ipa.5.xml:280 sssd-ad.5.xml:998
+ msgid "dyndns_force_tcp (bool)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ipa.5.xml:283 sssd-ad.5.xml:982
++#: sssd-ipa.5.xml:283 sssd-ad.5.xml:1001
+ msgid ""
+ "Whether the nsupdate utility should default to using TCP for communicating "
+ "with the DNS server."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ipa.5.xml:287 sssd-ad.5.xml:986
++#: sssd-ipa.5.xml:287 sssd-ad.5.xml:1005
+ msgid "Default: False (let nsupdate choose the protocol)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ipa.5.xml:293 sssd-ad.5.xml:1007
++#: sssd-ipa.5.xml:293 sssd-ad.5.xml:1026
+ msgid "dyndns_server (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ipa.5.xml:296 sssd-ad.5.xml:1010
++#: sssd-ipa.5.xml:296 sssd-ad.5.xml:1029
+ msgid ""
+ "The DNS server to use when performing a DNS update. In most setups, it's "
+ "recommended to leave this option unset."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ipa.5.xml:301 sssd-ad.5.xml:1015
++#: sssd-ipa.5.xml:301 sssd-ad.5.xml:1034
+ msgid ""
+ "Setting this option makes sense for environments where the DNS server is "
+ "different from the identity server."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ipa.5.xml:306 sssd-ad.5.xml:1020
++#: sssd-ipa.5.xml:306 sssd-ad.5.xml:1039
+ msgid ""
+ "Please note that this option will be only used in fallback attempt when "
+ "previous attempt using autodetected settings failed."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ipa.5.xml:311 sssd-ad.5.xml:1025
++#: sssd-ipa.5.xml:311 sssd-ad.5.xml:1044
+ msgid "Default: None (let nsupdate choose the server)"
+ msgstr ""
+ 
+@@ -8922,26 +9085,26 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ipa.5.xml:443 sssd-ad.5.xml:1034
++#: sssd-ipa.5.xml:443 sssd-ad.5.xml:1053
+ msgid "krb5_confd_path (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ipa.5.xml:446 sssd-ad.5.xml:1037
++#: sssd-ipa.5.xml:446 sssd-ad.5.xml:1056
+ msgid ""
+ "Absolute path of a directory where SSSD should place Kerberos configuration "
+ "snippets."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ipa.5.xml:450 sssd-ad.5.xml:1041
++#: sssd-ipa.5.xml:450 sssd-ad.5.xml:1060
+ msgid ""
+ "To disable the creation of the configuration snippets set the parameter to "
+ "'none'."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ipa.5.xml:454 sssd-ad.5.xml:1045
++#: sssd-ipa.5.xml:454 sssd-ad.5.xml:1064
+ msgid ""
+ "Default: not set (krb5.include.d subdirectory of SSSD's pubconf directory)"
+ msgstr ""
+@@ -8960,7 +9123,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ipa.5.xml:471 sssd-ipa.5.xml:501 sssd-ipa.5.xml:517 sssd-ad.5.xml:452
++#: sssd-ipa.5.xml:471 sssd-ipa.5.xml:501 sssd-ipa.5.xml:517 sssd-ad.5.xml:471
+ msgid "Default: 5 (seconds)"
+ msgstr ""
+ 
+@@ -9841,12 +10004,27 @@ msgid "Default: False (seconds)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ad.5.xml:442
++#: sssd-ad.5.xml:441
++msgid "ad_gpo_ignore_unreadable (boolean)"
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
++#: sssd-ad.5.xml:444
++msgid ""
++"Normally when some group policy containers (AD object) of applicable group "
++"policy objects are not readable by SSSD then users are denied access.  This "
++"option allows to ignore group policy containers and with them associated "
++"policies if their attributes in group policy containers are not readable for "
++"SSSD."
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
++#: sssd-ad.5.xml:461
+ msgid "ad_gpo_cache_timeout (integer)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:445
++#: sssd-ad.5.xml:464
+ msgid ""
+ "The amount of time between lookups of GPO policy files against the AD "
+ "server. This will reduce the latency and load on the AD server if there are "
+@@ -9854,12 +10032,12 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ad.5.xml:458
++#: sssd-ad.5.xml:477
+ msgid "ad_gpo_map_interactive (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:461
++#: sssd-ad.5.xml:480
+ msgid ""
+ "A comma-separated list of PAM service names for which GPO-based access "
+ "control is evaluated based on the InteractiveLogonRight and "
+@@ -9867,14 +10045,14 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:467
++#: sssd-ad.5.xml:486
+ msgid ""
+ "Note: Using the Group Policy Management Editor this value is called \"Allow "
+ "log on locally\" and \"Deny log on locally\"."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
+-#: sssd-ad.5.xml:481
++#: sssd-ad.5.xml:500
+ #, no-wrap
+ msgid ""
+ "ad_gpo_map_interactive = +my_pam_service, -login\n"
+@@ -9882,7 +10060,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:472
++#: sssd-ad.5.xml:491
+ msgid ""
+ "It is possible to add another PAM service name to the default set by using "
+ "<quote>+service_name</quote> or to explicitly remove a PAM service name from "
+@@ -9894,42 +10072,42 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd-ad.5.xml:504
++#: sssd-ad.5.xml:523
+ msgid "gdm-fingerprint"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd-ad.5.xml:524
++#: sssd-ad.5.xml:543
+ msgid "lightdm"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd-ad.5.xml:529
++#: sssd-ad.5.xml:548
+ msgid "lxdm"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd-ad.5.xml:534
++#: sssd-ad.5.xml:553
+ msgid "sddm"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd-ad.5.xml:539
++#: sssd-ad.5.xml:558
+ msgid "unity"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd-ad.5.xml:544
++#: sssd-ad.5.xml:563
+ msgid "xdm"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ad.5.xml:553
++#: sssd-ad.5.xml:572
+ msgid "ad_gpo_map_remote_interactive (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:556
++#: sssd-ad.5.xml:575
+ msgid ""
+ "A comma-separated list of PAM service names for which GPO-based access "
+ "control is evaluated based on the RemoteInteractiveLogonRight and "
+@@ -9937,7 +10115,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:562
++#: sssd-ad.5.xml:581
+ msgid ""
+ "Note: Using the Group Policy Management Editor this value is called \"Allow "
+ "log on through Remote Desktop Services\" and \"Deny log on through Remote "
+@@ -9945,7 +10123,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
+-#: sssd-ad.5.xml:577
++#: sssd-ad.5.xml:596
+ #, no-wrap
+ msgid ""
+ "ad_gpo_map_remote_interactive = +my_pam_service, -sshd\n"
+@@ -9953,7 +10131,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:568
++#: sssd-ad.5.xml:587
+ msgid ""
+ "It is possible to add another PAM service name to the default set by using "
+ "<quote>+service_name</quote> or to explicitly remove a PAM service name from "
+@@ -9965,22 +10143,22 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd-ad.5.xml:585
++#: sssd-ad.5.xml:604
+ msgid "sshd"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd-ad.5.xml:590
++#: sssd-ad.5.xml:609
+ msgid "cockpit"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ad.5.xml:599
++#: sssd-ad.5.xml:618
+ msgid "ad_gpo_map_network (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:602
++#: sssd-ad.5.xml:621
+ msgid ""
+ "A comma-separated list of PAM service names for which GPO-based access "
+ "control is evaluated based on the NetworkLogonRight and "
+@@ -9988,7 +10166,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:608
++#: sssd-ad.5.xml:627
+ msgid ""
+ "Note: Using the Group Policy Management Editor this value is called \"Access "
+ "this computer from the network\" and \"Deny access to this computer from the "
+@@ -9996,7 +10174,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
+-#: sssd-ad.5.xml:623
++#: sssd-ad.5.xml:642
+ #, no-wrap
+ msgid ""
+ "ad_gpo_map_network = +my_pam_service, -ftp\n"
+@@ -10004,7 +10182,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:614
++#: sssd-ad.5.xml:633
+ msgid ""
+ "It is possible to add another PAM service name to the default set by using "
+ "<quote>+service_name</quote> or to explicitly remove a PAM service name from "
+@@ -10016,22 +10194,22 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd-ad.5.xml:631
++#: sssd-ad.5.xml:650
+ msgid "ftp"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd-ad.5.xml:636
++#: sssd-ad.5.xml:655
+ msgid "samba"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ad.5.xml:645
++#: sssd-ad.5.xml:664
+ msgid "ad_gpo_map_batch (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:648
++#: sssd-ad.5.xml:667
+ msgid ""
+ "A comma-separated list of PAM service names for which GPO-based access "
+ "control is evaluated based on the BatchLogonRight and DenyBatchLogonRight "
+@@ -10039,14 +10217,14 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:654
++#: sssd-ad.5.xml:673
+ msgid ""
+ "Note: Using the Group Policy Management Editor this value is called \"Allow "
+ "log on as a batch job\" and \"Deny log on as a batch job\"."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
+-#: sssd-ad.5.xml:668
++#: sssd-ad.5.xml:687
+ #, no-wrap
+ msgid ""
+ "ad_gpo_map_batch = +my_pam_service, -crond\n"
+@@ -10054,7 +10232,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:659
++#: sssd-ad.5.xml:678
+ msgid ""
+ "It is possible to add another PAM service name to the default set by using "
+ "<quote>+service_name</quote> or to explicitly remove a PAM service name from "
+@@ -10066,23 +10244,23 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:671
++#: sssd-ad.5.xml:690
+ msgid ""
+ "Note: Cron service name may differ depending on Linux distribution used."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd-ad.5.xml:677
++#: sssd-ad.5.xml:696
+ msgid "crond"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ad.5.xml:686
++#: sssd-ad.5.xml:705
+ msgid "ad_gpo_map_service (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:689
++#: sssd-ad.5.xml:708
+ msgid ""
+ "A comma-separated list of PAM service names for which GPO-based access "
+ "control is evaluated based on the ServiceLogonRight and "
+@@ -10090,14 +10268,14 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:695
++#: sssd-ad.5.xml:714
+ msgid ""
+ "Note: Using the Group Policy Management Editor this value is called \"Allow "
+ "log on as a service\" and \"Deny log on as a service\"."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
+-#: sssd-ad.5.xml:708
++#: sssd-ad.5.xml:727
+ #, no-wrap
+ msgid ""
+ "ad_gpo_map_service = +my_pam_service\n"
+@@ -10105,7 +10283,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:700 sssd-ad.5.xml:775
++#: sssd-ad.5.xml:719 sssd-ad.5.xml:794
+ msgid ""
+ "It is possible to add a PAM service name to the default set by using <quote>"
+ "+service_name</quote>.  Since the default set is empty, it is not possible "
+@@ -10116,19 +10294,19 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ad.5.xml:718
++#: sssd-ad.5.xml:737
+ msgid "ad_gpo_map_permit (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:721
++#: sssd-ad.5.xml:740
+ msgid ""
+ "A comma-separated list of PAM service names for which GPO-based access is "
+ "always granted, regardless of any GPO Logon Rights."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
+-#: sssd-ad.5.xml:735
++#: sssd-ad.5.xml:754
+ #, no-wrap
+ msgid ""
+ "ad_gpo_map_permit = +my_pam_service, -sudo\n"
+@@ -10136,7 +10314,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:726
++#: sssd-ad.5.xml:745
+ msgid ""
+ "It is possible to add another PAM service name to the default set by using "
+ "<quote>+service_name</quote> or to explicitly remove a PAM service name from "
+@@ -10148,29 +10326,29 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd-ad.5.xml:743
++#: sssd-ad.5.xml:762
+ msgid "polkit-1"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd-ad.5.xml:758
++#: sssd-ad.5.xml:777
+ msgid "systemd-user"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ad.5.xml:767
++#: sssd-ad.5.xml:786
+ msgid "ad_gpo_map_deny (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:770
++#: sssd-ad.5.xml:789
+ msgid ""
+ "A comma-separated list of PAM service names for which GPO-based access is "
+ "always denied, regardless of any GPO Logon Rights."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
+-#: sssd-ad.5.xml:783
++#: sssd-ad.5.xml:802
+ #, no-wrap
+ msgid ""
+ "ad_gpo_map_deny = +my_pam_service\n"
+@@ -10178,12 +10356,12 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ad.5.xml:793
++#: sssd-ad.5.xml:812
+ msgid "ad_gpo_default_right (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:796
++#: sssd-ad.5.xml:815
+ msgid ""
+ "This option defines how access control is evaluated for PAM service names "
+ "that are not explicitly listed in one of the ad_gpo_map_* options. This "
+@@ -10196,57 +10374,57 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:809
++#: sssd-ad.5.xml:828
+ msgid "Supported values for this option include:"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd-ad.5.xml:813
++#: sssd-ad.5.xml:832
+ msgid "interactive"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd-ad.5.xml:818
++#: sssd-ad.5.xml:837
+ msgid "remote_interactive"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd-ad.5.xml:823
++#: sssd-ad.5.xml:842
+ msgid "network"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd-ad.5.xml:828
++#: sssd-ad.5.xml:847
+ msgid "batch"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd-ad.5.xml:833
++#: sssd-ad.5.xml:852
+ msgid "service"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd-ad.5.xml:838
++#: sssd-ad.5.xml:857
+ msgid "permit"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd-ad.5.xml:843
++#: sssd-ad.5.xml:862
+ msgid "deny"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:849
++#: sssd-ad.5.xml:868
+ msgid "Default: deny"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ad.5.xml:855
++#: sssd-ad.5.xml:874
+ msgid "ad_maximum_machine_account_password_age (integer)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:858
++#: sssd-ad.5.xml:877
+ msgid ""
+ "SSSD will check once a day if the machine account password is older than the "
+ "given age in days and try to renew it. A value of 0 will disable the renewal "
+@@ -10254,17 +10432,17 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:864
++#: sssd-ad.5.xml:883
+ msgid "Default: 30 days"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ad.5.xml:870
++#: sssd-ad.5.xml:889
+ msgid "ad_machine_account_password_renewal_opts (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:873
++#: sssd-ad.5.xml:892
+ msgid ""
+ "This option should only be used to test the machine account renewal task. "
+ "The option expects 2 integers separated by a colon (':'). The first integer "
+@@ -10274,12 +10452,12 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:882
++#: sssd-ad.5.xml:901
+ msgid "Default: 86400:750 (24h and 15m)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:891
++#: sssd-ad.5.xml:910
+ msgid ""
+ "Optional. This option tells SSSD to automatically update the Active "
+ "Directory DNS server with the IP address of this client. The update is "
+@@ -10290,19 +10468,19 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:921
++#: sssd-ad.5.xml:940
+ msgid "Default: 3600 (seconds)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:937
++#: sssd-ad.5.xml:956
+ msgid ""
+ "Default: Use the IP addresses of the interface which is used for AD LDAP "
+ "connection"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:950
++#: sssd-ad.5.xml:969
+ msgid ""
+ "How often should the back end perform periodic DNS update in addition to the "
+ "automatic update performed when the back end goes online.  This option is "
+@@ -10312,12 +10490,12 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:973 sss_rpcidmapd.5.xml:76
++#: sssd-ad.5.xml:992 sss_rpcidmapd.5.xml:76
+ msgid "Default: True"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd-ad.5.xml:1065
++#: sssd-ad.5.xml:1084
+ msgid ""
+ "The following example assumes that SSSD is correctly configured and example."
+ "com is one of the domains in the <replaceable>[sssd]</replaceable> section. "
+@@ -10325,7 +10503,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><programlisting>
+-#: sssd-ad.5.xml:1072
++#: sssd-ad.5.xml:1091
+ #, no-wrap
+ msgid ""
+ "[domain/EXAMPLE]\n"
+@@ -10340,7 +10518,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><programlisting>
+-#: sssd-ad.5.xml:1092
++#: sssd-ad.5.xml:1111
+ #, no-wrap
+ msgid ""
+ "access_provider = ldap\n"
+@@ -10349,7 +10527,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd-ad.5.xml:1088
++#: sssd-ad.5.xml:1107
+ msgid ""
+ "The AD access control provider checks if the account is expired.  It has the "
+ "same effect as the following configuration of the LDAP provider: "
+@@ -10357,7 +10535,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd-ad.5.xml:1098
++#: sssd-ad.5.xml:1117
+ msgid ""
+ "However, unless the <quote>ad</quote> access control provider is explicitly "
+ "configured, the default access provider is <quote>permit</quote>. Please "
+@@ -10367,7 +10545,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd-ad.5.xml:1106
++#: sssd-ad.5.xml:1125
+ msgid ""
+ "When the autofs provider is set to <quote>ad</quote>, the RFC2307 schema "
+ "attribute mapping (nisMap, nisObject, ...) is used, because these attributes "
+@@ -11825,23 +12003,59 @@ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd-krb5.5.xml:505
+-msgid "krb5_use_enterprise_principal (boolean)"
++msgid "krb5_kdcinfo_lookahead (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-krb5.5.xml:508
+ msgid ""
++"When krb5_use_kdcinfo is set to true, you can limit the amount of servers "
++"handed to <citerefentry> <refentrytitle>sssd_krb5_locator_plugin</"
++"refentrytitle> <manvolnum>8</manvolnum> </citerefentry>.  This might be "
++"helpful when there are too many servers discovered using SRV record."
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
++#: sssd-krb5.5.xml:518
++msgid ""
++"The krb5_kdcinfo_lookahead option contains two numbers seperated by a colon. "
++"The first number represents number of primary servers used and the second "
++"number specifies the number of backup servers."
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
++#: sssd-krb5.5.xml:524
++msgid ""
++"For example <emphasis>10:0</emphasis> means that up to 10 primary servers "
++"will be handed to <citerefentry> <refentrytitle>sssd_krb5_locator_plugin</"
++"refentrytitle> <manvolnum>8</manvolnum> </citerefentry>.  but no backup "
++"servers."
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
++#: sssd-krb5.5.xml:533
++msgid "Default: 3:1"
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
++#: sssd-krb5.5.xml:539
++msgid "krb5_use_enterprise_principal (boolean)"
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
++#: sssd-krb5.5.xml:542
++msgid ""
+ "Specifies if the user principal should be treated as enterprise principal. "
+ "See section 5 of RFC 6806 for more details about enterprise principals."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-krb5.5.xml:514
++#: sssd-krb5.5.xml:548
+ msgid "Default: false (AD provider: true)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-krb5.5.xml:517
++#: sssd-krb5.5.xml:551
+ msgid ""
+ "The IPA provider will set to option to 'true' if it detects that the server "
+ "is capable of handling enterprise principals and the option is not set "
+@@ -11849,12 +12063,12 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-krb5.5.xml:526
++#: sssd-krb5.5.xml:560
+ msgid "krb5_map_user (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-krb5.5.xml:529
++#: sssd-krb5.5.xml:563
+ msgid ""
+ "The list of mappings is given as a comma-separated list of pairs "
+ "<quote>username:primary</quote> where <quote>username</quote> is a UNIX user "
+@@ -11864,7 +12078,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
+-#: sssd-krb5.5.xml:541
++#: sssd-krb5.5.xml:575
+ #, no-wrap
+ msgid ""
+ "krb5_realm = REALM\n"
+@@ -11872,7 +12086,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-krb5.5.xml:546
++#: sssd-krb5.5.xml:580
+ msgid ""
+ "<quote>joe</quote> and <quote>dick</quote> are UNIX user names and "
+ "<quote>juser</quote> and <quote>richard</quote> are primaries of kerberos "
+@@ -11892,7 +12106,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd-krb5.5.xml:572
++#: sssd-krb5.5.xml:606
+ msgid ""
+ "The following example assumes that SSSD is correctly configured and FOO is "
+ "one of the domains in the <replaceable>[sssd]</replaceable> section. This "
+@@ -11901,7 +12115,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><programlisting>
+-#: sssd-krb5.5.xml:580
++#: sssd-krb5.5.xml:614
+ #, no-wrap
+ msgid ""
+ "[domain/FOO]\n"
+diff --git a/src/man/po/ru.po b/src/man/po/ru.po
+index d66bb2b7c..62beb499a 100644
+--- a/src/man/po/ru.po
++++ b/src/man/po/ru.po
+@@ -8,7 +8,7 @@ msgid ""
+ msgstr ""
+ "Project-Id-Version: sssd-docs 2.0.99\n"
+ "Report-Msgid-Bugs-To: sssd-devel@redhat.com\n"
+-"POT-Creation-Date: 2019-03-20 22:06+0100\n"
++"POT-Creation-Date: 2019-10-07 11:33+0200\n"
+ "PO-Revision-Date: 2014-12-15 12:07+0000\n"
+ "Last-Translator: Copied by Zanata <copied-by-zanata@zanata.org>\n"
+ "Language-Team: Russian (http://www.transifex.com/projects/p/sssd/language/"
+@@ -295,10 +295,10 @@ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:133 sssd.conf.5.xml:543 sssd.conf.5.xml:840
+-#: sssd.conf.5.xml:1566 sssd.conf.5.xml:1596 sssd-ldap.5.xml:1889
+-#: sssd-ldap.5.xml:1986 sssd-ldap.5.xml:2048 sssd-ldap.5.xml:2614
+-#: sssd-ldap.5.xml:2679 sssd-ldap.5.xml:2697 sssd-ad.5.xml:227
+-#: sssd-ad.5.xml:341 sssd-ad.5.xml:907 sssd-krb5.5.xml:499
++#: sssd.conf.5.xml:1566 sssd.conf.5.xml:1596 sssd-ldap.5.xml:1908
++#: sssd-ldap.5.xml:2006 sssd-ldap.5.xml:2068 sssd-ldap.5.xml:2634
++#: sssd-ldap.5.xml:2699 sssd-ldap.5.xml:2717 sssd-ad.5.xml:227
++#: sssd-ad.5.xml:341 sssd-ad.5.xml:926 sssd-krb5.5.xml:499
+ #: sssd-secrets.5.xml:351 sssd-secrets.5.xml:364
+ msgid "Default: true"
+ msgstr ""
+@@ -317,16 +317,16 @@ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:146 sssd.conf.5.xml:540 sssd.conf.5.xml:722
+-#: sssd.conf.5.xml:1499 sssd.conf.5.xml:3106 sssd-ldap.5.xml:746
+-#: sssd-ldap.5.xml:1752 sssd-ldap.5.xml:1771 sssd-ldap.5.xml:1958
+-#: sssd-ldap.5.xml:2384 sssd-ipa.5.xml:151 sssd-ipa.5.xml:238
++#: sssd.conf.5.xml:1499 sssd.conf.5.xml:3129 sssd-ldap.5.xml:746
++#: sssd-ldap.5.xml:1759 sssd-ldap.5.xml:1778 sssd-ldap.5.xml:1978
++#: sssd-ldap.5.xml:2404 sssd-ipa.5.xml:151 sssd-ipa.5.xml:238
+ #: sssd-ipa.5.xml:559 sssd-krb5.5.xml:266 sssd-krb5.5.xml:300
+ #: sssd-krb5.5.xml:471
+ msgid "Default: false"
+ msgstr "По умолчанию: false"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para>
+-#: sssd.conf.5.xml:106 sssd.conf.5.xml:157 sssd-ldap.5.xml:2422
++#: sssd.conf.5.xml:106 sssd.conf.5.xml:157 sssd-ldap.5.xml:2442
+ #: sssd-systemtap.5.xml:82 sssd-systemtap.5.xml:143 sssd-systemtap.5.xml:210
+ #: sssd-systemtap.5.xml:248 sssd-systemtap.5.xml:304
+ msgid "<placeholder type=\"variablelist\" id=\"0\"/>"
+@@ -351,8 +351,8 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:169 sssd.conf.5.xml:1377 sssd.conf.5.xml:3122
+-#: sssd-ldap.5.xml:1623 include/ldap_id_mapping.xml:264
++#: sssd.conf.5.xml:169 sssd.conf.5.xml:1377 sssd.conf.5.xml:3145
++#: sssd-ldap.5.xml:1630 include/ldap_id_mapping.xml:264
+ msgid "Default: 10"
+ msgstr "По умолчанию: 10"
+ 
+@@ -367,7 +367,7 @@ msgid "The [sssd] section"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><title>
+-#: sssd.conf.5.xml:191 sssd.conf.5.xml:3211
++#: sssd.conf.5.xml:191 sssd.conf.5.xml:3234
+ msgid "Section parameters"
+ msgstr ""
+ 
+@@ -447,7 +447,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:259 sssd.conf.5.xml:2672
++#: sssd.conf.5.xml:259 sssd.conf.5.xml:2680
+ msgid "re_expression (string)"
+ msgstr ""
+ 
+@@ -467,12 +467,12 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:276 sssd.conf.5.xml:2720
++#: sssd.conf.5.xml:276 sssd.conf.5.xml:2728
+ msgid "full_name_format (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:279 sssd.conf.5.xml:2723
++#: sssd.conf.5.xml:279 sssd.conf.5.xml:2731
+ msgid ""
+ "A <citerefentry> <refentrytitle>printf</refentrytitle> <manvolnum>3</"
+ "manvolnum> </citerefentry>-compatible format that describes how to compose a "
+@@ -480,39 +480,39 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:290 sssd.conf.5.xml:2734
++#: sssd.conf.5.xml:290 sssd.conf.5.xml:2742
+ msgid "%1$s"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:291 sssd.conf.5.xml:2735
++#: sssd.conf.5.xml:291 sssd.conf.5.xml:2743
+ msgid "user name"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:294 sssd.conf.5.xml:2738
++#: sssd.conf.5.xml:294 sssd.conf.5.xml:2746
+ msgid "%2$s"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:297 sssd.conf.5.xml:2741
++#: sssd.conf.5.xml:297 sssd.conf.5.xml:2749
+ msgid "domain name as specified in the SSSD config file."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:303 sssd.conf.5.xml:2747
++#: sssd.conf.5.xml:303 sssd.conf.5.xml:2755
+ msgid "%3$s"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:306 sssd.conf.5.xml:2750
++#: sssd.conf.5.xml:306 sssd.conf.5.xml:2758
+ msgid ""
+ "domain flat name. Mostly usable for Active Directory domains, both directly "
+ "configured or discovered via IPA trusts."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:287 sssd.conf.5.xml:2731
++#: sssd.conf.5.xml:287 sssd.conf.5.xml:2739
+ msgid ""
+ "The following expansions are supported: <placeholder type=\"variablelist\" "
+ "id=\"0\"/>"
+@@ -637,9 +637,9 @@ msgstr ""
+ 
+ #. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:418 sssd.conf.5.xml:1166 sssd-ldap.5.xml:717
+-#: sssd-ldap.5.xml:1357 sssd-ldap.5.xml:1711 sssd-ldap.5.xml:1723
+-#: sssd-ldap.5.xml:1805 sssd-ad.5.xml:712 sssd-ad.5.xml:787 sssd.8.xml:126
+-#: sssd-krb5.5.xml:410 sssd-krb5.5.xml:556 sssd-secrets.5.xml:339
++#: sssd-ldap.5.xml:1357 sssd-ldap.5.xml:1718 sssd-ldap.5.xml:1730
++#: sssd-ldap.5.xml:1822 sssd-ad.5.xml:731 sssd-ad.5.xml:806 sssd.8.xml:126
++#: sssd-krb5.5.xml:410 sssd-krb5.5.xml:590 sssd-secrets.5.xml:339
+ #: sssd-secrets.5.xml:377 sssd-secrets.5.xml:390 sssd-secrets.5.xml:404
+ #: sssd-secrets.5.xml:415 include/ldap_id_mapping.xml:205
+ #: include/ldap_id_mapping.xml:216
+@@ -830,7 +830,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:588 sssd.conf.5.xml:1389 sssd.conf.5.xml:3172
++#: sssd.conf.5.xml:588 sssd.conf.5.xml:1389 sssd.conf.5.xml:3195
+ #: sssd-ad.5.xml:164 sssd-ad.5.xml:302 sssd-ad.5.xml:316
+ msgid "Default: Not set"
+ msgstr ""
+@@ -1152,7 +1152,7 @@ msgstr ""
+ 
+ #. type: Content of: <varlistentry><listitem><para>
+ #: sssd.conf.5.xml:859 sssd.conf.5.xml:1299 sssd.conf.5.xml:1318
+-#: sssd-krb5.5.xml:539 include/override_homedir.xml:59
++#: sssd-krb5.5.xml:573 include/override_homedir.xml:59
+ msgid "example: <placeholder type=\"programlisting\" id=\"0\"/>"
+ msgstr ""
+ 
+@@ -1573,7 +1573,7 @@ msgid "pam_pwd_expiration_warning (integer)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:1201 sssd.conf.5.xml:2153
++#: sssd.conf.5.xml:1201 sssd.conf.5.xml:2161
+ msgid "Display a warning N days before the password expires."
+ msgstr ""
+ 
+@@ -1586,7 +1586,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:1210 sssd.conf.5.xml:2156
++#: sssd.conf.5.xml:1210 sssd.conf.5.xml:2164
+ msgid ""
+ "If zero is set, then this filter is not applied, i.e. if the expiration "
+ "warning was received from backend server, it will automatically be displayed."
+@@ -1600,7 +1600,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:1220 sssd.conf.5.xml:2976 sssd.8.xml:79
++#: sssd.conf.5.xml:1220 sssd.conf.5.xml:2991 sssd.8.xml:79
+ msgid "Default: 0"
+ msgstr ""
+ 
+@@ -1663,7 +1663,7 @@ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:1280 sssd.conf.5.xml:1305 sssd.conf.5.xml:1324
+-#: sssd.conf.5.xml:1950 sssd.conf.5.xml:2912 sssd-ldap.5.xml:2017
++#: sssd.conf.5.xml:1950 sssd.conf.5.xml:2920 sssd-ldap.5.xml:2037
+ msgid "Default: none"
+ msgstr ""
+ 
+@@ -1728,9 +1728,9 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:1338 sssd.conf.5.xml:3056 sssd-ldap.5.xml:1125
+-#: sssd-ldap.5.xml:1152 sssd-ldap.5.xml:1552 sssd-ldap.5.xml:1573
+-#: sssd-ldap.5.xml:2090 include/ldap_id_mapping.xml:244
++#: sssd.conf.5.xml:1338 sssd-ldap.5.xml:1125 sssd-ldap.5.xml:1152
++#: sssd-ldap.5.xml:1552 sssd-ldap.5.xml:1573 sssd-ldap.5.xml:2110
++#: sssd-ad.5.xml:453 include/ldap_id_mapping.xml:244
+ msgid "Default: False"
+ msgstr ""
+ 
+@@ -1828,48 +1828,48 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:1416 sssd-ad.5.xml:485 sssd-ad.5.xml:581 sssd-ad.5.xml:627
+-#: sssd-ad.5.xml:673 sssd-ad.5.xml:739
++#: sssd.conf.5.xml:1416 sssd-ad.5.xml:504 sssd-ad.5.xml:600 sssd-ad.5.xml:646
++#: sssd-ad.5.xml:692 sssd-ad.5.xml:758
+ msgid "Default: the default set of PAM service names includes:"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd.conf.5.xml:1421 sssd-ad.5.xml:489
++#: sssd.conf.5.xml:1421 sssd-ad.5.xml:508
+ msgid "login"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd.conf.5.xml:1426 sssd-ad.5.xml:494
++#: sssd.conf.5.xml:1426 sssd-ad.5.xml:513
+ msgid "su"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd.conf.5.xml:1431 sssd-ad.5.xml:499
++#: sssd.conf.5.xml:1431 sssd-ad.5.xml:518
+ msgid "su-l"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd.conf.5.xml:1436 sssd-ad.5.xml:514
++#: sssd.conf.5.xml:1436 sssd-ad.5.xml:533
+ msgid "gdm-smartcard"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd.conf.5.xml:1441 sssd-ad.5.xml:509
++#: sssd.conf.5.xml:1441 sssd-ad.5.xml:528
+ msgid "gdm-password"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd.conf.5.xml:1446 sssd-ad.5.xml:519
++#: sssd.conf.5.xml:1446 sssd-ad.5.xml:538
+ msgid "kdm"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd.conf.5.xml:1451 sssd-ad.5.xml:748
++#: sssd.conf.5.xml:1451 sssd-ad.5.xml:767
+ msgid "sudo"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd.conf.5.xml:1456 sssd-ad.5.xml:753
++#: sssd.conf.5.xml:1456 sssd-ad.5.xml:772
+ msgid "sudo-i"
+ msgstr ""
+ 
+@@ -2312,7 +2312,7 @@ msgid "FALSE = No enumerations for this domain"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:1886 sssd.conf.5.xml:2108 sssd.conf.5.xml:2283
++#: sssd.conf.5.xml:1886 sssd.conf.5.xml:2116 sssd.conf.5.xml:2291
+ msgid "Default: FALSE"
+ msgstr "По умолчанию: FALSE"
+ 
+@@ -2528,41 +2528,49 @@ msgstr ""
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:2083
+ msgid ""
+-"The background refresh will process users, groups and netgroups in the cache."
++"The background refresh will process users, groups and netgroups in the "
++"cache. For users who have performed the initgroups (get group membership for "
++"user, typically ran at login)  operation in the past, both the user entry "
++"and the group membership are updated."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2087
++#: sssd.conf.5.xml:2091
++msgid "This option is automatically inherited for all trusted domains."
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
++#: sssd.conf.5.xml:2095
+ msgid "You can consider setting this value to 3/4 * entry_cache_timeout."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2091 sssd-ldap.5.xml:784 sssd-ipa.5.xml:254
++#: sssd.conf.5.xml:2099 sssd-ldap.5.xml:784 sssd-ipa.5.xml:254
+ msgid "Default: 0 (disabled)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2097
++#: sssd.conf.5.xml:2105
+ msgid "cache_credentials (bool)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2100
++#: sssd.conf.5.xml:2108
+ msgid "Determines if user credentials are also cached in the local LDB cache"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2104
++#: sssd.conf.5.xml:2112
+ msgid "User credentials are stored in a SHA512 hash, not in plaintext"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2114
++#: sssd.conf.5.xml:2122
+ msgid "cache_credentials_minimal_first_factor_length (int)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2117
++#: sssd.conf.5.xml:2125
+ msgid ""
+ "If 2-Factor-Authentication (2FA) is used and credentials should be saved "
+ "this value determines the minimal length the first authentication factor "
+@@ -2570,24 +2578,24 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2124
++#: sssd.conf.5.xml:2132
+ msgid ""
+ "This should avoid that the short PINs of a PIN based 2FA scheme are saved in "
+ "the cache which would make them easy targets for brute-force attacks."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2129
++#: sssd.conf.5.xml:2137
+ msgid "Default: 8"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2135
++#: sssd.conf.5.xml:2143
+ msgid "account_cache_expiration (integer)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2138
++#: sssd.conf.5.xml:2146
+ msgid ""
+ "Number of days entries are left in cache after last successful login before "
+ "being removed during a cleanup of the cache. 0 means keep forever.  The "
+@@ -2596,17 +2604,17 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2145
++#: sssd.conf.5.xml:2153
+ msgid "Default: 0 (unlimited)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2150
++#: sssd.conf.5.xml:2158
+ msgid "pwd_expiration_warning (integer)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2161
++#: sssd.conf.5.xml:2169
+ msgid ""
+ "Please note that the backend server has to provide information about the "
+ "expiration time of the password.  If this information is missing, sssd "
+@@ -2615,34 +2623,34 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2168
++#: sssd.conf.5.xml:2176
+ msgid "Default: 7 (Kerberos), 0 (LDAP)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2174
++#: sssd.conf.5.xml:2182
+ msgid "id_provider (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2177
++#: sssd.conf.5.xml:2185
+ msgid ""
+ "The identification provider used for the domain.  Supported ID providers are:"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2181
++#: sssd.conf.5.xml:2189
+ msgid "<quote>proxy</quote>: Support a legacy NSS provider."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2184
++#: sssd.conf.5.xml:2192
+ msgid ""
+ "<quote>local</quote>: SSSD internal provider for local users (DEPRECATED)."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2188
++#: sssd.conf.5.xml:2196
+ msgid ""
+ "<quote>files</quote>: FILES provider. See <citerefentry> <refentrytitle>sssd-"
+ "files</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> for more "
+@@ -2650,7 +2658,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2196
++#: sssd.conf.5.xml:2204
+ msgid ""
+ "<quote>ldap</quote>: LDAP provider. See <citerefentry> <refentrytitle>sssd-"
+ "ldap</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> for more "
+@@ -2658,8 +2666,8 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2204 sssd.conf.5.xml:2309 sssd.conf.5.xml:2364
+-#: sssd.conf.5.xml:2427
++#: sssd.conf.5.xml:2212 sssd.conf.5.xml:2317 sssd.conf.5.xml:2372
++#: sssd.conf.5.xml:2435
+ msgid ""
+ "<quote>ipa</quote>: FreeIPA and Red Hat Enterprise Identity Management "
+ "provider. See <citerefentry> <refentrytitle>sssd-ipa</refentrytitle> "
+@@ -2668,8 +2676,8 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2213 sssd.conf.5.xml:2318 sssd.conf.5.xml:2373
+-#: sssd.conf.5.xml:2436
++#: sssd.conf.5.xml:2221 sssd.conf.5.xml:2326 sssd.conf.5.xml:2381
++#: sssd.conf.5.xml:2444
+ msgid ""
+ "<quote>ad</quote>: Active Directory provider. See <citerefentry> "
+ "<refentrytitle>sssd-ad</refentrytitle> <manvolnum>5</manvolnum> </"
+@@ -2677,19 +2685,19 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2224
++#: sssd.conf.5.xml:2232
+ msgid "use_fully_qualified_names (bool)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2227
++#: sssd.conf.5.xml:2235
+ msgid ""
+ "Use the full name and domain (as formatted by the domain's full_name_format) "
+ "as the user's login name reported to NSS."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2232
++#: sssd.conf.5.xml:2240
+ msgid ""
+ "If set to TRUE, all requests to this domain must use fully qualified names. "
+ "For example, if used in LOCAL domain that contains a \"test\" user, "
+@@ -2698,7 +2706,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2240
++#: sssd.conf.5.xml:2248
+ msgid ""
+ "NOTE: This option has no effect on netgroup lookups due to their tendency to "
+ "include nested netgroups without qualified names. For netgroups, all domains "
+@@ -2706,22 +2714,22 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2247
++#: sssd.conf.5.xml:2255
+ msgid "Default: FALSE (TRUE if default_domain_suffix is used)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2253
++#: sssd.conf.5.xml:2261
+ msgid "ignore_group_members (bool)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2256
++#: sssd.conf.5.xml:2264
+ msgid "Do not return group members for group lookups."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2259
++#: sssd.conf.5.xml:2267
+ msgid ""
+ "If set to TRUE, the group membership attribute is not requested from the "
+ "ldap server, and group members are not returned when processing group lookup "
+@@ -2733,7 +2741,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2277
++#: sssd.conf.5.xml:2285
+ msgid ""
+ "Enabling this option can also make access provider checks for group "
+ "membership significantly faster, especially for groups containing many "
+@@ -2741,19 +2749,19 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2288
++#: sssd.conf.5.xml:2296
+ msgid "auth_provider (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2291
++#: sssd.conf.5.xml:2299
+ msgid ""
+ "The authentication provider used for the domain.  Supported auth providers "
+ "are:"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2295 sssd.conf.5.xml:2357
++#: sssd.conf.5.xml:2303 sssd.conf.5.xml:2365
+ msgid ""
+ "<quote>ldap</quote> for native LDAP authentication. See <citerefentry> "
+ "<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
+@@ -2761,7 +2769,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2302
++#: sssd.conf.5.xml:2310
+ msgid ""
+ "<quote>krb5</quote> for Kerberos authentication. See <citerefentry> "
+ "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </"
+@@ -2769,35 +2777,35 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2326
++#: sssd.conf.5.xml:2334
+ msgid ""
+ "<quote>proxy</quote> for relaying authentication to some other PAM target."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2329
++#: sssd.conf.5.xml:2337
+ msgid "<quote>local</quote>: SSSD internal provider for local users"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2333
++#: sssd.conf.5.xml:2341
+ msgid "<quote>none</quote> disables authentication explicitly."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2336
++#: sssd.conf.5.xml:2344
+ msgid ""
+ "Default: <quote>id_provider</quote> is used if it is set and can handle "
+ "authentication requests."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2342
++#: sssd.conf.5.xml:2350
+ msgid "access_provider (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2345
++#: sssd.conf.5.xml:2353
+ msgid ""
+ "The access control provider used for the domain.  There are two built-in "
+ "access providers (in addition to any included in installed backends)  "
+@@ -2805,19 +2813,19 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2351
++#: sssd.conf.5.xml:2359
+ msgid ""
+ "<quote>permit</quote> always allow access. It's the only permitted access "
+ "provider for a local domain."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2354
++#: sssd.conf.5.xml:2362
+ msgid "<quote>deny</quote> always deny access."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2381
++#: sssd.conf.5.xml:2389
+ msgid ""
+ "<quote>simple</quote> access control based on access or deny lists. See "
+ "<citerefentry> <refentrytitle>sssd-simple</refentrytitle> <manvolnum>5</"
+@@ -2826,7 +2834,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2388
++#: sssd.conf.5.xml:2396
+ msgid ""
+ "<quote>krb5</quote>: .k5login based access control.  See <citerefentry> "
+ "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum></"
+@@ -2834,29 +2842,29 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2395
++#: sssd.conf.5.xml:2403
+ msgid "<quote>proxy</quote> for relaying access control to another PAM module."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2398
++#: sssd.conf.5.xml:2406
+ msgid "Default: <quote>permit</quote>"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2403
++#: sssd.conf.5.xml:2411
+ msgid "chpass_provider (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2406
++#: sssd.conf.5.xml:2414
+ msgid ""
+ "The provider which should handle change password operations for the domain.  "
+ "Supported change password providers are:"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2411
++#: sssd.conf.5.xml:2419
+ msgid ""
+ "<quote>ldap</quote> to change a password stored in a LDAP server. See "
+ "<citerefentry> <refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</"
+@@ -2864,7 +2872,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2419
++#: sssd.conf.5.xml:2427
+ msgid ""
+ "<quote>krb5</quote> to change the Kerberos password. See <citerefentry> "
+ "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </"
+@@ -2872,35 +2880,35 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2444
++#: sssd.conf.5.xml:2452
+ msgid ""
+ "<quote>proxy</quote> for relaying password changes to some other PAM target."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2448
++#: sssd.conf.5.xml:2456
+ msgid "<quote>none</quote> disallows password changes explicitly."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2451
++#: sssd.conf.5.xml:2459
+ msgid ""
+ "Default: <quote>auth_provider</quote> is used if it is set and can handle "
+ "change password requests."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2458
++#: sssd.conf.5.xml:2466
+ msgid "sudo_provider (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2461
++#: sssd.conf.5.xml:2469
+ msgid "The SUDO provider used for the domain.  Supported SUDO providers are:"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2465
++#: sssd.conf.5.xml:2473
+ msgid ""
+ "<quote>ldap</quote> for rules stored in LDAP. See <citerefentry> "
+ "<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
+@@ -2908,32 +2916,32 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2473
++#: sssd.conf.5.xml:2481
+ msgid ""
+ "<quote>ipa</quote> the same as <quote>ldap</quote> but with IPA default "
+ "settings."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2477
++#: sssd.conf.5.xml:2485
+ msgid ""
+ "<quote>ad</quote> the same as <quote>ldap</quote> but with AD default "
+ "settings."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2481
++#: sssd.conf.5.xml:2489
+ msgid "<quote>none</quote> disables SUDO explicitly."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2484 sssd.conf.5.xml:2570 sssd.conf.5.xml:2640
+-#: sssd.conf.5.xml:2665
++#: sssd.conf.5.xml:2492 sssd.conf.5.xml:2578 sssd.conf.5.xml:2648
++#: sssd.conf.5.xml:2673
+ msgid "Default: The value of <quote>id_provider</quote> is used if it is set."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2488
++#: sssd.conf.5.xml:2496
+ msgid ""
+ "The detailed instructions for configuration of sudo_provider are in the "
+ "manual page <citerefentry> <refentrytitle>sssd-sudo</refentrytitle> "
+@@ -2944,7 +2952,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2503
++#: sssd.conf.5.xml:2511
+ msgid ""
+ "<emphasis>NOTE:</emphasis> Sudo rules are periodically downloaded in the "
+ "background unless the sudo provider is explicitly disabled. Set "
+@@ -2953,12 +2961,12 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2513
++#: sssd.conf.5.xml:2521
+ msgid "selinux_provider (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2516
++#: sssd.conf.5.xml:2524
+ msgid ""
+ "The provider which should handle loading of selinux settings. Note that this "
+ "provider will be called right after access provider ends.  Supported selinux "
+@@ -2966,7 +2974,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2522
++#: sssd.conf.5.xml:2530
+ msgid ""
+ "<quote>ipa</quote> to load selinux settings from an IPA server. See "
+ "<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</"
+@@ -2974,31 +2982,31 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2530
++#: sssd.conf.5.xml:2538
+ msgid "<quote>none</quote> disallows fetching selinux settings explicitly."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2533
++#: sssd.conf.5.xml:2541
+ msgid ""
+ "Default: <quote>id_provider</quote> is used if it is set and can handle "
+ "selinux loading requests."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2539
++#: sssd.conf.5.xml:2547
+ msgid "subdomains_provider (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2542
++#: sssd.conf.5.xml:2550
+ msgid ""
+ "The provider which should handle fetching of subdomains. This value should "
+ "be always the same as id_provider.  Supported subdomain providers are:"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2548
++#: sssd.conf.5.xml:2556
+ msgid ""
+ "<quote>ipa</quote> to load a list of subdomains from an IPA server. See "
+ "<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</"
+@@ -3006,7 +3014,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2557
++#: sssd.conf.5.xml:2565
+ msgid ""
+ "<quote>ad</quote> to load a list of subdomains from an Active Directory "
+ "server. See <citerefentry> <refentrytitle>sssd-ad</refentrytitle> "
+@@ -3015,17 +3023,17 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2566
++#: sssd.conf.5.xml:2574
+ msgid "<quote>none</quote> disallows fetching subdomains explicitly."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2576
++#: sssd.conf.5.xml:2584
+ msgid "session_provider (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2579
++#: sssd.conf.5.xml:2587
+ msgid ""
+ "The provider which configures and manages user session related tasks. The "
+ "only user session task currently provided is the integration with Fleet "
+@@ -3033,43 +3041,43 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2586
++#: sssd.conf.5.xml:2594
+ msgid "<quote>ipa</quote> to allow performing user session related tasks."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2590
++#: sssd.conf.5.xml:2598
+ msgid ""
+ "<quote>none</quote> does not perform any kind of user session related tasks."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2594
++#: sssd.conf.5.xml:2602
+ msgid ""
+ "Default: <quote>id_provider</quote> is used if it is set and can perform "
+ "session related tasks."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2598
++#: sssd.conf.5.xml:2606
+ msgid ""
+ "<emphasis>NOTE:</emphasis> In order to have this feature working as expected "
+ "SSSD must be running as \"root\" and not as the unprivileged user."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2606
++#: sssd.conf.5.xml:2614
+ msgid "autofs_provider (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2609
++#: sssd.conf.5.xml:2617
+ msgid ""
+ "The autofs provider used for the domain.  Supported autofs providers are:"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2613
++#: sssd.conf.5.xml:2621
+ msgid ""
+ "<quote>ldap</quote> to load maps stored in LDAP. See <citerefentry> "
+ "<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
+@@ -3077,7 +3085,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2620
++#: sssd.conf.5.xml:2628
+ msgid ""
+ "<quote>ipa</quote> to load maps stored in an IPA server. See <citerefentry> "
+ "<refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</manvolnum> </"
+@@ -3085,7 +3093,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2628
++#: sssd.conf.5.xml:2636
+ msgid ""
+ "<quote>ad</quote> to load maps stored in an AD server. See <citerefentry> "
+ "<refentrytitle>sssd-ad</refentrytitle> <manvolnum>5</manvolnum> </"
+@@ -3093,24 +3101,24 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2637
++#: sssd.conf.5.xml:2645
+ msgid "<quote>none</quote> disables autofs explicitly."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2647
++#: sssd.conf.5.xml:2655
+ msgid "hostid_provider (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2650
++#: sssd.conf.5.xml:2658
+ msgid ""
+ "The provider used for retrieving host identity information.  Supported "
+ "hostid providers are:"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2654
++#: sssd.conf.5.xml:2662
+ msgid ""
+ "<quote>ipa</quote> to load host identity stored in an IPA server. See "
+ "<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</"
+@@ -3118,12 +3126,12 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2662
++#: sssd.conf.5.xml:2670
+ msgid "<quote>none</quote> disables hostid explicitly."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2675
++#: sssd.conf.5.xml:2683
+ msgid ""
+ "Regular expression for this domain that describes how to parse the string "
+ "containing user name and domain into these components.  The \"domain\" can "
+@@ -3133,7 +3141,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2684
++#: sssd.conf.5.xml:2692
+ msgid ""
+ "Default for the AD and IPA provider: <quote>(((?P&lt;domain&gt;[^\\\\]+)\\"
+ "\\(?P&lt;name&gt;.+$))|((?P&lt;name&gt;[^@]+)@(?P&lt;domain&gt;.+$))|(^(?"
+@@ -3142,29 +3150,29 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd.conf.5.xml:2689
++#: sssd.conf.5.xml:2697
+ msgid "username"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd.conf.5.xml:2692
++#: sssd.conf.5.xml:2700
+ msgid "username@domain.name"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd.conf.5.xml:2695
++#: sssd.conf.5.xml:2703
+ msgid "domain\\username"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2698
++#: sssd.conf.5.xml:2706
+ msgid ""
+ "While the first two correspond to the general default the third one is "
+ "introduced to allow easy integration of users from Windows domains."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2703
++#: sssd.conf.5.xml:2711
+ msgid ""
+ "Default: <quote>(?P&lt;name&gt;[^@]+)@?(?P&lt;domain&gt;[^@]*$)</quote> "
+ "which translates to \"the name is everything up to the <quote>@</quote> "
+@@ -3172,7 +3180,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2709
++#: sssd.conf.5.xml:2717
+ msgid ""
+ "NOTE: Some Active Directory groups, typically those used for MS Exchange "
+ "contain an <quote>@</quote> sign in the name, which clashes with the default "
+@@ -3182,59 +3190,59 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2760
++#: sssd.conf.5.xml:2768
+ msgid "Default: <quote>%1$s@%2$s</quote>."
+ msgstr "По умолчанию: <quote>%1$s@%2$s</quote>."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2766
++#: sssd.conf.5.xml:2774
+ msgid "lookup_family_order (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2769
++#: sssd.conf.5.xml:2777
+ msgid ""
+ "Provides the ability to select preferred address family to use when "
+ "performing DNS lookups."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2773
++#: sssd.conf.5.xml:2781
+ msgid "Supported values:"
+ msgstr "Поддерживаемые значения:"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2776
++#: sssd.conf.5.xml:2784
+ msgid "ipv4_first: Try looking up IPv4 address, if that fails, try IPv6"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2779
++#: sssd.conf.5.xml:2787
+ msgid "ipv4_only: Only attempt to resolve hostnames to IPv4 addresses."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2782
++#: sssd.conf.5.xml:2790
+ msgid "ipv6_first: Try looking up IPv6 address, if that fails, try IPv4"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2785
++#: sssd.conf.5.xml:2793
+ msgid "ipv6_only: Only attempt to resolve hostnames to IPv6 addresses."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2788
++#: sssd.conf.5.xml:2796
+ msgid "Default: ipv4_first"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2794
++#: sssd.conf.5.xml:2802
+ msgid "dns_resolver_timeout (integer)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2797
++#: sssd.conf.5.xml:2805
+ msgid ""
+ "Defines the amount of time (in seconds) to wait for a reply from the "
+ "internal fail over service before assuming that the service is unreachable. "
+@@ -3243,77 +3251,77 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2804
++#: sssd.conf.5.xml:2812
+ msgid ""
+ "Please see the section <quote>FAILOVER</quote> for more information about "
+ "the service resolution."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2809 sssd-ldap.5.xml:1434 sssd-ldap.5.xml:1476
++#: sssd.conf.5.xml:2817 sssd-ldap.5.xml:1434 sssd-ldap.5.xml:1476
+ #: sssd-ldap.5.xml:1494 sssd-krb5.5.xml:248
+ msgid "Default: 6"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2815
++#: sssd.conf.5.xml:2823
+ msgid "dns_discovery_domain (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2818
++#: sssd.conf.5.xml:2826
+ msgid ""
+ "If service discovery is used in the back end, specifies the domain part of "
+ "the service discovery DNS query."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2822
++#: sssd.conf.5.xml:2830
+ msgid "Default: Use the domain part of machine's hostname"
+ msgstr "По умолчанию: использовать доменное имя из hostname"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2828
++#: sssd.conf.5.xml:2836
+ msgid "override_gid (integer)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2831
++#: sssd.conf.5.xml:2839
+ msgid "Override the primary GID value with the one specified."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2837
++#: sssd.conf.5.xml:2845
+ msgid "case_sensitive (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2845
++#: sssd.conf.5.xml:2853
+ msgid "True"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2848
++#: sssd.conf.5.xml:2856
+ msgid "Case sensitive. This value is invalid for AD provider."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2854
++#: sssd.conf.5.xml:2862
+ msgid "False"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2856
++#: sssd.conf.5.xml:2864
+ msgid "Case insensitive."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2860
++#: sssd.conf.5.xml:2868
+ msgid "Preserving"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2863
++#: sssd.conf.5.xml:2871
+ msgid ""
+ "Same as False (case insensitive), but does not lowercase names in the result "
+ "of NSS operations. Note that name aliases (and in case of services also "
+@@ -3321,7 +3329,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2840
++#: sssd.conf.5.xml:2848
+ msgid ""
+ "Treat user and group names as case sensitive. At the moment, this option is "
+ "not supported in the local provider. Possible option values are: "
+@@ -3329,17 +3337,17 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2875
++#: sssd.conf.5.xml:2883
+ msgid "Default: True (False for AD provider)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2881
++#: sssd.conf.5.xml:2889
+ msgid "subdomain_inherit (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2884
++#: sssd.conf.5.xml:2892
+ msgid ""
+ "Specifies a list of configuration parameters that should be inherited by a "
+ "subdomain. Please note that only selected parameters can be inherited.  "
+@@ -3347,34 +3355,34 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2890
++#: sssd.conf.5.xml:2898
+ msgid "ignore_group_members"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2893
++#: sssd.conf.5.xml:2901
+ msgid "ldap_purge_cache_timeout"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2896 sssd-ldap.5.xml:1158
++#: sssd.conf.5.xml:2904 sssd-ldap.5.xml:1158
+ msgid "ldap_use_tokengroups"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2899
++#: sssd.conf.5.xml:2907
+ msgid "ldap_user_principal"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2902
++#: sssd.conf.5.xml:2910
+ msgid ""
+ "ldap_krb5_keytab (the value of krb5_keytab will be used if ldap_krb5_keytab "
+ "is not set explicitly)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
+-#: sssd.conf.5.xml:2908
++#: sssd.conf.5.xml:2916
+ #, no-wrap
+ msgid ""
+ "subdomain_inherit = ldap_purge_cache_timeout\n"
+@@ -3382,32 +3390,32 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2906 sssd-secrets.5.xml:448
++#: sssd.conf.5.xml:2914 sssd-secrets.5.xml:448
+ msgid "Example: <placeholder type=\"programlisting\" id=\"0\"/>"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2915
++#: sssd.conf.5.xml:2923
+ msgid "Note: This option only works with the IPA and AD provider."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2922
++#: sssd.conf.5.xml:2930
+ msgid "subdomain_homedir (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2933
++#: sssd.conf.5.xml:2941
+ msgid "%F"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2934
++#: sssd.conf.5.xml:2942
+ msgid "flat (NetBIOS) name of a subdomain."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2925
++#: sssd.conf.5.xml:2933
+ msgid ""
+ "Use this homedir as default value for all subdomains within this domain in "
+ "IPA AD trust.  See <emphasis>override_homedir</emphasis> for info about "
+@@ -3417,47 +3425,55 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2939
++#: sssd.conf.5.xml:2947
+ msgid ""
+ "The value can be overridden by <emphasis>override_homedir</emphasis> option."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2943
++#: sssd.conf.5.xml:2951
+ msgid "Default: <filename>/home/%d/%u</filename>"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2948
++#: sssd.conf.5.xml:2956
+ msgid "realmd_tags (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2951
++#: sssd.conf.5.xml:2959
+ msgid ""
+ "Various tags stored by the realmd configuration service for this domain."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2957
++#: sssd.conf.5.xml:2965
+ msgid "cached_auth_timeout (int)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2960
++#: sssd.conf.5.xml:2968
+ msgid ""
+ "Specifies time in seconds since last successful online authentication for "
+ "which user will be authenticated using cached credentials while SSSD is in "
+-"the online mode."
++"the online mode. If the credentials are incorrect, SSSD falls back to online "
++"authentication."
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
++#: sssd.conf.5.xml:2976
++msgid ""
++"This option's value is inherited by all trusted domains. At the moment it is "
++"not possible to set a different value per trusted domain."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2966
++#: sssd.conf.5.xml:2981
+ msgid "Special value 0 implies that this feature is disabled."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2970
++#: sssd.conf.5.xml:2985
+ msgid ""
+ "Please note that if <quote>cached_auth_timeout</quote> is longer than "
+ "<quote>pam_id_timeout</quote> then the back end could be called to handle "
+@@ -3465,41 +3481,50 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2981
++#: sssd.conf.5.xml:2996
+ msgid "auto_private_groups (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2987
++#: sssd.conf.5.xml:3002
+ msgid "true"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2990
++#: sssd.conf.5.xml:3005
+ msgid ""
+ "Create user's private group unconditionally from user's UID number.  The GID "
+ "number is ignored in this case."
+ msgstr ""
+ 
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
++#: sssd.conf.5.xml:3009
++msgid ""
++"NOTE: Because the GID number and the user private group are inferred from "
++"the UID number, it is not supported to have multiple entries with the same "
++"UID or GID number with this option. In other words, enabling this option "
++"enforces uniqueness across the ID space."
++msgstr ""
++
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2996
++#: sssd.conf.5.xml:3018
+ msgid "false"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2999
++#: sssd.conf.5.xml:3021
+ msgid ""
+ "Always use the user's primary GID number. The GID number must refer to a "
+ "group object in the LDAP database."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:3005
++#: sssd.conf.5.xml:3027
+ msgid "hybrid"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3008
++#: sssd.conf.5.xml:3030
+ msgid ""
+ "A primary group is autogenerated for user entries whose UID and GID numbers "
+ "have the same value and at the same time the GID number does not correspond "
+@@ -3509,14 +3534,14 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3021
++#: sssd.conf.5.xml:3043
+ msgid ""
+ "If the UID and GID of a user are different, then the GID must correspond to "
+ "a group entry, otherwise the GID is simply not resolvable."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3028
++#: sssd.conf.5.xml:3050
+ msgid ""
+ "This feature is useful for environments that wish to stop maintaining a "
+ "separate group objects for the user private groups, but also wish to retain "
+@@ -3524,34 +3549,43 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2984
++#: sssd.conf.5.xml:2999
+ msgid ""
+ "This option takes any of three available values: <placeholder type="
+ "\"variablelist\" id=\"0\"/>"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3040
++#: sssd.conf.5.xml:3062
+ msgid ""
+-"For POSIX subdomains, setting the option in the main domain is inherited in "
+-"the subdomain."
++"For subdomains, the default value is False for subdomains that use assigned "
++"POSIX IDs and True for subdomains that use automatic ID-mapping."
+ msgstr ""
+ 
+-#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3044
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
++#: sssd.conf.5.xml:3070
++#, no-wrap
++msgid ""
++"[domain/forest.domain/sub.domain]\n"
++"auto_private_groups = false\n"
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
++#: sssd.conf.5.xml:3076
++#, no-wrap
+ msgid ""
+-"For ID-mapping subdomains, auto_private_groups is already enabled for the "
+-"subdomains and setting it to false will not have any effect for the "
+-"subdomain."
++"[domain/forest.domain]\n"
++"subdomain_inherit = auto_private_groups\n"
++"auto_private_groups = false\n"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3049
++#: sssd.conf.5.xml:3067
+ msgid ""
+-"NOTE: Because the GID number and the user private group are inferred from "
+-"the UID number, it is not supported to have multiple entries with the same "
+-"UID or GID number with this option. In other words, enabling this option "
+-"enforces uniqueness across the ID space."
++"The value of auto_private_groups can either be set per subdomains in a "
++"subsection, for example: <placeholder type=\"programlisting\" id=\"0\"/> or "
++"globally for all subdomains in the main domain section using the "
++"subdomain_inherit option: <placeholder type=\"programlisting\" id=\"1\"/>"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+@@ -3563,29 +3597,29 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:3068
++#: sssd.conf.5.xml:3091
+ msgid "proxy_pam_target (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3071
++#: sssd.conf.5.xml:3094
+ msgid "The proxy target PAM proxies to."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3074
++#: sssd.conf.5.xml:3097
+ msgid ""
+ "Default: not set by default, you have to take an existing pam configuration "
+ "or create a new one and add the service name here."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:3082
++#: sssd.conf.5.xml:3105
+ msgid "proxy_lib_name (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3085
++#: sssd.conf.5.xml:3108
+ msgid ""
+ "The name of the NSS library to use in proxy domains. The NSS functions "
+ "searched for in the library are in the form of _nss_$(libName)_$(function), "
+@@ -3593,12 +3627,12 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:3095
++#: sssd.conf.5.xml:3118
+ msgid "proxy_fast_alias (boolean)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3098
++#: sssd.conf.5.xml:3121
+ msgid ""
+ "When a user or group is looked up by name in the proxy provider, a second "
+ "lookup by ID is performed to \"canonicalize\" the name in case the requested "
+@@ -3607,12 +3641,12 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:3112
++#: sssd.conf.5.xml:3135
+ msgid "proxy_max_children (integer)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3115
++#: sssd.conf.5.xml:3138
+ msgid ""
+ "This option specifies the number of pre-forked proxy children. It is useful "
+ "for high-load SSSD environments where sssd may run out of available child "
+@@ -3620,19 +3654,19 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd.conf.5.xml:3064
++#: sssd.conf.5.xml:3087
+ msgid ""
+ "Options valid for proxy domains.  <placeholder type=\"variablelist\" id="
+ "\"0\"/>"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><title>
+-#: sssd.conf.5.xml:3131
++#: sssd.conf.5.xml:3154
+ msgid "Application domains"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para>
+-#: sssd.conf.5.xml:3133
++#: sssd.conf.5.xml:3156
+ msgid ""
+ "SSSD, with its D-Bus interface (see <citerefentry> <refentrytitle>sssd-ifp</"
+ "refentrytitle> <manvolnum>5</manvolnum> </citerefentry>) is appealing to "
+@@ -3649,7 +3683,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para>
+-#: sssd.conf.5.xml:3153
++#: sssd.conf.5.xml:3176
+ msgid ""
+ "Please note that the application domain must still be explicitly enabled in "
+ "the <quote>domains</quote> parameter so that the lookup order between the "
+@@ -3657,17 +3691,17 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><title>
+-#: sssd.conf.5.xml:3159
++#: sssd.conf.5.xml:3182
+ msgid "Application domain parameters"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:3161
++#: sssd.conf.5.xml:3184
+ msgid "inherit_from (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3164
++#: sssd.conf.5.xml:3187
+ msgid ""
+ "The SSSD POSIX-type domain the application domain inherits all settings "
+ "from. The application domain can moreover add its own settings to the "
+@@ -3676,7 +3710,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para>
+-#: sssd.conf.5.xml:3178
++#: sssd.conf.5.xml:3201
+ msgid ""
+ "The following example illustrates the use of an application domain. In this "
+ "setup, the POSIX domain is connected to an LDAP server and is used by the OS "
+@@ -3686,7 +3720,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><programlisting>
+-#: sssd.conf.5.xml:3186
++#: sssd.conf.5.xml:3209
+ #, no-wrap
+ msgid ""
+ "[sssd]\n"
+@@ -3706,12 +3740,12 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><title>
+-#: sssd.conf.5.xml:3204
++#: sssd.conf.5.xml:3227
+ msgid "The local domain section"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para>
+-#: sssd.conf.5.xml:3206
++#: sssd.conf.5.xml:3229
+ msgid ""
+ "This section contains settings for domain that stores users and groups in "
+ "SSSD native database, that is, a domain that uses "
+@@ -3719,73 +3753,73 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:3213
++#: sssd.conf.5.xml:3236
+ msgid "default_shell (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3216
++#: sssd.conf.5.xml:3239
+ msgid "The default shell for users created with SSSD userspace tools."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3220
++#: sssd.conf.5.xml:3243
+ msgid "Default: <filename>/bin/bash</filename>"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:3225
++#: sssd.conf.5.xml:3248
+ msgid "base_directory (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3228
++#: sssd.conf.5.xml:3251
+ msgid ""
+ "The tools append the login name to <replaceable>base_directory</replaceable> "
+ "and use that as the home directory."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3233
++#: sssd.conf.5.xml:3256
+ msgid "Default: <filename>/home</filename>"
+ msgstr "По умолчанию: <filename>/home</filename>"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:3238
++#: sssd.conf.5.xml:3261
+ msgid "create_homedir (bool)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3241
++#: sssd.conf.5.xml:3264
+ msgid ""
+ "Indicate if a home directory should be created by default for new users.  "
+ "Can be overridden on command line."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3245 sssd.conf.5.xml:3257
++#: sssd.conf.5.xml:3268 sssd.conf.5.xml:3280
+ msgid "Default: TRUE"
+ msgstr "По умолчанию: TRUE"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:3250
++#: sssd.conf.5.xml:3273
+ msgid "remove_homedir (bool)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3253
++#: sssd.conf.5.xml:3276
+ msgid ""
+ "Indicate if a home directory should be removed by default for deleted "
+ "users.  Can be overridden on command line."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:3262
++#: sssd.conf.5.xml:3285
+ msgid "homedir_umask (integer)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3265
++#: sssd.conf.5.xml:3288
+ msgid ""
+ "Used by <citerefentry> <refentrytitle>sss_useradd</refentrytitle> "
+ "<manvolnum>8</manvolnum> </citerefentry> to specify the default permissions "
+@@ -3793,17 +3827,17 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3273
++#: sssd.conf.5.xml:3296
+ msgid "Default: 077"
+ msgstr "По умолчанию: 077"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:3278
++#: sssd.conf.5.xml:3301
+ msgid "skel_dir (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3281
++#: sssd.conf.5.xml:3304
+ msgid ""
+ "The skeleton directory, which contains files and directories to be copied in "
+ "the user's home directory, when the home directory is created by "
+@@ -3812,17 +3846,17 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3291
++#: sssd.conf.5.xml:3314
+ msgid "Default: <filename>/etc/skel</filename>"
+ msgstr "По умолчанию: <filename>/etc/skel</filename>"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:3296
++#: sssd.conf.5.xml:3319
+ msgid "mail_dir (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3299
++#: sssd.conf.5.xml:3322
+ msgid ""
+ "The mail spool directory. This is needed to manipulate the mailbox when its "
+ "corresponding user account is modified or deleted.  If not specified, a "
+@@ -3830,17 +3864,17 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3306
++#: sssd.conf.5.xml:3329
+ msgid "Default: <filename>/var/mail</filename>"
+ msgstr "По умолчанию: <filename>/var/mail</filename>"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:3311
++#: sssd.conf.5.xml:3334
+ msgid "userdel_cmd (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3314
++#: sssd.conf.5.xml:3337
+ msgid ""
+ "The command that is run after a user is removed.  The command us passed the "
+ "username of the user being removed as the first and only parameter. The "
+@@ -3848,17 +3882,17 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3320
++#: sssd.conf.5.xml:3343
+ msgid "Default: None, no command is run"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><title>
+-#: sssd.conf.5.xml:3330
++#: sssd.conf.5.xml:3353
+ msgid "TRUSTED DOMAIN SECTION"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd.conf.5.xml:3332
++#: sssd.conf.5.xml:3355
+ msgid ""
+ "Some options used in the domain section can also be used in the trusted "
+ "domain section, that is, in a section called <quote>[domain/"
+@@ -3869,64 +3903,180 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd.conf.5.xml:3339
++#: sssd.conf.5.xml:3362
+ msgid "ldap_search_base,"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd.conf.5.xml:3340
++#: sssd.conf.5.xml:3363
+ msgid "ldap_user_search_base,"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd.conf.5.xml:3341
++#: sssd.conf.5.xml:3364
+ msgid "ldap_group_search_base,"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd.conf.5.xml:3342
++#: sssd.conf.5.xml:3365
+ msgid "ldap_netgroup_search_base,"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd.conf.5.xml:3343
++#: sssd.conf.5.xml:3366
+ msgid "ldap_service_search_base,"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd.conf.5.xml:3344
++#: sssd.conf.5.xml:3367
++msgid "ldap_sasl_mech,"
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para>
++#: sssd.conf.5.xml:3368
+ msgid "ad_server,"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd.conf.5.xml:3345
++#: sssd.conf.5.xml:3369
+ msgid "ad_backup_server,"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd.conf.5.xml:3346
++#: sssd.conf.5.xml:3370
+ msgid "ad_site,"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para>
+-#: sssd.conf.5.xml:3347 sssd-ipa.5.xml:782
++#: sssd.conf.5.xml:3371 sssd-ipa.5.xml:782
+ msgid "use_fully_qualified_names"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd.conf.5.xml:3349
++#: sssd.conf.5.xml:3373
+ msgid ""
+ "For more details about these options see their individual description in the "
+ "manual page."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><title>
+-#: sssd.conf.5.xml:3355 idmap_sss.8.xml:43
++#: sssd.conf.5.xml:3379
++#, fuzzy
++#| msgid "CONFIGURATION OPTIONS"
++msgid "PROMPTING CONFIGURATION SECTION"
++msgstr "ПАРАМЕТРЫ КОНФИГУРАЦИИ"
++
++#. type: Content of: <reference><refentry><refsect1><para>
++#: sssd.conf.5.xml:3381
++msgid ""
++"If a special file (<filename>/var/lib/sss/pubconf/pam_preauth_available</"
++"filename>)  exists SSSD's PAM module pam_sss will ask SSSD to figure out "
++"which authentication methods are available for the user trying to log in.  "
++"Based on the results pam_sss will prompt the user for appropriate "
++"credentials."
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para>
++#: sssd.conf.5.xml:3389
++msgid ""
++"With the growing number of authentication methods and the possibility that "
++"there are multiple ones for a single user the heuristic used by pam_sss to "
++"select the prompting might not be suitable for all use cases. To following "
++"options should provide a better flexibility here."
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
++#: sssd.conf.5.xml:3401
++msgid "[prompting/password]"
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
++#: sssd.conf.5.xml:3404
++#, fuzzy
++#| msgid "password"
++msgid "password_prompt"
++msgstr "пароль"
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
++#: sssd.conf.5.xml:3405
++msgid "to change the string of the password prompt"
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
++#: sssd.conf.5.xml:3403
++msgid ""
++"to configure password prompting, allowed options are: <placeholder type="
++"\"variablelist\" id=\"0\"/>"
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
++#: sssd.conf.5.xml:3413
++msgid "[prompting/2fa]"
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
++#: sssd.conf.5.xml:3417
++msgid "first_prompt"
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
++#: sssd.conf.5.xml:3418
++msgid "to change the string of the prompt for the first factor"
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
++#: sssd.conf.5.xml:3421
++msgid "second_prompt"
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
++#: sssd.conf.5.xml:3422
++msgid "to change the string of the prompt for the second factor"
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
++#: sssd.conf.5.xml:3425
++msgid "single_prompt"
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
++#: sssd.conf.5.xml:3426
++msgid ""
++"boolean value, if True there will be only a single prompt using the value of "
++"first_prompt where it is expected that both factor are entered as a single "
++"string"
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
++#: sssd.conf.5.xml:3415
++msgid ""
++"to configure two-factor authentication prompting, allowed options are: "
++"<placeholder type=\"variablelist\" id=\"0\"/>"
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para>
++#: sssd.conf.5.xml:3396
++msgid ""
++"Each supported authentication method has it's own configuration sub-section "
++"under <quote>[prompting/...]</quote>. Currently there are: <placeholder type="
++"\"variablelist\" id=\"0\"/> <placeholder type=\"variablelist\" id=\"1\"/>"
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para>
++#: sssd.conf.5.xml:3438
++msgid ""
++"It is possible to add a sub-section for specific PAM services like e.g. "
++"<quote>[prompting/password/sshd]</quote> to individual change the prompting "
++"for this service."
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><title>
++#: sssd.conf.5.xml:3445 idmap_sss.8.xml:43
+ msgid "EXAMPLES"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><programlisting>
+-#: sssd.conf.5.xml:3361
++#: sssd.conf.5.xml:3451
+ #, no-wrap
+ msgid ""
+ "[sssd]\n"
+@@ -3956,7 +4106,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd.conf.5.xml:3357
++#: sssd.conf.5.xml:3447
+ msgid ""
+ "1. The following example shows a typical SSSD config. It does not describe "
+ "configuration of the domains themselves - refer to documentation on "
+@@ -3965,7 +4115,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><programlisting>
+-#: sssd.conf.5.xml:3394
++#: sssd.conf.5.xml:3484
+ #, no-wrap
+ msgid ""
+ "[domain/ipa.com/child.ad.com]\n"
+@@ -3973,7 +4123,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd.conf.5.xml:3388
++#: sssd.conf.5.xml:3478
+ msgid ""
+ "2. The following example shows configuration of IPA AD trust where the AD "
+ "forest consists of two domains in a parent-child structure.  Suppose IPA "
+@@ -4874,7 +5024,7 @@ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:797 sssd-ldap.5.xml:1199 sssd-ldap.5.xml:1273
+-#: sssd-ldap.5.xml:1382 sssd-ldap.5.xml:2443 sssd-ipa.5.xml:607
++#: sssd-ldap.5.xml:1382 sssd-ldap.5.xml:2463 sssd-ipa.5.xml:607
+ msgid "Default: cn"
+ msgstr ""
+ 
+@@ -5579,7 +5729,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1511 sssd-ldap.5.xml:2600
++#: sssd-ldap.5.xml:1511 sssd-ldap.5.xml:2620
+ msgid "Default: 900 (15 minutes)"
+ msgstr ""
+ 
+@@ -5682,11 +5832,16 @@ msgstr ""
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:1604
+ msgid ""
+-"You can turn off dereference lookups completely by setting the value to 0."
++"You can turn off dereference lookups completely by setting the value to 0. "
++"Please note that there are some codepaths in SSSD, like the IPA HBAC "
++"provider, that are only implemented using the dereference call, so even with "
++"dereference explicitly disabled, those parts will still use dereference if "
++"the server supports it and advertises the dereference control in the rootDSE "
++"object."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1608
++#: sssd-ldap.5.xml:1615
+ msgid ""
+ "A dereference lookup is a means of fetching all group members in a single "
+ "LDAP call.  Different LDAP servers may implement different dereference "
+@@ -5695,7 +5850,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1616
++#: sssd-ldap.5.xml:1623
+ msgid ""
+ "<emphasis>Note:</emphasis> If any of the search bases specifies a search "
+ "filter, then the dereference lookup performance enhancement will be disabled "
+@@ -5703,26 +5858,26 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1629
++#: sssd-ldap.5.xml:1636
+ msgid "ldap_tls_reqcert (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1632
++#: sssd-ldap.5.xml:1639
+ msgid ""
+ "Specifies what checks to perform on server certificates in a TLS session, if "
+ "any. It can be specified as one of the following values:"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1638
++#: sssd-ldap.5.xml:1645
+ msgid ""
+ "<emphasis>never</emphasis> = The client will not request or check any server "
+ "certificate."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1642
++#: sssd-ldap.5.xml:1649
+ msgid ""
+ "<emphasis>allow</emphasis> = The server certificate is requested. If no "
+ "certificate is provided, the session proceeds normally. If a bad certificate "
+@@ -5730,7 +5885,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1649
++#: sssd-ldap.5.xml:1656
+ msgid ""
+ "<emphasis>try</emphasis> = The server certificate is requested. If no "
+ "certificate is provided, the session proceeds normally. If a bad certificate "
+@@ -5738,7 +5893,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1655
++#: sssd-ldap.5.xml:1662
+ msgid ""
+ "<emphasis>demand</emphasis> = The server certificate is requested. If no "
+ "certificate is provided, or a bad certificate is provided, the session is "
+@@ -5746,41 +5901,41 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1661
++#: sssd-ldap.5.xml:1668
+ msgid "<emphasis>hard</emphasis> = Same as <quote>demand</quote>"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1665
++#: sssd-ldap.5.xml:1672
+ msgid "Default: hard"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1671
++#: sssd-ldap.5.xml:1678
+ msgid "ldap_tls_cacert (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1674
++#: sssd-ldap.5.xml:1681
+ msgid ""
+ "Specifies the file that contains certificates for all of the Certificate "
+ "Authorities that <command>sssd</command> will recognize."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1679 sssd-ldap.5.xml:1697 sssd-ldap.5.xml:1738
++#: sssd-ldap.5.xml:1686 sssd-ldap.5.xml:1704 sssd-ldap.5.xml:1745
+ msgid ""
+ "Default: use OpenLDAP defaults, typically in <filename>/etc/openldap/ldap."
+ "conf</filename>"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1686
++#: sssd-ldap.5.xml:1693
+ msgid "ldap_tls_cacertdir (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1689
++#: sssd-ldap.5.xml:1696
+ msgid ""
+ "Specifies the path of a directory that contains Certificate Authority "
+ "certificates in separate individual files. Typically the file names need to "
+@@ -5789,32 +5944,32 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1704
++#: sssd-ldap.5.xml:1711
+ msgid "ldap_tls_cert (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1707
++#: sssd-ldap.5.xml:1714
+ msgid "Specifies the file that contains the certificate for the client's key."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1717
++#: sssd-ldap.5.xml:1724
+ msgid "ldap_tls_key (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1720
++#: sssd-ldap.5.xml:1727
+ msgid "Specifies the file that contains the client's key."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1729
++#: sssd-ldap.5.xml:1736
+ msgid "ldap_tls_cipher_suite (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1732
++#: sssd-ldap.5.xml:1739
+ msgid ""
+ "Specifies acceptable cipher suites.  Typically this is a colon separated "
+ "list.  See <citerefentry><refentrytitle>ldap.conf</refentrytitle> "
+@@ -5822,24 +5977,24 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1745
++#: sssd-ldap.5.xml:1752
+ msgid "ldap_id_use_start_tls (boolean)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1748
++#: sssd-ldap.5.xml:1755
+ msgid ""
+ "Specifies that the id_provider connection must also use <systemitem class="
+ "\"protocol\">tls</systemitem> to protect the channel."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1758
++#: sssd-ldap.5.xml:1765
+ msgid "ldap_id_mapping (boolean)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1761
++#: sssd-ldap.5.xml:1768
+ msgid ""
+ "Specifies that SSSD should attempt to map user and group IDs from the "
+ "ldap_user_objectsid and ldap_group_objectsid attributes instead of relying "
+@@ -5847,17 +6002,17 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1767
++#: sssd-ldap.5.xml:1774
+ msgid "Currently this feature supports only ActiveDirectory objectSID mapping."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1777
++#: sssd-ldap.5.xml:1784
+ msgid "ldap_min_id, ldap_max_id (integer)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1780
++#: sssd-ldap.5.xml:1787
+ msgid ""
+ "In contrast to the SID based ID mapping which is used if ldap_id_mapping is "
+ "set to true the allowed ID range for ldap_user_uid_number and "
+@@ -5868,29 +6023,40 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1792
++#: sssd-ldap.5.xml:1799
+ msgid "Default: not set (both options are set to 0)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1798
++#: sssd-ldap.5.xml:1805
+ msgid "ldap_sasl_mech (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1801
++#: sssd-ldap.5.xml:1808
+ msgid ""
+-"Specify the SASL mechanism to use.  Currently only GSSAPI is tested and "
+-"supported."
++"Specify the SASL mechanism to use.  Currently only GSSAPI and GSS-SPNEGO are "
++"tested and supported."
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
++#: sssd-ldap.5.xml:1812
++msgid ""
++"If the backend supports sub-domains the value of ldap_sasl_mech is "
++"automatically inherited to the sub-domains. If a different value is needed "
++"for a sub-domain it can be overwritten by setting ldap_sasl_mech for this "
++"sub-domain explicitly.  Please see TRUSTED DOMAIN SECTION in "
++"<citerefentry><refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</"
++"manvolnum></citerefentry> for details."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1811
++#: sssd-ldap.5.xml:1828
+ msgid "ldap_sasl_authid (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
+-#: sssd-ldap.5.xml:1822
++#: sssd-ldap.5.xml:1840
+ #, no-wrap
+ msgid ""
+ "hostname@REALM\n"
+@@ -5903,29 +6069,29 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1814
++#: sssd-ldap.5.xml:1831
+ msgid ""
+-"Specify the SASL authorization id to use.  When GSSAPI is used, this "
+-"represents the Kerberos principal used for authentication to the directory.  "
+-"This option can either contain the full principal (for example host/"
+-"myhost@EXAMPLE.COM) or just the principal name (for example host/myhost). By "
+-"default, the value is not set and the following principals are used: "
+-"<placeholder type=\"programlisting\" id=\"0\"/> If none of them are found, "
+-"the first principal in keytab is returned."
++"Specify the SASL authorization id to use.  When GSSAPI/GSS-SPNEGO are used, "
++"this represents the Kerberos principal used for authentication to the "
++"directory.  This option can either contain the full principal (for example "
++"host/myhost@EXAMPLE.COM) or just the principal name (for example host/"
++"myhost).  By default, the value is not set and the following principals are "
++"used: <placeholder type=\"programlisting\" id=\"0\"/> If none of them are "
++"found, the first principal in keytab is returned."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1833
++#: sssd-ldap.5.xml:1851
+ msgid "Default: host/hostname@REALM"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1839
++#: sssd-ldap.5.xml:1857
+ msgid "ldap_sasl_realm (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1842
++#: sssd-ldap.5.xml:1860
+ msgid ""
+ "Specify the SASL realm to use. When not specified, this option defaults to "
+ "the value of krb5_realm.  If the ldap_sasl_authid contains the realm as "
+@@ -5933,77 +6099,78 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1848
++#: sssd-ldap.5.xml:1866
+ msgid "Default: the value of krb5_realm."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1854
++#: sssd-ldap.5.xml:1872
+ msgid "ldap_sasl_canonicalize (boolean)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1857
++#: sssd-ldap.5.xml:1875
+ msgid ""
+ "If set to true, the LDAP library would perform a reverse lookup to "
+ "canonicalize the host name during a SASL bind."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1862
++#: sssd-ldap.5.xml:1880
+ msgid "Default: false;"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1868
++#: sssd-ldap.5.xml:1886
+ msgid "ldap_krb5_keytab (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1871
+-msgid "Specify the keytab to use when using SASL/GSSAPI."
++#: sssd-ldap.5.xml:1889
++msgid "Specify the keytab to use when using SASL/GSSAPI/GSS-SPNEGO."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1874
++#: sssd-ldap.5.xml:1893
+ msgid "Default: System keytab, normally <filename>/etc/krb5.keytab</filename>"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1880
++#: sssd-ldap.5.xml:1899
+ msgid "ldap_krb5_init_creds (boolean)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1883
++#: sssd-ldap.5.xml:1902
+ msgid ""
+ "Specifies that the id_provider should init Kerberos credentials (TGT).  This "
+ "action is performed only if SASL is used and the mechanism selected is "
+-"GSSAPI."
++"GSSAPI or GSS-SPNEGO."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1895
++#: sssd-ldap.5.xml:1914
+ msgid "ldap_krb5_ticket_lifetime (integer)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1898
+-msgid "Specifies the lifetime in seconds of the TGT if GSSAPI is used."
++#: sssd-ldap.5.xml:1917
++msgid ""
++"Specifies the lifetime in seconds of the TGT if GSSAPI or GSS-SPNEGO is used."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1902 sssd-ad.5.xml:959
++#: sssd-ldap.5.xml:1921 sssd-ad.5.xml:978
+ msgid "Default: 86400 (24 hours)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1908 sssd-krb5.5.xml:74
++#: sssd-ldap.5.xml:1927 sssd-krb5.5.xml:74
+ msgid "krb5_server, krb5_backup_server (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1911
++#: sssd-ldap.5.xml:1930
+ msgid ""
+ "Specifies the comma-separated list of IP addresses or hostnames of the "
+ "Kerberos servers to which SSSD should connect in the order of preference. "
+@@ -6015,7 +6182,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1923 sssd-krb5.5.xml:89
++#: sssd-ldap.5.xml:1942 sssd-krb5.5.xml:89
+ msgid ""
+ "When using service discovery for KDC or kpasswd servers, SSSD first searches "
+ "for DNS entries that specify _udp as the protocol and falls back to _tcp if "
+@@ -6023,7 +6190,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1928 sssd-krb5.5.xml:94
++#: sssd-ldap.5.xml:1947 sssd-krb5.5.xml:94
+ msgid ""
+ "This option was named <quote>krb5_kdcip</quote> in earlier releases of SSSD. "
+ "While the legacy name is recognized for the time being, users are advised to "
+@@ -6031,39 +6198,39 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1937 sssd-ipa.5.xml:428 sssd-krb5.5.xml:103
++#: sssd-ldap.5.xml:1956 sssd-ipa.5.xml:428 sssd-krb5.5.xml:103
+ msgid "krb5_realm (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1940
+-msgid "Specify the Kerberos REALM (for SASL/GSSAPI auth)."
++#: sssd-ldap.5.xml:1959
++msgid "Specify the Kerberos REALM (for SASL/GSSAPI/GSS-SPNEGO auth)."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1943
++#: sssd-ldap.5.xml:1963
+ msgid "Default: System defaults, see <filename>/etc/krb5.conf</filename>"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1949 sssd-krb5.5.xml:462
++#: sssd-ldap.5.xml:1969 sssd-krb5.5.xml:462
+ msgid "krb5_canonicalize (boolean)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1952
++#: sssd-ldap.5.xml:1972
+ msgid ""
+ "Specifies if the host principal should be canonicalized when connecting to "
+ "LDAP server. This feature is available with MIT Kerberos >= 1.7"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1964 sssd-krb5.5.xml:477
++#: sssd-ldap.5.xml:1984 sssd-krb5.5.xml:477
+ msgid "krb5_use_kdcinfo (boolean)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1967 sssd-krb5.5.xml:480
++#: sssd-ldap.5.xml:1987 sssd-krb5.5.xml:480
+ msgid ""
+ "Specifies if the SSSD should instruct the Kerberos libraries what realm and "
+ "which KDCs to use. This option is on by default, if you disable it, you need "
+@@ -6073,7 +6240,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1978 sssd-krb5.5.xml:491
++#: sssd-ldap.5.xml:1998 sssd-krb5.5.xml:491
+ msgid ""
+ "See the <citerefentry> <refentrytitle>sssd_krb5_locator_plugin</"
+ "refentrytitle> <manvolnum>8</manvolnum> </citerefentry> manual page for more "
+@@ -6081,26 +6248,26 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1992
++#: sssd-ldap.5.xml:2012
+ msgid "ldap_pwd_policy (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1995
++#: sssd-ldap.5.xml:2015
+ msgid ""
+ "Select the policy to evaluate the password expiration on the client side. "
+ "The following values are allowed:"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2000
++#: sssd-ldap.5.xml:2020
+ msgid ""
+ "<emphasis>none</emphasis> - No evaluation on the client side. This option "
+ "cannot disable server-side password policies."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2005
++#: sssd-ldap.5.xml:2025
+ msgid ""
+ "<emphasis>shadow</emphasis> - Use <citerefentry><refentrytitle>shadow</"
+ "refentrytitle> <manvolnum>5</manvolnum></citerefentry> style attributes to "
+@@ -6108,7 +6275,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2011
++#: sssd-ldap.5.xml:2031
+ msgid ""
+ "<emphasis>mit_kerberos</emphasis> - Use the attributes used by MIT Kerberos "
+ "to determine if the password has expired. Use chpass_provider=krb5 to update "
+@@ -6116,31 +6283,31 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2020
++#: sssd-ldap.5.xml:2040
+ msgid ""
+ "<emphasis>Note</emphasis>: if a password policy is configured on server "
+ "side, it always takes precedence over policy set with this option."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2028
++#: sssd-ldap.5.xml:2048
+ msgid "ldap_referrals (boolean)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2031
++#: sssd-ldap.5.xml:2051
+ msgid "Specifies whether automatic referral chasing should be enabled."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2035
++#: sssd-ldap.5.xml:2055
+ msgid ""
+ "Please note that sssd only supports referral chasing when it is compiled "
+ "with OpenLDAP version 2.4.13 or higher."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2040
++#: sssd-ldap.5.xml:2060
+ msgid ""
+ "Chasing referrals may incur a performance penalty in environments that use "
+ "them heavily, a notable example is Microsoft Active Directory. If your setup "
+@@ -6149,56 +6316,56 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2054
++#: sssd-ldap.5.xml:2074
+ msgid "ldap_dns_service_name (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2057
++#: sssd-ldap.5.xml:2077
+ msgid "Specifies the service name to use when service discovery is enabled."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2061
++#: sssd-ldap.5.xml:2081
+ msgid "Default: ldap"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2067
++#: sssd-ldap.5.xml:2087
+ msgid "ldap_chpass_dns_service_name (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2070
++#: sssd-ldap.5.xml:2090
+ msgid ""
+ "Specifies the service name to use to find an LDAP server which allows "
+ "password changes when service discovery is enabled."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2075
++#: sssd-ldap.5.xml:2095
+ msgid "Default: not set, i.e. service discovery is disabled"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2081
++#: sssd-ldap.5.xml:2101
+ msgid "ldap_chpass_update_last_change (bool)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2084
++#: sssd-ldap.5.xml:2104
+ msgid ""
+ "Specifies whether to update the ldap_user_shadow_last_change attribute with "
+ "days since the Epoch after a password change operation."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2096
++#: sssd-ldap.5.xml:2116
+ msgid "ldap_access_filter (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2099
++#: sssd-ldap.5.xml:2119
+ msgid ""
+ "If using access_provider = ldap and ldap_access_order = filter (default), "
+ "this option is mandatory. It specifies an LDAP search filter criteria that "
+@@ -6214,12 +6381,12 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2119
++#: sssd-ldap.5.xml:2139
+ msgid "Example:"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><programlisting>
+-#: sssd-ldap.5.xml:2122
++#: sssd-ldap.5.xml:2142
+ #, no-wrap
+ msgid ""
+ "access_provider = ldap\n"
+@@ -6228,14 +6395,14 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2126
++#: sssd-ldap.5.xml:2146
+ msgid ""
+ "This example means that access to this host is restricted to users whose "
+ "employeeType attribute is set to \"admin\"."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2131
++#: sssd-ldap.5.xml:2151
+ msgid ""
+ "Offline caching for this feature is limited to determining whether the "
+ "user's last online login was granted access permission. If they were granted "
+@@ -6244,24 +6411,24 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2139 sssd-ldap.5.xml:2196
++#: sssd-ldap.5.xml:2159 sssd-ldap.5.xml:2216
+ msgid "Default: Empty"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2145
++#: sssd-ldap.5.xml:2165
+ msgid "ldap_account_expire_policy (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2148
++#: sssd-ldap.5.xml:2168
+ msgid ""
+ "With this option a client side evaluation of access control attributes can "
+ "be enabled."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2152
++#: sssd-ldap.5.xml:2172
+ msgid ""
+ "Please note that it is always recommended to use server side access control, "
+ "i.e. the LDAP server should deny the bind request with a suitable error code "
+@@ -6269,19 +6436,19 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2159
++#: sssd-ldap.5.xml:2179
+ msgid "The following values are allowed:"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2162
++#: sssd-ldap.5.xml:2182
+ msgid ""
+ "<emphasis>shadow</emphasis>: use the value of ldap_user_shadow_expire to "
+ "determine if the account is expired."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2167
++#: sssd-ldap.5.xml:2187
+ msgid ""
+ "<emphasis>ad</emphasis>: use the value of the 32bit field "
+ "ldap_user_ad_user_account_control and allow access if the second bit is not "
+@@ -6290,7 +6457,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2174
++#: sssd-ldap.5.xml:2194
+ msgid ""
+ "<emphasis>rhds</emphasis>, <emphasis>ipa</emphasis>, <emphasis>389ds</"
+ "emphasis>: use the value of ldap_ns_account_lock to check if access is "
+@@ -6298,7 +6465,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2180
++#: sssd-ldap.5.xml:2200
+ msgid ""
+ "<emphasis>nds</emphasis>: the values of "
+ "ldap_user_nds_login_allowed_time_map, ldap_user_nds_login_disabled and "
+@@ -6307,7 +6474,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2189
++#: sssd-ldap.5.xml:2209
+ msgid ""
+ "Please note that the ldap_access_order configuration option <emphasis>must</"
+ "emphasis> include <quote>expire</quote> in order for the "
+@@ -6315,22 +6482,22 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2202
++#: sssd-ldap.5.xml:2222
+ msgid "ldap_access_order (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2205
++#: sssd-ldap.5.xml:2225
+ msgid "Comma separated list of access control options.  Allowed values are:"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2209
++#: sssd-ldap.5.xml:2229
+ msgid "<emphasis>filter</emphasis>: use ldap_access_filter"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2212
++#: sssd-ldap.5.xml:2232
+ msgid ""
+ "<emphasis>lockout</emphasis>: use account locking.  If set, this option "
+ "denies access in case that ldap attribute 'pwdAccountLockedTime' is present "
+@@ -6340,14 +6507,14 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2222
++#: sssd-ldap.5.xml:2242
+ msgid ""
+ "<emphasis> Please note that this option is superseded by the <quote>ppolicy</"
+ "quote> option and might be removed in a future release.  </emphasis>"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2229
++#: sssd-ldap.5.xml:2249
+ msgid ""
+ "<emphasis>ppolicy</emphasis>: use account locking.  If set, this option "
+ "denies access in case that ldap attribute 'pwdAccountLockedTime' is present "
+@@ -6360,12 +6527,12 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2246
++#: sssd-ldap.5.xml:2266
+ msgid "<emphasis>expire</emphasis>: use ldap_account_expire_policy"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2250
++#: sssd-ldap.5.xml:2270
+ msgid ""
+ "<emphasis>pwd_expire_policy_reject, pwd_expire_policy_warn, "
+ "pwd_expire_policy_renew: </emphasis> These options are useful if users are "
+@@ -6375,7 +6542,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2260
++#: sssd-ldap.5.xml:2280
+ msgid ""
+ "The difference between these options is the action taken if user password is "
+ "expired: pwd_expire_policy_reject - user is denied to log in, "
+@@ -6385,63 +6552,63 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2268
++#: sssd-ldap.5.xml:2288
+ msgid ""
+ "Note If user password is expired no explicit message is prompted by SSSD."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2272
++#: sssd-ldap.5.xml:2292
+ msgid ""
+ "Please note that 'access_provider = ldap' must be set for this feature to "
+ "work. Also 'ldap_pwd_policy' must be set to an appropriate password policy."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2277
++#: sssd-ldap.5.xml:2297
+ msgid ""
+ "<emphasis>authorized_service</emphasis>: use the authorizedService attribute "
+ "to determine access"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2282
++#: sssd-ldap.5.xml:2302
+ msgid "<emphasis>host</emphasis>: use the host attribute to determine access"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2286
++#: sssd-ldap.5.xml:2306
+ msgid ""
+ "<emphasis>rhost</emphasis>: use the rhost attribute to determine whether "
+ "remote host can access"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2290
++#: sssd-ldap.5.xml:2310
+ msgid ""
+ "Please note, rhost field in pam is set by application, it is better to check "
+ "what the application sends to pam, before enabling this access control option"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2295
++#: sssd-ldap.5.xml:2315
+ msgid "Default: filter"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2298
++#: sssd-ldap.5.xml:2318
+ msgid ""
+ "Please note that it is a configuration error if a value is used more than "
+ "once."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2305
++#: sssd-ldap.5.xml:2325
+ msgid "ldap_pwdlockout_dn (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2308
++#: sssd-ldap.5.xml:2328
+ msgid ""
+ "This option specifies the DN of password policy entry on LDAP server. Please "
+ "note that absence of this option in sssd.conf in case of enabled account "
+@@ -6450,74 +6617,74 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2316
++#: sssd-ldap.5.xml:2336
+ msgid "Example: cn=ppolicy,ou=policies,dc=example,dc=com"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2319
++#: sssd-ldap.5.xml:2339
+ msgid "Default: cn=ppolicy,ou=policies,$ldap_search_base"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2325
++#: sssd-ldap.5.xml:2345
+ msgid "ldap_deref (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2328
++#: sssd-ldap.5.xml:2348
+ msgid ""
+ "Specifies how alias dereferencing is done when performing a search. The "
+ "following options are allowed:"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2333
++#: sssd-ldap.5.xml:2353
+ msgid "<emphasis>never</emphasis>: Aliases are never dereferenced."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2337
++#: sssd-ldap.5.xml:2357
+ msgid ""
+ "<emphasis>searching</emphasis>: Aliases are dereferenced in subordinates of "
+ "the base object, but not in locating the base object of the search."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2342
++#: sssd-ldap.5.xml:2362
+ msgid ""
+ "<emphasis>finding</emphasis>: Aliases are only dereferenced when locating "
+ "the base object of the search."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2347
++#: sssd-ldap.5.xml:2367
+ msgid ""
+ "<emphasis>always</emphasis>: Aliases are dereferenced both in searching and "
+ "in locating the base object of the search."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2352
++#: sssd-ldap.5.xml:2372
+ msgid ""
+ "Default: Empty (this is handled as <emphasis>never</emphasis> by the LDAP "
+ "client libraries)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2360
++#: sssd-ldap.5.xml:2380
+ msgid "ldap_rfc2307_fallback_to_local_users (boolean)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2363
++#: sssd-ldap.5.xml:2383
+ msgid ""
+ "Allows to retain local users as members of an LDAP group for servers that "
+ "use the RFC2307 schema."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2367
++#: sssd-ldap.5.xml:2387
+ msgid ""
+ "In some environments where the RFC2307 schema is used, local users are made "
+ "members of LDAP groups by adding their names to the memberUid attribute.  "
+@@ -6528,7 +6695,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2378
++#: sssd-ldap.5.xml:2398
+ msgid ""
+ "This option falls back to checking if local users are referenced, and caches "
+ "them so that later initgroups() calls will augment the local users with the "
+@@ -6536,24 +6703,24 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2390 sssd-ifp.5.xml:136
++#: sssd-ldap.5.xml:2410 sssd-ifp.5.xml:136
+ msgid "wildcard_limit (integer)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2393
++#: sssd-ldap.5.xml:2413
+ msgid ""
+ "Specifies an upper limit on the number of entries that are downloaded during "
+ "a wildcard lookup."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2397
++#: sssd-ldap.5.xml:2417
+ msgid "At the moment, only the InfoPipe responder supports wildcard lookups."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2401
++#: sssd-ldap.5.xml:2421
+ msgid "Default: 1000 (often the size of one page)"
+ msgstr ""
+ 
+@@ -6568,12 +6735,12 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><title>
+-#: sssd-ldap.5.xml:2411
++#: sssd-ldap.5.xml:2431
+ msgid "SUDO OPTIONS"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd-ldap.5.xml:2413
++#: sssd-ldap.5.xml:2433
+ msgid ""
+ "The detailed instructions for configuration of sudo_provider are in the "
+ "manual page <citerefentry> <refentrytitle>sssd-sudo</refentrytitle> "
+@@ -6581,208 +6748,208 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2424
++#: sssd-ldap.5.xml:2444
+ msgid "ldap_sudorule_object_class (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2427
++#: sssd-ldap.5.xml:2447
+ msgid "The object class of a sudo rule entry in LDAP."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2430
++#: sssd-ldap.5.xml:2450
+ msgid "Default: sudoRole"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2436
++#: sssd-ldap.5.xml:2456
+ msgid "ldap_sudorule_name (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2439
++#: sssd-ldap.5.xml:2459
+ msgid "The LDAP attribute that corresponds to the sudo rule name."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2449
++#: sssd-ldap.5.xml:2469
+ msgid "ldap_sudorule_command (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2452
++#: sssd-ldap.5.xml:2472
+ msgid "The LDAP attribute that corresponds to the command name."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2456
++#: sssd-ldap.5.xml:2476
+ msgid "Default: sudoCommand"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2462
++#: sssd-ldap.5.xml:2482
+ msgid "ldap_sudorule_host (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2465
++#: sssd-ldap.5.xml:2485
+ msgid ""
+ "The LDAP attribute that corresponds to the host name (or host IP address, "
+ "host IP network, or host netgroup)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2470
++#: sssd-ldap.5.xml:2490
+ msgid "Default: sudoHost"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2476
++#: sssd-ldap.5.xml:2496
+ msgid "ldap_sudorule_user (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2479
++#: sssd-ldap.5.xml:2499
+ msgid ""
+ "The LDAP attribute that corresponds to the user name (or UID, group name or "
+ "user's netgroup)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2483
++#: sssd-ldap.5.xml:2503
+ msgid "Default: sudoUser"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2489
++#: sssd-ldap.5.xml:2509
+ msgid "ldap_sudorule_option (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2492
++#: sssd-ldap.5.xml:2512
+ msgid "The LDAP attribute that corresponds to the sudo options."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2496
++#: sssd-ldap.5.xml:2516
+ msgid "Default: sudoOption"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2502
++#: sssd-ldap.5.xml:2522
+ msgid "ldap_sudorule_runasuser (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2505
++#: sssd-ldap.5.xml:2525
+ msgid ""
+ "The LDAP attribute that corresponds to the user name that commands may be "
+ "run as."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2509
++#: sssd-ldap.5.xml:2529
+ msgid "Default: sudoRunAsUser"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2515
++#: sssd-ldap.5.xml:2535
+ msgid "ldap_sudorule_runasgroup (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2518
++#: sssd-ldap.5.xml:2538
+ msgid ""
+ "The LDAP attribute that corresponds to the group name or group GID that "
+ "commands may be run as."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2522
++#: sssd-ldap.5.xml:2542
+ msgid "Default: sudoRunAsGroup"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2528
++#: sssd-ldap.5.xml:2548
+ msgid "ldap_sudorule_notbefore (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2531
++#: sssd-ldap.5.xml:2551
+ msgid ""
+ "The LDAP attribute that corresponds to the start date/time for when the sudo "
+ "rule is valid."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2535
++#: sssd-ldap.5.xml:2555
+ msgid "Default: sudoNotBefore"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2541
++#: sssd-ldap.5.xml:2561
+ msgid "ldap_sudorule_notafter (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2544
++#: sssd-ldap.5.xml:2564
+ msgid ""
+ "The LDAP attribute that corresponds to the expiration date/time, after which "
+ "the sudo rule will no longer be valid."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2549
++#: sssd-ldap.5.xml:2569
+ msgid "Default: sudoNotAfter"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2555
++#: sssd-ldap.5.xml:2575
+ msgid "ldap_sudorule_order (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2558
++#: sssd-ldap.5.xml:2578
+ msgid "The LDAP attribute that corresponds to the ordering index of the rule."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2562
++#: sssd-ldap.5.xml:2582
+ msgid "Default: sudoOrder"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2568
++#: sssd-ldap.5.xml:2588
+ msgid "ldap_sudo_full_refresh_interval (integer)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2571
++#: sssd-ldap.5.xml:2591
+ msgid ""
+ "How many seconds SSSD will wait between executing a full refresh of sudo "
+ "rules (which downloads all rules that are stored on the server)."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2576
++#: sssd-ldap.5.xml:2596
+ msgid ""
+ "The value must be greater than <emphasis>ldap_sudo_smart_refresh_interval </"
+ "emphasis>"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2581
++#: sssd-ldap.5.xml:2601
+ msgid "Default: 21600 (6 hours)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2587
++#: sssd-ldap.5.xml:2607
+ msgid "ldap_sudo_smart_refresh_interval (integer)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2590
++#: sssd-ldap.5.xml:2610
+ msgid ""
+ "How many seconds SSSD has to wait before executing a smart refresh of sudo "
+ "rules (which downloads all rules that have USN higher than the highest USN "
+@@ -6790,101 +6957,101 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2596
++#: sssd-ldap.5.xml:2616
+ msgid ""
+ "If USN attributes are not supported by the server, the modifyTimestamp "
+ "attribute is used instead."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2606
++#: sssd-ldap.5.xml:2626
+ msgid "ldap_sudo_use_host_filter (boolean)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2609
++#: sssd-ldap.5.xml:2629
+ msgid ""
+ "If true, SSSD will download only rules that are applicable to this machine "
+ "(using the IPv4 or IPv6 host/network addresses and hostnames)."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2620
++#: sssd-ldap.5.xml:2640
+ msgid "ldap_sudo_hostnames (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2623
++#: sssd-ldap.5.xml:2643
+ msgid ""
+ "Space separated list of hostnames or fully qualified domain names that "
+ "should be used to filter the rules."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2628
++#: sssd-ldap.5.xml:2648
+ msgid ""
+ "If this option is empty, SSSD will try to discover the hostname and the "
+ "fully qualified domain name automatically."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2633 sssd-ldap.5.xml:2656 sssd-ldap.5.xml:2674
+-#: sssd-ldap.5.xml:2692
++#: sssd-ldap.5.xml:2653 sssd-ldap.5.xml:2676 sssd-ldap.5.xml:2694
++#: sssd-ldap.5.xml:2712
+ msgid ""
+ "If <emphasis>ldap_sudo_use_host_filter</emphasis> is <emphasis>false</"
+ "emphasis> then this option has no effect."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2638 sssd-ldap.5.xml:2661
++#: sssd-ldap.5.xml:2658 sssd-ldap.5.xml:2681
+ msgid "Default: not specified"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2644
++#: sssd-ldap.5.xml:2664
+ msgid "ldap_sudo_ip (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2647
++#: sssd-ldap.5.xml:2667
+ msgid ""
+ "Space separated list of IPv4 or IPv6 host/network addresses that should be "
+ "used to filter the rules."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2652
++#: sssd-ldap.5.xml:2672
+ msgid ""
+ "If this option is empty, SSSD will try to discover the addresses "
+ "automatically."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2667
++#: sssd-ldap.5.xml:2687
+ msgid "ldap_sudo_include_netgroups (boolean)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2670
++#: sssd-ldap.5.xml:2690
+ msgid ""
+ "If true then SSSD will download every rule that contains a netgroup in "
+ "sudoHost attribute."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2685
++#: sssd-ldap.5.xml:2705
+ msgid "ldap_sudo_include_regexp (boolean)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2688
++#: sssd-ldap.5.xml:2708
+ msgid ""
+ "If true then SSSD will download every rule that contains a wildcard in "
+ "sudoHost attribute."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd-ldap.5.xml:2704
++#: sssd-ldap.5.xml:2724
+ msgid ""
+ "This manual page only describes attribute name mapping.  For detailed "
+ "explanation of sudo related attribute semantics, see <citerefentry> "
+@@ -6893,111 +7060,111 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><title>
+-#: sssd-ldap.5.xml:2714
++#: sssd-ldap.5.xml:2734
+ msgid "AUTOFS OPTIONS"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd-ldap.5.xml:2716
++#: sssd-ldap.5.xml:2736
+ msgid ""
+ "Some of the defaults for the parameters below are dependent on the LDAP "
+ "schema."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2722
++#: sssd-ldap.5.xml:2742
+ msgid "ldap_autofs_map_master_name (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2725
++#: sssd-ldap.5.xml:2745
+ msgid "The name of the automount master map in LDAP."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2728
++#: sssd-ldap.5.xml:2748
+ msgid "Default: auto.master"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2735
++#: sssd-ldap.5.xml:2755
+ msgid "ldap_autofs_map_object_class (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2738
++#: sssd-ldap.5.xml:2758
+ msgid "The object class of an automount map entry in LDAP."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2741
++#: sssd-ldap.5.xml:2761
+ msgid "Default: nisMap (rfc2307, autofs_provider=ad), otherwise automountMap"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2749
++#: sssd-ldap.5.xml:2769
+ msgid "ldap_autofs_map_name (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2752
++#: sssd-ldap.5.xml:2772
+ msgid "The name of an automount map entry in LDAP."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2755
++#: sssd-ldap.5.xml:2775
+ msgid ""
+ "Default: nisMapName (rfc2307, autofs_provider=ad), otherwise automountMapName"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2763
++#: sssd-ldap.5.xml:2783
+ msgid "ldap_autofs_entry_object_class (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2766
++#: sssd-ldap.5.xml:2786
+ msgid ""
+ "The object class of an automount entry in LDAP. The entry usually "
+ "corresponds to a mount point."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2771
++#: sssd-ldap.5.xml:2791
+ msgid "Default: nisObject (rfc2307, autofs_provider=ad), otherwise automount"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2779
++#: sssd-ldap.5.xml:2799
+ msgid "ldap_autofs_entry_key (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2782 sssd-ldap.5.xml:2797
++#: sssd-ldap.5.xml:2802 sssd-ldap.5.xml:2817
+ msgid ""
+ "The key of an automount entry in LDAP. The entry usually corresponds to a "
+ "mount point."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2786
++#: sssd-ldap.5.xml:2806
+ msgid "Default: cn (rfc2307, autofs_provider=ad), otherwise automountKey"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2794
++#: sssd-ldap.5.xml:2814
+ msgid "ldap_autofs_entry_value (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2801
++#: sssd-ldap.5.xml:2821
+ msgid ""
+ "Default: nisMapEntry (rfc2307, autofs_provider=ad), otherwise "
+ "automountInformation"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd-ldap.5.xml:2720
++#: sssd-ldap.5.xml:2740
+ msgid ""
+ "<placeholder type=\"variablelist\" id=\"0\"/> <placeholder type="
+ "\"variablelist\" id=\"1\"/> <placeholder type=\"variablelist\" id=\"2\"/> "
+@@ -7006,32 +7173,32 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><title>
+-#: sssd-ldap.5.xml:2812
++#: sssd-ldap.5.xml:2832
+ msgid "ADVANCED OPTIONS"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2819
++#: sssd-ldap.5.xml:2839
+ msgid "ldap_netgroup_search_base (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2824
++#: sssd-ldap.5.xml:2844
+ msgid "ldap_user_search_base (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2829
++#: sssd-ldap.5.xml:2849
+ msgid "ldap_group_search_base (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><note>
+-#: sssd-ldap.5.xml:2834
++#: sssd-ldap.5.xml:2854
+ msgid "<note>"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><note><para>
+-#: sssd-ldap.5.xml:2836
++#: sssd-ldap.5.xml:2856
+ msgid ""
+ "If the option <quote>ldap_use_tokengroups</quote> is enabled, the searches "
+ "against Active Directory will not be restricted and return all groups "
+@@ -7040,22 +7207,22 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist>
+-#: sssd-ldap.5.xml:2843
++#: sssd-ldap.5.xml:2863
+ msgid "</note>"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2845
++#: sssd-ldap.5.xml:2865
+ msgid "ldap_sudo_search_base (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2850
++#: sssd-ldap.5.xml:2870
+ msgid "ldap_autofs_search_base (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd-ldap.5.xml:2814
++#: sssd-ldap.5.xml:2834
+ msgid ""
+ "These options are supported by LDAP domains, but they should be used with "
+ "caution. Please include them in your configuration only if you know what you "
+@@ -7064,14 +7231,14 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><title>
+-#: sssd-ldap.5.xml:2865 sssd-simple.5.xml:131 sssd-ipa.5.xml:828
+-#: sssd-ad.5.xml:1063 sssd-krb5.5.xml:570 sss_rpcidmapd.5.xml:98
++#: sssd-ldap.5.xml:2885 sssd-simple.5.xml:131 sssd-ipa.5.xml:828
++#: sssd-ad.5.xml:1082 sssd-krb5.5.xml:604 sss_rpcidmapd.5.xml:98
+ #: sssd-files.5.xml:103 sssd-session-recording.5.xml:144
+ msgid "EXAMPLE"
+ msgstr "ПРИМЕР"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd-ldap.5.xml:2867
++#: sssd-ldap.5.xml:2887
+ msgid ""
+ "The following example assumes that SSSD is correctly configured and LDAP is "
+ "set to one of the domains in the <replaceable>[domains]</replaceable> "
+@@ -7079,7 +7246,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><programlisting>
+-#: sssd-ldap.5.xml:2873
++#: sssd-ldap.5.xml:2893
+ #, no-wrap
+ msgid ""
+ "[domain/LDAP]\n"
+@@ -7092,27 +7259,27 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <refsect1><refsect2><para>
+-#: sssd-ldap.5.xml:2872 sssd-ldap.5.xml:2890 sssd-simple.5.xml:139
+-#: sssd-ipa.5.xml:836 sssd-ad.5.xml:1071 sssd-sudo.5.xml:56 sssd-krb5.5.xml:579
++#: sssd-ldap.5.xml:2892 sssd-ldap.5.xml:2910 sssd-simple.5.xml:139
++#: sssd-ipa.5.xml:836 sssd-ad.5.xml:1090 sssd-sudo.5.xml:56 sssd-krb5.5.xml:613
+ #: sssd-files.5.xml:110 sssd-session-recording.5.xml:150
+ #: include/ldap_id_mapping.xml:105
+ msgid "<placeholder type=\"programlisting\" id=\"0\"/>"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><title>
+-#: sssd-ldap.5.xml:2884
++#: sssd-ldap.5.xml:2904
+ msgid "LDAP ACCESS FILTER EXAMPLE"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd-ldap.5.xml:2886
++#: sssd-ldap.5.xml:2906
+ msgid ""
+ "The following example assumes that SSSD is correctly configured and to use "
+ "the ldap_access_order=lockout."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><programlisting>
+-#: sssd-ldap.5.xml:2891
++#: sssd-ldap.5.xml:2911
+ #, no-wrap
+ msgid ""
+ "[domain/LDAP]\n"
+@@ -7128,13 +7295,13 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><title>
+-#: sssd-ldap.5.xml:2906 sssd_krb5_locator_plugin.8.xml:83 sssd-simple.5.xml:148
+-#: sssd-ad.5.xml:1086 sssd.8.xml:230 sss_seed.8.xml:163
++#: sssd-ldap.5.xml:2926 sssd_krb5_locator_plugin.8.xml:83 sssd-simple.5.xml:148
++#: sssd-ad.5.xml:1105 sssd.8.xml:230 sss_seed.8.xml:163
+ msgid "NOTES"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd-ldap.5.xml:2908
++#: sssd-ldap.5.xml:2928
+ msgid ""
+ "The descriptions of some of the configuration options in this manual page "
+ "are based on the <citerefentry> <refentrytitle>ldap.conf</refentrytitle> "
+@@ -8608,7 +8775,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ipa.5.xml:128 sssd-ad.5.xml:888
++#: sssd-ipa.5.xml:128 sssd-ad.5.xml:907
+ msgid "dyndns_update (boolean)"
+ msgstr ""
+ 
+@@ -8623,7 +8790,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ipa.5.xml:140 sssd-ad.5.xml:902
++#: sssd-ipa.5.xml:140 sssd-ad.5.xml:921
+ msgid ""
+ "NOTE: On older systems (such as RHEL 5), for this behavior to work reliably, "
+ "the default Kerberos realm must be set properly in /etc/krb5.conf"
+@@ -8638,12 +8805,12 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ipa.5.xml:157 sssd-ad.5.xml:913
++#: sssd-ipa.5.xml:157 sssd-ad.5.xml:932
+ msgid "dyndns_ttl (integer)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ipa.5.xml:160 sssd-ad.5.xml:916
++#: sssd-ipa.5.xml:160 sssd-ad.5.xml:935
+ msgid ""
+ "The TTL to apply to the client DNS record when updating it.  If "
+ "dyndns_update is false this has no effect. This will override the TTL "
+@@ -8664,12 +8831,12 @@ msgid "Default: 1200 (seconds)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ipa.5.xml:177 sssd-ad.5.xml:927
++#: sssd-ipa.5.xml:177 sssd-ad.5.xml:946
+ msgid "dyndns_iface (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ipa.5.xml:180 sssd-ad.5.xml:930
++#: sssd-ipa.5.xml:180 sssd-ad.5.xml:949
+ msgid ""
+ "Optional. Applicable only when dyndns_update is true. Choose the interface "
+ "or a list of interfaces whose IP addresses should be used for dynamic DNS "
+@@ -8693,17 +8860,17 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ipa.5.xml:197 sssd-ad.5.xml:941
++#: sssd-ipa.5.xml:197 sssd-ad.5.xml:960
+ msgid "Example: dyndns_iface = em1, vnet1, vnet2"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ipa.5.xml:203 sssd-ad.5.xml:992
++#: sssd-ipa.5.xml:203 sssd-ad.5.xml:1011
+ msgid "dyndns_auth (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ipa.5.xml:206 sssd-ad.5.xml:995
++#: sssd-ipa.5.xml:206 sssd-ad.5.xml:1014
+ msgid ""
+ "Whether the nsupdate utility should use GSS-TSIG authentication for secure "
+ "updates with the DNS server, insecure updates can be sent by setting this "
+@@ -8711,7 +8878,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ipa.5.xml:212 sssd-ad.5.xml:1001
++#: sssd-ipa.5.xml:212 sssd-ad.5.xml:1020
+ msgid "Default: GSS-TSIG"
+ msgstr ""
+ 
+@@ -8738,7 +8905,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ipa.5.xml:244 sssd-ad.5.xml:947
++#: sssd-ipa.5.xml:244 sssd-ad.5.xml:966
+ msgid "dyndns_refresh_interval (integer)"
+ msgstr ""
+ 
+@@ -8751,12 +8918,12 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ipa.5.xml:260 sssd-ad.5.xml:965
++#: sssd-ipa.5.xml:260 sssd-ad.5.xml:984
+ msgid "dyndns_update_ptr (bool)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ipa.5.xml:263 sssd-ad.5.xml:968
++#: sssd-ipa.5.xml:263 sssd-ad.5.xml:987
+ msgid ""
+ "Whether the PTR record should also be explicitly updated when updating the "
+ "client's DNS records.  Applicable only when dyndns_update is true."
+@@ -8775,50 +8942,50 @@ msgid "Default: False (disabled)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ipa.5.xml:280 sssd-ad.5.xml:979
++#: sssd-ipa.5.xml:280 sssd-ad.5.xml:998
+ msgid "dyndns_force_tcp (bool)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ipa.5.xml:283 sssd-ad.5.xml:982
++#: sssd-ipa.5.xml:283 sssd-ad.5.xml:1001
+ msgid ""
+ "Whether the nsupdate utility should default to using TCP for communicating "
+ "with the DNS server."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ipa.5.xml:287 sssd-ad.5.xml:986
++#: sssd-ipa.5.xml:287 sssd-ad.5.xml:1005
+ msgid "Default: False (let nsupdate choose the protocol)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ipa.5.xml:293 sssd-ad.5.xml:1007
++#: sssd-ipa.5.xml:293 sssd-ad.5.xml:1026
+ msgid "dyndns_server (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ipa.5.xml:296 sssd-ad.5.xml:1010
++#: sssd-ipa.5.xml:296 sssd-ad.5.xml:1029
+ msgid ""
+ "The DNS server to use when performing a DNS update. In most setups, it's "
+ "recommended to leave this option unset."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ipa.5.xml:301 sssd-ad.5.xml:1015
++#: sssd-ipa.5.xml:301 sssd-ad.5.xml:1034
+ msgid ""
+ "Setting this option makes sense for environments where the DNS server is "
+ "different from the identity server."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ipa.5.xml:306 sssd-ad.5.xml:1020
++#: sssd-ipa.5.xml:306 sssd-ad.5.xml:1039
+ msgid ""
+ "Please note that this option will be only used in fallback attempt when "
+ "previous attempt using autodetected settings failed."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ipa.5.xml:311 sssd-ad.5.xml:1025
++#: sssd-ipa.5.xml:311 sssd-ad.5.xml:1044
+ msgid "Default: None (let nsupdate choose the server)"
+ msgstr ""
+ 
+@@ -8929,26 +9096,26 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ipa.5.xml:443 sssd-ad.5.xml:1034
++#: sssd-ipa.5.xml:443 sssd-ad.5.xml:1053
+ msgid "krb5_confd_path (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ipa.5.xml:446 sssd-ad.5.xml:1037
++#: sssd-ipa.5.xml:446 sssd-ad.5.xml:1056
+ msgid ""
+ "Absolute path of a directory where SSSD should place Kerberos configuration "
+ "snippets."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ipa.5.xml:450 sssd-ad.5.xml:1041
++#: sssd-ipa.5.xml:450 sssd-ad.5.xml:1060
+ msgid ""
+ "To disable the creation of the configuration snippets set the parameter to "
+ "'none'."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ipa.5.xml:454 sssd-ad.5.xml:1045
++#: sssd-ipa.5.xml:454 sssd-ad.5.xml:1064
+ msgid ""
+ "Default: not set (krb5.include.d subdirectory of SSSD's pubconf directory)"
+ msgstr ""
+@@ -8967,7 +9134,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ipa.5.xml:471 sssd-ipa.5.xml:501 sssd-ipa.5.xml:517 sssd-ad.5.xml:452
++#: sssd-ipa.5.xml:471 sssd-ipa.5.xml:501 sssd-ipa.5.xml:517 sssd-ad.5.xml:471
+ msgid "Default: 5 (seconds)"
+ msgstr ""
+ 
+@@ -9850,12 +10017,27 @@ msgid "Default: False (seconds)"
+ msgstr "По умолчанию: false"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ad.5.xml:442
++#: sssd-ad.5.xml:441
++msgid "ad_gpo_ignore_unreadable (boolean)"
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
++#: sssd-ad.5.xml:444
++msgid ""
++"Normally when some group policy containers (AD object) of applicable group "
++"policy objects are not readable by SSSD then users are denied access.  This "
++"option allows to ignore group policy containers and with them associated "
++"policies if their attributes in group policy containers are not readable for "
++"SSSD."
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
++#: sssd-ad.5.xml:461
+ msgid "ad_gpo_cache_timeout (integer)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:445
++#: sssd-ad.5.xml:464
+ msgid ""
+ "The amount of time between lookups of GPO policy files against the AD "
+ "server. This will reduce the latency and load on the AD server if there are "
+@@ -9863,12 +10045,12 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ad.5.xml:458
++#: sssd-ad.5.xml:477
+ msgid "ad_gpo_map_interactive (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:461
++#: sssd-ad.5.xml:480
+ msgid ""
+ "A comma-separated list of PAM service names for which GPO-based access "
+ "control is evaluated based on the InteractiveLogonRight and "
+@@ -9876,14 +10058,14 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:467
++#: sssd-ad.5.xml:486
+ msgid ""
+ "Note: Using the Group Policy Management Editor this value is called \"Allow "
+ "log on locally\" and \"Deny log on locally\"."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
+-#: sssd-ad.5.xml:481
++#: sssd-ad.5.xml:500
+ #, no-wrap
+ msgid ""
+ "ad_gpo_map_interactive = +my_pam_service, -login\n"
+@@ -9891,7 +10073,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:472
++#: sssd-ad.5.xml:491
+ msgid ""
+ "It is possible to add another PAM service name to the default set by using "
+ "<quote>+service_name</quote> or to explicitly remove a PAM service name from "
+@@ -9903,42 +10085,42 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd-ad.5.xml:504
++#: sssd-ad.5.xml:523
+ msgid "gdm-fingerprint"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd-ad.5.xml:524
++#: sssd-ad.5.xml:543
+ msgid "lightdm"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd-ad.5.xml:529
++#: sssd-ad.5.xml:548
+ msgid "lxdm"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd-ad.5.xml:534
++#: sssd-ad.5.xml:553
+ msgid "sddm"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd-ad.5.xml:539
++#: sssd-ad.5.xml:558
+ msgid "unity"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd-ad.5.xml:544
++#: sssd-ad.5.xml:563
+ msgid "xdm"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ad.5.xml:553
++#: sssd-ad.5.xml:572
+ msgid "ad_gpo_map_remote_interactive (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:556
++#: sssd-ad.5.xml:575
+ msgid ""
+ "A comma-separated list of PAM service names for which GPO-based access "
+ "control is evaluated based on the RemoteInteractiveLogonRight and "
+@@ -9946,7 +10128,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:562
++#: sssd-ad.5.xml:581
+ msgid ""
+ "Note: Using the Group Policy Management Editor this value is called \"Allow "
+ "log on through Remote Desktop Services\" and \"Deny log on through Remote "
+@@ -9954,7 +10136,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
+-#: sssd-ad.5.xml:577
++#: sssd-ad.5.xml:596
+ #, no-wrap
+ msgid ""
+ "ad_gpo_map_remote_interactive = +my_pam_service, -sshd\n"
+@@ -9962,7 +10144,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:568
++#: sssd-ad.5.xml:587
+ msgid ""
+ "It is possible to add another PAM service name to the default set by using "
+ "<quote>+service_name</quote> or to explicitly remove a PAM service name from "
+@@ -9974,22 +10156,22 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd-ad.5.xml:585
++#: sssd-ad.5.xml:604
+ msgid "sshd"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd-ad.5.xml:590
++#: sssd-ad.5.xml:609
+ msgid "cockpit"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ad.5.xml:599
++#: sssd-ad.5.xml:618
+ msgid "ad_gpo_map_network (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:602
++#: sssd-ad.5.xml:621
+ msgid ""
+ "A comma-separated list of PAM service names for which GPO-based access "
+ "control is evaluated based on the NetworkLogonRight and "
+@@ -9997,7 +10179,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:608
++#: sssd-ad.5.xml:627
+ msgid ""
+ "Note: Using the Group Policy Management Editor this value is called \"Access "
+ "this computer from the network\" and \"Deny access to this computer from the "
+@@ -10005,7 +10187,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
+-#: sssd-ad.5.xml:623
++#: sssd-ad.5.xml:642
+ #, no-wrap
+ msgid ""
+ "ad_gpo_map_network = +my_pam_service, -ftp\n"
+@@ -10013,7 +10195,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:614
++#: sssd-ad.5.xml:633
+ msgid ""
+ "It is possible to add another PAM service name to the default set by using "
+ "<quote>+service_name</quote> or to explicitly remove a PAM service name from "
+@@ -10025,22 +10207,22 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd-ad.5.xml:631
++#: sssd-ad.5.xml:650
+ msgid "ftp"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd-ad.5.xml:636
++#: sssd-ad.5.xml:655
+ msgid "samba"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ad.5.xml:645
++#: sssd-ad.5.xml:664
+ msgid "ad_gpo_map_batch (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:648
++#: sssd-ad.5.xml:667
+ msgid ""
+ "A comma-separated list of PAM service names for which GPO-based access "
+ "control is evaluated based on the BatchLogonRight and DenyBatchLogonRight "
+@@ -10048,14 +10230,14 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:654
++#: sssd-ad.5.xml:673
+ msgid ""
+ "Note: Using the Group Policy Management Editor this value is called \"Allow "
+ "log on as a batch job\" and \"Deny log on as a batch job\"."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
+-#: sssd-ad.5.xml:668
++#: sssd-ad.5.xml:687
+ #, no-wrap
+ msgid ""
+ "ad_gpo_map_batch = +my_pam_service, -crond\n"
+@@ -10063,7 +10245,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:659
++#: sssd-ad.5.xml:678
+ msgid ""
+ "It is possible to add another PAM service name to the default set by using "
+ "<quote>+service_name</quote> or to explicitly remove a PAM service name from "
+@@ -10075,23 +10257,23 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:671
++#: sssd-ad.5.xml:690
+ msgid ""
+ "Note: Cron service name may differ depending on Linux distribution used."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd-ad.5.xml:677
++#: sssd-ad.5.xml:696
+ msgid "crond"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ad.5.xml:686
++#: sssd-ad.5.xml:705
+ msgid "ad_gpo_map_service (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:689
++#: sssd-ad.5.xml:708
+ msgid ""
+ "A comma-separated list of PAM service names for which GPO-based access "
+ "control is evaluated based on the ServiceLogonRight and "
+@@ -10099,14 +10281,14 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:695
++#: sssd-ad.5.xml:714
+ msgid ""
+ "Note: Using the Group Policy Management Editor this value is called \"Allow "
+ "log on as a service\" and \"Deny log on as a service\"."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
+-#: sssd-ad.5.xml:708
++#: sssd-ad.5.xml:727
+ #, no-wrap
+ msgid ""
+ "ad_gpo_map_service = +my_pam_service\n"
+@@ -10114,7 +10296,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:700 sssd-ad.5.xml:775
++#: sssd-ad.5.xml:719 sssd-ad.5.xml:794
+ msgid ""
+ "It is possible to add a PAM service name to the default set by using <quote>"
+ "+service_name</quote>.  Since the default set is empty, it is not possible "
+@@ -10125,19 +10307,19 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ad.5.xml:718
++#: sssd-ad.5.xml:737
+ msgid "ad_gpo_map_permit (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:721
++#: sssd-ad.5.xml:740
+ msgid ""
+ "A comma-separated list of PAM service names for which GPO-based access is "
+ "always granted, regardless of any GPO Logon Rights."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
+-#: sssd-ad.5.xml:735
++#: sssd-ad.5.xml:754
+ #, no-wrap
+ msgid ""
+ "ad_gpo_map_permit = +my_pam_service, -sudo\n"
+@@ -10145,7 +10327,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:726
++#: sssd-ad.5.xml:745
+ msgid ""
+ "It is possible to add another PAM service name to the default set by using "
+ "<quote>+service_name</quote> or to explicitly remove a PAM service name from "
+@@ -10157,29 +10339,29 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd-ad.5.xml:743
++#: sssd-ad.5.xml:762
+ msgid "polkit-1"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd-ad.5.xml:758
++#: sssd-ad.5.xml:777
+ msgid "systemd-user"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ad.5.xml:767
++#: sssd-ad.5.xml:786
+ msgid "ad_gpo_map_deny (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:770
++#: sssd-ad.5.xml:789
+ msgid ""
+ "A comma-separated list of PAM service names for which GPO-based access is "
+ "always denied, regardless of any GPO Logon Rights."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
+-#: sssd-ad.5.xml:783
++#: sssd-ad.5.xml:802
+ #, no-wrap
+ msgid ""
+ "ad_gpo_map_deny = +my_pam_service\n"
+@@ -10187,12 +10369,12 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ad.5.xml:793
++#: sssd-ad.5.xml:812
+ msgid "ad_gpo_default_right (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:796
++#: sssd-ad.5.xml:815
+ msgid ""
+ "This option defines how access control is evaluated for PAM service names "
+ "that are not explicitly listed in one of the ad_gpo_map_* options. This "
+@@ -10205,57 +10387,57 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:809
++#: sssd-ad.5.xml:828
+ msgid "Supported values for this option include:"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd-ad.5.xml:813
++#: sssd-ad.5.xml:832
+ msgid "interactive"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd-ad.5.xml:818
++#: sssd-ad.5.xml:837
+ msgid "remote_interactive"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd-ad.5.xml:823
++#: sssd-ad.5.xml:842
+ msgid "network"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd-ad.5.xml:828
++#: sssd-ad.5.xml:847
+ msgid "batch"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd-ad.5.xml:833
++#: sssd-ad.5.xml:852
+ msgid "service"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd-ad.5.xml:838
++#: sssd-ad.5.xml:857
+ msgid "permit"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd-ad.5.xml:843
++#: sssd-ad.5.xml:862
+ msgid "deny"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:849
++#: sssd-ad.5.xml:868
+ msgid "Default: deny"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ad.5.xml:855
++#: sssd-ad.5.xml:874
+ msgid "ad_maximum_machine_account_password_age (integer)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:858
++#: sssd-ad.5.xml:877
+ msgid ""
+ "SSSD will check once a day if the machine account password is older than the "
+ "given age in days and try to renew it. A value of 0 will disable the renewal "
+@@ -10263,17 +10445,17 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:864
++#: sssd-ad.5.xml:883
+ msgid "Default: 30 days"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ad.5.xml:870
++#: sssd-ad.5.xml:889
+ msgid "ad_machine_account_password_renewal_opts (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:873
++#: sssd-ad.5.xml:892
+ msgid ""
+ "This option should only be used to test the machine account renewal task. "
+ "The option expects 2 integers separated by a colon (':'). The first integer "
+@@ -10283,12 +10465,12 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:882
++#: sssd-ad.5.xml:901
+ msgid "Default: 86400:750 (24h and 15m)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:891
++#: sssd-ad.5.xml:910
+ msgid ""
+ "Optional. This option tells SSSD to automatically update the Active "
+ "Directory DNS server with the IP address of this client. The update is "
+@@ -10299,19 +10481,19 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:921
++#: sssd-ad.5.xml:940
+ msgid "Default: 3600 (seconds)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:937
++#: sssd-ad.5.xml:956
+ msgid ""
+ "Default: Use the IP addresses of the interface which is used for AD LDAP "
+ "connection"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:950
++#: sssd-ad.5.xml:969
+ msgid ""
+ "How often should the back end perform periodic DNS update in addition to the "
+ "automatic update performed when the back end goes online.  This option is "
+@@ -10321,12 +10503,12 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:973 sss_rpcidmapd.5.xml:76
++#: sssd-ad.5.xml:992 sss_rpcidmapd.5.xml:76
+ msgid "Default: True"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd-ad.5.xml:1065
++#: sssd-ad.5.xml:1084
+ msgid ""
+ "The following example assumes that SSSD is correctly configured and example."
+ "com is one of the domains in the <replaceable>[sssd]</replaceable> section. "
+@@ -10334,7 +10516,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><programlisting>
+-#: sssd-ad.5.xml:1072
++#: sssd-ad.5.xml:1091
+ #, no-wrap
+ msgid ""
+ "[domain/EXAMPLE]\n"
+@@ -10349,7 +10531,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><programlisting>
+-#: sssd-ad.5.xml:1092
++#: sssd-ad.5.xml:1111
+ #, no-wrap
+ msgid ""
+ "access_provider = ldap\n"
+@@ -10358,7 +10540,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd-ad.5.xml:1088
++#: sssd-ad.5.xml:1107
+ msgid ""
+ "The AD access control provider checks if the account is expired.  It has the "
+ "same effect as the following configuration of the LDAP provider: "
+@@ -10366,7 +10548,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd-ad.5.xml:1098
++#: sssd-ad.5.xml:1117
+ msgid ""
+ "However, unless the <quote>ad</quote> access control provider is explicitly "
+ "configured, the default access provider is <quote>permit</quote>. Please "
+@@ -10376,7 +10558,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd-ad.5.xml:1106
++#: sssd-ad.5.xml:1125
+ msgid ""
+ "When the autofs provider is set to <quote>ad</quote>, the RFC2307 schema "
+ "attribute mapping (nisMap, nisObject, ...) is used, because these attributes "
+@@ -11834,23 +12016,61 @@ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd-krb5.5.xml:505
+-msgid "krb5_use_enterprise_principal (boolean)"
++msgid "krb5_kdcinfo_lookahead (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-krb5.5.xml:508
+ msgid ""
++"When krb5_use_kdcinfo is set to true, you can limit the amount of servers "
++"handed to <citerefentry> <refentrytitle>sssd_krb5_locator_plugin</"
++"refentrytitle> <manvolnum>8</manvolnum> </citerefentry>.  This might be "
++"helpful when there are too many servers discovered using SRV record."
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
++#: sssd-krb5.5.xml:518
++msgid ""
++"The krb5_kdcinfo_lookahead option contains two numbers seperated by a colon. "
++"The first number represents number of primary servers used and the second "
++"number specifies the number of backup servers."
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
++#: sssd-krb5.5.xml:524
++msgid ""
++"For example <emphasis>10:0</emphasis> means that up to 10 primary servers "
++"will be handed to <citerefentry> <refentrytitle>sssd_krb5_locator_plugin</"
++"refentrytitle> <manvolnum>8</manvolnum> </citerefentry>.  but no backup "
++"servers."
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
++#: sssd-krb5.5.xml:533
++#, fuzzy
++#| msgid "Default: 3"
++msgid "Default: 3:1"
++msgstr "По умолчанию: 3"
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
++#: sssd-krb5.5.xml:539
++msgid "krb5_use_enterprise_principal (boolean)"
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
++#: sssd-krb5.5.xml:542
++msgid ""
+ "Specifies if the user principal should be treated as enterprise principal. "
+ "See section 5 of RFC 6806 for more details about enterprise principals."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-krb5.5.xml:514
++#: sssd-krb5.5.xml:548
+ msgid "Default: false (AD provider: true)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-krb5.5.xml:517
++#: sssd-krb5.5.xml:551
+ msgid ""
+ "The IPA provider will set to option to 'true' if it detects that the server "
+ "is capable of handling enterprise principals and the option is not set "
+@@ -11858,12 +12078,12 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-krb5.5.xml:526
++#: sssd-krb5.5.xml:560
+ msgid "krb5_map_user (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-krb5.5.xml:529
++#: sssd-krb5.5.xml:563
+ msgid ""
+ "The list of mappings is given as a comma-separated list of pairs "
+ "<quote>username:primary</quote> where <quote>username</quote> is a UNIX user "
+@@ -11873,7 +12093,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
+-#: sssd-krb5.5.xml:541
++#: sssd-krb5.5.xml:575
+ #, no-wrap
+ msgid ""
+ "krb5_realm = REALM\n"
+@@ -11881,7 +12101,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-krb5.5.xml:546
++#: sssd-krb5.5.xml:580
+ msgid ""
+ "<quote>joe</quote> and <quote>dick</quote> are UNIX user names and "
+ "<quote>juser</quote> and <quote>richard</quote> are primaries of kerberos "
+@@ -11901,7 +12121,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd-krb5.5.xml:572
++#: sssd-krb5.5.xml:606
+ msgid ""
+ "The following example assumes that SSSD is correctly configured and FOO is "
+ "one of the domains in the <replaceable>[sssd]</replaceable> section. This "
+@@ -11910,7 +12130,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><programlisting>
+-#: sssd-krb5.5.xml:580
++#: sssd-krb5.5.xml:614
+ #, no-wrap
+ msgid ""
+ "[domain/FOO]\n"
+diff --git a/src/man/po/sssd-docs.pot b/src/man/po/sssd-docs.pot
+index f032188f8..299245fb1 100644
+--- a/src/man/po/sssd-docs.pot
++++ b/src/man/po/sssd-docs.pot
+@@ -8,7 +8,7 @@ msgid ""
+ msgstr ""
+ "Project-Id-Version: sssd-docs 1.16.4\n"
+ "Report-Msgid-Bugs-To: sssd-devel@redhat.com\n"
+-"POT-Creation-Date: 2019-03-20 22:06+0100\n"
++"POT-Creation-Date: 2019-10-07 11:33+0200\n"
+ "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
+ "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
+ "Language-Team: LANGUAGE <LL@li.org>\n"
+@@ -254,7 +254,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:133 sssd.conf.5.xml:543 sssd.conf.5.xml:840 sssd.conf.5.xml:1566 sssd.conf.5.xml:1596 sssd-ldap.5.xml:1889 sssd-ldap.5.xml:1986 sssd-ldap.5.xml:2048 sssd-ldap.5.xml:2614 sssd-ldap.5.xml:2679 sssd-ldap.5.xml:2697 sssd-ad.5.xml:227 sssd-ad.5.xml:341 sssd-ad.5.xml:907 sssd-krb5.5.xml:499 sssd-secrets.5.xml:351 sssd-secrets.5.xml:364
++#: sssd.conf.5.xml:133 sssd.conf.5.xml:543 sssd.conf.5.xml:840 sssd.conf.5.xml:1566 sssd.conf.5.xml:1596 sssd-ldap.5.xml:1908 sssd-ldap.5.xml:2006 sssd-ldap.5.xml:2068 sssd-ldap.5.xml:2634 sssd-ldap.5.xml:2699 sssd-ldap.5.xml:2717 sssd-ad.5.xml:227 sssd-ad.5.xml:341 sssd-ad.5.xml:926 sssd-krb5.5.xml:499 sssd-secrets.5.xml:351 sssd-secrets.5.xml:364
+ msgid "Default: true"
+ msgstr ""
+ 
+@@ -271,12 +271,12 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:146 sssd.conf.5.xml:540 sssd.conf.5.xml:722 sssd.conf.5.xml:1499 sssd.conf.5.xml:3106 sssd-ldap.5.xml:746 sssd-ldap.5.xml:1752 sssd-ldap.5.xml:1771 sssd-ldap.5.xml:1958 sssd-ldap.5.xml:2384 sssd-ipa.5.xml:151 sssd-ipa.5.xml:238 sssd-ipa.5.xml:559 sssd-krb5.5.xml:266 sssd-krb5.5.xml:300 sssd-krb5.5.xml:471
++#: sssd.conf.5.xml:146 sssd.conf.5.xml:540 sssd.conf.5.xml:722 sssd.conf.5.xml:1499 sssd.conf.5.xml:3129 sssd-ldap.5.xml:746 sssd-ldap.5.xml:1759 sssd-ldap.5.xml:1778 sssd-ldap.5.xml:1978 sssd-ldap.5.xml:2404 sssd-ipa.5.xml:151 sssd-ipa.5.xml:238 sssd-ipa.5.xml:559 sssd-krb5.5.xml:266 sssd-krb5.5.xml:300 sssd-krb5.5.xml:471
+ msgid "Default: false"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para>
+-#: sssd.conf.5.xml:106 sssd.conf.5.xml:157 sssd-ldap.5.xml:2422 sssd-systemtap.5.xml:82 sssd-systemtap.5.xml:143 sssd-systemtap.5.xml:210 sssd-systemtap.5.xml:248 sssd-systemtap.5.xml:304
++#: sssd.conf.5.xml:106 sssd.conf.5.xml:157 sssd-ldap.5.xml:2442 sssd-systemtap.5.xml:82 sssd-systemtap.5.xml:143 sssd-systemtap.5.xml:210 sssd-systemtap.5.xml:248 sssd-systemtap.5.xml:304
+ msgid "<placeholder type=\"variablelist\" id=\"0\"/>"
+ msgstr ""
+ 
+@@ -299,7 +299,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:169 sssd.conf.5.xml:1377 sssd.conf.5.xml:3122 sssd-ldap.5.xml:1623 include/ldap_id_mapping.xml:264
++#: sssd.conf.5.xml:169 sssd.conf.5.xml:1377 sssd.conf.5.xml:3145 sssd-ldap.5.xml:1630 include/ldap_id_mapping.xml:264
+ msgid "Default: 10"
+ msgstr ""
+ 
+@@ -314,7 +314,7 @@ msgid "The [sssd] section"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><title>
+-#: sssd.conf.5.xml:191 sssd.conf.5.xml:3211
++#: sssd.conf.5.xml:191 sssd.conf.5.xml:3234
+ msgid "Section parameters"
+ msgstr ""
+ 
+@@ -395,7 +395,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:259 sssd.conf.5.xml:2672
++#: sssd.conf.5.xml:259 sssd.conf.5.xml:2680
+ msgid "re_expression (string)"
+ msgstr ""
+ 
+@@ -415,12 +415,12 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:276 sssd.conf.5.xml:2720
++#: sssd.conf.5.xml:276 sssd.conf.5.xml:2728
+ msgid "full_name_format (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:279 sssd.conf.5.xml:2723
++#: sssd.conf.5.xml:279 sssd.conf.5.xml:2731
+ msgid ""
+ "A <citerefentry> <refentrytitle>printf</refentrytitle> "
+ "<manvolnum>3</manvolnum> </citerefentry>-compatible format that describes "
+@@ -429,39 +429,39 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:290 sssd.conf.5.xml:2734
++#: sssd.conf.5.xml:290 sssd.conf.5.xml:2742
+ msgid "%1$s"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:291 sssd.conf.5.xml:2735
++#: sssd.conf.5.xml:291 sssd.conf.5.xml:2743
+ msgid "user name"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:294 sssd.conf.5.xml:2738
++#: sssd.conf.5.xml:294 sssd.conf.5.xml:2746
+ msgid "%2$s"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:297 sssd.conf.5.xml:2741
++#: sssd.conf.5.xml:297 sssd.conf.5.xml:2749
+ msgid "domain name as specified in the SSSD config file."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:303 sssd.conf.5.xml:2747
++#: sssd.conf.5.xml:303 sssd.conf.5.xml:2755
+ msgid "%3$s"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:306 sssd.conf.5.xml:2750
++#: sssd.conf.5.xml:306 sssd.conf.5.xml:2758
+ msgid ""
+ "domain flat name. Mostly usable for Active Directory domains, both directly "
+ "configured or discovered via IPA trusts."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:287 sssd.conf.5.xml:2731
++#: sssd.conf.5.xml:287 sssd.conf.5.xml:2739
+ msgid ""
+ "The following expansions are supported: <placeholder type=\"variablelist\" "
+ "id=\"0\"/>"
+@@ -585,7 +585,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:418 sssd.conf.5.xml:1166 sssd-ldap.5.xml:717 sssd-ldap.5.xml:1357 sssd-ldap.5.xml:1711 sssd-ldap.5.xml:1723 sssd-ldap.5.xml:1805 sssd-ad.5.xml:712 sssd-ad.5.xml:787 sssd.8.xml:126 sssd-krb5.5.xml:410 sssd-krb5.5.xml:556 sssd-secrets.5.xml:339 sssd-secrets.5.xml:377 sssd-secrets.5.xml:390 sssd-secrets.5.xml:404 sssd-secrets.5.xml:415 include/ldap_id_mapping.xml:205 include/ldap_id_mapping.xml:216
++#: sssd.conf.5.xml:418 sssd.conf.5.xml:1166 sssd-ldap.5.xml:717 sssd-ldap.5.xml:1357 sssd-ldap.5.xml:1718 sssd-ldap.5.xml:1730 sssd-ldap.5.xml:1822 sssd-ad.5.xml:731 sssd-ad.5.xml:806 sssd.8.xml:126 sssd-krb5.5.xml:410 sssd-krb5.5.xml:590 sssd-secrets.5.xml:339 sssd-secrets.5.xml:377 sssd-secrets.5.xml:390 sssd-secrets.5.xml:404 sssd-secrets.5.xml:415 include/ldap_id_mapping.xml:205 include/ldap_id_mapping.xml:216
+ msgid "Default: not set"
+ msgstr ""
+ 
+@@ -772,7 +772,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:588 sssd.conf.5.xml:1389 sssd.conf.5.xml:3172 sssd-ad.5.xml:164 sssd-ad.5.xml:302 sssd-ad.5.xml:316
++#: sssd.conf.5.xml:588 sssd.conf.5.xml:1389 sssd.conf.5.xml:3195 sssd-ad.5.xml:164 sssd-ad.5.xml:302 sssd-ad.5.xml:316
+ msgid "Default: Not set"
+ msgstr ""
+ 
+@@ -1089,7 +1089,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <varlistentry><listitem><para>
+-#: sssd.conf.5.xml:859 sssd.conf.5.xml:1299 sssd.conf.5.xml:1318 sssd-krb5.5.xml:539 include/override_homedir.xml:59
++#: sssd.conf.5.xml:859 sssd.conf.5.xml:1299 sssd.conf.5.xml:1318 sssd-krb5.5.xml:573 include/override_homedir.xml:59
+ msgid "example: <placeholder type=\"programlisting\" id=\"0\"/>"
+ msgstr ""
+ 
+@@ -1513,7 +1513,7 @@ msgid "pam_pwd_expiration_warning (integer)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:1201 sssd.conf.5.xml:2153
++#: sssd.conf.5.xml:1201 sssd.conf.5.xml:2161
+ msgid "Display a warning N days before the password expires."
+ msgstr ""
+ 
+@@ -1526,7 +1526,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:1210 sssd.conf.5.xml:2156
++#: sssd.conf.5.xml:1210 sssd.conf.5.xml:2164
+ msgid ""
+ "If zero is set, then this filter is not applied, i.e. if the expiration "
+ "warning was received from backend server, it will automatically be "
+@@ -1541,7 +1541,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:1220 sssd.conf.5.xml:2976 sssd.8.xml:79
++#: sssd.conf.5.xml:1220 sssd.conf.5.xml:2991 sssd.8.xml:79
+ msgid "Default: 0"
+ msgstr ""
+ 
+@@ -1602,7 +1602,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:1280 sssd.conf.5.xml:1305 sssd.conf.5.xml:1324 sssd.conf.5.xml:1950 sssd.conf.5.xml:2912 sssd-ldap.5.xml:2017
++#: sssd.conf.5.xml:1280 sssd.conf.5.xml:1305 sssd.conf.5.xml:1324 sssd.conf.5.xml:1950 sssd.conf.5.xml:2920 sssd-ldap.5.xml:2037
+ msgid "Default: none"
+ msgstr ""
+ 
+@@ -1667,7 +1667,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:1338 sssd.conf.5.xml:3056 sssd-ldap.5.xml:1125 sssd-ldap.5.xml:1152 sssd-ldap.5.xml:1552 sssd-ldap.5.xml:1573 sssd-ldap.5.xml:2090 include/ldap_id_mapping.xml:244
++#: sssd.conf.5.xml:1338 sssd-ldap.5.xml:1125 sssd-ldap.5.xml:1152 sssd-ldap.5.xml:1552 sssd-ldap.5.xml:1573 sssd-ldap.5.xml:2110 sssd-ad.5.xml:453 include/ldap_id_mapping.xml:244
+ msgid "Default: False"
+ msgstr ""
+ 
+@@ -1765,47 +1765,47 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:1416 sssd-ad.5.xml:485 sssd-ad.5.xml:581 sssd-ad.5.xml:627 sssd-ad.5.xml:673 sssd-ad.5.xml:739
++#: sssd.conf.5.xml:1416 sssd-ad.5.xml:504 sssd-ad.5.xml:600 sssd-ad.5.xml:646 sssd-ad.5.xml:692 sssd-ad.5.xml:758
+ msgid "Default: the default set of PAM service names includes:"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd.conf.5.xml:1421 sssd-ad.5.xml:489
++#: sssd.conf.5.xml:1421 sssd-ad.5.xml:508
+ msgid "login"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd.conf.5.xml:1426 sssd-ad.5.xml:494
++#: sssd.conf.5.xml:1426 sssd-ad.5.xml:513
+ msgid "su"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd.conf.5.xml:1431 sssd-ad.5.xml:499
++#: sssd.conf.5.xml:1431 sssd-ad.5.xml:518
+ msgid "su-l"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd.conf.5.xml:1436 sssd-ad.5.xml:514
++#: sssd.conf.5.xml:1436 sssd-ad.5.xml:533
+ msgid "gdm-smartcard"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd.conf.5.xml:1441 sssd-ad.5.xml:509
++#: sssd.conf.5.xml:1441 sssd-ad.5.xml:528
+ msgid "gdm-password"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd.conf.5.xml:1446 sssd-ad.5.xml:519
++#: sssd.conf.5.xml:1446 sssd-ad.5.xml:538
+ msgid "kdm"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd.conf.5.xml:1451 sssd-ad.5.xml:748
++#: sssd.conf.5.xml:1451 sssd-ad.5.xml:767
+ msgid "sudo"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd.conf.5.xml:1456 sssd-ad.5.xml:753
++#: sssd.conf.5.xml:1456 sssd-ad.5.xml:772
+ msgid "sudo-i"
+ msgstr ""
+ 
+@@ -2252,7 +2252,7 @@ msgid "FALSE = No enumerations for this domain"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:1886 sssd.conf.5.xml:2108 sssd.conf.5.xml:2283
++#: sssd.conf.5.xml:1886 sssd.conf.5.xml:2116 sssd.conf.5.xml:2291
+ msgid "Default: FALSE"
+ msgstr ""
+ 
+@@ -2467,41 +2467,48 @@ msgstr ""
+ #: sssd.conf.5.xml:2083
+ msgid ""
+ "The background refresh will process users, groups and netgroups in the "
+-"cache."
++"cache. For users who have performed the initgroups (get group membership for "
++"user, typically ran at login)  operation in the past, both the user entry "
++"and the group membership are updated."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2087
++#: sssd.conf.5.xml:2091
++msgid "This option is automatically inherited for all trusted domains."
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
++#: sssd.conf.5.xml:2095
+ msgid "You can consider setting this value to 3/4 * entry_cache_timeout."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2091 sssd-ldap.5.xml:784 sssd-ipa.5.xml:254
++#: sssd.conf.5.xml:2099 sssd-ldap.5.xml:784 sssd-ipa.5.xml:254
+ msgid "Default: 0 (disabled)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2097
++#: sssd.conf.5.xml:2105
+ msgid "cache_credentials (bool)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2100
++#: sssd.conf.5.xml:2108
+ msgid "Determines if user credentials are also cached in the local LDB cache"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2104
++#: sssd.conf.5.xml:2112
+ msgid "User credentials are stored in a SHA512 hash, not in plaintext"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2114
++#: sssd.conf.5.xml:2122
+ msgid "cache_credentials_minimal_first_factor_length (int)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2117
++#: sssd.conf.5.xml:2125
+ msgid ""
+ "If 2-Factor-Authentication (2FA) is used and credentials should be saved "
+ "this value determines the minimal length the first authentication factor "
+@@ -2509,24 +2516,24 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2124
++#: sssd.conf.5.xml:2132
+ msgid ""
+ "This should avoid that the short PINs of a PIN based 2FA scheme are saved in "
+ "the cache which would make them easy targets for brute-force attacks."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2129
++#: sssd.conf.5.xml:2137
+ msgid "Default: 8"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2135
++#: sssd.conf.5.xml:2143
+ msgid "account_cache_expiration (integer)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2138
++#: sssd.conf.5.xml:2146
+ msgid ""
+ "Number of days entries are left in cache after last successful login before "
+ "being removed during a cleanup of the cache. 0 means keep forever.  The "
+@@ -2535,17 +2542,17 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2145
++#: sssd.conf.5.xml:2153
+ msgid "Default: 0 (unlimited)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2150
++#: sssd.conf.5.xml:2158
+ msgid "pwd_expiration_warning (integer)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2161
++#: sssd.conf.5.xml:2169
+ msgid ""
+ "Please note that the backend server has to provide information about the "
+ "expiration time of the password.  If this information is missing, sssd "
+@@ -2554,34 +2561,34 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2168
++#: sssd.conf.5.xml:2176
+ msgid "Default: 7 (Kerberos), 0 (LDAP)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2174
++#: sssd.conf.5.xml:2182
+ msgid "id_provider (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2177
++#: sssd.conf.5.xml:2185
+ msgid ""
+ "The identification provider used for the domain.  Supported ID providers "
+ "are:"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2181
++#: sssd.conf.5.xml:2189
+ msgid "<quote>proxy</quote>: Support a legacy NSS provider."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2184
++#: sssd.conf.5.xml:2192
+ msgid "<quote>local</quote>: SSSD internal provider for local users (DEPRECATED)."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2188
++#: sssd.conf.5.xml:2196
+ msgid ""
+ "<quote>files</quote>: FILES provider. See <citerefentry> "
+ "<refentrytitle>sssd-files</refentrytitle> <manvolnum>5</manvolnum> "
+@@ -2590,7 +2597,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2196
++#: sssd.conf.5.xml:2204
+ msgid ""
+ "<quote>ldap</quote>: LDAP provider. See <citerefentry> "
+ "<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> "
+@@ -2598,7 +2605,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2204 sssd.conf.5.xml:2309 sssd.conf.5.xml:2364 sssd.conf.5.xml:2427
++#: sssd.conf.5.xml:2212 sssd.conf.5.xml:2317 sssd.conf.5.xml:2372 sssd.conf.5.xml:2435
+ msgid ""
+ "<quote>ipa</quote>: FreeIPA and Red Hat Enterprise Identity Management "
+ "provider. See <citerefentry> <refentrytitle>sssd-ipa</refentrytitle> "
+@@ -2607,7 +2614,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2213 sssd.conf.5.xml:2318 sssd.conf.5.xml:2373 sssd.conf.5.xml:2436
++#: sssd.conf.5.xml:2221 sssd.conf.5.xml:2326 sssd.conf.5.xml:2381 sssd.conf.5.xml:2444
+ msgid ""
+ "<quote>ad</quote>: Active Directory provider. See <citerefentry> "
+ "<refentrytitle>sssd-ad</refentrytitle> <manvolnum>5</manvolnum> "
+@@ -2615,19 +2622,19 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2224
++#: sssd.conf.5.xml:2232
+ msgid "use_fully_qualified_names (bool)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2227
++#: sssd.conf.5.xml:2235
+ msgid ""
+ "Use the full name and domain (as formatted by the domain's full_name_format) "
+ "as the user's login name reported to NSS."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2232
++#: sssd.conf.5.xml:2240
+ msgid ""
+ "If set to TRUE, all requests to this domain must use fully qualified "
+ "names. For example, if used in LOCAL domain that contains a \"test\" user, "
+@@ -2636,7 +2643,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2240
++#: sssd.conf.5.xml:2248
+ msgid ""
+ "NOTE: This option has no effect on netgroup lookups due to their tendency to "
+ "include nested netgroups without qualified names. For netgroups, all domains "
+@@ -2644,22 +2651,22 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2247
++#: sssd.conf.5.xml:2255
+ msgid "Default: FALSE (TRUE if default_domain_suffix is used)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2253
++#: sssd.conf.5.xml:2261
+ msgid "ignore_group_members (bool)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2256
++#: sssd.conf.5.xml:2264
+ msgid "Do not return group members for group lookups."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2259
++#: sssd.conf.5.xml:2267
+ msgid ""
+ "If set to TRUE, the group membership attribute is not requested from the "
+ "ldap server, and group members are not returned when processing group lookup "
+@@ -2671,7 +2678,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2277
++#: sssd.conf.5.xml:2285
+ msgid ""
+ "Enabling this option can also make access provider checks for group "
+ "membership significantly faster, especially for groups containing many "
+@@ -2679,19 +2686,19 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2288
++#: sssd.conf.5.xml:2296
+ msgid "auth_provider (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2291
++#: sssd.conf.5.xml:2299
+ msgid ""
+ "The authentication provider used for the domain.  Supported auth providers "
+ "are:"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2295 sssd.conf.5.xml:2357
++#: sssd.conf.5.xml:2303 sssd.conf.5.xml:2365
+ msgid ""
+ "<quote>ldap</quote> for native LDAP authentication. See <citerefentry> "
+ "<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> "
+@@ -2699,7 +2706,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2302
++#: sssd.conf.5.xml:2310
+ msgid ""
+ "<quote>krb5</quote> for Kerberos authentication. See <citerefentry> "
+ "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> "
+@@ -2707,34 +2714,34 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2326
++#: sssd.conf.5.xml:2334
+ msgid "<quote>proxy</quote> for relaying authentication to some other PAM target."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2329
++#: sssd.conf.5.xml:2337
+ msgid "<quote>local</quote>: SSSD internal provider for local users"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2333
++#: sssd.conf.5.xml:2341
+ msgid "<quote>none</quote> disables authentication explicitly."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2336
++#: sssd.conf.5.xml:2344
+ msgid ""
+ "Default: <quote>id_provider</quote> is used if it is set and can handle "
+ "authentication requests."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2342
++#: sssd.conf.5.xml:2350
+ msgid "access_provider (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2345
++#: sssd.conf.5.xml:2353
+ msgid ""
+ "The access control provider used for the domain.  There are two built-in "
+ "access providers (in addition to any included in installed backends)  "
+@@ -2742,19 +2749,19 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2351
++#: sssd.conf.5.xml:2359
+ msgid ""
+ "<quote>permit</quote> always allow access. It's the only permitted access "
+ "provider for a local domain."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2354
++#: sssd.conf.5.xml:2362
+ msgid "<quote>deny</quote> always deny access."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2381
++#: sssd.conf.5.xml:2389
+ msgid ""
+ "<quote>simple</quote> access control based on access or deny lists. See "
+ "<citerefentry> <refentrytitle>sssd-simple</refentrytitle> "
+@@ -2763,7 +2770,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2388
++#: sssd.conf.5.xml:2396
+ msgid ""
+ "<quote>krb5</quote>: .k5login based access control.  See <citerefentry> "
+ "<refentrytitle>sssd-krb5</refentrytitle> "
+@@ -2772,29 +2779,29 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2395
++#: sssd.conf.5.xml:2403
+ msgid "<quote>proxy</quote> for relaying access control to another PAM module."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2398
++#: sssd.conf.5.xml:2406
+ msgid "Default: <quote>permit</quote>"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2403
++#: sssd.conf.5.xml:2411
+ msgid "chpass_provider (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2406
++#: sssd.conf.5.xml:2414
+ msgid ""
+ "The provider which should handle change password operations for the domain.  "
+ "Supported change password providers are:"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2411
++#: sssd.conf.5.xml:2419
+ msgid ""
+ "<quote>ldap</quote> to change a password stored in a LDAP server. See "
+ "<citerefentry> <refentrytitle>sssd-ldap</refentrytitle> "
+@@ -2803,7 +2810,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2419
++#: sssd.conf.5.xml:2427
+ msgid ""
+ "<quote>krb5</quote> to change the Kerberos password. See <citerefentry> "
+ "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> "
+@@ -2811,34 +2818,34 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2444
++#: sssd.conf.5.xml:2452
+ msgid "<quote>proxy</quote> for relaying password changes to some other PAM target."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2448
++#: sssd.conf.5.xml:2456
+ msgid "<quote>none</quote> disallows password changes explicitly."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2451
++#: sssd.conf.5.xml:2459
+ msgid ""
+ "Default: <quote>auth_provider</quote> is used if it is set and can handle "
+ "change password requests."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2458
++#: sssd.conf.5.xml:2466
+ msgid "sudo_provider (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2461
++#: sssd.conf.5.xml:2469
+ msgid "The SUDO provider used for the domain.  Supported SUDO providers are:"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2465
++#: sssd.conf.5.xml:2473
+ msgid ""
+ "<quote>ldap</quote> for rules stored in LDAP. See <citerefentry> "
+ "<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> "
+@@ -2846,31 +2853,31 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2473
++#: sssd.conf.5.xml:2481
+ msgid ""
+ "<quote>ipa</quote> the same as <quote>ldap</quote> but with IPA default "
+ "settings."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2477
++#: sssd.conf.5.xml:2485
+ msgid ""
+ "<quote>ad</quote> the same as <quote>ldap</quote> but with AD default "
+ "settings."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2481
++#: sssd.conf.5.xml:2489
+ msgid "<quote>none</quote> disables SUDO explicitly."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2484 sssd.conf.5.xml:2570 sssd.conf.5.xml:2640 sssd.conf.5.xml:2665
++#: sssd.conf.5.xml:2492 sssd.conf.5.xml:2578 sssd.conf.5.xml:2648 sssd.conf.5.xml:2673
+ msgid "Default: The value of <quote>id_provider</quote> is used if it is set."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2488
++#: sssd.conf.5.xml:2496
+ msgid ""
+ "The detailed instructions for configuration of sudo_provider are in the "
+ "manual page <citerefentry> <refentrytitle>sssd-sudo</refentrytitle> "
+@@ -2881,7 +2888,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2503
++#: sssd.conf.5.xml:2511
+ msgid ""
+ "<emphasis>NOTE:</emphasis> Sudo rules are periodically downloaded in the "
+ "background unless the sudo provider is explicitly disabled. Set "
+@@ -2890,12 +2897,12 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2513
++#: sssd.conf.5.xml:2521
+ msgid "selinux_provider (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2516
++#: sssd.conf.5.xml:2524
+ msgid ""
+ "The provider which should handle loading of selinux settings. Note that this "
+ "provider will be called right after access provider ends.  Supported selinux "
+@@ -2903,7 +2910,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2522
++#: sssd.conf.5.xml:2530
+ msgid ""
+ "<quote>ipa</quote> to load selinux settings from an IPA server. See "
+ "<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> "
+@@ -2912,31 +2919,31 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2530
++#: sssd.conf.5.xml:2538
+ msgid "<quote>none</quote> disallows fetching selinux settings explicitly."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2533
++#: sssd.conf.5.xml:2541
+ msgid ""
+ "Default: <quote>id_provider</quote> is used if it is set and can handle "
+ "selinux loading requests."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2539
++#: sssd.conf.5.xml:2547
+ msgid "subdomains_provider (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2542
++#: sssd.conf.5.xml:2550
+ msgid ""
+ "The provider which should handle fetching of subdomains. This value should "
+ "be always the same as id_provider.  Supported subdomain providers are:"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2548
++#: sssd.conf.5.xml:2556
+ msgid ""
+ "<quote>ipa</quote> to load a list of subdomains from an IPA server. See "
+ "<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> "
+@@ -2945,7 +2952,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2557
++#: sssd.conf.5.xml:2565
+ msgid ""
+ "<quote>ad</quote> to load a list of subdomains from an Active Directory "
+ "server. See <citerefentry> <refentrytitle>sssd-ad</refentrytitle> "
+@@ -2954,17 +2961,17 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2566
++#: sssd.conf.5.xml:2574
+ msgid "<quote>none</quote> disallows fetching subdomains explicitly."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2576
++#: sssd.conf.5.xml:2584
+ msgid "session_provider (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2579
++#: sssd.conf.5.xml:2587
+ msgid ""
+ "The provider which configures and manages user session related tasks. The "
+ "only user session task currently provided is the integration with Fleet "
+@@ -2972,41 +2979,41 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2586
++#: sssd.conf.5.xml:2594
+ msgid "<quote>ipa</quote> to allow performing user session related tasks."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2590
++#: sssd.conf.5.xml:2598
+ msgid "<quote>none</quote> does not perform any kind of user session related tasks."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2594
++#: sssd.conf.5.xml:2602
+ msgid ""
+ "Default: <quote>id_provider</quote> is used if it is set and can perform "
+ "session related tasks."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2598
++#: sssd.conf.5.xml:2606
+ msgid ""
+ "<emphasis>NOTE:</emphasis> In order to have this feature working as expected "
+ "SSSD must be running as \"root\" and not as the unprivileged user."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2606
++#: sssd.conf.5.xml:2614
+ msgid "autofs_provider (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2609
++#: sssd.conf.5.xml:2617
+ msgid "The autofs provider used for the domain.  Supported autofs providers are:"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2613
++#: sssd.conf.5.xml:2621
+ msgid ""
+ "<quote>ldap</quote> to load maps stored in LDAP. See <citerefentry> "
+ "<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> "
+@@ -3014,7 +3021,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2620
++#: sssd.conf.5.xml:2628
+ msgid ""
+ "<quote>ipa</quote> to load maps stored in an IPA server. See <citerefentry> "
+ "<refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</manvolnum> "
+@@ -3022,7 +3029,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2628
++#: sssd.conf.5.xml:2636
+ msgid ""
+ "<quote>ad</quote> to load maps stored in an AD server. See <citerefentry> "
+ "<refentrytitle>sssd-ad</refentrytitle> <manvolnum>5</manvolnum> "
+@@ -3030,24 +3037,24 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2637
++#: sssd.conf.5.xml:2645
+ msgid "<quote>none</quote> disables autofs explicitly."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2647
++#: sssd.conf.5.xml:2655
+ msgid "hostid_provider (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2650
++#: sssd.conf.5.xml:2658
+ msgid ""
+ "The provider used for retrieving host identity information.  Supported "
+ "hostid providers are:"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2654
++#: sssd.conf.5.xml:2662
+ msgid ""
+ "<quote>ipa</quote> to load host identity stored in an IPA server. See "
+ "<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> "
+@@ -3056,12 +3063,12 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2662
++#: sssd.conf.5.xml:2670
+ msgid "<quote>none</quote> disables hostid explicitly."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2675
++#: sssd.conf.5.xml:2683
+ msgid ""
+ "Regular expression for this domain that describes how to parse the string "
+ "containing user name and domain into these components.  The \"domain\" can "
+@@ -3071,7 +3078,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2684
++#: sssd.conf.5.xml:2692
+ msgid ""
+ "Default for the AD and IPA provider: "
+ "<quote>(((?P&lt;domain&gt;[^\\\\]+)\\\\(?P&lt;name&gt;.+$))|((?P&lt;name&gt;[^@]+)@(?P&lt;domain&gt;.+$))|(^(?P&lt;name&gt;[^@\\\\]+)$))</quote> "
+@@ -3079,29 +3086,29 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd.conf.5.xml:2689
++#: sssd.conf.5.xml:2697
+ msgid "username"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd.conf.5.xml:2692
++#: sssd.conf.5.xml:2700
+ msgid "username@domain.name"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd.conf.5.xml:2695
++#: sssd.conf.5.xml:2703
+ msgid "domain\\username"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2698
++#: sssd.conf.5.xml:2706
+ msgid ""
+ "While the first two correspond to the general default the third one is "
+ "introduced to allow easy integration of users from Windows domains."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2703
++#: sssd.conf.5.xml:2711
+ msgid ""
+ "Default: <quote>(?P&lt;name&gt;[^@]+)@?(?P&lt;domain&gt;[^@]*$)</quote> "
+ "which translates to \"the name is everything up to the <quote>@</quote> "
+@@ -3109,7 +3116,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2709
++#: sssd.conf.5.xml:2717
+ msgid ""
+ "NOTE: Some Active Directory groups, typically those used for MS Exchange "
+ "contain an <quote>@</quote> sign in the name, which clashes with the default "
+@@ -3119,59 +3126,59 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2760
++#: sssd.conf.5.xml:2768
+ msgid "Default: <quote>%1$s@%2$s</quote>."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2766
++#: sssd.conf.5.xml:2774
+ msgid "lookup_family_order (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2769
++#: sssd.conf.5.xml:2777
+ msgid ""
+ "Provides the ability to select preferred address family to use when "
+ "performing DNS lookups."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2773
++#: sssd.conf.5.xml:2781
+ msgid "Supported values:"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2776
++#: sssd.conf.5.xml:2784
+ msgid "ipv4_first: Try looking up IPv4 address, if that fails, try IPv6"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2779
++#: sssd.conf.5.xml:2787
+ msgid "ipv4_only: Only attempt to resolve hostnames to IPv4 addresses."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2782
++#: sssd.conf.5.xml:2790
+ msgid "ipv6_first: Try looking up IPv6 address, if that fails, try IPv4"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2785
++#: sssd.conf.5.xml:2793
+ msgid "ipv6_only: Only attempt to resolve hostnames to IPv6 addresses."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2788
++#: sssd.conf.5.xml:2796
+ msgid "Default: ipv4_first"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2794
++#: sssd.conf.5.xml:2802
+ msgid "dns_resolver_timeout (integer)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2797
++#: sssd.conf.5.xml:2805
+ msgid ""
+ "Defines the amount of time (in seconds) to wait for a reply from the "
+ "internal fail over service before assuming that the service is "
+@@ -3180,76 +3187,76 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2804
++#: sssd.conf.5.xml:2812
+ msgid ""
+ "Please see the section <quote>FAILOVER</quote> for more information about "
+ "the service resolution."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2809 sssd-ldap.5.xml:1434 sssd-ldap.5.xml:1476 sssd-ldap.5.xml:1494 sssd-krb5.5.xml:248
++#: sssd.conf.5.xml:2817 sssd-ldap.5.xml:1434 sssd-ldap.5.xml:1476 sssd-ldap.5.xml:1494 sssd-krb5.5.xml:248
+ msgid "Default: 6"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2815
++#: sssd.conf.5.xml:2823
+ msgid "dns_discovery_domain (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2818
++#: sssd.conf.5.xml:2826
+ msgid ""
+ "If service discovery is used in the back end, specifies the domain part of "
+ "the service discovery DNS query."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2822
++#: sssd.conf.5.xml:2830
+ msgid "Default: Use the domain part of machine's hostname"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2828
++#: sssd.conf.5.xml:2836
+ msgid "override_gid (integer)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2831
++#: sssd.conf.5.xml:2839
+ msgid "Override the primary GID value with the one specified."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2837
++#: sssd.conf.5.xml:2845
+ msgid "case_sensitive (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2845
++#: sssd.conf.5.xml:2853
+ msgid "True"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2848
++#: sssd.conf.5.xml:2856
+ msgid "Case sensitive. This value is invalid for AD provider."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2854
++#: sssd.conf.5.xml:2862
+ msgid "False"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2856
++#: sssd.conf.5.xml:2864
+ msgid "Case insensitive."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2860
++#: sssd.conf.5.xml:2868
+ msgid "Preserving"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2863
++#: sssd.conf.5.xml:2871
+ msgid ""
+ "Same as False (case insensitive), but does not lowercase names in the result "
+ "of NSS operations. Note that name aliases (and in case of services also "
+@@ -3257,7 +3264,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2840
++#: sssd.conf.5.xml:2848
+ msgid ""
+ "Treat user and group names as case sensitive. At the moment, this option is "
+ "not supported in the local provider. Possible option values are: "
+@@ -3265,17 +3272,17 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2875
++#: sssd.conf.5.xml:2883
+ msgid "Default: True (False for AD provider)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2881
++#: sssd.conf.5.xml:2889
+ msgid "subdomain_inherit (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2884
++#: sssd.conf.5.xml:2892
+ msgid ""
+ "Specifies a list of configuration parameters that should be inherited by a "
+ "subdomain. Please note that only selected parameters can be inherited.  "
+@@ -3283,34 +3290,34 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2890
++#: sssd.conf.5.xml:2898
+ msgid "ignore_group_members"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2893
++#: sssd.conf.5.xml:2901
+ msgid "ldap_purge_cache_timeout"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2896 sssd-ldap.5.xml:1158
++#: sssd.conf.5.xml:2904 sssd-ldap.5.xml:1158
+ msgid "ldap_use_tokengroups"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2899
++#: sssd.conf.5.xml:2907
+ msgid "ldap_user_principal"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2902
++#: sssd.conf.5.xml:2910
+ msgid ""
+ "ldap_krb5_keytab (the value of krb5_keytab will be used if ldap_krb5_keytab "
+ "is not set explicitly)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
+-#: sssd.conf.5.xml:2908
++#: sssd.conf.5.xml:2916
+ #, no-wrap
+ msgid ""
+ "subdomain_inherit = ldap_purge_cache_timeout\n"
+@@ -3318,32 +3325,32 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2906 sssd-secrets.5.xml:448
++#: sssd.conf.5.xml:2914 sssd-secrets.5.xml:448
+ msgid "Example: <placeholder type=\"programlisting\" id=\"0\"/>"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2915
++#: sssd.conf.5.xml:2923
+ msgid "Note: This option only works with the IPA and AD provider."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2922
++#: sssd.conf.5.xml:2930
+ msgid "subdomain_homedir (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2933
++#: sssd.conf.5.xml:2941
+ msgid "%F"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2934
++#: sssd.conf.5.xml:2942
+ msgid "flat (NetBIOS) name of a subdomain."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2925
++#: sssd.conf.5.xml:2933
+ msgid ""
+ "Use this homedir as default value for all subdomains within this domain in "
+ "IPA AD trust.  See <emphasis>override_homedir</emphasis> for info about "
+@@ -3353,45 +3360,53 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2939
++#: sssd.conf.5.xml:2947
+ msgid "The value can be overridden by <emphasis>override_homedir</emphasis> option."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2943
++#: sssd.conf.5.xml:2951
+ msgid "Default: <filename>/home/%d/%u</filename>"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2948
++#: sssd.conf.5.xml:2956
+ msgid "realmd_tags (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2951
++#: sssd.conf.5.xml:2959
+ msgid "Various tags stored by the realmd configuration service for this domain."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2957
++#: sssd.conf.5.xml:2965
+ msgid "cached_auth_timeout (int)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2960
++#: sssd.conf.5.xml:2968
+ msgid ""
+ "Specifies time in seconds since last successful online authentication for "
+ "which user will be authenticated using cached credentials while SSSD is in "
+-"the online mode."
++"the online mode. If the credentials are incorrect, SSSD falls back to online "
++"authentication."
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
++#: sssd.conf.5.xml:2976
++msgid ""
++"This option's value is inherited by all trusted domains. At the moment it is "
++"not possible to set a different value per trusted domain."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2966
++#: sssd.conf.5.xml:2981
+ msgid "Special value 0 implies that this feature is disabled."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2970
++#: sssd.conf.5.xml:2985
+ msgid ""
+ "Please note that if <quote>cached_auth_timeout</quote> is longer than "
+ "<quote>pam_id_timeout</quote> then the back end could be called to handle "
+@@ -3399,41 +3414,50 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2981
++#: sssd.conf.5.xml:2996
+ msgid "auto_private_groups (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2987
++#: sssd.conf.5.xml:3002
+ msgid "true"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2990
++#: sssd.conf.5.xml:3005
+ msgid ""
+ "Create user's private group unconditionally from user's UID number.  The GID "
+ "number is ignored in this case."
+ msgstr ""
+ 
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
++#: sssd.conf.5.xml:3009
++msgid ""
++"NOTE: Because the GID number and the user private group are inferred from "
++"the UID number, it is not supported to have multiple entries with the same "
++"UID or GID number with this option. In other words, enabling this option "
++"enforces uniqueness across the ID space."
++msgstr ""
++
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2996
++#: sssd.conf.5.xml:3018
+ msgid "false"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2999
++#: sssd.conf.5.xml:3021
+ msgid ""
+ "Always use the user's primary GID number. The GID number must refer to a "
+ "group object in the LDAP database."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:3005
++#: sssd.conf.5.xml:3027
+ msgid "hybrid"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3008
++#: sssd.conf.5.xml:3030
+ msgid ""
+ "A primary group is autogenerated for user entries whose UID and GID numbers "
+ "have the same value and at the same time the GID number does not correspond "
+@@ -3443,14 +3467,14 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3021
++#: sssd.conf.5.xml:3043
+ msgid ""
+ "If the UID and GID of a user are different, then the GID must correspond to "
+ "a group entry, otherwise the GID is simply not resolvable."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3028
++#: sssd.conf.5.xml:3050
+ msgid ""
+ "This feature is useful for environments that wish to stop maintaining a "
+ "separate group objects for the user private groups, but also wish to retain "
+@@ -3458,34 +3482,43 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2984
++#: sssd.conf.5.xml:2999
+ msgid ""
+ "This option takes any of three available values: <placeholder "
+ "type=\"variablelist\" id=\"0\"/>"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3040
++#: sssd.conf.5.xml:3062
+ msgid ""
+-"For POSIX subdomains, setting the option in the main domain is inherited in "
+-"the subdomain."
++"For subdomains, the default value is False for subdomains that use assigned "
++"POSIX IDs and True for subdomains that use automatic ID-mapping."
+ msgstr ""
+ 
+-#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3044
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
++#: sssd.conf.5.xml:3070
++#, no-wrap
+ msgid ""
+-"For ID-mapping subdomains, auto_private_groups is already enabled for the "
+-"subdomains and setting it to false will not have any effect for the "
+-"subdomain."
++"[domain/forest.domain/sub.domain]\n"
++"auto_private_groups = false\n"
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
++#: sssd.conf.5.xml:3076
++#, no-wrap
++msgid ""
++"[domain/forest.domain]\n"
++"subdomain_inherit = auto_private_groups\n"
++"auto_private_groups = false\n"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3049
++#: sssd.conf.5.xml:3067
+ msgid ""
+-"NOTE: Because the GID number and the user private group are inferred from "
+-"the UID number, it is not supported to have multiple entries with the same "
+-"UID or GID number with this option. In other words, enabling this option "
+-"enforces uniqueness across the ID space."
++"The value of auto_private_groups can either be set per subdomains in a "
++"subsection, for example: <placeholder type=\"programlisting\" id=\"0\"/> or "
++"globally for all subdomains in the main domain section using the "
++"subdomain_inherit option: <placeholder type=\"programlisting\" id=\"1\"/>"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+@@ -3498,29 +3531,29 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:3068
++#: sssd.conf.5.xml:3091
+ msgid "proxy_pam_target (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3071
++#: sssd.conf.5.xml:3094
+ msgid "The proxy target PAM proxies to."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3074
++#: sssd.conf.5.xml:3097
+ msgid ""
+ "Default: not set by default, you have to take an existing pam configuration "
+ "or create a new one and add the service name here."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:3082
++#: sssd.conf.5.xml:3105
+ msgid "proxy_lib_name (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3085
++#: sssd.conf.5.xml:3108
+ msgid ""
+ "The name of the NSS library to use in proxy domains. The NSS functions "
+ "searched for in the library are in the form of _nss_$(libName)_$(function), "
+@@ -3528,12 +3561,12 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:3095
++#: sssd.conf.5.xml:3118
+ msgid "proxy_fast_alias (boolean)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3098
++#: sssd.conf.5.xml:3121
+ msgid ""
+ "When a user or group is looked up by name in the proxy provider, a second "
+ "lookup by ID is performed to \"canonicalize\" the name in case the requested "
+@@ -3542,12 +3575,12 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:3112
++#: sssd.conf.5.xml:3135
+ msgid "proxy_max_children (integer)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3115
++#: sssd.conf.5.xml:3138
+ msgid ""
+ "This option specifies the number of pre-forked proxy children. It is useful "
+ "for high-load SSSD environments where sssd may run out of available child "
+@@ -3555,19 +3588,19 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd.conf.5.xml:3064
++#: sssd.conf.5.xml:3087
+ msgid ""
+ "Options valid for proxy domains.  <placeholder type=\"variablelist\" "
+ "id=\"0\"/>"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><title>
+-#: sssd.conf.5.xml:3131
++#: sssd.conf.5.xml:3154
+ msgid "Application domains"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para>
+-#: sssd.conf.5.xml:3133
++#: sssd.conf.5.xml:3156
+ msgid ""
+ "SSSD, with its D-Bus interface (see <citerefentry> "
+ "<refentrytitle>sssd-ifp</refentrytitle> <manvolnum>5</manvolnum> "
+@@ -3585,7 +3618,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para>
+-#: sssd.conf.5.xml:3153
++#: sssd.conf.5.xml:3176
+ msgid ""
+ "Please note that the application domain must still be explicitly enabled in "
+ "the <quote>domains</quote> parameter so that the lookup order between the "
+@@ -3593,17 +3626,17 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><title>
+-#: sssd.conf.5.xml:3159
++#: sssd.conf.5.xml:3182
+ msgid "Application domain parameters"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:3161
++#: sssd.conf.5.xml:3184
+ msgid "inherit_from (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3164
++#: sssd.conf.5.xml:3187
+ msgid ""
+ "The SSSD POSIX-type domain the application domain inherits all settings "
+ "from. The application domain can moreover add its own settings to the "
+@@ -3612,7 +3645,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para>
+-#: sssd.conf.5.xml:3178
++#: sssd.conf.5.xml:3201
+ msgid ""
+ "The following example illustrates the use of an application domain. In this "
+ "setup, the POSIX domain is connected to an LDAP server and is used by the OS "
+@@ -3622,7 +3655,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><programlisting>
+-#: sssd.conf.5.xml:3186
++#: sssd.conf.5.xml:3209
+ #, no-wrap
+ msgid ""
+ "[sssd]\n"
+@@ -3642,12 +3675,12 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><title>
+-#: sssd.conf.5.xml:3204
++#: sssd.conf.5.xml:3227
+ msgid "The local domain section"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para>
+-#: sssd.conf.5.xml:3206
++#: sssd.conf.5.xml:3229
+ msgid ""
+ "This section contains settings for domain that stores users and groups in "
+ "SSSD native database, that is, a domain that uses "
+@@ -3655,73 +3688,73 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:3213
++#: sssd.conf.5.xml:3236
+ msgid "default_shell (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3216
++#: sssd.conf.5.xml:3239
+ msgid "The default shell for users created with SSSD userspace tools."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3220
++#: sssd.conf.5.xml:3243
+ msgid "Default: <filename>/bin/bash</filename>"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:3225
++#: sssd.conf.5.xml:3248
+ msgid "base_directory (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3228
++#: sssd.conf.5.xml:3251
+ msgid ""
+ "The tools append the login name to <replaceable>base_directory</replaceable> "
+ "and use that as the home directory."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3233
++#: sssd.conf.5.xml:3256
+ msgid "Default: <filename>/home</filename>"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:3238
++#: sssd.conf.5.xml:3261
+ msgid "create_homedir (bool)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3241
++#: sssd.conf.5.xml:3264
+ msgid ""
+ "Indicate if a home directory should be created by default for new users.  "
+ "Can be overridden on command line."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3245 sssd.conf.5.xml:3257
++#: sssd.conf.5.xml:3268 sssd.conf.5.xml:3280
+ msgid "Default: TRUE"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:3250
++#: sssd.conf.5.xml:3273
+ msgid "remove_homedir (bool)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3253
++#: sssd.conf.5.xml:3276
+ msgid ""
+ "Indicate if a home directory should be removed by default for deleted "
+ "users.  Can be overridden on command line."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:3262
++#: sssd.conf.5.xml:3285
+ msgid "homedir_umask (integer)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3265
++#: sssd.conf.5.xml:3288
+ msgid ""
+ "Used by <citerefentry> <refentrytitle>sss_useradd</refentrytitle> "
+ "<manvolnum>8</manvolnum> </citerefentry> to specify the default permissions "
+@@ -3729,17 +3762,17 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3273
++#: sssd.conf.5.xml:3296
+ msgid "Default: 077"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:3278
++#: sssd.conf.5.xml:3301
+ msgid "skel_dir (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3281
++#: sssd.conf.5.xml:3304
+ msgid ""
+ "The skeleton directory, which contains files and directories to be copied in "
+ "the user's home directory, when the home directory is created by "
+@@ -3748,17 +3781,17 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3291
++#: sssd.conf.5.xml:3314
+ msgid "Default: <filename>/etc/skel</filename>"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:3296
++#: sssd.conf.5.xml:3319
+ msgid "mail_dir (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3299
++#: sssd.conf.5.xml:3322
+ msgid ""
+ "The mail spool directory. This is needed to manipulate the mailbox when its "
+ "corresponding user account is modified or deleted.  If not specified, a "
+@@ -3766,17 +3799,17 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3306
++#: sssd.conf.5.xml:3329
+ msgid "Default: <filename>/var/mail</filename>"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:3311
++#: sssd.conf.5.xml:3334
+ msgid "userdel_cmd (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3314
++#: sssd.conf.5.xml:3337
+ msgid ""
+ "The command that is run after a user is removed.  The command us passed the "
+ "username of the user being removed as the first and only parameter. The "
+@@ -3784,17 +3817,17 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3320
++#: sssd.conf.5.xml:3343
+ msgid "Default: None, no command is run"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><title>
+-#: sssd.conf.5.xml:3330
++#: sssd.conf.5.xml:3353
+ msgid "TRUSTED DOMAIN SECTION"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd.conf.5.xml:3332
++#: sssd.conf.5.xml:3355
+ msgid ""
+ "Some options used in the domain section can also be used in the trusted "
+ "domain section, that is, in a section called "
+@@ -3805,64 +3838,177 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd.conf.5.xml:3339
++#: sssd.conf.5.xml:3362
+ msgid "ldap_search_base,"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd.conf.5.xml:3340
++#: sssd.conf.5.xml:3363
+ msgid "ldap_user_search_base,"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd.conf.5.xml:3341
++#: sssd.conf.5.xml:3364
+ msgid "ldap_group_search_base,"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd.conf.5.xml:3342
++#: sssd.conf.5.xml:3365
+ msgid "ldap_netgroup_search_base,"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd.conf.5.xml:3343
++#: sssd.conf.5.xml:3366
+ msgid "ldap_service_search_base,"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd.conf.5.xml:3344
++#: sssd.conf.5.xml:3367
++msgid "ldap_sasl_mech,"
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para>
++#: sssd.conf.5.xml:3368
+ msgid "ad_server,"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd.conf.5.xml:3345
++#: sssd.conf.5.xml:3369
+ msgid "ad_backup_server,"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd.conf.5.xml:3346
++#: sssd.conf.5.xml:3370
+ msgid "ad_site,"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para>
+-#: sssd.conf.5.xml:3347 sssd-ipa.5.xml:782
++#: sssd.conf.5.xml:3371 sssd-ipa.5.xml:782
+ msgid "use_fully_qualified_names"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd.conf.5.xml:3349
++#: sssd.conf.5.xml:3373
+ msgid ""
+ "For more details about these options see their individual description in the "
+ "manual page."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><title>
+-#: sssd.conf.5.xml:3355 idmap_sss.8.xml:43
++#: sssd.conf.5.xml:3379
++msgid "PROMPTING CONFIGURATION SECTION"
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para>
++#: sssd.conf.5.xml:3381
++msgid ""
++"If a special file "
++"(<filename>/var/lib/sss/pubconf/pam_preauth_available</filename>)  exists "
++"SSSD's PAM module pam_sss will ask SSSD to figure out which authentication "
++"methods are available for the user trying to log in.  Based on the results "
++"pam_sss will prompt the user for appropriate credentials."
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para>
++#: sssd.conf.5.xml:3389
++msgid ""
++"With the growing number of authentication methods and the possibility that "
++"there are multiple ones for a single user the heuristic used by pam_sss to "
++"select the prompting might not be suitable for all use cases. To following "
++"options should provide a better flexibility here."
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
++#: sssd.conf.5.xml:3401
++msgid "[prompting/password]"
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
++#: sssd.conf.5.xml:3404
++msgid "password_prompt"
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
++#: sssd.conf.5.xml:3405
++msgid "to change the string of the password prompt"
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
++#: sssd.conf.5.xml:3403
++msgid ""
++"to configure password prompting, allowed options are: <placeholder "
++"type=\"variablelist\" id=\"0\"/>"
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
++#: sssd.conf.5.xml:3413
++msgid "[prompting/2fa]"
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
++#: sssd.conf.5.xml:3417
++msgid "first_prompt"
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
++#: sssd.conf.5.xml:3418
++msgid "to change the string of the prompt for the first factor"
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
++#: sssd.conf.5.xml:3421
++msgid "second_prompt"
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
++#: sssd.conf.5.xml:3422
++msgid "to change the string of the prompt for the second factor"
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
++#: sssd.conf.5.xml:3425
++msgid "single_prompt"
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
++#: sssd.conf.5.xml:3426
++msgid ""
++"boolean value, if True there will be only a single prompt using the value of "
++"first_prompt where it is expected that both factor are entered as a single "
++"string"
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
++#: sssd.conf.5.xml:3415
++msgid ""
++"to configure two-factor authentication prompting, allowed options are: "
++"<placeholder type=\"variablelist\" id=\"0\"/>"
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para>
++#: sssd.conf.5.xml:3396
++msgid ""
++"Each supported authentication method has it's own configuration sub-section "
++"under <quote>[prompting/...]</quote>. Currently there are: <placeholder "
++"type=\"variablelist\" id=\"0\"/> <placeholder type=\"variablelist\" "
++"id=\"1\"/>"
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para>
++#: sssd.conf.5.xml:3438
++msgid ""
++"It is possible to add a sub-section for specific PAM services like "
++"e.g. <quote>[prompting/password/sshd]</quote> to individual change the "
++"prompting for this service."
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><title>
++#: sssd.conf.5.xml:3445 idmap_sss.8.xml:43
+ msgid "EXAMPLES"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><programlisting>
+-#: sssd.conf.5.xml:3361
++#: sssd.conf.5.xml:3451
+ #, no-wrap
+ msgid ""
+ "[sssd]\n"
+@@ -3892,7 +4038,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd.conf.5.xml:3357
++#: sssd.conf.5.xml:3447
+ msgid ""
+ "1. The following example shows a typical SSSD config. It does not describe "
+ "configuration of the domains themselves - refer to documentation on "
+@@ -3901,7 +4047,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><programlisting>
+-#: sssd.conf.5.xml:3394
++#: sssd.conf.5.xml:3484
+ #, no-wrap
+ msgid ""
+ "[domain/ipa.com/child.ad.com]\n"
+@@ -3909,7 +4055,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd.conf.5.xml:3388
++#: sssd.conf.5.xml:3478
+ msgid ""
+ "2. The following example shows configuration of IPA AD trust where the AD "
+ "forest consists of two domains in a parent-child structure.  Suppose IPA "
+@@ -4807,7 +4953,7 @@ msgid "The LDAP attribute that corresponds to the user's full name."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:797 sssd-ldap.5.xml:1199 sssd-ldap.5.xml:1273 sssd-ldap.5.xml:1382 sssd-ldap.5.xml:2443 sssd-ipa.5.xml:607
++#: sssd-ldap.5.xml:797 sssd-ldap.5.xml:1199 sssd-ldap.5.xml:1273 sssd-ldap.5.xml:1382 sssd-ldap.5.xml:2463 sssd-ipa.5.xml:607
+ msgid "Default: cn"
+ msgstr ""
+ 
+@@ -5509,7 +5655,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1511 sssd-ldap.5.xml:2600
++#: sssd-ldap.5.xml:1511 sssd-ldap.5.xml:2620
+ msgid "Default: 900 (15 minutes)"
+ msgstr ""
+ 
+@@ -5612,11 +5758,17 @@ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:1604
+-msgid "You can turn off dereference lookups completely by setting the value to 0."
++msgid ""
++"You can turn off dereference lookups completely by setting the value to "
++"0. Please note that there are some codepaths in SSSD, like the IPA HBAC "
++"provider, that are only implemented using the dereference call, so even with "
++"dereference explicitly disabled, those parts will still use dereference if "
++"the server supports it and advertises the dereference control in the rootDSE "
++"object."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1608
++#: sssd-ldap.5.xml:1615
+ msgid ""
+ "A dereference lookup is a means of fetching all group members in a single "
+ "LDAP call.  Different LDAP servers may implement different dereference "
+@@ -5625,7 +5777,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1616
++#: sssd-ldap.5.xml:1623
+ msgid ""
+ "<emphasis>Note:</emphasis> If any of the search bases specifies a search "
+ "filter, then the dereference lookup performance enhancement will be disabled "
+@@ -5633,26 +5785,26 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1629
++#: sssd-ldap.5.xml:1636
+ msgid "ldap_tls_reqcert (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1632
++#: sssd-ldap.5.xml:1639
+ msgid ""
+ "Specifies what checks to perform on server certificates in a TLS session, if "
+ "any. It can be specified as one of the following values:"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1638
++#: sssd-ldap.5.xml:1645
+ msgid ""
+ "<emphasis>never</emphasis> = The client will not request or check any server "
+ "certificate."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1642
++#: sssd-ldap.5.xml:1649
+ msgid ""
+ "<emphasis>allow</emphasis> = The server certificate is requested. If no "
+ "certificate is provided, the session proceeds normally. If a bad certificate "
+@@ -5660,7 +5812,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1649
++#: sssd-ldap.5.xml:1656
+ msgid ""
+ "<emphasis>try</emphasis> = The server certificate is requested. If no "
+ "certificate is provided, the session proceeds normally. If a bad certificate "
+@@ -5668,7 +5820,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1655
++#: sssd-ldap.5.xml:1662
+ msgid ""
+ "<emphasis>demand</emphasis> = The server certificate is requested. If no "
+ "certificate is provided, or a bad certificate is provided, the session is "
+@@ -5676,41 +5828,41 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1661
++#: sssd-ldap.5.xml:1668
+ msgid "<emphasis>hard</emphasis> = Same as <quote>demand</quote>"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1665
++#: sssd-ldap.5.xml:1672
+ msgid "Default: hard"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1671
++#: sssd-ldap.5.xml:1678
+ msgid "ldap_tls_cacert (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1674
++#: sssd-ldap.5.xml:1681
+ msgid ""
+ "Specifies the file that contains certificates for all of the Certificate "
+ "Authorities that <command>sssd</command> will recognize."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1679 sssd-ldap.5.xml:1697 sssd-ldap.5.xml:1738
++#: sssd-ldap.5.xml:1686 sssd-ldap.5.xml:1704 sssd-ldap.5.xml:1745
+ msgid ""
+ "Default: use OpenLDAP defaults, typically in "
+ "<filename>/etc/openldap/ldap.conf</filename>"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1686
++#: sssd-ldap.5.xml:1693
+ msgid "ldap_tls_cacertdir (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1689
++#: sssd-ldap.5.xml:1696
+ msgid ""
+ "Specifies the path of a directory that contains Certificate Authority "
+ "certificates in separate individual files. Typically the file names need to "
+@@ -5719,32 +5871,32 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1704
++#: sssd-ldap.5.xml:1711
+ msgid "ldap_tls_cert (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1707
++#: sssd-ldap.5.xml:1714
+ msgid "Specifies the file that contains the certificate for the client's key."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1717
++#: sssd-ldap.5.xml:1724
+ msgid "ldap_tls_key (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1720
++#: sssd-ldap.5.xml:1727
+ msgid "Specifies the file that contains the client's key."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1729
++#: sssd-ldap.5.xml:1736
+ msgid "ldap_tls_cipher_suite (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1732
++#: sssd-ldap.5.xml:1739
+ msgid ""
+ "Specifies acceptable cipher suites.  Typically this is a colon separated "
+ "list.  See <citerefentry><refentrytitle>ldap.conf</refentrytitle> "
+@@ -5752,24 +5904,24 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1745
++#: sssd-ldap.5.xml:1752
+ msgid "ldap_id_use_start_tls (boolean)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1748
++#: sssd-ldap.5.xml:1755
+ msgid ""
+ "Specifies that the id_provider connection must also use <systemitem "
+ "class=\"protocol\">tls</systemitem> to protect the channel."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1758
++#: sssd-ldap.5.xml:1765
+ msgid "ldap_id_mapping (boolean)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1761
++#: sssd-ldap.5.xml:1768
+ msgid ""
+ "Specifies that SSSD should attempt to map user and group IDs from the "
+ "ldap_user_objectsid and ldap_group_objectsid attributes instead of relying "
+@@ -5777,17 +5929,17 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1767
++#: sssd-ldap.5.xml:1774
+ msgid "Currently this feature supports only ActiveDirectory objectSID mapping."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1777
++#: sssd-ldap.5.xml:1784
+ msgid "ldap_min_id, ldap_max_id (integer)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1780
++#: sssd-ldap.5.xml:1787
+ msgid ""
+ "In contrast to the SID based ID mapping which is used if ldap_id_mapping is "
+ "set to true the allowed ID range for ldap_user_uid_number and "
+@@ -5798,29 +5950,40 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1792
++#: sssd-ldap.5.xml:1799
+ msgid "Default: not set (both options are set to 0)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1798
++#: sssd-ldap.5.xml:1805
+ msgid "ldap_sasl_mech (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1801
++#: sssd-ldap.5.xml:1808
++msgid ""
++"Specify the SASL mechanism to use.  Currently only GSSAPI and GSS-SPNEGO are "
++"tested and supported."
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
++#: sssd-ldap.5.xml:1812
+ msgid ""
+-"Specify the SASL mechanism to use.  Currently only GSSAPI is tested and "
+-"supported."
++"If the backend supports sub-domains the value of ldap_sasl_mech is "
++"automatically inherited to the sub-domains. If a different value is needed "
++"for a sub-domain it can be overwritten by setting ldap_sasl_mech for this "
++"sub-domain explicitly.  Please see TRUSTED DOMAIN SECTION in "
++"<citerefentry><refentrytitle>sssd.conf</refentrytitle> "
++"<manvolnum>5</manvolnum></citerefentry> for details."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1811
++#: sssd-ldap.5.xml:1828
+ msgid "ldap_sasl_authid (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
+-#: sssd-ldap.5.xml:1822
++#: sssd-ldap.5.xml:1840
+ #, no-wrap
+ msgid ""
+ "hostname@REALM\n"
+@@ -5833,29 +5996,29 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1814
++#: sssd-ldap.5.xml:1831
+ msgid ""
+-"Specify the SASL authorization id to use.  When GSSAPI is used, this "
+-"represents the Kerberos principal used for authentication to the directory.  "
+-"This option can either contain the full principal (for example "
++"Specify the SASL authorization id to use.  When GSSAPI/GSS-SPNEGO are used, "
++"this represents the Kerberos principal used for authentication to the "
++"directory.  This option can either contain the full principal (for example "
+ "host/myhost@EXAMPLE.COM) or just the principal name (for example "
+-"host/myhost). By default, the value is not set and the following principals "
++"host/myhost).  By default, the value is not set and the following principals "
+ "are used: <placeholder type=\"programlisting\" id=\"0\"/> If none of them "
+ "are found, the first principal in keytab is returned."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1833
++#: sssd-ldap.5.xml:1851
+ msgid "Default: host/hostname@REALM"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1839
++#: sssd-ldap.5.xml:1857
+ msgid "ldap_sasl_realm (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1842
++#: sssd-ldap.5.xml:1860
+ msgid ""
+ "Specify the SASL realm to use. When not specified, this option defaults to "
+ "the value of krb5_realm.  If the ldap_sasl_authid contains the realm as "
+@@ -5863,77 +6026,79 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1848
++#: sssd-ldap.5.xml:1866
+ msgid "Default: the value of krb5_realm."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1854
++#: sssd-ldap.5.xml:1872
+ msgid "ldap_sasl_canonicalize (boolean)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1857
++#: sssd-ldap.5.xml:1875
+ msgid ""
+ "If set to true, the LDAP library would perform a reverse lookup to "
+ "canonicalize the host name during a SASL bind."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1862
++#: sssd-ldap.5.xml:1880
+ msgid "Default: false;"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1868
++#: sssd-ldap.5.xml:1886
+ msgid "ldap_krb5_keytab (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1871
+-msgid "Specify the keytab to use when using SASL/GSSAPI."
++#: sssd-ldap.5.xml:1889
++msgid "Specify the keytab to use when using SASL/GSSAPI/GSS-SPNEGO."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1874
++#: sssd-ldap.5.xml:1893
+ msgid "Default: System keytab, normally <filename>/etc/krb5.keytab</filename>"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1880
++#: sssd-ldap.5.xml:1899
+ msgid "ldap_krb5_init_creds (boolean)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1883
++#: sssd-ldap.5.xml:1902
+ msgid ""
+ "Specifies that the id_provider should init Kerberos credentials (TGT).  This "
+ "action is performed only if SASL is used and the mechanism selected is "
+-"GSSAPI."
++"GSSAPI or GSS-SPNEGO."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1895
++#: sssd-ldap.5.xml:1914
+ msgid "ldap_krb5_ticket_lifetime (integer)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1898
+-msgid "Specifies the lifetime in seconds of the TGT if GSSAPI is used."
++#: sssd-ldap.5.xml:1917
++msgid ""
++"Specifies the lifetime in seconds of the TGT if GSSAPI or GSS-SPNEGO is "
++"used."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1902 sssd-ad.5.xml:959
++#: sssd-ldap.5.xml:1921 sssd-ad.5.xml:978
+ msgid "Default: 86400 (24 hours)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1908 sssd-krb5.5.xml:74
++#: sssd-ldap.5.xml:1927 sssd-krb5.5.xml:74
+ msgid "krb5_server, krb5_backup_server (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1911
++#: sssd-ldap.5.xml:1930
+ msgid ""
+ "Specifies the comma-separated list of IP addresses or hostnames of the "
+ "Kerberos servers to which SSSD should connect in the order of "
+@@ -5945,7 +6110,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1923 sssd-krb5.5.xml:89
++#: sssd-ldap.5.xml:1942 sssd-krb5.5.xml:89
+ msgid ""
+ "When using service discovery for KDC or kpasswd servers, SSSD first searches "
+ "for DNS entries that specify _udp as the protocol and falls back to _tcp if "
+@@ -5953,7 +6118,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1928 sssd-krb5.5.xml:94
++#: sssd-ldap.5.xml:1947 sssd-krb5.5.xml:94
+ msgid ""
+ "This option was named <quote>krb5_kdcip</quote> in earlier releases of "
+ "SSSD. While the legacy name is recognized for the time being, users are "
+@@ -5962,39 +6127,39 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1937 sssd-ipa.5.xml:428 sssd-krb5.5.xml:103
++#: sssd-ldap.5.xml:1956 sssd-ipa.5.xml:428 sssd-krb5.5.xml:103
+ msgid "krb5_realm (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1940
+-msgid "Specify the Kerberos REALM (for SASL/GSSAPI auth)."
++#: sssd-ldap.5.xml:1959
++msgid "Specify the Kerberos REALM (for SASL/GSSAPI/GSS-SPNEGO auth)."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1943
++#: sssd-ldap.5.xml:1963
+ msgid "Default: System defaults, see <filename>/etc/krb5.conf</filename>"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1949 sssd-krb5.5.xml:462
++#: sssd-ldap.5.xml:1969 sssd-krb5.5.xml:462
+ msgid "krb5_canonicalize (boolean)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1952
++#: sssd-ldap.5.xml:1972
+ msgid ""
+ "Specifies if the host principal should be canonicalized when connecting to "
+ "LDAP server. This feature is available with MIT Kerberos >= 1.7"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1964 sssd-krb5.5.xml:477
++#: sssd-ldap.5.xml:1984 sssd-krb5.5.xml:477
+ msgid "krb5_use_kdcinfo (boolean)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1967 sssd-krb5.5.xml:480
++#: sssd-ldap.5.xml:1987 sssd-krb5.5.xml:480
+ msgid ""
+ "Specifies if the SSSD should instruct the Kerberos libraries what realm and "
+ "which KDCs to use. This option is on by default, if you disable it, you need "
+@@ -6004,7 +6169,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1978 sssd-krb5.5.xml:491
++#: sssd-ldap.5.xml:1998 sssd-krb5.5.xml:491
+ msgid ""
+ "See the <citerefentry> "
+ "<refentrytitle>sssd_krb5_locator_plugin</refentrytitle> "
+@@ -6013,26 +6178,26 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1992
++#: sssd-ldap.5.xml:2012
+ msgid "ldap_pwd_policy (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1995
++#: sssd-ldap.5.xml:2015
+ msgid ""
+ "Select the policy to evaluate the password expiration on the client "
+ "side. The following values are allowed:"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2000
++#: sssd-ldap.5.xml:2020
+ msgid ""
+ "<emphasis>none</emphasis> - No evaluation on the client side. This option "
+ "cannot disable server-side password policies."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2005
++#: sssd-ldap.5.xml:2025
+ msgid ""
+ "<emphasis>shadow</emphasis> - Use "
+ "<citerefentry><refentrytitle>shadow</refentrytitle> "
+@@ -6041,7 +6206,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2011
++#: sssd-ldap.5.xml:2031
+ msgid ""
+ "<emphasis>mit_kerberos</emphasis> - Use the attributes used by MIT Kerberos "
+ "to determine if the password has expired. Use chpass_provider=krb5 to update "
+@@ -6049,31 +6214,31 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2020
++#: sssd-ldap.5.xml:2040
+ msgid ""
+ "<emphasis>Note</emphasis>: if a password policy is configured on server "
+ "side, it always takes precedence over policy set with this option."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2028
++#: sssd-ldap.5.xml:2048
+ msgid "ldap_referrals (boolean)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2031
++#: sssd-ldap.5.xml:2051
+ msgid "Specifies whether automatic referral chasing should be enabled."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2035
++#: sssd-ldap.5.xml:2055
+ msgid ""
+ "Please note that sssd only supports referral chasing when it is compiled "
+ "with OpenLDAP version 2.4.13 or higher."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2040
++#: sssd-ldap.5.xml:2060
+ msgid ""
+ "Chasing referrals may incur a performance penalty in environments that use "
+ "them heavily, a notable example is Microsoft Active Directory. If your setup "
+@@ -6082,56 +6247,56 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2054
++#: sssd-ldap.5.xml:2074
+ msgid "ldap_dns_service_name (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2057
++#: sssd-ldap.5.xml:2077
+ msgid "Specifies the service name to use when service discovery is enabled."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2061
++#: sssd-ldap.5.xml:2081
+ msgid "Default: ldap"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2067
++#: sssd-ldap.5.xml:2087
+ msgid "ldap_chpass_dns_service_name (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2070
++#: sssd-ldap.5.xml:2090
+ msgid ""
+ "Specifies the service name to use to find an LDAP server which allows "
+ "password changes when service discovery is enabled."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2075
++#: sssd-ldap.5.xml:2095
+ msgid "Default: not set, i.e. service discovery is disabled"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2081
++#: sssd-ldap.5.xml:2101
+ msgid "ldap_chpass_update_last_change (bool)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2084
++#: sssd-ldap.5.xml:2104
+ msgid ""
+ "Specifies whether to update the ldap_user_shadow_last_change attribute with "
+ "days since the Epoch after a password change operation."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2096
++#: sssd-ldap.5.xml:2116
+ msgid "ldap_access_filter (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2099
++#: sssd-ldap.5.xml:2119
+ msgid ""
+ "If using access_provider = ldap and ldap_access_order = filter (default), "
+ "this option is mandatory. It specifies an LDAP search filter criteria that "
+@@ -6148,12 +6313,12 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2119
++#: sssd-ldap.5.xml:2139
+ msgid "Example:"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><programlisting>
+-#: sssd-ldap.5.xml:2122
++#: sssd-ldap.5.xml:2142
+ #, no-wrap
+ msgid ""
+ "access_provider = ldap\n"
+@@ -6162,14 +6327,14 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2126
++#: sssd-ldap.5.xml:2146
+ msgid ""
+ "This example means that access to this host is restricted to users whose "
+ "employeeType attribute is set to \"admin\"."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2131
++#: sssd-ldap.5.xml:2151
+ msgid ""
+ "Offline caching for this feature is limited to determining whether the "
+ "user's last online login was granted access permission. If they were granted "
+@@ -6178,24 +6343,24 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2139 sssd-ldap.5.xml:2196
++#: sssd-ldap.5.xml:2159 sssd-ldap.5.xml:2216
+ msgid "Default: Empty"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2145
++#: sssd-ldap.5.xml:2165
+ msgid "ldap_account_expire_policy (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2148
++#: sssd-ldap.5.xml:2168
+ msgid ""
+ "With this option a client side evaluation of access control attributes can "
+ "be enabled."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2152
++#: sssd-ldap.5.xml:2172
+ msgid ""
+ "Please note that it is always recommended to use server side access control, "
+ "i.e. the LDAP server should deny the bind request with a suitable error code "
+@@ -6203,19 +6368,19 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2159
++#: sssd-ldap.5.xml:2179
+ msgid "The following values are allowed:"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2162
++#: sssd-ldap.5.xml:2182
+ msgid ""
+ "<emphasis>shadow</emphasis>: use the value of ldap_user_shadow_expire to "
+ "determine if the account is expired."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2167
++#: sssd-ldap.5.xml:2187
+ msgid ""
+ "<emphasis>ad</emphasis>: use the value of the 32bit field "
+ "ldap_user_ad_user_account_control and allow access if the second bit is not "
+@@ -6224,7 +6389,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2174
++#: sssd-ldap.5.xml:2194
+ msgid ""
+ "<emphasis>rhds</emphasis>, <emphasis>ipa</emphasis>, "
+ "<emphasis>389ds</emphasis>: use the value of ldap_ns_account_lock to check "
+@@ -6232,7 +6397,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2180
++#: sssd-ldap.5.xml:2200
+ msgid ""
+ "<emphasis>nds</emphasis>: the values of "
+ "ldap_user_nds_login_allowed_time_map, ldap_user_nds_login_disabled and "
+@@ -6241,7 +6406,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2189
++#: sssd-ldap.5.xml:2209
+ msgid ""
+ "Please note that the ldap_access_order configuration option "
+ "<emphasis>must</emphasis> include <quote>expire</quote> in order for the "
+@@ -6249,22 +6414,22 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2202
++#: sssd-ldap.5.xml:2222
+ msgid "ldap_access_order (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2205
++#: sssd-ldap.5.xml:2225
+ msgid "Comma separated list of access control options.  Allowed values are:"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2209
++#: sssd-ldap.5.xml:2229
+ msgid "<emphasis>filter</emphasis>: use ldap_access_filter"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2212
++#: sssd-ldap.5.xml:2232
+ msgid ""
+ "<emphasis>lockout</emphasis>: use account locking.  If set, this option "
+ "denies access in case that ldap attribute 'pwdAccountLockedTime' is present "
+@@ -6274,7 +6439,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2222
++#: sssd-ldap.5.xml:2242
+ msgid ""
+ "<emphasis> Please note that this option is superseded by the "
+ "<quote>ppolicy</quote> option and might be removed in a future release.  "
+@@ -6282,7 +6447,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2229
++#: sssd-ldap.5.xml:2249
+ msgid ""
+ "<emphasis>ppolicy</emphasis>: use account locking.  If set, this option "
+ "denies access in case that ldap attribute 'pwdAccountLockedTime' is present "
+@@ -6295,12 +6460,12 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2246
++#: sssd-ldap.5.xml:2266
+ msgid "<emphasis>expire</emphasis>: use ldap_account_expire_policy"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2250
++#: sssd-ldap.5.xml:2270
+ msgid ""
+ "<emphasis>pwd_expire_policy_reject, pwd_expire_policy_warn, "
+ "pwd_expire_policy_renew: </emphasis> These options are useful if users are "
+@@ -6310,7 +6475,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2260
++#: sssd-ldap.5.xml:2280
+ msgid ""
+ "The difference between these options is the action taken if user password is "
+ "expired: pwd_expire_policy_reject - user is denied to log in, "
+@@ -6320,38 +6485,38 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2268
++#: sssd-ldap.5.xml:2288
+ msgid "Note If user password is expired no explicit message is prompted by SSSD."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2272
++#: sssd-ldap.5.xml:2292
+ msgid ""
+ "Please note that 'access_provider = ldap' must be set for this feature to "
+ "work. Also 'ldap_pwd_policy' must be set to an appropriate password policy."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2277
++#: sssd-ldap.5.xml:2297
+ msgid ""
+ "<emphasis>authorized_service</emphasis>: use the authorizedService attribute "
+ "to determine access"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2282
++#: sssd-ldap.5.xml:2302
+ msgid "<emphasis>host</emphasis>: use the host attribute to determine access"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2286
++#: sssd-ldap.5.xml:2306
+ msgid ""
+ "<emphasis>rhost</emphasis>: use the rhost attribute to determine whether "
+ "remote host can access"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2290
++#: sssd-ldap.5.xml:2310
+ msgid ""
+ "Please note, rhost field in pam is set by application, it is better to check "
+ "what the application sends to pam, before enabling this access control "
+@@ -6359,24 +6524,24 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2295
++#: sssd-ldap.5.xml:2315
+ msgid "Default: filter"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2298
++#: sssd-ldap.5.xml:2318
+ msgid ""
+ "Please note that it is a configuration error if a value is used more than "
+ "once."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2305
++#: sssd-ldap.5.xml:2325
+ msgid "ldap_pwdlockout_dn (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2308
++#: sssd-ldap.5.xml:2328
+ msgid ""
+ "This option specifies the DN of password policy entry on LDAP server. Please "
+ "note that absence of this option in sssd.conf in case of enabled account "
+@@ -6385,74 +6550,74 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2316
++#: sssd-ldap.5.xml:2336
+ msgid "Example: cn=ppolicy,ou=policies,dc=example,dc=com"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2319
++#: sssd-ldap.5.xml:2339
+ msgid "Default: cn=ppolicy,ou=policies,$ldap_search_base"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2325
++#: sssd-ldap.5.xml:2345
+ msgid "ldap_deref (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2328
++#: sssd-ldap.5.xml:2348
+ msgid ""
+ "Specifies how alias dereferencing is done when performing a search. The "
+ "following options are allowed:"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2333
++#: sssd-ldap.5.xml:2353
+ msgid "<emphasis>never</emphasis>: Aliases are never dereferenced."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2337
++#: sssd-ldap.5.xml:2357
+ msgid ""
+ "<emphasis>searching</emphasis>: Aliases are dereferenced in subordinates of "
+ "the base object, but not in locating the base object of the search."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2342
++#: sssd-ldap.5.xml:2362
+ msgid ""
+ "<emphasis>finding</emphasis>: Aliases are only dereferenced when locating "
+ "the base object of the search."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2347
++#: sssd-ldap.5.xml:2367
+ msgid ""
+ "<emphasis>always</emphasis>: Aliases are dereferenced both in searching and "
+ "in locating the base object of the search."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2352
++#: sssd-ldap.5.xml:2372
+ msgid ""
+ "Default: Empty (this is handled as <emphasis>never</emphasis> by the LDAP "
+ "client libraries)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2360
++#: sssd-ldap.5.xml:2380
+ msgid "ldap_rfc2307_fallback_to_local_users (boolean)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2363
++#: sssd-ldap.5.xml:2383
+ msgid ""
+ "Allows to retain local users as members of an LDAP group for servers that "
+ "use the RFC2307 schema."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2367
++#: sssd-ldap.5.xml:2387
+ msgid ""
+ "In some environments where the RFC2307 schema is used, local users are made "
+ "members of LDAP groups by adding their names to the memberUid attribute.  "
+@@ -6463,7 +6628,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2378
++#: sssd-ldap.5.xml:2398
+ msgid ""
+ "This option falls back to checking if local users are referenced, and caches "
+ "them so that later initgroups() calls will augment the local users with the "
+@@ -6471,24 +6636,24 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2390 sssd-ifp.5.xml:136
++#: sssd-ldap.5.xml:2410 sssd-ifp.5.xml:136
+ msgid "wildcard_limit (integer)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2393
++#: sssd-ldap.5.xml:2413
+ msgid ""
+ "Specifies an upper limit on the number of entries that are downloaded during "
+ "a wildcard lookup."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2397
++#: sssd-ldap.5.xml:2417
+ msgid "At the moment, only the InfoPipe responder supports wildcard lookups."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2401
++#: sssd-ldap.5.xml:2421
+ msgid "Default: 1000 (often the size of one page)"
+ msgstr ""
+ 
+@@ -6503,12 +6668,12 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><title>
+-#: sssd-ldap.5.xml:2411
++#: sssd-ldap.5.xml:2431
+ msgid "SUDO OPTIONS"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd-ldap.5.xml:2413
++#: sssd-ldap.5.xml:2433
+ msgid ""
+ "The detailed instructions for configuration of sudo_provider are in the "
+ "manual page <citerefentry> <refentrytitle>sssd-sudo</refentrytitle> "
+@@ -6516,208 +6681,208 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2424
++#: sssd-ldap.5.xml:2444
+ msgid "ldap_sudorule_object_class (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2427
++#: sssd-ldap.5.xml:2447
+ msgid "The object class of a sudo rule entry in LDAP."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2430
++#: sssd-ldap.5.xml:2450
+ msgid "Default: sudoRole"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2436
++#: sssd-ldap.5.xml:2456
+ msgid "ldap_sudorule_name (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2439
++#: sssd-ldap.5.xml:2459
+ msgid "The LDAP attribute that corresponds to the sudo rule name."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2449
++#: sssd-ldap.5.xml:2469
+ msgid "ldap_sudorule_command (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2452
++#: sssd-ldap.5.xml:2472
+ msgid "The LDAP attribute that corresponds to the command name."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2456
++#: sssd-ldap.5.xml:2476
+ msgid "Default: sudoCommand"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2462
++#: sssd-ldap.5.xml:2482
+ msgid "ldap_sudorule_host (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2465
++#: sssd-ldap.5.xml:2485
+ msgid ""
+ "The LDAP attribute that corresponds to the host name (or host IP address, "
+ "host IP network, or host netgroup)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2470
++#: sssd-ldap.5.xml:2490
+ msgid "Default: sudoHost"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2476
++#: sssd-ldap.5.xml:2496
+ msgid "ldap_sudorule_user (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2479
++#: sssd-ldap.5.xml:2499
+ msgid ""
+ "The LDAP attribute that corresponds to the user name (or UID, group name or "
+ "user's netgroup)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2483
++#: sssd-ldap.5.xml:2503
+ msgid "Default: sudoUser"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2489
++#: sssd-ldap.5.xml:2509
+ msgid "ldap_sudorule_option (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2492
++#: sssd-ldap.5.xml:2512
+ msgid "The LDAP attribute that corresponds to the sudo options."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2496
++#: sssd-ldap.5.xml:2516
+ msgid "Default: sudoOption"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2502
++#: sssd-ldap.5.xml:2522
+ msgid "ldap_sudorule_runasuser (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2505
++#: sssd-ldap.5.xml:2525
+ msgid ""
+ "The LDAP attribute that corresponds to the user name that commands may be "
+ "run as."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2509
++#: sssd-ldap.5.xml:2529
+ msgid "Default: sudoRunAsUser"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2515
++#: sssd-ldap.5.xml:2535
+ msgid "ldap_sudorule_runasgroup (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2518
++#: sssd-ldap.5.xml:2538
+ msgid ""
+ "The LDAP attribute that corresponds to the group name or group GID that "
+ "commands may be run as."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2522
++#: sssd-ldap.5.xml:2542
+ msgid "Default: sudoRunAsGroup"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2528
++#: sssd-ldap.5.xml:2548
+ msgid "ldap_sudorule_notbefore (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2531
++#: sssd-ldap.5.xml:2551
+ msgid ""
+ "The LDAP attribute that corresponds to the start date/time for when the sudo "
+ "rule is valid."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2535
++#: sssd-ldap.5.xml:2555
+ msgid "Default: sudoNotBefore"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2541
++#: sssd-ldap.5.xml:2561
+ msgid "ldap_sudorule_notafter (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2544
++#: sssd-ldap.5.xml:2564
+ msgid ""
+ "The LDAP attribute that corresponds to the expiration date/time, after which "
+ "the sudo rule will no longer be valid."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2549
++#: sssd-ldap.5.xml:2569
+ msgid "Default: sudoNotAfter"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2555
++#: sssd-ldap.5.xml:2575
+ msgid "ldap_sudorule_order (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2558
++#: sssd-ldap.5.xml:2578
+ msgid "The LDAP attribute that corresponds to the ordering index of the rule."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2562
++#: sssd-ldap.5.xml:2582
+ msgid "Default: sudoOrder"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2568
++#: sssd-ldap.5.xml:2588
+ msgid "ldap_sudo_full_refresh_interval (integer)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2571
++#: sssd-ldap.5.xml:2591
+ msgid ""
+ "How many seconds SSSD will wait between executing a full refresh of sudo "
+ "rules (which downloads all rules that are stored on the server)."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2576
++#: sssd-ldap.5.xml:2596
+ msgid ""
+ "The value must be greater than <emphasis>ldap_sudo_smart_refresh_interval "
+ "</emphasis>"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2581
++#: sssd-ldap.5.xml:2601
+ msgid "Default: 21600 (6 hours)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2587
++#: sssd-ldap.5.xml:2607
+ msgid "ldap_sudo_smart_refresh_interval (integer)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2590
++#: sssd-ldap.5.xml:2610
+ msgid ""
+ "How many seconds SSSD has to wait before executing a smart refresh of sudo "
+ "rules (which downloads all rules that have USN higher than the highest USN "
+@@ -6725,100 +6890,100 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2596
++#: sssd-ldap.5.xml:2616
+ msgid ""
+ "If USN attributes are not supported by the server, the modifyTimestamp "
+ "attribute is used instead."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2606
++#: sssd-ldap.5.xml:2626
+ msgid "ldap_sudo_use_host_filter (boolean)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2609
++#: sssd-ldap.5.xml:2629
+ msgid ""
+ "If true, SSSD will download only rules that are applicable to this machine "
+ "(using the IPv4 or IPv6 host/network addresses and hostnames)."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2620
++#: sssd-ldap.5.xml:2640
+ msgid "ldap_sudo_hostnames (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2623
++#: sssd-ldap.5.xml:2643
+ msgid ""
+ "Space separated list of hostnames or fully qualified domain names that "
+ "should be used to filter the rules."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2628
++#: sssd-ldap.5.xml:2648
+ msgid ""
+ "If this option is empty, SSSD will try to discover the hostname and the "
+ "fully qualified domain name automatically."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2633 sssd-ldap.5.xml:2656 sssd-ldap.5.xml:2674 sssd-ldap.5.xml:2692
++#: sssd-ldap.5.xml:2653 sssd-ldap.5.xml:2676 sssd-ldap.5.xml:2694 sssd-ldap.5.xml:2712
+ msgid ""
+ "If <emphasis>ldap_sudo_use_host_filter</emphasis> is "
+ "<emphasis>false</emphasis> then this option has no effect."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2638 sssd-ldap.5.xml:2661
++#: sssd-ldap.5.xml:2658 sssd-ldap.5.xml:2681
+ msgid "Default: not specified"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2644
++#: sssd-ldap.5.xml:2664
+ msgid "ldap_sudo_ip (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2647
++#: sssd-ldap.5.xml:2667
+ msgid ""
+ "Space separated list of IPv4 or IPv6 host/network addresses that should be "
+ "used to filter the rules."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2652
++#: sssd-ldap.5.xml:2672
+ msgid ""
+ "If this option is empty, SSSD will try to discover the addresses "
+ "automatically."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2667
++#: sssd-ldap.5.xml:2687
+ msgid "ldap_sudo_include_netgroups (boolean)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2670
++#: sssd-ldap.5.xml:2690
+ msgid ""
+ "If true then SSSD will download every rule that contains a netgroup in "
+ "sudoHost attribute."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2685
++#: sssd-ldap.5.xml:2705
+ msgid "ldap_sudo_include_regexp (boolean)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2688
++#: sssd-ldap.5.xml:2708
+ msgid ""
+ "If true then SSSD will download every rule that contains a wildcard in "
+ "sudoHost attribute."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd-ldap.5.xml:2704
++#: sssd-ldap.5.xml:2724
+ msgid ""
+ "This manual page only describes attribute name mapping.  For detailed "
+ "explanation of sudo related attribute semantics, see <citerefentry> "
+@@ -6827,112 +6992,112 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><title>
+-#: sssd-ldap.5.xml:2714
++#: sssd-ldap.5.xml:2734
+ msgid "AUTOFS OPTIONS"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd-ldap.5.xml:2716
++#: sssd-ldap.5.xml:2736
+ msgid ""
+ "Some of the defaults for the parameters below are dependent on the LDAP "
+ "schema."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2722
++#: sssd-ldap.5.xml:2742
+ msgid "ldap_autofs_map_master_name (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2725
++#: sssd-ldap.5.xml:2745
+ msgid "The name of the automount master map in LDAP."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2728
++#: sssd-ldap.5.xml:2748
+ msgid "Default: auto.master"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2735
++#: sssd-ldap.5.xml:2755
+ msgid "ldap_autofs_map_object_class (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2738
++#: sssd-ldap.5.xml:2758
+ msgid "The object class of an automount map entry in LDAP."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2741
++#: sssd-ldap.5.xml:2761
+ msgid "Default: nisMap (rfc2307, autofs_provider=ad), otherwise automountMap"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2749
++#: sssd-ldap.5.xml:2769
+ msgid "ldap_autofs_map_name (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2752
++#: sssd-ldap.5.xml:2772
+ msgid "The name of an automount map entry in LDAP."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2755
++#: sssd-ldap.5.xml:2775
+ msgid ""
+ "Default: nisMapName (rfc2307, autofs_provider=ad), otherwise "
+ "automountMapName"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2763
++#: sssd-ldap.5.xml:2783
+ msgid "ldap_autofs_entry_object_class (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2766
++#: sssd-ldap.5.xml:2786
+ msgid ""
+ "The object class of an automount entry in LDAP. The entry usually "
+ "corresponds to a mount point."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2771
++#: sssd-ldap.5.xml:2791
+ msgid "Default: nisObject (rfc2307, autofs_provider=ad), otherwise automount"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2779
++#: sssd-ldap.5.xml:2799
+ msgid "ldap_autofs_entry_key (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2782 sssd-ldap.5.xml:2797
++#: sssd-ldap.5.xml:2802 sssd-ldap.5.xml:2817
+ msgid ""
+ "The key of an automount entry in LDAP. The entry usually corresponds to a "
+ "mount point."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2786
++#: sssd-ldap.5.xml:2806
+ msgid "Default: cn (rfc2307, autofs_provider=ad), otherwise automountKey"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2794
++#: sssd-ldap.5.xml:2814
+ msgid "ldap_autofs_entry_value (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2801
++#: sssd-ldap.5.xml:2821
+ msgid ""
+ "Default: nisMapEntry (rfc2307, autofs_provider=ad), otherwise "
+ "automountInformation"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd-ldap.5.xml:2720
++#: sssd-ldap.5.xml:2740
+ msgid ""
+ "<placeholder type=\"variablelist\" id=\"0\"/> <placeholder "
+ "type=\"variablelist\" id=\"1\"/> <placeholder type=\"variablelist\" "
+@@ -6942,32 +7107,32 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><title>
+-#: sssd-ldap.5.xml:2812
++#: sssd-ldap.5.xml:2832
+ msgid "ADVANCED OPTIONS"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2819
++#: sssd-ldap.5.xml:2839
+ msgid "ldap_netgroup_search_base (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2824
++#: sssd-ldap.5.xml:2844
+ msgid "ldap_user_search_base (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2829
++#: sssd-ldap.5.xml:2849
+ msgid "ldap_group_search_base (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><note>
+-#: sssd-ldap.5.xml:2834
++#: sssd-ldap.5.xml:2854
+ msgid "<note>"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><note><para>
+-#: sssd-ldap.5.xml:2836
++#: sssd-ldap.5.xml:2856
+ msgid ""
+ "If the option <quote>ldap_use_tokengroups</quote> is enabled, the searches "
+ "against Active Directory will not be restricted and return all groups "
+@@ -6976,22 +7141,22 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist>
+-#: sssd-ldap.5.xml:2843
++#: sssd-ldap.5.xml:2863
+ msgid "</note>"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2845
++#: sssd-ldap.5.xml:2865
+ msgid "ldap_sudo_search_base (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2850
++#: sssd-ldap.5.xml:2870
+ msgid "ldap_autofs_search_base (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd-ldap.5.xml:2814
++#: sssd-ldap.5.xml:2834
+ msgid ""
+ "These options are supported by LDAP domains, but they should be used with "
+ "caution. Please include them in your configuration only if you know what you "
+@@ -7000,12 +7165,12 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><title>
+-#: sssd-ldap.5.xml:2865 sssd-simple.5.xml:131 sssd-ipa.5.xml:828 sssd-ad.5.xml:1063 sssd-krb5.5.xml:570 sss_rpcidmapd.5.xml:98 sssd-files.5.xml:103 sssd-session-recording.5.xml:144
++#: sssd-ldap.5.xml:2885 sssd-simple.5.xml:131 sssd-ipa.5.xml:828 sssd-ad.5.xml:1082 sssd-krb5.5.xml:604 sss_rpcidmapd.5.xml:98 sssd-files.5.xml:103 sssd-session-recording.5.xml:144
+ msgid "EXAMPLE"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd-ldap.5.xml:2867
++#: sssd-ldap.5.xml:2887
+ msgid ""
+ "The following example assumes that SSSD is correctly configured and LDAP is "
+ "set to one of the domains in the <replaceable>[domains]</replaceable> "
+@@ -7013,7 +7178,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><programlisting>
+-#: sssd-ldap.5.xml:2873
++#: sssd-ldap.5.xml:2893
+ #, no-wrap
+ msgid ""
+ "[domain/LDAP]\n"
+@@ -7026,24 +7191,24 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <refsect1><refsect2><para>
+-#: sssd-ldap.5.xml:2872 sssd-ldap.5.xml:2890 sssd-simple.5.xml:139 sssd-ipa.5.xml:836 sssd-ad.5.xml:1071 sssd-sudo.5.xml:56 sssd-krb5.5.xml:579 sssd-files.5.xml:110 sssd-session-recording.5.xml:150 include/ldap_id_mapping.xml:105
++#: sssd-ldap.5.xml:2892 sssd-ldap.5.xml:2910 sssd-simple.5.xml:139 sssd-ipa.5.xml:836 sssd-ad.5.xml:1090 sssd-sudo.5.xml:56 sssd-krb5.5.xml:613 sssd-files.5.xml:110 sssd-session-recording.5.xml:150 include/ldap_id_mapping.xml:105
+ msgid "<placeholder type=\"programlisting\" id=\"0\"/>"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><title>
+-#: sssd-ldap.5.xml:2884
++#: sssd-ldap.5.xml:2904
+ msgid "LDAP ACCESS FILTER EXAMPLE"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd-ldap.5.xml:2886
++#: sssd-ldap.5.xml:2906
+ msgid ""
+ "The following example assumes that SSSD is correctly configured and to use "
+ "the ldap_access_order=lockout."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><programlisting>
+-#: sssd-ldap.5.xml:2891
++#: sssd-ldap.5.xml:2911
+ #, no-wrap
+ msgid ""
+ "[domain/LDAP]\n"
+@@ -7059,12 +7224,12 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><title>
+-#: sssd-ldap.5.xml:2906 sssd_krb5_locator_plugin.8.xml:83 sssd-simple.5.xml:148 sssd-ad.5.xml:1086 sssd.8.xml:230 sss_seed.8.xml:163
++#: sssd-ldap.5.xml:2926 sssd_krb5_locator_plugin.8.xml:83 sssd-simple.5.xml:148 sssd-ad.5.xml:1105 sssd.8.xml:230 sss_seed.8.xml:163
+ msgid "NOTES"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd-ldap.5.xml:2908
++#: sssd-ldap.5.xml:2928
+ msgid ""
+ "The descriptions of some of the configuration options in this manual page "
+ "are based on the <citerefentry> <refentrytitle>ldap.conf</refentrytitle> "
+@@ -8542,7 +8707,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ipa.5.xml:128 sssd-ad.5.xml:888
++#: sssd-ipa.5.xml:128 sssd-ad.5.xml:907
+ msgid "dyndns_update (boolean)"
+ msgstr ""
+ 
+@@ -8557,7 +8722,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ipa.5.xml:140 sssd-ad.5.xml:902
++#: sssd-ipa.5.xml:140 sssd-ad.5.xml:921
+ msgid ""
+ "NOTE: On older systems (such as RHEL 5), for this behavior to work reliably, "
+ "the default Kerberos realm must be set properly in /etc/krb5.conf"
+@@ -8572,12 +8737,12 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ipa.5.xml:157 sssd-ad.5.xml:913
++#: sssd-ipa.5.xml:157 sssd-ad.5.xml:932
+ msgid "dyndns_ttl (integer)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ipa.5.xml:160 sssd-ad.5.xml:916
++#: sssd-ipa.5.xml:160 sssd-ad.5.xml:935
+ msgid ""
+ "The TTL to apply to the client DNS record when updating it.  If "
+ "dyndns_update is false this has no effect. This will override the TTL "
+@@ -8598,12 +8763,12 @@ msgid "Default: 1200 (seconds)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ipa.5.xml:177 sssd-ad.5.xml:927
++#: sssd-ipa.5.xml:177 sssd-ad.5.xml:946
+ msgid "dyndns_iface (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ipa.5.xml:180 sssd-ad.5.xml:930
++#: sssd-ipa.5.xml:180 sssd-ad.5.xml:949
+ msgid ""
+ "Optional. Applicable only when dyndns_update is true. Choose the interface "
+ "or a list of interfaces whose IP addresses should be used for dynamic DNS "
+@@ -8627,17 +8792,17 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ipa.5.xml:197 sssd-ad.5.xml:941
++#: sssd-ipa.5.xml:197 sssd-ad.5.xml:960
+ msgid "Example: dyndns_iface = em1, vnet1, vnet2"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ipa.5.xml:203 sssd-ad.5.xml:992
++#: sssd-ipa.5.xml:203 sssd-ad.5.xml:1011
+ msgid "dyndns_auth (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ipa.5.xml:206 sssd-ad.5.xml:995
++#: sssd-ipa.5.xml:206 sssd-ad.5.xml:1014
+ msgid ""
+ "Whether the nsupdate utility should use GSS-TSIG authentication for secure "
+ "updates with the DNS server, insecure updates can be sent by setting this "
+@@ -8645,7 +8810,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ipa.5.xml:212 sssd-ad.5.xml:1001
++#: sssd-ipa.5.xml:212 sssd-ad.5.xml:1020
+ msgid "Default: GSS-TSIG"
+ msgstr ""
+ 
+@@ -8673,7 +8838,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ipa.5.xml:244 sssd-ad.5.xml:947
++#: sssd-ipa.5.xml:244 sssd-ad.5.xml:966
+ msgid "dyndns_refresh_interval (integer)"
+ msgstr ""
+ 
+@@ -8686,12 +8851,12 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ipa.5.xml:260 sssd-ad.5.xml:965
++#: sssd-ipa.5.xml:260 sssd-ad.5.xml:984
+ msgid "dyndns_update_ptr (bool)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ipa.5.xml:263 sssd-ad.5.xml:968
++#: sssd-ipa.5.xml:263 sssd-ad.5.xml:987
+ msgid ""
+ "Whether the PTR record should also be explicitly updated when updating the "
+ "client's DNS records.  Applicable only when dyndns_update is true."
+@@ -8710,50 +8875,50 @@ msgid "Default: False (disabled)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ipa.5.xml:280 sssd-ad.5.xml:979
++#: sssd-ipa.5.xml:280 sssd-ad.5.xml:998
+ msgid "dyndns_force_tcp (bool)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ipa.5.xml:283 sssd-ad.5.xml:982
++#: sssd-ipa.5.xml:283 sssd-ad.5.xml:1001
+ msgid ""
+ "Whether the nsupdate utility should default to using TCP for communicating "
+ "with the DNS server."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ipa.5.xml:287 sssd-ad.5.xml:986
++#: sssd-ipa.5.xml:287 sssd-ad.5.xml:1005
+ msgid "Default: False (let nsupdate choose the protocol)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ipa.5.xml:293 sssd-ad.5.xml:1007
++#: sssd-ipa.5.xml:293 sssd-ad.5.xml:1026
+ msgid "dyndns_server (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ipa.5.xml:296 sssd-ad.5.xml:1010
++#: sssd-ipa.5.xml:296 sssd-ad.5.xml:1029
+ msgid ""
+ "The DNS server to use when performing a DNS update. In most setups, it's "
+ "recommended to leave this option unset."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ipa.5.xml:301 sssd-ad.5.xml:1015
++#: sssd-ipa.5.xml:301 sssd-ad.5.xml:1034
+ msgid ""
+ "Setting this option makes sense for environments where the DNS server is "
+ "different from the identity server."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ipa.5.xml:306 sssd-ad.5.xml:1020
++#: sssd-ipa.5.xml:306 sssd-ad.5.xml:1039
+ msgid ""
+ "Please note that this option will be only used in fallback attempt when "
+ "previous attempt using autodetected settings failed."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ipa.5.xml:311 sssd-ad.5.xml:1025
++#: sssd-ipa.5.xml:311 sssd-ad.5.xml:1044
+ msgid "Default: None (let nsupdate choose the server)"
+ msgstr ""
+ 
+@@ -8864,26 +9029,26 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ipa.5.xml:443 sssd-ad.5.xml:1034
++#: sssd-ipa.5.xml:443 sssd-ad.5.xml:1053
+ msgid "krb5_confd_path (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ipa.5.xml:446 sssd-ad.5.xml:1037
++#: sssd-ipa.5.xml:446 sssd-ad.5.xml:1056
+ msgid ""
+ "Absolute path of a directory where SSSD should place Kerberos configuration "
+ "snippets."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ipa.5.xml:450 sssd-ad.5.xml:1041
++#: sssd-ipa.5.xml:450 sssd-ad.5.xml:1060
+ msgid ""
+ "To disable the creation of the configuration snippets set the parameter to "
+ "'none'."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ipa.5.xml:454 sssd-ad.5.xml:1045
++#: sssd-ipa.5.xml:454 sssd-ad.5.xml:1064
+ msgid "Default: not set (krb5.include.d subdirectory of SSSD's pubconf directory)"
+ msgstr ""
+ 
+@@ -8901,7 +9066,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ipa.5.xml:471 sssd-ipa.5.xml:501 sssd-ipa.5.xml:517 sssd-ad.5.xml:452
++#: sssd-ipa.5.xml:471 sssd-ipa.5.xml:501 sssd-ipa.5.xml:517 sssd-ad.5.xml:471
+ msgid "Default: 5 (seconds)"
+ msgstr ""
+ 
+@@ -9782,12 +9947,27 @@ msgid "Default: False (seconds)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ad.5.xml:442
++#: sssd-ad.5.xml:441
++msgid "ad_gpo_ignore_unreadable (boolean)"
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
++#: sssd-ad.5.xml:444
++msgid ""
++"Normally when some group policy containers (AD object) of applicable group "
++"policy objects are not readable by SSSD then users are denied access.  This "
++"option allows to ignore group policy containers and with them associated "
++"policies if their attributes in group policy containers are not readable for "
++"SSSD."
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
++#: sssd-ad.5.xml:461
+ msgid "ad_gpo_cache_timeout (integer)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:445
++#: sssd-ad.5.xml:464
+ msgid ""
+ "The amount of time between lookups of GPO policy files against the AD "
+ "server. This will reduce the latency and load on the AD server if there are "
+@@ -9795,12 +9975,12 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ad.5.xml:458
++#: sssd-ad.5.xml:477
+ msgid "ad_gpo_map_interactive (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:461
++#: sssd-ad.5.xml:480
+ msgid ""
+ "A comma-separated list of PAM service names for which GPO-based access "
+ "control is evaluated based on the InteractiveLogonRight and "
+@@ -9808,14 +9988,14 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:467
++#: sssd-ad.5.xml:486
+ msgid ""
+ "Note: Using the Group Policy Management Editor this value is called \"Allow "
+ "log on locally\" and \"Deny log on locally\"."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
+-#: sssd-ad.5.xml:481
++#: sssd-ad.5.xml:500
+ #, no-wrap
+ msgid ""
+ "ad_gpo_map_interactive = +my_pam_service, -login\n"
+@@ -9823,7 +10003,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:472
++#: sssd-ad.5.xml:491
+ msgid ""
+ "It is possible to add another PAM service name to the default set by using "
+ "<quote>+service_name</quote> or to explicitly remove a PAM service name from "
+@@ -9835,42 +10015,42 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd-ad.5.xml:504
++#: sssd-ad.5.xml:523
+ msgid "gdm-fingerprint"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd-ad.5.xml:524
++#: sssd-ad.5.xml:543
+ msgid "lightdm"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd-ad.5.xml:529
++#: sssd-ad.5.xml:548
+ msgid "lxdm"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd-ad.5.xml:534
++#: sssd-ad.5.xml:553
+ msgid "sddm"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd-ad.5.xml:539
++#: sssd-ad.5.xml:558
+ msgid "unity"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd-ad.5.xml:544
++#: sssd-ad.5.xml:563
+ msgid "xdm"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ad.5.xml:553
++#: sssd-ad.5.xml:572
+ msgid "ad_gpo_map_remote_interactive (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:556
++#: sssd-ad.5.xml:575
+ msgid ""
+ "A comma-separated list of PAM service names for which GPO-based access "
+ "control is evaluated based on the RemoteInteractiveLogonRight and "
+@@ -9878,7 +10058,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:562
++#: sssd-ad.5.xml:581
+ msgid ""
+ "Note: Using the Group Policy Management Editor this value is called \"Allow "
+ "log on through Remote Desktop Services\" and \"Deny log on through Remote "
+@@ -9886,7 +10066,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
+-#: sssd-ad.5.xml:577
++#: sssd-ad.5.xml:596
+ #, no-wrap
+ msgid ""
+ "ad_gpo_map_remote_interactive = +my_pam_service, -sshd\n"
+@@ -9894,7 +10074,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:568
++#: sssd-ad.5.xml:587
+ msgid ""
+ "It is possible to add another PAM service name to the default set by using "
+ "<quote>+service_name</quote> or to explicitly remove a PAM service name from "
+@@ -9906,22 +10086,22 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd-ad.5.xml:585
++#: sssd-ad.5.xml:604
+ msgid "sshd"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd-ad.5.xml:590
++#: sssd-ad.5.xml:609
+ msgid "cockpit"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ad.5.xml:599
++#: sssd-ad.5.xml:618
+ msgid "ad_gpo_map_network (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:602
++#: sssd-ad.5.xml:621
+ msgid ""
+ "A comma-separated list of PAM service names for which GPO-based access "
+ "control is evaluated based on the NetworkLogonRight and "
+@@ -9929,7 +10109,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:608
++#: sssd-ad.5.xml:627
+ msgid ""
+ "Note: Using the Group Policy Management Editor this value is called \"Access "
+ "this computer from the network\" and \"Deny access to this computer from the "
+@@ -9937,7 +10117,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
+-#: sssd-ad.5.xml:623
++#: sssd-ad.5.xml:642
+ #, no-wrap
+ msgid ""
+ "ad_gpo_map_network = +my_pam_service, -ftp\n"
+@@ -9945,7 +10125,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:614
++#: sssd-ad.5.xml:633
+ msgid ""
+ "It is possible to add another PAM service name to the default set by using "
+ "<quote>+service_name</quote> or to explicitly remove a PAM service name from "
+@@ -9957,22 +10137,22 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd-ad.5.xml:631
++#: sssd-ad.5.xml:650
+ msgid "ftp"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd-ad.5.xml:636
++#: sssd-ad.5.xml:655
+ msgid "samba"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ad.5.xml:645
++#: sssd-ad.5.xml:664
+ msgid "ad_gpo_map_batch (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:648
++#: sssd-ad.5.xml:667
+ msgid ""
+ "A comma-separated list of PAM service names for which GPO-based access "
+ "control is evaluated based on the BatchLogonRight and DenyBatchLogonRight "
+@@ -9980,14 +10160,14 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:654
++#: sssd-ad.5.xml:673
+ msgid ""
+ "Note: Using the Group Policy Management Editor this value is called \"Allow "
+ "log on as a batch job\" and \"Deny log on as a batch job\"."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
+-#: sssd-ad.5.xml:668
++#: sssd-ad.5.xml:687
+ #, no-wrap
+ msgid ""
+ "ad_gpo_map_batch = +my_pam_service, -crond\n"
+@@ -9995,7 +10175,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:659
++#: sssd-ad.5.xml:678
+ msgid ""
+ "It is possible to add another PAM service name to the default set by using "
+ "<quote>+service_name</quote> or to explicitly remove a PAM service name from "
+@@ -10007,22 +10187,22 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:671
++#: sssd-ad.5.xml:690
+ msgid "Note: Cron service name may differ depending on Linux distribution used."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd-ad.5.xml:677
++#: sssd-ad.5.xml:696
+ msgid "crond"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ad.5.xml:686
++#: sssd-ad.5.xml:705
+ msgid "ad_gpo_map_service (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:689
++#: sssd-ad.5.xml:708
+ msgid ""
+ "A comma-separated list of PAM service names for which GPO-based access "
+ "control is evaluated based on the ServiceLogonRight and "
+@@ -10030,14 +10210,14 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:695
++#: sssd-ad.5.xml:714
+ msgid ""
+ "Note: Using the Group Policy Management Editor this value is called \"Allow "
+ "log on as a service\" and \"Deny log on as a service\"."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
+-#: sssd-ad.5.xml:708
++#: sssd-ad.5.xml:727
+ #, no-wrap
+ msgid ""
+ "ad_gpo_map_service = +my_pam_service\n"
+@@ -10045,7 +10225,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:700 sssd-ad.5.xml:775
++#: sssd-ad.5.xml:719 sssd-ad.5.xml:794
+ msgid ""
+ "It is possible to add a PAM service name to the default set by using "
+ "<quote>+service_name</quote>.  Since the default set is empty, it is not "
+@@ -10056,19 +10236,19 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ad.5.xml:718
++#: sssd-ad.5.xml:737
+ msgid "ad_gpo_map_permit (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:721
++#: sssd-ad.5.xml:740
+ msgid ""
+ "A comma-separated list of PAM service names for which GPO-based access is "
+ "always granted, regardless of any GPO Logon Rights."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
+-#: sssd-ad.5.xml:735
++#: sssd-ad.5.xml:754
+ #, no-wrap
+ msgid ""
+ "ad_gpo_map_permit = +my_pam_service, -sudo\n"
+@@ -10076,7 +10256,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:726
++#: sssd-ad.5.xml:745
+ msgid ""
+ "It is possible to add another PAM service name to the default set by using "
+ "<quote>+service_name</quote> or to explicitly remove a PAM service name from "
+@@ -10088,29 +10268,29 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd-ad.5.xml:743
++#: sssd-ad.5.xml:762
+ msgid "polkit-1"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd-ad.5.xml:758
++#: sssd-ad.5.xml:777
+ msgid "systemd-user"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ad.5.xml:767
++#: sssd-ad.5.xml:786
+ msgid "ad_gpo_map_deny (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:770
++#: sssd-ad.5.xml:789
+ msgid ""
+ "A comma-separated list of PAM service names for which GPO-based access is "
+ "always denied, regardless of any GPO Logon Rights."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
+-#: sssd-ad.5.xml:783
++#: sssd-ad.5.xml:802
+ #, no-wrap
+ msgid ""
+ "ad_gpo_map_deny = +my_pam_service\n"
+@@ -10118,12 +10298,12 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ad.5.xml:793
++#: sssd-ad.5.xml:812
+ msgid "ad_gpo_default_right (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:796
++#: sssd-ad.5.xml:815
+ msgid ""
+ "This option defines how access control is evaluated for PAM service names "
+ "that are not explicitly listed in one of the ad_gpo_map_* options. This "
+@@ -10136,57 +10316,57 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:809
++#: sssd-ad.5.xml:828
+ msgid "Supported values for this option include:"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd-ad.5.xml:813
++#: sssd-ad.5.xml:832
+ msgid "interactive"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd-ad.5.xml:818
++#: sssd-ad.5.xml:837
+ msgid "remote_interactive"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd-ad.5.xml:823
++#: sssd-ad.5.xml:842
+ msgid "network"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd-ad.5.xml:828
++#: sssd-ad.5.xml:847
+ msgid "batch"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd-ad.5.xml:833
++#: sssd-ad.5.xml:852
+ msgid "service"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd-ad.5.xml:838
++#: sssd-ad.5.xml:857
+ msgid "permit"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd-ad.5.xml:843
++#: sssd-ad.5.xml:862
+ msgid "deny"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:849
++#: sssd-ad.5.xml:868
+ msgid "Default: deny"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ad.5.xml:855
++#: sssd-ad.5.xml:874
+ msgid "ad_maximum_machine_account_password_age (integer)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:858
++#: sssd-ad.5.xml:877
+ msgid ""
+ "SSSD will check once a day if the machine account password is older than the "
+ "given age in days and try to renew it. A value of 0 will disable the renewal "
+@@ -10194,17 +10374,17 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:864
++#: sssd-ad.5.xml:883
+ msgid "Default: 30 days"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ad.5.xml:870
++#: sssd-ad.5.xml:889
+ msgid "ad_machine_account_password_renewal_opts (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:873
++#: sssd-ad.5.xml:892
+ msgid ""
+ "This option should only be used to test the machine account renewal "
+ "task. The option expects 2 integers separated by a colon (':'). The first "
+@@ -10214,12 +10394,12 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:882
++#: sssd-ad.5.xml:901
+ msgid "Default: 86400:750 (24h and 15m)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:891
++#: sssd-ad.5.xml:910
+ msgid ""
+ "Optional. This option tells SSSD to automatically update the Active "
+ "Directory DNS server with the IP address of this client. The update is "
+@@ -10230,19 +10410,19 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:921
++#: sssd-ad.5.xml:940
+ msgid "Default: 3600 (seconds)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:937
++#: sssd-ad.5.xml:956
+ msgid ""
+ "Default: Use the IP addresses of the interface which is used for AD LDAP "
+ "connection"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:950
++#: sssd-ad.5.xml:969
+ msgid ""
+ "How often should the back end perform periodic DNS update in addition to the "
+ "automatic update performed when the back end goes online.  This option is "
+@@ -10252,12 +10432,12 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:973 sss_rpcidmapd.5.xml:76
++#: sssd-ad.5.xml:992 sss_rpcidmapd.5.xml:76
+ msgid "Default: True"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd-ad.5.xml:1065
++#: sssd-ad.5.xml:1084
+ msgid ""
+ "The following example assumes that SSSD is correctly configured and "
+ "example.com is one of the domains in the <replaceable>[sssd]</replaceable> "
+@@ -10265,7 +10445,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><programlisting>
+-#: sssd-ad.5.xml:1072
++#: sssd-ad.5.xml:1091
+ #, no-wrap
+ msgid ""
+ "[domain/EXAMPLE]\n"
+@@ -10280,7 +10460,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><programlisting>
+-#: sssd-ad.5.xml:1092
++#: sssd-ad.5.xml:1111
+ #, no-wrap
+ msgid ""
+ "access_provider = ldap\n"
+@@ -10289,7 +10469,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd-ad.5.xml:1088
++#: sssd-ad.5.xml:1107
+ msgid ""
+ "The AD access control provider checks if the account is expired.  It has the "
+ "same effect as the following configuration of the LDAP provider: "
+@@ -10297,7 +10477,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd-ad.5.xml:1098
++#: sssd-ad.5.xml:1117
+ msgid ""
+ "However, unless the <quote>ad</quote> access control provider is explicitly "
+ "configured, the default access provider is <quote>permit</quote>. Please "
+@@ -10307,7 +10487,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd-ad.5.xml:1106
++#: sssd-ad.5.xml:1125
+ msgid ""
+ "When the autofs provider is set to <quote>ad</quote>, the RFC2307 schema "
+ "attribute mapping (nisMap, nisObject, ...) is used, because these attributes "
+@@ -11769,24 +11949,61 @@ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd-krb5.5.xml:505
+-msgid "krb5_use_enterprise_principal (boolean)"
++msgid "krb5_kdcinfo_lookahead (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-krb5.5.xml:508
+ msgid ""
++"When krb5_use_kdcinfo is set to true, you can limit the amount of servers "
++"handed to <citerefentry> "
++"<refentrytitle>sssd_krb5_locator_plugin</refentrytitle> "
++"<manvolnum>8</manvolnum> </citerefentry>.  This might be helpful when there "
++"are too many servers discovered using SRV record."
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
++#: sssd-krb5.5.xml:518
++msgid ""
++"The krb5_kdcinfo_lookahead option contains two numbers seperated by a "
++"colon. The first number represents number of primary servers used and the "
++"second number specifies the number of backup servers."
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
++#: sssd-krb5.5.xml:524
++msgid ""
++"For example <emphasis>10:0</emphasis> means that up to 10 primary servers "
++"will be handed to <citerefentry> "
++"<refentrytitle>sssd_krb5_locator_plugin</refentrytitle> "
++"<manvolnum>8</manvolnum> </citerefentry>.  but no backup servers."
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
++#: sssd-krb5.5.xml:533
++msgid "Default: 3:1"
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
++#: sssd-krb5.5.xml:539
++msgid "krb5_use_enterprise_principal (boolean)"
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
++#: sssd-krb5.5.xml:542
++msgid ""
+ "Specifies if the user principal should be treated as enterprise "
+ "principal. See section 5 of RFC 6806 for more details about enterprise "
+ "principals."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-krb5.5.xml:514
++#: sssd-krb5.5.xml:548
+ msgid "Default: false (AD provider: true)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-krb5.5.xml:517
++#: sssd-krb5.5.xml:551
+ msgid ""
+ "The IPA provider will set to option to 'true' if it detects that the server "
+ "is capable of handling enterprise principals and the option is not set "
+@@ -11794,12 +12011,12 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-krb5.5.xml:526
++#: sssd-krb5.5.xml:560
+ msgid "krb5_map_user (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-krb5.5.xml:529
++#: sssd-krb5.5.xml:563
+ msgid ""
+ "The list of mappings is given as a comma-separated list of pairs "
+ "<quote>username:primary</quote> where <quote>username</quote> is a UNIX user "
+@@ -11809,7 +12026,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
+-#: sssd-krb5.5.xml:541
++#: sssd-krb5.5.xml:575
+ #, no-wrap
+ msgid ""
+ "krb5_realm = REALM\n"
+@@ -11817,7 +12034,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-krb5.5.xml:546
++#: sssd-krb5.5.xml:580
+ msgid ""
+ "<quote>joe</quote> and <quote>dick</quote> are UNIX user names and "
+ "<quote>juser</quote> and <quote>richard</quote> are primaries of kerberos "
+@@ -11838,7 +12055,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd-krb5.5.xml:572
++#: sssd-krb5.5.xml:606
+ msgid ""
+ "The following example assumes that SSSD is correctly configured and FOO is "
+ "one of the domains in the <replaceable>[sssd]</replaceable> section. This "
+@@ -11847,7 +12064,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><programlisting>
+-#: sssd-krb5.5.xml:580
++#: sssd-krb5.5.xml:614
+ #, no-wrap
+ msgid ""
+ "[domain/FOO]\n"
+diff --git a/src/man/po/sv.po b/src/man/po/sv.po
+index cf7494bff..cdab6a630 100644
+--- a/src/man/po/sv.po
++++ b/src/man/po/sv.po
+@@ -3,7 +3,7 @@ msgid ""
+ msgstr ""
+ "Project-Id-Version: sssd-docs 2.0.99\n"
+ "Report-Msgid-Bugs-To: sssd-devel@redhat.com\n"
+-"POT-Creation-Date: 2019-03-20 22:06+0100\n"
++"POT-Creation-Date: 2019-10-07 11:33+0200\n"
+ "PO-Revision-Date: 2018-07-31 12:14+0000\n"
+ "Last-Translator: Göran Uddeborg <goeran@uddeborg.se>\n"
+ "Language-Team: Swedish\n"
+@@ -342,10 +342,10 @@ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:133 sssd.conf.5.xml:543 sssd.conf.5.xml:840
+-#: sssd.conf.5.xml:1566 sssd.conf.5.xml:1596 sssd-ldap.5.xml:1889
+-#: sssd-ldap.5.xml:1986 sssd-ldap.5.xml:2048 sssd-ldap.5.xml:2614
+-#: sssd-ldap.5.xml:2679 sssd-ldap.5.xml:2697 sssd-ad.5.xml:227
+-#: sssd-ad.5.xml:341 sssd-ad.5.xml:907 sssd-krb5.5.xml:499
++#: sssd.conf.5.xml:1566 sssd.conf.5.xml:1596 sssd-ldap.5.xml:1908
++#: sssd-ldap.5.xml:2006 sssd-ldap.5.xml:2068 sssd-ldap.5.xml:2634
++#: sssd-ldap.5.xml:2699 sssd-ldap.5.xml:2717 sssd-ad.5.xml:227
++#: sssd-ad.5.xml:341 sssd-ad.5.xml:926 sssd-krb5.5.xml:499
+ #: sssd-secrets.5.xml:351 sssd-secrets.5.xml:364
+ msgid "Default: true"
+ msgstr "Standard: true"
+@@ -366,16 +366,16 @@ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:146 sssd.conf.5.xml:540 sssd.conf.5.xml:722
+-#: sssd.conf.5.xml:1499 sssd.conf.5.xml:3106 sssd-ldap.5.xml:746
+-#: sssd-ldap.5.xml:1752 sssd-ldap.5.xml:1771 sssd-ldap.5.xml:1958
+-#: sssd-ldap.5.xml:2384 sssd-ipa.5.xml:151 sssd-ipa.5.xml:238
++#: sssd.conf.5.xml:1499 sssd.conf.5.xml:3129 sssd-ldap.5.xml:746
++#: sssd-ldap.5.xml:1759 sssd-ldap.5.xml:1778 sssd-ldap.5.xml:1978
++#: sssd-ldap.5.xml:2404 sssd-ipa.5.xml:151 sssd-ipa.5.xml:238
+ #: sssd-ipa.5.xml:559 sssd-krb5.5.xml:266 sssd-krb5.5.xml:300
+ #: sssd-krb5.5.xml:471
+ msgid "Default: false"
+ msgstr "Standard: false"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para>
+-#: sssd.conf.5.xml:106 sssd.conf.5.xml:157 sssd-ldap.5.xml:2422
++#: sssd.conf.5.xml:106 sssd.conf.5.xml:157 sssd-ldap.5.xml:2442
+ #: sssd-systemtap.5.xml:82 sssd-systemtap.5.xml:143 sssd-systemtap.5.xml:210
+ #: sssd-systemtap.5.xml:248 sssd-systemtap.5.xml:304
+ msgid "<placeholder type=\"variablelist\" id=\"0\"/>"
+@@ -403,8 +403,8 @@ msgstr ""
+ "att efter tre missade hjärtslag kommer processen avsluta sig själv."
+ 
+ #. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:169 sssd.conf.5.xml:1377 sssd.conf.5.xml:3122
+-#: sssd-ldap.5.xml:1623 include/ldap_id_mapping.xml:264
++#: sssd.conf.5.xml:169 sssd.conf.5.xml:1377 sssd.conf.5.xml:3145
++#: sssd-ldap.5.xml:1630 include/ldap_id_mapping.xml:264
+ msgid "Default: 10"
+ msgstr "Standard: 10"
+ 
+@@ -419,7 +419,7 @@ msgid "The [sssd] section"
+ msgstr "Sektionen [sssd]"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><title>
+-#: sssd.conf.5.xml:191 sssd.conf.5.xml:3211
++#: sssd.conf.5.xml:191 sssd.conf.5.xml:3234
+ msgid "Section parameters"
+ msgstr "Sektionsparametrar"
+ 
+@@ -520,7 +520,7 @@ msgstr ""
+ "understrykningstecken."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:259 sssd.conf.5.xml:2672
++#: sssd.conf.5.xml:259 sssd.conf.5.xml:2680
+ msgid "re_expression (string)"
+ msgstr "re_expression (sträng)"
+ 
+@@ -545,12 +545,12 @@ msgstr ""
+ "för mer information om dessa reguljära uttryck."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:276 sssd.conf.5.xml:2720
++#: sssd.conf.5.xml:276 sssd.conf.5.xml:2728
+ msgid "full_name_format (string)"
+ msgstr "full_name_format (sträng)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:279 sssd.conf.5.xml:2723
++#: sssd.conf.5.xml:279 sssd.conf.5.xml:2731
+ msgid ""
+ "A <citerefentry> <refentrytitle>printf</refentrytitle> <manvolnum>3</"
+ "manvolnum> </citerefentry>-compatible format that describes how to compose a "
+@@ -561,32 +561,32 @@ msgstr ""
+ "samman ett fullständigt kvalificerat namn från namn- och domänkomponenter."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:290 sssd.conf.5.xml:2734
++#: sssd.conf.5.xml:290 sssd.conf.5.xml:2742
+ msgid "%1$s"
+ msgstr "%1$s"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:291 sssd.conf.5.xml:2735
++#: sssd.conf.5.xml:291 sssd.conf.5.xml:2743
+ msgid "user name"
+ msgstr "användarnamn"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:294 sssd.conf.5.xml:2738
++#: sssd.conf.5.xml:294 sssd.conf.5.xml:2746
+ msgid "%2$s"
+ msgstr "%2$s"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:297 sssd.conf.5.xml:2741
++#: sssd.conf.5.xml:297 sssd.conf.5.xml:2749
+ msgid "domain name as specified in the SSSD config file."
+ msgstr "domännamn som det anges i SSSD-konfigurationsfilen."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:303 sssd.conf.5.xml:2747
++#: sssd.conf.5.xml:303 sssd.conf.5.xml:2755
+ msgid "%3$s"
+ msgstr "%3$s"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:306 sssd.conf.5.xml:2750
++#: sssd.conf.5.xml:306 sssd.conf.5.xml:2758
+ msgid ""
+ "domain flat name. Mostly usable for Active Directory domains, both directly "
+ "configured or discovered via IPA trusts."
+@@ -595,7 +595,7 @@ msgstr ""
+ "både direkt konfigurerade eller hittade via IPA-förtroenden."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:287 sssd.conf.5.xml:2731
++#: sssd.conf.5.xml:287 sssd.conf.5.xml:2739
+ msgid ""
+ "The following expansions are supported: <placeholder type=\"variablelist\" "
+ "id=\"0\"/>"
+@@ -762,9 +762,9 @@ msgstr ""
+ 
+ #. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:418 sssd.conf.5.xml:1166 sssd-ldap.5.xml:717
+-#: sssd-ldap.5.xml:1357 sssd-ldap.5.xml:1711 sssd-ldap.5.xml:1723
+-#: sssd-ldap.5.xml:1805 sssd-ad.5.xml:712 sssd-ad.5.xml:787 sssd.8.xml:126
+-#: sssd-krb5.5.xml:410 sssd-krb5.5.xml:556 sssd-secrets.5.xml:339
++#: sssd-ldap.5.xml:1357 sssd-ldap.5.xml:1718 sssd-ldap.5.xml:1730
++#: sssd-ldap.5.xml:1822 sssd-ad.5.xml:731 sssd-ad.5.xml:806 sssd.8.xml:126
++#: sssd-krb5.5.xml:410 sssd-krb5.5.xml:590 sssd-secrets.5.xml:339
+ #: sssd-secrets.5.xml:377 sssd-secrets.5.xml:390 sssd-secrets.5.xml:404
+ #: sssd-secrets.5.xml:415 include/ldap_id_mapping.xml:205
+ #: include/ldap_id_mapping.xml:216
+@@ -1002,7 +1002,7 @@ msgstr ""
+ "användarnamn kan överlappa mellan domäner."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:588 sssd.conf.5.xml:1389 sssd.conf.5.xml:3172
++#: sssd.conf.5.xml:588 sssd.conf.5.xml:1389 sssd.conf.5.xml:3195
+ #: sssd-ad.5.xml:164 sssd-ad.5.xml:302 sssd-ad.5.xml:316
+ msgid "Default: Not set"
+ msgstr "Standard: inte satt"
+@@ -1405,7 +1405,7 @@ msgstr ""
+ 
+ #. type: Content of: <varlistentry><listitem><para>
+ #: sssd.conf.5.xml:859 sssd.conf.5.xml:1299 sssd.conf.5.xml:1318
+-#: sssd-krb5.5.xml:539 include/override_homedir.xml:59
++#: sssd-krb5.5.xml:573 include/override_homedir.xml:59
+ msgid "example: <placeholder type=\"programlisting\" id=\"0\"/>"
+ msgstr "exempel: <placeholder type=\"programlisting\" id=\"0\"/>"
+ 
+@@ -1899,7 +1899,7 @@ msgid "pam_pwd_expiration_warning (integer)"
+ msgstr "pam_pwd_expiration_warning (heltal)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:1201 sssd.conf.5.xml:2153
++#: sssd.conf.5.xml:1201 sssd.conf.5.xml:2161
+ msgid "Display a warning N days before the password expires."
+ msgstr "Visa en varning N dagar före lösenordet går ut."
+ 
+@@ -1914,7 +1914,7 @@ msgstr ""
+ "lösenordet.  Om denna information saknas kan sssd inte visa någon varning."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:1210 sssd.conf.5.xml:2156
++#: sssd.conf.5.xml:1210 sssd.conf.5.xml:2164
+ msgid ""
+ "If zero is set, then this filter is not applied, i.e. if the expiration "
+ "warning was received from backend server, it will automatically be displayed."
+@@ -1932,7 +1932,7 @@ msgstr ""
+ "<emphasis>pwd_expiration_warning</emphasis> för en viss domän."
+ 
+ #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:1220 sssd.conf.5.xml:2976 sssd.8.xml:79
++#: sssd.conf.5.xml:1220 sssd.conf.5.xml:2991 sssd.8.xml:79
+ msgid "Default: 0"
+ msgstr "Standard: 0"
+ 
+@@ -2008,7 +2008,7 @@ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:1280 sssd.conf.5.xml:1305 sssd.conf.5.xml:1324
+-#: sssd.conf.5.xml:1950 sssd.conf.5.xml:2912 sssd-ldap.5.xml:2017
++#: sssd.conf.5.xml:1950 sssd.conf.5.xml:2920 sssd-ldap.5.xml:2037
+ msgid "Default: none"
+ msgstr "Standard: none"
+ 
+@@ -2085,9 +2085,9 @@ msgstr ""
+ "autentiseringsprocessen är detta alternativ avaktiverat som standard."
+ 
+ #. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:1338 sssd.conf.5.xml:3056 sssd-ldap.5.xml:1125
+-#: sssd-ldap.5.xml:1152 sssd-ldap.5.xml:1552 sssd-ldap.5.xml:1573
+-#: sssd-ldap.5.xml:2090 include/ldap_id_mapping.xml:244
++#: sssd.conf.5.xml:1338 sssd-ldap.5.xml:1125 sssd-ldap.5.xml:1152
++#: sssd-ldap.5.xml:1552 sssd-ldap.5.xml:1573 sssd-ldap.5.xml:2110
++#: sssd-ad.5.xml:453 include/ldap_id_mapping.xml:244
+ msgid "Default: False"
+ msgstr "Default: False"
+ 
+@@ -2191,48 +2191,48 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:1416 sssd-ad.5.xml:485 sssd-ad.5.xml:581 sssd-ad.5.xml:627
+-#: sssd-ad.5.xml:673 sssd-ad.5.xml:739
++#: sssd.conf.5.xml:1416 sssd-ad.5.xml:504 sssd-ad.5.xml:600 sssd-ad.5.xml:646
++#: sssd-ad.5.xml:692 sssd-ad.5.xml:758
+ msgid "Default: the default set of PAM service names includes:"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd.conf.5.xml:1421 sssd-ad.5.xml:489
++#: sssd.conf.5.xml:1421 sssd-ad.5.xml:508
+ msgid "login"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd.conf.5.xml:1426 sssd-ad.5.xml:494
++#: sssd.conf.5.xml:1426 sssd-ad.5.xml:513
+ msgid "su"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd.conf.5.xml:1431 sssd-ad.5.xml:499
++#: sssd.conf.5.xml:1431 sssd-ad.5.xml:518
+ msgid "su-l"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd.conf.5.xml:1436 sssd-ad.5.xml:514
++#: sssd.conf.5.xml:1436 sssd-ad.5.xml:533
+ msgid "gdm-smartcard"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd.conf.5.xml:1441 sssd-ad.5.xml:509
++#: sssd.conf.5.xml:1441 sssd-ad.5.xml:528
+ msgid "gdm-password"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd.conf.5.xml:1446 sssd-ad.5.xml:519
++#: sssd.conf.5.xml:1446 sssd-ad.5.xml:538
+ msgid "kdm"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd.conf.5.xml:1451 sssd-ad.5.xml:748
++#: sssd.conf.5.xml:1451 sssd-ad.5.xml:767
+ msgid "sudo"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd.conf.5.xml:1456 sssd-ad.5.xml:753
++#: sssd.conf.5.xml:1456 sssd-ad.5.xml:772
+ msgid "sudo-i"
+ msgstr ""
+ 
+@@ -2772,7 +2772,7 @@ msgid "FALSE = No enumerations for this domain"
+ msgstr "FALSE = Inga uppräkningar för denna domän"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:1886 sssd.conf.5.xml:2108 sssd.conf.5.xml:2283
++#: sssd.conf.5.xml:1886 sssd.conf.5.xml:2116 sssd.conf.5.xml:2291
+ msgid "Default: FALSE"
+ msgstr "Standard: FALSE"
+ 
+@@ -3035,43 +3035,49 @@ msgstr ""
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:2083
+ msgid ""
+-"The background refresh will process users, groups and netgroups in the cache."
++"The background refresh will process users, groups and netgroups in the "
++"cache. For users who have performed the initgroups (get group membership for "
++"user, typically ran at login)  operation in the past, both the user entry "
++"and the group membership are updated."
+ msgstr ""
+-"Bakgrundsuppdateringen kommer bearbeta användare, grupper och nätgrupper i "
+-"cachen."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2087
++#: sssd.conf.5.xml:2091
++msgid "This option is automatically inherited for all trusted domains."
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
++#: sssd.conf.5.xml:2095
+ msgid "You can consider setting this value to 3/4 * entry_cache_timeout."
+ msgstr "Du kan överväga att sätta detta värde till ¾ · entry_cache_timeout."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2091 sssd-ldap.5.xml:784 sssd-ipa.5.xml:254
++#: sssd.conf.5.xml:2099 sssd-ldap.5.xml:784 sssd-ipa.5.xml:254
+ msgid "Default: 0 (disabled)"
+ msgstr "Standard: 0 (avaktiverat)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2097
++#: sssd.conf.5.xml:2105
+ msgid "cache_credentials (bool)"
+ msgstr "cache_credentials (bool)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2100
++#: sssd.conf.5.xml:2108
+ msgid "Determines if user credentials are also cached in the local LDB cache"
+ msgstr "Bestämmer om användarkreditiv också cachas i den lokala LDB-cachen"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2104
++#: sssd.conf.5.xml:2112
+ msgid "User credentials are stored in a SHA512 hash, not in plaintext"
+ msgstr "Användarkreditiv sparas i en SHA512-kontrollsumma, inte i klartext"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2114
++#: sssd.conf.5.xml:2122
+ msgid "cache_credentials_minimal_first_factor_length (int)"
+ msgstr "cache_credentials_minimal_first_factor_length (heltal)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2117
++#: sssd.conf.5.xml:2125
+ msgid ""
+ "If 2-Factor-Authentication (2FA) is used and credentials should be saved "
+ "this value determines the minimal length the first authentication factor "
+@@ -3082,7 +3088,7 @@ msgstr ""
+ "lösenord) måste ha för att sparas som en SHA512-kontrollsumma i cachen."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2124
++#: sssd.conf.5.xml:2132
+ msgid ""
+ "This should avoid that the short PINs of a PIN based 2FA scheme are saved in "
+ "the cache which would make them easy targets for brute-force attacks."
+@@ -3092,17 +3098,17 @@ msgstr ""
+ "attacker."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2129
++#: sssd.conf.5.xml:2137
+ msgid "Default: 8"
+ msgstr "Standard: 8"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2135
++#: sssd.conf.5.xml:2143
+ msgid "account_cache_expiration (integer)"
+ msgstr "account_cache_expiration (heltal)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2138
++#: sssd.conf.5.xml:2146
+ msgid ""
+ "Number of days entries are left in cache after last successful login before "
+ "being removed during a cleanup of the cache. 0 means keep forever.  The "
+@@ -3115,17 +3121,17 @@ msgstr ""
+ "offline_credentials_expiration."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2145
++#: sssd.conf.5.xml:2153
+ msgid "Default: 0 (unlimited)"
+ msgstr "Standard: 0 (obegränsat)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2150
++#: sssd.conf.5.xml:2158
+ msgid "pwd_expiration_warning (integer)"
+ msgstr "pwd_expiration_warning (heltal)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2161
++#: sssd.conf.5.xml:2169
+ msgid ""
+ "Please note that the backend server has to provide information about the "
+ "expiration time of the password.  If this information is missing, sssd "
+@@ -3137,17 +3143,17 @@ msgstr ""
+ "Dessutom måste en autentiseringsleverantör ha konfigurerats för bakänden."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2168
++#: sssd.conf.5.xml:2176
+ msgid "Default: 7 (Kerberos), 0 (LDAP)"
+ msgstr "Standard: 7 (Kerberos), 0 (LDAP)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2174
++#: sssd.conf.5.xml:2182
+ msgid "id_provider (string)"
+ msgstr "id_provider (sträng)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2177
++#: sssd.conf.5.xml:2185
+ msgid ""
+ "The identification provider used for the domain.  Supported ID providers are:"
+ msgstr ""
+@@ -3155,12 +3161,12 @@ msgstr ""
+ "stödjs är:"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2181
++#: sssd.conf.5.xml:2189
+ msgid "<quote>proxy</quote>: Support a legacy NSS provider."
+ msgstr "<quote>proxy</quote>: Stöd en tidigare NSS-leverantör."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2184
++#: sssd.conf.5.xml:2192
+ msgid ""
+ "<quote>local</quote>: SSSD internal provider for local users (DEPRECATED)."
+ msgstr ""
+@@ -3168,7 +3174,7 @@ msgstr ""
+ "(FÖRÅLDRAT)."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2188
++#: sssd.conf.5.xml:2196
+ msgid ""
+ "<quote>files</quote>: FILES provider. See <citerefentry> <refentrytitle>sssd-"
+ "files</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> for more "
+@@ -3179,7 +3185,7 @@ msgstr ""
+ "information om hur lokala användare och grupper kan speglas in i SSSD."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2196
++#: sssd.conf.5.xml:2204
+ msgid ""
+ "<quote>ldap</quote>: LDAP provider. See <citerefentry> <refentrytitle>sssd-"
+ "ldap</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> for more "
+@@ -3190,8 +3196,8 @@ msgstr ""
+ "information om att konfigurera LDAP."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2204 sssd.conf.5.xml:2309 sssd.conf.5.xml:2364
+-#: sssd.conf.5.xml:2427
++#: sssd.conf.5.xml:2212 sssd.conf.5.xml:2317 sssd.conf.5.xml:2372
++#: sssd.conf.5.xml:2435
+ msgid ""
+ "<quote>ipa</quote>: FreeIPA and Red Hat Enterprise Identity Management "
+ "provider. See <citerefentry> <refentrytitle>sssd-ipa</refentrytitle> "
+@@ -3204,8 +3210,8 @@ msgstr ""
+ "konfigurera FreeIPA."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2213 sssd.conf.5.xml:2318 sssd.conf.5.xml:2373
+-#: sssd.conf.5.xml:2436
++#: sssd.conf.5.xml:2221 sssd.conf.5.xml:2326 sssd.conf.5.xml:2381
++#: sssd.conf.5.xml:2444
+ msgid ""
+ "<quote>ad</quote>: Active Directory provider. See <citerefentry> "
+ "<refentrytitle>sssd-ad</refentrytitle> <manvolnum>5</manvolnum> </"
+@@ -3216,12 +3222,12 @@ msgstr ""
+ "citerefentry> för mer information om att konfigurera Active Directory."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2224
++#: sssd.conf.5.xml:2232
+ msgid "use_fully_qualified_names (bool)"
+ msgstr "use_fully_qualified_names (bool)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2227
++#: sssd.conf.5.xml:2235
+ msgid ""
+ "Use the full name and domain (as formatted by the domain's full_name_format) "
+ "as the user's login name reported to NSS."
+@@ -3230,7 +3236,7 @@ msgstr ""
+ "full_name_format) som användarens inloggningsnamn rapporterat till NSS."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2232
++#: sssd.conf.5.xml:2240
+ msgid ""
+ "If set to TRUE, all requests to this domain must use fully qualified names. "
+ "For example, if used in LOCAL domain that contains a \"test\" user, "
+@@ -3244,7 +3250,7 @@ msgstr ""
+ "command> skulle det."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2240
++#: sssd.conf.5.xml:2248
+ msgid ""
+ "NOTE: This option has no effect on netgroup lookups due to their tendency to "
+ "include nested netgroups without qualified names. For netgroups, all domains "
+@@ -3256,22 +3262,22 @@ msgstr ""
+ "namn begärs."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2247
++#: sssd.conf.5.xml:2255
+ msgid "Default: FALSE (TRUE if default_domain_suffix is used)"
+ msgstr "Standard: FALSE (TRUE om default_domain_suffix används)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2253
++#: sssd.conf.5.xml:2261
+ msgid "ignore_group_members (bool)"
+ msgstr "ignore_group_members (bool)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2256
++#: sssd.conf.5.xml:2264
+ msgid "Do not return group members for group lookups."
+ msgstr "Returnera inte gruppmedlemmar för gruppuppslagningar."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2259
++#: sssd.conf.5.xml:2267
+ msgid ""
+ "If set to TRUE, the group membership attribute is not requested from the "
+ "ldap server, and group members are not returned when processing group lookup "
+@@ -3290,7 +3296,7 @@ msgstr ""
+ "som om den vore tom."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2277
++#: sssd.conf.5.xml:2285
+ msgid ""
+ "Enabling this option can also make access provider checks for group "
+ "membership significantly faster, especially for groups containing many "
+@@ -3301,12 +3307,12 @@ msgstr ""
+ "innehåller många medlemmar."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2288
++#: sssd.conf.5.xml:2296
+ msgid "auth_provider (string)"
+ msgstr "auth_provider (sträng)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2291
++#: sssd.conf.5.xml:2299
+ msgid ""
+ "The authentication provider used for the domain.  Supported auth providers "
+ "are:"
+@@ -3315,7 +3321,7 @@ msgstr ""
+ "är:"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2295 sssd.conf.5.xml:2357
++#: sssd.conf.5.xml:2303 sssd.conf.5.xml:2365
+ msgid ""
+ "<quote>ldap</quote> for native LDAP authentication. See <citerefentry> "
+ "<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
+@@ -3326,7 +3332,7 @@ msgstr ""
+ "citerefentry> för mer information om att konfigurera LDAP."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2302
++#: sssd.conf.5.xml:2310
+ msgid ""
+ "<quote>krb5</quote> for Kerberos authentication. See <citerefentry> "
+ "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </"
+@@ -3337,7 +3343,7 @@ msgstr ""
+ "citerefentry> för mer information om att konfigurera Kerberos."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2326
++#: sssd.conf.5.xml:2334
+ msgid ""
+ "<quote>proxy</quote> for relaying authentication to some other PAM target."
+ msgstr ""
+@@ -3345,17 +3351,17 @@ msgstr ""
+ "PAM-mål."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2329
++#: sssd.conf.5.xml:2337
+ msgid "<quote>local</quote>: SSSD internal provider for local users"
+ msgstr "<quote>local</quote>: SSSD:s interna leverantör för lokala användare."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2333
++#: sssd.conf.5.xml:2341
+ msgid "<quote>none</quote> disables authentication explicitly."
+ msgstr "<quote>none</quote> avaktiverar explicit autentisering."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2336
++#: sssd.conf.5.xml:2344
+ msgid ""
+ "Default: <quote>id_provider</quote> is used if it is set and can handle "
+ "authentication requests."
+@@ -3364,12 +3370,12 @@ msgstr ""
+ "autentiseringsbegäranden."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2342
++#: sssd.conf.5.xml:2350
+ msgid "access_provider (string)"
+ msgstr "access_provider (sträng)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2345
++#: sssd.conf.5.xml:2353
+ msgid ""
+ "The access control provider used for the domain.  There are two built-in "
+ "access providers (in addition to any included in installed backends)  "
+@@ -3380,7 +3386,7 @@ msgstr ""
+ "Interna specialleverantörer är:"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2351
++#: sssd.conf.5.xml:2359
+ msgid ""
+ "<quote>permit</quote> always allow access. It's the only permitted access "
+ "provider for a local domain."
+@@ -3389,12 +3395,12 @@ msgstr ""
+ "åtkomstleverantören för en lokal domän."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2354
++#: sssd.conf.5.xml:2362
+ msgid "<quote>deny</quote> always deny access."
+ msgstr "<quote>deny</quote> neka alltid åtkomst."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2381
++#: sssd.conf.5.xml:2389
+ msgid ""
+ "<quote>simple</quote> access control based on access or deny lists. See "
+ "<citerefentry> <refentrytitle>sssd-simple</refentrytitle> <manvolnum>5</"
+@@ -3407,7 +3413,7 @@ msgstr ""
+ "konfigurera åtkomstmodulen simple."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2388
++#: sssd.conf.5.xml:2396
+ msgid ""
+ "<quote>krb5</quote>: .k5login based access control.  See <citerefentry> "
+ "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum></"
+@@ -3418,24 +3424,24 @@ msgstr ""
+ "citerefentry> för mer information om att konfigurera Kerberos."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2395
++#: sssd.conf.5.xml:2403
+ msgid "<quote>proxy</quote> for relaying access control to another PAM module."
+ msgstr ""
+ "<quote>proxy</quote> för att skicka vidare åtkomstkontroll till någon annam "
+ "PAM-modul."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2398
++#: sssd.conf.5.xml:2406
+ msgid "Default: <quote>permit</quote>"
+ msgstr "Standard: <quote>permit</quote>"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2403
++#: sssd.conf.5.xml:2411
+ msgid "chpass_provider (string)"
+ msgstr "chpass_provider (sträng)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2406
++#: sssd.conf.5.xml:2414
+ msgid ""
+ "The provider which should handle change password operations for the domain.  "
+ "Supported change password providers are:"
+@@ -3444,7 +3450,7 @@ msgstr ""
+ "av lösenordsändring som stödjs är:"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2411
++#: sssd.conf.5.xml:2419
+ msgid ""
+ "<quote>ldap</quote> to change a password stored in a LDAP server. See "
+ "<citerefentry> <refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</"
+@@ -3455,7 +3461,7 @@ msgstr ""
+ "manvolnum> </citerefentry> för mer information om att konfigurera LDAP."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2419
++#: sssd.conf.5.xml:2427
+ msgid ""
+ "<quote>krb5</quote> to change the Kerberos password. See <citerefentry> "
+ "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </"
+@@ -3466,7 +3472,7 @@ msgstr ""
+ "citerefentry> för mer information om att konfigurera Kerberos."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2444
++#: sssd.conf.5.xml:2452
+ msgid ""
+ "<quote>proxy</quote> for relaying password changes to some other PAM target."
+ msgstr ""
+@@ -3474,12 +3480,12 @@ msgstr ""
+ "annat PAM-mål."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2448
++#: sssd.conf.5.xml:2456
+ msgid "<quote>none</quote> disallows password changes explicitly."
+ msgstr "<quote>none</quote> tillåter uttryckligen inte lösenordsändringar.."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2451
++#: sssd.conf.5.xml:2459
+ msgid ""
+ "Default: <quote>auth_provider</quote> is used if it is set and can handle "
+ "change password requests."
+@@ -3488,18 +3494,18 @@ msgstr ""
+ "hantera begäranden om ändring av lösenord."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2458
++#: sssd.conf.5.xml:2466
+ msgid "sudo_provider (string)"
+ msgstr "sudo_provider (sträng)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2461
++#: sssd.conf.5.xml:2469
+ msgid "The SUDO provider used for the domain.  Supported SUDO providers are:"
+ msgstr ""
+ "SUDO-leverantören som används för domänen.  SUDO-leverantörer som stödjs är:"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2465
++#: sssd.conf.5.xml:2473
+ msgid ""
+ "<quote>ldap</quote> for rules stored in LDAP. See <citerefentry> "
+ "<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
+@@ -3510,7 +3516,7 @@ msgstr ""
+ "citerefentry> för mer information om att konfigurera LDAP."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2473
++#: sssd.conf.5.xml:2481
+ msgid ""
+ "<quote>ipa</quote> the same as <quote>ldap</quote> but with IPA default "
+ "settings."
+@@ -3519,7 +3525,7 @@ msgstr ""
+ "standandardsinställningar för IPA."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2477
++#: sssd.conf.5.xml:2485
+ msgid ""
+ "<quote>ad</quote> the same as <quote>ldap</quote> but with AD default "
+ "settings."
+@@ -3528,18 +3534,18 @@ msgstr ""
+ "standandardsinställningar för AD."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2481
++#: sssd.conf.5.xml:2489
+ msgid "<quote>none</quote> disables SUDO explicitly."
+ msgstr "<quote>none</quote> avaktiverar explicit SUDO."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2484 sssd.conf.5.xml:2570 sssd.conf.5.xml:2640
+-#: sssd.conf.5.xml:2665
++#: sssd.conf.5.xml:2492 sssd.conf.5.xml:2578 sssd.conf.5.xml:2648
++#: sssd.conf.5.xml:2673
+ msgid "Default: The value of <quote>id_provider</quote> is used if it is set."
+ msgstr "Standard: värdet på <quote>id_provider</quote> används om det är satt."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2488
++#: sssd.conf.5.xml:2496
+ msgid ""
+ "The detailed instructions for configuration of sudo_provider are in the "
+ "manual page <citerefentry> <refentrytitle>sssd-sudo</refentrytitle> "
+@@ -3556,7 +3562,7 @@ msgstr ""
+ "<manvolnum>5</manvolnum> </citerefentry>."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2503
++#: sssd.conf.5.xml:2511
+ msgid ""
+ "<emphasis>NOTE:</emphasis> Sudo rules are periodically downloaded in the "
+ "background unless the sudo provider is explicitly disabled. Set "
+@@ -3569,12 +3575,12 @@ msgstr ""
+ "relaterad aktivitet i SSSD om du inte vill använda sudo med SSSD alls."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2513
++#: sssd.conf.5.xml:2521
+ msgid "selinux_provider (string)"
+ msgstr "selinux_provider (sträng)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2516
++#: sssd.conf.5.xml:2524
+ msgid ""
+ "The provider which should handle loading of selinux settings. Note that this "
+ "provider will be called right after access provider ends.  Supported selinux "
+@@ -3585,7 +3591,7 @@ msgstr ""
+ "åtkomstleverantören avslutar.  Selinux-leverantörer som stödjs är:"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2522
++#: sssd.conf.5.xml:2530
+ msgid ""
+ "<quote>ipa</quote> to load selinux settings from an IPA server. See "
+ "<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</"
+@@ -3597,14 +3603,14 @@ msgstr ""
+ "konfigurera IPA."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2530
++#: sssd.conf.5.xml:2538
+ msgid "<quote>none</quote> disallows fetching selinux settings explicitly."
+ msgstr ""
+ "<quote>none</quote> tillåter uttryckligen inte att hämta selinux-"
+ "inställningar."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2533
++#: sssd.conf.5.xml:2541
+ msgid ""
+ "Default: <quote>id_provider</quote> is used if it is set and can handle "
+ "selinux loading requests."
+@@ -3613,12 +3619,12 @@ msgstr ""
+ "begäranden om inläsning av selinux."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2539
++#: sssd.conf.5.xml:2547
+ msgid "subdomains_provider (string)"
+ msgstr "subdomains_provider (sträng)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2542
++#: sssd.conf.5.xml:2550
+ msgid ""
+ "The provider which should handle fetching of subdomains. This value should "
+ "be always the same as id_provider.  Supported subdomain providers are:"
+@@ -3627,7 +3633,7 @@ msgstr ""
+ "alltid vara samma som id_provider.  Underdomänleverantörer som stödjs är:"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2548
++#: sssd.conf.5.xml:2556
+ msgid ""
+ "<quote>ipa</quote> to load a list of subdomains from an IPA server. See "
+ "<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</"
+@@ -3639,7 +3645,7 @@ msgstr ""
+ "konfigurera IPA."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2557
++#: sssd.conf.5.xml:2565
+ msgid ""
+ "<quote>ad</quote> to load a list of subdomains from an Active Directory "
+ "server. See <citerefentry> <refentrytitle>sssd-ad</refentrytitle> "
+@@ -3652,17 +3658,17 @@ msgstr ""
+ "konfigurera AD-leverantören."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2566
++#: sssd.conf.5.xml:2574
+ msgid "<quote>none</quote> disallows fetching subdomains explicitly."
+ msgstr "<quote>none</quote> tillåter uttryckligen inte att hämta underdomäner."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2576
++#: sssd.conf.5.xml:2584
+ msgid "session_provider (string)"
+ msgstr "session_provider (sträng)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2579
++#: sssd.conf.5.xml:2587
+ msgid ""
+ "The provider which configures and manages user session related tasks. The "
+ "only user session task currently provided is the integration with Fleet "
+@@ -3674,14 +3680,14 @@ msgstr ""
+ "med IPA.  Sessionsleverantörer som stödjs är:"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2586
++#: sssd.conf.5.xml:2594
+ msgid "<quote>ipa</quote> to allow performing user session related tasks."
+ msgstr ""
+ "<quote>ipa</quote> för att utföra uppgifter relaterade till "
+ "användarsessioner."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2590
++#: sssd.conf.5.xml:2598
+ msgid ""
+ "<quote>none</quote> does not perform any kind of user session related tasks."
+ msgstr ""
+@@ -3689,7 +3695,7 @@ msgstr ""
+ "användarsessioner."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2594
++#: sssd.conf.5.xml:2602
+ msgid ""
+ "Default: <quote>id_provider</quote> is used if it is set and can perform "
+ "session related tasks."
+@@ -3698,7 +3704,7 @@ msgstr ""
+ "sessionsrelaterade uppgifter."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2598
++#: sssd.conf.5.xml:2606
+ msgid ""
+ "<emphasis>NOTE:</emphasis> In order to have this feature working as expected "
+ "SSSD must be running as \"root\" and not as the unprivileged user."
+@@ -3708,12 +3714,12 @@ msgstr ""
+ "användaren."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2606
++#: sssd.conf.5.xml:2614
+ msgid "autofs_provider (string)"
+ msgstr "autofs_provider (sträng)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2609
++#: sssd.conf.5.xml:2617
+ msgid ""
+ "The autofs provider used for the domain.  Supported autofs providers are:"
+ msgstr ""
+@@ -3721,7 +3727,7 @@ msgstr ""
+ "är:"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2613
++#: sssd.conf.5.xml:2621
+ msgid ""
+ "<quote>ldap</quote> to load maps stored in LDAP. See <citerefentry> "
+ "<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
+@@ -3732,7 +3738,7 @@ msgstr ""
+ "citerefentry> för mer information om att konfigurera LDAP."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2620
++#: sssd.conf.5.xml:2628
+ msgid ""
+ "<quote>ipa</quote> to load maps stored in an IPA server. See <citerefentry> "
+ "<refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</manvolnum> </"
+@@ -3743,7 +3749,7 @@ msgstr ""
+ "manvolnum> </citerefentry> för mer information om att konfigurera IPA."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2628
++#: sssd.conf.5.xml:2636
+ msgid ""
+ "<quote>ad</quote> to load maps stored in an AD server. See <citerefentry> "
+ "<refentrytitle>sssd-ad</refentrytitle> <manvolnum>5</manvolnum> </"
+@@ -3755,17 +3761,17 @@ msgstr ""
+ "leverantören."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2637
++#: sssd.conf.5.xml:2645
+ msgid "<quote>none</quote> disables autofs explicitly."
+ msgstr "<quote>none</quote> avaktiverar explicit autofs."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2647
++#: sssd.conf.5.xml:2655
+ msgid "hostid_provider (string)"
+ msgstr "hostid_provider (sträng)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2650
++#: sssd.conf.5.xml:2658
+ msgid ""
+ "The provider used for retrieving host identity information.  Supported "
+ "hostid providers are:"
+@@ -3774,7 +3780,7 @@ msgstr ""
+ "leverantörer som stödjs är:"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2654
++#: sssd.conf.5.xml:2662
+ msgid ""
+ "<quote>ipa</quote> to load host identity stored in an IPA server. See "
+ "<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</"
+@@ -3785,12 +3791,12 @@ msgstr ""
+ "manvolnum> </citerefentry> för mer information om att konfigurera IPA."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2662
++#: sssd.conf.5.xml:2670
+ msgid "<quote>none</quote> disables hostid explicitly."
+ msgstr "<quote>none</quote> avaktiverar explicit värd-id:n."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2675
++#: sssd.conf.5.xml:2683
+ msgid ""
+ "Regular expression for this domain that describes how to parse the string "
+ "containing user name and domain into these components.  The \"domain\" can "
+@@ -3805,7 +3811,7 @@ msgstr ""
+ "(NetBIOS) namnet på domänen."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2684
++#: sssd.conf.5.xml:2692
+ msgid ""
+ "Default for the AD and IPA provider: <quote>(((?P&lt;domain&gt;[^\\\\]+)\\"
+ "\\(?P&lt;name&gt;.+$))|((?P&lt;name&gt;[^@]+)@(?P&lt;domain&gt;.+$))|(^(?"
+@@ -3818,22 +3824,22 @@ msgstr ""
+ "användarnamn:"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd.conf.5.xml:2689
++#: sssd.conf.5.xml:2697
+ msgid "username"
+ msgstr "användarnamn"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd.conf.5.xml:2692
++#: sssd.conf.5.xml:2700
+ msgid "username@domain.name"
+ msgstr "användarnamn@domän.namn"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd.conf.5.xml:2695
++#: sssd.conf.5.xml:2703
+ msgid "domain\\username"
+ msgstr "domån\\användarnamn"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2698
++#: sssd.conf.5.xml:2706
+ msgid ""
+ "While the first two correspond to the general default the third one is "
+ "introduced to allow easy integration of users from Windows domains."
+@@ -3842,7 +3848,7 @@ msgstr ""
+ "tredje för att tillåta enkel integration av användare från Windows-domäner."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2703
++#: sssd.conf.5.xml:2711
+ msgid ""
+ "Default: <quote>(?P&lt;name&gt;[^@]+)@?(?P&lt;domain&gt;[^@]*$)</quote> "
+ "which translates to \"the name is everything up to the <quote>@</quote> "
+@@ -3853,7 +3859,7 @@ msgstr ""
+ "quote>, sedan är domänen allting efter det”"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2709
++#: sssd.conf.5.xml:2717
+ msgid ""
+ "NOTE: Some Active Directory groups, typically those used for MS Exchange "
+ "contain an <quote>@</quote> sign in the name, which clashes with the default "
+@@ -3863,17 +3869,17 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2760
++#: sssd.conf.5.xml:2768
+ msgid "Default: <quote>%1$s@%2$s</quote>."
+ msgstr "Standard: <quote>%1$s@%2$s</quote>."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2766
++#: sssd.conf.5.xml:2774
+ msgid "lookup_family_order (string)"
+ msgstr "lookup_family_order (sträng)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2769
++#: sssd.conf.5.xml:2777
+ msgid ""
+ "Provides the ability to select preferred address family to use when "
+ "performing DNS lookups."
+@@ -3882,42 +3888,42 @@ msgstr ""
+ "uppslagningar."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2773
++#: sssd.conf.5.xml:2781
+ msgid "Supported values:"
+ msgstr "Värden som stödjs:"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2776
++#: sssd.conf.5.xml:2784
+ msgid "ipv4_first: Try looking up IPv4 address, if that fails, try IPv6"
+ msgstr "ipv4_first: Försök slå up IPv4-adresser, om det misslyckas, prova IPv6"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2779
++#: sssd.conf.5.xml:2787
+ msgid "ipv4_only: Only attempt to resolve hostnames to IPv4 addresses."
+ msgstr "ipv4_only: Försök endast slå upp värdnamn som IPv4-adresser."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2782
++#: sssd.conf.5.xml:2790
+ msgid "ipv6_first: Try looking up IPv6 address, if that fails, try IPv4"
+ msgstr "ipv6_first: Försök slå up IPv6-adresser, om det misslyckas, prova IPv4"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2785
++#: sssd.conf.5.xml:2793
+ msgid "ipv6_only: Only attempt to resolve hostnames to IPv6 addresses."
+ msgstr "ipv6_only: Försök endast slå upp värdnamn som IPv6-adresser."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2788
++#: sssd.conf.5.xml:2796
+ msgid "Default: ipv4_first"
+ msgstr "Standard: ipv4_first"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2794
++#: sssd.conf.5.xml:2802
+ msgid "dns_resolver_timeout (integer)"
+ msgstr "dns_resolver_timeout (heltal)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2797
++#: sssd.conf.5.xml:2805
+ msgid ""
+ "Defines the amount of time (in seconds) to wait for a reply from the "
+ "internal fail over service before assuming that the service is unreachable. "
+@@ -3929,7 +3935,7 @@ msgstr ""
+ "nås kommer domänen fortsätta att fungera i frånkopplat läge."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2804
++#: sssd.conf.5.xml:2812
+ msgid ""
+ "Please see the section <quote>FAILOVER</quote> for more information about "
+ "the service resolution."
+@@ -3937,18 +3943,18 @@ msgstr ""
+ "Se avsnittet <quote>RESERVER</quote> för mer information om tjänstevalet."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2809 sssd-ldap.5.xml:1434 sssd-ldap.5.xml:1476
++#: sssd.conf.5.xml:2817 sssd-ldap.5.xml:1434 sssd-ldap.5.xml:1476
+ #: sssd-ldap.5.xml:1494 sssd-krb5.5.xml:248
+ msgid "Default: 6"
+ msgstr "Standard: 6"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2815
++#: sssd.conf.5.xml:2823
+ msgid "dns_discovery_domain (string)"
+ msgstr "dns_discovery_domain (sträng)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2818
++#: sssd.conf.5.xml:2826
+ msgid ""
+ "If service discovery is used in the back end, specifies the domain part of "
+ "the service discovery DNS query."
+@@ -3957,52 +3963,52 @@ msgstr ""
+ "fråga om tjänsteupptäckt."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2822
++#: sssd.conf.5.xml:2830
+ msgid "Default: Use the domain part of machine's hostname"
+ msgstr "Standard: använd domändelen av maskinens värdnamn"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2828
++#: sssd.conf.5.xml:2836
+ msgid "override_gid (integer)"
+ msgstr "override_gid (heltal)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2831
++#: sssd.conf.5.xml:2839
+ msgid "Override the primary GID value with the one specified."
+ msgstr "Ersätt det primära GID-värdet med det angivna."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2837
++#: sssd.conf.5.xml:2845
+ msgid "case_sensitive (string)"
+ msgstr "case_sensitive (sträng)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2845
++#: sssd.conf.5.xml:2853
+ msgid "True"
+ msgstr "True"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2848
++#: sssd.conf.5.xml:2856
+ msgid "Case sensitive. This value is invalid for AD provider."
+ msgstr "Skiftlägeskänsligt.  Detta värde är inte giltigt för AD-leverantörer."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2854
++#: sssd.conf.5.xml:2862
+ msgid "False"
+ msgstr "False"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2856
++#: sssd.conf.5.xml:2864
+ msgid "Case insensitive."
+ msgstr "Skiftlägesokänsligt."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2860
++#: sssd.conf.5.xml:2868
+ msgid "Preserving"
+ msgstr "Preserving"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2863
++#: sssd.conf.5.xml:2871
+ msgid ""
+ "Same as False (case insensitive), but does not lowercase names in the result "
+ "of NSS operations. Note that name aliases (and in case of services also "
+@@ -4013,7 +4019,7 @@ msgstr ""
+ "tjänster även protokollnamn) fortfarande skiftas ner i utdata."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2840
++#: sssd.conf.5.xml:2848
+ #, fuzzy
+ #| msgid ""
+ #| "With this parameter the certificate verification can be tuned with a "
+@@ -4029,17 +4035,17 @@ msgstr ""
+ "type=\"variablelist\" id=\"0\"/>"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2875
++#: sssd.conf.5.xml:2883
+ msgid "Default: True (False for AD provider)"
+ msgstr "Standard: True (False för AD-leverantören)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2881
++#: sssd.conf.5.xml:2889
+ msgid "subdomain_inherit (string)"
+ msgstr "subdomain_inherit (sträng)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2884
++#: sssd.conf.5.xml:2892
+ msgid ""
+ "Specifies a list of configuration parameters that should be inherited by a "
+ "subdomain. Please note that only selected parameters can be inherited.  "
+@@ -4050,27 +4056,27 @@ msgstr ""
+ "följande alternativ ärvas:"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2890
++#: sssd.conf.5.xml:2898
+ msgid "ignore_group_members"
+ msgstr "ignore_group_members"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2893
++#: sssd.conf.5.xml:2901
+ msgid "ldap_purge_cache_timeout"
+ msgstr "ldap_purge_cache_timeout"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2896 sssd-ldap.5.xml:1158
++#: sssd.conf.5.xml:2904 sssd-ldap.5.xml:1158
+ msgid "ldap_use_tokengroups"
+ msgstr "ldap_use_tokengroups"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2899
++#: sssd.conf.5.xml:2907
+ msgid "ldap_user_principal"
+ msgstr "ldap_user_principal"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2902
++#: sssd.conf.5.xml:2910
+ msgid ""
+ "ldap_krb5_keytab (the value of krb5_keytab will be used if ldap_krb5_keytab "
+ "is not set explicitly)"
+@@ -4079,7 +4085,7 @@ msgstr ""
+ "ldap_krb5_keytab sätts särskilt)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
+-#: sssd.conf.5.xml:2908
++#: sssd.conf.5.xml:2916
+ #, no-wrap
+ msgid ""
+ "subdomain_inherit = ldap_purge_cache_timeout\n"
+@@ -4089,33 +4095,33 @@ msgstr ""
+ "                            "
+ 
+ #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2906 sssd-secrets.5.xml:448
++#: sssd.conf.5.xml:2914 sssd-secrets.5.xml:448
+ msgid "Example: <placeholder type=\"programlisting\" id=\"0\"/>"
+ msgstr "Exempel: <placeholder type=\"programlisting\" id=\"0\"/>"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2915
++#: sssd.conf.5.xml:2923
+ msgid "Note: This option only works with the IPA and AD provider."
+ msgstr ""
+ "Observera: detta alternativ fungerar endast med leverantörerna IPA och AD."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2922
++#: sssd.conf.5.xml:2930
+ msgid "subdomain_homedir (string)"
+ msgstr "subdomain_homedir (sträng)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2933
++#: sssd.conf.5.xml:2941
+ msgid "%F"
+ msgstr "%F"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2934
++#: sssd.conf.5.xml:2942
+ msgid "flat (NetBIOS) name of a subdomain."
+ msgstr "platt (NetBIOS) namn på en underdomän."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2925
++#: sssd.conf.5.xml:2933
+ msgid ""
+ "Use this homedir as default value for all subdomains within this domain in "
+ "IPA AD trust.  See <emphasis>override_homedir</emphasis> for info about "
+@@ -4130,52 +4136,65 @@ msgstr ""
+ "\"variablelist\" id=\"0\"/>"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2939
++#: sssd.conf.5.xml:2947
+ msgid ""
+ "The value can be overridden by <emphasis>override_homedir</emphasis> option."
+ msgstr ""
+ "Värdet kan åsidosättas av alternativet <emphasis>override_homedir</emphasis>."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2943
++#: sssd.conf.5.xml:2951
+ msgid "Default: <filename>/home/%d/%u</filename>"
+ msgstr "Standard: <filename>/home/%d/%u</filename>"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2948
++#: sssd.conf.5.xml:2956
+ msgid "realmd_tags (string)"
+ msgstr "realmd_tags (sträng)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2951
++#: sssd.conf.5.xml:2959
+ msgid ""
+ "Various tags stored by the realmd configuration service for this domain."
+ msgstr ""
+ "Diverse taggar lagrade av ralmd-konfigurationstjänsten för denna domän."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2957
++#: sssd.conf.5.xml:2965
+ msgid "cached_auth_timeout (int)"
+ msgstr "cached_auth_timeout (heltal)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2960
++#: sssd.conf.5.xml:2968
++#, fuzzy
++#| msgid ""
++#| "Specifies time in seconds since last successful online authentication for "
++#| "which user will be authenticated using cached credentials while SSSD is "
++#| "in the online mode."
+ msgid ""
+ "Specifies time in seconds since last successful online authentication for "
+ "which user will be authenticated using cached credentials while SSSD is in "
+-"the online mode."
++"the online mode. If the credentials are incorrect, SSSD falls back to online "
++"authentication."
+ msgstr ""
+ "Anger tiden i sekunder sedan senaste lyckade uppkopplade autentisering under "
+ "vilka användaren kommer autentiseras med cachade kreditiv medan SSSD är i "
+ "uppkopplad läge."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2966
++#: sssd.conf.5.xml:2976
++msgid ""
++"This option's value is inherited by all trusted domains. At the moment it is "
++"not possible to set a different value per trusted domain."
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
++#: sssd.conf.5.xml:2981
+ msgid "Special value 0 implies that this feature is disabled."
+ msgstr "Specialvärdet 0 betyder att denna funktion är avaktiverad."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2970
++#: sssd.conf.5.xml:2985
+ msgid ""
+ "Please note that if <quote>cached_auth_timeout</quote> is longer than "
+ "<quote>pam_id_timeout</quote> then the back end could be called to handle "
+@@ -4186,17 +4205,17 @@ msgstr ""
+ "<quote>initgroups.</quote>"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2981
++#: sssd.conf.5.xml:2996
+ msgid "auto_private_groups (string)"
+ msgstr "auto_private_groups (sträng)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2987
++#: sssd.conf.5.xml:3002
+ msgid "true"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2990
++#: sssd.conf.5.xml:3005
+ #, fuzzy
+ #| msgid ""
+ #| "If this option is enabled, SSSD will automatically create user private "
+@@ -4209,27 +4228,40 @@ msgstr ""
+ "användargrupper baserat på anvindarens UID-nummer.  GID-numret ignoreras i "
+ "detta fall."
+ 
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
++#: sssd.conf.5.xml:3009
++msgid ""
++"NOTE: Because the GID number and the user private group are inferred from "
++"the UID number, it is not supported to have multiple entries with the same "
++"UID or GID number with this option. In other words, enabling this option "
++"enforces uniqueness across the ID space."
++msgstr ""
++"OBSERVERA: Eftersom GID-numret och användarens privata grupp härleds från "
++"UID-numret stödjs det inte att ha flera poster med samma UID- eller GID-"
++"nummer med detta alternativ.  Med andra ord, att aktivera detta alternativ "
++"framtvingar unika nummer över hela ID-rymden."
++
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2996
++#: sssd.conf.5.xml:3018
+ #, fuzzy
+ #| msgid "False"
+ msgid "false"
+ msgstr "False"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2999
++#: sssd.conf.5.xml:3021
+ msgid ""
+ "Always use the user's primary GID number. The GID number must refer to a "
+ "group object in the LDAP database."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:3005
++#: sssd.conf.5.xml:3027
+ msgid "hybrid"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3008
++#: sssd.conf.5.xml:3030
+ msgid ""
+ "A primary group is autogenerated for user entries whose UID and GID numbers "
+ "have the same value and at the same time the GID number does not correspond "
+@@ -4239,14 +4271,14 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3021
++#: sssd.conf.5.xml:3043
+ msgid ""
+ "If the UID and GID of a user are different, then the GID must correspond to "
+ "a group entry, otherwise the GID is simply not resolvable."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3028
++#: sssd.conf.5.xml:3050
+ msgid ""
+ "This feature is useful for environments that wish to stop maintaining a "
+ "separate group objects for the user private groups, but also wish to retain "
+@@ -4254,7 +4286,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2984
++#: sssd.conf.5.xml:2999
+ #, fuzzy
+ #| msgid ""
+ #| "Options valid for proxy domains.  <placeholder type=\"variablelist\" id="
+@@ -4267,37 +4299,37 @@ msgstr ""
+ "\"0\"/>"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3040
++#: sssd.conf.5.xml:3062
+ msgid ""
+-"For POSIX subdomains, setting the option in the main domain is inherited in "
+-"the subdomain."
++"For subdomains, the default value is False for subdomains that use assigned "
++"POSIX IDs and True for subdomains that use automatic ID-mapping."
+ msgstr ""
+-"För POSIX-underdomäner ärvs detta värde till underdomäner om det sätts i "
+-"huvuddomänen."
+ 
+-#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3044
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
++#: sssd.conf.5.xml:3070
++#, no-wrap
+ msgid ""
+-"For ID-mapping subdomains, auto_private_groups is already enabled for the "
+-"subdomains and setting it to false will not have any effect for the "
+-"subdomain."
++"[domain/forest.domain/sub.domain]\n"
++"auto_private_groups = false\n"
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
++#: sssd.conf.5.xml:3076
++#, no-wrap
++msgid ""
++"[domain/forest.domain]\n"
++"subdomain_inherit = auto_private_groups\n"
++"auto_private_groups = false\n"
+ msgstr ""
+-"För ID-mappning av underdomäner är auto_private_groups redan aktiverat för "
+-"underdomänerna och att sätta det till falskt kommer inte ha någon effekt för "
+-"underdomänen."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3049
++#: sssd.conf.5.xml:3067
+ msgid ""
+-"NOTE: Because the GID number and the user private group are inferred from "
+-"the UID number, it is not supported to have multiple entries with the same "
+-"UID or GID number with this option. In other words, enabling this option "
+-"enforces uniqueness across the ID space."
++"The value of auto_private_groups can either be set per subdomains in a "
++"subsection, for example: <placeholder type=\"programlisting\" id=\"0\"/> or "
++"globally for all subdomains in the main domain section using the "
++"subdomain_inherit option: <placeholder type=\"programlisting\" id=\"1\"/>"
+ msgstr ""
+-"OBSERVERA: Eftersom GID-numret och användarens privata grupp härleds från "
+-"UID-numret stödjs det inte att ha flera poster med samma UID- eller GID-"
+-"nummer med detta alternativ.  Med andra ord, att aktivera detta alternativ "
+-"framtvingar unika nummer över hela ID-rymden."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+ #: sssd.conf.5.xml:1802
+@@ -4311,17 +4343,17 @@ msgstr ""
+ "replaceable>]</quote> <placeholder type=\"variablelist\" id=\"0\"/>"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:3068
++#: sssd.conf.5.xml:3091
+ msgid "proxy_pam_target (string)"
+ msgstr "proxy_pam_target (sträng)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3071
++#: sssd.conf.5.xml:3094
+ msgid "The proxy target PAM proxies to."
+ msgstr "Proxymålet PAM är en proxy för."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3074
++#: sssd.conf.5.xml:3097
+ msgid ""
+ "Default: not set by default, you have to take an existing pam configuration "
+ "or create a new one and add the service name here."
+@@ -4330,12 +4362,12 @@ msgstr ""
+ "eller skapa en ny och lägga till tjänstenamnet här."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:3082
++#: sssd.conf.5.xml:3105
+ msgid "proxy_lib_name (string)"
+ msgstr "proxy_lib_name (sträng)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3085
++#: sssd.conf.5.xml:3108
+ msgid ""
+ "The name of the NSS library to use in proxy domains. The NSS functions "
+ "searched for in the library are in the form of _nss_$(libName)_$(function), "
+@@ -4346,12 +4378,12 @@ msgstr ""
+ "exempel _nss_files_getpwent."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:3095
++#: sssd.conf.5.xml:3118
+ msgid "proxy_fast_alias (boolean)"
+ msgstr "proxy_fast_alias (boolean)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3098
++#: sssd.conf.5.xml:3121
+ msgid ""
+ "When a user or group is looked up by name in the proxy provider, a second "
+ "lookup by ID is performed to \"canonicalize\" the name in case the requested "
+@@ -4364,12 +4396,12 @@ msgstr ""
+ "få SSSD att utföra ID-uppslagningen från cachen av prestandaskäl"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:3112
++#: sssd.conf.5.xml:3135
+ msgid "proxy_max_children (integer)"
+ msgstr "proxy_max_children (heltal)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3115
++#: sssd.conf.5.xml:3138
+ msgid ""
+ "This option specifies the number of pre-forked proxy children. It is useful "
+ "for high-load SSSD environments where sssd may run out of available child "
+@@ -4381,7 +4413,7 @@ msgstr ""
+ "begäranden skulle köas upp."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd.conf.5.xml:3064
++#: sssd.conf.5.xml:3087
+ msgid ""
+ "Options valid for proxy domains.  <placeholder type=\"variablelist\" id="
+ "\"0\"/>"
+@@ -4390,12 +4422,12 @@ msgstr ""
+ "\"0\"/>"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><title>
+-#: sssd.conf.5.xml:3131
++#: sssd.conf.5.xml:3154
+ msgid "Application domains"
+ msgstr "Programdomäner"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para>
+-#: sssd.conf.5.xml:3133
++#: sssd.conf.5.xml:3156
+ msgid ""
+ "SSSD, with its D-Bus interface (see <citerefentry> <refentrytitle>sssd-ifp</"
+ "refentrytitle> <manvolnum>5</manvolnum> </citerefentry>) is appealing to "
+@@ -4424,7 +4456,7 @@ msgstr ""
+ "traditionell SSSD-domän."
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para>
+-#: sssd.conf.5.xml:3153
++#: sssd.conf.5.xml:3176
+ msgid ""
+ "Please note that the application domain must still be explicitly enabled in "
+ "the <quote>domains</quote> parameter so that the lookup order between the "
+@@ -4435,17 +4467,17 @@ msgstr ""
+ "programdomänen och dess POSIX-syskondomän sätts korrekt."
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><title>
+-#: sssd.conf.5.xml:3159
++#: sssd.conf.5.xml:3182
+ msgid "Application domain parameters"
+ msgstr "Programdomänparametrar"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:3161
++#: sssd.conf.5.xml:3184
+ msgid "inherit_from (string)"
+ msgstr "inherit_from (sträng)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3164
++#: sssd.conf.5.xml:3187
+ msgid ""
+ "The SSSD POSIX-type domain the application domain inherits all settings "
+ "from. The application domain can moreover add its own settings to the "
+@@ -4458,7 +4490,7 @@ msgstr ""
+ "quote>domänens inställningar."
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para>
+-#: sssd.conf.5.xml:3178
++#: sssd.conf.5.xml:3201
+ msgid ""
+ "The following example illustrates the use of an application domain. In this "
+ "setup, the POSIX domain is connected to an LDAP server and is used by the OS "
+@@ -4473,7 +4505,7 @@ msgstr ""
+ "attributet telefon nåbart via D-Bus-gränssnittet."
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><programlisting>
+-#: sssd.conf.5.xml:3186
++#: sssd.conf.5.xml:3209
+ #, no-wrap
+ msgid ""
+ "[sssd]\n"
+@@ -4507,12 +4539,12 @@ msgstr ""
+ "ldap_user_extra_attrs = telefon:telephoneNumber\n"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><title>
+-#: sssd.conf.5.xml:3204
++#: sssd.conf.5.xml:3227
+ msgid "The local domain section"
+ msgstr "Den lokala domänsektionen"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para>
+-#: sssd.conf.5.xml:3206
++#: sssd.conf.5.xml:3229
+ msgid ""
+ "This section contains settings for domain that stores users and groups in "
+ "SSSD native database, that is, a domain that uses "
+@@ -4523,29 +4555,29 @@ msgstr ""
+ "<replaceable>id_provider=local</replaceable>."
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:3213
++#: sssd.conf.5.xml:3236
+ msgid "default_shell (string)"
+ msgstr "default_shell (sträng)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3216
++#: sssd.conf.5.xml:3239
+ msgid "The default shell for users created with SSSD userspace tools."
+ msgstr ""
+ "Standardskalet för användare som skapas med SSSD:s verktyg för "
+ "användarrymden."
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3220
++#: sssd.conf.5.xml:3243
+ msgid "Default: <filename>/bin/bash</filename>"
+ msgstr "Standard: <filename>/bin/bash</filename>"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:3225
++#: sssd.conf.5.xml:3248
+ msgid "base_directory (string)"
+ msgstr "base_directory (sträng)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3228
++#: sssd.conf.5.xml:3251
+ msgid ""
+ "The tools append the login name to <replaceable>base_directory</replaceable> "
+ "and use that as the home directory."
+@@ -4554,17 +4586,17 @@ msgstr ""
+ "replaceable> och använder det som hemkatalogen."
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3233
++#: sssd.conf.5.xml:3256
+ msgid "Default: <filename>/home</filename>"
+ msgstr "Standard: <filename>/home</filename>"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:3238
++#: sssd.conf.5.xml:3261
+ msgid "create_homedir (bool)"
+ msgstr "create_homedir (bool)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3241
++#: sssd.conf.5.xml:3264
+ msgid ""
+ "Indicate if a home directory should be created by default for new users.  "
+ "Can be overridden on command line."
+@@ -4573,17 +4605,17 @@ msgstr ""
+ "åsidosättas på kommandoraden."
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3245 sssd.conf.5.xml:3257
++#: sssd.conf.5.xml:3268 sssd.conf.5.xml:3280
+ msgid "Default: TRUE"
+ msgstr "Standard: TRUE"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:3250
++#: sssd.conf.5.xml:3273
+ msgid "remove_homedir (bool)"
+ msgstr "remove_homedir (bool)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3253
++#: sssd.conf.5.xml:3276
+ msgid ""
+ "Indicate if a home directory should be removed by default for deleted "
+ "users.  Can be overridden on command line."
+@@ -4592,12 +4624,12 @@ msgstr ""
+ "användare.  Kan åsidosättas på kommandoraden."
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:3262
++#: sssd.conf.5.xml:3285
+ msgid "homedir_umask (integer)"
+ msgstr "homedir_umask (heltal)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3265
++#: sssd.conf.5.xml:3288
+ msgid ""
+ "Used by <citerefentry> <refentrytitle>sss_useradd</refentrytitle> "
+ "<manvolnum>8</manvolnum> </citerefentry> to specify the default permissions "
+@@ -4608,17 +4640,17 @@ msgstr ""
+ "på en nyskapad hemkatalog."
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3273
++#: sssd.conf.5.xml:3296
+ msgid "Default: 077"
+ msgstr "Standard: 077"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:3278
++#: sssd.conf.5.xml:3301
+ msgid "skel_dir (string)"
+ msgstr "skel_dir (sträng)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3281
++#: sssd.conf.5.xml:3304
+ msgid ""
+ "The skeleton directory, which contains files and directories to be copied in "
+ "the user's home directory, when the home directory is created by "
+@@ -4631,17 +4663,17 @@ msgstr ""
+ "citerefentry>"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3291
++#: sssd.conf.5.xml:3314
+ msgid "Default: <filename>/etc/skel</filename>"
+ msgstr "Standard: <filename>/etc/skel</filename>"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:3296
++#: sssd.conf.5.xml:3319
+ msgid "mail_dir (string)"
+ msgstr "mail_dir (sträng)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3299
++#: sssd.conf.5.xml:3322
+ msgid ""
+ "The mail spool directory. This is needed to manipulate the mailbox when its "
+ "corresponding user account is modified or deleted.  If not specified, a "
+@@ -4652,17 +4684,17 @@ msgstr ""
+ "ett standardvärde."
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3306
++#: sssd.conf.5.xml:3329
+ msgid "Default: <filename>/var/mail</filename>"
+ msgstr "Standard: <filename>/var/mail</filename>"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:3311
++#: sssd.conf.5.xml:3334
+ msgid "userdel_cmd (string)"
+ msgstr "userdel_cmd (sträng)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3314
++#: sssd.conf.5.xml:3337
+ msgid ""
+ "The command that is run after a user is removed.  The command us passed the "
+ "username of the user being removed as the first and only parameter. The "
+@@ -4673,17 +4705,17 @@ msgstr ""
+ "Ingen hänsyn tas till returkoden från kommandot."
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3320
++#: sssd.conf.5.xml:3343
+ msgid "Default: None, no command is run"
+ msgstr "Standard: Inget, inget kommando körs"
+ 
+ #. type: Content of: <reference><refentry><refsect1><title>
+-#: sssd.conf.5.xml:3330
++#: sssd.conf.5.xml:3353
+ msgid "TRUSTED DOMAIN SECTION"
+ msgstr "SEKTIONEN BETRODDA DOMÄNER"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd.conf.5.xml:3332
++#: sssd.conf.5.xml:3355
+ msgid ""
+ "Some options used in the domain section can also be used in the trusted "
+ "domain section, that is, in a section called <quote>[domain/"
+@@ -4700,52 +4732,59 @@ msgstr ""
+ "alternativ i sektionen för betrodda domäner är:"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd.conf.5.xml:3339
++#: sssd.conf.5.xml:3362
+ msgid "ldap_search_base,"
+ msgstr "ldap_search_base,"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd.conf.5.xml:3340
++#: sssd.conf.5.xml:3363
+ msgid "ldap_user_search_base,"
+ msgstr "ldap_user_search_base,"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd.conf.5.xml:3341
++#: sssd.conf.5.xml:3364
+ msgid "ldap_group_search_base,"
+ msgstr "ldap_group_search_base,"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd.conf.5.xml:3342
++#: sssd.conf.5.xml:3365
+ msgid "ldap_netgroup_search_base,"
+ msgstr "ldap_netgroup_search_base,"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd.conf.5.xml:3343
++#: sssd.conf.5.xml:3366
+ msgid "ldap_service_search_base,"
+ msgstr "ldap_service_search_base,"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd.conf.5.xml:3344
++#: sssd.conf.5.xml:3367
++#, fuzzy
++#| msgid "ldap_search_base,"
++msgid "ldap_sasl_mech,"
++msgstr "ldap_search_base,"
++
++#. type: Content of: <reference><refentry><refsect1><para>
++#: sssd.conf.5.xml:3368
+ msgid "ad_server,"
+ msgstr "ad_server,"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd.conf.5.xml:3345
++#: sssd.conf.5.xml:3369
+ msgid "ad_backup_server,"
+ msgstr "ad_backup_server,"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd.conf.5.xml:3346
++#: sssd.conf.5.xml:3370
+ msgid "ad_site,"
+ msgstr "ad_site,"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para>
+-#: sssd.conf.5.xml:3347 sssd-ipa.5.xml:782
++#: sssd.conf.5.xml:3371 sssd-ipa.5.xml:782
+ msgid "use_fully_qualified_names"
+ msgstr "use_fully_qualified_names"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd.conf.5.xml:3349
++#: sssd.conf.5.xml:3373
+ msgid ""
+ "For more details about these options see their individual description in the "
+ "manual page."
+@@ -4754,12 +4793,135 @@ msgstr ""
+ "manualsidan."
+ 
+ #. type: Content of: <reference><refentry><refsect1><title>
+-#: sssd.conf.5.xml:3355 idmap_sss.8.xml:43
++#: sssd.conf.5.xml:3379
++#, fuzzy
++#| msgid "CONFIGURATION OPTIONS"
++msgid "PROMPTING CONFIGURATION SECTION"
++msgstr "KONFIGURATIONSALTERNATIV"
++
++#. type: Content of: <reference><refentry><refsect1><para>
++#: sssd.conf.5.xml:3381
++msgid ""
++"If a special file (<filename>/var/lib/sss/pubconf/pam_preauth_available</"
++"filename>)  exists SSSD's PAM module pam_sss will ask SSSD to figure out "
++"which authentication methods are available for the user trying to log in.  "
++"Based on the results pam_sss will prompt the user for appropriate "
++"credentials."
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para>
++#: sssd.conf.5.xml:3389
++msgid ""
++"With the growing number of authentication methods and the possibility that "
++"there are multiple ones for a single user the heuristic used by pam_sss to "
++"select the prompting might not be suitable for all use cases. To following "
++"options should provide a better flexibility here."
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
++#: sssd.conf.5.xml:3401
++msgid "[prompting/password]"
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
++#: sssd.conf.5.xml:3404
++#, fuzzy
++#| msgid "password"
++msgid "password_prompt"
++msgstr "password"
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
++#: sssd.conf.5.xml:3405
++msgid "to change the string of the password prompt"
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
++#: sssd.conf.5.xml:3403
++#, fuzzy
++#| msgid ""
++#| "Options valid for proxy domains.  <placeholder type=\"variablelist\" id="
++#| "\"0\"/>"
++msgid ""
++"to configure password prompting, allowed options are: <placeholder type="
++"\"variablelist\" id=\"0\"/>"
++msgstr ""
++"Giltiga alternativ för proxy-domäner.  <placeholder type=\"variablelist\" id="
++"\"0\"/>"
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
++#: sssd.conf.5.xml:3413
++msgid "[prompting/2fa]"
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
++#: sssd.conf.5.xml:3417
++msgid "first_prompt"
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
++#: sssd.conf.5.xml:3418
++msgid "to change the string of the prompt for the first factor"
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
++#: sssd.conf.5.xml:3421
++msgid "second_prompt"
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
++#: sssd.conf.5.xml:3422
++msgid "to change the string of the prompt for the second factor"
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
++#: sssd.conf.5.xml:3425
++msgid "single_prompt"
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
++#: sssd.conf.5.xml:3426
++msgid ""
++"boolean value, if True there will be only a single prompt using the value of "
++"first_prompt where it is expected that both factor are entered as a single "
++"string"
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
++#: sssd.conf.5.xml:3415
++#, fuzzy
++#| msgid ""
++#| "Options valid for proxy domains.  <placeholder type=\"variablelist\" id="
++#| "\"0\"/>"
++msgid ""
++"to configure two-factor authentication prompting, allowed options are: "
++"<placeholder type=\"variablelist\" id=\"0\"/>"
++msgstr ""
++"Giltiga alternativ för proxy-domäner.  <placeholder type=\"variablelist\" id="
++"\"0\"/>"
++
++#. type: Content of: <reference><refentry><refsect1><para>
++#: sssd.conf.5.xml:3396
++msgid ""
++"Each supported authentication method has it's own configuration sub-section "
++"under <quote>[prompting/...]</quote>. Currently there are: <placeholder type="
++"\"variablelist\" id=\"0\"/> <placeholder type=\"variablelist\" id=\"1\"/>"
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para>
++#: sssd.conf.5.xml:3438
++msgid ""
++"It is possible to add a sub-section for specific PAM services like e.g. "
++"<quote>[prompting/password/sshd]</quote> to individual change the prompting "
++"for this service."
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><title>
++#: sssd.conf.5.xml:3445 idmap_sss.8.xml:43
+ msgid "EXAMPLES"
+ msgstr "EXEMPEL"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><programlisting>
+-#: sssd.conf.5.xml:3361
++#: sssd.conf.5.xml:3451
+ #, no-wrap
+ msgid ""
+ "[sssd]\n"
+@@ -4813,7 +4975,7 @@ msgstr ""
+ "enumerate = False\n"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd.conf.5.xml:3357
++#: sssd.conf.5.xml:3447
+ msgid ""
+ "1. The following example shows a typical SSSD config. It does not describe "
+ "configuration of the domains themselves - refer to documentation on "
+@@ -4825,7 +4987,7 @@ msgstr ""
+ "domäner för fler detaljer. <placeholder type=\"programlisting\" id=\"0\"/>"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><programlisting>
+-#: sssd.conf.5.xml:3394
++#: sssd.conf.5.xml:3484
+ #, no-wrap
+ msgid ""
+ "[domain/ipa.com/child.ad.com]\n"
+@@ -4835,7 +4997,7 @@ msgstr ""
+ "use_fully_qualified_names = false\n"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd.conf.5.xml:3388
++#: sssd.conf.5.xml:3478
+ msgid ""
+ "2. The following example shows configuration of IPA AD trust where the AD "
+ "forest consists of two domains in a parent-child structure.  Suppose IPA "
+@@ -5878,7 +6040,7 @@ msgstr "LDAP-attributet som motsvarar användarens fullständiga namn."
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:797 sssd-ldap.5.xml:1199 sssd-ldap.5.xml:1273
+-#: sssd-ldap.5.xml:1382 sssd-ldap.5.xml:2443 sssd-ipa.5.xml:607
++#: sssd-ldap.5.xml:1382 sssd-ldap.5.xml:2463 sssd-ipa.5.xml:607
+ msgid "Default: cn"
+ msgstr "Standard: cn"
+ 
+@@ -6613,7 +6775,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1511 sssd-ldap.5.xml:2600
++#: sssd-ldap.5.xml:1511 sssd-ldap.5.xml:2620
+ msgid "Default: 900 (15 minutes)"
+ msgstr ""
+ 
+@@ -6716,11 +6878,16 @@ msgstr ""
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:1604
+ msgid ""
+-"You can turn off dereference lookups completely by setting the value to 0."
++"You can turn off dereference lookups completely by setting the value to 0. "
++"Please note that there are some codepaths in SSSD, like the IPA HBAC "
++"provider, that are only implemented using the dereference call, so even with "
++"dereference explicitly disabled, those parts will still use dereference if "
++"the server supports it and advertises the dereference control in the rootDSE "
++"object."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1608
++#: sssd-ldap.5.xml:1615
+ msgid ""
+ "A dereference lookup is a means of fetching all group members in a single "
+ "LDAP call.  Different LDAP servers may implement different dereference "
+@@ -6729,7 +6896,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1616
++#: sssd-ldap.5.xml:1623
+ msgid ""
+ "<emphasis>Note:</emphasis> If any of the search bases specifies a search "
+ "filter, then the dereference lookup performance enhancement will be disabled "
+@@ -6737,26 +6904,26 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1629
++#: sssd-ldap.5.xml:1636
+ msgid "ldap_tls_reqcert (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1632
++#: sssd-ldap.5.xml:1639
+ msgid ""
+ "Specifies what checks to perform on server certificates in a TLS session, if "
+ "any. It can be specified as one of the following values:"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1638
++#: sssd-ldap.5.xml:1645
+ msgid ""
+ "<emphasis>never</emphasis> = The client will not request or check any server "
+ "certificate."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1642
++#: sssd-ldap.5.xml:1649
+ msgid ""
+ "<emphasis>allow</emphasis> = The server certificate is requested. If no "
+ "certificate is provided, the session proceeds normally. If a bad certificate "
+@@ -6764,7 +6931,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1649
++#: sssd-ldap.5.xml:1656
+ msgid ""
+ "<emphasis>try</emphasis> = The server certificate is requested. If no "
+ "certificate is provided, the session proceeds normally. If a bad certificate "
+@@ -6772,7 +6939,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1655
++#: sssd-ldap.5.xml:1662
+ msgid ""
+ "<emphasis>demand</emphasis> = The server certificate is requested. If no "
+ "certificate is provided, or a bad certificate is provided, the session is "
+@@ -6780,41 +6947,41 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1661
++#: sssd-ldap.5.xml:1668
+ msgid "<emphasis>hard</emphasis> = Same as <quote>demand</quote>"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1665
++#: sssd-ldap.5.xml:1672
+ msgid "Default: hard"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1671
++#: sssd-ldap.5.xml:1678
+ msgid "ldap_tls_cacert (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1674
++#: sssd-ldap.5.xml:1681
+ msgid ""
+ "Specifies the file that contains certificates for all of the Certificate "
+ "Authorities that <command>sssd</command> will recognize."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1679 sssd-ldap.5.xml:1697 sssd-ldap.5.xml:1738
++#: sssd-ldap.5.xml:1686 sssd-ldap.5.xml:1704 sssd-ldap.5.xml:1745
+ msgid ""
+ "Default: use OpenLDAP defaults, typically in <filename>/etc/openldap/ldap."
+ "conf</filename>"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1686
++#: sssd-ldap.5.xml:1693
+ msgid "ldap_tls_cacertdir (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1689
++#: sssd-ldap.5.xml:1696
+ msgid ""
+ "Specifies the path of a directory that contains Certificate Authority "
+ "certificates in separate individual files. Typically the file names need to "
+@@ -6823,32 +6990,32 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1704
++#: sssd-ldap.5.xml:1711
+ msgid "ldap_tls_cert (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1707
++#: sssd-ldap.5.xml:1714
+ msgid "Specifies the file that contains the certificate for the client's key."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1717
++#: sssd-ldap.5.xml:1724
+ msgid "ldap_tls_key (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1720
++#: sssd-ldap.5.xml:1727
+ msgid "Specifies the file that contains the client's key."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1729
++#: sssd-ldap.5.xml:1736
+ msgid "ldap_tls_cipher_suite (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1732
++#: sssd-ldap.5.xml:1739
+ msgid ""
+ "Specifies acceptable cipher suites.  Typically this is a colon separated "
+ "list.  See <citerefentry><refentrytitle>ldap.conf</refentrytitle> "
+@@ -6856,24 +7023,24 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1745
++#: sssd-ldap.5.xml:1752
+ msgid "ldap_id_use_start_tls (boolean)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1748
++#: sssd-ldap.5.xml:1755
+ msgid ""
+ "Specifies that the id_provider connection must also use <systemitem class="
+ "\"protocol\">tls</systemitem> to protect the channel."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1758
++#: sssd-ldap.5.xml:1765
+ msgid "ldap_id_mapping (boolean)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1761
++#: sssd-ldap.5.xml:1768
+ msgid ""
+ "Specifies that SSSD should attempt to map user and group IDs from the "
+ "ldap_user_objectsid and ldap_group_objectsid attributes instead of relying "
+@@ -6881,17 +7048,17 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1767
++#: sssd-ldap.5.xml:1774
+ msgid "Currently this feature supports only ActiveDirectory objectSID mapping."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1777
++#: sssd-ldap.5.xml:1784
+ msgid "ldap_min_id, ldap_max_id (integer)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1780
++#: sssd-ldap.5.xml:1787
+ msgid ""
+ "In contrast to the SID based ID mapping which is used if ldap_id_mapping is "
+ "set to true the allowed ID range for ldap_user_uid_number and "
+@@ -6902,29 +7069,40 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1792
++#: sssd-ldap.5.xml:1799
+ msgid "Default: not set (both options are set to 0)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1798
++#: sssd-ldap.5.xml:1805
+ msgid "ldap_sasl_mech (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1801
++#: sssd-ldap.5.xml:1808
++msgid ""
++"Specify the SASL mechanism to use.  Currently only GSSAPI and GSS-SPNEGO are "
++"tested and supported."
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
++#: sssd-ldap.5.xml:1812
+ msgid ""
+-"Specify the SASL mechanism to use.  Currently only GSSAPI is tested and "
+-"supported."
++"If the backend supports sub-domains the value of ldap_sasl_mech is "
++"automatically inherited to the sub-domains. If a different value is needed "
++"for a sub-domain it can be overwritten by setting ldap_sasl_mech for this "
++"sub-domain explicitly.  Please see TRUSTED DOMAIN SECTION in "
++"<citerefentry><refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</"
++"manvolnum></citerefentry> for details."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1811
++#: sssd-ldap.5.xml:1828
+ msgid "ldap_sasl_authid (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
+-#: sssd-ldap.5.xml:1822
++#: sssd-ldap.5.xml:1840
+ #, no-wrap
+ msgid ""
+ "hostname@REALM\n"
+@@ -6937,29 +7115,29 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1814
++#: sssd-ldap.5.xml:1831
+ msgid ""
+-"Specify the SASL authorization id to use.  When GSSAPI is used, this "
+-"represents the Kerberos principal used for authentication to the directory.  "
+-"This option can either contain the full principal (for example host/"
+-"myhost@EXAMPLE.COM) or just the principal name (for example host/myhost). By "
+-"default, the value is not set and the following principals are used: "
+-"<placeholder type=\"programlisting\" id=\"0\"/> If none of them are found, "
+-"the first principal in keytab is returned."
++"Specify the SASL authorization id to use.  When GSSAPI/GSS-SPNEGO are used, "
++"this represents the Kerberos principal used for authentication to the "
++"directory.  This option can either contain the full principal (for example "
++"host/myhost@EXAMPLE.COM) or just the principal name (for example host/"
++"myhost).  By default, the value is not set and the following principals are "
++"used: <placeholder type=\"programlisting\" id=\"0\"/> If none of them are "
++"found, the first principal in keytab is returned."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1833
++#: sssd-ldap.5.xml:1851
+ msgid "Default: host/hostname@REALM"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1839
++#: sssd-ldap.5.xml:1857
+ msgid "ldap_sasl_realm (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1842
++#: sssd-ldap.5.xml:1860
+ msgid ""
+ "Specify the SASL realm to use. When not specified, this option defaults to "
+ "the value of krb5_realm.  If the ldap_sasl_authid contains the realm as "
+@@ -6967,77 +7145,78 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1848
++#: sssd-ldap.5.xml:1866
+ msgid "Default: the value of krb5_realm."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1854
++#: sssd-ldap.5.xml:1872
+ msgid "ldap_sasl_canonicalize (boolean)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1857
++#: sssd-ldap.5.xml:1875
+ msgid ""
+ "If set to true, the LDAP library would perform a reverse lookup to "
+ "canonicalize the host name during a SASL bind."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1862
++#: sssd-ldap.5.xml:1880
+ msgid "Default: false;"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1868
++#: sssd-ldap.5.xml:1886
+ msgid "ldap_krb5_keytab (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1871
+-msgid "Specify the keytab to use when using SASL/GSSAPI."
++#: sssd-ldap.5.xml:1889
++msgid "Specify the keytab to use when using SASL/GSSAPI/GSS-SPNEGO."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1874
++#: sssd-ldap.5.xml:1893
+ msgid "Default: System keytab, normally <filename>/etc/krb5.keytab</filename>"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1880
++#: sssd-ldap.5.xml:1899
+ msgid "ldap_krb5_init_creds (boolean)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1883
++#: sssd-ldap.5.xml:1902
+ msgid ""
+ "Specifies that the id_provider should init Kerberos credentials (TGT).  This "
+ "action is performed only if SASL is used and the mechanism selected is "
+-"GSSAPI."
++"GSSAPI or GSS-SPNEGO."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1895
++#: sssd-ldap.5.xml:1914
+ msgid "ldap_krb5_ticket_lifetime (integer)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1898
+-msgid "Specifies the lifetime in seconds of the TGT if GSSAPI is used."
++#: sssd-ldap.5.xml:1917
++msgid ""
++"Specifies the lifetime in seconds of the TGT if GSSAPI or GSS-SPNEGO is used."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1902 sssd-ad.5.xml:959
++#: sssd-ldap.5.xml:1921 sssd-ad.5.xml:978
+ msgid "Default: 86400 (24 hours)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1908 sssd-krb5.5.xml:74
++#: sssd-ldap.5.xml:1927 sssd-krb5.5.xml:74
+ msgid "krb5_server, krb5_backup_server (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1911
++#: sssd-ldap.5.xml:1930
+ msgid ""
+ "Specifies the comma-separated list of IP addresses or hostnames of the "
+ "Kerberos servers to which SSSD should connect in the order of preference. "
+@@ -7055,7 +7234,7 @@ msgstr ""
+ "mer information, se avsnittet <quote>TJÄNSTEUPPTÄCKT</quote>."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1923 sssd-krb5.5.xml:89
++#: sssd-ldap.5.xml:1942 sssd-krb5.5.xml:89
+ msgid ""
+ "When using service discovery for KDC or kpasswd servers, SSSD first searches "
+ "for DNS entries that specify _udp as the protocol and falls back to _tcp if "
+@@ -7066,7 +7245,7 @@ msgstr ""
+ "hittas."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1928 sssd-krb5.5.xml:94
++#: sssd-ldap.5.xml:1947 sssd-krb5.5.xml:94
+ msgid ""
+ "This option was named <quote>krb5_kdcip</quote> in earlier releases of SSSD. "
+ "While the legacy name is recognized for the time being, users are advised to "
+@@ -7074,39 +7253,39 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1937 sssd-ipa.5.xml:428 sssd-krb5.5.xml:103
++#: sssd-ldap.5.xml:1956 sssd-ipa.5.xml:428 sssd-krb5.5.xml:103
+ msgid "krb5_realm (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1940
+-msgid "Specify the Kerberos REALM (for SASL/GSSAPI auth)."
++#: sssd-ldap.5.xml:1959
++msgid "Specify the Kerberos REALM (for SASL/GSSAPI/GSS-SPNEGO auth)."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1943
++#: sssd-ldap.5.xml:1963
+ msgid "Default: System defaults, see <filename>/etc/krb5.conf</filename>"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1949 sssd-krb5.5.xml:462
++#: sssd-ldap.5.xml:1969 sssd-krb5.5.xml:462
+ msgid "krb5_canonicalize (boolean)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1952
++#: sssd-ldap.5.xml:1972
+ msgid ""
+ "Specifies if the host principal should be canonicalized when connecting to "
+ "LDAP server. This feature is available with MIT Kerberos >= 1.7"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1964 sssd-krb5.5.xml:477
++#: sssd-ldap.5.xml:1984 sssd-krb5.5.xml:477
+ msgid "krb5_use_kdcinfo (boolean)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1967 sssd-krb5.5.xml:480
++#: sssd-ldap.5.xml:1987 sssd-krb5.5.xml:480
+ msgid ""
+ "Specifies if the SSSD should instruct the Kerberos libraries what realm and "
+ "which KDCs to use. This option is on by default, if you disable it, you need "
+@@ -7116,7 +7295,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1978 sssd-krb5.5.xml:491
++#: sssd-ldap.5.xml:1998 sssd-krb5.5.xml:491
+ msgid ""
+ "See the <citerefentry> <refentrytitle>sssd_krb5_locator_plugin</"
+ "refentrytitle> <manvolnum>8</manvolnum> </citerefentry> manual page for more "
+@@ -7124,26 +7303,26 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1992
++#: sssd-ldap.5.xml:2012
+ msgid "ldap_pwd_policy (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1995
++#: sssd-ldap.5.xml:2015
+ msgid ""
+ "Select the policy to evaluate the password expiration on the client side. "
+ "The following values are allowed:"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2000
++#: sssd-ldap.5.xml:2020
+ msgid ""
+ "<emphasis>none</emphasis> - No evaluation on the client side. This option "
+ "cannot disable server-side password policies."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2005
++#: sssd-ldap.5.xml:2025
+ msgid ""
+ "<emphasis>shadow</emphasis> - Use <citerefentry><refentrytitle>shadow</"
+ "refentrytitle> <manvolnum>5</manvolnum></citerefentry> style attributes to "
+@@ -7151,7 +7330,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2011
++#: sssd-ldap.5.xml:2031
+ msgid ""
+ "<emphasis>mit_kerberos</emphasis> - Use the attributes used by MIT Kerberos "
+ "to determine if the password has expired. Use chpass_provider=krb5 to update "
+@@ -7159,31 +7338,31 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2020
++#: sssd-ldap.5.xml:2040
+ msgid ""
+ "<emphasis>Note</emphasis>: if a password policy is configured on server "
+ "side, it always takes precedence over policy set with this option."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2028
++#: sssd-ldap.5.xml:2048
+ msgid "ldap_referrals (boolean)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2031
++#: sssd-ldap.5.xml:2051
+ msgid "Specifies whether automatic referral chasing should be enabled."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2035
++#: sssd-ldap.5.xml:2055
+ msgid ""
+ "Please note that sssd only supports referral chasing when it is compiled "
+ "with OpenLDAP version 2.4.13 or higher."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2040
++#: sssd-ldap.5.xml:2060
+ msgid ""
+ "Chasing referrals may incur a performance penalty in environments that use "
+ "them heavily, a notable example is Microsoft Active Directory. If your setup "
+@@ -7192,28 +7371,28 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2054
++#: sssd-ldap.5.xml:2074
+ msgid "ldap_dns_service_name (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2057
++#: sssd-ldap.5.xml:2077
+ msgid "Specifies the service name to use when service discovery is enabled."
+ msgstr ""
+ "Anger tjänstenamnet som skall användas när tjänsteupptäckt är aktiverat."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2061
++#: sssd-ldap.5.xml:2081
+ msgid "Default: ldap"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2067
++#: sssd-ldap.5.xml:2087
+ msgid "ldap_chpass_dns_service_name (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2070
++#: sssd-ldap.5.xml:2090
+ msgid ""
+ "Specifies the service name to use to find an LDAP server which allows "
+ "password changes when service discovery is enabled."
+@@ -7222,29 +7401,29 @@ msgstr ""
+ "lösenordsändringar när tjänsteupptäckte är aktiverat."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2075
++#: sssd-ldap.5.xml:2095
+ msgid "Default: not set, i.e. service discovery is disabled"
+ msgstr "Standard: inte satt, d.v.s. tjänsteupptäckt är avaktiverat"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2081
++#: sssd-ldap.5.xml:2101
+ msgid "ldap_chpass_update_last_change (bool)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2084
++#: sssd-ldap.5.xml:2104
+ msgid ""
+ "Specifies whether to update the ldap_user_shadow_last_change attribute with "
+ "days since the Epoch after a password change operation."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2096
++#: sssd-ldap.5.xml:2116
+ msgid "ldap_access_filter (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2099
++#: sssd-ldap.5.xml:2119
+ msgid ""
+ "If using access_provider = ldap and ldap_access_order = filter (default), "
+ "this option is mandatory. It specifies an LDAP search filter criteria that "
+@@ -7260,12 +7439,12 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2119
++#: sssd-ldap.5.xml:2139
+ msgid "Example:"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><programlisting>
+-#: sssd-ldap.5.xml:2122
++#: sssd-ldap.5.xml:2142
+ #, no-wrap
+ msgid ""
+ "access_provider = ldap\n"
+@@ -7274,14 +7453,14 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2126
++#: sssd-ldap.5.xml:2146
+ msgid ""
+ "This example means that access to this host is restricted to users whose "
+ "employeeType attribute is set to \"admin\"."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2131
++#: sssd-ldap.5.xml:2151
+ msgid ""
+ "Offline caching for this feature is limited to determining whether the "
+ "user's last online login was granted access permission. If they were granted "
+@@ -7290,24 +7469,24 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2139 sssd-ldap.5.xml:2196
++#: sssd-ldap.5.xml:2159 sssd-ldap.5.xml:2216
+ msgid "Default: Empty"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2145
++#: sssd-ldap.5.xml:2165
+ msgid "ldap_account_expire_policy (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2148
++#: sssd-ldap.5.xml:2168
+ msgid ""
+ "With this option a client side evaluation of access control attributes can "
+ "be enabled."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2152
++#: sssd-ldap.5.xml:2172
+ msgid ""
+ "Please note that it is always recommended to use server side access control, "
+ "i.e. the LDAP server should deny the bind request with a suitable error code "
+@@ -7315,19 +7494,19 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2159
++#: sssd-ldap.5.xml:2179
+ msgid "The following values are allowed:"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2162
++#: sssd-ldap.5.xml:2182
+ msgid ""
+ "<emphasis>shadow</emphasis>: use the value of ldap_user_shadow_expire to "
+ "determine if the account is expired."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2167
++#: sssd-ldap.5.xml:2187
+ msgid ""
+ "<emphasis>ad</emphasis>: use the value of the 32bit field "
+ "ldap_user_ad_user_account_control and allow access if the second bit is not "
+@@ -7336,7 +7515,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2174
++#: sssd-ldap.5.xml:2194
+ msgid ""
+ "<emphasis>rhds</emphasis>, <emphasis>ipa</emphasis>, <emphasis>389ds</"
+ "emphasis>: use the value of ldap_ns_account_lock to check if access is "
+@@ -7344,7 +7523,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2180
++#: sssd-ldap.5.xml:2200
+ msgid ""
+ "<emphasis>nds</emphasis>: the values of "
+ "ldap_user_nds_login_allowed_time_map, ldap_user_nds_login_disabled and "
+@@ -7353,7 +7532,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2189
++#: sssd-ldap.5.xml:2209
+ msgid ""
+ "Please note that the ldap_access_order configuration option <emphasis>must</"
+ "emphasis> include <quote>expire</quote> in order for the "
+@@ -7361,22 +7540,22 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2202
++#: sssd-ldap.5.xml:2222
+ msgid "ldap_access_order (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2205
++#: sssd-ldap.5.xml:2225
+ msgid "Comma separated list of access control options.  Allowed values are:"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2209
++#: sssd-ldap.5.xml:2229
+ msgid "<emphasis>filter</emphasis>: use ldap_access_filter"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2212
++#: sssd-ldap.5.xml:2232
+ msgid ""
+ "<emphasis>lockout</emphasis>: use account locking.  If set, this option "
+ "denies access in case that ldap attribute 'pwdAccountLockedTime' is present "
+@@ -7386,14 +7565,14 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2222
++#: sssd-ldap.5.xml:2242
+ msgid ""
+ "<emphasis> Please note that this option is superseded by the <quote>ppolicy</"
+ "quote> option and might be removed in a future release.  </emphasis>"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2229
++#: sssd-ldap.5.xml:2249
+ msgid ""
+ "<emphasis>ppolicy</emphasis>: use account locking.  If set, this option "
+ "denies access in case that ldap attribute 'pwdAccountLockedTime' is present "
+@@ -7406,12 +7585,12 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2246
++#: sssd-ldap.5.xml:2266
+ msgid "<emphasis>expire</emphasis>: use ldap_account_expire_policy"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2250
++#: sssd-ldap.5.xml:2270
+ msgid ""
+ "<emphasis>pwd_expire_policy_reject, pwd_expire_policy_warn, "
+ "pwd_expire_policy_renew: </emphasis> These options are useful if users are "
+@@ -7421,7 +7600,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2260
++#: sssd-ldap.5.xml:2280
+ msgid ""
+ "The difference between these options is the action taken if user password is "
+ "expired: pwd_expire_policy_reject - user is denied to log in, "
+@@ -7431,63 +7610,63 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2268
++#: sssd-ldap.5.xml:2288
+ msgid ""
+ "Note If user password is expired no explicit message is prompted by SSSD."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2272
++#: sssd-ldap.5.xml:2292
+ msgid ""
+ "Please note that 'access_provider = ldap' must be set for this feature to "
+ "work. Also 'ldap_pwd_policy' must be set to an appropriate password policy."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2277
++#: sssd-ldap.5.xml:2297
+ msgid ""
+ "<emphasis>authorized_service</emphasis>: use the authorizedService attribute "
+ "to determine access"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2282
++#: sssd-ldap.5.xml:2302
+ msgid "<emphasis>host</emphasis>: use the host attribute to determine access"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2286
++#: sssd-ldap.5.xml:2306
+ msgid ""
+ "<emphasis>rhost</emphasis>: use the rhost attribute to determine whether "
+ "remote host can access"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2290
++#: sssd-ldap.5.xml:2310
+ msgid ""
+ "Please note, rhost field in pam is set by application, it is better to check "
+ "what the application sends to pam, before enabling this access control option"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2295
++#: sssd-ldap.5.xml:2315
+ msgid "Default: filter"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2298
++#: sssd-ldap.5.xml:2318
+ msgid ""
+ "Please note that it is a configuration error if a value is used more than "
+ "once."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2305
++#: sssd-ldap.5.xml:2325
+ msgid "ldap_pwdlockout_dn (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2308
++#: sssd-ldap.5.xml:2328
+ msgid ""
+ "This option specifies the DN of password policy entry on LDAP server. Please "
+ "note that absence of this option in sssd.conf in case of enabled account "
+@@ -7496,74 +7675,74 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2316
++#: sssd-ldap.5.xml:2336
+ msgid "Example: cn=ppolicy,ou=policies,dc=example,dc=com"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2319
++#: sssd-ldap.5.xml:2339
+ msgid "Default: cn=ppolicy,ou=policies,$ldap_search_base"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2325
++#: sssd-ldap.5.xml:2345
+ msgid "ldap_deref (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2328
++#: sssd-ldap.5.xml:2348
+ msgid ""
+ "Specifies how alias dereferencing is done when performing a search. The "
+ "following options are allowed:"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2333
++#: sssd-ldap.5.xml:2353
+ msgid "<emphasis>never</emphasis>: Aliases are never dereferenced."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2337
++#: sssd-ldap.5.xml:2357
+ msgid ""
+ "<emphasis>searching</emphasis>: Aliases are dereferenced in subordinates of "
+ "the base object, but not in locating the base object of the search."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2342
++#: sssd-ldap.5.xml:2362
+ msgid ""
+ "<emphasis>finding</emphasis>: Aliases are only dereferenced when locating "
+ "the base object of the search."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2347
++#: sssd-ldap.5.xml:2367
+ msgid ""
+ "<emphasis>always</emphasis>: Aliases are dereferenced both in searching and "
+ "in locating the base object of the search."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2352
++#: sssd-ldap.5.xml:2372
+ msgid ""
+ "Default: Empty (this is handled as <emphasis>never</emphasis> by the LDAP "
+ "client libraries)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2360
++#: sssd-ldap.5.xml:2380
+ msgid "ldap_rfc2307_fallback_to_local_users (boolean)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2363
++#: sssd-ldap.5.xml:2383
+ msgid ""
+ "Allows to retain local users as members of an LDAP group for servers that "
+ "use the RFC2307 schema."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2367
++#: sssd-ldap.5.xml:2387
+ msgid ""
+ "In some environments where the RFC2307 schema is used, local users are made "
+ "members of LDAP groups by adding their names to the memberUid attribute.  "
+@@ -7574,7 +7753,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2378
++#: sssd-ldap.5.xml:2398
+ msgid ""
+ "This option falls back to checking if local users are referenced, and caches "
+ "them so that later initgroups() calls will augment the local users with the "
+@@ -7582,24 +7761,24 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2390 sssd-ifp.5.xml:136
++#: sssd-ldap.5.xml:2410 sssd-ifp.5.xml:136
+ msgid "wildcard_limit (integer)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2393
++#: sssd-ldap.5.xml:2413
+ msgid ""
+ "Specifies an upper limit on the number of entries that are downloaded during "
+ "a wildcard lookup."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2397
++#: sssd-ldap.5.xml:2417
+ msgid "At the moment, only the InfoPipe responder supports wildcard lookups."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2401
++#: sssd-ldap.5.xml:2421
+ msgid "Default: 1000 (often the size of one page)"
+ msgstr ""
+ 
+@@ -7614,12 +7793,12 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><title>
+-#: sssd-ldap.5.xml:2411
++#: sssd-ldap.5.xml:2431
+ msgid "SUDO OPTIONS"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd-ldap.5.xml:2413
++#: sssd-ldap.5.xml:2433
+ msgid ""
+ "The detailed instructions for configuration of sudo_provider are in the "
+ "manual page <citerefentry> <refentrytitle>sssd-sudo</refentrytitle> "
+@@ -7627,208 +7806,208 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2424
++#: sssd-ldap.5.xml:2444
+ msgid "ldap_sudorule_object_class (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2427
++#: sssd-ldap.5.xml:2447
+ msgid "The object class of a sudo rule entry in LDAP."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2430
++#: sssd-ldap.5.xml:2450
+ msgid "Default: sudoRole"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2436
++#: sssd-ldap.5.xml:2456
+ msgid "ldap_sudorule_name (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2439
++#: sssd-ldap.5.xml:2459
+ msgid "The LDAP attribute that corresponds to the sudo rule name."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2449
++#: sssd-ldap.5.xml:2469
+ msgid "ldap_sudorule_command (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2452
++#: sssd-ldap.5.xml:2472
+ msgid "The LDAP attribute that corresponds to the command name."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2456
++#: sssd-ldap.5.xml:2476
+ msgid "Default: sudoCommand"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2462
++#: sssd-ldap.5.xml:2482
+ msgid "ldap_sudorule_host (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2465
++#: sssd-ldap.5.xml:2485
+ msgid ""
+ "The LDAP attribute that corresponds to the host name (or host IP address, "
+ "host IP network, or host netgroup)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2470
++#: sssd-ldap.5.xml:2490
+ msgid "Default: sudoHost"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2476
++#: sssd-ldap.5.xml:2496
+ msgid "ldap_sudorule_user (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2479
++#: sssd-ldap.5.xml:2499
+ msgid ""
+ "The LDAP attribute that corresponds to the user name (or UID, group name or "
+ "user's netgroup)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2483
++#: sssd-ldap.5.xml:2503
+ msgid "Default: sudoUser"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2489
++#: sssd-ldap.5.xml:2509
+ msgid "ldap_sudorule_option (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2492
++#: sssd-ldap.5.xml:2512
+ msgid "The LDAP attribute that corresponds to the sudo options."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2496
++#: sssd-ldap.5.xml:2516
+ msgid "Default: sudoOption"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2502
++#: sssd-ldap.5.xml:2522
+ msgid "ldap_sudorule_runasuser (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2505
++#: sssd-ldap.5.xml:2525
+ msgid ""
+ "The LDAP attribute that corresponds to the user name that commands may be "
+ "run as."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2509
++#: sssd-ldap.5.xml:2529
+ msgid "Default: sudoRunAsUser"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2515
++#: sssd-ldap.5.xml:2535
+ msgid "ldap_sudorule_runasgroup (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2518
++#: sssd-ldap.5.xml:2538
+ msgid ""
+ "The LDAP attribute that corresponds to the group name or group GID that "
+ "commands may be run as."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2522
++#: sssd-ldap.5.xml:2542
+ msgid "Default: sudoRunAsGroup"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2528
++#: sssd-ldap.5.xml:2548
+ msgid "ldap_sudorule_notbefore (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2531
++#: sssd-ldap.5.xml:2551
+ msgid ""
+ "The LDAP attribute that corresponds to the start date/time for when the sudo "
+ "rule is valid."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2535
++#: sssd-ldap.5.xml:2555
+ msgid "Default: sudoNotBefore"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2541
++#: sssd-ldap.5.xml:2561
+ msgid "ldap_sudorule_notafter (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2544
++#: sssd-ldap.5.xml:2564
+ msgid ""
+ "The LDAP attribute that corresponds to the expiration date/time, after which "
+ "the sudo rule will no longer be valid."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2549
++#: sssd-ldap.5.xml:2569
+ msgid "Default: sudoNotAfter"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2555
++#: sssd-ldap.5.xml:2575
+ msgid "ldap_sudorule_order (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2558
++#: sssd-ldap.5.xml:2578
+ msgid "The LDAP attribute that corresponds to the ordering index of the rule."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2562
++#: sssd-ldap.5.xml:2582
+ msgid "Default: sudoOrder"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2568
++#: sssd-ldap.5.xml:2588
+ msgid "ldap_sudo_full_refresh_interval (integer)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2571
++#: sssd-ldap.5.xml:2591
+ msgid ""
+ "How many seconds SSSD will wait between executing a full refresh of sudo "
+ "rules (which downloads all rules that are stored on the server)."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2576
++#: sssd-ldap.5.xml:2596
+ msgid ""
+ "The value must be greater than <emphasis>ldap_sudo_smart_refresh_interval </"
+ "emphasis>"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2581
++#: sssd-ldap.5.xml:2601
+ msgid "Default: 21600 (6 hours)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2587
++#: sssd-ldap.5.xml:2607
+ msgid "ldap_sudo_smart_refresh_interval (integer)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2590
++#: sssd-ldap.5.xml:2610
+ msgid ""
+ "How many seconds SSSD has to wait before executing a smart refresh of sudo "
+ "rules (which downloads all rules that have USN higher than the highest USN "
+@@ -7836,101 +8015,101 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2596
++#: sssd-ldap.5.xml:2616
+ msgid ""
+ "If USN attributes are not supported by the server, the modifyTimestamp "
+ "attribute is used instead."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2606
++#: sssd-ldap.5.xml:2626
+ msgid "ldap_sudo_use_host_filter (boolean)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2609
++#: sssd-ldap.5.xml:2629
+ msgid ""
+ "If true, SSSD will download only rules that are applicable to this machine "
+ "(using the IPv4 or IPv6 host/network addresses and hostnames)."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2620
++#: sssd-ldap.5.xml:2640
+ msgid "ldap_sudo_hostnames (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2623
++#: sssd-ldap.5.xml:2643
+ msgid ""
+ "Space separated list of hostnames or fully qualified domain names that "
+ "should be used to filter the rules."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2628
++#: sssd-ldap.5.xml:2648
+ msgid ""
+ "If this option is empty, SSSD will try to discover the hostname and the "
+ "fully qualified domain name automatically."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2633 sssd-ldap.5.xml:2656 sssd-ldap.5.xml:2674
+-#: sssd-ldap.5.xml:2692
++#: sssd-ldap.5.xml:2653 sssd-ldap.5.xml:2676 sssd-ldap.5.xml:2694
++#: sssd-ldap.5.xml:2712
+ msgid ""
+ "If <emphasis>ldap_sudo_use_host_filter</emphasis> is <emphasis>false</"
+ "emphasis> then this option has no effect."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2638 sssd-ldap.5.xml:2661
++#: sssd-ldap.5.xml:2658 sssd-ldap.5.xml:2681
+ msgid "Default: not specified"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2644
++#: sssd-ldap.5.xml:2664
+ msgid "ldap_sudo_ip (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2647
++#: sssd-ldap.5.xml:2667
+ msgid ""
+ "Space separated list of IPv4 or IPv6 host/network addresses that should be "
+ "used to filter the rules."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2652
++#: sssd-ldap.5.xml:2672
+ msgid ""
+ "If this option is empty, SSSD will try to discover the addresses "
+ "automatically."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2667
++#: sssd-ldap.5.xml:2687
+ msgid "ldap_sudo_include_netgroups (boolean)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2670
++#: sssd-ldap.5.xml:2690
+ msgid ""
+ "If true then SSSD will download every rule that contains a netgroup in "
+ "sudoHost attribute."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2685
++#: sssd-ldap.5.xml:2705
+ msgid "ldap_sudo_include_regexp (boolean)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2688
++#: sssd-ldap.5.xml:2708
+ msgid ""
+ "If true then SSSD will download every rule that contains a wildcard in "
+ "sudoHost attribute."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd-ldap.5.xml:2704
++#: sssd-ldap.5.xml:2724
+ msgid ""
+ "This manual page only describes attribute name mapping.  For detailed "
+ "explanation of sudo related attribute semantics, see <citerefentry> "
+@@ -7939,111 +8118,111 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><title>
+-#: sssd-ldap.5.xml:2714
++#: sssd-ldap.5.xml:2734
+ msgid "AUTOFS OPTIONS"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd-ldap.5.xml:2716
++#: sssd-ldap.5.xml:2736
+ msgid ""
+ "Some of the defaults for the parameters below are dependent on the LDAP "
+ "schema."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2722
++#: sssd-ldap.5.xml:2742
+ msgid "ldap_autofs_map_master_name (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2725
++#: sssd-ldap.5.xml:2745
+ msgid "The name of the automount master map in LDAP."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2728
++#: sssd-ldap.5.xml:2748
+ msgid "Default: auto.master"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2735
++#: sssd-ldap.5.xml:2755
+ msgid "ldap_autofs_map_object_class (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2738
++#: sssd-ldap.5.xml:2758
+ msgid "The object class of an automount map entry in LDAP."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2741
++#: sssd-ldap.5.xml:2761
+ msgid "Default: nisMap (rfc2307, autofs_provider=ad), otherwise automountMap"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2749
++#: sssd-ldap.5.xml:2769
+ msgid "ldap_autofs_map_name (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2752
++#: sssd-ldap.5.xml:2772
+ msgid "The name of an automount map entry in LDAP."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2755
++#: sssd-ldap.5.xml:2775
+ msgid ""
+ "Default: nisMapName (rfc2307, autofs_provider=ad), otherwise automountMapName"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2763
++#: sssd-ldap.5.xml:2783
+ msgid "ldap_autofs_entry_object_class (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2766
++#: sssd-ldap.5.xml:2786
+ msgid ""
+ "The object class of an automount entry in LDAP. The entry usually "
+ "corresponds to a mount point."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2771
++#: sssd-ldap.5.xml:2791
+ msgid "Default: nisObject (rfc2307, autofs_provider=ad), otherwise automount"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2779
++#: sssd-ldap.5.xml:2799
+ msgid "ldap_autofs_entry_key (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2782 sssd-ldap.5.xml:2797
++#: sssd-ldap.5.xml:2802 sssd-ldap.5.xml:2817
+ msgid ""
+ "The key of an automount entry in LDAP. The entry usually corresponds to a "
+ "mount point."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2786
++#: sssd-ldap.5.xml:2806
+ msgid "Default: cn (rfc2307, autofs_provider=ad), otherwise automountKey"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2794
++#: sssd-ldap.5.xml:2814
+ msgid "ldap_autofs_entry_value (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2801
++#: sssd-ldap.5.xml:2821
+ msgid ""
+ "Default: nisMapEntry (rfc2307, autofs_provider=ad), otherwise "
+ "automountInformation"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd-ldap.5.xml:2720
++#: sssd-ldap.5.xml:2740
+ msgid ""
+ "<placeholder type=\"variablelist\" id=\"0\"/> <placeholder type="
+ "\"variablelist\" id=\"1\"/> <placeholder type=\"variablelist\" id=\"2\"/> "
+@@ -8052,32 +8231,32 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><title>
+-#: sssd-ldap.5.xml:2812
++#: sssd-ldap.5.xml:2832
+ msgid "ADVANCED OPTIONS"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2819
++#: sssd-ldap.5.xml:2839
+ msgid "ldap_netgroup_search_base (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2824
++#: sssd-ldap.5.xml:2844
+ msgid "ldap_user_search_base (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2829
++#: sssd-ldap.5.xml:2849
+ msgid "ldap_group_search_base (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><note>
+-#: sssd-ldap.5.xml:2834
++#: sssd-ldap.5.xml:2854
+ msgid "<note>"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><note><para>
+-#: sssd-ldap.5.xml:2836
++#: sssd-ldap.5.xml:2856
+ msgid ""
+ "If the option <quote>ldap_use_tokengroups</quote> is enabled, the searches "
+ "against Active Directory will not be restricted and return all groups "
+@@ -8086,22 +8265,22 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist>
+-#: sssd-ldap.5.xml:2843
++#: sssd-ldap.5.xml:2863
+ msgid "</note>"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2845
++#: sssd-ldap.5.xml:2865
+ msgid "ldap_sudo_search_base (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2850
++#: sssd-ldap.5.xml:2870
+ msgid "ldap_autofs_search_base (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd-ldap.5.xml:2814
++#: sssd-ldap.5.xml:2834
+ msgid ""
+ "These options are supported by LDAP domains, but they should be used with "
+ "caution. Please include them in your configuration only if you know what you "
+@@ -8110,14 +8289,14 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><title>
+-#: sssd-ldap.5.xml:2865 sssd-simple.5.xml:131 sssd-ipa.5.xml:828
+-#: sssd-ad.5.xml:1063 sssd-krb5.5.xml:570 sss_rpcidmapd.5.xml:98
++#: sssd-ldap.5.xml:2885 sssd-simple.5.xml:131 sssd-ipa.5.xml:828
++#: sssd-ad.5.xml:1082 sssd-krb5.5.xml:604 sss_rpcidmapd.5.xml:98
+ #: sssd-files.5.xml:103 sssd-session-recording.5.xml:144
+ msgid "EXAMPLE"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd-ldap.5.xml:2867
++#: sssd-ldap.5.xml:2887
+ msgid ""
+ "The following example assumes that SSSD is correctly configured and LDAP is "
+ "set to one of the domains in the <replaceable>[domains]</replaceable> "
+@@ -8125,7 +8304,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><programlisting>
+-#: sssd-ldap.5.xml:2873
++#: sssd-ldap.5.xml:2893
+ #, no-wrap
+ msgid ""
+ "[domain/LDAP]\n"
+@@ -8138,27 +8317,27 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <refsect1><refsect2><para>
+-#: sssd-ldap.5.xml:2872 sssd-ldap.5.xml:2890 sssd-simple.5.xml:139
+-#: sssd-ipa.5.xml:836 sssd-ad.5.xml:1071 sssd-sudo.5.xml:56 sssd-krb5.5.xml:579
++#: sssd-ldap.5.xml:2892 sssd-ldap.5.xml:2910 sssd-simple.5.xml:139
++#: sssd-ipa.5.xml:836 sssd-ad.5.xml:1090 sssd-sudo.5.xml:56 sssd-krb5.5.xml:613
+ #: sssd-files.5.xml:110 sssd-session-recording.5.xml:150
+ #: include/ldap_id_mapping.xml:105
+ msgid "<placeholder type=\"programlisting\" id=\"0\"/>"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><title>
+-#: sssd-ldap.5.xml:2884
++#: sssd-ldap.5.xml:2904
+ msgid "LDAP ACCESS FILTER EXAMPLE"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd-ldap.5.xml:2886
++#: sssd-ldap.5.xml:2906
+ msgid ""
+ "The following example assumes that SSSD is correctly configured and to use "
+ "the ldap_access_order=lockout."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><programlisting>
+-#: sssd-ldap.5.xml:2891
++#: sssd-ldap.5.xml:2911
+ #, no-wrap
+ msgid ""
+ "[domain/LDAP]\n"
+@@ -8174,13 +8353,13 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><title>
+-#: sssd-ldap.5.xml:2906 sssd_krb5_locator_plugin.8.xml:83 sssd-simple.5.xml:148
+-#: sssd-ad.5.xml:1086 sssd.8.xml:230 sss_seed.8.xml:163
++#: sssd-ldap.5.xml:2926 sssd_krb5_locator_plugin.8.xml:83 sssd-simple.5.xml:148
++#: sssd-ad.5.xml:1105 sssd.8.xml:230 sss_seed.8.xml:163
+ msgid "NOTES"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd-ldap.5.xml:2908
++#: sssd-ldap.5.xml:2928
+ msgid ""
+ "The descriptions of some of the configuration options in this manual page "
+ "are based on the <citerefentry> <refentrytitle>ldap.conf</refentrytitle> "
+@@ -9659,7 +9838,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ipa.5.xml:128 sssd-ad.5.xml:888
++#: sssd-ipa.5.xml:128 sssd-ad.5.xml:907
+ msgid "dyndns_update (boolean)"
+ msgstr ""
+ 
+@@ -9674,7 +9853,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ipa.5.xml:140 sssd-ad.5.xml:902
++#: sssd-ipa.5.xml:140 sssd-ad.5.xml:921
+ msgid ""
+ "NOTE: On older systems (such as RHEL 5), for this behavior to work reliably, "
+ "the default Kerberos realm must be set properly in /etc/krb5.conf"
+@@ -9689,12 +9868,12 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ipa.5.xml:157 sssd-ad.5.xml:913
++#: sssd-ipa.5.xml:157 sssd-ad.5.xml:932
+ msgid "dyndns_ttl (integer)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ipa.5.xml:160 sssd-ad.5.xml:916
++#: sssd-ipa.5.xml:160 sssd-ad.5.xml:935
+ msgid ""
+ "The TTL to apply to the client DNS record when updating it.  If "
+ "dyndns_update is false this has no effect. This will override the TTL "
+@@ -9715,12 +9894,12 @@ msgid "Default: 1200 (seconds)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ipa.5.xml:177 sssd-ad.5.xml:927
++#: sssd-ipa.5.xml:177 sssd-ad.5.xml:946
+ msgid "dyndns_iface (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ipa.5.xml:180 sssd-ad.5.xml:930
++#: sssd-ipa.5.xml:180 sssd-ad.5.xml:949
+ msgid ""
+ "Optional. Applicable only when dyndns_update is true. Choose the interface "
+ "or a list of interfaces whose IP addresses should be used for dynamic DNS "
+@@ -9744,17 +9923,17 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ipa.5.xml:197 sssd-ad.5.xml:941
++#: sssd-ipa.5.xml:197 sssd-ad.5.xml:960
+ msgid "Example: dyndns_iface = em1, vnet1, vnet2"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ipa.5.xml:203 sssd-ad.5.xml:992
++#: sssd-ipa.5.xml:203 sssd-ad.5.xml:1011
+ msgid "dyndns_auth (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ipa.5.xml:206 sssd-ad.5.xml:995
++#: sssd-ipa.5.xml:206 sssd-ad.5.xml:1014
+ msgid ""
+ "Whether the nsupdate utility should use GSS-TSIG authentication for secure "
+ "updates with the DNS server, insecure updates can be sent by setting this "
+@@ -9762,7 +9941,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ipa.5.xml:212 sssd-ad.5.xml:1001
++#: sssd-ipa.5.xml:212 sssd-ad.5.xml:1020
+ msgid "Default: GSS-TSIG"
+ msgstr ""
+ 
+@@ -9796,7 +9975,7 @@ msgstr ""
+ "upptäckten används som backup-servrar."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ipa.5.xml:244 sssd-ad.5.xml:947
++#: sssd-ipa.5.xml:244 sssd-ad.5.xml:966
+ msgid "dyndns_refresh_interval (integer)"
+ msgstr ""
+ 
+@@ -9809,12 +9988,12 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ipa.5.xml:260 sssd-ad.5.xml:965
++#: sssd-ipa.5.xml:260 sssd-ad.5.xml:984
+ msgid "dyndns_update_ptr (bool)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ipa.5.xml:263 sssd-ad.5.xml:968
++#: sssd-ipa.5.xml:263 sssd-ad.5.xml:987
+ msgid ""
+ "Whether the PTR record should also be explicitly updated when updating the "
+ "client's DNS records.  Applicable only when dyndns_update is true."
+@@ -9833,50 +10012,50 @@ msgid "Default: False (disabled)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ipa.5.xml:280 sssd-ad.5.xml:979
++#: sssd-ipa.5.xml:280 sssd-ad.5.xml:998
+ msgid "dyndns_force_tcp (bool)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ipa.5.xml:283 sssd-ad.5.xml:982
++#: sssd-ipa.5.xml:283 sssd-ad.5.xml:1001
+ msgid ""
+ "Whether the nsupdate utility should default to using TCP for communicating "
+ "with the DNS server."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ipa.5.xml:287 sssd-ad.5.xml:986
++#: sssd-ipa.5.xml:287 sssd-ad.5.xml:1005
+ msgid "Default: False (let nsupdate choose the protocol)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ipa.5.xml:293 sssd-ad.5.xml:1007
++#: sssd-ipa.5.xml:293 sssd-ad.5.xml:1026
+ msgid "dyndns_server (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ipa.5.xml:296 sssd-ad.5.xml:1010
++#: sssd-ipa.5.xml:296 sssd-ad.5.xml:1029
+ msgid ""
+ "The DNS server to use when performing a DNS update. In most setups, it's "
+ "recommended to leave this option unset."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ipa.5.xml:301 sssd-ad.5.xml:1015
++#: sssd-ipa.5.xml:301 sssd-ad.5.xml:1034
+ msgid ""
+ "Setting this option makes sense for environments where the DNS server is "
+ "different from the identity server."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ipa.5.xml:306 sssd-ad.5.xml:1020
++#: sssd-ipa.5.xml:306 sssd-ad.5.xml:1039
+ msgid ""
+ "Please note that this option will be only used in fallback attempt when "
+ "previous attempt using autodetected settings failed."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ipa.5.xml:311 sssd-ad.5.xml:1025
++#: sssd-ipa.5.xml:311 sssd-ad.5.xml:1044
+ msgid "Default: None (let nsupdate choose the server)"
+ msgstr ""
+ 
+@@ -9987,26 +10166,26 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ipa.5.xml:443 sssd-ad.5.xml:1034
++#: sssd-ipa.5.xml:443 sssd-ad.5.xml:1053
+ msgid "krb5_confd_path (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ipa.5.xml:446 sssd-ad.5.xml:1037
++#: sssd-ipa.5.xml:446 sssd-ad.5.xml:1056
+ msgid ""
+ "Absolute path of a directory where SSSD should place Kerberos configuration "
+ "snippets."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ipa.5.xml:450 sssd-ad.5.xml:1041
++#: sssd-ipa.5.xml:450 sssd-ad.5.xml:1060
+ msgid ""
+ "To disable the creation of the configuration snippets set the parameter to "
+ "'none'."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ipa.5.xml:454 sssd-ad.5.xml:1045
++#: sssd-ipa.5.xml:454 sssd-ad.5.xml:1064
+ msgid ""
+ "Default: not set (krb5.include.d subdirectory of SSSD's pubconf directory)"
+ msgstr ""
+@@ -10025,7 +10204,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ipa.5.xml:471 sssd-ipa.5.xml:501 sssd-ipa.5.xml:517 sssd-ad.5.xml:452
++#: sssd-ipa.5.xml:471 sssd-ipa.5.xml:501 sssd-ipa.5.xml:517 sssd-ad.5.xml:471
+ msgid "Default: 5 (seconds)"
+ msgstr ""
+ 
+@@ -10919,12 +11098,29 @@ msgid "Default: False (seconds)"
+ msgstr "Default: False"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ad.5.xml:442
++#: sssd-ad.5.xml:441
++#, fuzzy
++#| msgid "ldap_force_upper_case_realm (boolean)"
++msgid "ad_gpo_ignore_unreadable (boolean)"
++msgstr "ldap_force_upper_case_realm (boolean)"
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
++#: sssd-ad.5.xml:444
++msgid ""
++"Normally when some group policy containers (AD object) of applicable group "
++"policy objects are not readable by SSSD then users are denied access.  This "
++"option allows to ignore group policy containers and with them associated "
++"policies if their attributes in group policy containers are not readable for "
++"SSSD."
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
++#: sssd-ad.5.xml:461
+ msgid "ad_gpo_cache_timeout (integer)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:445
++#: sssd-ad.5.xml:464
+ msgid ""
+ "The amount of time between lookups of GPO policy files against the AD "
+ "server. This will reduce the latency and load on the AD server if there are "
+@@ -10932,12 +11128,12 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ad.5.xml:458
++#: sssd-ad.5.xml:477
+ msgid "ad_gpo_map_interactive (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:461
++#: sssd-ad.5.xml:480
+ msgid ""
+ "A comma-separated list of PAM service names for which GPO-based access "
+ "control is evaluated based on the InteractiveLogonRight and "
+@@ -10945,14 +11141,14 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:467
++#: sssd-ad.5.xml:486
+ msgid ""
+ "Note: Using the Group Policy Management Editor this value is called \"Allow "
+ "log on locally\" and \"Deny log on locally\"."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
+-#: sssd-ad.5.xml:481
++#: sssd-ad.5.xml:500
+ #, no-wrap
+ msgid ""
+ "ad_gpo_map_interactive = +my_pam_service, -login\n"
+@@ -10960,7 +11156,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:472
++#: sssd-ad.5.xml:491
+ msgid ""
+ "It is possible to add another PAM service name to the default set by using "
+ "<quote>+service_name</quote> or to explicitly remove a PAM service name from "
+@@ -10972,42 +11168,42 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd-ad.5.xml:504
++#: sssd-ad.5.xml:523
+ msgid "gdm-fingerprint"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd-ad.5.xml:524
++#: sssd-ad.5.xml:543
+ msgid "lightdm"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd-ad.5.xml:529
++#: sssd-ad.5.xml:548
+ msgid "lxdm"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd-ad.5.xml:534
++#: sssd-ad.5.xml:553
+ msgid "sddm"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd-ad.5.xml:539
++#: sssd-ad.5.xml:558
+ msgid "unity"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd-ad.5.xml:544
++#: sssd-ad.5.xml:563
+ msgid "xdm"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ad.5.xml:553
++#: sssd-ad.5.xml:572
+ msgid "ad_gpo_map_remote_interactive (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:556
++#: sssd-ad.5.xml:575
+ msgid ""
+ "A comma-separated list of PAM service names for which GPO-based access "
+ "control is evaluated based on the RemoteInteractiveLogonRight and "
+@@ -11015,7 +11211,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:562
++#: sssd-ad.5.xml:581
+ msgid ""
+ "Note: Using the Group Policy Management Editor this value is called \"Allow "
+ "log on through Remote Desktop Services\" and \"Deny log on through Remote "
+@@ -11023,7 +11219,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
+-#: sssd-ad.5.xml:577
++#: sssd-ad.5.xml:596
+ #, no-wrap
+ msgid ""
+ "ad_gpo_map_remote_interactive = +my_pam_service, -sshd\n"
+@@ -11031,7 +11227,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:568
++#: sssd-ad.5.xml:587
+ msgid ""
+ "It is possible to add another PAM service name to the default set by using "
+ "<quote>+service_name</quote> or to explicitly remove a PAM service name from "
+@@ -11043,22 +11239,22 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd-ad.5.xml:585
++#: sssd-ad.5.xml:604
+ msgid "sshd"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd-ad.5.xml:590
++#: sssd-ad.5.xml:609
+ msgid "cockpit"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ad.5.xml:599
++#: sssd-ad.5.xml:618
+ msgid "ad_gpo_map_network (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:602
++#: sssd-ad.5.xml:621
+ msgid ""
+ "A comma-separated list of PAM service names for which GPO-based access "
+ "control is evaluated based on the NetworkLogonRight and "
+@@ -11066,7 +11262,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:608
++#: sssd-ad.5.xml:627
+ msgid ""
+ "Note: Using the Group Policy Management Editor this value is called \"Access "
+ "this computer from the network\" and \"Deny access to this computer from the "
+@@ -11074,7 +11270,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
+-#: sssd-ad.5.xml:623
++#: sssd-ad.5.xml:642
+ #, no-wrap
+ msgid ""
+ "ad_gpo_map_network = +my_pam_service, -ftp\n"
+@@ -11082,7 +11278,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:614
++#: sssd-ad.5.xml:633
+ msgid ""
+ "It is possible to add another PAM service name to the default set by using "
+ "<quote>+service_name</quote> or to explicitly remove a PAM service name from "
+@@ -11094,22 +11290,22 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd-ad.5.xml:631
++#: sssd-ad.5.xml:650
+ msgid "ftp"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd-ad.5.xml:636
++#: sssd-ad.5.xml:655
+ msgid "samba"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ad.5.xml:645
++#: sssd-ad.5.xml:664
+ msgid "ad_gpo_map_batch (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:648
++#: sssd-ad.5.xml:667
+ msgid ""
+ "A comma-separated list of PAM service names for which GPO-based access "
+ "control is evaluated based on the BatchLogonRight and DenyBatchLogonRight "
+@@ -11117,14 +11313,14 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:654
++#: sssd-ad.5.xml:673
+ msgid ""
+ "Note: Using the Group Policy Management Editor this value is called \"Allow "
+ "log on as a batch job\" and \"Deny log on as a batch job\"."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
+-#: sssd-ad.5.xml:668
++#: sssd-ad.5.xml:687
+ #, no-wrap
+ msgid ""
+ "ad_gpo_map_batch = +my_pam_service, -crond\n"
+@@ -11132,7 +11328,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:659
++#: sssd-ad.5.xml:678
+ msgid ""
+ "It is possible to add another PAM service name to the default set by using "
+ "<quote>+service_name</quote> or to explicitly remove a PAM service name from "
+@@ -11144,23 +11340,23 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:671
++#: sssd-ad.5.xml:690
+ msgid ""
+ "Note: Cron service name may differ depending on Linux distribution used."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd-ad.5.xml:677
++#: sssd-ad.5.xml:696
+ msgid "crond"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ad.5.xml:686
++#: sssd-ad.5.xml:705
+ msgid "ad_gpo_map_service (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:689
++#: sssd-ad.5.xml:708
+ msgid ""
+ "A comma-separated list of PAM service names for which GPO-based access "
+ "control is evaluated based on the ServiceLogonRight and "
+@@ -11168,14 +11364,14 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:695
++#: sssd-ad.5.xml:714
+ msgid ""
+ "Note: Using the Group Policy Management Editor this value is called \"Allow "
+ "log on as a service\" and \"Deny log on as a service\"."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
+-#: sssd-ad.5.xml:708
++#: sssd-ad.5.xml:727
+ #, no-wrap
+ msgid ""
+ "ad_gpo_map_service = +my_pam_service\n"
+@@ -11183,7 +11379,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:700 sssd-ad.5.xml:775
++#: sssd-ad.5.xml:719 sssd-ad.5.xml:794
+ msgid ""
+ "It is possible to add a PAM service name to the default set by using <quote>"
+ "+service_name</quote>.  Since the default set is empty, it is not possible "
+@@ -11194,19 +11390,19 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ad.5.xml:718
++#: sssd-ad.5.xml:737
+ msgid "ad_gpo_map_permit (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:721
++#: sssd-ad.5.xml:740
+ msgid ""
+ "A comma-separated list of PAM service names for which GPO-based access is "
+ "always granted, regardless of any GPO Logon Rights."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
+-#: sssd-ad.5.xml:735
++#: sssd-ad.5.xml:754
+ #, no-wrap
+ msgid ""
+ "ad_gpo_map_permit = +my_pam_service, -sudo\n"
+@@ -11214,7 +11410,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:726
++#: sssd-ad.5.xml:745
+ msgid ""
+ "It is possible to add another PAM service name to the default set by using "
+ "<quote>+service_name</quote> or to explicitly remove a PAM service name from "
+@@ -11226,29 +11422,29 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd-ad.5.xml:743
++#: sssd-ad.5.xml:762
+ msgid "polkit-1"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd-ad.5.xml:758
++#: sssd-ad.5.xml:777
+ msgid "systemd-user"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ad.5.xml:767
++#: sssd-ad.5.xml:786
+ msgid "ad_gpo_map_deny (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:770
++#: sssd-ad.5.xml:789
+ msgid ""
+ "A comma-separated list of PAM service names for which GPO-based access is "
+ "always denied, regardless of any GPO Logon Rights."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
+-#: sssd-ad.5.xml:783
++#: sssd-ad.5.xml:802
+ #, no-wrap
+ msgid ""
+ "ad_gpo_map_deny = +my_pam_service\n"
+@@ -11256,12 +11452,12 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ad.5.xml:793
++#: sssd-ad.5.xml:812
+ msgid "ad_gpo_default_right (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:796
++#: sssd-ad.5.xml:815
+ msgid ""
+ "This option defines how access control is evaluated for PAM service names "
+ "that are not explicitly listed in one of the ad_gpo_map_* options. This "
+@@ -11274,57 +11470,57 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:809
++#: sssd-ad.5.xml:828
+ msgid "Supported values for this option include:"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd-ad.5.xml:813
++#: sssd-ad.5.xml:832
+ msgid "interactive"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd-ad.5.xml:818
++#: sssd-ad.5.xml:837
+ msgid "remote_interactive"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd-ad.5.xml:823
++#: sssd-ad.5.xml:842
+ msgid "network"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd-ad.5.xml:828
++#: sssd-ad.5.xml:847
+ msgid "batch"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd-ad.5.xml:833
++#: sssd-ad.5.xml:852
+ msgid "service"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd-ad.5.xml:838
++#: sssd-ad.5.xml:857
+ msgid "permit"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd-ad.5.xml:843
++#: sssd-ad.5.xml:862
+ msgid "deny"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:849
++#: sssd-ad.5.xml:868
+ msgid "Default: deny"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ad.5.xml:855
++#: sssd-ad.5.xml:874
+ msgid "ad_maximum_machine_account_password_age (integer)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:858
++#: sssd-ad.5.xml:877
+ msgid ""
+ "SSSD will check once a day if the machine account password is older than the "
+ "given age in days and try to renew it. A value of 0 will disable the renewal "
+@@ -11332,17 +11528,17 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:864
++#: sssd-ad.5.xml:883
+ msgid "Default: 30 days"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ad.5.xml:870
++#: sssd-ad.5.xml:889
+ msgid "ad_machine_account_password_renewal_opts (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:873
++#: sssd-ad.5.xml:892
+ msgid ""
+ "This option should only be used to test the machine account renewal task. "
+ "The option expects 2 integers separated by a colon (':'). The first integer "
+@@ -11352,12 +11548,12 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:882
++#: sssd-ad.5.xml:901
+ msgid "Default: 86400:750 (24h and 15m)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:891
++#: sssd-ad.5.xml:910
+ msgid ""
+ "Optional. This option tells SSSD to automatically update the Active "
+ "Directory DNS server with the IP address of this client. The update is "
+@@ -11368,19 +11564,19 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:921
++#: sssd-ad.5.xml:940
+ msgid "Default: 3600 (seconds)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:937
++#: sssd-ad.5.xml:956
+ msgid ""
+ "Default: Use the IP addresses of the interface which is used for AD LDAP "
+ "connection"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:950
++#: sssd-ad.5.xml:969
+ msgid ""
+ "How often should the back end perform periodic DNS update in addition to the "
+ "automatic update performed when the back end goes online.  This option is "
+@@ -11390,12 +11586,12 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:973 sss_rpcidmapd.5.xml:76
++#: sssd-ad.5.xml:992 sss_rpcidmapd.5.xml:76
+ msgid "Default: True"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd-ad.5.xml:1065
++#: sssd-ad.5.xml:1084
+ msgid ""
+ "The following example assumes that SSSD is correctly configured and example."
+ "com is one of the domains in the <replaceable>[sssd]</replaceable> section. "
+@@ -11403,7 +11599,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><programlisting>
+-#: sssd-ad.5.xml:1072
++#: sssd-ad.5.xml:1091
+ #, no-wrap
+ msgid ""
+ "[domain/EXAMPLE]\n"
+@@ -11418,7 +11614,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><programlisting>
+-#: sssd-ad.5.xml:1092
++#: sssd-ad.5.xml:1111
+ #, no-wrap
+ msgid ""
+ "access_provider = ldap\n"
+@@ -11427,7 +11623,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd-ad.5.xml:1088
++#: sssd-ad.5.xml:1107
+ msgid ""
+ "The AD access control provider checks if the account is expired.  It has the "
+ "same effect as the following configuration of the LDAP provider: "
+@@ -11435,7 +11631,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd-ad.5.xml:1098
++#: sssd-ad.5.xml:1117
+ msgid ""
+ "However, unless the <quote>ad</quote> access control provider is explicitly "
+ "configured, the default access provider is <quote>permit</quote>. Please "
+@@ -11445,7 +11641,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd-ad.5.xml:1106
++#: sssd-ad.5.xml:1125
+ msgid ""
+ "When the autofs provider is set to <quote>ad</quote>, the RFC2307 schema "
+ "attribute mapping (nisMap, nisObject, ...) is used, because these attributes "
+@@ -12913,23 +13109,79 @@ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd-krb5.5.xml:505
++#, fuzzy
++#| msgid "krb5_rcache_dir (string)"
++msgid "krb5_kdcinfo_lookahead (string)"
++msgstr "krb5_rcache_dir (sträng)"
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
++#: sssd-krb5.5.xml:508
++#, fuzzy
++#| msgid ""
++#| "<quote>krb5</quote> to change the Kerberos password. See <citerefentry> "
++#| "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </"
++#| "citerefentry> for more information on configuring Kerberos."
++msgid ""
++"When krb5_use_kdcinfo is set to true, you can limit the amount of servers "
++"handed to <citerefentry> <refentrytitle>sssd_krb5_locator_plugin</"
++"refentrytitle> <manvolnum>8</manvolnum> </citerefentry>.  This might be "
++"helpful when there are too many servers discovered using SRV record."
++msgstr ""
++"<quote>krb5</quote> för att ändra Kerberoslösenordet.  Se <citerefentry> "
++"<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </"
++"citerefentry> för mer information om att konfigurera Kerberos."
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
++#: sssd-krb5.5.xml:518
++msgid ""
++"The krb5_kdcinfo_lookahead option contains two numbers seperated by a colon. "
++"The first number represents number of primary servers used and the second "
++"number specifies the number of backup servers."
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
++#: sssd-krb5.5.xml:524
++#, fuzzy
++#| msgid ""
++#| "<quote>krb5</quote> to change the Kerberos password. See <citerefentry> "
++#| "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </"
++#| "citerefentry> for more information on configuring Kerberos."
++msgid ""
++"For example <emphasis>10:0</emphasis> means that up to 10 primary servers "
++"will be handed to <citerefentry> <refentrytitle>sssd_krb5_locator_plugin</"
++"refentrytitle> <manvolnum>8</manvolnum> </citerefentry>.  but no backup "
++"servers."
++msgstr ""
++"<quote>krb5</quote> för att ändra Kerberoslösenordet.  Se <citerefentry> "
++"<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </"
++"citerefentry> för mer information om att konfigurera Kerberos."
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
++#: sssd-krb5.5.xml:533
++#, fuzzy
++#| msgid "Default: 3"
++msgid "Default: 3:1"
++msgstr "Standard: 3"
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
++#: sssd-krb5.5.xml:539
+ msgid "krb5_use_enterprise_principal (boolean)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-krb5.5.xml:508
++#: sssd-krb5.5.xml:542
+ msgid ""
+ "Specifies if the user principal should be treated as enterprise principal. "
+ "See section 5 of RFC 6806 for more details about enterprise principals."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-krb5.5.xml:514
++#: sssd-krb5.5.xml:548
+ msgid "Default: false (AD provider: true)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-krb5.5.xml:517
++#: sssd-krb5.5.xml:551
+ msgid ""
+ "The IPA provider will set to option to 'true' if it detects that the server "
+ "is capable of handling enterprise principals and the option is not set "
+@@ -12937,12 +13189,12 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-krb5.5.xml:526
++#: sssd-krb5.5.xml:560
+ msgid "krb5_map_user (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-krb5.5.xml:529
++#: sssd-krb5.5.xml:563
+ msgid ""
+ "The list of mappings is given as a comma-separated list of pairs "
+ "<quote>username:primary</quote> where <quote>username</quote> is a UNIX user "
+@@ -12952,7 +13204,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
+-#: sssd-krb5.5.xml:541
++#: sssd-krb5.5.xml:575
+ #, no-wrap
+ msgid ""
+ "krb5_realm = REALM\n"
+@@ -12960,7 +13212,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-krb5.5.xml:546
++#: sssd-krb5.5.xml:580
+ msgid ""
+ "<quote>joe</quote> and <quote>dick</quote> are UNIX user names and "
+ "<quote>juser</quote> and <quote>richard</quote> are primaries of kerberos "
+@@ -12980,7 +13232,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd-krb5.5.xml:572
++#: sssd-krb5.5.xml:606
+ msgid ""
+ "The following example assumes that SSSD is correctly configured and FOO is "
+ "one of the domains in the <replaceable>[sssd]</replaceable> section. This "
+@@ -12989,7 +13241,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><programlisting>
+-#: sssd-krb5.5.xml:580
++#: sssd-krb5.5.xml:614
+ #, no-wrap
+ msgid ""
+ "[domain/FOO]\n"
+@@ -17029,3 +17281,26 @@ msgstr ""
+ #: include/ipa_modified_defaults.xml:118
+ msgid "ldap_group_external_member = ipaExternalMember"
+ msgstr ""
++
++#~ msgid ""
++#~ "The background refresh will process users, groups and netgroups in the "
++#~ "cache."
++#~ msgstr ""
++#~ "Bakgrundsuppdateringen kommer bearbeta användare, grupper och nätgrupper "
++#~ "i cachen."
++
++#~ msgid ""
++#~ "For POSIX subdomains, setting the option in the main domain is inherited "
++#~ "in the subdomain."
++#~ msgstr ""
++#~ "För POSIX-underdomäner ärvs detta värde till underdomäner om det sätts i "
++#~ "huvuddomänen."
++
++#~ msgid ""
++#~ "For ID-mapping subdomains, auto_private_groups is already enabled for the "
++#~ "subdomains and setting it to false will not have any effect for the "
++#~ "subdomain."
++#~ msgstr ""
++#~ "För ID-mappning av underdomäner är auto_private_groups redan aktiverat "
++#~ "för underdomänerna och att sätta det till falskt kommer inte ha någon "
++#~ "effekt för underdomänen."
+diff --git a/src/man/po/tg.po b/src/man/po/tg.po
+index 427aef37e..7bee3e513 100644
+--- a/src/man/po/tg.po
++++ b/src/man/po/tg.po
+@@ -7,7 +7,7 @@ msgid ""
+ msgstr ""
+ "Project-Id-Version: sssd-docs 2.0.99\n"
+ "Report-Msgid-Bugs-To: sssd-devel@redhat.com\n"
+-"POT-Creation-Date: 2019-03-20 22:06+0100\n"
++"POT-Creation-Date: 2019-10-07 11:33+0200\n"
+ "PO-Revision-Date: 2014-12-15 12:10+0000\n"
+ "Last-Translator: Copied by Zanata <copied-by-zanata@zanata.org>\n"
+ "Language-Team: Tajik (http://www.transifex.com/projects/p/sssd/language/"
+@@ -293,10 +293,10 @@ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:133 sssd.conf.5.xml:543 sssd.conf.5.xml:840
+-#: sssd.conf.5.xml:1566 sssd.conf.5.xml:1596 sssd-ldap.5.xml:1889
+-#: sssd-ldap.5.xml:1986 sssd-ldap.5.xml:2048 sssd-ldap.5.xml:2614
+-#: sssd-ldap.5.xml:2679 sssd-ldap.5.xml:2697 sssd-ad.5.xml:227
+-#: sssd-ad.5.xml:341 sssd-ad.5.xml:907 sssd-krb5.5.xml:499
++#: sssd.conf.5.xml:1566 sssd.conf.5.xml:1596 sssd-ldap.5.xml:1908
++#: sssd-ldap.5.xml:2006 sssd-ldap.5.xml:2068 sssd-ldap.5.xml:2634
++#: sssd-ldap.5.xml:2699 sssd-ldap.5.xml:2717 sssd-ad.5.xml:227
++#: sssd-ad.5.xml:341 sssd-ad.5.xml:926 sssd-krb5.5.xml:499
+ #: sssd-secrets.5.xml:351 sssd-secrets.5.xml:364
+ msgid "Default: true"
+ msgstr "Пешфарз: true"
+@@ -315,16 +315,16 @@ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:146 sssd.conf.5.xml:540 sssd.conf.5.xml:722
+-#: sssd.conf.5.xml:1499 sssd.conf.5.xml:3106 sssd-ldap.5.xml:746
+-#: sssd-ldap.5.xml:1752 sssd-ldap.5.xml:1771 sssd-ldap.5.xml:1958
+-#: sssd-ldap.5.xml:2384 sssd-ipa.5.xml:151 sssd-ipa.5.xml:238
++#: sssd.conf.5.xml:1499 sssd.conf.5.xml:3129 sssd-ldap.5.xml:746
++#: sssd-ldap.5.xml:1759 sssd-ldap.5.xml:1778 sssd-ldap.5.xml:1978
++#: sssd-ldap.5.xml:2404 sssd-ipa.5.xml:151 sssd-ipa.5.xml:238
+ #: sssd-ipa.5.xml:559 sssd-krb5.5.xml:266 sssd-krb5.5.xml:300
+ #: sssd-krb5.5.xml:471
+ msgid "Default: false"
+ msgstr "Пешфарз: false"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para>
+-#: sssd.conf.5.xml:106 sssd.conf.5.xml:157 sssd-ldap.5.xml:2422
++#: sssd.conf.5.xml:106 sssd.conf.5.xml:157 sssd-ldap.5.xml:2442
+ #: sssd-systemtap.5.xml:82 sssd-systemtap.5.xml:143 sssd-systemtap.5.xml:210
+ #: sssd-systemtap.5.xml:248 sssd-systemtap.5.xml:304
+ msgid "<placeholder type=\"variablelist\" id=\"0\"/>"
+@@ -349,8 +349,8 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:169 sssd.conf.5.xml:1377 sssd.conf.5.xml:3122
+-#: sssd-ldap.5.xml:1623 include/ldap_id_mapping.xml:264
++#: sssd.conf.5.xml:169 sssd.conf.5.xml:1377 sssd.conf.5.xml:3145
++#: sssd-ldap.5.xml:1630 include/ldap_id_mapping.xml:264
+ msgid "Default: 10"
+ msgstr "Пешфарз: 10"
+ 
+@@ -365,7 +365,7 @@ msgid "The [sssd] section"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><title>
+-#: sssd.conf.5.xml:191 sssd.conf.5.xml:3211
++#: sssd.conf.5.xml:191 sssd.conf.5.xml:3234
+ msgid "Section parameters"
+ msgstr ""
+ 
+@@ -445,7 +445,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:259 sssd.conf.5.xml:2672
++#: sssd.conf.5.xml:259 sssd.conf.5.xml:2680
+ msgid "re_expression (string)"
+ msgstr ""
+ 
+@@ -465,12 +465,12 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:276 sssd.conf.5.xml:2720
++#: sssd.conf.5.xml:276 sssd.conf.5.xml:2728
+ msgid "full_name_format (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:279 sssd.conf.5.xml:2723
++#: sssd.conf.5.xml:279 sssd.conf.5.xml:2731
+ msgid ""
+ "A <citerefentry> <refentrytitle>printf</refentrytitle> <manvolnum>3</"
+ "manvolnum> </citerefentry>-compatible format that describes how to compose a "
+@@ -478,39 +478,39 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:290 sssd.conf.5.xml:2734
++#: sssd.conf.5.xml:290 sssd.conf.5.xml:2742
+ msgid "%1$s"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:291 sssd.conf.5.xml:2735
++#: sssd.conf.5.xml:291 sssd.conf.5.xml:2743
+ msgid "user name"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:294 sssd.conf.5.xml:2738
++#: sssd.conf.5.xml:294 sssd.conf.5.xml:2746
+ msgid "%2$s"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:297 sssd.conf.5.xml:2741
++#: sssd.conf.5.xml:297 sssd.conf.5.xml:2749
+ msgid "domain name as specified in the SSSD config file."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:303 sssd.conf.5.xml:2747
++#: sssd.conf.5.xml:303 sssd.conf.5.xml:2755
+ msgid "%3$s"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:306 sssd.conf.5.xml:2750
++#: sssd.conf.5.xml:306 sssd.conf.5.xml:2758
+ msgid ""
+ "domain flat name. Mostly usable for Active Directory domains, both directly "
+ "configured or discovered via IPA trusts."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:287 sssd.conf.5.xml:2731
++#: sssd.conf.5.xml:287 sssd.conf.5.xml:2739
+ msgid ""
+ "The following expansions are supported: <placeholder type=\"variablelist\" "
+ "id=\"0\"/>"
+@@ -635,9 +635,9 @@ msgstr ""
+ 
+ #. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:418 sssd.conf.5.xml:1166 sssd-ldap.5.xml:717
+-#: sssd-ldap.5.xml:1357 sssd-ldap.5.xml:1711 sssd-ldap.5.xml:1723
+-#: sssd-ldap.5.xml:1805 sssd-ad.5.xml:712 sssd-ad.5.xml:787 sssd.8.xml:126
+-#: sssd-krb5.5.xml:410 sssd-krb5.5.xml:556 sssd-secrets.5.xml:339
++#: sssd-ldap.5.xml:1357 sssd-ldap.5.xml:1718 sssd-ldap.5.xml:1730
++#: sssd-ldap.5.xml:1822 sssd-ad.5.xml:731 sssd-ad.5.xml:806 sssd.8.xml:126
++#: sssd-krb5.5.xml:410 sssd-krb5.5.xml:590 sssd-secrets.5.xml:339
+ #: sssd-secrets.5.xml:377 sssd-secrets.5.xml:390 sssd-secrets.5.xml:404
+ #: sssd-secrets.5.xml:415 include/ldap_id_mapping.xml:205
+ #: include/ldap_id_mapping.xml:216
+@@ -828,7 +828,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:588 sssd.conf.5.xml:1389 sssd.conf.5.xml:3172
++#: sssd.conf.5.xml:588 sssd.conf.5.xml:1389 sssd.conf.5.xml:3195
+ #: sssd-ad.5.xml:164 sssd-ad.5.xml:302 sssd-ad.5.xml:316
+ msgid "Default: Not set"
+ msgstr ""
+@@ -1150,7 +1150,7 @@ msgstr ""
+ 
+ #. type: Content of: <varlistentry><listitem><para>
+ #: sssd.conf.5.xml:859 sssd.conf.5.xml:1299 sssd.conf.5.xml:1318
+-#: sssd-krb5.5.xml:539 include/override_homedir.xml:59
++#: sssd-krb5.5.xml:573 include/override_homedir.xml:59
+ msgid "example: <placeholder type=\"programlisting\" id=\"0\"/>"
+ msgstr ""
+ 
+@@ -1571,7 +1571,7 @@ msgid "pam_pwd_expiration_warning (integer)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:1201 sssd.conf.5.xml:2153
++#: sssd.conf.5.xml:1201 sssd.conf.5.xml:2161
+ msgid "Display a warning N days before the password expires."
+ msgstr ""
+ 
+@@ -1584,7 +1584,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:1210 sssd.conf.5.xml:2156
++#: sssd.conf.5.xml:1210 sssd.conf.5.xml:2164
+ msgid ""
+ "If zero is set, then this filter is not applied, i.e. if the expiration "
+ "warning was received from backend server, it will automatically be displayed."
+@@ -1598,7 +1598,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:1220 sssd.conf.5.xml:2976 sssd.8.xml:79
++#: sssd.conf.5.xml:1220 sssd.conf.5.xml:2991 sssd.8.xml:79
+ msgid "Default: 0"
+ msgstr "Пешфарз: 0"
+ 
+@@ -1661,7 +1661,7 @@ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:1280 sssd.conf.5.xml:1305 sssd.conf.5.xml:1324
+-#: sssd.conf.5.xml:1950 sssd.conf.5.xml:2912 sssd-ldap.5.xml:2017
++#: sssd.conf.5.xml:1950 sssd.conf.5.xml:2920 sssd-ldap.5.xml:2037
+ msgid "Default: none"
+ msgstr ""
+ 
+@@ -1726,9 +1726,9 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:1338 sssd.conf.5.xml:3056 sssd-ldap.5.xml:1125
+-#: sssd-ldap.5.xml:1152 sssd-ldap.5.xml:1552 sssd-ldap.5.xml:1573
+-#: sssd-ldap.5.xml:2090 include/ldap_id_mapping.xml:244
++#: sssd.conf.5.xml:1338 sssd-ldap.5.xml:1125 sssd-ldap.5.xml:1152
++#: sssd-ldap.5.xml:1552 sssd-ldap.5.xml:1573 sssd-ldap.5.xml:2110
++#: sssd-ad.5.xml:453 include/ldap_id_mapping.xml:244
+ msgid "Default: False"
+ msgstr ""
+ 
+@@ -1826,48 +1826,48 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:1416 sssd-ad.5.xml:485 sssd-ad.5.xml:581 sssd-ad.5.xml:627
+-#: sssd-ad.5.xml:673 sssd-ad.5.xml:739
++#: sssd.conf.5.xml:1416 sssd-ad.5.xml:504 sssd-ad.5.xml:600 sssd-ad.5.xml:646
++#: sssd-ad.5.xml:692 sssd-ad.5.xml:758
+ msgid "Default: the default set of PAM service names includes:"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd.conf.5.xml:1421 sssd-ad.5.xml:489
++#: sssd.conf.5.xml:1421 sssd-ad.5.xml:508
+ msgid "login"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd.conf.5.xml:1426 sssd-ad.5.xml:494
++#: sssd.conf.5.xml:1426 sssd-ad.5.xml:513
+ msgid "su"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd.conf.5.xml:1431 sssd-ad.5.xml:499
++#: sssd.conf.5.xml:1431 sssd-ad.5.xml:518
+ msgid "su-l"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd.conf.5.xml:1436 sssd-ad.5.xml:514
++#: sssd.conf.5.xml:1436 sssd-ad.5.xml:533
+ msgid "gdm-smartcard"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd.conf.5.xml:1441 sssd-ad.5.xml:509
++#: sssd.conf.5.xml:1441 sssd-ad.5.xml:528
+ msgid "gdm-password"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd.conf.5.xml:1446 sssd-ad.5.xml:519
++#: sssd.conf.5.xml:1446 sssd-ad.5.xml:538
+ msgid "kdm"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd.conf.5.xml:1451 sssd-ad.5.xml:748
++#: sssd.conf.5.xml:1451 sssd-ad.5.xml:767
+ msgid "sudo"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd.conf.5.xml:1456 sssd-ad.5.xml:753
++#: sssd.conf.5.xml:1456 sssd-ad.5.xml:772
+ msgid "sudo-i"
+ msgstr ""
+ 
+@@ -2310,7 +2310,7 @@ msgid "FALSE = No enumerations for this domain"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:1886 sssd.conf.5.xml:2108 sssd.conf.5.xml:2283
++#: sssd.conf.5.xml:1886 sssd.conf.5.xml:2116 sssd.conf.5.xml:2291
+ msgid "Default: FALSE"
+ msgstr "Пешфарз: FALSE"
+ 
+@@ -2526,41 +2526,49 @@ msgstr ""
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:2083
+ msgid ""
+-"The background refresh will process users, groups and netgroups in the cache."
++"The background refresh will process users, groups and netgroups in the "
++"cache. For users who have performed the initgroups (get group membership for "
++"user, typically ran at login)  operation in the past, both the user entry "
++"and the group membership are updated."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2087
++#: sssd.conf.5.xml:2091
++msgid "This option is automatically inherited for all trusted domains."
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
++#: sssd.conf.5.xml:2095
+ msgid "You can consider setting this value to 3/4 * entry_cache_timeout."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2091 sssd-ldap.5.xml:784 sssd-ipa.5.xml:254
++#: sssd.conf.5.xml:2099 sssd-ldap.5.xml:784 sssd-ipa.5.xml:254
+ msgid "Default: 0 (disabled)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2097
++#: sssd.conf.5.xml:2105
+ msgid "cache_credentials (bool)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2100
++#: sssd.conf.5.xml:2108
+ msgid "Determines if user credentials are also cached in the local LDB cache"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2104
++#: sssd.conf.5.xml:2112
+ msgid "User credentials are stored in a SHA512 hash, not in plaintext"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2114
++#: sssd.conf.5.xml:2122
+ msgid "cache_credentials_minimal_first_factor_length (int)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2117
++#: sssd.conf.5.xml:2125
+ msgid ""
+ "If 2-Factor-Authentication (2FA) is used and credentials should be saved "
+ "this value determines the minimal length the first authentication factor "
+@@ -2568,24 +2576,24 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2124
++#: sssd.conf.5.xml:2132
+ msgid ""
+ "This should avoid that the short PINs of a PIN based 2FA scheme are saved in "
+ "the cache which would make them easy targets for brute-force attacks."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2129
++#: sssd.conf.5.xml:2137
+ msgid "Default: 8"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2135
++#: sssd.conf.5.xml:2143
+ msgid "account_cache_expiration (integer)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2138
++#: sssd.conf.5.xml:2146
+ msgid ""
+ "Number of days entries are left in cache after last successful login before "
+ "being removed during a cleanup of the cache. 0 means keep forever.  The "
+@@ -2594,17 +2602,17 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2145
++#: sssd.conf.5.xml:2153
+ msgid "Default: 0 (unlimited)"
+ msgstr "Пешфарз: 0 (номаҳдуд)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2150
++#: sssd.conf.5.xml:2158
+ msgid "pwd_expiration_warning (integer)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2161
++#: sssd.conf.5.xml:2169
+ msgid ""
+ "Please note that the backend server has to provide information about the "
+ "expiration time of the password.  If this information is missing, sssd "
+@@ -2613,34 +2621,34 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2168
++#: sssd.conf.5.xml:2176
+ msgid "Default: 7 (Kerberos), 0 (LDAP)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2174
++#: sssd.conf.5.xml:2182
+ msgid "id_provider (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2177
++#: sssd.conf.5.xml:2185
+ msgid ""
+ "The identification provider used for the domain.  Supported ID providers are:"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2181
++#: sssd.conf.5.xml:2189
+ msgid "<quote>proxy</quote>: Support a legacy NSS provider."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2184
++#: sssd.conf.5.xml:2192
+ msgid ""
+ "<quote>local</quote>: SSSD internal provider for local users (DEPRECATED)."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2188
++#: sssd.conf.5.xml:2196
+ msgid ""
+ "<quote>files</quote>: FILES provider. See <citerefentry> <refentrytitle>sssd-"
+ "files</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> for more "
+@@ -2648,7 +2656,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2196
++#: sssd.conf.5.xml:2204
+ msgid ""
+ "<quote>ldap</quote>: LDAP provider. See <citerefentry> <refentrytitle>sssd-"
+ "ldap</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> for more "
+@@ -2656,8 +2664,8 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2204 sssd.conf.5.xml:2309 sssd.conf.5.xml:2364
+-#: sssd.conf.5.xml:2427
++#: sssd.conf.5.xml:2212 sssd.conf.5.xml:2317 sssd.conf.5.xml:2372
++#: sssd.conf.5.xml:2435
+ msgid ""
+ "<quote>ipa</quote>: FreeIPA and Red Hat Enterprise Identity Management "
+ "provider. See <citerefentry> <refentrytitle>sssd-ipa</refentrytitle> "
+@@ -2666,8 +2674,8 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2213 sssd.conf.5.xml:2318 sssd.conf.5.xml:2373
+-#: sssd.conf.5.xml:2436
++#: sssd.conf.5.xml:2221 sssd.conf.5.xml:2326 sssd.conf.5.xml:2381
++#: sssd.conf.5.xml:2444
+ msgid ""
+ "<quote>ad</quote>: Active Directory provider. See <citerefentry> "
+ "<refentrytitle>sssd-ad</refentrytitle> <manvolnum>5</manvolnum> </"
+@@ -2675,19 +2683,19 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2224
++#: sssd.conf.5.xml:2232
+ msgid "use_fully_qualified_names (bool)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2227
++#: sssd.conf.5.xml:2235
+ msgid ""
+ "Use the full name and domain (as formatted by the domain's full_name_format) "
+ "as the user's login name reported to NSS."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2232
++#: sssd.conf.5.xml:2240
+ msgid ""
+ "If set to TRUE, all requests to this domain must use fully qualified names. "
+ "For example, if used in LOCAL domain that contains a \"test\" user, "
+@@ -2696,7 +2704,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2240
++#: sssd.conf.5.xml:2248
+ msgid ""
+ "NOTE: This option has no effect on netgroup lookups due to their tendency to "
+ "include nested netgroups without qualified names. For netgroups, all domains "
+@@ -2704,22 +2712,22 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2247
++#: sssd.conf.5.xml:2255
+ msgid "Default: FALSE (TRUE if default_domain_suffix is used)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2253
++#: sssd.conf.5.xml:2261
+ msgid "ignore_group_members (bool)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2256
++#: sssd.conf.5.xml:2264
+ msgid "Do not return group members for group lookups."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2259
++#: sssd.conf.5.xml:2267
+ msgid ""
+ "If set to TRUE, the group membership attribute is not requested from the "
+ "ldap server, and group members are not returned when processing group lookup "
+@@ -2731,7 +2739,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2277
++#: sssd.conf.5.xml:2285
+ msgid ""
+ "Enabling this option can also make access provider checks for group "
+ "membership significantly faster, especially for groups containing many "
+@@ -2739,19 +2747,19 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2288
++#: sssd.conf.5.xml:2296
+ msgid "auth_provider (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2291
++#: sssd.conf.5.xml:2299
+ msgid ""
+ "The authentication provider used for the domain.  Supported auth providers "
+ "are:"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2295 sssd.conf.5.xml:2357
++#: sssd.conf.5.xml:2303 sssd.conf.5.xml:2365
+ msgid ""
+ "<quote>ldap</quote> for native LDAP authentication. See <citerefentry> "
+ "<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
+@@ -2759,7 +2767,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2302
++#: sssd.conf.5.xml:2310
+ msgid ""
+ "<quote>krb5</quote> for Kerberos authentication. See <citerefentry> "
+ "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </"
+@@ -2767,35 +2775,35 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2326
++#: sssd.conf.5.xml:2334
+ msgid ""
+ "<quote>proxy</quote> for relaying authentication to some other PAM target."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2329
++#: sssd.conf.5.xml:2337
+ msgid "<quote>local</quote>: SSSD internal provider for local users"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2333
++#: sssd.conf.5.xml:2341
+ msgid "<quote>none</quote> disables authentication explicitly."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2336
++#: sssd.conf.5.xml:2344
+ msgid ""
+ "Default: <quote>id_provider</quote> is used if it is set and can handle "
+ "authentication requests."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2342
++#: sssd.conf.5.xml:2350
+ msgid "access_provider (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2345
++#: sssd.conf.5.xml:2353
+ msgid ""
+ "The access control provider used for the domain.  There are two built-in "
+ "access providers (in addition to any included in installed backends)  "
+@@ -2803,19 +2811,19 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2351
++#: sssd.conf.5.xml:2359
+ msgid ""
+ "<quote>permit</quote> always allow access. It's the only permitted access "
+ "provider for a local domain."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2354
++#: sssd.conf.5.xml:2362
+ msgid "<quote>deny</quote> always deny access."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2381
++#: sssd.conf.5.xml:2389
+ msgid ""
+ "<quote>simple</quote> access control based on access or deny lists. See "
+ "<citerefentry> <refentrytitle>sssd-simple</refentrytitle> <manvolnum>5</"
+@@ -2824,7 +2832,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2388
++#: sssd.conf.5.xml:2396
+ msgid ""
+ "<quote>krb5</quote>: .k5login based access control.  See <citerefentry> "
+ "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum></"
+@@ -2832,29 +2840,29 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2395
++#: sssd.conf.5.xml:2403
+ msgid "<quote>proxy</quote> for relaying access control to another PAM module."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2398
++#: sssd.conf.5.xml:2406
+ msgid "Default: <quote>permit</quote>"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2403
++#: sssd.conf.5.xml:2411
+ msgid "chpass_provider (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2406
++#: sssd.conf.5.xml:2414
+ msgid ""
+ "The provider which should handle change password operations for the domain.  "
+ "Supported change password providers are:"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2411
++#: sssd.conf.5.xml:2419
+ msgid ""
+ "<quote>ldap</quote> to change a password stored in a LDAP server. See "
+ "<citerefentry> <refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</"
+@@ -2862,7 +2870,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2419
++#: sssd.conf.5.xml:2427
+ msgid ""
+ "<quote>krb5</quote> to change the Kerberos password. See <citerefentry> "
+ "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </"
+@@ -2870,35 +2878,35 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2444
++#: sssd.conf.5.xml:2452
+ msgid ""
+ "<quote>proxy</quote> for relaying password changes to some other PAM target."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2448
++#: sssd.conf.5.xml:2456
+ msgid "<quote>none</quote> disallows password changes explicitly."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2451
++#: sssd.conf.5.xml:2459
+ msgid ""
+ "Default: <quote>auth_provider</quote> is used if it is set and can handle "
+ "change password requests."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2458
++#: sssd.conf.5.xml:2466
+ msgid "sudo_provider (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2461
++#: sssd.conf.5.xml:2469
+ msgid "The SUDO provider used for the domain.  Supported SUDO providers are:"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2465
++#: sssd.conf.5.xml:2473
+ msgid ""
+ "<quote>ldap</quote> for rules stored in LDAP. See <citerefentry> "
+ "<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
+@@ -2906,32 +2914,32 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2473
++#: sssd.conf.5.xml:2481
+ msgid ""
+ "<quote>ipa</quote> the same as <quote>ldap</quote> but with IPA default "
+ "settings."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2477
++#: sssd.conf.5.xml:2485
+ msgid ""
+ "<quote>ad</quote> the same as <quote>ldap</quote> but with AD default "
+ "settings."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2481
++#: sssd.conf.5.xml:2489
+ msgid "<quote>none</quote> disables SUDO explicitly."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2484 sssd.conf.5.xml:2570 sssd.conf.5.xml:2640
+-#: sssd.conf.5.xml:2665
++#: sssd.conf.5.xml:2492 sssd.conf.5.xml:2578 sssd.conf.5.xml:2648
++#: sssd.conf.5.xml:2673
+ msgid "Default: The value of <quote>id_provider</quote> is used if it is set."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2488
++#: sssd.conf.5.xml:2496
+ msgid ""
+ "The detailed instructions for configuration of sudo_provider are in the "
+ "manual page <citerefentry> <refentrytitle>sssd-sudo</refentrytitle> "
+@@ -2942,7 +2950,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2503
++#: sssd.conf.5.xml:2511
+ msgid ""
+ "<emphasis>NOTE:</emphasis> Sudo rules are periodically downloaded in the "
+ "background unless the sudo provider is explicitly disabled. Set "
+@@ -2951,12 +2959,12 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2513
++#: sssd.conf.5.xml:2521
+ msgid "selinux_provider (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2516
++#: sssd.conf.5.xml:2524
+ msgid ""
+ "The provider which should handle loading of selinux settings. Note that this "
+ "provider will be called right after access provider ends.  Supported selinux "
+@@ -2964,7 +2972,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2522
++#: sssd.conf.5.xml:2530
+ msgid ""
+ "<quote>ipa</quote> to load selinux settings from an IPA server. See "
+ "<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</"
+@@ -2972,31 +2980,31 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2530
++#: sssd.conf.5.xml:2538
+ msgid "<quote>none</quote> disallows fetching selinux settings explicitly."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2533
++#: sssd.conf.5.xml:2541
+ msgid ""
+ "Default: <quote>id_provider</quote> is used if it is set and can handle "
+ "selinux loading requests."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2539
++#: sssd.conf.5.xml:2547
+ msgid "subdomains_provider (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2542
++#: sssd.conf.5.xml:2550
+ msgid ""
+ "The provider which should handle fetching of subdomains. This value should "
+ "be always the same as id_provider.  Supported subdomain providers are:"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2548
++#: sssd.conf.5.xml:2556
+ msgid ""
+ "<quote>ipa</quote> to load a list of subdomains from an IPA server. See "
+ "<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</"
+@@ -3004,7 +3012,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2557
++#: sssd.conf.5.xml:2565
+ msgid ""
+ "<quote>ad</quote> to load a list of subdomains from an Active Directory "
+ "server. See <citerefentry> <refentrytitle>sssd-ad</refentrytitle> "
+@@ -3013,17 +3021,17 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2566
++#: sssd.conf.5.xml:2574
+ msgid "<quote>none</quote> disallows fetching subdomains explicitly."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2576
++#: sssd.conf.5.xml:2584
+ msgid "session_provider (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2579
++#: sssd.conf.5.xml:2587
+ msgid ""
+ "The provider which configures and manages user session related tasks. The "
+ "only user session task currently provided is the integration with Fleet "
+@@ -3031,43 +3039,43 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2586
++#: sssd.conf.5.xml:2594
+ msgid "<quote>ipa</quote> to allow performing user session related tasks."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2590
++#: sssd.conf.5.xml:2598
+ msgid ""
+ "<quote>none</quote> does not perform any kind of user session related tasks."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2594
++#: sssd.conf.5.xml:2602
+ msgid ""
+ "Default: <quote>id_provider</quote> is used if it is set and can perform "
+ "session related tasks."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2598
++#: sssd.conf.5.xml:2606
+ msgid ""
+ "<emphasis>NOTE:</emphasis> In order to have this feature working as expected "
+ "SSSD must be running as \"root\" and not as the unprivileged user."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2606
++#: sssd.conf.5.xml:2614
+ msgid "autofs_provider (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2609
++#: sssd.conf.5.xml:2617
+ msgid ""
+ "The autofs provider used for the domain.  Supported autofs providers are:"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2613
++#: sssd.conf.5.xml:2621
+ msgid ""
+ "<quote>ldap</quote> to load maps stored in LDAP. See <citerefentry> "
+ "<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
+@@ -3075,7 +3083,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2620
++#: sssd.conf.5.xml:2628
+ msgid ""
+ "<quote>ipa</quote> to load maps stored in an IPA server. See <citerefentry> "
+ "<refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</manvolnum> </"
+@@ -3083,7 +3091,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2628
++#: sssd.conf.5.xml:2636
+ msgid ""
+ "<quote>ad</quote> to load maps stored in an AD server. See <citerefentry> "
+ "<refentrytitle>sssd-ad</refentrytitle> <manvolnum>5</manvolnum> </"
+@@ -3091,24 +3099,24 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2637
++#: sssd.conf.5.xml:2645
+ msgid "<quote>none</quote> disables autofs explicitly."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2647
++#: sssd.conf.5.xml:2655
+ msgid "hostid_provider (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2650
++#: sssd.conf.5.xml:2658
+ msgid ""
+ "The provider used for retrieving host identity information.  Supported "
+ "hostid providers are:"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2654
++#: sssd.conf.5.xml:2662
+ msgid ""
+ "<quote>ipa</quote> to load host identity stored in an IPA server. See "
+ "<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</"
+@@ -3116,12 +3124,12 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2662
++#: sssd.conf.5.xml:2670
+ msgid "<quote>none</quote> disables hostid explicitly."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2675
++#: sssd.conf.5.xml:2683
+ msgid ""
+ "Regular expression for this domain that describes how to parse the string "
+ "containing user name and domain into these components.  The \"domain\" can "
+@@ -3131,7 +3139,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2684
++#: sssd.conf.5.xml:2692
+ msgid ""
+ "Default for the AD and IPA provider: <quote>(((?P&lt;domain&gt;[^\\\\]+)\\"
+ "\\(?P&lt;name&gt;.+$))|((?P&lt;name&gt;[^@]+)@(?P&lt;domain&gt;.+$))|(^(?"
+@@ -3140,29 +3148,29 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd.conf.5.xml:2689
++#: sssd.conf.5.xml:2697
+ msgid "username"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd.conf.5.xml:2692
++#: sssd.conf.5.xml:2700
+ msgid "username@domain.name"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd.conf.5.xml:2695
++#: sssd.conf.5.xml:2703
+ msgid "domain\\username"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2698
++#: sssd.conf.5.xml:2706
+ msgid ""
+ "While the first two correspond to the general default the third one is "
+ "introduced to allow easy integration of users from Windows domains."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2703
++#: sssd.conf.5.xml:2711
+ msgid ""
+ "Default: <quote>(?P&lt;name&gt;[^@]+)@?(?P&lt;domain&gt;[^@]*$)</quote> "
+ "which translates to \"the name is everything up to the <quote>@</quote> "
+@@ -3170,7 +3178,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2709
++#: sssd.conf.5.xml:2717
+ msgid ""
+ "NOTE: Some Active Directory groups, typically those used for MS Exchange "
+ "contain an <quote>@</quote> sign in the name, which clashes with the default "
+@@ -3180,59 +3188,59 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2760
++#: sssd.conf.5.xml:2768
+ msgid "Default: <quote>%1$s@%2$s</quote>."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2766
++#: sssd.conf.5.xml:2774
+ msgid "lookup_family_order (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2769
++#: sssd.conf.5.xml:2777
+ msgid ""
+ "Provides the ability to select preferred address family to use when "
+ "performing DNS lookups."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2773
++#: sssd.conf.5.xml:2781
+ msgid "Supported values:"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2776
++#: sssd.conf.5.xml:2784
+ msgid "ipv4_first: Try looking up IPv4 address, if that fails, try IPv6"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2779
++#: sssd.conf.5.xml:2787
+ msgid "ipv4_only: Only attempt to resolve hostnames to IPv4 addresses."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2782
++#: sssd.conf.5.xml:2790
+ msgid "ipv6_first: Try looking up IPv6 address, if that fails, try IPv4"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2785
++#: sssd.conf.5.xml:2793
+ msgid "ipv6_only: Only attempt to resolve hostnames to IPv6 addresses."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2788
++#: sssd.conf.5.xml:2796
+ msgid "Default: ipv4_first"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2794
++#: sssd.conf.5.xml:2802
+ msgid "dns_resolver_timeout (integer)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2797
++#: sssd.conf.5.xml:2805
+ msgid ""
+ "Defines the amount of time (in seconds) to wait for a reply from the "
+ "internal fail over service before assuming that the service is unreachable. "
+@@ -3241,77 +3249,77 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2804
++#: sssd.conf.5.xml:2812
+ msgid ""
+ "Please see the section <quote>FAILOVER</quote> for more information about "
+ "the service resolution."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2809 sssd-ldap.5.xml:1434 sssd-ldap.5.xml:1476
++#: sssd.conf.5.xml:2817 sssd-ldap.5.xml:1434 sssd-ldap.5.xml:1476
+ #: sssd-ldap.5.xml:1494 sssd-krb5.5.xml:248
+ msgid "Default: 6"
+ msgstr "Пешфарз: 6"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2815
++#: sssd.conf.5.xml:2823
+ msgid "dns_discovery_domain (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2818
++#: sssd.conf.5.xml:2826
+ msgid ""
+ "If service discovery is used in the back end, specifies the domain part of "
+ "the service discovery DNS query."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2822
++#: sssd.conf.5.xml:2830
+ msgid "Default: Use the domain part of machine's hostname"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2828
++#: sssd.conf.5.xml:2836
+ msgid "override_gid (integer)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2831
++#: sssd.conf.5.xml:2839
+ msgid "Override the primary GID value with the one specified."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2837
++#: sssd.conf.5.xml:2845
+ msgid "case_sensitive (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2845
++#: sssd.conf.5.xml:2853
+ msgid "True"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2848
++#: sssd.conf.5.xml:2856
+ msgid "Case sensitive. This value is invalid for AD provider."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2854
++#: sssd.conf.5.xml:2862
+ msgid "False"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2856
++#: sssd.conf.5.xml:2864
+ msgid "Case insensitive."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2860
++#: sssd.conf.5.xml:2868
+ msgid "Preserving"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2863
++#: sssd.conf.5.xml:2871
+ msgid ""
+ "Same as False (case insensitive), but does not lowercase names in the result "
+ "of NSS operations. Note that name aliases (and in case of services also "
+@@ -3319,7 +3327,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2840
++#: sssd.conf.5.xml:2848
+ msgid ""
+ "Treat user and group names as case sensitive. At the moment, this option is "
+ "not supported in the local provider. Possible option values are: "
+@@ -3327,17 +3335,17 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2875
++#: sssd.conf.5.xml:2883
+ msgid "Default: True (False for AD provider)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2881
++#: sssd.conf.5.xml:2889
+ msgid "subdomain_inherit (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2884
++#: sssd.conf.5.xml:2892
+ msgid ""
+ "Specifies a list of configuration parameters that should be inherited by a "
+ "subdomain. Please note that only selected parameters can be inherited.  "
+@@ -3345,34 +3353,34 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2890
++#: sssd.conf.5.xml:2898
+ msgid "ignore_group_members"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2893
++#: sssd.conf.5.xml:2901
+ msgid "ldap_purge_cache_timeout"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2896 sssd-ldap.5.xml:1158
++#: sssd.conf.5.xml:2904 sssd-ldap.5.xml:1158
+ msgid "ldap_use_tokengroups"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2899
++#: sssd.conf.5.xml:2907
+ msgid "ldap_user_principal"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2902
++#: sssd.conf.5.xml:2910
+ msgid ""
+ "ldap_krb5_keytab (the value of krb5_keytab will be used if ldap_krb5_keytab "
+ "is not set explicitly)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
+-#: sssd.conf.5.xml:2908
++#: sssd.conf.5.xml:2916
+ #, no-wrap
+ msgid ""
+ "subdomain_inherit = ldap_purge_cache_timeout\n"
+@@ -3380,32 +3388,32 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2906 sssd-secrets.5.xml:448
++#: sssd.conf.5.xml:2914 sssd-secrets.5.xml:448
+ msgid "Example: <placeholder type=\"programlisting\" id=\"0\"/>"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2915
++#: sssd.conf.5.xml:2923
+ msgid "Note: This option only works with the IPA and AD provider."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2922
++#: sssd.conf.5.xml:2930
+ msgid "subdomain_homedir (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2933
++#: sssd.conf.5.xml:2941
+ msgid "%F"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2934
++#: sssd.conf.5.xml:2942
+ msgid "flat (NetBIOS) name of a subdomain."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2925
++#: sssd.conf.5.xml:2933
+ msgid ""
+ "Use this homedir as default value for all subdomains within this domain in "
+ "IPA AD trust.  See <emphasis>override_homedir</emphasis> for info about "
+@@ -3415,47 +3423,55 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2939
++#: sssd.conf.5.xml:2947
+ msgid ""
+ "The value can be overridden by <emphasis>override_homedir</emphasis> option."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2943
++#: sssd.conf.5.xml:2951
+ msgid "Default: <filename>/home/%d/%u</filename>"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2948
++#: sssd.conf.5.xml:2956
+ msgid "realmd_tags (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2951
++#: sssd.conf.5.xml:2959
+ msgid ""
+ "Various tags stored by the realmd configuration service for this domain."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2957
++#: sssd.conf.5.xml:2965
+ msgid "cached_auth_timeout (int)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2960
++#: sssd.conf.5.xml:2968
+ msgid ""
+ "Specifies time in seconds since last successful online authentication for "
+ "which user will be authenticated using cached credentials while SSSD is in "
+-"the online mode."
++"the online mode. If the credentials are incorrect, SSSD falls back to online "
++"authentication."
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
++#: sssd.conf.5.xml:2976
++msgid ""
++"This option's value is inherited by all trusted domains. At the moment it is "
++"not possible to set a different value per trusted domain."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2966
++#: sssd.conf.5.xml:2981
+ msgid "Special value 0 implies that this feature is disabled."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2970
++#: sssd.conf.5.xml:2985
+ msgid ""
+ "Please note that if <quote>cached_auth_timeout</quote> is longer than "
+ "<quote>pam_id_timeout</quote> then the back end could be called to handle "
+@@ -3463,41 +3479,50 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2981
++#: sssd.conf.5.xml:2996
+ msgid "auto_private_groups (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2987
++#: sssd.conf.5.xml:3002
+ msgid "true"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2990
++#: sssd.conf.5.xml:3005
+ msgid ""
+ "Create user's private group unconditionally from user's UID number.  The GID "
+ "number is ignored in this case."
+ msgstr ""
+ 
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
++#: sssd.conf.5.xml:3009
++msgid ""
++"NOTE: Because the GID number and the user private group are inferred from "
++"the UID number, it is not supported to have multiple entries with the same "
++"UID or GID number with this option. In other words, enabling this option "
++"enforces uniqueness across the ID space."
++msgstr ""
++
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2996
++#: sssd.conf.5.xml:3018
+ msgid "false"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2999
++#: sssd.conf.5.xml:3021
+ msgid ""
+ "Always use the user's primary GID number. The GID number must refer to a "
+ "group object in the LDAP database."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:3005
++#: sssd.conf.5.xml:3027
+ msgid "hybrid"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3008
++#: sssd.conf.5.xml:3030
+ msgid ""
+ "A primary group is autogenerated for user entries whose UID and GID numbers "
+ "have the same value and at the same time the GID number does not correspond "
+@@ -3507,14 +3532,14 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3021
++#: sssd.conf.5.xml:3043
+ msgid ""
+ "If the UID and GID of a user are different, then the GID must correspond to "
+ "a group entry, otherwise the GID is simply not resolvable."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3028
++#: sssd.conf.5.xml:3050
+ msgid ""
+ "This feature is useful for environments that wish to stop maintaining a "
+ "separate group objects for the user private groups, but also wish to retain "
+@@ -3522,34 +3547,43 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2984
++#: sssd.conf.5.xml:2999
+ msgid ""
+ "This option takes any of three available values: <placeholder type="
+ "\"variablelist\" id=\"0\"/>"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3040
++#: sssd.conf.5.xml:3062
+ msgid ""
+-"For POSIX subdomains, setting the option in the main domain is inherited in "
+-"the subdomain."
++"For subdomains, the default value is False for subdomains that use assigned "
++"POSIX IDs and True for subdomains that use automatic ID-mapping."
+ msgstr ""
+ 
+-#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3044
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
++#: sssd.conf.5.xml:3070
++#, no-wrap
++msgid ""
++"[domain/forest.domain/sub.domain]\n"
++"auto_private_groups = false\n"
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
++#: sssd.conf.5.xml:3076
++#, no-wrap
+ msgid ""
+-"For ID-mapping subdomains, auto_private_groups is already enabled for the "
+-"subdomains and setting it to false will not have any effect for the "
+-"subdomain."
++"[domain/forest.domain]\n"
++"subdomain_inherit = auto_private_groups\n"
++"auto_private_groups = false\n"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3049
++#: sssd.conf.5.xml:3067
+ msgid ""
+-"NOTE: Because the GID number and the user private group are inferred from "
+-"the UID number, it is not supported to have multiple entries with the same "
+-"UID or GID number with this option. In other words, enabling this option "
+-"enforces uniqueness across the ID space."
++"The value of auto_private_groups can either be set per subdomains in a "
++"subsection, for example: <placeholder type=\"programlisting\" id=\"0\"/> or "
++"globally for all subdomains in the main domain section using the "
++"subdomain_inherit option: <placeholder type=\"programlisting\" id=\"1\"/>"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+@@ -3561,29 +3595,29 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:3068
++#: sssd.conf.5.xml:3091
+ msgid "proxy_pam_target (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3071
++#: sssd.conf.5.xml:3094
+ msgid "The proxy target PAM proxies to."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3074
++#: sssd.conf.5.xml:3097
+ msgid ""
+ "Default: not set by default, you have to take an existing pam configuration "
+ "or create a new one and add the service name here."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:3082
++#: sssd.conf.5.xml:3105
+ msgid "proxy_lib_name (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3085
++#: sssd.conf.5.xml:3108
+ msgid ""
+ "The name of the NSS library to use in proxy domains. The NSS functions "
+ "searched for in the library are in the form of _nss_$(libName)_$(function), "
+@@ -3591,12 +3625,12 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:3095
++#: sssd.conf.5.xml:3118
+ msgid "proxy_fast_alias (boolean)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3098
++#: sssd.conf.5.xml:3121
+ msgid ""
+ "When a user or group is looked up by name in the proxy provider, a second "
+ "lookup by ID is performed to \"canonicalize\" the name in case the requested "
+@@ -3605,12 +3639,12 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:3112
++#: sssd.conf.5.xml:3135
+ msgid "proxy_max_children (integer)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3115
++#: sssd.conf.5.xml:3138
+ msgid ""
+ "This option specifies the number of pre-forked proxy children. It is useful "
+ "for high-load SSSD environments where sssd may run out of available child "
+@@ -3618,19 +3652,19 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd.conf.5.xml:3064
++#: sssd.conf.5.xml:3087
+ msgid ""
+ "Options valid for proxy domains.  <placeholder type=\"variablelist\" id="
+ "\"0\"/>"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><title>
+-#: sssd.conf.5.xml:3131
++#: sssd.conf.5.xml:3154
+ msgid "Application domains"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para>
+-#: sssd.conf.5.xml:3133
++#: sssd.conf.5.xml:3156
+ msgid ""
+ "SSSD, with its D-Bus interface (see <citerefentry> <refentrytitle>sssd-ifp</"
+ "refentrytitle> <manvolnum>5</manvolnum> </citerefentry>) is appealing to "
+@@ -3647,7 +3681,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para>
+-#: sssd.conf.5.xml:3153
++#: sssd.conf.5.xml:3176
+ msgid ""
+ "Please note that the application domain must still be explicitly enabled in "
+ "the <quote>domains</quote> parameter so that the lookup order between the "
+@@ -3655,17 +3689,17 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><title>
+-#: sssd.conf.5.xml:3159
++#: sssd.conf.5.xml:3182
+ msgid "Application domain parameters"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:3161
++#: sssd.conf.5.xml:3184
+ msgid "inherit_from (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3164
++#: sssd.conf.5.xml:3187
+ msgid ""
+ "The SSSD POSIX-type domain the application domain inherits all settings "
+ "from. The application domain can moreover add its own settings to the "
+@@ -3674,7 +3708,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para>
+-#: sssd.conf.5.xml:3178
++#: sssd.conf.5.xml:3201
+ msgid ""
+ "The following example illustrates the use of an application domain. In this "
+ "setup, the POSIX domain is connected to an LDAP server and is used by the OS "
+@@ -3684,7 +3718,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><programlisting>
+-#: sssd.conf.5.xml:3186
++#: sssd.conf.5.xml:3209
+ #, no-wrap
+ msgid ""
+ "[sssd]\n"
+@@ -3704,12 +3738,12 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><title>
+-#: sssd.conf.5.xml:3204
++#: sssd.conf.5.xml:3227
+ msgid "The local domain section"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para>
+-#: sssd.conf.5.xml:3206
++#: sssd.conf.5.xml:3229
+ msgid ""
+ "This section contains settings for domain that stores users and groups in "
+ "SSSD native database, that is, a domain that uses "
+@@ -3717,73 +3751,73 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:3213
++#: sssd.conf.5.xml:3236
+ msgid "default_shell (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3216
++#: sssd.conf.5.xml:3239
+ msgid "The default shell for users created with SSSD userspace tools."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3220
++#: sssd.conf.5.xml:3243
+ msgid "Default: <filename>/bin/bash</filename>"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:3225
++#: sssd.conf.5.xml:3248
+ msgid "base_directory (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3228
++#: sssd.conf.5.xml:3251
+ msgid ""
+ "The tools append the login name to <replaceable>base_directory</replaceable> "
+ "and use that as the home directory."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3233
++#: sssd.conf.5.xml:3256
+ msgid "Default: <filename>/home</filename>"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:3238
++#: sssd.conf.5.xml:3261
+ msgid "create_homedir (bool)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3241
++#: sssd.conf.5.xml:3264
+ msgid ""
+ "Indicate if a home directory should be created by default for new users.  "
+ "Can be overridden on command line."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3245 sssd.conf.5.xml:3257
++#: sssd.conf.5.xml:3268 sssd.conf.5.xml:3280
+ msgid "Default: TRUE"
+ msgstr "Пешфарз: TRUE"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:3250
++#: sssd.conf.5.xml:3273
+ msgid "remove_homedir (bool)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3253
++#: sssd.conf.5.xml:3276
+ msgid ""
+ "Indicate if a home directory should be removed by default for deleted "
+ "users.  Can be overridden on command line."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:3262
++#: sssd.conf.5.xml:3285
+ msgid "homedir_umask (integer)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3265
++#: sssd.conf.5.xml:3288
+ msgid ""
+ "Used by <citerefentry> <refentrytitle>sss_useradd</refentrytitle> "
+ "<manvolnum>8</manvolnum> </citerefentry> to specify the default permissions "
+@@ -3791,17 +3825,17 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3273
++#: sssd.conf.5.xml:3296
+ msgid "Default: 077"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:3278
++#: sssd.conf.5.xml:3301
+ msgid "skel_dir (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3281
++#: sssd.conf.5.xml:3304
+ msgid ""
+ "The skeleton directory, which contains files and directories to be copied in "
+ "the user's home directory, when the home directory is created by "
+@@ -3810,17 +3844,17 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3291
++#: sssd.conf.5.xml:3314
+ msgid "Default: <filename>/etc/skel</filename>"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:3296
++#: sssd.conf.5.xml:3319
+ msgid "mail_dir (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3299
++#: sssd.conf.5.xml:3322
+ msgid ""
+ "The mail spool directory. This is needed to manipulate the mailbox when its "
+ "corresponding user account is modified or deleted.  If not specified, a "
+@@ -3828,17 +3862,17 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3306
++#: sssd.conf.5.xml:3329
+ msgid "Default: <filename>/var/mail</filename>"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:3311
++#: sssd.conf.5.xml:3334
+ msgid "userdel_cmd (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3314
++#: sssd.conf.5.xml:3337
+ msgid ""
+ "The command that is run after a user is removed.  The command us passed the "
+ "username of the user being removed as the first and only parameter. The "
+@@ -3846,17 +3880,17 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3320
++#: sssd.conf.5.xml:3343
+ msgid "Default: None, no command is run"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><title>
+-#: sssd.conf.5.xml:3330
++#: sssd.conf.5.xml:3353
+ msgid "TRUSTED DOMAIN SECTION"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd.conf.5.xml:3332
++#: sssd.conf.5.xml:3355
+ msgid ""
+ "Some options used in the domain section can also be used in the trusted "
+ "domain section, that is, in a section called <quote>[domain/"
+@@ -3867,64 +3901,178 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd.conf.5.xml:3339
++#: sssd.conf.5.xml:3362
+ msgid "ldap_search_base,"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd.conf.5.xml:3340
++#: sssd.conf.5.xml:3363
+ msgid "ldap_user_search_base,"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd.conf.5.xml:3341
++#: sssd.conf.5.xml:3364
+ msgid "ldap_group_search_base,"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd.conf.5.xml:3342
++#: sssd.conf.5.xml:3365
+ msgid "ldap_netgroup_search_base,"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd.conf.5.xml:3343
++#: sssd.conf.5.xml:3366
+ msgid "ldap_service_search_base,"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd.conf.5.xml:3344
++#: sssd.conf.5.xml:3367
++msgid "ldap_sasl_mech,"
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para>
++#: sssd.conf.5.xml:3368
+ msgid "ad_server,"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd.conf.5.xml:3345
++#: sssd.conf.5.xml:3369
+ msgid "ad_backup_server,"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd.conf.5.xml:3346
++#: sssd.conf.5.xml:3370
+ msgid "ad_site,"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para>
+-#: sssd.conf.5.xml:3347 sssd-ipa.5.xml:782
++#: sssd.conf.5.xml:3371 sssd-ipa.5.xml:782
+ msgid "use_fully_qualified_names"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd.conf.5.xml:3349
++#: sssd.conf.5.xml:3373
+ msgid ""
+ "For more details about these options see their individual description in the "
+ "manual page."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><title>
+-#: sssd.conf.5.xml:3355 idmap_sss.8.xml:43
++#: sssd.conf.5.xml:3379
++msgid "PROMPTING CONFIGURATION SECTION"
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para>
++#: sssd.conf.5.xml:3381
++msgid ""
++"If a special file (<filename>/var/lib/sss/pubconf/pam_preauth_available</"
++"filename>)  exists SSSD's PAM module pam_sss will ask SSSD to figure out "
++"which authentication methods are available for the user trying to log in.  "
++"Based on the results pam_sss will prompt the user for appropriate "
++"credentials."
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para>
++#: sssd.conf.5.xml:3389
++msgid ""
++"With the growing number of authentication methods and the possibility that "
++"there are multiple ones for a single user the heuristic used by pam_sss to "
++"select the prompting might not be suitable for all use cases. To following "
++"options should provide a better flexibility here."
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
++#: sssd.conf.5.xml:3401
++msgid "[prompting/password]"
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
++#: sssd.conf.5.xml:3404
++#, fuzzy
++#| msgid "password"
++msgid "password_prompt"
++msgstr "парол"
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
++#: sssd.conf.5.xml:3405
++msgid "to change the string of the password prompt"
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
++#: sssd.conf.5.xml:3403
++msgid ""
++"to configure password prompting, allowed options are: <placeholder type="
++"\"variablelist\" id=\"0\"/>"
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
++#: sssd.conf.5.xml:3413
++msgid "[prompting/2fa]"
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
++#: sssd.conf.5.xml:3417
++msgid "first_prompt"
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
++#: sssd.conf.5.xml:3418
++msgid "to change the string of the prompt for the first factor"
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
++#: sssd.conf.5.xml:3421
++msgid "second_prompt"
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
++#: sssd.conf.5.xml:3422
++msgid "to change the string of the prompt for the second factor"
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
++#: sssd.conf.5.xml:3425
++msgid "single_prompt"
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
++#: sssd.conf.5.xml:3426
++msgid ""
++"boolean value, if True there will be only a single prompt using the value of "
++"first_prompt where it is expected that both factor are entered as a single "
++"string"
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
++#: sssd.conf.5.xml:3415
++msgid ""
++"to configure two-factor authentication prompting, allowed options are: "
++"<placeholder type=\"variablelist\" id=\"0\"/>"
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para>
++#: sssd.conf.5.xml:3396
++msgid ""
++"Each supported authentication method has it's own configuration sub-section "
++"under <quote>[prompting/...]</quote>. Currently there are: <placeholder type="
++"\"variablelist\" id=\"0\"/> <placeholder type=\"variablelist\" id=\"1\"/>"
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para>
++#: sssd.conf.5.xml:3438
++msgid ""
++"It is possible to add a sub-section for specific PAM services like e.g. "
++"<quote>[prompting/password/sshd]</quote> to individual change the prompting "
++"for this service."
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><title>
++#: sssd.conf.5.xml:3445 idmap_sss.8.xml:43
+ msgid "EXAMPLES"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><programlisting>
+-#: sssd.conf.5.xml:3361
++#: sssd.conf.5.xml:3451
+ #, no-wrap
+ msgid ""
+ "[sssd]\n"
+@@ -3954,7 +4102,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd.conf.5.xml:3357
++#: sssd.conf.5.xml:3447
+ msgid ""
+ "1. The following example shows a typical SSSD config. It does not describe "
+ "configuration of the domains themselves - refer to documentation on "
+@@ -3963,7 +4111,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><programlisting>
+-#: sssd.conf.5.xml:3394
++#: sssd.conf.5.xml:3484
+ #, no-wrap
+ msgid ""
+ "[domain/ipa.com/child.ad.com]\n"
+@@ -3971,7 +4119,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd.conf.5.xml:3388
++#: sssd.conf.5.xml:3478
+ msgid ""
+ "2. The following example shows configuration of IPA AD trust where the AD "
+ "forest consists of two domains in a parent-child structure.  Suppose IPA "
+@@ -4872,7 +5020,7 @@ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:797 sssd-ldap.5.xml:1199 sssd-ldap.5.xml:1273
+-#: sssd-ldap.5.xml:1382 sssd-ldap.5.xml:2443 sssd-ipa.5.xml:607
++#: sssd-ldap.5.xml:1382 sssd-ldap.5.xml:2463 sssd-ipa.5.xml:607
+ msgid "Default: cn"
+ msgstr ""
+ 
+@@ -5577,7 +5725,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1511 sssd-ldap.5.xml:2600
++#: sssd-ldap.5.xml:1511 sssd-ldap.5.xml:2620
+ msgid "Default: 900 (15 minutes)"
+ msgstr ""
+ 
+@@ -5680,11 +5828,16 @@ msgstr ""
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:1604
+ msgid ""
+-"You can turn off dereference lookups completely by setting the value to 0."
++"You can turn off dereference lookups completely by setting the value to 0. "
++"Please note that there are some codepaths in SSSD, like the IPA HBAC "
++"provider, that are only implemented using the dereference call, so even with "
++"dereference explicitly disabled, those parts will still use dereference if "
++"the server supports it and advertises the dereference control in the rootDSE "
++"object."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1608
++#: sssd-ldap.5.xml:1615
+ msgid ""
+ "A dereference lookup is a means of fetching all group members in a single "
+ "LDAP call.  Different LDAP servers may implement different dereference "
+@@ -5693,7 +5846,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1616
++#: sssd-ldap.5.xml:1623
+ msgid ""
+ "<emphasis>Note:</emphasis> If any of the search bases specifies a search "
+ "filter, then the dereference lookup performance enhancement will be disabled "
+@@ -5701,26 +5854,26 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1629
++#: sssd-ldap.5.xml:1636
+ msgid "ldap_tls_reqcert (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1632
++#: sssd-ldap.5.xml:1639
+ msgid ""
+ "Specifies what checks to perform on server certificates in a TLS session, if "
+ "any. It can be specified as one of the following values:"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1638
++#: sssd-ldap.5.xml:1645
+ msgid ""
+ "<emphasis>never</emphasis> = The client will not request or check any server "
+ "certificate."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1642
++#: sssd-ldap.5.xml:1649
+ msgid ""
+ "<emphasis>allow</emphasis> = The server certificate is requested. If no "
+ "certificate is provided, the session proceeds normally. If a bad certificate "
+@@ -5728,7 +5881,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1649
++#: sssd-ldap.5.xml:1656
+ msgid ""
+ "<emphasis>try</emphasis> = The server certificate is requested. If no "
+ "certificate is provided, the session proceeds normally. If a bad certificate "
+@@ -5736,7 +5889,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1655
++#: sssd-ldap.5.xml:1662
+ msgid ""
+ "<emphasis>demand</emphasis> = The server certificate is requested. If no "
+ "certificate is provided, or a bad certificate is provided, the session is "
+@@ -5744,41 +5897,41 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1661
++#: sssd-ldap.5.xml:1668
+ msgid "<emphasis>hard</emphasis> = Same as <quote>demand</quote>"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1665
++#: sssd-ldap.5.xml:1672
+ msgid "Default: hard"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1671
++#: sssd-ldap.5.xml:1678
+ msgid "ldap_tls_cacert (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1674
++#: sssd-ldap.5.xml:1681
+ msgid ""
+ "Specifies the file that contains certificates for all of the Certificate "
+ "Authorities that <command>sssd</command> will recognize."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1679 sssd-ldap.5.xml:1697 sssd-ldap.5.xml:1738
++#: sssd-ldap.5.xml:1686 sssd-ldap.5.xml:1704 sssd-ldap.5.xml:1745
+ msgid ""
+ "Default: use OpenLDAP defaults, typically in <filename>/etc/openldap/ldap."
+ "conf</filename>"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1686
++#: sssd-ldap.5.xml:1693
+ msgid "ldap_tls_cacertdir (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1689
++#: sssd-ldap.5.xml:1696
+ msgid ""
+ "Specifies the path of a directory that contains Certificate Authority "
+ "certificates in separate individual files. Typically the file names need to "
+@@ -5787,32 +5940,32 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1704
++#: sssd-ldap.5.xml:1711
+ msgid "ldap_tls_cert (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1707
++#: sssd-ldap.5.xml:1714
+ msgid "Specifies the file that contains the certificate for the client's key."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1717
++#: sssd-ldap.5.xml:1724
+ msgid "ldap_tls_key (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1720
++#: sssd-ldap.5.xml:1727
+ msgid "Specifies the file that contains the client's key."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1729
++#: sssd-ldap.5.xml:1736
+ msgid "ldap_tls_cipher_suite (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1732
++#: sssd-ldap.5.xml:1739
+ msgid ""
+ "Specifies acceptable cipher suites.  Typically this is a colon separated "
+ "list.  See <citerefentry><refentrytitle>ldap.conf</refentrytitle> "
+@@ -5820,24 +5973,24 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1745
++#: sssd-ldap.5.xml:1752
+ msgid "ldap_id_use_start_tls (boolean)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1748
++#: sssd-ldap.5.xml:1755
+ msgid ""
+ "Specifies that the id_provider connection must also use <systemitem class="
+ "\"protocol\">tls</systemitem> to protect the channel."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1758
++#: sssd-ldap.5.xml:1765
+ msgid "ldap_id_mapping (boolean)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1761
++#: sssd-ldap.5.xml:1768
+ msgid ""
+ "Specifies that SSSD should attempt to map user and group IDs from the "
+ "ldap_user_objectsid and ldap_group_objectsid attributes instead of relying "
+@@ -5845,17 +5998,17 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1767
++#: sssd-ldap.5.xml:1774
+ msgid "Currently this feature supports only ActiveDirectory objectSID mapping."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1777
++#: sssd-ldap.5.xml:1784
+ msgid "ldap_min_id, ldap_max_id (integer)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1780
++#: sssd-ldap.5.xml:1787
+ msgid ""
+ "In contrast to the SID based ID mapping which is used if ldap_id_mapping is "
+ "set to true the allowed ID range for ldap_user_uid_number and "
+@@ -5866,29 +6019,40 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1792
++#: sssd-ldap.5.xml:1799
+ msgid "Default: not set (both options are set to 0)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1798
++#: sssd-ldap.5.xml:1805
+ msgid "ldap_sasl_mech (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1801
++#: sssd-ldap.5.xml:1808
+ msgid ""
+-"Specify the SASL mechanism to use.  Currently only GSSAPI is tested and "
+-"supported."
++"Specify the SASL mechanism to use.  Currently only GSSAPI and GSS-SPNEGO are "
++"tested and supported."
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
++#: sssd-ldap.5.xml:1812
++msgid ""
++"If the backend supports sub-domains the value of ldap_sasl_mech is "
++"automatically inherited to the sub-domains. If a different value is needed "
++"for a sub-domain it can be overwritten by setting ldap_sasl_mech for this "
++"sub-domain explicitly.  Please see TRUSTED DOMAIN SECTION in "
++"<citerefentry><refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</"
++"manvolnum></citerefentry> for details."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1811
++#: sssd-ldap.5.xml:1828
+ msgid "ldap_sasl_authid (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
+-#: sssd-ldap.5.xml:1822
++#: sssd-ldap.5.xml:1840
+ #, no-wrap
+ msgid ""
+ "hostname@REALM\n"
+@@ -5901,29 +6065,29 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1814
++#: sssd-ldap.5.xml:1831
+ msgid ""
+-"Specify the SASL authorization id to use.  When GSSAPI is used, this "
+-"represents the Kerberos principal used for authentication to the directory.  "
+-"This option can either contain the full principal (for example host/"
+-"myhost@EXAMPLE.COM) or just the principal name (for example host/myhost). By "
+-"default, the value is not set and the following principals are used: "
+-"<placeholder type=\"programlisting\" id=\"0\"/> If none of them are found, "
+-"the first principal in keytab is returned."
++"Specify the SASL authorization id to use.  When GSSAPI/GSS-SPNEGO are used, "
++"this represents the Kerberos principal used for authentication to the "
++"directory.  This option can either contain the full principal (for example "
++"host/myhost@EXAMPLE.COM) or just the principal name (for example host/"
++"myhost).  By default, the value is not set and the following principals are "
++"used: <placeholder type=\"programlisting\" id=\"0\"/> If none of them are "
++"found, the first principal in keytab is returned."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1833
++#: sssd-ldap.5.xml:1851
+ msgid "Default: host/hostname@REALM"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1839
++#: sssd-ldap.5.xml:1857
+ msgid "ldap_sasl_realm (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1842
++#: sssd-ldap.5.xml:1860
+ msgid ""
+ "Specify the SASL realm to use. When not specified, this option defaults to "
+ "the value of krb5_realm.  If the ldap_sasl_authid contains the realm as "
+@@ -5931,77 +6095,78 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1848
++#: sssd-ldap.5.xml:1866
+ msgid "Default: the value of krb5_realm."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1854
++#: sssd-ldap.5.xml:1872
+ msgid "ldap_sasl_canonicalize (boolean)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1857
++#: sssd-ldap.5.xml:1875
+ msgid ""
+ "If set to true, the LDAP library would perform a reverse lookup to "
+ "canonicalize the host name during a SASL bind."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1862
++#: sssd-ldap.5.xml:1880
+ msgid "Default: false;"
+ msgstr "Пешфарз: false;"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1868
++#: sssd-ldap.5.xml:1886
+ msgid "ldap_krb5_keytab (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1871
+-msgid "Specify the keytab to use when using SASL/GSSAPI."
++#: sssd-ldap.5.xml:1889
++msgid "Specify the keytab to use when using SASL/GSSAPI/GSS-SPNEGO."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1874
++#: sssd-ldap.5.xml:1893
+ msgid "Default: System keytab, normally <filename>/etc/krb5.keytab</filename>"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1880
++#: sssd-ldap.5.xml:1899
+ msgid "ldap_krb5_init_creds (boolean)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1883
++#: sssd-ldap.5.xml:1902
+ msgid ""
+ "Specifies that the id_provider should init Kerberos credentials (TGT).  This "
+ "action is performed only if SASL is used and the mechanism selected is "
+-"GSSAPI."
++"GSSAPI or GSS-SPNEGO."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1895
++#: sssd-ldap.5.xml:1914
+ msgid "ldap_krb5_ticket_lifetime (integer)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1898
+-msgid "Specifies the lifetime in seconds of the TGT if GSSAPI is used."
++#: sssd-ldap.5.xml:1917
++msgid ""
++"Specifies the lifetime in seconds of the TGT if GSSAPI or GSS-SPNEGO is used."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1902 sssd-ad.5.xml:959
++#: sssd-ldap.5.xml:1921 sssd-ad.5.xml:978
+ msgid "Default: 86400 (24 hours)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1908 sssd-krb5.5.xml:74
++#: sssd-ldap.5.xml:1927 sssd-krb5.5.xml:74
+ msgid "krb5_server, krb5_backup_server (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1911
++#: sssd-ldap.5.xml:1930
+ msgid ""
+ "Specifies the comma-separated list of IP addresses or hostnames of the "
+ "Kerberos servers to which SSSD should connect in the order of preference. "
+@@ -6013,7 +6178,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1923 sssd-krb5.5.xml:89
++#: sssd-ldap.5.xml:1942 sssd-krb5.5.xml:89
+ msgid ""
+ "When using service discovery for KDC or kpasswd servers, SSSD first searches "
+ "for DNS entries that specify _udp as the protocol and falls back to _tcp if "
+@@ -6021,7 +6186,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1928 sssd-krb5.5.xml:94
++#: sssd-ldap.5.xml:1947 sssd-krb5.5.xml:94
+ msgid ""
+ "This option was named <quote>krb5_kdcip</quote> in earlier releases of SSSD. "
+ "While the legacy name is recognized for the time being, users are advised to "
+@@ -6029,39 +6194,39 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1937 sssd-ipa.5.xml:428 sssd-krb5.5.xml:103
++#: sssd-ldap.5.xml:1956 sssd-ipa.5.xml:428 sssd-krb5.5.xml:103
+ msgid "krb5_realm (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1940
+-msgid "Specify the Kerberos REALM (for SASL/GSSAPI auth)."
++#: sssd-ldap.5.xml:1959
++msgid "Specify the Kerberos REALM (for SASL/GSSAPI/GSS-SPNEGO auth)."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1943
++#: sssd-ldap.5.xml:1963
+ msgid "Default: System defaults, see <filename>/etc/krb5.conf</filename>"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1949 sssd-krb5.5.xml:462
++#: sssd-ldap.5.xml:1969 sssd-krb5.5.xml:462
+ msgid "krb5_canonicalize (boolean)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1952
++#: sssd-ldap.5.xml:1972
+ msgid ""
+ "Specifies if the host principal should be canonicalized when connecting to "
+ "LDAP server. This feature is available with MIT Kerberos >= 1.7"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1964 sssd-krb5.5.xml:477
++#: sssd-ldap.5.xml:1984 sssd-krb5.5.xml:477
+ msgid "krb5_use_kdcinfo (boolean)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1967 sssd-krb5.5.xml:480
++#: sssd-ldap.5.xml:1987 sssd-krb5.5.xml:480
+ msgid ""
+ "Specifies if the SSSD should instruct the Kerberos libraries what realm and "
+ "which KDCs to use. This option is on by default, if you disable it, you need "
+@@ -6071,7 +6236,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1978 sssd-krb5.5.xml:491
++#: sssd-ldap.5.xml:1998 sssd-krb5.5.xml:491
+ msgid ""
+ "See the <citerefentry> <refentrytitle>sssd_krb5_locator_plugin</"
+ "refentrytitle> <manvolnum>8</manvolnum> </citerefentry> manual page for more "
+@@ -6079,26 +6244,26 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1992
++#: sssd-ldap.5.xml:2012
+ msgid "ldap_pwd_policy (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1995
++#: sssd-ldap.5.xml:2015
+ msgid ""
+ "Select the policy to evaluate the password expiration on the client side. "
+ "The following values are allowed:"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2000
++#: sssd-ldap.5.xml:2020
+ msgid ""
+ "<emphasis>none</emphasis> - No evaluation on the client side. This option "
+ "cannot disable server-side password policies."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2005
++#: sssd-ldap.5.xml:2025
+ msgid ""
+ "<emphasis>shadow</emphasis> - Use <citerefentry><refentrytitle>shadow</"
+ "refentrytitle> <manvolnum>5</manvolnum></citerefentry> style attributes to "
+@@ -6106,7 +6271,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2011
++#: sssd-ldap.5.xml:2031
+ msgid ""
+ "<emphasis>mit_kerberos</emphasis> - Use the attributes used by MIT Kerberos "
+ "to determine if the password has expired. Use chpass_provider=krb5 to update "
+@@ -6114,31 +6279,31 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2020
++#: sssd-ldap.5.xml:2040
+ msgid ""
+ "<emphasis>Note</emphasis>: if a password policy is configured on server "
+ "side, it always takes precedence over policy set with this option."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2028
++#: sssd-ldap.5.xml:2048
+ msgid "ldap_referrals (boolean)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2031
++#: sssd-ldap.5.xml:2051
+ msgid "Specifies whether automatic referral chasing should be enabled."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2035
++#: sssd-ldap.5.xml:2055
+ msgid ""
+ "Please note that sssd only supports referral chasing when it is compiled "
+ "with OpenLDAP version 2.4.13 or higher."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2040
++#: sssd-ldap.5.xml:2060
+ msgid ""
+ "Chasing referrals may incur a performance penalty in environments that use "
+ "them heavily, a notable example is Microsoft Active Directory. If your setup "
+@@ -6147,56 +6312,56 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2054
++#: sssd-ldap.5.xml:2074
+ msgid "ldap_dns_service_name (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2057
++#: sssd-ldap.5.xml:2077
+ msgid "Specifies the service name to use when service discovery is enabled."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2061
++#: sssd-ldap.5.xml:2081
+ msgid "Default: ldap"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2067
++#: sssd-ldap.5.xml:2087
+ msgid "ldap_chpass_dns_service_name (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2070
++#: sssd-ldap.5.xml:2090
+ msgid ""
+ "Specifies the service name to use to find an LDAP server which allows "
+ "password changes when service discovery is enabled."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2075
++#: sssd-ldap.5.xml:2095
+ msgid "Default: not set, i.e. service discovery is disabled"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2081
++#: sssd-ldap.5.xml:2101
+ msgid "ldap_chpass_update_last_change (bool)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2084
++#: sssd-ldap.5.xml:2104
+ msgid ""
+ "Specifies whether to update the ldap_user_shadow_last_change attribute with "
+ "days since the Epoch after a password change operation."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2096
++#: sssd-ldap.5.xml:2116
+ msgid "ldap_access_filter (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2099
++#: sssd-ldap.5.xml:2119
+ msgid ""
+ "If using access_provider = ldap and ldap_access_order = filter (default), "
+ "this option is mandatory. It specifies an LDAP search filter criteria that "
+@@ -6212,12 +6377,12 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2119
++#: sssd-ldap.5.xml:2139
+ msgid "Example:"
+ msgstr "Намуна:"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><programlisting>
+-#: sssd-ldap.5.xml:2122
++#: sssd-ldap.5.xml:2142
+ #, no-wrap
+ msgid ""
+ "access_provider = ldap\n"
+@@ -6226,14 +6391,14 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2126
++#: sssd-ldap.5.xml:2146
+ msgid ""
+ "This example means that access to this host is restricted to users whose "
+ "employeeType attribute is set to \"admin\"."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2131
++#: sssd-ldap.5.xml:2151
+ msgid ""
+ "Offline caching for this feature is limited to determining whether the "
+ "user's last online login was granted access permission. If they were granted "
+@@ -6242,24 +6407,24 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2139 sssd-ldap.5.xml:2196
++#: sssd-ldap.5.xml:2159 sssd-ldap.5.xml:2216
+ msgid "Default: Empty"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2145
++#: sssd-ldap.5.xml:2165
+ msgid "ldap_account_expire_policy (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2148
++#: sssd-ldap.5.xml:2168
+ msgid ""
+ "With this option a client side evaluation of access control attributes can "
+ "be enabled."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2152
++#: sssd-ldap.5.xml:2172
+ msgid ""
+ "Please note that it is always recommended to use server side access control, "
+ "i.e. the LDAP server should deny the bind request with a suitable error code "
+@@ -6267,19 +6432,19 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2159
++#: sssd-ldap.5.xml:2179
+ msgid "The following values are allowed:"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2162
++#: sssd-ldap.5.xml:2182
+ msgid ""
+ "<emphasis>shadow</emphasis>: use the value of ldap_user_shadow_expire to "
+ "determine if the account is expired."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2167
++#: sssd-ldap.5.xml:2187
+ msgid ""
+ "<emphasis>ad</emphasis>: use the value of the 32bit field "
+ "ldap_user_ad_user_account_control and allow access if the second bit is not "
+@@ -6288,7 +6453,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2174
++#: sssd-ldap.5.xml:2194
+ msgid ""
+ "<emphasis>rhds</emphasis>, <emphasis>ipa</emphasis>, <emphasis>389ds</"
+ "emphasis>: use the value of ldap_ns_account_lock to check if access is "
+@@ -6296,7 +6461,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2180
++#: sssd-ldap.5.xml:2200
+ msgid ""
+ "<emphasis>nds</emphasis>: the values of "
+ "ldap_user_nds_login_allowed_time_map, ldap_user_nds_login_disabled and "
+@@ -6305,7 +6470,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2189
++#: sssd-ldap.5.xml:2209
+ msgid ""
+ "Please note that the ldap_access_order configuration option <emphasis>must</"
+ "emphasis> include <quote>expire</quote> in order for the "
+@@ -6313,22 +6478,22 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2202
++#: sssd-ldap.5.xml:2222
+ msgid "ldap_access_order (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2205
++#: sssd-ldap.5.xml:2225
+ msgid "Comma separated list of access control options.  Allowed values are:"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2209
++#: sssd-ldap.5.xml:2229
+ msgid "<emphasis>filter</emphasis>: use ldap_access_filter"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2212
++#: sssd-ldap.5.xml:2232
+ msgid ""
+ "<emphasis>lockout</emphasis>: use account locking.  If set, this option "
+ "denies access in case that ldap attribute 'pwdAccountLockedTime' is present "
+@@ -6338,14 +6503,14 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2222
++#: sssd-ldap.5.xml:2242
+ msgid ""
+ "<emphasis> Please note that this option is superseded by the <quote>ppolicy</"
+ "quote> option and might be removed in a future release.  </emphasis>"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2229
++#: sssd-ldap.5.xml:2249
+ msgid ""
+ "<emphasis>ppolicy</emphasis>: use account locking.  If set, this option "
+ "denies access in case that ldap attribute 'pwdAccountLockedTime' is present "
+@@ -6358,12 +6523,12 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2246
++#: sssd-ldap.5.xml:2266
+ msgid "<emphasis>expire</emphasis>: use ldap_account_expire_policy"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2250
++#: sssd-ldap.5.xml:2270
+ msgid ""
+ "<emphasis>pwd_expire_policy_reject, pwd_expire_policy_warn, "
+ "pwd_expire_policy_renew: </emphasis> These options are useful if users are "
+@@ -6373,7 +6538,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2260
++#: sssd-ldap.5.xml:2280
+ msgid ""
+ "The difference between these options is the action taken if user password is "
+ "expired: pwd_expire_policy_reject - user is denied to log in, "
+@@ -6383,63 +6548,63 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2268
++#: sssd-ldap.5.xml:2288
+ msgid ""
+ "Note If user password is expired no explicit message is prompted by SSSD."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2272
++#: sssd-ldap.5.xml:2292
+ msgid ""
+ "Please note that 'access_provider = ldap' must be set for this feature to "
+ "work. Also 'ldap_pwd_policy' must be set to an appropriate password policy."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2277
++#: sssd-ldap.5.xml:2297
+ msgid ""
+ "<emphasis>authorized_service</emphasis>: use the authorizedService attribute "
+ "to determine access"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2282
++#: sssd-ldap.5.xml:2302
+ msgid "<emphasis>host</emphasis>: use the host attribute to determine access"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2286
++#: sssd-ldap.5.xml:2306
+ msgid ""
+ "<emphasis>rhost</emphasis>: use the rhost attribute to determine whether "
+ "remote host can access"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2290
++#: sssd-ldap.5.xml:2310
+ msgid ""
+ "Please note, rhost field in pam is set by application, it is better to check "
+ "what the application sends to pam, before enabling this access control option"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2295
++#: sssd-ldap.5.xml:2315
+ msgid "Default: filter"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2298
++#: sssd-ldap.5.xml:2318
+ msgid ""
+ "Please note that it is a configuration error if a value is used more than "
+ "once."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2305
++#: sssd-ldap.5.xml:2325
+ msgid "ldap_pwdlockout_dn (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2308
++#: sssd-ldap.5.xml:2328
+ msgid ""
+ "This option specifies the DN of password policy entry on LDAP server. Please "
+ "note that absence of this option in sssd.conf in case of enabled account "
+@@ -6448,74 +6613,74 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2316
++#: sssd-ldap.5.xml:2336
+ msgid "Example: cn=ppolicy,ou=policies,dc=example,dc=com"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2319
++#: sssd-ldap.5.xml:2339
+ msgid "Default: cn=ppolicy,ou=policies,$ldap_search_base"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2325
++#: sssd-ldap.5.xml:2345
+ msgid "ldap_deref (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2328
++#: sssd-ldap.5.xml:2348
+ msgid ""
+ "Specifies how alias dereferencing is done when performing a search. The "
+ "following options are allowed:"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2333
++#: sssd-ldap.5.xml:2353
+ msgid "<emphasis>never</emphasis>: Aliases are never dereferenced."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2337
++#: sssd-ldap.5.xml:2357
+ msgid ""
+ "<emphasis>searching</emphasis>: Aliases are dereferenced in subordinates of "
+ "the base object, but not in locating the base object of the search."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2342
++#: sssd-ldap.5.xml:2362
+ msgid ""
+ "<emphasis>finding</emphasis>: Aliases are only dereferenced when locating "
+ "the base object of the search."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2347
++#: sssd-ldap.5.xml:2367
+ msgid ""
+ "<emphasis>always</emphasis>: Aliases are dereferenced both in searching and "
+ "in locating the base object of the search."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2352
++#: sssd-ldap.5.xml:2372
+ msgid ""
+ "Default: Empty (this is handled as <emphasis>never</emphasis> by the LDAP "
+ "client libraries)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2360
++#: sssd-ldap.5.xml:2380
+ msgid "ldap_rfc2307_fallback_to_local_users (boolean)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2363
++#: sssd-ldap.5.xml:2383
+ msgid ""
+ "Allows to retain local users as members of an LDAP group for servers that "
+ "use the RFC2307 schema."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2367
++#: sssd-ldap.5.xml:2387
+ msgid ""
+ "In some environments where the RFC2307 schema is used, local users are made "
+ "members of LDAP groups by adding their names to the memberUid attribute.  "
+@@ -6526,7 +6691,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2378
++#: sssd-ldap.5.xml:2398
+ msgid ""
+ "This option falls back to checking if local users are referenced, and caches "
+ "them so that later initgroups() calls will augment the local users with the "
+@@ -6534,24 +6699,24 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2390 sssd-ifp.5.xml:136
++#: sssd-ldap.5.xml:2410 sssd-ifp.5.xml:136
+ msgid "wildcard_limit (integer)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2393
++#: sssd-ldap.5.xml:2413
+ msgid ""
+ "Specifies an upper limit on the number of entries that are downloaded during "
+ "a wildcard lookup."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2397
++#: sssd-ldap.5.xml:2417
+ msgid "At the moment, only the InfoPipe responder supports wildcard lookups."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2401
++#: sssd-ldap.5.xml:2421
+ msgid "Default: 1000 (often the size of one page)"
+ msgstr ""
+ 
+@@ -6566,12 +6731,12 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><title>
+-#: sssd-ldap.5.xml:2411
++#: sssd-ldap.5.xml:2431
+ msgid "SUDO OPTIONS"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd-ldap.5.xml:2413
++#: sssd-ldap.5.xml:2433
+ msgid ""
+ "The detailed instructions for configuration of sudo_provider are in the "
+ "manual page <citerefentry> <refentrytitle>sssd-sudo</refentrytitle> "
+@@ -6579,208 +6744,208 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2424
++#: sssd-ldap.5.xml:2444
+ msgid "ldap_sudorule_object_class (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2427
++#: sssd-ldap.5.xml:2447
+ msgid "The object class of a sudo rule entry in LDAP."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2430
++#: sssd-ldap.5.xml:2450
+ msgid "Default: sudoRole"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2436
++#: sssd-ldap.5.xml:2456
+ msgid "ldap_sudorule_name (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2439
++#: sssd-ldap.5.xml:2459
+ msgid "The LDAP attribute that corresponds to the sudo rule name."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2449
++#: sssd-ldap.5.xml:2469
+ msgid "ldap_sudorule_command (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2452
++#: sssd-ldap.5.xml:2472
+ msgid "The LDAP attribute that corresponds to the command name."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2456
++#: sssd-ldap.5.xml:2476
+ msgid "Default: sudoCommand"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2462
++#: sssd-ldap.5.xml:2482
+ msgid "ldap_sudorule_host (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2465
++#: sssd-ldap.5.xml:2485
+ msgid ""
+ "The LDAP attribute that corresponds to the host name (or host IP address, "
+ "host IP network, or host netgroup)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2470
++#: sssd-ldap.5.xml:2490
+ msgid "Default: sudoHost"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2476
++#: sssd-ldap.5.xml:2496
+ msgid "ldap_sudorule_user (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2479
++#: sssd-ldap.5.xml:2499
+ msgid ""
+ "The LDAP attribute that corresponds to the user name (or UID, group name or "
+ "user's netgroup)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2483
++#: sssd-ldap.5.xml:2503
+ msgid "Default: sudoUser"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2489
++#: sssd-ldap.5.xml:2509
+ msgid "ldap_sudorule_option (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2492
++#: sssd-ldap.5.xml:2512
+ msgid "The LDAP attribute that corresponds to the sudo options."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2496
++#: sssd-ldap.5.xml:2516
+ msgid "Default: sudoOption"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2502
++#: sssd-ldap.5.xml:2522
+ msgid "ldap_sudorule_runasuser (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2505
++#: sssd-ldap.5.xml:2525
+ msgid ""
+ "The LDAP attribute that corresponds to the user name that commands may be "
+ "run as."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2509
++#: sssd-ldap.5.xml:2529
+ msgid "Default: sudoRunAsUser"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2515
++#: sssd-ldap.5.xml:2535
+ msgid "ldap_sudorule_runasgroup (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2518
++#: sssd-ldap.5.xml:2538
+ msgid ""
+ "The LDAP attribute that corresponds to the group name or group GID that "
+ "commands may be run as."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2522
++#: sssd-ldap.5.xml:2542
+ msgid "Default: sudoRunAsGroup"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2528
++#: sssd-ldap.5.xml:2548
+ msgid "ldap_sudorule_notbefore (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2531
++#: sssd-ldap.5.xml:2551
+ msgid ""
+ "The LDAP attribute that corresponds to the start date/time for when the sudo "
+ "rule is valid."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2535
++#: sssd-ldap.5.xml:2555
+ msgid "Default: sudoNotBefore"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2541
++#: sssd-ldap.5.xml:2561
+ msgid "ldap_sudorule_notafter (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2544
++#: sssd-ldap.5.xml:2564
+ msgid ""
+ "The LDAP attribute that corresponds to the expiration date/time, after which "
+ "the sudo rule will no longer be valid."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2549
++#: sssd-ldap.5.xml:2569
+ msgid "Default: sudoNotAfter"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2555
++#: sssd-ldap.5.xml:2575
+ msgid "ldap_sudorule_order (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2558
++#: sssd-ldap.5.xml:2578
+ msgid "The LDAP attribute that corresponds to the ordering index of the rule."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2562
++#: sssd-ldap.5.xml:2582
+ msgid "Default: sudoOrder"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2568
++#: sssd-ldap.5.xml:2588
+ msgid "ldap_sudo_full_refresh_interval (integer)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2571
++#: sssd-ldap.5.xml:2591
+ msgid ""
+ "How many seconds SSSD will wait between executing a full refresh of sudo "
+ "rules (which downloads all rules that are stored on the server)."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2576
++#: sssd-ldap.5.xml:2596
+ msgid ""
+ "The value must be greater than <emphasis>ldap_sudo_smart_refresh_interval </"
+ "emphasis>"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2581
++#: sssd-ldap.5.xml:2601
+ msgid "Default: 21600 (6 hours)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2587
++#: sssd-ldap.5.xml:2607
+ msgid "ldap_sudo_smart_refresh_interval (integer)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2590
++#: sssd-ldap.5.xml:2610
+ msgid ""
+ "How many seconds SSSD has to wait before executing a smart refresh of sudo "
+ "rules (which downloads all rules that have USN higher than the highest USN "
+@@ -6788,101 +6953,101 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2596
++#: sssd-ldap.5.xml:2616
+ msgid ""
+ "If USN attributes are not supported by the server, the modifyTimestamp "
+ "attribute is used instead."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2606
++#: sssd-ldap.5.xml:2626
+ msgid "ldap_sudo_use_host_filter (boolean)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2609
++#: sssd-ldap.5.xml:2629
+ msgid ""
+ "If true, SSSD will download only rules that are applicable to this machine "
+ "(using the IPv4 or IPv6 host/network addresses and hostnames)."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2620
++#: sssd-ldap.5.xml:2640
+ msgid "ldap_sudo_hostnames (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2623
++#: sssd-ldap.5.xml:2643
+ msgid ""
+ "Space separated list of hostnames or fully qualified domain names that "
+ "should be used to filter the rules."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2628
++#: sssd-ldap.5.xml:2648
+ msgid ""
+ "If this option is empty, SSSD will try to discover the hostname and the "
+ "fully qualified domain name automatically."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2633 sssd-ldap.5.xml:2656 sssd-ldap.5.xml:2674
+-#: sssd-ldap.5.xml:2692
++#: sssd-ldap.5.xml:2653 sssd-ldap.5.xml:2676 sssd-ldap.5.xml:2694
++#: sssd-ldap.5.xml:2712
+ msgid ""
+ "If <emphasis>ldap_sudo_use_host_filter</emphasis> is <emphasis>false</"
+ "emphasis> then this option has no effect."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2638 sssd-ldap.5.xml:2661
++#: sssd-ldap.5.xml:2658 sssd-ldap.5.xml:2681
+ msgid "Default: not specified"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2644
++#: sssd-ldap.5.xml:2664
+ msgid "ldap_sudo_ip (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2647
++#: sssd-ldap.5.xml:2667
+ msgid ""
+ "Space separated list of IPv4 or IPv6 host/network addresses that should be "
+ "used to filter the rules."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2652
++#: sssd-ldap.5.xml:2672
+ msgid ""
+ "If this option is empty, SSSD will try to discover the addresses "
+ "automatically."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2667
++#: sssd-ldap.5.xml:2687
+ msgid "ldap_sudo_include_netgroups (boolean)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2670
++#: sssd-ldap.5.xml:2690
+ msgid ""
+ "If true then SSSD will download every rule that contains a netgroup in "
+ "sudoHost attribute."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2685
++#: sssd-ldap.5.xml:2705
+ msgid "ldap_sudo_include_regexp (boolean)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2688
++#: sssd-ldap.5.xml:2708
+ msgid ""
+ "If true then SSSD will download every rule that contains a wildcard in "
+ "sudoHost attribute."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd-ldap.5.xml:2704
++#: sssd-ldap.5.xml:2724
+ msgid ""
+ "This manual page only describes attribute name mapping.  For detailed "
+ "explanation of sudo related attribute semantics, see <citerefentry> "
+@@ -6891,111 +7056,111 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><title>
+-#: sssd-ldap.5.xml:2714
++#: sssd-ldap.5.xml:2734
+ msgid "AUTOFS OPTIONS"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd-ldap.5.xml:2716
++#: sssd-ldap.5.xml:2736
+ msgid ""
+ "Some of the defaults for the parameters below are dependent on the LDAP "
+ "schema."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2722
++#: sssd-ldap.5.xml:2742
+ msgid "ldap_autofs_map_master_name (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2725
++#: sssd-ldap.5.xml:2745
+ msgid "The name of the automount master map in LDAP."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2728
++#: sssd-ldap.5.xml:2748
+ msgid "Default: auto.master"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2735
++#: sssd-ldap.5.xml:2755
+ msgid "ldap_autofs_map_object_class (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2738
++#: sssd-ldap.5.xml:2758
+ msgid "The object class of an automount map entry in LDAP."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2741
++#: sssd-ldap.5.xml:2761
+ msgid "Default: nisMap (rfc2307, autofs_provider=ad), otherwise automountMap"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2749
++#: sssd-ldap.5.xml:2769
+ msgid "ldap_autofs_map_name (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2752
++#: sssd-ldap.5.xml:2772
+ msgid "The name of an automount map entry in LDAP."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2755
++#: sssd-ldap.5.xml:2775
+ msgid ""
+ "Default: nisMapName (rfc2307, autofs_provider=ad), otherwise automountMapName"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2763
++#: sssd-ldap.5.xml:2783
+ msgid "ldap_autofs_entry_object_class (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2766
++#: sssd-ldap.5.xml:2786
+ msgid ""
+ "The object class of an automount entry in LDAP. The entry usually "
+ "corresponds to a mount point."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2771
++#: sssd-ldap.5.xml:2791
+ msgid "Default: nisObject (rfc2307, autofs_provider=ad), otherwise automount"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2779
++#: sssd-ldap.5.xml:2799
+ msgid "ldap_autofs_entry_key (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2782 sssd-ldap.5.xml:2797
++#: sssd-ldap.5.xml:2802 sssd-ldap.5.xml:2817
+ msgid ""
+ "The key of an automount entry in LDAP. The entry usually corresponds to a "
+ "mount point."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2786
++#: sssd-ldap.5.xml:2806
+ msgid "Default: cn (rfc2307, autofs_provider=ad), otherwise automountKey"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2794
++#: sssd-ldap.5.xml:2814
+ msgid "ldap_autofs_entry_value (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2801
++#: sssd-ldap.5.xml:2821
+ msgid ""
+ "Default: nisMapEntry (rfc2307, autofs_provider=ad), otherwise "
+ "automountInformation"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd-ldap.5.xml:2720
++#: sssd-ldap.5.xml:2740
+ msgid ""
+ "<placeholder type=\"variablelist\" id=\"0\"/> <placeholder type="
+ "\"variablelist\" id=\"1\"/> <placeholder type=\"variablelist\" id=\"2\"/> "
+@@ -7004,32 +7169,32 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><title>
+-#: sssd-ldap.5.xml:2812
++#: sssd-ldap.5.xml:2832
+ msgid "ADVANCED OPTIONS"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2819
++#: sssd-ldap.5.xml:2839
+ msgid "ldap_netgroup_search_base (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2824
++#: sssd-ldap.5.xml:2844
+ msgid "ldap_user_search_base (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2829
++#: sssd-ldap.5.xml:2849
+ msgid "ldap_group_search_base (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><note>
+-#: sssd-ldap.5.xml:2834
++#: sssd-ldap.5.xml:2854
+ msgid "<note>"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><note><para>
+-#: sssd-ldap.5.xml:2836
++#: sssd-ldap.5.xml:2856
+ msgid ""
+ "If the option <quote>ldap_use_tokengroups</quote> is enabled, the searches "
+ "against Active Directory will not be restricted and return all groups "
+@@ -7038,22 +7203,22 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist>
+-#: sssd-ldap.5.xml:2843
++#: sssd-ldap.5.xml:2863
+ msgid "</note>"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2845
++#: sssd-ldap.5.xml:2865
+ msgid "ldap_sudo_search_base (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2850
++#: sssd-ldap.5.xml:2870
+ msgid "ldap_autofs_search_base (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd-ldap.5.xml:2814
++#: sssd-ldap.5.xml:2834
+ msgid ""
+ "These options are supported by LDAP domains, but they should be used with "
+ "caution. Please include them in your configuration only if you know what you "
+@@ -7062,14 +7227,14 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><title>
+-#: sssd-ldap.5.xml:2865 sssd-simple.5.xml:131 sssd-ipa.5.xml:828
+-#: sssd-ad.5.xml:1063 sssd-krb5.5.xml:570 sss_rpcidmapd.5.xml:98
++#: sssd-ldap.5.xml:2885 sssd-simple.5.xml:131 sssd-ipa.5.xml:828
++#: sssd-ad.5.xml:1082 sssd-krb5.5.xml:604 sss_rpcidmapd.5.xml:98
+ #: sssd-files.5.xml:103 sssd-session-recording.5.xml:144
+ msgid "EXAMPLE"
+ msgstr "НАМУНА"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd-ldap.5.xml:2867
++#: sssd-ldap.5.xml:2887
+ msgid ""
+ "The following example assumes that SSSD is correctly configured and LDAP is "
+ "set to one of the domains in the <replaceable>[domains]</replaceable> "
+@@ -7077,7 +7242,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><programlisting>
+-#: sssd-ldap.5.xml:2873
++#: sssd-ldap.5.xml:2893
+ #, no-wrap
+ msgid ""
+ "[domain/LDAP]\n"
+@@ -7090,27 +7255,27 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <refsect1><refsect2><para>
+-#: sssd-ldap.5.xml:2872 sssd-ldap.5.xml:2890 sssd-simple.5.xml:139
+-#: sssd-ipa.5.xml:836 sssd-ad.5.xml:1071 sssd-sudo.5.xml:56 sssd-krb5.5.xml:579
++#: sssd-ldap.5.xml:2892 sssd-ldap.5.xml:2910 sssd-simple.5.xml:139
++#: sssd-ipa.5.xml:836 sssd-ad.5.xml:1090 sssd-sudo.5.xml:56 sssd-krb5.5.xml:613
+ #: sssd-files.5.xml:110 sssd-session-recording.5.xml:150
+ #: include/ldap_id_mapping.xml:105
+ msgid "<placeholder type=\"programlisting\" id=\"0\"/>"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><title>
+-#: sssd-ldap.5.xml:2884
++#: sssd-ldap.5.xml:2904
+ msgid "LDAP ACCESS FILTER EXAMPLE"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd-ldap.5.xml:2886
++#: sssd-ldap.5.xml:2906
+ msgid ""
+ "The following example assumes that SSSD is correctly configured and to use "
+ "the ldap_access_order=lockout."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><programlisting>
+-#: sssd-ldap.5.xml:2891
++#: sssd-ldap.5.xml:2911
+ #, no-wrap
+ msgid ""
+ "[domain/LDAP]\n"
+@@ -7126,13 +7291,13 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><title>
+-#: sssd-ldap.5.xml:2906 sssd_krb5_locator_plugin.8.xml:83 sssd-simple.5.xml:148
+-#: sssd-ad.5.xml:1086 sssd.8.xml:230 sss_seed.8.xml:163
++#: sssd-ldap.5.xml:2926 sssd_krb5_locator_plugin.8.xml:83 sssd-simple.5.xml:148
++#: sssd-ad.5.xml:1105 sssd.8.xml:230 sss_seed.8.xml:163
+ msgid "NOTES"
+ msgstr "ЭЗОҲҲО"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd-ldap.5.xml:2908
++#: sssd-ldap.5.xml:2928
+ msgid ""
+ "The descriptions of some of the configuration options in this manual page "
+ "are based on the <citerefentry> <refentrytitle>ldap.conf</refentrytitle> "
+@@ -8606,7 +8771,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ipa.5.xml:128 sssd-ad.5.xml:888
++#: sssd-ipa.5.xml:128 sssd-ad.5.xml:907
+ msgid "dyndns_update (boolean)"
+ msgstr ""
+ 
+@@ -8621,7 +8786,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ipa.5.xml:140 sssd-ad.5.xml:902
++#: sssd-ipa.5.xml:140 sssd-ad.5.xml:921
+ msgid ""
+ "NOTE: On older systems (such as RHEL 5), for this behavior to work reliably, "
+ "the default Kerberos realm must be set properly in /etc/krb5.conf"
+@@ -8636,12 +8801,12 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ipa.5.xml:157 sssd-ad.5.xml:913
++#: sssd-ipa.5.xml:157 sssd-ad.5.xml:932
+ msgid "dyndns_ttl (integer)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ipa.5.xml:160 sssd-ad.5.xml:916
++#: sssd-ipa.5.xml:160 sssd-ad.5.xml:935
+ msgid ""
+ "The TTL to apply to the client DNS record when updating it.  If "
+ "dyndns_update is false this has no effect. This will override the TTL "
+@@ -8662,12 +8827,12 @@ msgid "Default: 1200 (seconds)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ipa.5.xml:177 sssd-ad.5.xml:927
++#: sssd-ipa.5.xml:177 sssd-ad.5.xml:946
+ msgid "dyndns_iface (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ipa.5.xml:180 sssd-ad.5.xml:930
++#: sssd-ipa.5.xml:180 sssd-ad.5.xml:949
+ msgid ""
+ "Optional. Applicable only when dyndns_update is true. Choose the interface "
+ "or a list of interfaces whose IP addresses should be used for dynamic DNS "
+@@ -8691,17 +8856,17 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ipa.5.xml:197 sssd-ad.5.xml:941
++#: sssd-ipa.5.xml:197 sssd-ad.5.xml:960
+ msgid "Example: dyndns_iface = em1, vnet1, vnet2"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ipa.5.xml:203 sssd-ad.5.xml:992
++#: sssd-ipa.5.xml:203 sssd-ad.5.xml:1011
+ msgid "dyndns_auth (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ipa.5.xml:206 sssd-ad.5.xml:995
++#: sssd-ipa.5.xml:206 sssd-ad.5.xml:1014
+ msgid ""
+ "Whether the nsupdate utility should use GSS-TSIG authentication for secure "
+ "updates with the DNS server, insecure updates can be sent by setting this "
+@@ -8709,7 +8874,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ipa.5.xml:212 sssd-ad.5.xml:1001
++#: sssd-ipa.5.xml:212 sssd-ad.5.xml:1020
+ msgid "Default: GSS-TSIG"
+ msgstr ""
+ 
+@@ -8736,7 +8901,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ipa.5.xml:244 sssd-ad.5.xml:947
++#: sssd-ipa.5.xml:244 sssd-ad.5.xml:966
+ msgid "dyndns_refresh_interval (integer)"
+ msgstr ""
+ 
+@@ -8749,12 +8914,12 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ipa.5.xml:260 sssd-ad.5.xml:965
++#: sssd-ipa.5.xml:260 sssd-ad.5.xml:984
+ msgid "dyndns_update_ptr (bool)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ipa.5.xml:263 sssd-ad.5.xml:968
++#: sssd-ipa.5.xml:263 sssd-ad.5.xml:987
+ msgid ""
+ "Whether the PTR record should also be explicitly updated when updating the "
+ "client's DNS records.  Applicable only when dyndns_update is true."
+@@ -8773,50 +8938,50 @@ msgid "Default: False (disabled)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ipa.5.xml:280 sssd-ad.5.xml:979
++#: sssd-ipa.5.xml:280 sssd-ad.5.xml:998
+ msgid "dyndns_force_tcp (bool)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ipa.5.xml:283 sssd-ad.5.xml:982
++#: sssd-ipa.5.xml:283 sssd-ad.5.xml:1001
+ msgid ""
+ "Whether the nsupdate utility should default to using TCP for communicating "
+ "with the DNS server."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ipa.5.xml:287 sssd-ad.5.xml:986
++#: sssd-ipa.5.xml:287 sssd-ad.5.xml:1005
+ msgid "Default: False (let nsupdate choose the protocol)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ipa.5.xml:293 sssd-ad.5.xml:1007
++#: sssd-ipa.5.xml:293 sssd-ad.5.xml:1026
+ msgid "dyndns_server (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ipa.5.xml:296 sssd-ad.5.xml:1010
++#: sssd-ipa.5.xml:296 sssd-ad.5.xml:1029
+ msgid ""
+ "The DNS server to use when performing a DNS update. In most setups, it's "
+ "recommended to leave this option unset."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ipa.5.xml:301 sssd-ad.5.xml:1015
++#: sssd-ipa.5.xml:301 sssd-ad.5.xml:1034
+ msgid ""
+ "Setting this option makes sense for environments where the DNS server is "
+ "different from the identity server."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ipa.5.xml:306 sssd-ad.5.xml:1020
++#: sssd-ipa.5.xml:306 sssd-ad.5.xml:1039
+ msgid ""
+ "Please note that this option will be only used in fallback attempt when "
+ "previous attempt using autodetected settings failed."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ipa.5.xml:311 sssd-ad.5.xml:1025
++#: sssd-ipa.5.xml:311 sssd-ad.5.xml:1044
+ msgid "Default: None (let nsupdate choose the server)"
+ msgstr ""
+ 
+@@ -8927,26 +9092,26 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ipa.5.xml:443 sssd-ad.5.xml:1034
++#: sssd-ipa.5.xml:443 sssd-ad.5.xml:1053
+ msgid "krb5_confd_path (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ipa.5.xml:446 sssd-ad.5.xml:1037
++#: sssd-ipa.5.xml:446 sssd-ad.5.xml:1056
+ msgid ""
+ "Absolute path of a directory where SSSD should place Kerberos configuration "
+ "snippets."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ipa.5.xml:450 sssd-ad.5.xml:1041
++#: sssd-ipa.5.xml:450 sssd-ad.5.xml:1060
+ msgid ""
+ "To disable the creation of the configuration snippets set the parameter to "
+ "'none'."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ipa.5.xml:454 sssd-ad.5.xml:1045
++#: sssd-ipa.5.xml:454 sssd-ad.5.xml:1064
+ msgid ""
+ "Default: not set (krb5.include.d subdirectory of SSSD's pubconf directory)"
+ msgstr ""
+@@ -8965,7 +9130,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ipa.5.xml:471 sssd-ipa.5.xml:501 sssd-ipa.5.xml:517 sssd-ad.5.xml:452
++#: sssd-ipa.5.xml:471 sssd-ipa.5.xml:501 sssd-ipa.5.xml:517 sssd-ad.5.xml:471
+ msgid "Default: 5 (seconds)"
+ msgstr ""
+ 
+@@ -9848,12 +10013,27 @@ msgid "Default: False (seconds)"
+ msgstr "Пешфарз: false"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ad.5.xml:442
++#: sssd-ad.5.xml:441
++msgid "ad_gpo_ignore_unreadable (boolean)"
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
++#: sssd-ad.5.xml:444
++msgid ""
++"Normally when some group policy containers (AD object) of applicable group "
++"policy objects are not readable by SSSD then users are denied access.  This "
++"option allows to ignore group policy containers and with them associated "
++"policies if their attributes in group policy containers are not readable for "
++"SSSD."
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
++#: sssd-ad.5.xml:461
+ msgid "ad_gpo_cache_timeout (integer)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:445
++#: sssd-ad.5.xml:464
+ msgid ""
+ "The amount of time between lookups of GPO policy files against the AD "
+ "server. This will reduce the latency and load on the AD server if there are "
+@@ -9861,12 +10041,12 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ad.5.xml:458
++#: sssd-ad.5.xml:477
+ msgid "ad_gpo_map_interactive (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:461
++#: sssd-ad.5.xml:480
+ msgid ""
+ "A comma-separated list of PAM service names for which GPO-based access "
+ "control is evaluated based on the InteractiveLogonRight and "
+@@ -9874,14 +10054,14 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:467
++#: sssd-ad.5.xml:486
+ msgid ""
+ "Note: Using the Group Policy Management Editor this value is called \"Allow "
+ "log on locally\" and \"Deny log on locally\"."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
+-#: sssd-ad.5.xml:481
++#: sssd-ad.5.xml:500
+ #, no-wrap
+ msgid ""
+ "ad_gpo_map_interactive = +my_pam_service, -login\n"
+@@ -9889,7 +10069,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:472
++#: sssd-ad.5.xml:491
+ msgid ""
+ "It is possible to add another PAM service name to the default set by using "
+ "<quote>+service_name</quote> or to explicitly remove a PAM service name from "
+@@ -9901,42 +10081,42 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd-ad.5.xml:504
++#: sssd-ad.5.xml:523
+ msgid "gdm-fingerprint"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd-ad.5.xml:524
++#: sssd-ad.5.xml:543
+ msgid "lightdm"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd-ad.5.xml:529
++#: sssd-ad.5.xml:548
+ msgid "lxdm"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd-ad.5.xml:534
++#: sssd-ad.5.xml:553
+ msgid "sddm"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd-ad.5.xml:539
++#: sssd-ad.5.xml:558
+ msgid "unity"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd-ad.5.xml:544
++#: sssd-ad.5.xml:563
+ msgid "xdm"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ad.5.xml:553
++#: sssd-ad.5.xml:572
+ msgid "ad_gpo_map_remote_interactive (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:556
++#: sssd-ad.5.xml:575
+ msgid ""
+ "A comma-separated list of PAM service names for which GPO-based access "
+ "control is evaluated based on the RemoteInteractiveLogonRight and "
+@@ -9944,7 +10124,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:562
++#: sssd-ad.5.xml:581
+ msgid ""
+ "Note: Using the Group Policy Management Editor this value is called \"Allow "
+ "log on through Remote Desktop Services\" and \"Deny log on through Remote "
+@@ -9952,7 +10132,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
+-#: sssd-ad.5.xml:577
++#: sssd-ad.5.xml:596
+ #, no-wrap
+ msgid ""
+ "ad_gpo_map_remote_interactive = +my_pam_service, -sshd\n"
+@@ -9960,7 +10140,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:568
++#: sssd-ad.5.xml:587
+ msgid ""
+ "It is possible to add another PAM service name to the default set by using "
+ "<quote>+service_name</quote> or to explicitly remove a PAM service name from "
+@@ -9972,22 +10152,22 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd-ad.5.xml:585
++#: sssd-ad.5.xml:604
+ msgid "sshd"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd-ad.5.xml:590
++#: sssd-ad.5.xml:609
+ msgid "cockpit"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ad.5.xml:599
++#: sssd-ad.5.xml:618
+ msgid "ad_gpo_map_network (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:602
++#: sssd-ad.5.xml:621
+ msgid ""
+ "A comma-separated list of PAM service names for which GPO-based access "
+ "control is evaluated based on the NetworkLogonRight and "
+@@ -9995,7 +10175,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:608
++#: sssd-ad.5.xml:627
+ msgid ""
+ "Note: Using the Group Policy Management Editor this value is called \"Access "
+ "this computer from the network\" and \"Deny access to this computer from the "
+@@ -10003,7 +10183,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
+-#: sssd-ad.5.xml:623
++#: sssd-ad.5.xml:642
+ #, no-wrap
+ msgid ""
+ "ad_gpo_map_network = +my_pam_service, -ftp\n"
+@@ -10011,7 +10191,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:614
++#: sssd-ad.5.xml:633
+ msgid ""
+ "It is possible to add another PAM service name to the default set by using "
+ "<quote>+service_name</quote> or to explicitly remove a PAM service name from "
+@@ -10023,22 +10203,22 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd-ad.5.xml:631
++#: sssd-ad.5.xml:650
+ msgid "ftp"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd-ad.5.xml:636
++#: sssd-ad.5.xml:655
+ msgid "samba"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ad.5.xml:645
++#: sssd-ad.5.xml:664
+ msgid "ad_gpo_map_batch (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:648
++#: sssd-ad.5.xml:667
+ msgid ""
+ "A comma-separated list of PAM service names for which GPO-based access "
+ "control is evaluated based on the BatchLogonRight and DenyBatchLogonRight "
+@@ -10046,14 +10226,14 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:654
++#: sssd-ad.5.xml:673
+ msgid ""
+ "Note: Using the Group Policy Management Editor this value is called \"Allow "
+ "log on as a batch job\" and \"Deny log on as a batch job\"."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
+-#: sssd-ad.5.xml:668
++#: sssd-ad.5.xml:687
+ #, no-wrap
+ msgid ""
+ "ad_gpo_map_batch = +my_pam_service, -crond\n"
+@@ -10061,7 +10241,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:659
++#: sssd-ad.5.xml:678
+ msgid ""
+ "It is possible to add another PAM service name to the default set by using "
+ "<quote>+service_name</quote> or to explicitly remove a PAM service name from "
+@@ -10073,23 +10253,23 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:671
++#: sssd-ad.5.xml:690
+ msgid ""
+ "Note: Cron service name may differ depending on Linux distribution used."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd-ad.5.xml:677
++#: sssd-ad.5.xml:696
+ msgid "crond"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ad.5.xml:686
++#: sssd-ad.5.xml:705
+ msgid "ad_gpo_map_service (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:689
++#: sssd-ad.5.xml:708
+ msgid ""
+ "A comma-separated list of PAM service names for which GPO-based access "
+ "control is evaluated based on the ServiceLogonRight and "
+@@ -10097,14 +10277,14 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:695
++#: sssd-ad.5.xml:714
+ msgid ""
+ "Note: Using the Group Policy Management Editor this value is called \"Allow "
+ "log on as a service\" and \"Deny log on as a service\"."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
+-#: sssd-ad.5.xml:708
++#: sssd-ad.5.xml:727
+ #, no-wrap
+ msgid ""
+ "ad_gpo_map_service = +my_pam_service\n"
+@@ -10112,7 +10292,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:700 sssd-ad.5.xml:775
++#: sssd-ad.5.xml:719 sssd-ad.5.xml:794
+ msgid ""
+ "It is possible to add a PAM service name to the default set by using <quote>"
+ "+service_name</quote>.  Since the default set is empty, it is not possible "
+@@ -10123,19 +10303,19 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ad.5.xml:718
++#: sssd-ad.5.xml:737
+ msgid "ad_gpo_map_permit (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:721
++#: sssd-ad.5.xml:740
+ msgid ""
+ "A comma-separated list of PAM service names for which GPO-based access is "
+ "always granted, regardless of any GPO Logon Rights."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
+-#: sssd-ad.5.xml:735
++#: sssd-ad.5.xml:754
+ #, no-wrap
+ msgid ""
+ "ad_gpo_map_permit = +my_pam_service, -sudo\n"
+@@ -10143,7 +10323,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:726
++#: sssd-ad.5.xml:745
+ msgid ""
+ "It is possible to add another PAM service name to the default set by using "
+ "<quote>+service_name</quote> or to explicitly remove a PAM service name from "
+@@ -10155,29 +10335,29 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd-ad.5.xml:743
++#: sssd-ad.5.xml:762
+ msgid "polkit-1"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd-ad.5.xml:758
++#: sssd-ad.5.xml:777
+ msgid "systemd-user"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ad.5.xml:767
++#: sssd-ad.5.xml:786
+ msgid "ad_gpo_map_deny (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:770
++#: sssd-ad.5.xml:789
+ msgid ""
+ "A comma-separated list of PAM service names for which GPO-based access is "
+ "always denied, regardless of any GPO Logon Rights."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
+-#: sssd-ad.5.xml:783
++#: sssd-ad.5.xml:802
+ #, no-wrap
+ msgid ""
+ "ad_gpo_map_deny = +my_pam_service\n"
+@@ -10185,12 +10365,12 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ad.5.xml:793
++#: sssd-ad.5.xml:812
+ msgid "ad_gpo_default_right (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:796
++#: sssd-ad.5.xml:815
+ msgid ""
+ "This option defines how access control is evaluated for PAM service names "
+ "that are not explicitly listed in one of the ad_gpo_map_* options. This "
+@@ -10203,57 +10383,57 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:809
++#: sssd-ad.5.xml:828
+ msgid "Supported values for this option include:"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd-ad.5.xml:813
++#: sssd-ad.5.xml:832
+ msgid "interactive"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd-ad.5.xml:818
++#: sssd-ad.5.xml:837
+ msgid "remote_interactive"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd-ad.5.xml:823
++#: sssd-ad.5.xml:842
+ msgid "network"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd-ad.5.xml:828
++#: sssd-ad.5.xml:847
+ msgid "batch"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd-ad.5.xml:833
++#: sssd-ad.5.xml:852
+ msgid "service"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd-ad.5.xml:838
++#: sssd-ad.5.xml:857
+ msgid "permit"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd-ad.5.xml:843
++#: sssd-ad.5.xml:862
+ msgid "deny"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:849
++#: sssd-ad.5.xml:868
+ msgid "Default: deny"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ad.5.xml:855
++#: sssd-ad.5.xml:874
+ msgid "ad_maximum_machine_account_password_age (integer)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:858
++#: sssd-ad.5.xml:877
+ msgid ""
+ "SSSD will check once a day if the machine account password is older than the "
+ "given age in days and try to renew it. A value of 0 will disable the renewal "
+@@ -10261,17 +10441,17 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:864
++#: sssd-ad.5.xml:883
+ msgid "Default: 30 days"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ad.5.xml:870
++#: sssd-ad.5.xml:889
+ msgid "ad_machine_account_password_renewal_opts (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:873
++#: sssd-ad.5.xml:892
+ msgid ""
+ "This option should only be used to test the machine account renewal task. "
+ "The option expects 2 integers separated by a colon (':'). The first integer "
+@@ -10281,12 +10461,12 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:882
++#: sssd-ad.5.xml:901
+ msgid "Default: 86400:750 (24h and 15m)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:891
++#: sssd-ad.5.xml:910
+ msgid ""
+ "Optional. This option tells SSSD to automatically update the Active "
+ "Directory DNS server with the IP address of this client. The update is "
+@@ -10297,19 +10477,19 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:921
++#: sssd-ad.5.xml:940
+ msgid "Default: 3600 (seconds)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:937
++#: sssd-ad.5.xml:956
+ msgid ""
+ "Default: Use the IP addresses of the interface which is used for AD LDAP "
+ "connection"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:950
++#: sssd-ad.5.xml:969
+ msgid ""
+ "How often should the back end perform periodic DNS update in addition to the "
+ "automatic update performed when the back end goes online.  This option is "
+@@ -10319,12 +10499,12 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:973 sss_rpcidmapd.5.xml:76
++#: sssd-ad.5.xml:992 sss_rpcidmapd.5.xml:76
+ msgid "Default: True"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd-ad.5.xml:1065
++#: sssd-ad.5.xml:1084
+ msgid ""
+ "The following example assumes that SSSD is correctly configured and example."
+ "com is one of the domains in the <replaceable>[sssd]</replaceable> section. "
+@@ -10332,7 +10512,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><programlisting>
+-#: sssd-ad.5.xml:1072
++#: sssd-ad.5.xml:1091
+ #, no-wrap
+ msgid ""
+ "[domain/EXAMPLE]\n"
+@@ -10347,7 +10527,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><programlisting>
+-#: sssd-ad.5.xml:1092
++#: sssd-ad.5.xml:1111
+ #, no-wrap
+ msgid ""
+ "access_provider = ldap\n"
+@@ -10356,7 +10536,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd-ad.5.xml:1088
++#: sssd-ad.5.xml:1107
+ msgid ""
+ "The AD access control provider checks if the account is expired.  It has the "
+ "same effect as the following configuration of the LDAP provider: "
+@@ -10364,7 +10544,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd-ad.5.xml:1098
++#: sssd-ad.5.xml:1117
+ msgid ""
+ "However, unless the <quote>ad</quote> access control provider is explicitly "
+ "configured, the default access provider is <quote>permit</quote>. Please "
+@@ -10374,7 +10554,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd-ad.5.xml:1106
++#: sssd-ad.5.xml:1125
+ msgid ""
+ "When the autofs provider is set to <quote>ad</quote>, the RFC2307 schema "
+ "attribute mapping (nisMap, nisObject, ...) is used, because these attributes "
+@@ -11832,23 +12012,61 @@ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd-krb5.5.xml:505
+-msgid "krb5_use_enterprise_principal (boolean)"
++msgid "krb5_kdcinfo_lookahead (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-krb5.5.xml:508
+ msgid ""
++"When krb5_use_kdcinfo is set to true, you can limit the amount of servers "
++"handed to <citerefentry> <refentrytitle>sssd_krb5_locator_plugin</"
++"refentrytitle> <manvolnum>8</manvolnum> </citerefentry>.  This might be "
++"helpful when there are too many servers discovered using SRV record."
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
++#: sssd-krb5.5.xml:518
++msgid ""
++"The krb5_kdcinfo_lookahead option contains two numbers seperated by a colon. "
++"The first number represents number of primary servers used and the second "
++"number specifies the number of backup servers."
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
++#: sssd-krb5.5.xml:524
++msgid ""
++"For example <emphasis>10:0</emphasis> means that up to 10 primary servers "
++"will be handed to <citerefentry> <refentrytitle>sssd_krb5_locator_plugin</"
++"refentrytitle> <manvolnum>8</manvolnum> </citerefentry>.  but no backup "
++"servers."
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
++#: sssd-krb5.5.xml:533
++#, fuzzy
++#| msgid "Default: 3"
++msgid "Default: 3:1"
++msgstr "Пешфарз: 3"
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
++#: sssd-krb5.5.xml:539
++msgid "krb5_use_enterprise_principal (boolean)"
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
++#: sssd-krb5.5.xml:542
++msgid ""
+ "Specifies if the user principal should be treated as enterprise principal. "
+ "See section 5 of RFC 6806 for more details about enterprise principals."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-krb5.5.xml:514
++#: sssd-krb5.5.xml:548
+ msgid "Default: false (AD provider: true)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-krb5.5.xml:517
++#: sssd-krb5.5.xml:551
+ msgid ""
+ "The IPA provider will set to option to 'true' if it detects that the server "
+ "is capable of handling enterprise principals and the option is not set "
+@@ -11856,12 +12074,12 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-krb5.5.xml:526
++#: sssd-krb5.5.xml:560
+ msgid "krb5_map_user (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-krb5.5.xml:529
++#: sssd-krb5.5.xml:563
+ msgid ""
+ "The list of mappings is given as a comma-separated list of pairs "
+ "<quote>username:primary</quote> where <quote>username</quote> is a UNIX user "
+@@ -11871,7 +12089,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
+-#: sssd-krb5.5.xml:541
++#: sssd-krb5.5.xml:575
+ #, no-wrap
+ msgid ""
+ "krb5_realm = REALM\n"
+@@ -11879,7 +12097,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-krb5.5.xml:546
++#: sssd-krb5.5.xml:580
+ msgid ""
+ "<quote>joe</quote> and <quote>dick</quote> are UNIX user names and "
+ "<quote>juser</quote> and <quote>richard</quote> are primaries of kerberos "
+@@ -11899,7 +12117,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd-krb5.5.xml:572
++#: sssd-krb5.5.xml:606
+ msgid ""
+ "The following example assumes that SSSD is correctly configured and FOO is "
+ "one of the domains in the <replaceable>[sssd]</replaceable> section. This "
+@@ -11908,7 +12126,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><programlisting>
+-#: sssd-krb5.5.xml:580
++#: sssd-krb5.5.xml:614
+ #, no-wrap
+ msgid ""
+ "[domain/FOO]\n"
+diff --git a/src/man/po/uk.po b/src/man/po/uk.po
+index 2751485c1..d6f6d2caa 100644
+--- a/src/man/po/uk.po
++++ b/src/man/po/uk.po
+@@ -14,7 +14,7 @@ msgid ""
+ msgstr ""
+ "Project-Id-Version: sssd-docs 2.0.99\n"
+ "Report-Msgid-Bugs-To: sssd-devel@redhat.com\n"
+-"POT-Creation-Date: 2019-03-20 22:06+0100\n"
++"POT-Creation-Date: 2019-10-07 11:33+0200\n"
+ "PO-Revision-Date: 2019-03-05 05:43+0000\n"
+ "Last-Translator: Copied by Zanata <copied-by-zanata@zanata.org>\n"
+ "Language-Team: Ukrainian (http://www.transifex.com/projects/p/sssd/language/"
+@@ -361,10 +361,10 @@ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:133 sssd.conf.5.xml:543 sssd.conf.5.xml:840
+-#: sssd.conf.5.xml:1566 sssd.conf.5.xml:1596 sssd-ldap.5.xml:1889
+-#: sssd-ldap.5.xml:1986 sssd-ldap.5.xml:2048 sssd-ldap.5.xml:2614
+-#: sssd-ldap.5.xml:2679 sssd-ldap.5.xml:2697 sssd-ad.5.xml:227
+-#: sssd-ad.5.xml:341 sssd-ad.5.xml:907 sssd-krb5.5.xml:499
++#: sssd.conf.5.xml:1566 sssd.conf.5.xml:1596 sssd-ldap.5.xml:1908
++#: sssd-ldap.5.xml:2006 sssd-ldap.5.xml:2068 sssd-ldap.5.xml:2634
++#: sssd-ldap.5.xml:2699 sssd-ldap.5.xml:2717 sssd-ad.5.xml:227
++#: sssd-ad.5.xml:341 sssd-ad.5.xml:926 sssd-krb5.5.xml:499
+ #: sssd-secrets.5.xml:351 sssd-secrets.5.xml:364
+ msgid "Default: true"
+ msgstr "Типове значення: true"
+@@ -386,16 +386,16 @@ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:146 sssd.conf.5.xml:540 sssd.conf.5.xml:722
+-#: sssd.conf.5.xml:1499 sssd.conf.5.xml:3106 sssd-ldap.5.xml:746
+-#: sssd-ldap.5.xml:1752 sssd-ldap.5.xml:1771 sssd-ldap.5.xml:1958
+-#: sssd-ldap.5.xml:2384 sssd-ipa.5.xml:151 sssd-ipa.5.xml:238
++#: sssd.conf.5.xml:1499 sssd.conf.5.xml:3129 sssd-ldap.5.xml:746
++#: sssd-ldap.5.xml:1759 sssd-ldap.5.xml:1778 sssd-ldap.5.xml:1978
++#: sssd-ldap.5.xml:2404 sssd-ipa.5.xml:151 sssd-ipa.5.xml:238
+ #: sssd-ipa.5.xml:559 sssd-krb5.5.xml:266 sssd-krb5.5.xml:300
+ #: sssd-krb5.5.xml:471
+ msgid "Default: false"
+ msgstr "Типове значення: false"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para>
+-#: sssd.conf.5.xml:106 sssd.conf.5.xml:157 sssd-ldap.5.xml:2422
++#: sssd.conf.5.xml:106 sssd.conf.5.xml:157 sssd-ldap.5.xml:2442
+ #: sssd-systemtap.5.xml:82 sssd-systemtap.5.xml:143 sssd-systemtap.5.xml:210
+ #: sssd-systemtap.5.xml:248 sssd-systemtap.5.xml:304
+ msgid "<placeholder type=\"variablelist\" id=\"0\"/>"
+@@ -424,8 +424,8 @@ msgstr ""
+ "самостійно."
+ 
+ #. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:169 sssd.conf.5.xml:1377 sssd.conf.5.xml:3122
+-#: sssd-ldap.5.xml:1623 include/ldap_id_mapping.xml:264
++#: sssd.conf.5.xml:169 sssd.conf.5.xml:1377 sssd.conf.5.xml:3145
++#: sssd-ldap.5.xml:1630 include/ldap_id_mapping.xml:264
+ msgid "Default: 10"
+ msgstr "Типове значення: 10"
+ 
+@@ -440,7 +440,7 @@ msgid "The [sssd] section"
+ msgstr "Розділ [sssd]"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><title>
+-#: sssd.conf.5.xml:191 sssd.conf.5.xml:3211
++#: sssd.conf.5.xml:191 sssd.conf.5.xml:3234
+ msgid "Section parameters"
+ msgstr "Параметри розділу"
+ 
+@@ -542,7 +542,7 @@ msgstr ""
+ "ASCII, дефісів, крапок та знаків підкреслювання."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:259 sssd.conf.5.xml:2672
++#: sssd.conf.5.xml:259 sssd.conf.5.xml:2680
+ msgid "re_expression (string)"
+ msgstr "re_expression (рядок)"
+ 
+@@ -568,12 +568,12 @@ msgstr ""
+ "ДОМЕНІВ."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:276 sssd.conf.5.xml:2720
++#: sssd.conf.5.xml:276 sssd.conf.5.xml:2728
+ msgid "full_name_format (string)"
+ msgstr "full_name_format (рядок)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:279 sssd.conf.5.xml:2723
++#: sssd.conf.5.xml:279 sssd.conf.5.xml:2731
+ msgid ""
+ "A <citerefentry> <refentrytitle>printf</refentrytitle> <manvolnum>3</"
+ "manvolnum> </citerefentry>-compatible format that describes how to compose a "
+@@ -585,32 +585,32 @@ msgstr ""
+ "домену."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:290 sssd.conf.5.xml:2734
++#: sssd.conf.5.xml:290 sssd.conf.5.xml:2742
+ msgid "%1$s"
+ msgstr "%1$s"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:291 sssd.conf.5.xml:2735
++#: sssd.conf.5.xml:291 sssd.conf.5.xml:2743
+ msgid "user name"
+ msgstr "ім’я користувача"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:294 sssd.conf.5.xml:2738
++#: sssd.conf.5.xml:294 sssd.conf.5.xml:2746
+ msgid "%2$s"
+ msgstr "%2$s"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:297 sssd.conf.5.xml:2741
++#: sssd.conf.5.xml:297 sssd.conf.5.xml:2749
+ msgid "domain name as specified in the SSSD config file."
+ msgstr "назва домену у форматі, вказаному у файлі налаштувань SSSD."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:303 sssd.conf.5.xml:2747
++#: sssd.conf.5.xml:303 sssd.conf.5.xml:2755
+ msgid "%3$s"
+ msgstr "%3$s"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:306 sssd.conf.5.xml:2750
++#: sssd.conf.5.xml:306 sssd.conf.5.xml:2758
+ msgid ""
+ "domain flat name. Mostly usable for Active Directory domains, both directly "
+ "configured or discovered via IPA trusts."
+@@ -619,7 +619,7 @@ msgstr ""
+ "Directory, налаштованих та автоматично виявлених за зв’язками довіри IPA."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:287 sssd.conf.5.xml:2731
++#: sssd.conf.5.xml:287 sssd.conf.5.xml:2739
+ msgid ""
+ "The following expansions are supported: <placeholder type=\"variablelist\" "
+ "id=\"0\"/>"
+@@ -787,9 +787,9 @@ msgstr ""
+ 
+ #. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:418 sssd.conf.5.xml:1166 sssd-ldap.5.xml:717
+-#: sssd-ldap.5.xml:1357 sssd-ldap.5.xml:1711 sssd-ldap.5.xml:1723
+-#: sssd-ldap.5.xml:1805 sssd-ad.5.xml:712 sssd-ad.5.xml:787 sssd.8.xml:126
+-#: sssd-krb5.5.xml:410 sssd-krb5.5.xml:556 sssd-secrets.5.xml:339
++#: sssd-ldap.5.xml:1357 sssd-ldap.5.xml:1718 sssd-ldap.5.xml:1730
++#: sssd-ldap.5.xml:1822 sssd-ad.5.xml:731 sssd-ad.5.xml:806 sssd.8.xml:126
++#: sssd-krb5.5.xml:410 sssd-krb5.5.xml:590 sssd-secrets.5.xml:339
+ #: sssd-secrets.5.xml:377 sssd-secrets.5.xml:390 sssd-secrets.5.xml:404
+ #: sssd-secrets.5.xml:415 include/ldap_id_mapping.xml:205
+ #: include/ldap_id_mapping.xml:216
+@@ -1045,7 +1045,7 @@ msgstr ""
+ "різних доменах можуть бути однаковими."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:588 sssd.conf.5.xml:1389 sssd.conf.5.xml:3172
++#: sssd.conf.5.xml:588 sssd.conf.5.xml:1389 sssd.conf.5.xml:3195
+ #: sssd-ad.5.xml:164 sssd-ad.5.xml:302 sssd-ad.5.xml:316
+ msgid "Default: Not set"
+ msgstr "Типове значення: не встановлено"
+@@ -1455,7 +1455,7 @@ msgstr ""
+ 
+ #. type: Content of: <varlistentry><listitem><para>
+ #: sssd.conf.5.xml:859 sssd.conf.5.xml:1299 sssd.conf.5.xml:1318
+-#: sssd-krb5.5.xml:539 include/override_homedir.xml:59
++#: sssd-krb5.5.xml:573 include/override_homedir.xml:59
+ msgid "example: <placeholder type=\"programlisting\" id=\"0\"/>"
+ msgstr "приклад: <placeholder type=\"programlisting\" id=\"0\"/>"
+ 
+@@ -1970,7 +1970,7 @@ msgid "pam_pwd_expiration_warning (integer)"
+ msgstr "pam_pwd_expiration_warning (ціле число)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:1201 sssd.conf.5.xml:2153
++#: sssd.conf.5.xml:1201 sssd.conf.5.xml:2161
+ msgid "Display a warning N days before the password expires."
+ msgstr ""
+ "Показати попередження за вказану кількість днів перед завершенням дії пароля."
+@@ -1987,7 +1987,7 @@ msgstr ""
+ "попередження."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:1210 sssd.conf.5.xml:2156
++#: sssd.conf.5.xml:1210 sssd.conf.5.xml:2164
+ msgid ""
+ "If zero is set, then this filter is not applied, i.e. if the expiration "
+ "warning was received from backend server, it will automatically be displayed."
+@@ -2006,7 +2006,7 @@ msgstr ""
+ "<emphasis>pwd_expiration_warning</emphasis> для окремого домену."
+ 
+ #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:1220 sssd.conf.5.xml:2976 sssd.8.xml:79
++#: sssd.conf.5.xml:1220 sssd.conf.5.xml:2991 sssd.8.xml:79
+ msgid "Default: 0"
+ msgstr "Типове значення: 0"
+ 
+@@ -2084,7 +2084,7 @@ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:1280 sssd.conf.5.xml:1305 sssd.conf.5.xml:1324
+-#: sssd.conf.5.xml:1950 sssd.conf.5.xml:2912 sssd-ldap.5.xml:2017
++#: sssd.conf.5.xml:1950 sssd.conf.5.xml:2920 sssd-ldap.5.xml:2037
+ msgid "Default: none"
+ msgstr "Типове значення: none"
+ 
+@@ -2163,9 +2163,9 @@ msgstr ""
+ "розпізнавання, типово таку сертифікацію вимкнено."
+ 
+ #. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:1338 sssd.conf.5.xml:3056 sssd-ldap.5.xml:1125
+-#: sssd-ldap.5.xml:1152 sssd-ldap.5.xml:1552 sssd-ldap.5.xml:1573
+-#: sssd-ldap.5.xml:2090 include/ldap_id_mapping.xml:244
++#: sssd.conf.5.xml:1338 sssd-ldap.5.xml:1125 sssd-ldap.5.xml:1152
++#: sssd-ldap.5.xml:1552 sssd-ldap.5.xml:1573 sssd-ldap.5.xml:2110
++#: sssd-ad.5.xml:453 include/ldap_id_mapping.xml:244
+ msgid "Default: False"
+ msgstr "Типове значення: False"
+ 
+@@ -2282,49 +2282,49 @@ msgstr ""
+ "type=\"programlisting\" id=\"0\"/>"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:1416 sssd-ad.5.xml:485 sssd-ad.5.xml:581 sssd-ad.5.xml:627
+-#: sssd-ad.5.xml:673 sssd-ad.5.xml:739
++#: sssd.conf.5.xml:1416 sssd-ad.5.xml:504 sssd-ad.5.xml:600 sssd-ad.5.xml:646
++#: sssd-ad.5.xml:692 sssd-ad.5.xml:758
+ msgid "Default: the default set of PAM service names includes:"
+ msgstr ""
+ "Типове значення: типовий набір назв служб PAM складається з таких значень:"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd.conf.5.xml:1421 sssd-ad.5.xml:489
++#: sssd.conf.5.xml:1421 sssd-ad.5.xml:508
+ msgid "login"
+ msgstr "login"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd.conf.5.xml:1426 sssd-ad.5.xml:494
++#: sssd.conf.5.xml:1426 sssd-ad.5.xml:513
+ msgid "su"
+ msgstr "su"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd.conf.5.xml:1431 sssd-ad.5.xml:499
++#: sssd.conf.5.xml:1431 sssd-ad.5.xml:518
+ msgid "su-l"
+ msgstr "su-l"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd.conf.5.xml:1436 sssd-ad.5.xml:514
++#: sssd.conf.5.xml:1436 sssd-ad.5.xml:533
+ msgid "gdm-smartcard"
+ msgstr "gdm-smartcard"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd.conf.5.xml:1441 sssd-ad.5.xml:509
++#: sssd.conf.5.xml:1441 sssd-ad.5.xml:528
+ msgid "gdm-password"
+ msgstr "gdm-password"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd.conf.5.xml:1446 sssd-ad.5.xml:519
++#: sssd.conf.5.xml:1446 sssd-ad.5.xml:538
+ msgid "kdm"
+ msgstr "kdm"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd.conf.5.xml:1451 sssd-ad.5.xml:748
++#: sssd.conf.5.xml:1451 sssd-ad.5.xml:767
+ msgid "sudo"
+ msgstr "sudo"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd.conf.5.xml:1456 sssd-ad.5.xml:753
++#: sssd.conf.5.xml:1456 sssd-ad.5.xml:772
+ msgid "sudo-i"
+ msgstr "sudo-i"
+ 
+@@ -2870,7 +2870,7 @@ msgid "FALSE = No enumerations for this domain"
+ msgstr "FALSE = не використовувати нумерацію для цього домену"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:1886 sssd.conf.5.xml:2108 sssd.conf.5.xml:2283
++#: sssd.conf.5.xml:1886 sssd.conf.5.xml:2116 sssd.conf.5.xml:2291
+ msgid "Default: FALSE"
+ msgstr "Типове значення: FALSE"
+ 
+@@ -3137,48 +3137,58 @@ msgstr ""
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:2083
+ msgid ""
+-"The background refresh will process users, groups and netgroups in the cache."
++"The background refresh will process users, groups and netgroups in the "
++"cache. For users who have performed the initgroups (get group membership for "
++"user, typically ran at login)  operation in the past, both the user entry "
++"and the group membership are updated."
+ msgstr ""
+-"Під час фонового оновлення виконуватиметься обробка записів користувачів, "
+-"груп та мережевих груп у кеші."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2087
++#: sssd.conf.5.xml:2091
++#, fuzzy
++#| msgid ""
++#| "This option specifies the maximum allowed number of nested containers."
++msgid "This option is automatically inherited for all trusted domains."
++msgstr ""
++"Цей параметр визначає максимальну дозволену кількість вкладених контейнерів."
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
++#: sssd.conf.5.xml:2095
+ msgid "You can consider setting this value to 3/4 * entry_cache_timeout."
+ msgstr ""
+ "Варто визначити для цього параметра значення 3/4 * entry_cache_timeout."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2091 sssd-ldap.5.xml:784 sssd-ipa.5.xml:254
++#: sssd.conf.5.xml:2099 sssd-ldap.5.xml:784 sssd-ipa.5.xml:254
+ msgid "Default: 0 (disabled)"
+ msgstr "Типове значення: 0 (вимкнено)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2097
++#: sssd.conf.5.xml:2105
+ msgid "cache_credentials (bool)"
+ msgstr "cache_credentials (булеве значення)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2100
++#: sssd.conf.5.xml:2108
+ msgid "Determines if user credentials are also cached in the local LDB cache"
+ msgstr ""
+ "Визначає, чи слід також кешувати реєстраційні дані користувача у локальному "
+ "кеші LDB"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2104
++#: sssd.conf.5.xml:2112
+ msgid "User credentials are stored in a SHA512 hash, not in plaintext"
+ msgstr ""
+ "Реєстраційні дані користувача зберігаються у форматі хешу SHA512, а не у "
+ "форматі звичайного тексту"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2114
++#: sssd.conf.5.xml:2122
+ msgid "cache_credentials_minimal_first_factor_length (int)"
+ msgstr "cache_credentials_minimal_first_factor_length (ціле число)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2117
++#: sssd.conf.5.xml:2125
+ msgid ""
+ "If 2-Factor-Authentication (2FA) is used and credentials should be saved "
+ "this value determines the minimal length the first authentication factor "
+@@ -3190,7 +3200,7 @@ msgstr ""
+ "контрольної суми SHA512 у кеші."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2124
++#: sssd.conf.5.xml:2132
+ msgid ""
+ "This should avoid that the short PINs of a PIN based 2FA scheme are saved in "
+ "the cache which would make them easy targets for brute-force attacks."
+@@ -3200,17 +3210,17 @@ msgstr ""
+ "мішенню атак із перебиранням паролів."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2129
++#: sssd.conf.5.xml:2137
+ msgid "Default: 8"
+ msgstr "Типове значення: 8"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2135
++#: sssd.conf.5.xml:2143
+ msgid "account_cache_expiration (integer)"
+ msgstr "account_cache_expiration (ціле число)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2138
++#: sssd.conf.5.xml:2146
+ msgid ""
+ "Number of days entries are left in cache after last successful login before "
+ "being removed during a cleanup of the cache. 0 means keep forever.  The "
+@@ -3223,17 +3233,17 @@ msgstr ""
+ "offline_credentials_expiration."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2145
++#: sssd.conf.5.xml:2153
+ msgid "Default: 0 (unlimited)"
+ msgstr "Типове значення: 0 (без обмежень)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2150
++#: sssd.conf.5.xml:2158
+ msgid "pwd_expiration_warning (integer)"
+ msgstr "pwd_expiration_warning (ціле число)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2161
++#: sssd.conf.5.xml:2169
+ msgid ""
+ "Please note that the backend server has to provide information about the "
+ "expiration time of the password.  If this information is missing, sssd "
+@@ -3246,17 +3256,17 @@ msgstr ""
+ "даних розпізнавання."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2168
++#: sssd.conf.5.xml:2176
+ msgid "Default: 7 (Kerberos), 0 (LDAP)"
+ msgstr "Типове значення: 7 (Kerberos), 0 (LDAP)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2174
++#: sssd.conf.5.xml:2182
+ msgid "id_provider (string)"
+ msgstr "id_provider (рядок)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2177
++#: sssd.conf.5.xml:2185
+ msgid ""
+ "The identification provider used for the domain.  Supported ID providers are:"
+ msgstr ""
+@@ -3264,12 +3274,12 @@ msgstr ""
+ "Серед підтримуваних засобів такі:"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2181
++#: sssd.conf.5.xml:2189
+ msgid "<quote>proxy</quote>: Support a legacy NSS provider."
+ msgstr "«proxy»: підтримка застарілого модуля надання даних NSS"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2184
++#: sssd.conf.5.xml:2192
+ msgid ""
+ "<quote>local</quote>: SSSD internal provider for local users (DEPRECATED)."
+ msgstr ""
+@@ -3277,7 +3287,7 @@ msgstr ""
+ "(ЗАСТАРІЛИЙ)."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2188
++#: sssd.conf.5.xml:2196
+ msgid ""
+ "<quote>files</quote>: FILES provider. See <citerefentry> <refentrytitle>sssd-"
+ "files</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> for more "
+@@ -3289,7 +3299,7 @@ msgstr ""
+ "refentrytitle> <manvolnum>5</manvolnum> </citerefentry>."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2196
++#: sssd.conf.5.xml:2204
+ msgid ""
+ "<quote>ldap</quote>: LDAP provider. See <citerefentry> <refentrytitle>sssd-"
+ "ldap</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> for more "
+@@ -3300,8 +3310,8 @@ msgstr ""
+ "refentrytitle> <manvolnum>5</manvolnum> </citerefentry>."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2204 sssd.conf.5.xml:2309 sssd.conf.5.xml:2364
+-#: sssd.conf.5.xml:2427
++#: sssd.conf.5.xml:2212 sssd.conf.5.xml:2317 sssd.conf.5.xml:2372
++#: sssd.conf.5.xml:2435
+ msgid ""
+ "<quote>ipa</quote>: FreeIPA and Red Hat Enterprise Identity Management "
+ "provider. See <citerefentry> <refentrytitle>sssd-ipa</refentrytitle> "
+@@ -3314,8 +3324,8 @@ msgstr ""
+ "manvolnum> </citerefentry>."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2213 sssd.conf.5.xml:2318 sssd.conf.5.xml:2373
+-#: sssd.conf.5.xml:2436
++#: sssd.conf.5.xml:2221 sssd.conf.5.xml:2326 sssd.conf.5.xml:2381
++#: sssd.conf.5.xml:2444
+ msgid ""
+ "<quote>ad</quote>: Active Directory provider. See <citerefentry> "
+ "<refentrytitle>sssd-ad</refentrytitle> <manvolnum>5</manvolnum> </"
+@@ -3327,12 +3337,12 @@ msgstr ""
+ "citerefentry>."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2224
++#: sssd.conf.5.xml:2232
+ msgid "use_fully_qualified_names (bool)"
+ msgstr "use_fully_qualified_names (булеве значення)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2227
++#: sssd.conf.5.xml:2235
+ msgid ""
+ "Use the full name and domain (as formatted by the domain's full_name_format) "
+ "as the user's login name reported to NSS."
+@@ -3342,7 +3352,7 @@ msgstr ""
+ "NSS."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2232
++#: sssd.conf.5.xml:2240
+ msgid ""
+ "If set to TRUE, all requests to this domain must use fully qualified names. "
+ "For example, if used in LOCAL domain that contains a \"test\" user, "
+@@ -3355,7 +3365,7 @@ msgstr ""
+ "не покаже користувача, а <command>getent passwd test@LOCAL</command> покаже."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2240
++#: sssd.conf.5.xml:2248
+ msgid ""
+ "NOTE: This option has no effect on netgroup lookups due to their tendency to "
+ "include nested netgroups without qualified names. For netgroups, all domains "
+@@ -3366,22 +3376,22 @@ msgstr ""
+ "груп, якщо задано неповну назву, буде виконано пошук у всіх доменах."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2247
++#: sssd.conf.5.xml:2255
+ msgid "Default: FALSE (TRUE if default_domain_suffix is used)"
+ msgstr "Типове значення: FALSE (TRUE, якщо використано default_domain_suffix)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2253
++#: sssd.conf.5.xml:2261
+ msgid "ignore_group_members (bool)"
+ msgstr "ignore_group_members (булеве значення)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2256
++#: sssd.conf.5.xml:2264
+ msgid "Do not return group members for group lookups."
+ msgstr "Не повертати записи учасників груп для пошуків груп."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2259
++#: sssd.conf.5.xml:2267
+ msgid ""
+ "If set to TRUE, the group membership attribute is not requested from the "
+ "ldap server, and group members are not returned when processing group lookup "
+@@ -3400,7 +3410,7 @@ msgstr ""
+ "$groupname</quote> поверне запитану групу так, наче вона була порожня."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2277
++#: sssd.conf.5.xml:2285
+ msgid ""
+ "Enabling this option can also make access provider checks for group "
+ "membership significantly faster, especially for groups containing many "
+@@ -3411,12 +3421,12 @@ msgstr ""
+ "учасників."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2288
++#: sssd.conf.5.xml:2296
+ msgid "auth_provider (string)"
+ msgstr "auth_provider (рядок)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2291
++#: sssd.conf.5.xml:2299
+ msgid ""
+ "The authentication provider used for the domain.  Supported auth providers "
+ "are:"
+@@ -3425,7 +3435,7 @@ msgstr ""
+ "служб розпізнавання:"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2295 sssd.conf.5.xml:2357
++#: sssd.conf.5.xml:2303 sssd.conf.5.xml:2365
+ msgid ""
+ "<quote>ldap</quote> for native LDAP authentication. See <citerefentry> "
+ "<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
+@@ -3437,7 +3447,7 @@ msgstr ""
+ "citerefentry>."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2302
++#: sssd.conf.5.xml:2310
+ msgid ""
+ "<quote>krb5</quote> for Kerberos authentication. See <citerefentry> "
+ "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </"
+@@ -3449,23 +3459,23 @@ msgstr ""
+ "citerefentry>."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2326
++#: sssd.conf.5.xml:2334
+ msgid ""
+ "<quote>proxy</quote> for relaying authentication to some other PAM target."
+ msgstr "<quote>proxy</quote> — трансльоване розпізнавання у іншій системі PAM."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2329
++#: sssd.conf.5.xml:2337
+ msgid "<quote>local</quote>: SSSD internal provider for local users"
+ msgstr "<quote>local</quote>: вбудований засіб SSSD для локальних користувачів"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2333
++#: sssd.conf.5.xml:2341
+ msgid "<quote>none</quote> disables authentication explicitly."
+ msgstr "<quote>none</quote> — вимкнути розпізнавання повністю."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2336
++#: sssd.conf.5.xml:2344
+ msgid ""
+ "Default: <quote>id_provider</quote> is used if it is set and can handle "
+ "authentication requests."
+@@ -3474,12 +3484,12 @@ msgstr ""
+ "спосіб встановлено і можлива обробка запитів щодо розпізнавання."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2342
++#: sssd.conf.5.xml:2350
+ msgid "access_provider (string)"
+ msgstr "access_provider (рядок)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2345
++#: sssd.conf.5.xml:2353
+ msgid ""
+ "The access control provider used for the domain.  There are two built-in "
+ "access providers (in addition to any included in installed backends)  "
+@@ -3490,7 +3500,7 @@ msgstr ""
+ "Вбудованими програмами є:"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2351
++#: sssd.conf.5.xml:2359
+ msgid ""
+ "<quote>permit</quote> always allow access. It's the only permitted access "
+ "provider for a local domain."
+@@ -3499,12 +3509,12 @@ msgstr ""
+ "доступу для локального домену."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2354
++#: sssd.conf.5.xml:2362
+ msgid "<quote>deny</quote> always deny access."
+ msgstr "<quote>deny</quote> — завжди забороняти доступ."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2381
++#: sssd.conf.5.xml:2389
+ msgid ""
+ "<quote>simple</quote> access control based on access or deny lists. See "
+ "<citerefentry> <refentrytitle>sssd-simple</refentrytitle> <manvolnum>5</"
+@@ -3517,7 +3527,7 @@ msgstr ""
+ "refentrytitle> <manvolnum>5</manvolnum></citerefentry>."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2388
++#: sssd.conf.5.xml:2396
+ msgid ""
+ "<quote>krb5</quote>: .k5login based access control.  See <citerefentry> "
+ "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum></"
+@@ -3529,24 +3539,24 @@ msgstr ""
+ "manvolnum> </citerefentry>."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2395
++#: sssd.conf.5.xml:2403
+ msgid "<quote>proxy</quote> for relaying access control to another PAM module."
+ msgstr ""
+ "<quote>proxy</quote> — для трансляції керування доступом до іншого модуля "
+ "PAM."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2398
++#: sssd.conf.5.xml:2406
+ msgid "Default: <quote>permit</quote>"
+ msgstr "Типове значення: <quote>permit</quote>"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2403
++#: sssd.conf.5.xml:2411
+ msgid "chpass_provider (string)"
+ msgstr "chpass_provider (рядок)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2406
++#: sssd.conf.5.xml:2414
+ msgid ""
+ "The provider which should handle change password operations for the domain.  "
+ "Supported change password providers are:"
+@@ -3555,7 +3565,7 @@ msgstr ""
+ "підтримку таких систем зміни паролів:"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2411
++#: sssd.conf.5.xml:2419
+ msgid ""
+ "<quote>ldap</quote> to change a password stored in a LDAP server. See "
+ "<citerefentry> <refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</"
+@@ -3567,7 +3577,7 @@ msgstr ""
+ "manvolnum> </citerefentry>."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2419
++#: sssd.conf.5.xml:2427
+ msgid ""
+ "<quote>krb5</quote> to change the Kerberos password. See <citerefentry> "
+ "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </"
+@@ -3579,18 +3589,18 @@ msgstr ""
+ "citerefentry>."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2444
++#: sssd.conf.5.xml:2452
+ msgid ""
+ "<quote>proxy</quote> for relaying password changes to some other PAM target."
+ msgstr "<quote>proxy</quote> — трансльована зміна пароля у іншій системі PAM."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2448
++#: sssd.conf.5.xml:2456
+ msgid "<quote>none</quote> disallows password changes explicitly."
+ msgstr "<quote>none</quote> — явно вимкнути можливість зміни пароля."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2451
++#: sssd.conf.5.xml:2459
+ msgid ""
+ "Default: <quote>auth_provider</quote> is used if it is set and can handle "
+ "change password requests."
+@@ -3599,19 +3609,19 @@ msgstr ""
+ "цього параметра і якщо система здатна обробляти запити щодо паролів."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2458
++#: sssd.conf.5.xml:2466
+ msgid "sudo_provider (string)"
+ msgstr "sudo_provider (рядок)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2461
++#: sssd.conf.5.xml:2469
+ msgid "The SUDO provider used for the domain.  Supported SUDO providers are:"
+ msgstr ""
+ "Служба SUDO, яку використано для цього домену. Серед підтримуваних служб "
+ "SUDO:"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2465
++#: sssd.conf.5.xml:2473
+ msgid ""
+ "<quote>ldap</quote> for rules stored in LDAP. See <citerefentry> "
+ "<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
+@@ -3623,7 +3633,7 @@ msgstr ""
+ "citerefentry>."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2473
++#: sssd.conf.5.xml:2481
+ msgid ""
+ "<quote>ipa</quote> the same as <quote>ldap</quote> but with IPA default "
+ "settings."
+@@ -3632,7 +3642,7 @@ msgstr ""
+ "параметрами IPA."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2477
++#: sssd.conf.5.xml:2485
+ msgid ""
+ "<quote>ad</quote> the same as <quote>ldap</quote> but with AD default "
+ "settings."
+@@ -3641,20 +3651,20 @@ msgstr ""
+ "параметрами AD."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2481
++#: sssd.conf.5.xml:2489
+ msgid "<quote>none</quote> disables SUDO explicitly."
+ msgstr "<quote>none</quote> явним чином вимикає SUDO."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2484 sssd.conf.5.xml:2570 sssd.conf.5.xml:2640
+-#: sssd.conf.5.xml:2665
++#: sssd.conf.5.xml:2492 sssd.conf.5.xml:2578 sssd.conf.5.xml:2648
++#: sssd.conf.5.xml:2673
+ msgid "Default: The value of <quote>id_provider</quote> is used if it is set."
+ msgstr ""
+ "Типове значення: використовується значення <quote>id_provider</quote>, якщо "
+ "його встановлено."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2488
++#: sssd.conf.5.xml:2496
+ msgid ""
+ "The detailed instructions for configuration of sudo_provider are in the "
+ "manual page <citerefentry> <refentrytitle>sssd-sudo</refentrytitle> "
+@@ -3673,7 +3683,7 @@ msgstr ""
+ "citerefentry>."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2503
++#: sssd.conf.5.xml:2511
+ msgid ""
+ "<emphasis>NOTE:</emphasis> Sudo rules are periodically downloaded in the "
+ "background unless the sudo provider is explicitly disabled. Set "
+@@ -3687,12 +3697,12 @@ msgstr ""
+ "sudo у SSSD."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2513
++#: sssd.conf.5.xml:2521
+ msgid "selinux_provider (string)"
+ msgstr "selinux_provider (рядок)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2516
++#: sssd.conf.5.xml:2524
+ msgid ""
+ "The provider which should handle loading of selinux settings. Note that this "
+ "provider will be called right after access provider ends.  Supported selinux "
+@@ -3703,7 +3713,7 @@ msgstr ""
+ "доступу. Передбачено підтримку таких засобів надання даних SELinux:"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2522
++#: sssd.conf.5.xml:2530
+ msgid ""
+ "<quote>ipa</quote> to load selinux settings from an IPA server. See "
+ "<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</"
+@@ -3715,14 +3725,14 @@ msgstr ""
+ "manvolnum> </citerefentry>."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2530
++#: sssd.conf.5.xml:2538
+ msgid "<quote>none</quote> disallows fetching selinux settings explicitly."
+ msgstr ""
+ "<quote>none</quote> явним чином забороняє отримання даних щодо параметрів "
+ "SELinux."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2533
++#: sssd.conf.5.xml:2541
+ msgid ""
+ "Default: <quote>id_provider</quote> is used if it is set and can handle "
+ "selinux loading requests."
+@@ -3731,12 +3741,12 @@ msgstr ""
+ "спосіб встановлено і можлива обробка запитів щодо завантаження SELinux."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2539
++#: sssd.conf.5.xml:2547
+ msgid "subdomains_provider (string)"
+ msgstr "subdomains_provider (рядок)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2542
++#: sssd.conf.5.xml:2550
+ msgid ""
+ "The provider which should handle fetching of subdomains. This value should "
+ "be always the same as id_provider.  Supported subdomain providers are:"
+@@ -3746,7 +3756,7 @@ msgstr ""
+ "підтримку таких засобів надання даних піддоменів:"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2548
++#: sssd.conf.5.xml:2556
+ msgid ""
+ "<quote>ipa</quote> to load a list of subdomains from an IPA server. See "
+ "<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</"
+@@ -3758,7 +3768,7 @@ msgstr ""
+ "manvolnum> </citerefentry>."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2557
++#: sssd.conf.5.xml:2565
+ msgid ""
+ "<quote>ad</quote> to load a list of subdomains from an Active Directory "
+ "server. See <citerefentry> <refentrytitle>sssd-ad</refentrytitle> "
+@@ -3771,17 +3781,17 @@ msgstr ""
+ "налаштовування засобу надання даних AD."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2566
++#: sssd.conf.5.xml:2574
+ msgid "<quote>none</quote> disallows fetching subdomains explicitly."
+ msgstr "<quote>none</quote> забороняє ячним чином отримання даних піддоменів."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2576
++#: sssd.conf.5.xml:2584
+ msgid "session_provider (string)"
+ msgstr "session_provider (рядок)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2579
++#: sssd.conf.5.xml:2587
+ msgid ""
+ "The provider which configures and manages user session related tasks. The "
+ "only user session task currently provided is the integration with Fleet "
+@@ -3793,14 +3803,14 @@ msgstr ""
+ "постачальники даних сеансів:"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2586
++#: sssd.conf.5.xml:2594
+ msgid "<quote>ipa</quote> to allow performing user session related tasks."
+ msgstr ""
+ "<quote>ipa</quote>, щоб дозволити пов'язані із сеансами користувачів "
+ "завдання."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2590
++#: sssd.conf.5.xml:2598
+ msgid ""
+ "<quote>none</quote> does not perform any kind of user session related tasks."
+ msgstr ""
+@@ -3808,7 +3818,7 @@ msgstr ""
+ "користувачів завдань."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2594
++#: sssd.conf.5.xml:2602
+ msgid ""
+ "Default: <quote>id_provider</quote> is used if it is set and can perform "
+ "session related tasks."
+@@ -3817,7 +3827,7 @@ msgstr ""
+ "його встановлено і дозволено виконувати пов'язані із сеансами завдання."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2598
++#: sssd.conf.5.xml:2606
+ msgid ""
+ "<emphasis>NOTE:</emphasis> In order to have this feature working as expected "
+ "SSSD must be running as \"root\" and not as the unprivileged user."
+@@ -3827,12 +3837,12 @@ msgstr ""
+ "непривілейованого користувача."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2606
++#: sssd.conf.5.xml:2614
+ msgid "autofs_provider (string)"
+ msgstr "autofs_provider (рядок)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2609
++#: sssd.conf.5.xml:2617
+ msgid ""
+ "The autofs provider used for the domain.  Supported autofs providers are:"
+ msgstr ""
+@@ -3840,7 +3850,7 @@ msgstr ""
+ "autofs:"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2613
++#: sssd.conf.5.xml:2621
+ msgid ""
+ "<quote>ldap</quote> to load maps stored in LDAP. See <citerefentry> "
+ "<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
+@@ -3852,7 +3862,7 @@ msgstr ""
+ "citerefentry>."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2620
++#: sssd.conf.5.xml:2628
+ msgid ""
+ "<quote>ipa</quote> to load maps stored in an IPA server. See <citerefentry> "
+ "<refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</manvolnum> </"
+@@ -3864,7 +3874,7 @@ msgstr ""
+ "manvolnum> </citerefentry>."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2628
++#: sssd.conf.5.xml:2636
+ msgid ""
+ "<quote>ad</quote> to load maps stored in an AD server. See <citerefentry> "
+ "<refentrytitle>sssd-ad</refentrytitle> <manvolnum>5</manvolnum> </"
+@@ -3876,17 +3886,17 @@ msgstr ""
+ "надання даних AD."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2637
++#: sssd.conf.5.xml:2645
+ msgid "<quote>none</quote> disables autofs explicitly."
+ msgstr "<quote>none</quote> вимикає autofs повністю."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2647
++#: sssd.conf.5.xml:2655
+ msgid "hostid_provider (string)"
+ msgstr "hostid_provider (рядок)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2650
++#: sssd.conf.5.xml:2658
+ msgid ""
+ "The provider used for retrieving host identity information.  Supported "
+ "hostid providers are:"
+@@ -3895,7 +3905,7 @@ msgstr ""
+ "вузла. Серед підтримуваних засобів надання hostid:"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2654
++#: sssd.conf.5.xml:2662
+ msgid ""
+ "<quote>ipa</quote> to load host identity stored in an IPA server. See "
+ "<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</"
+@@ -3907,12 +3917,12 @@ msgstr ""
+ "manvolnum> </citerefentry>."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2662
++#: sssd.conf.5.xml:2670
+ msgid "<quote>none</quote> disables hostid explicitly."
+ msgstr "<quote>none</quote> вимикає hostid повністю."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2675
++#: sssd.conf.5.xml:2683
+ msgid ""
+ "Regular expression for this domain that describes how to parse the string "
+ "containing user name and domain into these components.  The \"domain\" can "
+@@ -3926,7 +3936,7 @@ msgstr ""
+ "IPA та доменів Active Directory, простій назві (NetBIOS) домену."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2684
++#: sssd.conf.5.xml:2692
+ msgid ""
+ "Default for the AD and IPA provider: <quote>(((?P&lt;domain&gt;[^\\\\]+)\\"
+ "\\(?P&lt;name&gt;.+$))|((?P&lt;name&gt;[^@]+)@(?P&lt;domain&gt;.+$))|(^(?"
+@@ -3939,22 +3949,22 @@ msgstr ""
+ "різні стилі запису імен користувачів:"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd.conf.5.xml:2689
++#: sssd.conf.5.xml:2697
+ msgid "username"
+ msgstr "користувач"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd.conf.5.xml:2692
++#: sssd.conf.5.xml:2700
+ msgid "username@domain.name"
+ msgstr "користувач@назва.домену"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd.conf.5.xml:2695
++#: sssd.conf.5.xml:2703
+ msgid "domain\\username"
+ msgstr "домен\\користувач"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2698
++#: sssd.conf.5.xml:2706
+ msgid ""
+ "While the first two correspond to the general default the third one is "
+ "introduced to allow easy integration of users from Windows domains."
+@@ -3963,7 +3973,7 @@ msgstr ""
+ "того, щоб полегшити інтеграцію користувачів з доменів Windows."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2703
++#: sssd.conf.5.xml:2711
+ msgid ""
+ "Default: <quote>(?P&lt;name&gt;[^@]+)@?(?P&lt;domain&gt;[^@]*$)</quote> "
+ "which translates to \"the name is everything up to the <quote>@</quote> "
+@@ -3974,7 +3984,7 @@ msgstr ""
+ "домену — все після цього символу."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2709
++#: sssd.conf.5.xml:2717
+ msgid ""
+ "NOTE: Some Active Directory groups, typically those used for MS Exchange "
+ "contain an <quote>@</quote> sign in the name, which clashes with the default "
+@@ -3990,17 +4000,17 @@ msgstr ""
+ "[^@]+$))</quote>."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2760
++#: sssd.conf.5.xml:2768
+ msgid "Default: <quote>%1$s@%2$s</quote>."
+ msgstr "Типове значення: <quote>%1$s@%2$s</quote>."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2766
++#: sssd.conf.5.xml:2774
+ msgid "lookup_family_order (string)"
+ msgstr "lookup_family_order (рядок)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2769
++#: sssd.conf.5.xml:2777
+ msgid ""
+ "Provides the ability to select preferred address family to use when "
+ "performing DNS lookups."
+@@ -4009,48 +4019,48 @@ msgstr ""
+ "під час виконання пошуків у DNS."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2773
++#: sssd.conf.5.xml:2781
+ msgid "Supported values:"
+ msgstr "Передбачено підтримку таких значень:"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2776
++#: sssd.conf.5.xml:2784
+ msgid "ipv4_first: Try looking up IPv4 address, if that fails, try IPv6"
+ msgstr ""
+ "ipv4_first: спробувати визначити адресу у форматі IPv4, у разі невдачі "
+ "спробувати формат IPv6"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2779
++#: sssd.conf.5.xml:2787
+ msgid "ipv4_only: Only attempt to resolve hostnames to IPv4 addresses."
+ msgstr ""
+ "ipv4_only: намагатися визначити назви вузлів лише у форматі адрес IPv4."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2782
++#: sssd.conf.5.xml:2790
+ msgid "ipv6_first: Try looking up IPv6 address, if that fails, try IPv4"
+ msgstr ""
+ "ipv6_first: спробувати визначити адресу у форматі IPv6, у разі невдачі "
+ "спробувати формат IPv4"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2785
++#: sssd.conf.5.xml:2793
+ msgid "ipv6_only: Only attempt to resolve hostnames to IPv6 addresses."
+ msgstr ""
+ "ipv6_only: намагатися визначити назви вузлів лише у форматі адрес IPv6."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2788
++#: sssd.conf.5.xml:2796
+ msgid "Default: ipv4_first"
+ msgstr "Типове значення: ipv4_first"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2794
++#: sssd.conf.5.xml:2802
+ msgid "dns_resolver_timeout (integer)"
+ msgstr "dns_resolver_timeout (ціле число)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2797
++#: sssd.conf.5.xml:2805
+ msgid ""
+ "Defines the amount of time (in seconds) to wait for a reply from the "
+ "internal fail over service before assuming that the service is unreachable. "
+@@ -4063,7 +4073,7 @@ msgstr ""
+ "роботу у автономному режимі."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2804
++#: sssd.conf.5.xml:2812
+ msgid ""
+ "Please see the section <quote>FAILOVER</quote> for more information about "
+ "the service resolution."
+@@ -4072,18 +4082,18 @@ msgstr ""
+ "більше про розв'язування питань, пов'язаних із службами."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2809 sssd-ldap.5.xml:1434 sssd-ldap.5.xml:1476
++#: sssd.conf.5.xml:2817 sssd-ldap.5.xml:1434 sssd-ldap.5.xml:1476
+ #: sssd-ldap.5.xml:1494 sssd-krb5.5.xml:248
+ msgid "Default: 6"
+ msgstr "Типове значення: 6"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2815
++#: sssd.conf.5.xml:2823
+ msgid "dns_discovery_domain (string)"
+ msgstr "dns_discovery_domain (рядок)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2818
++#: sssd.conf.5.xml:2826
+ msgid ""
+ "If service discovery is used in the back end, specifies the domain part of "
+ "the service discovery DNS query."
+@@ -4092,54 +4102,54 @@ msgstr ""
+ "частину запиту визначення служб DNS."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2822
++#: sssd.conf.5.xml:2830
+ msgid "Default: Use the domain part of machine's hostname"
+ msgstr ""
+ "Типова поведінка: використовувати назву домену з назви вузла комп’ютера."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2828
++#: sssd.conf.5.xml:2836
+ msgid "override_gid (integer)"
+ msgstr "override_gid (ціле число)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2831
++#: sssd.conf.5.xml:2839
+ msgid "Override the primary GID value with the one specified."
+ msgstr "Замірити значення основного GID на вказане."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2837
++#: sssd.conf.5.xml:2845
+ msgid "case_sensitive (string)"
+ msgstr "case_sensitive (рядок)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2845
++#: sssd.conf.5.xml:2853
+ msgid "True"
+ msgstr "True"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2848
++#: sssd.conf.5.xml:2856
+ msgid "Case sensitive. This value is invalid for AD provider."
+ msgstr ""
+ "Враховується регістр. Це значення є некоректним для засобу надання даних AD."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2854
++#: sssd.conf.5.xml:2862
+ msgid "False"
+ msgstr "False"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2856
++#: sssd.conf.5.xml:2864
+ msgid "Case insensitive."
+ msgstr "Без врахування регістру."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2860
++#: sssd.conf.5.xml:2868
+ msgid "Preserving"
+ msgstr "Preserving"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2863
++#: sssd.conf.5.xml:2871
+ msgid ""
+ "Same as False (case insensitive), but does not lowercase names in the result "
+ "of NSS operations. Note that name aliases (and in case of services also "
+@@ -4151,7 +4161,7 @@ msgstr ""
+ "буде переведено у нижній регістр."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2840
++#: sssd.conf.5.xml:2848
+ #, fuzzy
+ #| msgid ""
+ #| "Treat user and group names as case sensitive.  <phrase condition="
+@@ -4169,17 +4179,17 @@ msgstr ""
+ "<placeholder type=\"variablelist\" id=\"0\"/>"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2875
++#: sssd.conf.5.xml:2883
+ msgid "Default: True (False for AD provider)"
+ msgstr "Типове значення: True (False для засобу надання даних AD)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2881
++#: sssd.conf.5.xml:2889
+ msgid "subdomain_inherit (string)"
+ msgstr "subdomain_inherit (рядок)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2884
++#: sssd.conf.5.xml:2892
+ msgid ""
+ "Specifies a list of configuration parameters that should be inherited by a "
+ "subdomain. Please note that only selected parameters can be inherited.  "
+@@ -4191,27 +4201,27 @@ msgstr ""
+ "параметрів:"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2890
++#: sssd.conf.5.xml:2898
+ msgid "ignore_group_members"
+ msgstr "ignore_group_members"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2893
++#: sssd.conf.5.xml:2901
+ msgid "ldap_purge_cache_timeout"
+ msgstr "ldap_purge_cache_timeout"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2896 sssd-ldap.5.xml:1158
++#: sssd.conf.5.xml:2904 sssd-ldap.5.xml:1158
+ msgid "ldap_use_tokengroups"
+ msgstr "ldap_use_tokengroups"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2899
++#: sssd.conf.5.xml:2907
+ msgid "ldap_user_principal"
+ msgstr "ldap_user_principal"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2902
++#: sssd.conf.5.xml:2910
+ msgid ""
+ "ldap_krb5_keytab (the value of krb5_keytab will be used if ldap_krb5_keytab "
+ "is not set explicitly)"
+@@ -4220,7 +4230,7 @@ msgstr ""
+ "ldap_krb5_keytab не встановлено явним чином)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
+-#: sssd.conf.5.xml:2908
++#: sssd.conf.5.xml:2916
+ #, no-wrap
+ msgid ""
+ "subdomain_inherit = ldap_purge_cache_timeout\n"
+@@ -4230,33 +4240,33 @@ msgstr ""
+ "                            "
+ 
+ #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2906 sssd-secrets.5.xml:448
++#: sssd.conf.5.xml:2914 sssd-secrets.5.xml:448
+ msgid "Example: <placeholder type=\"programlisting\" id=\"0\"/>"
+ msgstr "Приклад: <placeholder type=\"programlisting\" id=\"0\"/>"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2915
++#: sssd.conf.5.xml:2923
+ msgid "Note: This option only works with the IPA and AD provider."
+ msgstr ""
+ "Зауваження: цей параметр працює лише для засобів надання даних IPA і AD."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2922
++#: sssd.conf.5.xml:2930
+ msgid "subdomain_homedir (string)"
+ msgstr "subdomain_homedir (рядок)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2933
++#: sssd.conf.5.xml:2941
+ msgid "%F"
+ msgstr "%F"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2934
++#: sssd.conf.5.xml:2942
+ msgid "flat (NetBIOS) name of a subdomain."
+ msgstr "спрощена (NetBIOS) назва піддомену."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2925
++#: sssd.conf.5.xml:2933
+ msgid ""
+ "Use this homedir as default value for all subdomains within this domain in "
+ "IPA AD trust.  See <emphasis>override_homedir</emphasis> for info about "
+@@ -4271,7 +4281,7 @@ msgstr ""
+ "emphasis>.  <placeholder type=\"variablelist\" id=\"0\"/>"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2939
++#: sssd.conf.5.xml:2947
+ msgid ""
+ "The value can be overridden by <emphasis>override_homedir</emphasis> option."
+ msgstr ""
+@@ -4279,17 +4289,17 @@ msgstr ""
+ "emphasis>."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2943
++#: sssd.conf.5.xml:2951
+ msgid "Default: <filename>/home/%d/%u</filename>"
+ msgstr "Типове значення: <filename>/home/%d/%u</filename>"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2948
++#: sssd.conf.5.xml:2956
+ msgid "realmd_tags (string)"
+ msgstr "realmd_tags (рядок)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2951
++#: sssd.conf.5.xml:2959
+ msgid ""
+ "Various tags stored by the realmd configuration service for this domain."
+ msgstr ""
+@@ -4297,28 +4307,41 @@ msgstr ""
+ "домену."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2957
++#: sssd.conf.5.xml:2965
+ msgid "cached_auth_timeout (int)"
+ msgstr "cached_auth_timeout (ціле число)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2960
++#: sssd.conf.5.xml:2968
++#, fuzzy
++#| msgid ""
++#| "Specifies time in seconds since last successful online authentication for "
++#| "which user will be authenticated using cached credentials while SSSD is "
++#| "in the online mode."
+ msgid ""
+ "Specifies time in seconds since last successful online authentication for "
+ "which user will be authenticated using cached credentials while SSSD is in "
+-"the online mode."
++"the online mode. If the credentials are incorrect, SSSD falls back to online "
++"authentication."
+ msgstr ""
+ "Визначає час у секундах з моменту останнього успішного розпізнавання у "
+ "мережі, для якого користувача буде розпізнано за допомогою кешованих "
+ "реєстраційних даних, доки SSSD перебуває у режимі «у мережі»."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2966
++#: sssd.conf.5.xml:2976
++msgid ""
++"This option's value is inherited by all trusted domains. At the moment it is "
++"not possible to set a different value per trusted domain."
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
++#: sssd.conf.5.xml:2981
+ msgid "Special value 0 implies that this feature is disabled."
+ msgstr "Спеціальне значення 0 означає, що цю можливість вимкнено."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2970
++#: sssd.conf.5.xml:2985
+ msgid ""
+ "Please note that if <quote>cached_auth_timeout</quote> is longer than "
+ "<quote>pam_id_timeout</quote> then the back end could be called to handle "
+@@ -4329,17 +4352,17 @@ msgstr ""
+ "обробки <quote>initgroups</quote>."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2981
++#: sssd.conf.5.xml:2996
+ msgid "auto_private_groups (string)"
+ msgstr "auto_private_groups (рядок)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2987
++#: sssd.conf.5.xml:3002
+ msgid "true"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2990
++#: sssd.conf.5.xml:3005
+ #, fuzzy
+ #| msgid ""
+ #| "If this option is enabled, SSSD will automatically create user private "
+@@ -4352,27 +4375,40 @@ msgstr ""
+ "користувачів на основі номера UID користувача. Номер GID у цьому випадку "
+ "ігноруватиметься."
+ 
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
++#: sssd.conf.5.xml:3009
++msgid ""
++"NOTE: Because the GID number and the user private group are inferred from "
++"the UID number, it is not supported to have multiple entries with the same "
++"UID or GID number with this option. In other words, enabling this option "
++"enforces uniqueness across the ID space."
++msgstr ""
++"Зауваження: оскільки номер GID і приватна група користувача успадковуються з "
++"номера UID, підтримки декількох записів із однаковим номером UID або GID у "
++"цьому параметрі не передбачено. Іншими словами, вмикання цього параметра "
++"примусово встановлює унікальність записів у просторі ідентифікаторів."
++
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2996
++#: sssd.conf.5.xml:3018
+ #, fuzzy
+ #| msgid "False"
+ msgid "false"
+ msgstr "False"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2999
++#: sssd.conf.5.xml:3021
+ msgid ""
+ "Always use the user's primary GID number. The GID number must refer to a "
+ "group object in the LDAP database."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:3005
++#: sssd.conf.5.xml:3027
+ msgid "hybrid"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3008
++#: sssd.conf.5.xml:3030
+ msgid ""
+ "A primary group is autogenerated for user entries whose UID and GID numbers "
+ "have the same value and at the same time the GID number does not correspond "
+@@ -4382,14 +4418,14 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3021
++#: sssd.conf.5.xml:3043
+ msgid ""
+ "If the UID and GID of a user are different, then the GID must correspond to "
+ "a group entry, otherwise the GID is simply not resolvable."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3028
++#: sssd.conf.5.xml:3050
+ msgid ""
+ "This feature is useful for environments that wish to stop maintaining a "
+ "separate group objects for the user private groups, but also wish to retain "
+@@ -4397,7 +4433,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2984
++#: sssd.conf.5.xml:2999
+ #, fuzzy
+ #| msgid ""
+ #| "The available options are: <placeholder type=\"variablelist\" id=\"0\"/>"
+@@ -4407,37 +4443,37 @@ msgid ""
+ msgstr "Доступні варіанти: <placeholder type=\"variablelist\" id=\"0\"/>"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3040
++#: sssd.conf.5.xml:3062
+ msgid ""
+-"For POSIX subdomains, setting the option in the main domain is inherited in "
+-"the subdomain."
++"For subdomains, the default value is False for subdomains that use assigned "
++"POSIX IDs and True for subdomains that use automatic ID-mapping."
+ msgstr ""
+-"Для піддоменів POSIX встановлення для цього параметра значення головного "
+-"домену успадковується у піддомені."
+ 
+-#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3044
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
++#: sssd.conf.5.xml:3070
++#, no-wrap
++msgid ""
++"[domain/forest.domain/sub.domain]\n"
++"auto_private_groups = false\n"
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
++#: sssd.conf.5.xml:3076
++#, no-wrap
+ msgid ""
+-"For ID-mapping subdomains, auto_private_groups is already enabled for the "
+-"subdomains and setting it to false will not have any effect for the "
+-"subdomain."
++"[domain/forest.domain]\n"
++"subdomain_inherit = auto_private_groups\n"
++"auto_private_groups = false\n"
+ msgstr ""
+-"Для піддоменів із прив'язкою за ідентифікатором auto_private_groups вже "
+-"увімкнено для піддоменів, встановлення для нього значення false ніяк не "
+-"впливатиме на піддомен."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3049
++#: sssd.conf.5.xml:3067
+ msgid ""
+-"NOTE: Because the GID number and the user private group are inferred from "
+-"the UID number, it is not supported to have multiple entries with the same "
+-"UID or GID number with this option. In other words, enabling this option "
+-"enforces uniqueness across the ID space."
++"The value of auto_private_groups can either be set per subdomains in a "
++"subsection, for example: <placeholder type=\"programlisting\" id=\"0\"/> or "
++"globally for all subdomains in the main domain section using the "
++"subdomain_inherit option: <placeholder type=\"programlisting\" id=\"1\"/>"
+ msgstr ""
+-"Зауваження: оскільки номер GID і приватна група користувача успадковуються з "
+-"номера UID, підтримки декількох записів із однаковим номером UID або GID у "
+-"цьому параметрі не передбачено. Іншими словами, вмикання цього параметра "
+-"примусово встановлює унікальність записів у просторі ідентифікаторів."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+ #: sssd.conf.5.xml:1802
+@@ -4451,17 +4487,17 @@ msgstr ""
+ "quote> <placeholder type=\"variablelist\" id=\"0\"/>"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:3068
++#: sssd.conf.5.xml:3091
+ msgid "proxy_pam_target (string)"
+ msgstr "proxy_pam_target (рядок)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3071
++#: sssd.conf.5.xml:3094
+ msgid "The proxy target PAM proxies to."
+ msgstr "Комп’ютер, для якого виконує проксі-сервер PAM."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3074
++#: sssd.conf.5.xml:3097
+ msgid ""
+ "Default: not set by default, you have to take an existing pam configuration "
+ "or create a new one and add the service name here."
+@@ -4470,12 +4506,12 @@ msgstr ""
+ "налаштуваннями pam або створити нові і тут додати назву служби."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:3082
++#: sssd.conf.5.xml:3105
+ msgid "proxy_lib_name (string)"
+ msgstr "proxy_lib_name (рядок)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3085
++#: sssd.conf.5.xml:3108
+ msgid ""
+ "The name of the NSS library to use in proxy domains. The NSS functions "
+ "searched for in the library are in the form of _nss_$(libName)_$(function), "
+@@ -4486,12 +4522,12 @@ msgstr ""
+ "наприклад _nss_files_getpwent."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:3095
++#: sssd.conf.5.xml:3118
+ msgid "proxy_fast_alias (boolean)"
+ msgstr "proxy_fast_alias (булеве значення)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3098
++#: sssd.conf.5.xml:3121
+ msgid ""
+ "When a user or group is looked up by name in the proxy provider, a second "
+ "lookup by ID is performed to \"canonicalize\" the name in case the requested "
+@@ -4506,12 +4542,12 @@ msgstr ""
+ "у кеші, щоб пришвидшити надання результатів."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:3112
++#: sssd.conf.5.xml:3135
+ msgid "proxy_max_children (integer)"
+ msgstr "proxy_max_children (ціле число)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3115
++#: sssd.conf.5.xml:3138
+ msgid ""
+ "This option specifies the number of pre-forked proxy children. It is useful "
+ "for high-load SSSD environments where sssd may run out of available child "
+@@ -4523,7 +4559,7 @@ msgstr ""
+ "використання черги запитів."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd.conf.5.xml:3064
++#: sssd.conf.5.xml:3087
+ msgid ""
+ "Options valid for proxy domains.  <placeholder type=\"variablelist\" id="
+ "\"0\"/>"
+@@ -4532,12 +4568,12 @@ msgstr ""
+ "\"variablelist\" id=\"0\"/>"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><title>
+-#: sssd.conf.5.xml:3131
++#: sssd.conf.5.xml:3154
+ msgid "Application domains"
+ msgstr "Домени програм (application)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para>
+-#: sssd.conf.5.xml:3133
++#: sssd.conf.5.xml:3156
+ msgid ""
+ "SSSD, with its D-Bus interface (see <citerefentry> <refentrytitle>sssd-ifp</"
+ "refentrytitle> <manvolnum>5</manvolnum> </citerefentry>) is appealing to "
+@@ -4565,7 +4601,7 @@ msgstr ""
+ "який може успадковувати параметр з традиційного домену SSSD."
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para>
+-#: sssd.conf.5.xml:3153
++#: sssd.conf.5.xml:3176
+ msgid ""
+ "Please note that the application domain must still be explicitly enabled in "
+ "the <quote>domains</quote> parameter so that the lookup order between the "
+@@ -4576,17 +4612,17 @@ msgstr ""
+ "його доменом-близнюком у POSIX має бути встановлено належним чином."
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><title>
+-#: sssd.conf.5.xml:3159
++#: sssd.conf.5.xml:3182
+ msgid "Application domain parameters"
+ msgstr "Параметри доменів програм"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:3161
++#: sssd.conf.5.xml:3184
+ msgid "inherit_from (string)"
+ msgstr "inherit_from (рядок)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3164
++#: sssd.conf.5.xml:3187
+ msgid ""
+ "The SSSD POSIX-type domain the application domain inherits all settings "
+ "from. The application domain can moreover add its own settings to the "
+@@ -4598,7 +4634,7 @@ msgstr ""
+ "розширюють або перевизначають параметри домену-<quote>близнюка</quote>."
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para>
+-#: sssd.conf.5.xml:3178
++#: sssd.conf.5.xml:3201
+ msgid ""
+ "The following example illustrates the use of an application domain. In this "
+ "setup, the POSIX domain is connected to an LDAP server and is used by the OS "
+@@ -4613,7 +4649,7 @@ msgstr ""
+ "у кеші і робить атрибут phone доступним через інтерфейс D-Bus."
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><programlisting>
+-#: sssd.conf.5.xml:3186
++#: sssd.conf.5.xml:3209
+ #, no-wrap
+ msgid ""
+ "[sssd]\n"
+@@ -4647,12 +4683,12 @@ msgstr ""
+ "ldap_user_extra_attrs = phone:telephoneNumber\n"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><title>
+-#: sssd.conf.5.xml:3204
++#: sssd.conf.5.xml:3227
+ msgid "The local domain section"
+ msgstr "Розділ локального домену"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para>
+-#: sssd.conf.5.xml:3206
++#: sssd.conf.5.xml:3229
+ msgid ""
+ "This section contains settings for domain that stores users and groups in "
+ "SSSD native database, that is, a domain that uses "
+@@ -4663,29 +4699,29 @@ msgstr ""
+ "використовує <replaceable>id_provider=local</replaceable>."
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:3213
++#: sssd.conf.5.xml:3236
+ msgid "default_shell (string)"
+ msgstr "default_shell (рядок)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3216
++#: sssd.conf.5.xml:3239
+ msgid "The default shell for users created with SSSD userspace tools."
+ msgstr ""
+ "Типова оболонка для записів користувачів, створених за допомогою "
+ "інструментів простору користувачів SSSD."
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3220
++#: sssd.conf.5.xml:3243
+ msgid "Default: <filename>/bin/bash</filename>"
+ msgstr "Типове значення: <filename>/bin/bash</filename>"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:3225
++#: sssd.conf.5.xml:3248
+ msgid "base_directory (string)"
+ msgstr "base_directory (рядок)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3228
++#: sssd.conf.5.xml:3251
+ msgid ""
+ "The tools append the login name to <replaceable>base_directory</replaceable> "
+ "and use that as the home directory."
+@@ -4694,17 +4730,17 @@ msgstr ""
+ "replaceable> і використовують отриману адресу як адресу домашнього каталогу."
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3233
++#: sssd.conf.5.xml:3256
+ msgid "Default: <filename>/home</filename>"
+ msgstr "Типове значення: <filename>/home</filename>"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:3238
++#: sssd.conf.5.xml:3261
+ msgid "create_homedir (bool)"
+ msgstr "create_homedir (булеве значення)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3241
++#: sssd.conf.5.xml:3264
+ msgid ""
+ "Indicate if a home directory should be created by default for new users.  "
+ "Can be overridden on command line."
+@@ -4713,17 +4749,17 @@ msgstr ""
+ "Може бути перевизначено з командного рядка."
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3245 sssd.conf.5.xml:3257
++#: sssd.conf.5.xml:3268 sssd.conf.5.xml:3280
+ msgid "Default: TRUE"
+ msgstr "Типове значення: TRUE"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:3250
++#: sssd.conf.5.xml:3273
+ msgid "remove_homedir (bool)"
+ msgstr "remove_homedir (булівське значення)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3253
++#: sssd.conf.5.xml:3276
+ msgid ""
+ "Indicate if a home directory should be removed by default for deleted "
+ "users.  Can be overridden on command line."
+@@ -4732,12 +4768,12 @@ msgstr ""
+ "користувачів. Може бути перевизначено з командного рядка."
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:3262
++#: sssd.conf.5.xml:3285
+ msgid "homedir_umask (integer)"
+ msgstr "homedir_umask (ціле число)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3265
++#: sssd.conf.5.xml:3288
+ msgid ""
+ "Used by <citerefentry> <refentrytitle>sss_useradd</refentrytitle> "
+ "<manvolnum>8</manvolnum> </citerefentry> to specify the default permissions "
+@@ -4748,17 +4784,17 @@ msgstr ""
+ "до щойно створеного домашнього каталогу."
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3273
++#: sssd.conf.5.xml:3296
+ msgid "Default: 077"
+ msgstr "Типове значення: 077"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:3278
++#: sssd.conf.5.xml:3301
+ msgid "skel_dir (string)"
+ msgstr "skel_dir (рядок)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3281
++#: sssd.conf.5.xml:3304
+ msgid ""
+ "The skeleton directory, which contains files and directories to be copied in "
+ "the user's home directory, when the home directory is created by "
+@@ -4771,17 +4807,17 @@ msgstr ""
+ "<manvolnum>8</manvolnum> </citerefentry>"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3291
++#: sssd.conf.5.xml:3314
+ msgid "Default: <filename>/etc/skel</filename>"
+ msgstr "Типове значення: <filename>/etc/skel</filename>"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:3296
++#: sssd.conf.5.xml:3319
+ msgid "mail_dir (string)"
+ msgstr "mail_dir (рядок)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3299
++#: sssd.conf.5.xml:3322
+ msgid ""
+ "The mail spool directory. This is needed to manipulate the mailbox when its "
+ "corresponding user account is modified or deleted.  If not specified, a "
+@@ -4792,17 +4828,17 @@ msgstr ""
+ "каталог не вказано, буде використано типове значення."
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3306
++#: sssd.conf.5.xml:3329
+ msgid "Default: <filename>/var/mail</filename>"
+ msgstr "Типове значення: <filename>/var/mail</filename>"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:3311
++#: sssd.conf.5.xml:3334
+ msgid "userdel_cmd (string)"
+ msgstr "userdel_cmd (рядок)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3314
++#: sssd.conf.5.xml:3337
+ msgid ""
+ "The command that is run after a user is removed.  The command us passed the "
+ "username of the user being removed as the first and only parameter. The "
+@@ -4813,17 +4849,17 @@ msgstr ""
+ "вилучається. Код виконання, повернутий програмою не обробляється."
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3320
++#: sssd.conf.5.xml:3343
+ msgid "Default: None, no command is run"
+ msgstr "Типове значення: None, не виконувати жодних команд"
+ 
+ #. type: Content of: <reference><refentry><refsect1><title>
+-#: sssd.conf.5.xml:3330
++#: sssd.conf.5.xml:3353
+ msgid "TRUSTED DOMAIN SECTION"
+ msgstr "РОЗДІЛ ДОВІРЕНИХ ДОМЕНІВ"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd.conf.5.xml:3332
++#: sssd.conf.5.xml:3355
+ msgid ""
+ "Some options used in the domain section can also be used in the trusted "
+ "domain section, that is, in a section called <quote>[domain/"
+@@ -4841,52 +4877,59 @@ msgstr ""
+ "такі параметри:"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd.conf.5.xml:3339
++#: sssd.conf.5.xml:3362
+ msgid "ldap_search_base,"
+ msgstr "ldap_search_base,"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd.conf.5.xml:3340
++#: sssd.conf.5.xml:3363
+ msgid "ldap_user_search_base,"
+ msgstr "ldap_user_search_base,"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd.conf.5.xml:3341
++#: sssd.conf.5.xml:3364
+ msgid "ldap_group_search_base,"
+ msgstr "ldap_group_search_base,"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd.conf.5.xml:3342
++#: sssd.conf.5.xml:3365
+ msgid "ldap_netgroup_search_base,"
+ msgstr "ldap_netgroup_search_base,"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd.conf.5.xml:3343
++#: sssd.conf.5.xml:3366
+ msgid "ldap_service_search_base,"
+ msgstr "ldap_service_search_base,"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd.conf.5.xml:3344
++#: sssd.conf.5.xml:3367
++#, fuzzy
++#| msgid "ldap_sasl_mech (string)"
++msgid "ldap_sasl_mech,"
++msgstr "ldap_sasl_mech (рядок)"
++
++#. type: Content of: <reference><refentry><refsect1><para>
++#: sssd.conf.5.xml:3368
+ msgid "ad_server,"
+ msgstr "ad_server,"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd.conf.5.xml:3345
++#: sssd.conf.5.xml:3369
+ msgid "ad_backup_server,"
+ msgstr "ad_backup_server,"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd.conf.5.xml:3346
++#: sssd.conf.5.xml:3370
+ msgid "ad_site,"
+ msgstr "ad_site,"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para>
+-#: sssd.conf.5.xml:3347 sssd-ipa.5.xml:782
++#: sssd.conf.5.xml:3371 sssd-ipa.5.xml:782
+ msgid "use_fully_qualified_names"
+ msgstr "use_fully_qualified_names"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd.conf.5.xml:3349
++#: sssd.conf.5.xml:3373
+ msgid ""
+ "For more details about these options see their individual description in the "
+ "manual page."
+@@ -4895,12 +4938,139 @@ msgstr ""
+ "підручника."
+ 
+ #. type: Content of: <reference><refentry><refsect1><title>
+-#: sssd.conf.5.xml:3355 idmap_sss.8.xml:43
++#: sssd.conf.5.xml:3379
++#, fuzzy
++#| msgid "CONFIGURATION OPTIONS"
++msgid "PROMPTING CONFIGURATION SECTION"
++msgstr "ПАРАМЕТРИ НАЛАШТУВАННЯ"
++
++#. type: Content of: <reference><refentry><refsect1><para>
++#: sssd.conf.5.xml:3381
++msgid ""
++"If a special file (<filename>/var/lib/sss/pubconf/pam_preauth_available</"
++"filename>)  exists SSSD's PAM module pam_sss will ask SSSD to figure out "
++"which authentication methods are available for the user trying to log in.  "
++"Based on the results pam_sss will prompt the user for appropriate "
++"credentials."
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para>
++#: sssd.conf.5.xml:3389
++msgid ""
++"With the growing number of authentication methods and the possibility that "
++"there are multiple ones for a single user the heuristic used by pam_sss to "
++"select the prompting might not be suitable for all use cases. To following "
++"options should provide a better flexibility here."
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
++#: sssd.conf.5.xml:3401
++msgid "[prompting/password]"
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
++#: sssd.conf.5.xml:3404
++#, fuzzy
++#| msgid "password"
++msgid "password_prompt"
++msgstr "password"
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
++#: sssd.conf.5.xml:3405
++msgid "to change the string of the password prompt"
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
++#: sssd.conf.5.xml:3403
++#, fuzzy
++#| msgid ""
++#| "The available options are: <placeholder type=\"variablelist\" id=\"0\"/>"
++msgid ""
++"to configure password prompting, allowed options are: <placeholder type="
++"\"variablelist\" id=\"0\"/>"
++msgstr "Доступні варіанти: <placeholder type=\"variablelist\" id=\"0\"/>"
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
++#: sssd.conf.5.xml:3413
++msgid "[prompting/2fa]"
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
++#: sssd.conf.5.xml:3417
++msgid "first_prompt"
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
++#: sssd.conf.5.xml:3418
++msgid "to change the string of the prompt for the first factor"
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
++#: sssd.conf.5.xml:3421
++msgid "second_prompt"
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
++#: sssd.conf.5.xml:3422
++msgid "to change the string of the prompt for the second factor"
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
++#: sssd.conf.5.xml:3425
++msgid "single_prompt"
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
++#: sssd.conf.5.xml:3426
++msgid ""
++"boolean value, if True there will be only a single prompt using the value of "
++"first_prompt where it is expected that both factor are entered as a single "
++"string"
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
++#: sssd.conf.5.xml:3415
++#, fuzzy
++#| msgid ""
++#| "The available options are: <placeholder type=\"variablelist\" id=\"0\"/>"
++msgid ""
++"to configure two-factor authentication prompting, allowed options are: "
++"<placeholder type=\"variablelist\" id=\"0\"/>"
++msgstr "Доступні варіанти: <placeholder type=\"variablelist\" id=\"0\"/>"
++
++#. type: Content of: <reference><refentry><refsect1><para>
++#: sssd.conf.5.xml:3396
++#, fuzzy
++#| msgid ""
++#| "These options are supported by LDAP domains, but they should be used with "
++#| "caution. Please include them in your configuration only if you know what "
++#| "you are doing.  <placeholder type=\"variablelist\" id=\"0\"/> "
++#| "<placeholder type=\"variablelist\" id=\"1\"/>"
++msgid ""
++"Each supported authentication method has it's own configuration sub-section "
++"under <quote>[prompting/...]</quote>. Currently there are: <placeholder type="
++"\"variablelist\" id=\"0\"/> <placeholder type=\"variablelist\" id=\"1\"/>"
++msgstr ""
++"Підтримку цих параметрів передбачено доменами LDAP, але користуватися ними "
++"слід обережно. Будь ласка, використовуйте їх у налаштуваннях, лише якщо вам "
++"відомі наслідки ваших дій. <placeholder type=\"variablelist\" id=\"0\"/> "
++"<placeholder type=\"variablelist\" id=\"1\"/>"
++
++#. type: Content of: <reference><refentry><refsect1><para>
++#: sssd.conf.5.xml:3438
++msgid ""
++"It is possible to add a sub-section for specific PAM services like e.g. "
++"<quote>[prompting/password/sshd]</quote> to individual change the prompting "
++"for this service."
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><title>
++#: sssd.conf.5.xml:3445 idmap_sss.8.xml:43
+ msgid "EXAMPLES"
+ msgstr "ПРИКЛАДИ"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><programlisting>
+-#: sssd.conf.5.xml:3361
++#: sssd.conf.5.xml:3451
+ #, no-wrap
+ msgid ""
+ "[sssd]\n"
+@@ -4954,7 +5124,7 @@ msgstr ""
+ "enumerate = False\n"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd.conf.5.xml:3357
++#: sssd.conf.5.xml:3447
+ msgid ""
+ "1. The following example shows a typical SSSD config. It does not describe "
+ "configuration of the domains themselves - refer to documentation on "
+@@ -4967,7 +5137,7 @@ msgstr ""
+ "\"programlisting\" id=\"0\"/>"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><programlisting>
+-#: sssd.conf.5.xml:3394
++#: sssd.conf.5.xml:3484
+ #, no-wrap
+ msgid ""
+ "[domain/ipa.com/child.ad.com]\n"
+@@ -4977,7 +5147,7 @@ msgstr ""
+ "use_fully_qualified_names = false\n"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd.conf.5.xml:3388
++#: sssd.conf.5.xml:3478
+ msgid ""
+ "2. The following example shows configuration of IPA AD trust where the AD "
+ "forest consists of two domains in a parent-child structure.  Suppose IPA "
+@@ -6036,7 +6206,7 @@ msgstr "Атрибут LDAP, що відповідає повному імені
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:797 sssd-ldap.5.xml:1199 sssd-ldap.5.xml:1273
+-#: sssd-ldap.5.xml:1382 sssd-ldap.5.xml:2443 sssd-ipa.5.xml:607
++#: sssd-ldap.5.xml:1382 sssd-ldap.5.xml:2463 sssd-ipa.5.xml:607
+ msgid "Default: cn"
+ msgstr "Типове значення: cn"
+ 
+@@ -6838,7 +7008,7 @@ msgstr ""
+ "дії TGT)."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1511 sssd-ldap.5.xml:2600
++#: sssd-ldap.5.xml:1511 sssd-ldap.5.xml:2620
+ msgid "Default: 900 (15 minutes)"
+ msgstr "Типове значення: 900 (15 хвилин)"
+ 
+@@ -6968,13 +7138,16 @@ msgstr ""
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:1604
+ msgid ""
+-"You can turn off dereference lookups completely by setting the value to 0."
++"You can turn off dereference lookups completely by setting the value to 0. "
++"Please note that there are some codepaths in SSSD, like the IPA HBAC "
++"provider, that are only implemented using the dereference call, so even with "
++"dereference explicitly disabled, those parts will still use dereference if "
++"the server supports it and advertises the dereference control in the rootDSE "
++"object."
+ msgstr ""
+-"Ви можете повністю вимкнути пошуки з отриманням значення об’єкта "
+-"(розіменуванням), якщо вкажете значення 0."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1608
++#: sssd-ldap.5.xml:1615
+ msgid ""
+ "A dereference lookup is a means of fetching all group members in a single "
+ "LDAP call.  Different LDAP servers may implement different dereference "
+@@ -6987,7 +7160,7 @@ msgstr ""
+ "OpenLDAP та Active Directory."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1616
++#: sssd-ldap.5.xml:1623
+ msgid ""
+ "<emphasis>Note:</emphasis> If any of the search bases specifies a search "
+ "filter, then the dereference lookup performance enhancement will be disabled "
+@@ -6998,12 +7171,12 @@ msgstr ""
+ "незалежно від використання цього параметра."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1629
++#: sssd-ldap.5.xml:1636
+ msgid "ldap_tls_reqcert (string)"
+ msgstr "ldap_tls_reqcert (рядок)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1632
++#: sssd-ldap.5.xml:1639
+ msgid ""
+ "Specifies what checks to perform on server certificates in a TLS session, if "
+ "any. It can be specified as one of the following values:"
+@@ -7013,7 +7186,7 @@ msgstr ""
+ "таких значень:"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1638
++#: sssd-ldap.5.xml:1645
+ msgid ""
+ "<emphasis>never</emphasis> = The client will not request or check any server "
+ "certificate."
+@@ -7022,7 +7195,7 @@ msgstr ""
+ "жодних сертифікатів сервера."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1642
++#: sssd-ldap.5.xml:1649
+ msgid ""
+ "<emphasis>allow</emphasis> = The server certificate is requested. If no "
+ "certificate is provided, the session proceeds normally. If a bad certificate "
+@@ -7034,7 +7207,7 @@ msgstr ""
+ "режимі."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1649
++#: sssd-ldap.5.xml:1656
+ msgid ""
+ "<emphasis>try</emphasis> = The server certificate is requested. If no "
+ "certificate is provided, the session proceeds normally. If a bad certificate "
+@@ -7045,7 +7218,7 @@ msgstr ""
+ "надано помилковий сертифікат, негайно перервати сеанс."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1655
++#: sssd-ldap.5.xml:1662
+ msgid ""
+ "<emphasis>demand</emphasis> = The server certificate is requested. If no "
+ "certificate is provided, or a bad certificate is provided, the session is "
+@@ -7056,22 +7229,22 @@ msgstr ""
+ "перервати сеанс."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1661
++#: sssd-ldap.5.xml:1668
+ msgid "<emphasis>hard</emphasis> = Same as <quote>demand</quote>"
+ msgstr "<emphasis>hard</emphasis> = те саме, що і <quote>demand</quote>"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1665
++#: sssd-ldap.5.xml:1672
+ msgid "Default: hard"
+ msgstr "Типове значення: hard"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1671
++#: sssd-ldap.5.xml:1678
+ msgid "ldap_tls_cacert (string)"
+ msgstr "ldap_tls_cacert (рядок)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1674
++#: sssd-ldap.5.xml:1681
+ msgid ""
+ "Specifies the file that contains certificates for all of the Certificate "
+ "Authorities that <command>sssd</command> will recognize."
+@@ -7080,7 +7253,7 @@ msgstr ""
+ "розпізнаються <command>sssd</command>."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1679 sssd-ldap.5.xml:1697 sssd-ldap.5.xml:1738
++#: sssd-ldap.5.xml:1686 sssd-ldap.5.xml:1704 sssd-ldap.5.xml:1745
+ msgid ""
+ "Default: use OpenLDAP defaults, typically in <filename>/etc/openldap/ldap."
+ "conf</filename>"
+@@ -7089,12 +7262,12 @@ msgstr ""
+ "у <filename>/etc/openldap/ldap.conf</filename>"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1686
++#: sssd-ldap.5.xml:1693
+ msgid "ldap_tls_cacertdir (string)"
+ msgstr "ldap_tls_cacertdir (рядок)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1689
++#: sssd-ldap.5.xml:1696
+ msgid ""
+ "Specifies the path of a directory that contains Certificate Authority "
+ "certificates in separate individual files. Typically the file names need to "
+@@ -7107,32 +7280,32 @@ msgstr ""
+ "<command>cacertdir_rehash</command>, якщо ця програма є доступною."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1704
++#: sssd-ldap.5.xml:1711
+ msgid "ldap_tls_cert (string)"
+ msgstr "ldap_tls_cert (рядок)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1707
++#: sssd-ldap.5.xml:1714
+ msgid "Specifies the file that contains the certificate for the client's key."
+ msgstr "Визначає файл, який містить сертифікат для ключа клієнта."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1717
++#: sssd-ldap.5.xml:1724
+ msgid "ldap_tls_key (string)"
+ msgstr "ldap_tls_key (рядок)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1720
++#: sssd-ldap.5.xml:1727
+ msgid "Specifies the file that contains the client's key."
+ msgstr "Визначає файл, у якому міститься ключ клієнта."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1729
++#: sssd-ldap.5.xml:1736
+ msgid "ldap_tls_cipher_suite (string)"
+ msgstr "ldap_tls_cipher_suite (рядок)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1732
++#: sssd-ldap.5.xml:1739
+ msgid ""
+ "Specifies acceptable cipher suites.  Typically this is a colon separated "
+ "list.  See <citerefentry><refentrytitle>ldap.conf</refentrytitle> "
+@@ -7144,12 +7317,12 @@ msgstr ""
+ "<manvolnum>5</manvolnum></citerefentry>."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1745
++#: sssd-ldap.5.xml:1752
+ msgid "ldap_id_use_start_tls (boolean)"
+ msgstr "ldap_id_use_start_tls (булеве значення)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1748
++#: sssd-ldap.5.xml:1755
+ msgid ""
+ "Specifies that the id_provider connection must also use <systemitem class="
+ "\"protocol\">tls</systemitem> to protect the channel."
+@@ -7158,12 +7331,12 @@ msgstr ""
+ "class=\"protocol\">tls</systemitem> для захисту каналу."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1758
++#: sssd-ldap.5.xml:1765
+ msgid "ldap_id_mapping (boolean)"
+ msgstr "ldap_id_mapping (булеве значення)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1761
++#: sssd-ldap.5.xml:1768
+ msgid ""
+ "Specifies that SSSD should attempt to map user and group IDs from the "
+ "ldap_user_objectsid and ldap_group_objectsid attributes instead of relying "
+@@ -7175,19 +7348,19 @@ msgstr ""
+ "ldap_group_gid_number."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1767
++#: sssd-ldap.5.xml:1774
+ msgid "Currently this feature supports only ActiveDirectory objectSID mapping."
+ msgstr ""
+ "У поточній версії у цій можливості передбачено підтримку лише встановлення "
+ "відповідності objectSID у ActiveDirectory."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1777
++#: sssd-ldap.5.xml:1784
+ msgid "ldap_min_id, ldap_max_id (integer)"
+ msgstr "ldap_min_id, ldap_max_id (ціле число)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1780
++#: sssd-ldap.5.xml:1787
+ msgid ""
+ "In contrast to the SID based ID mapping which is used if ldap_id_mapping is "
+ "set to true the allowed ID range for ldap_user_uid_number and "
+@@ -7207,32 +7380,47 @@ msgstr ""
+ "ідентифікаторів."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1792
++#: sssd-ldap.5.xml:1799
+ msgid "Default: not set (both options are set to 0)"
+ msgstr ""
+ "Типове значення: не встановлено (обидва параметри встановлено у значення 0)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1798
++#: sssd-ldap.5.xml:1805
+ msgid "ldap_sasl_mech (string)"
+ msgstr "ldap_sasl_mech (рядок)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1801
++#: sssd-ldap.5.xml:1808
++#, fuzzy
++#| msgid ""
++#| "Specify the SASL mechanism to use.  Currently only GSSAPI is tested and "
++#| "supported."
+ msgid ""
+-"Specify the SASL mechanism to use.  Currently only GSSAPI is tested and "
+-"supported."
++"Specify the SASL mechanism to use.  Currently only GSSAPI and GSS-SPNEGO are "
++"tested and supported."
+ msgstr ""
+ "Визначає механізм SASL, який слід використовувати. У поточній версії "
+ "перевірено і підтримується лише механізм GSSAPI."
+ 
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
++#: sssd-ldap.5.xml:1812
++msgid ""
++"If the backend supports sub-domains the value of ldap_sasl_mech is "
++"automatically inherited to the sub-domains. If a different value is needed "
++"for a sub-domain it can be overwritten by setting ldap_sasl_mech for this "
++"sub-domain explicitly.  Please see TRUSTED DOMAIN SECTION in "
++"<citerefentry><refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</"
++"manvolnum></citerefentry> for details."
++msgstr ""
++
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1811
++#: sssd-ldap.5.xml:1828
+ msgid "ldap_sasl_authid (string)"
+ msgstr "ldap_sasl_authid (рядок)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
+-#: sssd-ldap.5.xml:1822
++#: sssd-ldap.5.xml:1840
+ #, no-wrap
+ msgid ""
+ "hostname@REALM\n"
+@@ -7252,15 +7440,24 @@ msgstr ""
+ "                            "
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1814
+-msgid ""
+-"Specify the SASL authorization id to use.  When GSSAPI is used, this "
+-"represents the Kerberos principal used for authentication to the directory.  "
+-"This option can either contain the full principal (for example host/"
+-"myhost@EXAMPLE.COM) or just the principal name (for example host/myhost). By "
+-"default, the value is not set and the following principals are used: "
+-"<placeholder type=\"programlisting\" id=\"0\"/> If none of them are found, "
+-"the first principal in keytab is returned."
++#: sssd-ldap.5.xml:1831
++#, fuzzy
++#| msgid ""
++#| "Specify the SASL authorization id to use.  When GSSAPI is used, this "
++#| "represents the Kerberos principal used for authentication to the "
++#| "directory.  This option can either contain the full principal (for "
++#| "example host/myhost@EXAMPLE.COM) or just the principal name (for example "
++#| "host/myhost). By default, the value is not set and the following "
++#| "principals are used: <placeholder type=\"programlisting\" id=\"0\"/> If "
++#| "none of them are found, the first principal in keytab is returned."
++msgid ""
++"Specify the SASL authorization id to use.  When GSSAPI/GSS-SPNEGO are used, "
++"this represents the Kerberos principal used for authentication to the "
++"directory.  This option can either contain the full principal (for example "
++"host/myhost@EXAMPLE.COM) or just the principal name (for example host/"
++"myhost).  By default, the value is not set and the following principals are "
++"used: <placeholder type=\"programlisting\" id=\"0\"/> If none of them are "
++"found, the first principal in keytab is returned."
+ msgstr ""
+ "Визначає ідентифікатор уповноваження SASL, яким слід скористатися. Якщо "
+ "використовується GSSAPI, цим ідентифікатором є реєстраційні дані Kerberos, "
+@@ -7272,17 +7469,17 @@ msgstr ""
+ "знайдено, буде повернуто перший реєстраційний запис у таблиці ключів."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1833
++#: sssd-ldap.5.xml:1851
+ msgid "Default: host/hostname@REALM"
+ msgstr "Типове значення: вузол/назва_вузла@ОБЛАСТЬ"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1839
++#: sssd-ldap.5.xml:1857
+ msgid "ldap_sasl_realm (string)"
+ msgstr "ldap_sasl_realm (рядок)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1842
++#: sssd-ldap.5.xml:1860
+ msgid ""
+ "Specify the SASL realm to use. When not specified, this option defaults to "
+ "the value of krb5_realm.  If the ldap_sasl_authid contains the realm as "
+@@ -7294,17 +7491,17 @@ msgstr ""
+ "проігноровано."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1848
++#: sssd-ldap.5.xml:1866
+ msgid "Default: the value of krb5_realm."
+ msgstr "Типове значення: значення krb5_realm."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1854
++#: sssd-ldap.5.xml:1872
+ msgid "ldap_sasl_canonicalize (boolean)"
+ msgstr "ldap_sasl_canonicalize (булеве значення)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1857
++#: sssd-ldap.5.xml:1875
+ msgid ""
+ "If set to true, the LDAP library would perform a reverse lookup to "
+ "canonicalize the host name during a SASL bind."
+@@ -7314,65 +7511,75 @@ msgstr ""
+ "SASL."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1862
++#: sssd-ldap.5.xml:1880
+ msgid "Default: false;"
+ msgstr "Типове значення: false;"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1868
++#: sssd-ldap.5.xml:1886
+ msgid "ldap_krb5_keytab (string)"
+ msgstr "ldap_krb5_keytab (рядок)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1871
+-msgid "Specify the keytab to use when using SASL/GSSAPI."
++#: sssd-ldap.5.xml:1889
++#, fuzzy
++#| msgid "Specify the keytab to use when using SASL/GSSAPI."
++msgid "Specify the keytab to use when using SASL/GSSAPI/GSS-SPNEGO."
+ msgstr "Визначає таблицю ключів, яку слід використовувати разом з SASL/GSSAPI."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1874
++#: sssd-ldap.5.xml:1893
+ msgid "Default: System keytab, normally <filename>/etc/krb5.keytab</filename>"
+ msgstr ""
+ "Типове значення: системна таблиця ключів, зазвичай <filename>/etc/krb5."
+ "keytab</filename>"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1880
++#: sssd-ldap.5.xml:1899
+ msgid "ldap_krb5_init_creds (boolean)"
+ msgstr "ldap_krb5_init_creds (булеве значення)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1883
++#: sssd-ldap.5.xml:1902
++#, fuzzy
++#| msgid ""
++#| "Specifies that the id_provider should init Kerberos credentials (TGT).  "
++#| "This action is performed only if SASL is used and the mechanism selected "
++#| "is GSSAPI."
+ msgid ""
+ "Specifies that the id_provider should init Kerberos credentials (TGT).  This "
+ "action is performed only if SASL is used and the mechanism selected is "
+-"GSSAPI."
++"GSSAPI or GSS-SPNEGO."
+ msgstr ""
+ "Визначає, що id_provider має ініціалізувати реєстраційні дані Kerberos "
+ "(TGT). Цю дію буде виконано, лише якщо використовується SASL і вибрано "
+ "механізм GSSAPI."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1895
++#: sssd-ldap.5.xml:1914
+ msgid "ldap_krb5_ticket_lifetime (integer)"
+ msgstr "ldap_krb5_ticket_lifetime (ціле число)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1898
+-msgid "Specifies the lifetime in seconds of the TGT if GSSAPI is used."
++#: sssd-ldap.5.xml:1917
++#, fuzzy
++#| msgid "Specifies the lifetime in seconds of the TGT if GSSAPI is used."
++msgid ""
++"Specifies the lifetime in seconds of the TGT if GSSAPI or GSS-SPNEGO is used."
+ msgstr "Визначає строк дії (у секундах) TGT, якщо використовується GSSAPI."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1902 sssd-ad.5.xml:959
++#: sssd-ldap.5.xml:1921 sssd-ad.5.xml:978
+ msgid "Default: 86400 (24 hours)"
+ msgstr "Типове значення: 86400 (24 години)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1908 sssd-krb5.5.xml:74
++#: sssd-ldap.5.xml:1927 sssd-krb5.5.xml:74
+ msgid "krb5_server, krb5_backup_server (string)"
+ msgstr "krb5_server, krb5_backup_server (рядок)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1911
++#: sssd-ldap.5.xml:1930
+ msgid ""
+ "Specifies the comma-separated list of IP addresses or hostnames of the "
+ "Kerberos servers to which SSSD should connect in the order of preference. "
+@@ -7391,7 +7598,7 @@ msgstr ""
+ "про виявлення служб можна дізнатися з розділу «ПОШУК СЛУЖБ»."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1923 sssd-krb5.5.xml:89
++#: sssd-ldap.5.xml:1942 sssd-krb5.5.xml:89
+ msgid ""
+ "When using service discovery for KDC or kpasswd servers, SSSD first searches "
+ "for DNS entries that specify _udp as the protocol and falls back to _tcp if "
+@@ -7403,7 +7610,7 @@ msgstr ""
+ "вдасться знайти."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1928 sssd-krb5.5.xml:94
++#: sssd-ldap.5.xml:1947 sssd-krb5.5.xml:94
+ msgid ""
+ "This option was named <quote>krb5_kdcip</quote> in earlier releases of SSSD. "
+ "While the legacy name is recognized for the time being, users are advised to "
+@@ -7414,29 +7621,31 @@ msgstr ""
+ "варто перейти на використання «krb5_server» у файлах налаштувань."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1937 sssd-ipa.5.xml:428 sssd-krb5.5.xml:103
++#: sssd-ldap.5.xml:1956 sssd-ipa.5.xml:428 sssd-krb5.5.xml:103
+ msgid "krb5_realm (string)"
+ msgstr "krb5_realm (рядок)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1940
+-msgid "Specify the Kerberos REALM (for SASL/GSSAPI auth)."
++#: sssd-ldap.5.xml:1959
++#, fuzzy
++#| msgid "Specify the Kerberos REALM (for SASL/GSSAPI auth)."
++msgid "Specify the Kerberos REALM (for SASL/GSSAPI/GSS-SPNEGO auth)."
+ msgstr "Вказати область Kerberos (для розпізнавання за SASL/GSSAPI)."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1943
++#: sssd-ldap.5.xml:1963
+ msgid "Default: System defaults, see <filename>/etc/krb5.conf</filename>"
+ msgstr ""
+ "Типове значення: типове значення системи, див. <filename>/etc/krb5.conf</"
+ "filename>"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1949 sssd-krb5.5.xml:462
++#: sssd-ldap.5.xml:1969 sssd-krb5.5.xml:462
+ msgid "krb5_canonicalize (boolean)"
+ msgstr "krb5_canonicalize (булеве значення)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1952
++#: sssd-ldap.5.xml:1972
+ msgid ""
+ "Specifies if the host principal should be canonicalized when connecting to "
+ "LDAP server. This feature is available with MIT Kerberos >= 1.7"
+@@ -7446,12 +7655,12 @@ msgstr ""
+ "версії MIT Kerberos >= 1.7"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1964 sssd-krb5.5.xml:477
++#: sssd-ldap.5.xml:1984 sssd-krb5.5.xml:477
+ msgid "krb5_use_kdcinfo (boolean)"
+ msgstr "krb5_use_kdcinfo (булеве значення)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1967 sssd-krb5.5.xml:480
++#: sssd-ldap.5.xml:1987 sssd-krb5.5.xml:480
+ msgid ""
+ "Specifies if the SSSD should instruct the Kerberos libraries what realm and "
+ "which KDCs to use. This option is on by default, if you disable it, you need "
+@@ -7466,7 +7675,7 @@ msgstr ""
+ "<manvolnum>5</manvolnum> </citerefentry>."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1978 sssd-krb5.5.xml:491
++#: sssd-ldap.5.xml:1998 sssd-krb5.5.xml:491
+ msgid ""
+ "See the <citerefentry> <refentrytitle>sssd_krb5_locator_plugin</"
+ "refentrytitle> <manvolnum>8</manvolnum> </citerefentry> manual page for more "
+@@ -7477,12 +7686,12 @@ msgstr ""
+ "manvolnum> </citerefentry>, щоб дізнатися більше про додаток пошуку."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1992
++#: sssd-ldap.5.xml:2012
+ msgid "ldap_pwd_policy (string)"
+ msgstr "ldap_pwd_policy (рядок)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1995
++#: sssd-ldap.5.xml:2015
+ msgid ""
+ "Select the policy to evaluate the password expiration on the client side. "
+ "The following values are allowed:"
+@@ -7491,7 +7700,7 @@ msgstr ""
+ "використовувати такі значення:"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2000
++#: sssd-ldap.5.xml:2020
+ msgid ""
+ "<emphasis>none</emphasis> - No evaluation on the client side. This option "
+ "cannot disable server-side password policies."
+@@ -7500,7 +7709,7 @@ msgstr ""
+ "разі використання цього варіанта перевірку на боці сервера вимкнено не буде."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2005
++#: sssd-ldap.5.xml:2025
+ msgid ""
+ "<emphasis>shadow</emphasis> - Use <citerefentry><refentrytitle>shadow</"
+ "refentrytitle> <manvolnum>5</manvolnum></citerefentry> style attributes to "
+@@ -7511,7 +7720,7 @@ msgstr ""
+ "manvolnum></citerefentry> для визначення того, чи чинним є пароль."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2011
++#: sssd-ldap.5.xml:2031
+ msgid ""
+ "<emphasis>mit_kerberos</emphasis> - Use the attributes used by MIT Kerberos "
+ "to determine if the password has expired. Use chpass_provider=krb5 to update "
+@@ -7522,7 +7731,7 @@ msgstr ""
+ "скористайтеся chpass_provider=krb5 для оновлення цих атрибутів."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2020
++#: sssd-ldap.5.xml:2040
+ msgid ""
+ "<emphasis>Note</emphasis>: if a password policy is configured on server "
+ "side, it always takes precedence over policy set with this option."
+@@ -7532,18 +7741,18 @@ msgstr ""
+ "встановленими за допомогою цього параметра."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2028
++#: sssd-ldap.5.xml:2048
+ msgid "ldap_referrals (boolean)"
+ msgstr "ldap_referrals (булеве значення)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2031
++#: sssd-ldap.5.xml:2051
+ msgid "Specifies whether automatic referral chasing should be enabled."
+ msgstr ""
+ "Визначає, чи має бути увімкнено автоматичне визначення напрямків пошуку."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2035
++#: sssd-ldap.5.xml:2055
+ msgid ""
+ "Please note that sssd only supports referral chasing when it is compiled "
+ "with OpenLDAP version 2.4.13 or higher."
+@@ -7552,7 +7761,7 @@ msgstr ""
+ "з версією OpenLDAP 2.4.13 або новішою версією."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2040
++#: sssd-ldap.5.xml:2060
+ msgid ""
+ "Chasing referrals may incur a performance penalty in environments that use "
+ "them heavily, a notable example is Microsoft Active Directory. If your setup "
+@@ -7566,28 +7775,28 @@ msgstr ""
+ "«false» може значно пришвидшити роботу."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2054
++#: sssd-ldap.5.xml:2074
+ msgid "ldap_dns_service_name (string)"
+ msgstr "ldap_dns_service_name (рядок)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2057
++#: sssd-ldap.5.xml:2077
+ msgid "Specifies the service name to use when service discovery is enabled."
+ msgstr ""
+ "Визначає назву служби, яку буде використано у разі вмикання визначення служб."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2061
++#: sssd-ldap.5.xml:2081
+ msgid "Default: ldap"
+ msgstr "Типове значення: ldap"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2067
++#: sssd-ldap.5.xml:2087
+ msgid "ldap_chpass_dns_service_name (string)"
+ msgstr "ldap_chpass_dns_service_name (рядок)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2070
++#: sssd-ldap.5.xml:2090
+ msgid ""
+ "Specifies the service name to use to find an LDAP server which allows "
+ "password changes when service discovery is enabled."
+@@ -7596,17 +7805,17 @@ msgstr ""
+ "уможливлює зміну паролів, у разі вмикання визначення служб."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2075
++#: sssd-ldap.5.xml:2095
+ msgid "Default: not set, i.e. service discovery is disabled"
+ msgstr "Типове значення: не встановлено, тобто пошук служб вимкнено"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2081
++#: sssd-ldap.5.xml:2101
+ msgid "ldap_chpass_update_last_change (bool)"
+ msgstr "ldap_chpass_update_last_change (булеве значення)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2084
++#: sssd-ldap.5.xml:2104
+ msgid ""
+ "Specifies whether to update the ldap_user_shadow_last_change attribute with "
+ "days since the Epoch after a password change operation."
+@@ -7615,12 +7824,12 @@ msgstr ""
+ "щодо кількості днів з часу виконання дії зі зміни пароля."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2096
++#: sssd-ldap.5.xml:2116
+ msgid "ldap_access_filter (string)"
+ msgstr "ldap_access_filter (рядок)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2099
++#: sssd-ldap.5.xml:2119
+ msgid ""
+ "If using access_provider = ldap and ldap_access_order = filter (default), "
+ "this option is mandatory. It specifies an LDAP search filter criteria that "
+@@ -7649,12 +7858,12 @@ msgstr ""
+ "refentrytitle><manvolnum>5</manvolnum> </citerefentry>."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2119
++#: sssd-ldap.5.xml:2139
+ msgid "Example:"
+ msgstr "Приклад:"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><programlisting>
+-#: sssd-ldap.5.xml:2122
++#: sssd-ldap.5.xml:2142
+ #, no-wrap
+ msgid ""
+ "access_provider = ldap\n"
+@@ -7666,7 +7875,7 @@ msgstr ""
+ "                        "
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2126
++#: sssd-ldap.5.xml:2146
+ msgid ""
+ "This example means that access to this host is restricted to users whose "
+ "employeeType attribute is set to \"admin\"."
+@@ -7675,7 +7884,7 @@ msgstr ""
+ "employeeType встановлено у значення «admin»."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2131
++#: sssd-ldap.5.xml:2151
+ msgid ""
+ "Offline caching for this feature is limited to determining whether the "
+ "user's last online login was granted access permission. If they were granted "
+@@ -7689,17 +7898,17 @@ msgstr ""
+ "таких прав не було надано, у автономному режимі їх також не буде надано."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2139 sssd-ldap.5.xml:2196
++#: sssd-ldap.5.xml:2159 sssd-ldap.5.xml:2216
+ msgid "Default: Empty"
+ msgstr "Типове значення: порожній рядок"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2145
++#: sssd-ldap.5.xml:2165
+ msgid "ldap_account_expire_policy (string)"
+ msgstr "ldap_account_expire_policy (рядок)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2148
++#: sssd-ldap.5.xml:2168
+ msgid ""
+ "With this option a client side evaluation of access control attributes can "
+ "be enabled."
+@@ -7708,7 +7917,7 @@ msgstr ""
+ "керування доступом на боці клієнта."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2152
++#: sssd-ldap.5.xml:2172
+ msgid ""
+ "Please note that it is always recommended to use server side access control, "
+ "i.e. the LDAP server should deny the bind request with a suitable error code "
+@@ -7719,12 +7928,12 @@ msgstr ""
+ "з відповідним кодом помилки, навіть якщо вказано правильний пароль."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2159
++#: sssd-ldap.5.xml:2179
+ msgid "The following values are allowed:"
+ msgstr "Можна використовувати такі значення:"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2162
++#: sssd-ldap.5.xml:2182
+ msgid ""
+ "<emphasis>shadow</emphasis>: use the value of ldap_user_shadow_expire to "
+ "determine if the account is expired."
+@@ -7733,7 +7942,7 @@ msgstr ""
+ "визначити, чи завершено строк дії облікового запису."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2167
++#: sssd-ldap.5.xml:2187
+ msgid ""
+ "<emphasis>ad</emphasis>: use the value of the 32bit field "
+ "ldap_user_ad_user_account_control and allow access if the second bit is not "
+@@ -7746,7 +7955,7 @@ msgstr ""
+ "Також буде перевірено, чи не вичерпано строк дії облікового запису."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2174
++#: sssd-ldap.5.xml:2194
+ msgid ""
+ "<emphasis>rhds</emphasis>, <emphasis>ipa</emphasis>, <emphasis>389ds</"
+ "emphasis>: use the value of ldap_ns_account_lock to check if access is "
+@@ -7757,7 +7966,7 @@ msgstr ""
+ "ldap_ns_account_lock."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2180
++#: sssd-ldap.5.xml:2200
+ msgid ""
+ "<emphasis>nds</emphasis>: the values of "
+ "ldap_user_nds_login_allowed_time_map, ldap_user_nds_login_disabled and "
+@@ -7770,7 +7979,7 @@ msgstr ""
+ "атрибутів, надати доступ."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2189
++#: sssd-ldap.5.xml:2209
+ msgid ""
+ "Please note that the ldap_access_order configuration option <emphasis>must</"
+ "emphasis> include <quote>expire</quote> in order for the "
+@@ -7781,24 +7990,24 @@ msgstr ""
+ "користуватися параметром ldap_account_expire_policy."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2202
++#: sssd-ldap.5.xml:2222
+ msgid "ldap_access_order (string)"
+ msgstr "ldap_access_order (рядок)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2205
++#: sssd-ldap.5.xml:2225
+ msgid "Comma separated list of access control options.  Allowed values are:"
+ msgstr ""
+ "Список відокремлених комами параметрів керування доступом. Можливі значення "
+ "списку:"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2209
++#: sssd-ldap.5.xml:2229
+ msgid "<emphasis>filter</emphasis>: use ldap_access_filter"
+ msgstr "<emphasis>filter</emphasis>: використовувати ldap_access_filter"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2212
++#: sssd-ldap.5.xml:2232
+ msgid ""
+ "<emphasis>lockout</emphasis>: use account locking.  If set, this option "
+ "denies access in case that ldap attribute 'pwdAccountLockedTime' is present "
+@@ -7813,7 +8022,7 @@ msgstr ""
+ "для працездатності цієї можливості слід встановити «access_provider = ldap»."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2222
++#: sssd-ldap.5.xml:2242
+ msgid ""
+ "<emphasis> Please note that this option is superseded by the <quote>ppolicy</"
+ "quote> option and might be removed in a future release.  </emphasis>"
+@@ -7823,7 +8032,7 @@ msgstr ""
+ "emphasis>"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2229
++#: sssd-ldap.5.xml:2249
+ msgid ""
+ "<emphasis>ppolicy</emphasis>: use account locking.  If set, this option "
+ "denies access in case that ldap attribute 'pwdAccountLockedTime' is present "
+@@ -7846,13 +8055,13 @@ msgstr ""
+ "параметра слід встановити значення «access_provider = ldap»."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2246
++#: sssd-ldap.5.xml:2266
+ msgid "<emphasis>expire</emphasis>: use ldap_account_expire_policy"
+ msgstr ""
+ "<emphasis>expire</emphasis>: використовувати ldap_account_expire_policy"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2250
++#: sssd-ldap.5.xml:2270
+ msgid ""
+ "<emphasis>pwd_expire_policy_reject, pwd_expire_policy_warn, "
+ "pwd_expire_policy_renew: </emphasis> These options are useful if users are "
+@@ -7867,7 +8076,7 @@ msgstr ""
+ "наприклад на ключах SSH."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2260
++#: sssd-ldap.5.xml:2280
+ msgid ""
+ "The difference between these options is the action taken if user password is "
+ "expired: pwd_expire_policy_reject - user is denied to log in, "
+@@ -7882,7 +8091,7 @@ msgstr ""
+ "негайно змінити пароль."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2268
++#: sssd-ldap.5.xml:2288
+ msgid ""
+ "Note If user password is expired no explicit message is prompted by SSSD."
+ msgstr ""
+@@ -7890,7 +8099,7 @@ msgstr ""
+ "від SSSD не надходитиме."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2272
++#: sssd-ldap.5.xml:2292
+ msgid ""
+ "Please note that 'access_provider = ldap' must be set for this feature to "
+ "work. Also 'ldap_pwd_policy' must be set to an appropriate password policy."
+@@ -7900,7 +8109,7 @@ msgstr ""
+ "параметра «ldap_pwd_policy» відповідні правила поводження із паролями."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2277
++#: sssd-ldap.5.xml:2297
+ msgid ""
+ "<emphasis>authorized_service</emphasis>: use the authorizedService attribute "
+ "to determine access"
+@@ -7909,14 +8118,14 @@ msgstr ""
+ "можливості доступу атрибут authorizedService"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2282
++#: sssd-ldap.5.xml:2302
+ msgid "<emphasis>host</emphasis>: use the host attribute to determine access"
+ msgstr ""
+ "<emphasis>host</emphasis>: за допомогою цього атрибута вузла можна визначити "
+ "права доступу"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2286
++#: sssd-ldap.5.xml:2306
+ msgid ""
+ "<emphasis>rhost</emphasis>: use the rhost attribute to determine whether "
+ "remote host can access"
+@@ -7925,7 +8134,7 @@ msgstr ""
+ "того, чи матиме віддалений вузол доступ"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2290
++#: sssd-ldap.5.xml:2310
+ msgid ""
+ "Please note, rhost field in pam is set by application, it is better to check "
+ "what the application sends to pam, before enabling this access control option"
+@@ -7935,12 +8144,12 @@ msgstr ""
+ "керування доступом."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2295
++#: sssd-ldap.5.xml:2315
+ msgid "Default: filter"
+ msgstr "Типове значення: filter"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2298
++#: sssd-ldap.5.xml:2318
+ msgid ""
+ "Please note that it is a configuration error if a value is used more than "
+ "once."
+@@ -7949,12 +8158,12 @@ msgstr ""
+ "використано декілька разів."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2305
++#: sssd-ldap.5.xml:2325
+ msgid "ldap_pwdlockout_dn (string)"
+ msgstr "ldap_pwdlockout_dn (рядок)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2308
++#: sssd-ldap.5.xml:2328
+ msgid ""
+ "This option specifies the DN of password policy entry on LDAP server. Please "
+ "note that absence of this option in sssd.conf in case of enabled account "
+@@ -7968,22 +8177,22 @@ msgstr ""
+ "можна буде перевірити належним чином."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2316
++#: sssd-ldap.5.xml:2336
+ msgid "Example: cn=ppolicy,ou=policies,dc=example,dc=com"
+ msgstr "Приклад: cn=ppolicy,ou=policies,dc=example,dc=com"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2319
++#: sssd-ldap.5.xml:2339
+ msgid "Default: cn=ppolicy,ou=policies,$ldap_search_base"
+ msgstr "Типове значення: cn=ppolicy,ou=policies,$ldap_search_base"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2325
++#: sssd-ldap.5.xml:2345
+ msgid "ldap_deref (string)"
+ msgstr "ldap_deref (рядок)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2328
++#: sssd-ldap.5.xml:2348
+ msgid ""
+ "Specifies how alias dereferencing is done when performing a search. The "
+ "following options are allowed:"
+@@ -7992,13 +8201,13 @@ msgstr ""
+ "пошуку. Можливі такі варіанти:"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2333
++#: sssd-ldap.5.xml:2353
+ msgid "<emphasis>never</emphasis>: Aliases are never dereferenced."
+ msgstr ""
+ "<emphasis>never</emphasis>: ніколи не виконувати розіменування псевдонімів."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2337
++#: sssd-ldap.5.xml:2357
+ msgid ""
+ "<emphasis>searching</emphasis>: Aliases are dereferenced in subordinates of "
+ "the base object, but not in locating the base object of the search."
+@@ -8008,7 +8217,7 @@ msgstr ""
+ "пошуку."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2342
++#: sssd-ldap.5.xml:2362
+ msgid ""
+ "<emphasis>finding</emphasis>: Aliases are only dereferenced when locating "
+ "the base object of the search."
+@@ -8017,7 +8226,7 @@ msgstr ""
+ "під час визначення місця основного об’єкта пошуку."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2347
++#: sssd-ldap.5.xml:2367
+ msgid ""
+ "<emphasis>always</emphasis>: Aliases are dereferenced both in searching and "
+ "in locating the base object of the search."
+@@ -8026,7 +8235,7 @@ msgstr ""
+ "час пошуку, так і під час визначення місця основного об’єкта пошуку."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2352
++#: sssd-ldap.5.xml:2372
+ msgid ""
+ "Default: Empty (this is handled as <emphasis>never</emphasis> by the LDAP "
+ "client libraries)"
+@@ -8035,12 +8244,12 @@ msgstr ""
+ "сценарієм <emphasis>never</emphasis>)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2360
++#: sssd-ldap.5.xml:2380
+ msgid "ldap_rfc2307_fallback_to_local_users (boolean)"
+ msgstr "ldap_rfc2307_fallback_to_local_users (булеве значення)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2363
++#: sssd-ldap.5.xml:2383
+ msgid ""
+ "Allows to retain local users as members of an LDAP group for servers that "
+ "use the RFC2307 schema."
+@@ -8049,7 +8258,7 @@ msgstr ""
+ "серверів, у яких використовується схема RFC2307."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2367
++#: sssd-ldap.5.xml:2387
+ msgid ""
+ "In some environments where the RFC2307 schema is used, local users are made "
+ "members of LDAP groups by adding their names to the memberUid attribute.  "
+@@ -8067,7 +8276,7 @@ msgstr ""
+ "користувачів за допомогою виклику getpw*() або initgroups()."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2378
++#: sssd-ldap.5.xml:2398
+ msgid ""
+ "This option falls back to checking if local users are referenced, and caches "
+ "them so that later initgroups() calls will augment the local users with the "
+@@ -8079,12 +8288,12 @@ msgstr ""
+ "групами LDAP."
+ 
+ #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2390 sssd-ifp.5.xml:136
++#: sssd-ldap.5.xml:2410 sssd-ifp.5.xml:136
+ msgid "wildcard_limit (integer)"
+ msgstr "wildcard_limit (ціле число)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2393
++#: sssd-ldap.5.xml:2413
+ msgid ""
+ "Specifies an upper limit on the number of entries that are downloaded during "
+ "a wildcard lookup."
+@@ -8093,14 +8302,14 @@ msgstr ""
+ "пошуку з використанням символів-замінників."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2397
++#: sssd-ldap.5.xml:2417
+ msgid "At the moment, only the InfoPipe responder supports wildcard lookups."
+ msgstr ""
+ "У поточній версії пошук із використанням символів-замінників передбачено "
+ "лише для відповідача InfoPipe."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2401
++#: sssd-ldap.5.xml:2421
+ msgid "Default: 1000 (often the size of one page)"
+ msgstr "Типове значення: 1000 (часто розмір однієї сторінки)"
+ 
+@@ -8120,12 +8329,12 @@ msgstr ""
+ "<placeholder type=\"variablelist\" id=\"0\"/>"
+ 
+ #. type: Content of: <reference><refentry><refsect1><title>
+-#: sssd-ldap.5.xml:2411
++#: sssd-ldap.5.xml:2431
+ msgid "SUDO OPTIONS"
+ msgstr "ПАРАМЕТРИ SUDO"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd-ldap.5.xml:2413
++#: sssd-ldap.5.xml:2433
+ msgid ""
+ "The detailed instructions for configuration of sudo_provider are in the "
+ "manual page <citerefentry> <refentrytitle>sssd-sudo</refentrytitle> "
+@@ -8136,52 +8345,52 @@ msgstr ""
+ "<manvolnum>5</manvolnum> </citerefentry>."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2424
++#: sssd-ldap.5.xml:2444
+ msgid "ldap_sudorule_object_class (string)"
+ msgstr "ldap_sudorule_object_class (рядок)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2427
++#: sssd-ldap.5.xml:2447
+ msgid "The object class of a sudo rule entry in LDAP."
+ msgstr "Клас об’єктів запису правила sudo у LDAP."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2430
++#: sssd-ldap.5.xml:2450
+ msgid "Default: sudoRole"
+ msgstr "Типове значення: sudoRole"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2436
++#: sssd-ldap.5.xml:2456
+ msgid "ldap_sudorule_name (string)"
+ msgstr "ldap_sudorule_name (рядок)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2439
++#: sssd-ldap.5.xml:2459
+ msgid "The LDAP attribute that corresponds to the sudo rule name."
+ msgstr "Атрибут LDAP, що відповідає назві правила sudo."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2449
++#: sssd-ldap.5.xml:2469
+ msgid "ldap_sudorule_command (string)"
+ msgstr "ldap_sudorule_command (рядок)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2452
++#: sssd-ldap.5.xml:2472
+ msgid "The LDAP attribute that corresponds to the command name."
+ msgstr "Атрибут LDAP, що відповідає назві команди."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2456
++#: sssd-ldap.5.xml:2476
+ msgid "Default: sudoCommand"
+ msgstr "Типове значення: sudoCommand"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2462
++#: sssd-ldap.5.xml:2482
+ msgid "ldap_sudorule_host (string)"
+ msgstr "ldap_sudorule_host (рядок)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2465
++#: sssd-ldap.5.xml:2485
+ msgid ""
+ "The LDAP attribute that corresponds to the host name (or host IP address, "
+ "host IP network, or host netgroup)"
+@@ -8190,17 +8399,17 @@ msgstr ""
+ "вузла, мережевій групі вузла)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2470
++#: sssd-ldap.5.xml:2490
+ msgid "Default: sudoHost"
+ msgstr "Типове значення: sudoHost"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2476
++#: sssd-ldap.5.xml:2496
+ msgid "ldap_sudorule_user (string)"
+ msgstr "ldap_sudorule_user (рядок)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2479
++#: sssd-ldap.5.xml:2499
+ msgid ""
+ "The LDAP attribute that corresponds to the user name (or UID, group name or "
+ "user's netgroup)"
+@@ -8209,32 +8418,32 @@ msgstr ""
+ "або назві мережевої групи користувача)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2483
++#: sssd-ldap.5.xml:2503
+ msgid "Default: sudoUser"
+ msgstr "Типове значення: sudoUser"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2489
++#: sssd-ldap.5.xml:2509
+ msgid "ldap_sudorule_option (string)"
+ msgstr "ldap_sudorule_option (рядок)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2492
++#: sssd-ldap.5.xml:2512
+ msgid "The LDAP attribute that corresponds to the sudo options."
+ msgstr "Атрибут LDAP, що відповідає параметрам sudo."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2496
++#: sssd-ldap.5.xml:2516
+ msgid "Default: sudoOption"
+ msgstr "Типове значення: sudoOption"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2502
++#: sssd-ldap.5.xml:2522
+ msgid "ldap_sudorule_runasuser (string)"
+ msgstr "ldap_sudorule_runasuser (рядок)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2505
++#: sssd-ldap.5.xml:2525
+ msgid ""
+ "The LDAP attribute that corresponds to the user name that commands may be "
+ "run as."
+@@ -8243,17 +8452,17 @@ msgstr ""
+ "команди."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2509
++#: sssd-ldap.5.xml:2529
+ msgid "Default: sudoRunAsUser"
+ msgstr "Типове значення: sudoRunAsUser"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2515
++#: sssd-ldap.5.xml:2535
+ msgid "ldap_sudorule_runasgroup (string)"
+ msgstr "ldap_sudorule_runasgroup (рядок)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2518
++#: sssd-ldap.5.xml:2538
+ msgid ""
+ "The LDAP attribute that corresponds to the group name or group GID that "
+ "commands may be run as."
+@@ -8262,17 +8471,17 @@ msgstr ""
+ "виконувати команди."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2522
++#: sssd-ldap.5.xml:2542
+ msgid "Default: sudoRunAsGroup"
+ msgstr "Типове значення: sudoRunAsGroup"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2528
++#: sssd-ldap.5.xml:2548
+ msgid "ldap_sudorule_notbefore (string)"
+ msgstr "ldap_sudorule_notbefore (рядок)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2531
++#: sssd-ldap.5.xml:2551
+ msgid ""
+ "The LDAP attribute that corresponds to the start date/time for when the sudo "
+ "rule is valid."
+@@ -8280,49 +8489,49 @@ msgstr ""
+ "Атрибут LDAP, що відповідає даті і часу набуття чинності правилом sudo."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2535
++#: sssd-ldap.5.xml:2555
+ msgid "Default: sudoNotBefore"
+ msgstr "Типове значення: sudoNotBefore"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2541
++#: sssd-ldap.5.xml:2561
+ msgid "ldap_sudorule_notafter (string)"
+ msgstr "ldap_sudorule_notafter (рядок)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2544
++#: sssd-ldap.5.xml:2564
+ msgid ""
+ "The LDAP attribute that corresponds to the expiration date/time, after which "
+ "the sudo rule will no longer be valid."
+ msgstr "Атрибут LDAP, що відповідає даті і часу втрати чинності правилом sudo."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2549
++#: sssd-ldap.5.xml:2569
+ msgid "Default: sudoNotAfter"
+ msgstr "Типове значення: sudoNotAfter"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2555
++#: sssd-ldap.5.xml:2575
+ msgid "ldap_sudorule_order (string)"
+ msgstr "ldap_sudorule_order (рядок)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2558
++#: sssd-ldap.5.xml:2578
+ msgid "The LDAP attribute that corresponds to the ordering index of the rule."
+ msgstr "Атрибут LDAP, що відповідає порядковому номеру правила."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2562
++#: sssd-ldap.5.xml:2582
+ msgid "Default: sudoOrder"
+ msgstr "Типове значення: sudoOrder"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2568
++#: sssd-ldap.5.xml:2588
+ msgid "ldap_sudo_full_refresh_interval (integer)"
+ msgstr "ldap_sudo_full_refresh_interval (ціле число)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2571
++#: sssd-ldap.5.xml:2591
+ msgid ""
+ "How many seconds SSSD will wait between executing a full refresh of sudo "
+ "rules (which downloads all rules that are stored on the server)."
+@@ -8332,7 +8541,7 @@ msgstr ""
+ "набір правил, що зберігаються на сервері."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2576
++#: sssd-ldap.5.xml:2596
+ msgid ""
+ "The value must be greater than <emphasis>ldap_sudo_smart_refresh_interval </"
+ "emphasis>"
+@@ -8341,17 +8550,17 @@ msgstr ""
+ "<emphasis>ldap_sudo_smart_refresh_interval </emphasis>"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2581
++#: sssd-ldap.5.xml:2601
+ msgid "Default: 21600 (6 hours)"
+ msgstr "Типове значення: 21600 (6 годин)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2587
++#: sssd-ldap.5.xml:2607
+ msgid "ldap_sudo_smart_refresh_interval (integer)"
+ msgstr "ldap_sudo_smart_refresh_interval (ціле число)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2590
++#: sssd-ldap.5.xml:2610
+ msgid ""
+ "How many seconds SSSD has to wait before executing a smart refresh of sudo "
+ "rules (which downloads all rules that have USN higher than the highest USN "
+@@ -8362,7 +8571,7 @@ msgstr ""
+ "правил, USN яких перевищує найбільше значення USN у кешованих правилах."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2596
++#: sssd-ldap.5.xml:2616
+ msgid ""
+ "If USN attributes are not supported by the server, the modifyTimestamp "
+ "attribute is used instead."
+@@ -8371,12 +8580,12 @@ msgstr ""
+ "дані атрибута modifyTimestamp."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2606
++#: sssd-ldap.5.xml:2626
+ msgid "ldap_sudo_use_host_filter (boolean)"
+ msgstr "ldap_sudo_use_host_filter (булеве значення)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2609
++#: sssd-ldap.5.xml:2629
+ msgid ""
+ "If true, SSSD will download only rules that are applicable to this machine "
+ "(using the IPv4 or IPv6 host/network addresses and hostnames)."
+@@ -8386,12 +8595,12 @@ msgstr ""
+ "назв вузлів)."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2620
++#: sssd-ldap.5.xml:2640
+ msgid "ldap_sudo_hostnames (string)"
+ msgstr "ldap_sudo_hostnames (рядок)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2623
++#: sssd-ldap.5.xml:2643
+ msgid ""
+ "Space separated list of hostnames or fully qualified domain names that "
+ "should be used to filter the rules."
+@@ -8400,7 +8609,7 @@ msgstr ""
+ "фільтрування списку правил."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2628
++#: sssd-ldap.5.xml:2648
+ msgid ""
+ "If this option is empty, SSSD will try to discover the hostname and the "
+ "fully qualified domain name automatically."
+@@ -8409,8 +8618,8 @@ msgstr ""
+ "назву вузла та повну назву комп’ютера у домені у автоматичному режимі."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2633 sssd-ldap.5.xml:2656 sssd-ldap.5.xml:2674
+-#: sssd-ldap.5.xml:2692
++#: sssd-ldap.5.xml:2653 sssd-ldap.5.xml:2676 sssd-ldap.5.xml:2694
++#: sssd-ldap.5.xml:2712
+ msgid ""
+ "If <emphasis>ldap_sudo_use_host_filter</emphasis> is <emphasis>false</"
+ "emphasis> then this option has no effect."
+@@ -8419,17 +8628,17 @@ msgstr ""
+ "<emphasis>false</emphasis>, цей параметр ні на що не впливатиме."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2638 sssd-ldap.5.xml:2661
++#: sssd-ldap.5.xml:2658 sssd-ldap.5.xml:2681
+ msgid "Default: not specified"
+ msgstr "Типове значення: не вказано"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2644
++#: sssd-ldap.5.xml:2664
+ msgid "ldap_sudo_ip (string)"
+ msgstr "ldap_sudo_ip (рядок)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2647
++#: sssd-ldap.5.xml:2667
+ msgid ""
+ "Space separated list of IPv4 or IPv6 host/network addresses that should be "
+ "used to filter the rules."
+@@ -8438,7 +8647,7 @@ msgstr ""
+ "правил."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2652
++#: sssd-ldap.5.xml:2672
+ msgid ""
+ "If this option is empty, SSSD will try to discover the addresses "
+ "automatically."
+@@ -8447,12 +8656,12 @@ msgstr ""
+ "адресу у автоматичному режимі."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2667
++#: sssd-ldap.5.xml:2687
+ msgid "ldap_sudo_include_netgroups (boolean)"
+ msgstr "ldap_sudo_include_netgroups (булеве значення)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2670
++#: sssd-ldap.5.xml:2690
+ msgid ""
+ "If true then SSSD will download every rule that contains a netgroup in "
+ "sudoHost attribute."
+@@ -8461,12 +8670,12 @@ msgstr ""
+ "мережеву групу (netgroup) у атрибуті sudoHost."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2685
++#: sssd-ldap.5.xml:2705
+ msgid "ldap_sudo_include_regexp (boolean)"
+ msgstr "ldap_sudo_include_regexp (булеве значення)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2688
++#: sssd-ldap.5.xml:2708
+ msgid ""
+ "If true then SSSD will download every rule that contains a wildcard in "
+ "sudoHost attribute."
+@@ -8475,7 +8684,7 @@ msgstr ""
+ "заміни у атрибуті sudoHost."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd-ldap.5.xml:2704
++#: sssd-ldap.5.xml:2724
+ msgid ""
+ "This manual page only describes attribute name mapping.  For detailed "
+ "explanation of sudo related attribute semantics, see <citerefentry> "
+@@ -8488,12 +8697,12 @@ msgstr ""
+ "refentrytitle><manvolnum>5</manvolnum> </citerefentry>."
+ 
+ #. type: Content of: <reference><refentry><refsect1><title>
+-#: sssd-ldap.5.xml:2714
++#: sssd-ldap.5.xml:2734
+ msgid "AUTOFS OPTIONS"
+ msgstr "ПАРАМЕТРИ AUTOFS"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd-ldap.5.xml:2716
++#: sssd-ldap.5.xml:2736
+ msgid ""
+ "Some of the defaults for the parameters below are dependent on the LDAP "
+ "schema."
+@@ -8502,49 +8711,49 @@ msgstr ""
+ "LDAP."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2722
++#: sssd-ldap.5.xml:2742
+ msgid "ldap_autofs_map_master_name (string)"
+ msgstr "ldap_autofs_map_master_name (рядок)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2725
++#: sssd-ldap.5.xml:2745
+ msgid "The name of the automount master map in LDAP."
+ msgstr "Назва основної карти автоматичного монтування у LDAP."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2728
++#: sssd-ldap.5.xml:2748
+ msgid "Default: auto.master"
+ msgstr "Типове значення: auto.master"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2735
++#: sssd-ldap.5.xml:2755
+ msgid "ldap_autofs_map_object_class (string)"
+ msgstr "ldap_autofs_map_object_class (рядок)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2738
++#: sssd-ldap.5.xml:2758
+ msgid "The object class of an automount map entry in LDAP."
+ msgstr "Клас об’єктів запису карти автоматичного монтування у LDAP."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2741
++#: sssd-ldap.5.xml:2761
+ msgid "Default: nisMap (rfc2307, autofs_provider=ad), otherwise automountMap"
+ msgstr ""
+ "Типове значення: nisMap (rfc2307, autofs_provider=ad), у інших випадках "
+ "automountMap"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2749
++#: sssd-ldap.5.xml:2769
+ msgid "ldap_autofs_map_name (string)"
+ msgstr "ldap_autofs_map_name (рядок)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2752
++#: sssd-ldap.5.xml:2772
+ msgid "The name of an automount map entry in LDAP."
+ msgstr "Назва запису карти автоматичного монтування у LDAP."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2755
++#: sssd-ldap.5.xml:2775
+ msgid ""
+ "Default: nisMapName (rfc2307, autofs_provider=ad), otherwise automountMapName"
+ msgstr ""
+@@ -8552,12 +8761,12 @@ msgstr ""
+ "automountMapName"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2763
++#: sssd-ldap.5.xml:2783
+ msgid "ldap_autofs_entry_object_class (string)"
+ msgstr "ldap_autofs_entry_object_class (рядок)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2766
++#: sssd-ldap.5.xml:2786
+ msgid ""
+ "The object class of an automount entry in LDAP. The entry usually "
+ "corresponds to a mount point."
+@@ -8566,19 +8775,19 @@ msgstr ""
+ "точні монтування."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2771
++#: sssd-ldap.5.xml:2791
+ msgid "Default: nisObject (rfc2307, autofs_provider=ad), otherwise automount"
+ msgstr ""
+ "Типове значення: nisObject (rfc2307, autofs_provider=ad), у інших випадках "
+ "automount"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2779
++#: sssd-ldap.5.xml:2799
+ msgid "ldap_autofs_entry_key (string)"
+ msgstr "ldap_autofs_entry_key (рядок)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2782 sssd-ldap.5.xml:2797
++#: sssd-ldap.5.xml:2802 sssd-ldap.5.xml:2817
+ msgid ""
+ "The key of an automount entry in LDAP. The entry usually corresponds to a "
+ "mount point."
+@@ -8587,19 +8796,19 @@ msgstr ""
+ "точні монтування."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2786
++#: sssd-ldap.5.xml:2806
+ msgid "Default: cn (rfc2307, autofs_provider=ad), otherwise automountKey"
+ msgstr ""
+ "Типове значення: cn (rfc2307, autofs_provider=ad), у інших випадках "
+ "automountKey"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2794
++#: sssd-ldap.5.xml:2814
+ msgid "ldap_autofs_entry_value (string)"
+ msgstr "ldap_autofs_entry_value (рядок)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2801
++#: sssd-ldap.5.xml:2821
+ msgid ""
+ "Default: nisMapEntry (rfc2307, autofs_provider=ad), otherwise "
+ "automountInformation"
+@@ -8608,7 +8817,7 @@ msgstr ""
+ "automountInformation"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd-ldap.5.xml:2720
++#: sssd-ldap.5.xml:2740
+ msgid ""
+ "<placeholder type=\"variablelist\" id=\"0\"/> <placeholder type="
+ "\"variablelist\" id=\"1\"/> <placeholder type=\"variablelist\" id=\"2\"/> "
+@@ -8621,32 +8830,32 @@ msgstr ""
+ "\"variablelist\" id=\"4\"/> <placeholder type=\"variablelist\" id=\"5\"/>"
+ 
+ #. type: Content of: <reference><refentry><refsect1><title>
+-#: sssd-ldap.5.xml:2812
++#: sssd-ldap.5.xml:2832
+ msgid "ADVANCED OPTIONS"
+ msgstr "ДОДАТКОВІ ПАРАМЕТРИ"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2819
++#: sssd-ldap.5.xml:2839
+ msgid "ldap_netgroup_search_base (string)"
+ msgstr "ldap_netgroup_search_base (рядок)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2824
++#: sssd-ldap.5.xml:2844
+ msgid "ldap_user_search_base (string)"
+ msgstr "ldap_user_search_base (рядок)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2829
++#: sssd-ldap.5.xml:2849
+ msgid "ldap_group_search_base (string)"
+ msgstr "ldap_group_search_base (рядок)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><note>
+-#: sssd-ldap.5.xml:2834
++#: sssd-ldap.5.xml:2854
+ msgid "<note>"
+ msgstr "<note>"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><note><para>
+-#: sssd-ldap.5.xml:2836
++#: sssd-ldap.5.xml:2856
+ msgid ""
+ "If the option <quote>ldap_use_tokengroups</quote> is enabled, the searches "
+ "against Active Directory will not be restricted and return all groups "
+@@ -8659,22 +8868,22 @@ msgstr ""
+ "груп показуються неправильно."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist>
+-#: sssd-ldap.5.xml:2843
++#: sssd-ldap.5.xml:2863
+ msgid "</note>"
+ msgstr "</note>"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2845
++#: sssd-ldap.5.xml:2865
+ msgid "ldap_sudo_search_base (string)"
+ msgstr "ldap_sudo_search_base (рядок)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2850
++#: sssd-ldap.5.xml:2870
+ msgid "ldap_autofs_search_base (string)"
+ msgstr "ldap_autofs_search_base (рядок)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd-ldap.5.xml:2814
++#: sssd-ldap.5.xml:2834
+ msgid ""
+ "These options are supported by LDAP domains, but they should be used with "
+ "caution. Please include them in your configuration only if you know what you "
+@@ -8687,14 +8896,14 @@ msgstr ""
+ "<placeholder type=\"variablelist\" id=\"1\"/>"
+ 
+ #. type: Content of: <reference><refentry><refsect1><title>
+-#: sssd-ldap.5.xml:2865 sssd-simple.5.xml:131 sssd-ipa.5.xml:828
+-#: sssd-ad.5.xml:1063 sssd-krb5.5.xml:570 sss_rpcidmapd.5.xml:98
++#: sssd-ldap.5.xml:2885 sssd-simple.5.xml:131 sssd-ipa.5.xml:828
++#: sssd-ad.5.xml:1082 sssd-krb5.5.xml:604 sss_rpcidmapd.5.xml:98
+ #: sssd-files.5.xml:103 sssd-session-recording.5.xml:144
+ msgid "EXAMPLE"
+ msgstr "ПРИКЛАД"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd-ldap.5.xml:2867
++#: sssd-ldap.5.xml:2887
+ msgid ""
+ "The following example assumes that SSSD is correctly configured and LDAP is "
+ "set to one of the domains in the <replaceable>[domains]</replaceable> "
+@@ -8705,7 +8914,7 @@ msgstr ""
+ "<replaceable>[domains]</replaceable>."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><programlisting>
+-#: sssd-ldap.5.xml:2873
++#: sssd-ldap.5.xml:2893
+ #, no-wrap
+ msgid ""
+ "[domain/LDAP]\n"
+@@ -8725,20 +8934,20 @@ msgstr ""
+ "cache_credentials = true\n"
+ 
+ #. type: Content of: <refsect1><refsect2><para>
+-#: sssd-ldap.5.xml:2872 sssd-ldap.5.xml:2890 sssd-simple.5.xml:139
+-#: sssd-ipa.5.xml:836 sssd-ad.5.xml:1071 sssd-sudo.5.xml:56 sssd-krb5.5.xml:579
++#: sssd-ldap.5.xml:2892 sssd-ldap.5.xml:2910 sssd-simple.5.xml:139
++#: sssd-ipa.5.xml:836 sssd-ad.5.xml:1090 sssd-sudo.5.xml:56 sssd-krb5.5.xml:613
+ #: sssd-files.5.xml:110 sssd-session-recording.5.xml:150
+ #: include/ldap_id_mapping.xml:105
+ msgid "<placeholder type=\"programlisting\" id=\"0\"/>"
+ msgstr "<placeholder type=\"programlisting\" id=\"0\"/>"
+ 
+ #. type: Content of: <reference><refentry><refsect1><title>
+-#: sssd-ldap.5.xml:2884
++#: sssd-ldap.5.xml:2904
+ msgid "LDAP ACCESS FILTER EXAMPLE"
+ msgstr "ПРИКЛАД ФІЛЬТРА ДОСТУПУ LDAP"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd-ldap.5.xml:2886
++#: sssd-ldap.5.xml:2906
+ msgid ""
+ "The following example assumes that SSSD is correctly configured and to use "
+ "the ldap_access_order=lockout."
+@@ -8747,7 +8956,7 @@ msgstr ""
+ "чином і використано ldap_access_order=lockout."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><programlisting>
+-#: sssd-ldap.5.xml:2891
++#: sssd-ldap.5.xml:2911
+ #, no-wrap
+ msgid ""
+ "[domain/LDAP]\n"
+@@ -8773,13 +8982,13 @@ msgstr ""
+ "cache_credentials = true\n"
+ 
+ #. type: Content of: <reference><refentry><refsect1><title>
+-#: sssd-ldap.5.xml:2906 sssd_krb5_locator_plugin.8.xml:83 sssd-simple.5.xml:148
+-#: sssd-ad.5.xml:1086 sssd.8.xml:230 sss_seed.8.xml:163
++#: sssd-ldap.5.xml:2926 sssd_krb5_locator_plugin.8.xml:83 sssd-simple.5.xml:148
++#: sssd-ad.5.xml:1105 sssd.8.xml:230 sss_seed.8.xml:163
+ msgid "NOTES"
+ msgstr "ЗАУВАЖЕННЯ"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd-ldap.5.xml:2908
++#: sssd-ldap.5.xml:2928
+ msgid ""
+ "The descriptions of some of the configuration options in this manual page "
+ "are based on the <citerefentry> <refentrytitle>ldap.conf</refentrytitle> "
+@@ -10664,7 +10873,7 @@ msgstr ""
+ "цього вузла. Назву вузла слід вказувати повністю."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ipa.5.xml:128 sssd-ad.5.xml:888
++#: sssd-ipa.5.xml:128 sssd-ad.5.xml:907
+ msgid "dyndns_update (boolean)"
+ msgstr "dyndns_update (булеве значення)"
+ 
+@@ -10684,7 +10893,7 @@ msgstr ""
+ "допомогою параметра «dyndns_iface»."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ipa.5.xml:140 sssd-ad.5.xml:902
++#: sssd-ipa.5.xml:140 sssd-ad.5.xml:921
+ msgid ""
+ "NOTE: On older systems (such as RHEL 5), for this behavior to work reliably, "
+ "the default Kerberos realm must be set properly in /etc/krb5.conf"
+@@ -10705,12 +10914,12 @@ msgstr ""
+ "назву, <emphasis>dyndns_update</emphasis>, у файлі налаштувань."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ipa.5.xml:157 sssd-ad.5.xml:913
++#: sssd-ipa.5.xml:157 sssd-ad.5.xml:932
+ msgid "dyndns_ttl (integer)"
+ msgstr "dyndns_ttl (ціле число)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ipa.5.xml:160 sssd-ad.5.xml:916
++#: sssd-ipa.5.xml:160 sssd-ad.5.xml:935
+ msgid ""
+ "The TTL to apply to the client DNS record when updating it.  If "
+ "dyndns_update is false this has no effect. This will override the TTL "
+@@ -10737,12 +10946,12 @@ msgid "Default: 1200 (seconds)"
+ msgstr "Типове значення: 1200 (секунд)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ipa.5.xml:177 sssd-ad.5.xml:927
++#: sssd-ipa.5.xml:177 sssd-ad.5.xml:946
+ msgid "dyndns_iface (string)"
+ msgstr "dyndns_iface (рядок)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ipa.5.xml:180 sssd-ad.5.xml:930
++#: sssd-ipa.5.xml:180 sssd-ad.5.xml:949
+ msgid ""
+ "Optional. Applicable only when dyndns_update is true. Choose the interface "
+ "or a list of interfaces whose IP addresses should be used for dynamic DNS "
+@@ -10775,17 +10984,17 @@ msgstr ""
+ "для з’єднання LDAP IPA"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ipa.5.xml:197 sssd-ad.5.xml:941
++#: sssd-ipa.5.xml:197 sssd-ad.5.xml:960
+ msgid "Example: dyndns_iface = em1, vnet1, vnet2"
+ msgstr "Приклад: dyndns_iface = em1, vnet1, vnet2"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ipa.5.xml:203 sssd-ad.5.xml:992
++#: sssd-ipa.5.xml:203 sssd-ad.5.xml:1011
+ msgid "dyndns_auth (string)"
+ msgstr "dyndns_auth (рядок)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ipa.5.xml:206 sssd-ad.5.xml:995
++#: sssd-ipa.5.xml:206 sssd-ad.5.xml:1014
+ msgid ""
+ "Whether the nsupdate utility should use GSS-TSIG authentication for secure "
+ "updates with the DNS server, insecure updates can be sent by setting this "
+@@ -10796,7 +11005,7 @@ msgstr ""
+ "можна надсилати встановленням для цього параметра значення «none»."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ipa.5.xml:212 sssd-ad.5.xml:1001
++#: sssd-ipa.5.xml:212 sssd-ad.5.xml:1020
+ msgid "Default: GSS-TSIG"
+ msgstr "Типове значення: GSS-TSIG"
+ 
+@@ -10831,7 +11040,7 @@ msgstr ""
+ "вважатимуться резервними серверами."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ipa.5.xml:244 sssd-ad.5.xml:947
++#: sssd-ipa.5.xml:244 sssd-ad.5.xml:966
+ msgid "dyndns_refresh_interval (integer)"
+ msgstr "dyndns_refresh_interval (ціле число)"
+ 
+@@ -10848,12 +11057,12 @@ msgstr ""
+ "є обов’язкоми, його застосовують, лише якщо dyndns_update має значення true."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ipa.5.xml:260 sssd-ad.5.xml:965
++#: sssd-ipa.5.xml:260 sssd-ad.5.xml:984
+ msgid "dyndns_update_ptr (bool)"
+ msgstr "dyndns_update_ptr (булеве значення)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ipa.5.xml:263 sssd-ad.5.xml:968
++#: sssd-ipa.5.xml:263 sssd-ad.5.xml:987
+ msgid ""
+ "Whether the PTR record should also be explicitly updated when updating the "
+ "client's DNS records.  Applicable only when dyndns_update is true."
+@@ -10877,12 +11086,12 @@ msgid "Default: False (disabled)"
+ msgstr "Типове значення: False (вимкнено)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ipa.5.xml:280 sssd-ad.5.xml:979
++#: sssd-ipa.5.xml:280 sssd-ad.5.xml:998
+ msgid "dyndns_force_tcp (bool)"
+ msgstr "dyndns_force_tcp (булеве значення)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ipa.5.xml:283 sssd-ad.5.xml:982
++#: sssd-ipa.5.xml:283 sssd-ad.5.xml:1001
+ msgid ""
+ "Whether the nsupdate utility should default to using TCP for communicating "
+ "with the DNS server."
+@@ -10891,17 +11100,17 @@ msgstr ""
+ "даними з сервером DNS."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ipa.5.xml:287 sssd-ad.5.xml:986
++#: sssd-ipa.5.xml:287 sssd-ad.5.xml:1005
+ msgid "Default: False (let nsupdate choose the protocol)"
+ msgstr "Типове значення: False (надати змогу nsupdate вибирати протокол)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ipa.5.xml:293 sssd-ad.5.xml:1007
++#: sssd-ipa.5.xml:293 sssd-ad.5.xml:1026
+ msgid "dyndns_server (string)"
+ msgstr "dyndns_server (рядок)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ipa.5.xml:296 sssd-ad.5.xml:1010
++#: sssd-ipa.5.xml:296 sssd-ad.5.xml:1029
+ msgid ""
+ "The DNS server to use when performing a DNS update. In most setups, it's "
+ "recommended to leave this option unset."
+@@ -10911,7 +11120,7 @@ msgstr ""
+ "параметра."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ipa.5.xml:301 sssd-ad.5.xml:1015
++#: sssd-ipa.5.xml:301 sssd-ad.5.xml:1034
+ msgid ""
+ "Setting this option makes sense for environments where the DNS server is "
+ "different from the identity server."
+@@ -10920,7 +11129,7 @@ msgstr ""
+ "DNS відрізняється від сервера профілів."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ipa.5.xml:306 sssd-ad.5.xml:1020
++#: sssd-ipa.5.xml:306 sssd-ad.5.xml:1039
+ msgid ""
+ "Please note that this option will be only used in fallback attempt when "
+ "previous attempt using autodetected settings failed."
+@@ -10930,7 +11139,7 @@ msgstr ""
+ "невдало."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ipa.5.xml:311 sssd-ad.5.xml:1025
++#: sssd-ipa.5.xml:311 sssd-ad.5.xml:1044
+ msgid "Default: None (let nsupdate choose the server)"
+ msgstr "Типове значення: немає (надати nsupdate змогу вибирати сервер)"
+ 
+@@ -11058,12 +11267,12 @@ msgstr ""
+ "перетворено у основний DN для виконання дій LDAP."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ipa.5.xml:443 sssd-ad.5.xml:1034
++#: sssd-ipa.5.xml:443 sssd-ad.5.xml:1053
+ msgid "krb5_confd_path (string)"
+ msgstr "krb5_confd_path (рядок)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ipa.5.xml:446 sssd-ad.5.xml:1037
++#: sssd-ipa.5.xml:446 sssd-ad.5.xml:1056
+ msgid ""
+ "Absolute path of a directory where SSSD should place Kerberos configuration "
+ "snippets."
+@@ -11072,7 +11281,7 @@ msgstr ""
+ "налаштувань Kerberos."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ipa.5.xml:450 sssd-ad.5.xml:1041
++#: sssd-ipa.5.xml:450 sssd-ad.5.xml:1060
+ msgid ""
+ "To disable the creation of the configuration snippets set the parameter to "
+ "'none'."
+@@ -11081,7 +11290,7 @@ msgstr ""
+ "значення «none»."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ipa.5.xml:454 sssd-ad.5.xml:1045
++#: sssd-ipa.5.xml:454 sssd-ad.5.xml:1064
+ msgid ""
+ "Default: not set (krb5.include.d subdirectory of SSSD's pubconf directory)"
+ msgstr ""
+@@ -11106,7 +11315,7 @@ msgstr ""
+ "щодо профілів станції."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ipa.5.xml:471 sssd-ipa.5.xml:501 sssd-ipa.5.xml:517 sssd-ad.5.xml:452
++#: sssd-ipa.5.xml:471 sssd-ipa.5.xml:501 sssd-ipa.5.xml:517 sssd-ad.5.xml:471
+ msgid "Default: 5 (seconds)"
+ msgstr "Типове значення: 5 (секунд)"
+ 
+@@ -12259,12 +12468,29 @@ msgid "Default: False (seconds)"
+ msgstr "Типове значення: 5 (секунд)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ad.5.xml:442
++#: sssd-ad.5.xml:441
++#, fuzzy
++#| msgid "ad_enable_gc (boolean)"
++msgid "ad_gpo_ignore_unreadable (boolean)"
++msgstr "ad_enable_gc (булеве значення)"
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
++#: sssd-ad.5.xml:444
++msgid ""
++"Normally when some group policy containers (AD object) of applicable group "
++"policy objects are not readable by SSSD then users are denied access.  This "
++"option allows to ignore group policy containers and with them associated "
++"policies if their attributes in group policy containers are not readable for "
++"SSSD."
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
++#: sssd-ad.5.xml:461
+ msgid "ad_gpo_cache_timeout (integer)"
+ msgstr "ad_gpo_cache_timeout (ціле число)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:445
++#: sssd-ad.5.xml:464
+ msgid ""
+ "The amount of time between lookups of GPO policy files against the AD "
+ "server. This will reduce the latency and load on the AD server if there are "
+@@ -12275,12 +12501,12 @@ msgstr ""
+ "короткого періоду часу надходить багато запитів щодо керування доступом."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ad.5.xml:458
++#: sssd-ad.5.xml:477
+ msgid "ad_gpo_map_interactive (string)"
+ msgstr "ad_gpo_map_interactive (рядок)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:461
++#: sssd-ad.5.xml:480
+ msgid ""
+ "A comma-separated list of PAM service names for which GPO-based access "
+ "control is evaluated based on the InteractiveLogonRight and "
+@@ -12291,7 +12517,7 @@ msgstr ""
+ "InteractiveLogonRight і DenyInteractiveLogonRight."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:467
++#: sssd-ad.5.xml:486
+ msgid ""
+ "Note: Using the Group Policy Management Editor this value is called \"Allow "
+ "log on locally\" and \"Deny log on locally\"."
+@@ -12301,7 +12527,7 @@ msgstr ""
+ "вхід» («Deny log on locally»)."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
+-#: sssd-ad.5.xml:481
++#: sssd-ad.5.xml:500
+ #, no-wrap
+ msgid ""
+ "ad_gpo_map_interactive = +my_pam_service, -login\n"
+@@ -12311,7 +12537,7 @@ msgstr ""
+ "                            "
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:472
++#: sssd-ad.5.xml:491
+ msgid ""
+ "It is possible to add another PAM service name to the default set by using "
+ "<quote>+service_name</quote> or to explicitly remove a PAM service name from "
+@@ -12330,42 +12556,42 @@ msgstr ""
+ "\"0\"/>"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd-ad.5.xml:504
++#: sssd-ad.5.xml:523
+ msgid "gdm-fingerprint"
+ msgstr "gdm-fingerprint"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd-ad.5.xml:524
++#: sssd-ad.5.xml:543
+ msgid "lightdm"
+ msgstr "lightdm"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd-ad.5.xml:529
++#: sssd-ad.5.xml:548
+ msgid "lxdm"
+ msgstr "lxdm"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd-ad.5.xml:534
++#: sssd-ad.5.xml:553
+ msgid "sddm"
+ msgstr "sddm"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd-ad.5.xml:539
++#: sssd-ad.5.xml:558
+ msgid "unity"
+ msgstr "unity"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd-ad.5.xml:544
++#: sssd-ad.5.xml:563
+ msgid "xdm"
+ msgstr "xdm"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ad.5.xml:553
++#: sssd-ad.5.xml:572
+ msgid "ad_gpo_map_remote_interactive (string)"
+ msgstr "ad_gpo_map_remote_interactive (рядок)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:556
++#: sssd-ad.5.xml:575
+ msgid ""
+ "A comma-separated list of PAM service names for which GPO-based access "
+ "control is evaluated based on the RemoteInteractiveLogonRight and "
+@@ -12376,7 +12602,7 @@ msgstr ""
+ "DenyRemoteInteractiveLogonRight."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:562
++#: sssd-ad.5.xml:581
+ msgid ""
+ "Note: Using the Group Policy Management Editor this value is called \"Allow "
+ "log on through Remote Desktop Services\" and \"Deny log on through Remote "
+@@ -12388,7 +12614,7 @@ msgstr ""
+ "служб віддаленої стільниці» («Deny log on through Remote Desktop Services»)."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
+-#: sssd-ad.5.xml:577
++#: sssd-ad.5.xml:596
+ #, no-wrap
+ msgid ""
+ "ad_gpo_map_remote_interactive = +my_pam_service, -sshd\n"
+@@ -12398,7 +12624,7 @@ msgstr ""
+ "                            "
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:568
++#: sssd-ad.5.xml:587
+ msgid ""
+ "It is possible to add another PAM service name to the default set by using "
+ "<quote>+service_name</quote> or to explicitly remove a PAM service name from "
+@@ -12417,22 +12643,22 @@ msgstr ""
+ "\"0\"/>"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd-ad.5.xml:585
++#: sssd-ad.5.xml:604
+ msgid "sshd"
+ msgstr "sshd"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd-ad.5.xml:590
++#: sssd-ad.5.xml:609
+ msgid "cockpit"
+ msgstr "cockpit"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ad.5.xml:599
++#: sssd-ad.5.xml:618
+ msgid "ad_gpo_map_network (string)"
+ msgstr "ad_gpo_map_network (рядок)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:602
++#: sssd-ad.5.xml:621
+ msgid ""
+ "A comma-separated list of PAM service names for which GPO-based access "
+ "control is evaluated based on the NetworkLogonRight and "
+@@ -12443,7 +12669,7 @@ msgstr ""
+ "DenyNetworkLogonRight."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:608
++#: sssd-ad.5.xml:627
+ msgid ""
+ "Note: Using the Group Policy Management Editor this value is called \"Access "
+ "this computer from the network\" and \"Deny access to this computer from the "
+@@ -12455,7 +12681,7 @@ msgstr ""
+ "мережі» (Deny access to this computer from the network»)."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
+-#: sssd-ad.5.xml:623
++#: sssd-ad.5.xml:642
+ #, no-wrap
+ msgid ""
+ "ad_gpo_map_network = +my_pam_service, -ftp\n"
+@@ -12465,7 +12691,7 @@ msgstr ""
+ "                            "
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:614
++#: sssd-ad.5.xml:633
+ msgid ""
+ "It is possible to add another PAM service name to the default set by using "
+ "<quote>+service_name</quote> or to explicitly remove a PAM service name from "
+@@ -12484,22 +12710,22 @@ msgstr ""
+ "\"0\"/>"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd-ad.5.xml:631
++#: sssd-ad.5.xml:650
+ msgid "ftp"
+ msgstr "ftp"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd-ad.5.xml:636
++#: sssd-ad.5.xml:655
+ msgid "samba"
+ msgstr "samba"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ad.5.xml:645
++#: sssd-ad.5.xml:664
+ msgid "ad_gpo_map_batch (string)"
+ msgstr "ad_gpo_map_batch (рядок)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:648
++#: sssd-ad.5.xml:667
+ msgid ""
+ "A comma-separated list of PAM service names for which GPO-based access "
+ "control is evaluated based on the BatchLogonRight and DenyBatchLogonRight "
+@@ -12510,7 +12736,7 @@ msgstr ""
+ "DenyBatchLogonRight."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:654
++#: sssd-ad.5.xml:673
+ msgid ""
+ "Note: Using the Group Policy Management Editor this value is called \"Allow "
+ "log on as a batch job\" and \"Deny log on as a batch job\"."
+@@ -12520,7 +12746,7 @@ msgstr ""
+ "job») і «Заборонити вхід як пакетне завдання» («Deny log on as a batch job»)."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
+-#: sssd-ad.5.xml:668
++#: sssd-ad.5.xml:687
+ #, no-wrap
+ msgid ""
+ "ad_gpo_map_batch = +my_pam_service, -crond\n"
+@@ -12530,7 +12756,7 @@ msgstr ""
+ "                            "
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:659
++#: sssd-ad.5.xml:678
+ msgid ""
+ "It is possible to add another PAM service name to the default set by using "
+ "<quote>+service_name</quote> or to explicitly remove a PAM service name from "
+@@ -12549,24 +12775,24 @@ msgstr ""
+ "\"0\"/>"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:671
++#: sssd-ad.5.xml:690
+ msgid ""
+ "Note: Cron service name may differ depending on Linux distribution used."
+ msgstr ""
+ "Зауваження: назва служби cron у різних дистрибутивах Linux може бути різною."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd-ad.5.xml:677
++#: sssd-ad.5.xml:696
+ msgid "crond"
+ msgstr "crond"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ad.5.xml:686
++#: sssd-ad.5.xml:705
+ msgid "ad_gpo_map_service (string)"
+ msgstr "ad_gpo_map_service (рядок)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:689
++#: sssd-ad.5.xml:708
+ msgid ""
+ "A comma-separated list of PAM service names for which GPO-based access "
+ "control is evaluated based on the ServiceLogonRight and "
+@@ -12577,7 +12803,7 @@ msgstr ""
+ "DenyServiceLogonRight."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:695
++#: sssd-ad.5.xml:714
+ msgid ""
+ "Note: Using the Group Policy Management Editor this value is called \"Allow "
+ "log on as a service\" and \"Deny log on as a service\"."
+@@ -12587,7 +12813,7 @@ msgstr ""
+ "«Заборонити вхід як службу» («Deny log on as a service»)."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
+-#: sssd-ad.5.xml:708
++#: sssd-ad.5.xml:727
+ #, no-wrap
+ msgid ""
+ "ad_gpo_map_service = +my_pam_service\n"
+@@ -12597,7 +12823,7 @@ msgstr ""
+ "                            "
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:700 sssd-ad.5.xml:775
++#: sssd-ad.5.xml:719 sssd-ad.5.xml:794
+ msgid ""
+ "It is possible to add a PAM service name to the default set by using <quote>"
+ "+service_name</quote>.  Since the default set is empty, it is not possible "
+@@ -12614,12 +12840,12 @@ msgstr ""
+ "\"0\"/>"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ad.5.xml:718
++#: sssd-ad.5.xml:737
+ msgid "ad_gpo_map_permit (string)"
+ msgstr "ad_gpo_map_permit (рядок)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:721
++#: sssd-ad.5.xml:740
+ msgid ""
+ "A comma-separated list of PAM service names for which GPO-based access is "
+ "always granted, regardless of any GPO Logon Rights."
+@@ -12628,7 +12854,7 @@ msgstr ""
+ "основі GPO, незалежно від будь-яких прав входу GPO."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
+-#: sssd-ad.5.xml:735
++#: sssd-ad.5.xml:754
+ #, no-wrap
+ msgid ""
+ "ad_gpo_map_permit = +my_pam_service, -sudo\n"
+@@ -12638,7 +12864,7 @@ msgstr ""
+ "                            "
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:726
++#: sssd-ad.5.xml:745
+ msgid ""
+ "It is possible to add another PAM service name to the default set by using "
+ "<quote>+service_name</quote> or to explicitly remove a PAM service name from "
+@@ -12657,22 +12883,22 @@ msgstr ""
+ "type=\"programlisting\" id=\"0\"/>"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd-ad.5.xml:743
++#: sssd-ad.5.xml:762
+ msgid "polkit-1"
+ msgstr "polkit-1"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd-ad.5.xml:758
++#: sssd-ad.5.xml:777
+ msgid "systemd-user"
+ msgstr "systemd-user"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ad.5.xml:767
++#: sssd-ad.5.xml:786
+ msgid "ad_gpo_map_deny (string)"
+ msgstr "ad_gpo_map_deny (рядок)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:770
++#: sssd-ad.5.xml:789
+ msgid ""
+ "A comma-separated list of PAM service names for which GPO-based access is "
+ "always denied, regardless of any GPO Logon Rights."
+@@ -12681,7 +12907,7 @@ msgstr ""
+ "на основі GPO, незалежно від будь-яких прав входу GPO."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
+-#: sssd-ad.5.xml:783
++#: sssd-ad.5.xml:802
+ #, no-wrap
+ msgid ""
+ "ad_gpo_map_deny = +my_pam_service\n"
+@@ -12691,12 +12917,12 @@ msgstr ""
+ "                            "
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ad.5.xml:793
++#: sssd-ad.5.xml:812
+ msgid "ad_gpo_default_right (string)"
+ msgstr "ad_gpo_default_right (рядок)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:796
++#: sssd-ad.5.xml:815
+ msgid ""
+ "This option defines how access control is evaluated for PAM service names "
+ "that are not explicitly listed in one of the ad_gpo_map_* options. This "
+@@ -12718,57 +12944,57 @@ msgstr ""
+ "забороняла доступ для непов’язаних назв служб PAM."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:809
++#: sssd-ad.5.xml:828
+ msgid "Supported values for this option include:"
+ msgstr "Передбачені значення для цього параметра:"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd-ad.5.xml:813
++#: sssd-ad.5.xml:832
+ msgid "interactive"
+ msgstr "interactive"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd-ad.5.xml:818
++#: sssd-ad.5.xml:837
+ msgid "remote_interactive"
+ msgstr "remote_interactive"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd-ad.5.xml:823
++#: sssd-ad.5.xml:842
+ msgid "network"
+ msgstr "network"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd-ad.5.xml:828
++#: sssd-ad.5.xml:847
+ msgid "batch"
+ msgstr "batch"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd-ad.5.xml:833
++#: sssd-ad.5.xml:852
+ msgid "service"
+ msgstr "service"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd-ad.5.xml:838
++#: sssd-ad.5.xml:857
+ msgid "permit"
+ msgstr "permit"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd-ad.5.xml:843
++#: sssd-ad.5.xml:862
+ msgid "deny"
+ msgstr "deny"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:849
++#: sssd-ad.5.xml:868
+ msgid "Default: deny"
+ msgstr "Типове значення: deny"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ad.5.xml:855
++#: sssd-ad.5.xml:874
+ msgid "ad_maximum_machine_account_password_age (integer)"
+ msgstr "ad_maximum_machine_account_password_age (ціле число)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:858
++#: sssd-ad.5.xml:877
+ msgid ""
+ "SSSD will check once a day if the machine account password is older than the "
+ "given age in days and try to renew it. A value of 0 will disable the renewal "
+@@ -12779,17 +13005,17 @@ msgstr ""
+ "Значення 0 вимкне спроби оновлення."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:864
++#: sssd-ad.5.xml:883
+ msgid "Default: 30 days"
+ msgstr "Типове значення: 30 днів"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ad.5.xml:870
++#: sssd-ad.5.xml:889
+ msgid "ad_machine_account_password_renewal_opts (string)"
+ msgstr "ad_machine_account_password_renewal_opts (рядок)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:873
++#: sssd-ad.5.xml:892
+ msgid ""
+ "This option should only be used to test the machine account renewal task. "
+ "The option expects 2 integers separated by a colon (':'). The first integer "
+@@ -12804,12 +13030,12 @@ msgstr ""
+ "— визначає початковий час очікування на перший запуск завдання."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:882
++#: sssd-ad.5.xml:901
+ msgid "Default: 86400:750 (24h and 15m)"
+ msgstr "Типове значення: 86400:750 (24 годин і 15 хвилин)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:891
++#: sssd-ad.5.xml:910
+ msgid ""
+ "Optional. This option tells SSSD to automatically update the Active "
+ "Directory DNS server with the IP address of this client. The update is "
+@@ -12826,12 +13052,12 @@ msgstr ""
+ "якщо цю адресу не було змінено за допомогою параметра «dyndns_iface»."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:921
++#: sssd-ad.5.xml:940
+ msgid "Default: 3600 (seconds)"
+ msgstr "Типове значення: 3600 (секунд)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:937
++#: sssd-ad.5.xml:956
+ msgid ""
+ "Default: Use the IP addresses of the interface which is used for AD LDAP "
+ "connection"
+@@ -12840,7 +13066,7 @@ msgstr ""
+ "для з’єднання LDAP AD"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:950
++#: sssd-ad.5.xml:969
+ msgid ""
+ "How often should the back end perform periodic DNS update in addition to the "
+ "automatic update performed when the back end goes online.  This option is "
+@@ -12857,12 +13083,12 @@ msgstr ""
+ "значення."
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:973 sss_rpcidmapd.5.xml:76
++#: sssd-ad.5.xml:992 sss_rpcidmapd.5.xml:76
+ msgid "Default: True"
+ msgstr "Типове значення: True"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd-ad.5.xml:1065
++#: sssd-ad.5.xml:1084
+ msgid ""
+ "The following example assumes that SSSD is correctly configured and example."
+ "com is one of the domains in the <replaceable>[sssd]</replaceable> section. "
+@@ -12873,7 +13099,7 @@ msgstr ""
+ "У прикладі продемонстровано лише параметри доступу, специфічні для засобу AD."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><programlisting>
+-#: sssd-ad.5.xml:1072
++#: sssd-ad.5.xml:1091
+ #, no-wrap
+ msgid ""
+ "[domain/EXAMPLE]\n"
+@@ -12897,7 +13123,7 @@ msgstr ""
+ "ad_domain = example.com\n"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><programlisting>
+-#: sssd-ad.5.xml:1092
++#: sssd-ad.5.xml:1111
+ #, no-wrap
+ msgid ""
+ "access_provider = ldap\n"
+@@ -12909,7 +13135,7 @@ msgstr ""
+ "ldap_account_expire_policy = ad\n"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd-ad.5.xml:1088
++#: sssd-ad.5.xml:1107
+ msgid ""
+ "The AD access control provider checks if the account is expired.  It has the "
+ "same effect as the following configuration of the LDAP provider: "
+@@ -12921,7 +13147,7 @@ msgstr ""
+ "\"0\"/>"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd-ad.5.xml:1098
++#: sssd-ad.5.xml:1117
+ msgid ""
+ "However, unless the <quote>ad</quote> access control provider is explicitly "
+ "configured, the default access provider is <quote>permit</quote>. Please "
+@@ -12936,7 +13162,7 @@ msgstr ""
+ "шифрування) вручну."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd-ad.5.xml:1106
++#: sssd-ad.5.xml:1125
+ msgid ""
+ "When the autofs provider is set to <quote>ad</quote>, the RFC2307 schema "
+ "attribute mapping (nisMap, nisObject, ...) is used, because these attributes "
+@@ -14815,11 +15041,67 @@ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd-krb5.5.xml:505
++#, fuzzy
++#| msgid "krb5_confd_path (string)"
++msgid "krb5_kdcinfo_lookahead (string)"
++msgstr "krb5_confd_path (рядок)"
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
++#: sssd-krb5.5.xml:508
++#, fuzzy
++#| msgid ""
++#| "See the <citerefentry> <refentrytitle>sssd_krb5_locator_plugin</"
++#| "refentrytitle> <manvolnum>8</manvolnum> </citerefentry> manual page for "
++#| "more information on the locator plugin."
++msgid ""
++"When krb5_use_kdcinfo is set to true, you can limit the amount of servers "
++"handed to <citerefentry> <refentrytitle>sssd_krb5_locator_plugin</"
++"refentrytitle> <manvolnum>8</manvolnum> </citerefentry>.  This might be "
++"helpful when there are too many servers discovered using SRV record."
++msgstr ""
++"Див. сторінку підручника (man) <citerefentry> "
++"<refentrytitle>sssd_krb5_locator_plugin</refentrytitle> <manvolnum>8</"
++"manvolnum> </citerefentry>, щоб дізнатися більше про додаток пошуку."
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
++#: sssd-krb5.5.xml:518
++msgid ""
++"The krb5_kdcinfo_lookahead option contains two numbers seperated by a colon. "
++"The first number represents number of primary servers used and the second "
++"number specifies the number of backup servers."
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
++#: sssd-krb5.5.xml:524
++#, fuzzy
++#| msgid ""
++#| "See the <citerefentry> <refentrytitle>sssd_krb5_locator_plugin</"
++#| "refentrytitle> <manvolnum>8</manvolnum> </citerefentry> manual page for "
++#| "more information on the locator plugin."
++msgid ""
++"For example <emphasis>10:0</emphasis> means that up to 10 primary servers "
++"will be handed to <citerefentry> <refentrytitle>sssd_krb5_locator_plugin</"
++"refentrytitle> <manvolnum>8</manvolnum> </citerefentry>.  but no backup "
++"servers."
++msgstr ""
++"Див. сторінку підручника (man) <citerefentry> "
++"<refentrytitle>sssd_krb5_locator_plugin</refentrytitle> <manvolnum>8</"
++"manvolnum> </citerefentry>, щоб дізнатися більше про додаток пошуку."
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
++#: sssd-krb5.5.xml:533
++#, fuzzy
++#| msgid "Default: 3"
++msgid "Default: 3:1"
++msgstr "Типове значення: 3"
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
++#: sssd-krb5.5.xml:539
+ msgid "krb5_use_enterprise_principal (boolean)"
+ msgstr "krb5_use_enterprise_principal (булеве значення)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-krb5.5.xml:508
++#: sssd-krb5.5.xml:542
+ msgid ""
+ "Specifies if the user principal should be treated as enterprise principal. "
+ "See section 5 of RFC 6806 for more details about enterprise principals."
+@@ -14829,12 +15111,12 @@ msgstr ""
+ "реєстраційні дані."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-krb5.5.xml:514
++#: sssd-krb5.5.xml:548
+ msgid "Default: false (AD provider: true)"
+ msgstr "Типове значення: false (надається AD: true)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-krb5.5.xml:517
++#: sssd-krb5.5.xml:551
+ msgid ""
+ "The IPA provider will set to option to 'true' if it detects that the server "
+ "is capable of handling enterprise principals and the option is not set "
+@@ -14845,12 +15127,12 @@ msgstr ""
+ "параметр на встановлено явним чином у файлі налаштувань."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-krb5.5.xml:526
++#: sssd-krb5.5.xml:560
+ msgid "krb5_map_user (string)"
+ msgstr "krb5_map_user (рядок)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-krb5.5.xml:529
++#: sssd-krb5.5.xml:563
+ msgid ""
+ "The list of mappings is given as a comma-separated list of pairs "
+ "<quote>username:primary</quote> where <quote>username</quote> is a UNIX user "
+@@ -14864,7 +15146,7 @@ msgstr ""
+ "користувач проходить розпізнавання із використанням «auth_provider = krb5»."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
+-#: sssd-krb5.5.xml:541
++#: sssd-krb5.5.xml:575
+ #, no-wrap
+ msgid ""
+ "krb5_realm = REALM\n"
+@@ -14874,7 +15156,7 @@ msgstr ""
+ "krb5_map_user = joe:juser,dick:richard\n"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-krb5.5.xml:546
++#: sssd-krb5.5.xml:580
+ msgid ""
+ "<quote>joe</quote> and <quote>dick</quote> are UNIX user names and "
+ "<quote>juser</quote> and <quote>richard</quote> are primaries of kerberos "
+@@ -14904,7 +15186,7 @@ msgstr ""
+ "про налаштування домену SSSD. <placeholder type=\"variablelist\" id=\"0\"/>"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd-krb5.5.xml:572
++#: sssd-krb5.5.xml:606
+ msgid ""
+ "The following example assumes that SSSD is correctly configured and FOO is "
+ "one of the domains in the <replaceable>[sssd]</replaceable> section. This "
+@@ -14917,7 +15199,7 @@ msgstr ""
+ "Kerberos, там не вказано інструменту обробки профілів."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><programlisting>
+-#: sssd-krb5.5.xml:580
++#: sssd-krb5.5.xml:614
+ #, no-wrap
+ msgid ""
+ "[domain/FOO]\n"
+@@ -20101,6 +20383,35 @@ msgstr "ldap_group_objectsid = ipaNTSecurityIdentifier"
+ msgid "ldap_group_external_member = ipaExternalMember"
+ msgstr "ldap_group_external_member = ipaExternalMember"
+ 
++#~ msgid ""
++#~ "The background refresh will process users, groups and netgroups in the "
++#~ "cache."
++#~ msgstr ""
++#~ "Під час фонового оновлення виконуватиметься обробка записів користувачів, "
++#~ "груп та мережевих груп у кеші."
++
++#~ msgid ""
++#~ "For POSIX subdomains, setting the option in the main domain is inherited "
++#~ "in the subdomain."
++#~ msgstr ""
++#~ "Для піддоменів POSIX встановлення для цього параметра значення головного "
++#~ "домену успадковується у піддомені."
++
++#~ msgid ""
++#~ "For ID-mapping subdomains, auto_private_groups is already enabled for the "
++#~ "subdomains and setting it to false will not have any effect for the "
++#~ "subdomain."
++#~ msgstr ""
++#~ "Для піддоменів із прив'язкою за ідентифікатором auto_private_groups вже "
++#~ "увімкнено для піддоменів, встановлення для нього значення false ніяк не "
++#~ "впливатиме на піддомен."
++
++#~ msgid ""
++#~ "You can turn off dereference lookups completely by setting the value to 0."
++#~ msgstr ""
++#~ "Ви можете повністю вимкнути пошуки з отриманням значення об’єкта "
++#~ "(розіменуванням), якщо вкажете значення 0."
++
+ #~ msgid ""
+ #~ "(OpenSSL version) This option is currently ignored. All needed "
+ #~ "certificates must be available in the PEM file given by pam_cert_db_path."
+@@ -20349,7 +20660,8 @@ msgstr "ldap_group_external_member = ipaExternalMember"
+ #~ "priority = 10\n"
+ #~ "\n"
+ #~ "[certmap/files/myname]\n"
+-#~ "matchrule = &lt;ISSUER&gt;^CN=My-CA,DC=MY,DC=DOMAIN$&lt;SUBJECT&gt;^CN=User.Name,DC=MY,DC=DOMAIN$\n"
++#~ "matchrule = &lt;ISSUER&gt;^CN=My-CA,DC=MY,DC=DOMAIN$&lt;SUBJECT&gt;"
++#~ "^CN=User.Name,DC=MY,DC=DOMAIN$\n"
+ #~ msgstr ""
+ #~ "[certmap/my.domain/rule_name]\n"
+ #~ "matchrule = &lt;ISSUER&gt;^CN=My-CA,DC=MY,DC=DOMAIN$\n"
+@@ -20358,7 +20670,8 @@ msgstr "ldap_group_external_member = ipaExternalMember"
+ #~ "priority = 10\n"
+ #~ "\n"
+ #~ "[certmap/files/myname]\n"
+-#~ "matchrule = &lt;ISSUER&gt;^CN=My-CA,DC=MY,DC=DOMAIN$&lt;SUBJECT&gt;^CN=User.Name,DC=MY,DC=DOMAIN$\n"
++#~ "matchrule = &lt;ISSUER&gt;^CN=My-CA,DC=MY,DC=DOMAIN$&lt;SUBJECT&gt;"
++#~ "^CN=User.Name,DC=MY,DC=DOMAIN$\n"
+ 
+ #~ msgid ""
+ #~ "3. The following example shows the configuration for two certificate "
+diff --git a/src/man/po/zh_CN.po b/src/man/po/zh_CN.po
+index 07d077010..3af09c050 100644
+--- a/src/man/po/zh_CN.po
++++ b/src/man/po/zh_CN.po
+@@ -8,7 +8,7 @@ msgid ""
+ msgstr ""
+ "Project-Id-Version: sssd-docs 2.0.99\n"
+ "Report-Msgid-Bugs-To: sssd-devel@redhat.com\n"
+-"POT-Creation-Date: 2019-03-20 22:06+0100\n"
++"POT-Creation-Date: 2019-10-07 11:33+0200\n"
+ "PO-Revision-Date: 2014-12-15 12:16+0000\n"
+ "Last-Translator: Copied by Zanata <copied-by-zanata@zanata.org>\n"
+ "Language-Team: Chinese (China) (http://www.transifex.com/projects/p/sssd/"
+@@ -300,10 +300,10 @@ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:133 sssd.conf.5.xml:543 sssd.conf.5.xml:840
+-#: sssd.conf.5.xml:1566 sssd.conf.5.xml:1596 sssd-ldap.5.xml:1889
+-#: sssd-ldap.5.xml:1986 sssd-ldap.5.xml:2048 sssd-ldap.5.xml:2614
+-#: sssd-ldap.5.xml:2679 sssd-ldap.5.xml:2697 sssd-ad.5.xml:227
+-#: sssd-ad.5.xml:341 sssd-ad.5.xml:907 sssd-krb5.5.xml:499
++#: sssd.conf.5.xml:1566 sssd.conf.5.xml:1596 sssd-ldap.5.xml:1908
++#: sssd-ldap.5.xml:2006 sssd-ldap.5.xml:2068 sssd-ldap.5.xml:2634
++#: sssd-ldap.5.xml:2699 sssd-ldap.5.xml:2717 sssd-ad.5.xml:227
++#: sssd-ad.5.xml:341 sssd-ad.5.xml:926 sssd-krb5.5.xml:499
+ #: sssd-secrets.5.xml:351 sssd-secrets.5.xml:364
+ msgid "Default: true"
+ msgstr ""
+@@ -322,16 +322,16 @@ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:146 sssd.conf.5.xml:540 sssd.conf.5.xml:722
+-#: sssd.conf.5.xml:1499 sssd.conf.5.xml:3106 sssd-ldap.5.xml:746
+-#: sssd-ldap.5.xml:1752 sssd-ldap.5.xml:1771 sssd-ldap.5.xml:1958
+-#: sssd-ldap.5.xml:2384 sssd-ipa.5.xml:151 sssd-ipa.5.xml:238
++#: sssd.conf.5.xml:1499 sssd.conf.5.xml:3129 sssd-ldap.5.xml:746
++#: sssd-ldap.5.xml:1759 sssd-ldap.5.xml:1778 sssd-ldap.5.xml:1978
++#: sssd-ldap.5.xml:2404 sssd-ipa.5.xml:151 sssd-ipa.5.xml:238
+ #: sssd-ipa.5.xml:559 sssd-krb5.5.xml:266 sssd-krb5.5.xml:300
+ #: sssd-krb5.5.xml:471
+ msgid "Default: false"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para>
+-#: sssd.conf.5.xml:106 sssd.conf.5.xml:157 sssd-ldap.5.xml:2422
++#: sssd.conf.5.xml:106 sssd.conf.5.xml:157 sssd-ldap.5.xml:2442
+ #: sssd-systemtap.5.xml:82 sssd-systemtap.5.xml:143 sssd-systemtap.5.xml:210
+ #: sssd-systemtap.5.xml:248 sssd-systemtap.5.xml:304
+ msgid "<placeholder type=\"variablelist\" id=\"0\"/>"
+@@ -356,8 +356,8 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:169 sssd.conf.5.xml:1377 sssd.conf.5.xml:3122
+-#: sssd-ldap.5.xml:1623 include/ldap_id_mapping.xml:264
++#: sssd.conf.5.xml:169 sssd.conf.5.xml:1377 sssd.conf.5.xml:3145
++#: sssd-ldap.5.xml:1630 include/ldap_id_mapping.xml:264
+ msgid "Default: 10"
+ msgstr ""
+ 
+@@ -372,7 +372,7 @@ msgid "The [sssd] section"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><title>
+-#: sssd.conf.5.xml:191 sssd.conf.5.xml:3211
++#: sssd.conf.5.xml:191 sssd.conf.5.xml:3234
+ msgid "Section parameters"
+ msgstr ""
+ 
+@@ -452,7 +452,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:259 sssd.conf.5.xml:2672
++#: sssd.conf.5.xml:259 sssd.conf.5.xml:2680
+ msgid "re_expression (string)"
+ msgstr ""
+ 
+@@ -472,12 +472,12 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:276 sssd.conf.5.xml:2720
++#: sssd.conf.5.xml:276 sssd.conf.5.xml:2728
+ msgid "full_name_format (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:279 sssd.conf.5.xml:2723
++#: sssd.conf.5.xml:279 sssd.conf.5.xml:2731
+ msgid ""
+ "A <citerefentry> <refentrytitle>printf</refentrytitle> <manvolnum>3</"
+ "manvolnum> </citerefentry>-compatible format that describes how to compose a "
+@@ -485,39 +485,39 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:290 sssd.conf.5.xml:2734
++#: sssd.conf.5.xml:290 sssd.conf.5.xml:2742
+ msgid "%1$s"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:291 sssd.conf.5.xml:2735
++#: sssd.conf.5.xml:291 sssd.conf.5.xml:2743
+ msgid "user name"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:294 sssd.conf.5.xml:2738
++#: sssd.conf.5.xml:294 sssd.conf.5.xml:2746
+ msgid "%2$s"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:297 sssd.conf.5.xml:2741
++#: sssd.conf.5.xml:297 sssd.conf.5.xml:2749
+ msgid "domain name as specified in the SSSD config file."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:303 sssd.conf.5.xml:2747
++#: sssd.conf.5.xml:303 sssd.conf.5.xml:2755
+ msgid "%3$s"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:306 sssd.conf.5.xml:2750
++#: sssd.conf.5.xml:306 sssd.conf.5.xml:2758
+ msgid ""
+ "domain flat name. Mostly usable for Active Directory domains, both directly "
+ "configured or discovered via IPA trusts."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:287 sssd.conf.5.xml:2731
++#: sssd.conf.5.xml:287 sssd.conf.5.xml:2739
+ msgid ""
+ "The following expansions are supported: <placeholder type=\"variablelist\" "
+ "id=\"0\"/>"
+@@ -642,9 +642,9 @@ msgstr ""
+ 
+ #. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:418 sssd.conf.5.xml:1166 sssd-ldap.5.xml:717
+-#: sssd-ldap.5.xml:1357 sssd-ldap.5.xml:1711 sssd-ldap.5.xml:1723
+-#: sssd-ldap.5.xml:1805 sssd-ad.5.xml:712 sssd-ad.5.xml:787 sssd.8.xml:126
+-#: sssd-krb5.5.xml:410 sssd-krb5.5.xml:556 sssd-secrets.5.xml:339
++#: sssd-ldap.5.xml:1357 sssd-ldap.5.xml:1718 sssd-ldap.5.xml:1730
++#: sssd-ldap.5.xml:1822 sssd-ad.5.xml:731 sssd-ad.5.xml:806 sssd.8.xml:126
++#: sssd-krb5.5.xml:410 sssd-krb5.5.xml:590 sssd-secrets.5.xml:339
+ #: sssd-secrets.5.xml:377 sssd-secrets.5.xml:390 sssd-secrets.5.xml:404
+ #: sssd-secrets.5.xml:415 include/ldap_id_mapping.xml:205
+ #: include/ldap_id_mapping.xml:216
+@@ -835,7 +835,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:588 sssd.conf.5.xml:1389 sssd.conf.5.xml:3172
++#: sssd.conf.5.xml:588 sssd.conf.5.xml:1389 sssd.conf.5.xml:3195
+ #: sssd-ad.5.xml:164 sssd-ad.5.xml:302 sssd-ad.5.xml:316
+ msgid "Default: Not set"
+ msgstr ""
+@@ -1157,7 +1157,7 @@ msgstr ""
+ 
+ #. type: Content of: <varlistentry><listitem><para>
+ #: sssd.conf.5.xml:859 sssd.conf.5.xml:1299 sssd.conf.5.xml:1318
+-#: sssd-krb5.5.xml:539 include/override_homedir.xml:59
++#: sssd-krb5.5.xml:573 include/override_homedir.xml:59
+ msgid "example: <placeholder type=\"programlisting\" id=\"0\"/>"
+ msgstr ""
+ 
+@@ -1578,7 +1578,7 @@ msgid "pam_pwd_expiration_warning (integer)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:1201 sssd.conf.5.xml:2153
++#: sssd.conf.5.xml:1201 sssd.conf.5.xml:2161
+ msgid "Display a warning N days before the password expires."
+ msgstr ""
+ 
+@@ -1591,7 +1591,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:1210 sssd.conf.5.xml:2156
++#: sssd.conf.5.xml:1210 sssd.conf.5.xml:2164
+ msgid ""
+ "If zero is set, then this filter is not applied, i.e. if the expiration "
+ "warning was received from backend server, it will automatically be displayed."
+@@ -1605,7 +1605,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:1220 sssd.conf.5.xml:2976 sssd.8.xml:79
++#: sssd.conf.5.xml:1220 sssd.conf.5.xml:2991 sssd.8.xml:79
+ msgid "Default: 0"
+ msgstr ""
+ 
+@@ -1668,7 +1668,7 @@ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:1280 sssd.conf.5.xml:1305 sssd.conf.5.xml:1324
+-#: sssd.conf.5.xml:1950 sssd.conf.5.xml:2912 sssd-ldap.5.xml:2017
++#: sssd.conf.5.xml:1950 sssd.conf.5.xml:2920 sssd-ldap.5.xml:2037
+ msgid "Default: none"
+ msgstr ""
+ 
+@@ -1733,9 +1733,9 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:1338 sssd.conf.5.xml:3056 sssd-ldap.5.xml:1125
+-#: sssd-ldap.5.xml:1152 sssd-ldap.5.xml:1552 sssd-ldap.5.xml:1573
+-#: sssd-ldap.5.xml:2090 include/ldap_id_mapping.xml:244
++#: sssd.conf.5.xml:1338 sssd-ldap.5.xml:1125 sssd-ldap.5.xml:1152
++#: sssd-ldap.5.xml:1552 sssd-ldap.5.xml:1573 sssd-ldap.5.xml:2110
++#: sssd-ad.5.xml:453 include/ldap_id_mapping.xml:244
+ msgid "Default: False"
+ msgstr ""
+ 
+@@ -1833,48 +1833,48 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:1416 sssd-ad.5.xml:485 sssd-ad.5.xml:581 sssd-ad.5.xml:627
+-#: sssd-ad.5.xml:673 sssd-ad.5.xml:739
++#: sssd.conf.5.xml:1416 sssd-ad.5.xml:504 sssd-ad.5.xml:600 sssd-ad.5.xml:646
++#: sssd-ad.5.xml:692 sssd-ad.5.xml:758
+ msgid "Default: the default set of PAM service names includes:"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd.conf.5.xml:1421 sssd-ad.5.xml:489
++#: sssd.conf.5.xml:1421 sssd-ad.5.xml:508
+ msgid "login"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd.conf.5.xml:1426 sssd-ad.5.xml:494
++#: sssd.conf.5.xml:1426 sssd-ad.5.xml:513
+ msgid "su"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd.conf.5.xml:1431 sssd-ad.5.xml:499
++#: sssd.conf.5.xml:1431 sssd-ad.5.xml:518
+ msgid "su-l"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd.conf.5.xml:1436 sssd-ad.5.xml:514
++#: sssd.conf.5.xml:1436 sssd-ad.5.xml:533
+ msgid "gdm-smartcard"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd.conf.5.xml:1441 sssd-ad.5.xml:509
++#: sssd.conf.5.xml:1441 sssd-ad.5.xml:528
+ msgid "gdm-password"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd.conf.5.xml:1446 sssd-ad.5.xml:519
++#: sssd.conf.5.xml:1446 sssd-ad.5.xml:538
+ msgid "kdm"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd.conf.5.xml:1451 sssd-ad.5.xml:748
++#: sssd.conf.5.xml:1451 sssd-ad.5.xml:767
+ msgid "sudo"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd.conf.5.xml:1456 sssd-ad.5.xml:753
++#: sssd.conf.5.xml:1456 sssd-ad.5.xml:772
+ msgid "sudo-i"
+ msgstr ""
+ 
+@@ -2317,7 +2317,7 @@ msgid "FALSE = No enumerations for this domain"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:1886 sssd.conf.5.xml:2108 sssd.conf.5.xml:2283
++#: sssd.conf.5.xml:1886 sssd.conf.5.xml:2116 sssd.conf.5.xml:2291
+ msgid "Default: FALSE"
+ msgstr ""
+ 
+@@ -2533,41 +2533,49 @@ msgstr ""
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:2083
+ msgid ""
+-"The background refresh will process users, groups and netgroups in the cache."
++"The background refresh will process users, groups and netgroups in the "
++"cache. For users who have performed the initgroups (get group membership for "
++"user, typically ran at login)  operation in the past, both the user entry "
++"and the group membership are updated."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2087
++#: sssd.conf.5.xml:2091
++msgid "This option is automatically inherited for all trusted domains."
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
++#: sssd.conf.5.xml:2095
+ msgid "You can consider setting this value to 3/4 * entry_cache_timeout."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2091 sssd-ldap.5.xml:784 sssd-ipa.5.xml:254
++#: sssd.conf.5.xml:2099 sssd-ldap.5.xml:784 sssd-ipa.5.xml:254
+ msgid "Default: 0 (disabled)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2097
++#: sssd.conf.5.xml:2105
+ msgid "cache_credentials (bool)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2100
++#: sssd.conf.5.xml:2108
+ msgid "Determines if user credentials are also cached in the local LDB cache"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2104
++#: sssd.conf.5.xml:2112
+ msgid "User credentials are stored in a SHA512 hash, not in plaintext"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2114
++#: sssd.conf.5.xml:2122
+ msgid "cache_credentials_minimal_first_factor_length (int)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2117
++#: sssd.conf.5.xml:2125
+ msgid ""
+ "If 2-Factor-Authentication (2FA) is used and credentials should be saved "
+ "this value determines the minimal length the first authentication factor "
+@@ -2575,24 +2583,24 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2124
++#: sssd.conf.5.xml:2132
+ msgid ""
+ "This should avoid that the short PINs of a PIN based 2FA scheme are saved in "
+ "the cache which would make them easy targets for brute-force attacks."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2129
++#: sssd.conf.5.xml:2137
+ msgid "Default: 8"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2135
++#: sssd.conf.5.xml:2143
+ msgid "account_cache_expiration (integer)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2138
++#: sssd.conf.5.xml:2146
+ msgid ""
+ "Number of days entries are left in cache after last successful login before "
+ "being removed during a cleanup of the cache. 0 means keep forever.  The "
+@@ -2601,17 +2609,17 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2145
++#: sssd.conf.5.xml:2153
+ msgid "Default: 0 (unlimited)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2150
++#: sssd.conf.5.xml:2158
+ msgid "pwd_expiration_warning (integer)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2161
++#: sssd.conf.5.xml:2169
+ msgid ""
+ "Please note that the backend server has to provide information about the "
+ "expiration time of the password.  If this information is missing, sssd "
+@@ -2620,34 +2628,34 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2168
++#: sssd.conf.5.xml:2176
+ msgid "Default: 7 (Kerberos), 0 (LDAP)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2174
++#: sssd.conf.5.xml:2182
+ msgid "id_provider (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2177
++#: sssd.conf.5.xml:2185
+ msgid ""
+ "The identification provider used for the domain.  Supported ID providers are:"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2181
++#: sssd.conf.5.xml:2189
+ msgid "<quote>proxy</quote>: Support a legacy NSS provider."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2184
++#: sssd.conf.5.xml:2192
+ msgid ""
+ "<quote>local</quote>: SSSD internal provider for local users (DEPRECATED)."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2188
++#: sssd.conf.5.xml:2196
+ msgid ""
+ "<quote>files</quote>: FILES provider. See <citerefentry> <refentrytitle>sssd-"
+ "files</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> for more "
+@@ -2655,7 +2663,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2196
++#: sssd.conf.5.xml:2204
+ msgid ""
+ "<quote>ldap</quote>: LDAP provider. See <citerefentry> <refentrytitle>sssd-"
+ "ldap</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> for more "
+@@ -2663,8 +2671,8 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2204 sssd.conf.5.xml:2309 sssd.conf.5.xml:2364
+-#: sssd.conf.5.xml:2427
++#: sssd.conf.5.xml:2212 sssd.conf.5.xml:2317 sssd.conf.5.xml:2372
++#: sssd.conf.5.xml:2435
+ msgid ""
+ "<quote>ipa</quote>: FreeIPA and Red Hat Enterprise Identity Management "
+ "provider. See <citerefentry> <refentrytitle>sssd-ipa</refentrytitle> "
+@@ -2673,8 +2681,8 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2213 sssd.conf.5.xml:2318 sssd.conf.5.xml:2373
+-#: sssd.conf.5.xml:2436
++#: sssd.conf.5.xml:2221 sssd.conf.5.xml:2326 sssd.conf.5.xml:2381
++#: sssd.conf.5.xml:2444
+ msgid ""
+ "<quote>ad</quote>: Active Directory provider. See <citerefentry> "
+ "<refentrytitle>sssd-ad</refentrytitle> <manvolnum>5</manvolnum> </"
+@@ -2682,19 +2690,19 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2224
++#: sssd.conf.5.xml:2232
+ msgid "use_fully_qualified_names (bool)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2227
++#: sssd.conf.5.xml:2235
+ msgid ""
+ "Use the full name and domain (as formatted by the domain's full_name_format) "
+ "as the user's login name reported to NSS."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2232
++#: sssd.conf.5.xml:2240
+ msgid ""
+ "If set to TRUE, all requests to this domain must use fully qualified names. "
+ "For example, if used in LOCAL domain that contains a \"test\" user, "
+@@ -2703,7 +2711,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2240
++#: sssd.conf.5.xml:2248
+ msgid ""
+ "NOTE: This option has no effect on netgroup lookups due to their tendency to "
+ "include nested netgroups without qualified names. For netgroups, all domains "
+@@ -2711,22 +2719,22 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2247
++#: sssd.conf.5.xml:2255
+ msgid "Default: FALSE (TRUE if default_domain_suffix is used)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2253
++#: sssd.conf.5.xml:2261
+ msgid "ignore_group_members (bool)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2256
++#: sssd.conf.5.xml:2264
+ msgid "Do not return group members for group lookups."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2259
++#: sssd.conf.5.xml:2267
+ msgid ""
+ "If set to TRUE, the group membership attribute is not requested from the "
+ "ldap server, and group members are not returned when processing group lookup "
+@@ -2738,7 +2746,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2277
++#: sssd.conf.5.xml:2285
+ msgid ""
+ "Enabling this option can also make access provider checks for group "
+ "membership significantly faster, especially for groups containing many "
+@@ -2746,19 +2754,19 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2288
++#: sssd.conf.5.xml:2296
+ msgid "auth_provider (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2291
++#: sssd.conf.5.xml:2299
+ msgid ""
+ "The authentication provider used for the domain.  Supported auth providers "
+ "are:"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2295 sssd.conf.5.xml:2357
++#: sssd.conf.5.xml:2303 sssd.conf.5.xml:2365
+ msgid ""
+ "<quote>ldap</quote> for native LDAP authentication. See <citerefentry> "
+ "<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
+@@ -2766,7 +2774,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2302
++#: sssd.conf.5.xml:2310
+ msgid ""
+ "<quote>krb5</quote> for Kerberos authentication. See <citerefentry> "
+ "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </"
+@@ -2774,35 +2782,35 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2326
++#: sssd.conf.5.xml:2334
+ msgid ""
+ "<quote>proxy</quote> for relaying authentication to some other PAM target."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2329
++#: sssd.conf.5.xml:2337
+ msgid "<quote>local</quote>: SSSD internal provider for local users"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2333
++#: sssd.conf.5.xml:2341
+ msgid "<quote>none</quote> disables authentication explicitly."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2336
++#: sssd.conf.5.xml:2344
+ msgid ""
+ "Default: <quote>id_provider</quote> is used if it is set and can handle "
+ "authentication requests."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2342
++#: sssd.conf.5.xml:2350
+ msgid "access_provider (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2345
++#: sssd.conf.5.xml:2353
+ msgid ""
+ "The access control provider used for the domain.  There are two built-in "
+ "access providers (in addition to any included in installed backends)  "
+@@ -2810,19 +2818,19 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2351
++#: sssd.conf.5.xml:2359
+ msgid ""
+ "<quote>permit</quote> always allow access. It's the only permitted access "
+ "provider for a local domain."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2354
++#: sssd.conf.5.xml:2362
+ msgid "<quote>deny</quote> always deny access."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2381
++#: sssd.conf.5.xml:2389
+ msgid ""
+ "<quote>simple</quote> access control based on access or deny lists. See "
+ "<citerefentry> <refentrytitle>sssd-simple</refentrytitle> <manvolnum>5</"
+@@ -2831,7 +2839,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2388
++#: sssd.conf.5.xml:2396
+ msgid ""
+ "<quote>krb5</quote>: .k5login based access control.  See <citerefentry> "
+ "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum></"
+@@ -2839,29 +2847,29 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2395
++#: sssd.conf.5.xml:2403
+ msgid "<quote>proxy</quote> for relaying access control to another PAM module."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2398
++#: sssd.conf.5.xml:2406
+ msgid "Default: <quote>permit</quote>"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2403
++#: sssd.conf.5.xml:2411
+ msgid "chpass_provider (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2406
++#: sssd.conf.5.xml:2414
+ msgid ""
+ "The provider which should handle change password operations for the domain.  "
+ "Supported change password providers are:"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2411
++#: sssd.conf.5.xml:2419
+ msgid ""
+ "<quote>ldap</quote> to change a password stored in a LDAP server. See "
+ "<citerefentry> <refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</"
+@@ -2869,7 +2877,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2419
++#: sssd.conf.5.xml:2427
+ msgid ""
+ "<quote>krb5</quote> to change the Kerberos password. See <citerefentry> "
+ "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </"
+@@ -2877,35 +2885,35 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2444
++#: sssd.conf.5.xml:2452
+ msgid ""
+ "<quote>proxy</quote> for relaying password changes to some other PAM target."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2448
++#: sssd.conf.5.xml:2456
+ msgid "<quote>none</quote> disallows password changes explicitly."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2451
++#: sssd.conf.5.xml:2459
+ msgid ""
+ "Default: <quote>auth_provider</quote> is used if it is set and can handle "
+ "change password requests."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2458
++#: sssd.conf.5.xml:2466
+ msgid "sudo_provider (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2461
++#: sssd.conf.5.xml:2469
+ msgid "The SUDO provider used for the domain.  Supported SUDO providers are:"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2465
++#: sssd.conf.5.xml:2473
+ msgid ""
+ "<quote>ldap</quote> for rules stored in LDAP. See <citerefentry> "
+ "<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
+@@ -2913,32 +2921,32 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2473
++#: sssd.conf.5.xml:2481
+ msgid ""
+ "<quote>ipa</quote> the same as <quote>ldap</quote> but with IPA default "
+ "settings."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2477
++#: sssd.conf.5.xml:2485
+ msgid ""
+ "<quote>ad</quote> the same as <quote>ldap</quote> but with AD default "
+ "settings."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2481
++#: sssd.conf.5.xml:2489
+ msgid "<quote>none</quote> disables SUDO explicitly."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2484 sssd.conf.5.xml:2570 sssd.conf.5.xml:2640
+-#: sssd.conf.5.xml:2665
++#: sssd.conf.5.xml:2492 sssd.conf.5.xml:2578 sssd.conf.5.xml:2648
++#: sssd.conf.5.xml:2673
+ msgid "Default: The value of <quote>id_provider</quote> is used if it is set."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2488
++#: sssd.conf.5.xml:2496
+ msgid ""
+ "The detailed instructions for configuration of sudo_provider are in the "
+ "manual page <citerefentry> <refentrytitle>sssd-sudo</refentrytitle> "
+@@ -2949,7 +2957,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2503
++#: sssd.conf.5.xml:2511
+ msgid ""
+ "<emphasis>NOTE:</emphasis> Sudo rules are periodically downloaded in the "
+ "background unless the sudo provider is explicitly disabled. Set "
+@@ -2958,12 +2966,12 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2513
++#: sssd.conf.5.xml:2521
+ msgid "selinux_provider (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2516
++#: sssd.conf.5.xml:2524
+ msgid ""
+ "The provider which should handle loading of selinux settings. Note that this "
+ "provider will be called right after access provider ends.  Supported selinux "
+@@ -2971,7 +2979,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2522
++#: sssd.conf.5.xml:2530
+ msgid ""
+ "<quote>ipa</quote> to load selinux settings from an IPA server. See "
+ "<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</"
+@@ -2979,31 +2987,31 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2530
++#: sssd.conf.5.xml:2538
+ msgid "<quote>none</quote> disallows fetching selinux settings explicitly."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2533
++#: sssd.conf.5.xml:2541
+ msgid ""
+ "Default: <quote>id_provider</quote> is used if it is set and can handle "
+ "selinux loading requests."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2539
++#: sssd.conf.5.xml:2547
+ msgid "subdomains_provider (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2542
++#: sssd.conf.5.xml:2550
+ msgid ""
+ "The provider which should handle fetching of subdomains. This value should "
+ "be always the same as id_provider.  Supported subdomain providers are:"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2548
++#: sssd.conf.5.xml:2556
+ msgid ""
+ "<quote>ipa</quote> to load a list of subdomains from an IPA server. See "
+ "<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</"
+@@ -3011,7 +3019,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2557
++#: sssd.conf.5.xml:2565
+ msgid ""
+ "<quote>ad</quote> to load a list of subdomains from an Active Directory "
+ "server. See <citerefentry> <refentrytitle>sssd-ad</refentrytitle> "
+@@ -3020,17 +3028,17 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2566
++#: sssd.conf.5.xml:2574
+ msgid "<quote>none</quote> disallows fetching subdomains explicitly."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2576
++#: sssd.conf.5.xml:2584
+ msgid "session_provider (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2579
++#: sssd.conf.5.xml:2587
+ msgid ""
+ "The provider which configures and manages user session related tasks. The "
+ "only user session task currently provided is the integration with Fleet "
+@@ -3038,43 +3046,43 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2586
++#: sssd.conf.5.xml:2594
+ msgid "<quote>ipa</quote> to allow performing user session related tasks."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2590
++#: sssd.conf.5.xml:2598
+ msgid ""
+ "<quote>none</quote> does not perform any kind of user session related tasks."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2594
++#: sssd.conf.5.xml:2602
+ msgid ""
+ "Default: <quote>id_provider</quote> is used if it is set and can perform "
+ "session related tasks."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2598
++#: sssd.conf.5.xml:2606
+ msgid ""
+ "<emphasis>NOTE:</emphasis> In order to have this feature working as expected "
+ "SSSD must be running as \"root\" and not as the unprivileged user."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2606
++#: sssd.conf.5.xml:2614
+ msgid "autofs_provider (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2609
++#: sssd.conf.5.xml:2617
+ msgid ""
+ "The autofs provider used for the domain.  Supported autofs providers are:"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2613
++#: sssd.conf.5.xml:2621
+ msgid ""
+ "<quote>ldap</quote> to load maps stored in LDAP. See <citerefentry> "
+ "<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
+@@ -3082,7 +3090,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2620
++#: sssd.conf.5.xml:2628
+ msgid ""
+ "<quote>ipa</quote> to load maps stored in an IPA server. See <citerefentry> "
+ "<refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</manvolnum> </"
+@@ -3090,7 +3098,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2628
++#: sssd.conf.5.xml:2636
+ msgid ""
+ "<quote>ad</quote> to load maps stored in an AD server. See <citerefentry> "
+ "<refentrytitle>sssd-ad</refentrytitle> <manvolnum>5</manvolnum> </"
+@@ -3098,24 +3106,24 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2637
++#: sssd.conf.5.xml:2645
+ msgid "<quote>none</quote> disables autofs explicitly."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2647
++#: sssd.conf.5.xml:2655
+ msgid "hostid_provider (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2650
++#: sssd.conf.5.xml:2658
+ msgid ""
+ "The provider used for retrieving host identity information.  Supported "
+ "hostid providers are:"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2654
++#: sssd.conf.5.xml:2662
+ msgid ""
+ "<quote>ipa</quote> to load host identity stored in an IPA server. See "
+ "<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</"
+@@ -3123,12 +3131,12 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2662
++#: sssd.conf.5.xml:2670
+ msgid "<quote>none</quote> disables hostid explicitly."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2675
++#: sssd.conf.5.xml:2683
+ msgid ""
+ "Regular expression for this domain that describes how to parse the string "
+ "containing user name and domain into these components.  The \"domain\" can "
+@@ -3138,7 +3146,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2684
++#: sssd.conf.5.xml:2692
+ msgid ""
+ "Default for the AD and IPA provider: <quote>(((?P&lt;domain&gt;[^\\\\]+)\\"
+ "\\(?P&lt;name&gt;.+$))|((?P&lt;name&gt;[^@]+)@(?P&lt;domain&gt;.+$))|(^(?"
+@@ -3147,29 +3155,29 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd.conf.5.xml:2689
++#: sssd.conf.5.xml:2697
+ msgid "username"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd.conf.5.xml:2692
++#: sssd.conf.5.xml:2700
+ msgid "username@domain.name"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd.conf.5.xml:2695
++#: sssd.conf.5.xml:2703
+ msgid "domain\\username"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2698
++#: sssd.conf.5.xml:2706
+ msgid ""
+ "While the first two correspond to the general default the third one is "
+ "introduced to allow easy integration of users from Windows domains."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2703
++#: sssd.conf.5.xml:2711
+ msgid ""
+ "Default: <quote>(?P&lt;name&gt;[^@]+)@?(?P&lt;domain&gt;[^@]*$)</quote> "
+ "which translates to \"the name is everything up to the <quote>@</quote> "
+@@ -3177,7 +3185,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2709
++#: sssd.conf.5.xml:2717
+ msgid ""
+ "NOTE: Some Active Directory groups, typically those used for MS Exchange "
+ "contain an <quote>@</quote> sign in the name, which clashes with the default "
+@@ -3187,59 +3195,59 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2760
++#: sssd.conf.5.xml:2768
+ msgid "Default: <quote>%1$s@%2$s</quote>."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2766
++#: sssd.conf.5.xml:2774
+ msgid "lookup_family_order (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2769
++#: sssd.conf.5.xml:2777
+ msgid ""
+ "Provides the ability to select preferred address family to use when "
+ "performing DNS lookups."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2773
++#: sssd.conf.5.xml:2781
+ msgid "Supported values:"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2776
++#: sssd.conf.5.xml:2784
+ msgid "ipv4_first: Try looking up IPv4 address, if that fails, try IPv6"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2779
++#: sssd.conf.5.xml:2787
+ msgid "ipv4_only: Only attempt to resolve hostnames to IPv4 addresses."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2782
++#: sssd.conf.5.xml:2790
+ msgid "ipv6_first: Try looking up IPv6 address, if that fails, try IPv4"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2785
++#: sssd.conf.5.xml:2793
+ msgid "ipv6_only: Only attempt to resolve hostnames to IPv6 addresses."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2788
++#: sssd.conf.5.xml:2796
+ msgid "Default: ipv4_first"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2794
++#: sssd.conf.5.xml:2802
+ msgid "dns_resolver_timeout (integer)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2797
++#: sssd.conf.5.xml:2805
+ msgid ""
+ "Defines the amount of time (in seconds) to wait for a reply from the "
+ "internal fail over service before assuming that the service is unreachable. "
+@@ -3248,77 +3256,77 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2804
++#: sssd.conf.5.xml:2812
+ msgid ""
+ "Please see the section <quote>FAILOVER</quote> for more information about "
+ "the service resolution."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2809 sssd-ldap.5.xml:1434 sssd-ldap.5.xml:1476
++#: sssd.conf.5.xml:2817 sssd-ldap.5.xml:1434 sssd-ldap.5.xml:1476
+ #: sssd-ldap.5.xml:1494 sssd-krb5.5.xml:248
+ msgid "Default: 6"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2815
++#: sssd.conf.5.xml:2823
+ msgid "dns_discovery_domain (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2818
++#: sssd.conf.5.xml:2826
+ msgid ""
+ "If service discovery is used in the back end, specifies the domain part of "
+ "the service discovery DNS query."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2822
++#: sssd.conf.5.xml:2830
+ msgid "Default: Use the domain part of machine's hostname"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2828
++#: sssd.conf.5.xml:2836
+ msgid "override_gid (integer)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2831
++#: sssd.conf.5.xml:2839
+ msgid "Override the primary GID value with the one specified."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2837
++#: sssd.conf.5.xml:2845
+ msgid "case_sensitive (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2845
++#: sssd.conf.5.xml:2853
+ msgid "True"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2848
++#: sssd.conf.5.xml:2856
+ msgid "Case sensitive. This value is invalid for AD provider."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2854
++#: sssd.conf.5.xml:2862
+ msgid "False"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2856
++#: sssd.conf.5.xml:2864
+ msgid "Case insensitive."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2860
++#: sssd.conf.5.xml:2868
+ msgid "Preserving"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2863
++#: sssd.conf.5.xml:2871
+ msgid ""
+ "Same as False (case insensitive), but does not lowercase names in the result "
+ "of NSS operations. Note that name aliases (and in case of services also "
+@@ -3326,7 +3334,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2840
++#: sssd.conf.5.xml:2848
+ msgid ""
+ "Treat user and group names as case sensitive. At the moment, this option is "
+ "not supported in the local provider. Possible option values are: "
+@@ -3334,17 +3342,17 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2875
++#: sssd.conf.5.xml:2883
+ msgid "Default: True (False for AD provider)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2881
++#: sssd.conf.5.xml:2889
+ msgid "subdomain_inherit (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2884
++#: sssd.conf.5.xml:2892
+ msgid ""
+ "Specifies a list of configuration parameters that should be inherited by a "
+ "subdomain. Please note that only selected parameters can be inherited.  "
+@@ -3352,34 +3360,34 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2890
++#: sssd.conf.5.xml:2898
+ msgid "ignore_group_members"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2893
++#: sssd.conf.5.xml:2901
+ msgid "ldap_purge_cache_timeout"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2896 sssd-ldap.5.xml:1158
++#: sssd.conf.5.xml:2904 sssd-ldap.5.xml:1158
+ msgid "ldap_use_tokengroups"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2899
++#: sssd.conf.5.xml:2907
+ msgid "ldap_user_principal"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2902
++#: sssd.conf.5.xml:2910
+ msgid ""
+ "ldap_krb5_keytab (the value of krb5_keytab will be used if ldap_krb5_keytab "
+ "is not set explicitly)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
+-#: sssd.conf.5.xml:2908
++#: sssd.conf.5.xml:2916
+ #, no-wrap
+ msgid ""
+ "subdomain_inherit = ldap_purge_cache_timeout\n"
+@@ -3387,32 +3395,32 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2906 sssd-secrets.5.xml:448
++#: sssd.conf.5.xml:2914 sssd-secrets.5.xml:448
+ msgid "Example: <placeholder type=\"programlisting\" id=\"0\"/>"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2915
++#: sssd.conf.5.xml:2923
+ msgid "Note: This option only works with the IPA and AD provider."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2922
++#: sssd.conf.5.xml:2930
+ msgid "subdomain_homedir (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2933
++#: sssd.conf.5.xml:2941
+ msgid "%F"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2934
++#: sssd.conf.5.xml:2942
+ msgid "flat (NetBIOS) name of a subdomain."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2925
++#: sssd.conf.5.xml:2933
+ msgid ""
+ "Use this homedir as default value for all subdomains within this domain in "
+ "IPA AD trust.  See <emphasis>override_homedir</emphasis> for info about "
+@@ -3422,47 +3430,55 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2939
++#: sssd.conf.5.xml:2947
+ msgid ""
+ "The value can be overridden by <emphasis>override_homedir</emphasis> option."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2943
++#: sssd.conf.5.xml:2951
+ msgid "Default: <filename>/home/%d/%u</filename>"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2948
++#: sssd.conf.5.xml:2956
+ msgid "realmd_tags (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2951
++#: sssd.conf.5.xml:2959
+ msgid ""
+ "Various tags stored by the realmd configuration service for this domain."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2957
++#: sssd.conf.5.xml:2965
+ msgid "cached_auth_timeout (int)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2960
++#: sssd.conf.5.xml:2968
+ msgid ""
+ "Specifies time in seconds since last successful online authentication for "
+ "which user will be authenticated using cached credentials while SSSD is in "
+-"the online mode."
++"the online mode. If the credentials are incorrect, SSSD falls back to online "
++"authentication."
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
++#: sssd.conf.5.xml:2976
++msgid ""
++"This option's value is inherited by all trusted domains. At the moment it is "
++"not possible to set a different value per trusted domain."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2966
++#: sssd.conf.5.xml:2981
+ msgid "Special value 0 implies that this feature is disabled."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2970
++#: sssd.conf.5.xml:2985
+ msgid ""
+ "Please note that if <quote>cached_auth_timeout</quote> is longer than "
+ "<quote>pam_id_timeout</quote> then the back end could be called to handle "
+@@ -3470,41 +3486,50 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2981
++#: sssd.conf.5.xml:2996
+ msgid "auto_private_groups (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2987
++#: sssd.conf.5.xml:3002
+ msgid "true"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2990
++#: sssd.conf.5.xml:3005
+ msgid ""
+ "Create user's private group unconditionally from user's UID number.  The GID "
+ "number is ignored in this case."
+ msgstr ""
+ 
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
++#: sssd.conf.5.xml:3009
++msgid ""
++"NOTE: Because the GID number and the user private group are inferred from "
++"the UID number, it is not supported to have multiple entries with the same "
++"UID or GID number with this option. In other words, enabling this option "
++"enforces uniqueness across the ID space."
++msgstr ""
++
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:2996
++#: sssd.conf.5.xml:3018
+ msgid "false"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2999
++#: sssd.conf.5.xml:3021
+ msgid ""
+ "Always use the user's primary GID number. The GID number must refer to a "
+ "group object in the LDAP database."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:3005
++#: sssd.conf.5.xml:3027
+ msgid "hybrid"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3008
++#: sssd.conf.5.xml:3030
+ msgid ""
+ "A primary group is autogenerated for user entries whose UID and GID numbers "
+ "have the same value and at the same time the GID number does not correspond "
+@@ -3514,14 +3539,14 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3021
++#: sssd.conf.5.xml:3043
+ msgid ""
+ "If the UID and GID of a user are different, then the GID must correspond to "
+ "a group entry, otherwise the GID is simply not resolvable."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3028
++#: sssd.conf.5.xml:3050
+ msgid ""
+ "This feature is useful for environments that wish to stop maintaining a "
+ "separate group objects for the user private groups, but also wish to retain "
+@@ -3529,34 +3554,43 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:2984
++#: sssd.conf.5.xml:2999
+ msgid ""
+ "This option takes any of three available values: <placeholder type="
+ "\"variablelist\" id=\"0\"/>"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3040
++#: sssd.conf.5.xml:3062
+ msgid ""
+-"For POSIX subdomains, setting the option in the main domain is inherited in "
+-"the subdomain."
++"For subdomains, the default value is False for subdomains that use assigned "
++"POSIX IDs and True for subdomains that use automatic ID-mapping."
+ msgstr ""
+ 
+-#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3044
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
++#: sssd.conf.5.xml:3070
++#, no-wrap
++msgid ""
++"[domain/forest.domain/sub.domain]\n"
++"auto_private_groups = false\n"
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
++#: sssd.conf.5.xml:3076
++#, no-wrap
+ msgid ""
+-"For ID-mapping subdomains, auto_private_groups is already enabled for the "
+-"subdomains and setting it to false will not have any effect for the "
+-"subdomain."
++"[domain/forest.domain]\n"
++"subdomain_inherit = auto_private_groups\n"
++"auto_private_groups = false\n"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3049
++#: sssd.conf.5.xml:3067
+ msgid ""
+-"NOTE: Because the GID number and the user private group are inferred from "
+-"the UID number, it is not supported to have multiple entries with the same "
+-"UID or GID number with this option. In other words, enabling this option "
+-"enforces uniqueness across the ID space."
++"The value of auto_private_groups can either be set per subdomains in a "
++"subsection, for example: <placeholder type=\"programlisting\" id=\"0\"/> or "
++"globally for all subdomains in the main domain section using the "
++"subdomain_inherit option: <placeholder type=\"programlisting\" id=\"1\"/>"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+@@ -3568,29 +3602,29 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:3068
++#: sssd.conf.5.xml:3091
+ msgid "proxy_pam_target (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3071
++#: sssd.conf.5.xml:3094
+ msgid "The proxy target PAM proxies to."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3074
++#: sssd.conf.5.xml:3097
+ msgid ""
+ "Default: not set by default, you have to take an existing pam configuration "
+ "or create a new one and add the service name here."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:3082
++#: sssd.conf.5.xml:3105
+ msgid "proxy_lib_name (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3085
++#: sssd.conf.5.xml:3108
+ msgid ""
+ "The name of the NSS library to use in proxy domains. The NSS functions "
+ "searched for in the library are in the form of _nss_$(libName)_$(function), "
+@@ -3598,12 +3632,12 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:3095
++#: sssd.conf.5.xml:3118
+ msgid "proxy_fast_alias (boolean)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3098
++#: sssd.conf.5.xml:3121
+ msgid ""
+ "When a user or group is looked up by name in the proxy provider, a second "
+ "lookup by ID is performed to \"canonicalize\" the name in case the requested "
+@@ -3612,12 +3646,12 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:3112
++#: sssd.conf.5.xml:3135
+ msgid "proxy_max_children (integer)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3115
++#: sssd.conf.5.xml:3138
+ msgid ""
+ "This option specifies the number of pre-forked proxy children. It is useful "
+ "for high-load SSSD environments where sssd may run out of available child "
+@@ -3625,19 +3659,19 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd.conf.5.xml:3064
++#: sssd.conf.5.xml:3087
+ msgid ""
+ "Options valid for proxy domains.  <placeholder type=\"variablelist\" id="
+ "\"0\"/>"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><title>
+-#: sssd.conf.5.xml:3131
++#: sssd.conf.5.xml:3154
+ msgid "Application domains"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para>
+-#: sssd.conf.5.xml:3133
++#: sssd.conf.5.xml:3156
+ msgid ""
+ "SSSD, with its D-Bus interface (see <citerefentry> <refentrytitle>sssd-ifp</"
+ "refentrytitle> <manvolnum>5</manvolnum> </citerefentry>) is appealing to "
+@@ -3654,7 +3688,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para>
+-#: sssd.conf.5.xml:3153
++#: sssd.conf.5.xml:3176
+ msgid ""
+ "Please note that the application domain must still be explicitly enabled in "
+ "the <quote>domains</quote> parameter so that the lookup order between the "
+@@ -3662,17 +3696,17 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><title>
+-#: sssd.conf.5.xml:3159
++#: sssd.conf.5.xml:3182
+ msgid "Application domain parameters"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:3161
++#: sssd.conf.5.xml:3184
+ msgid "inherit_from (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3164
++#: sssd.conf.5.xml:3187
+ msgid ""
+ "The SSSD POSIX-type domain the application domain inherits all settings "
+ "from. The application domain can moreover add its own settings to the "
+@@ -3681,7 +3715,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para>
+-#: sssd.conf.5.xml:3178
++#: sssd.conf.5.xml:3201
+ msgid ""
+ "The following example illustrates the use of an application domain. In this "
+ "setup, the POSIX domain is connected to an LDAP server and is used by the OS "
+@@ -3691,7 +3725,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><programlisting>
+-#: sssd.conf.5.xml:3186
++#: sssd.conf.5.xml:3209
+ #, no-wrap
+ msgid ""
+ "[sssd]\n"
+@@ -3711,12 +3745,12 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><title>
+-#: sssd.conf.5.xml:3204
++#: sssd.conf.5.xml:3227
+ msgid "The local domain section"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para>
+-#: sssd.conf.5.xml:3206
++#: sssd.conf.5.xml:3229
+ msgid ""
+ "This section contains settings for domain that stores users and groups in "
+ "SSSD native database, that is, a domain that uses "
+@@ -3724,73 +3758,73 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:3213
++#: sssd.conf.5.xml:3236
+ msgid "default_shell (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3216
++#: sssd.conf.5.xml:3239
+ msgid "The default shell for users created with SSSD userspace tools."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3220
++#: sssd.conf.5.xml:3243
+ msgid "Default: <filename>/bin/bash</filename>"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:3225
++#: sssd.conf.5.xml:3248
+ msgid "base_directory (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3228
++#: sssd.conf.5.xml:3251
+ msgid ""
+ "The tools append the login name to <replaceable>base_directory</replaceable> "
+ "and use that as the home directory."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3233
++#: sssd.conf.5.xml:3256
+ msgid "Default: <filename>/home</filename>"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:3238
++#: sssd.conf.5.xml:3261
+ msgid "create_homedir (bool)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3241
++#: sssd.conf.5.xml:3264
+ msgid ""
+ "Indicate if a home directory should be created by default for new users.  "
+ "Can be overridden on command line."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3245 sssd.conf.5.xml:3257
++#: sssd.conf.5.xml:3268 sssd.conf.5.xml:3280
+ msgid "Default: TRUE"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:3250
++#: sssd.conf.5.xml:3273
+ msgid "remove_homedir (bool)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3253
++#: sssd.conf.5.xml:3276
+ msgid ""
+ "Indicate if a home directory should be removed by default for deleted "
+ "users.  Can be overridden on command line."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:3262
++#: sssd.conf.5.xml:3285
+ msgid "homedir_umask (integer)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3265
++#: sssd.conf.5.xml:3288
+ msgid ""
+ "Used by <citerefentry> <refentrytitle>sss_useradd</refentrytitle> "
+ "<manvolnum>8</manvolnum> </citerefentry> to specify the default permissions "
+@@ -3798,17 +3832,17 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3273
++#: sssd.conf.5.xml:3296
+ msgid "Default: 077"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:3278
++#: sssd.conf.5.xml:3301
+ msgid "skel_dir (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3281
++#: sssd.conf.5.xml:3304
+ msgid ""
+ "The skeleton directory, which contains files and directories to be copied in "
+ "the user's home directory, when the home directory is created by "
+@@ -3817,17 +3851,17 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3291
++#: sssd.conf.5.xml:3314
+ msgid "Default: <filename>/etc/skel</filename>"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:3296
++#: sssd.conf.5.xml:3319
+ msgid "mail_dir (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3299
++#: sssd.conf.5.xml:3322
+ msgid ""
+ "The mail spool directory. This is needed to manipulate the mailbox when its "
+ "corresponding user account is modified or deleted.  If not specified, a "
+@@ -3835,17 +3869,17 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3306
++#: sssd.conf.5.xml:3329
+ msgid "Default: <filename>/var/mail</filename>"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+-#: sssd.conf.5.xml:3311
++#: sssd.conf.5.xml:3334
+ msgid "userdel_cmd (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3314
++#: sssd.conf.5.xml:3337
+ msgid ""
+ "The command that is run after a user is removed.  The command us passed the "
+ "username of the user being removed as the first and only parameter. The "
+@@ -3853,17 +3887,17 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+-#: sssd.conf.5.xml:3320
++#: sssd.conf.5.xml:3343
+ msgid "Default: None, no command is run"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><title>
+-#: sssd.conf.5.xml:3330
++#: sssd.conf.5.xml:3353
+ msgid "TRUSTED DOMAIN SECTION"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd.conf.5.xml:3332
++#: sssd.conf.5.xml:3355
+ msgid ""
+ "Some options used in the domain section can also be used in the trusted "
+ "domain section, that is, in a section called <quote>[domain/"
+@@ -3874,64 +3908,176 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd.conf.5.xml:3339
++#: sssd.conf.5.xml:3362
+ msgid "ldap_search_base,"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd.conf.5.xml:3340
++#: sssd.conf.5.xml:3363
+ msgid "ldap_user_search_base,"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd.conf.5.xml:3341
++#: sssd.conf.5.xml:3364
+ msgid "ldap_group_search_base,"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd.conf.5.xml:3342
++#: sssd.conf.5.xml:3365
+ msgid "ldap_netgroup_search_base,"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd.conf.5.xml:3343
++#: sssd.conf.5.xml:3366
+ msgid "ldap_service_search_base,"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd.conf.5.xml:3344
++#: sssd.conf.5.xml:3367
++msgid "ldap_sasl_mech,"
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para>
++#: sssd.conf.5.xml:3368
+ msgid "ad_server,"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd.conf.5.xml:3345
++#: sssd.conf.5.xml:3369
+ msgid "ad_backup_server,"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd.conf.5.xml:3346
++#: sssd.conf.5.xml:3370
+ msgid "ad_site,"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para>
+-#: sssd.conf.5.xml:3347 sssd-ipa.5.xml:782
++#: sssd.conf.5.xml:3371 sssd-ipa.5.xml:782
+ msgid "use_fully_qualified_names"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd.conf.5.xml:3349
++#: sssd.conf.5.xml:3373
+ msgid ""
+ "For more details about these options see their individual description in the "
+ "manual page."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><title>
+-#: sssd.conf.5.xml:3355 idmap_sss.8.xml:43
++#: sssd.conf.5.xml:3379
++msgid "PROMPTING CONFIGURATION SECTION"
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para>
++#: sssd.conf.5.xml:3381
++msgid ""
++"If a special file (<filename>/var/lib/sss/pubconf/pam_preauth_available</"
++"filename>)  exists SSSD's PAM module pam_sss will ask SSSD to figure out "
++"which authentication methods are available for the user trying to log in.  "
++"Based on the results pam_sss will prompt the user for appropriate "
++"credentials."
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para>
++#: sssd.conf.5.xml:3389
++msgid ""
++"With the growing number of authentication methods and the possibility that "
++"there are multiple ones for a single user the heuristic used by pam_sss to "
++"select the prompting might not be suitable for all use cases. To following "
++"options should provide a better flexibility here."
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
++#: sssd.conf.5.xml:3401
++msgid "[prompting/password]"
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
++#: sssd.conf.5.xml:3404
++msgid "password_prompt"
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
++#: sssd.conf.5.xml:3405
++msgid "to change the string of the password prompt"
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
++#: sssd.conf.5.xml:3403
++msgid ""
++"to configure password prompting, allowed options are: <placeholder type="
++"\"variablelist\" id=\"0\"/>"
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
++#: sssd.conf.5.xml:3413
++msgid "[prompting/2fa]"
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
++#: sssd.conf.5.xml:3417
++msgid "first_prompt"
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
++#: sssd.conf.5.xml:3418
++msgid "to change the string of the prompt for the first factor"
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
++#: sssd.conf.5.xml:3421
++msgid "second_prompt"
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
++#: sssd.conf.5.xml:3422
++msgid "to change the string of the prompt for the second factor"
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
++#: sssd.conf.5.xml:3425
++msgid "single_prompt"
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
++#: sssd.conf.5.xml:3426
++msgid ""
++"boolean value, if True there will be only a single prompt using the value of "
++"first_prompt where it is expected that both factor are entered as a single "
++"string"
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
++#: sssd.conf.5.xml:3415
++msgid ""
++"to configure two-factor authentication prompting, allowed options are: "
++"<placeholder type=\"variablelist\" id=\"0\"/>"
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para>
++#: sssd.conf.5.xml:3396
++msgid ""
++"Each supported authentication method has it's own configuration sub-section "
++"under <quote>[prompting/...]</quote>. Currently there are: <placeholder type="
++"\"variablelist\" id=\"0\"/> <placeholder type=\"variablelist\" id=\"1\"/>"
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para>
++#: sssd.conf.5.xml:3438
++msgid ""
++"It is possible to add a sub-section for specific PAM services like e.g. "
++"<quote>[prompting/password/sshd]</quote> to individual change the prompting "
++"for this service."
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><title>
++#: sssd.conf.5.xml:3445 idmap_sss.8.xml:43
+ msgid "EXAMPLES"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><programlisting>
+-#: sssd.conf.5.xml:3361
++#: sssd.conf.5.xml:3451
+ #, no-wrap
+ msgid ""
+ "[sssd]\n"
+@@ -3961,7 +4107,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd.conf.5.xml:3357
++#: sssd.conf.5.xml:3447
+ msgid ""
+ "1. The following example shows a typical SSSD config. It does not describe "
+ "configuration of the domains themselves - refer to documentation on "
+@@ -3970,7 +4116,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><programlisting>
+-#: sssd.conf.5.xml:3394
++#: sssd.conf.5.xml:3484
+ #, no-wrap
+ msgid ""
+ "[domain/ipa.com/child.ad.com]\n"
+@@ -3978,7 +4124,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd.conf.5.xml:3388
++#: sssd.conf.5.xml:3478
+ msgid ""
+ "2. The following example shows configuration of IPA AD trust where the AD "
+ "forest consists of two domains in a parent-child structure.  Suppose IPA "
+@@ -4879,7 +5025,7 @@ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:797 sssd-ldap.5.xml:1199 sssd-ldap.5.xml:1273
+-#: sssd-ldap.5.xml:1382 sssd-ldap.5.xml:2443 sssd-ipa.5.xml:607
++#: sssd-ldap.5.xml:1382 sssd-ldap.5.xml:2463 sssd-ipa.5.xml:607
+ msgid "Default: cn"
+ msgstr ""
+ 
+@@ -5584,7 +5730,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1511 sssd-ldap.5.xml:2600
++#: sssd-ldap.5.xml:1511 sssd-ldap.5.xml:2620
+ msgid "Default: 900 (15 minutes)"
+ msgstr ""
+ 
+@@ -5687,11 +5833,16 @@ msgstr ""
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:1604
+ msgid ""
+-"You can turn off dereference lookups completely by setting the value to 0."
++"You can turn off dereference lookups completely by setting the value to 0. "
++"Please note that there are some codepaths in SSSD, like the IPA HBAC "
++"provider, that are only implemented using the dereference call, so even with "
++"dereference explicitly disabled, those parts will still use dereference if "
++"the server supports it and advertises the dereference control in the rootDSE "
++"object."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1608
++#: sssd-ldap.5.xml:1615
+ msgid ""
+ "A dereference lookup is a means of fetching all group members in a single "
+ "LDAP call.  Different LDAP servers may implement different dereference "
+@@ -5700,7 +5851,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1616
++#: sssd-ldap.5.xml:1623
+ msgid ""
+ "<emphasis>Note:</emphasis> If any of the search bases specifies a search "
+ "filter, then the dereference lookup performance enhancement will be disabled "
+@@ -5708,26 +5859,26 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1629
++#: sssd-ldap.5.xml:1636
+ msgid "ldap_tls_reqcert (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1632
++#: sssd-ldap.5.xml:1639
+ msgid ""
+ "Specifies what checks to perform on server certificates in a TLS session, if "
+ "any. It can be specified as one of the following values:"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1638
++#: sssd-ldap.5.xml:1645
+ msgid ""
+ "<emphasis>never</emphasis> = The client will not request or check any server "
+ "certificate."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1642
++#: sssd-ldap.5.xml:1649
+ msgid ""
+ "<emphasis>allow</emphasis> = The server certificate is requested. If no "
+ "certificate is provided, the session proceeds normally. If a bad certificate "
+@@ -5735,7 +5886,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1649
++#: sssd-ldap.5.xml:1656
+ msgid ""
+ "<emphasis>try</emphasis> = The server certificate is requested. If no "
+ "certificate is provided, the session proceeds normally. If a bad certificate "
+@@ -5743,7 +5894,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1655
++#: sssd-ldap.5.xml:1662
+ msgid ""
+ "<emphasis>demand</emphasis> = The server certificate is requested. If no "
+ "certificate is provided, or a bad certificate is provided, the session is "
+@@ -5751,41 +5902,41 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1661
++#: sssd-ldap.5.xml:1668
+ msgid "<emphasis>hard</emphasis> = Same as <quote>demand</quote>"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1665
++#: sssd-ldap.5.xml:1672
+ msgid "Default: hard"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1671
++#: sssd-ldap.5.xml:1678
+ msgid "ldap_tls_cacert (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1674
++#: sssd-ldap.5.xml:1681
+ msgid ""
+ "Specifies the file that contains certificates for all of the Certificate "
+ "Authorities that <command>sssd</command> will recognize."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1679 sssd-ldap.5.xml:1697 sssd-ldap.5.xml:1738
++#: sssd-ldap.5.xml:1686 sssd-ldap.5.xml:1704 sssd-ldap.5.xml:1745
+ msgid ""
+ "Default: use OpenLDAP defaults, typically in <filename>/etc/openldap/ldap."
+ "conf</filename>"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1686
++#: sssd-ldap.5.xml:1693
+ msgid "ldap_tls_cacertdir (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1689
++#: sssd-ldap.5.xml:1696
+ msgid ""
+ "Specifies the path of a directory that contains Certificate Authority "
+ "certificates in separate individual files. Typically the file names need to "
+@@ -5794,32 +5945,32 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1704
++#: sssd-ldap.5.xml:1711
+ msgid "ldap_tls_cert (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1707
++#: sssd-ldap.5.xml:1714
+ msgid "Specifies the file that contains the certificate for the client's key."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1717
++#: sssd-ldap.5.xml:1724
+ msgid "ldap_tls_key (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1720
++#: sssd-ldap.5.xml:1727
+ msgid "Specifies the file that contains the client's key."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1729
++#: sssd-ldap.5.xml:1736
+ msgid "ldap_tls_cipher_suite (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1732
++#: sssd-ldap.5.xml:1739
+ msgid ""
+ "Specifies acceptable cipher suites.  Typically this is a colon separated "
+ "list.  See <citerefentry><refentrytitle>ldap.conf</refentrytitle> "
+@@ -5827,24 +5978,24 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1745
++#: sssd-ldap.5.xml:1752
+ msgid "ldap_id_use_start_tls (boolean)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1748
++#: sssd-ldap.5.xml:1755
+ msgid ""
+ "Specifies that the id_provider connection must also use <systemitem class="
+ "\"protocol\">tls</systemitem> to protect the channel."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1758
++#: sssd-ldap.5.xml:1765
+ msgid "ldap_id_mapping (boolean)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1761
++#: sssd-ldap.5.xml:1768
+ msgid ""
+ "Specifies that SSSD should attempt to map user and group IDs from the "
+ "ldap_user_objectsid and ldap_group_objectsid attributes instead of relying "
+@@ -5852,17 +6003,17 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1767
++#: sssd-ldap.5.xml:1774
+ msgid "Currently this feature supports only ActiveDirectory objectSID mapping."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1777
++#: sssd-ldap.5.xml:1784
+ msgid "ldap_min_id, ldap_max_id (integer)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1780
++#: sssd-ldap.5.xml:1787
+ msgid ""
+ "In contrast to the SID based ID mapping which is used if ldap_id_mapping is "
+ "set to true the allowed ID range for ldap_user_uid_number and "
+@@ -5873,29 +6024,40 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1792
++#: sssd-ldap.5.xml:1799
+ msgid "Default: not set (both options are set to 0)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1798
++#: sssd-ldap.5.xml:1805
+ msgid "ldap_sasl_mech (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1801
++#: sssd-ldap.5.xml:1808
+ msgid ""
+-"Specify the SASL mechanism to use.  Currently only GSSAPI is tested and "
+-"supported."
++"Specify the SASL mechanism to use.  Currently only GSSAPI and GSS-SPNEGO are "
++"tested and supported."
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
++#: sssd-ldap.5.xml:1812
++msgid ""
++"If the backend supports sub-domains the value of ldap_sasl_mech is "
++"automatically inherited to the sub-domains. If a different value is needed "
++"for a sub-domain it can be overwritten by setting ldap_sasl_mech for this "
++"sub-domain explicitly.  Please see TRUSTED DOMAIN SECTION in "
++"<citerefentry><refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</"
++"manvolnum></citerefentry> for details."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1811
++#: sssd-ldap.5.xml:1828
+ msgid "ldap_sasl_authid (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
+-#: sssd-ldap.5.xml:1822
++#: sssd-ldap.5.xml:1840
+ #, no-wrap
+ msgid ""
+ "hostname@REALM\n"
+@@ -5908,29 +6070,29 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1814
++#: sssd-ldap.5.xml:1831
+ msgid ""
+-"Specify the SASL authorization id to use.  When GSSAPI is used, this "
+-"represents the Kerberos principal used for authentication to the directory.  "
+-"This option can either contain the full principal (for example host/"
+-"myhost@EXAMPLE.COM) or just the principal name (for example host/myhost). By "
+-"default, the value is not set and the following principals are used: "
+-"<placeholder type=\"programlisting\" id=\"0\"/> If none of them are found, "
+-"the first principal in keytab is returned."
++"Specify the SASL authorization id to use.  When GSSAPI/GSS-SPNEGO are used, "
++"this represents the Kerberos principal used for authentication to the "
++"directory.  This option can either contain the full principal (for example "
++"host/myhost@EXAMPLE.COM) or just the principal name (for example host/"
++"myhost).  By default, the value is not set and the following principals are "
++"used: <placeholder type=\"programlisting\" id=\"0\"/> If none of them are "
++"found, the first principal in keytab is returned."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1833
++#: sssd-ldap.5.xml:1851
+ msgid "Default: host/hostname@REALM"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1839
++#: sssd-ldap.5.xml:1857
+ msgid "ldap_sasl_realm (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1842
++#: sssd-ldap.5.xml:1860
+ msgid ""
+ "Specify the SASL realm to use. When not specified, this option defaults to "
+ "the value of krb5_realm.  If the ldap_sasl_authid contains the realm as "
+@@ -5938,77 +6100,78 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1848
++#: sssd-ldap.5.xml:1866
+ msgid "Default: the value of krb5_realm."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1854
++#: sssd-ldap.5.xml:1872
+ msgid "ldap_sasl_canonicalize (boolean)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1857
++#: sssd-ldap.5.xml:1875
+ msgid ""
+ "If set to true, the LDAP library would perform a reverse lookup to "
+ "canonicalize the host name during a SASL bind."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1862
++#: sssd-ldap.5.xml:1880
+ msgid "Default: false;"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1868
++#: sssd-ldap.5.xml:1886
+ msgid "ldap_krb5_keytab (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1871
+-msgid "Specify the keytab to use when using SASL/GSSAPI."
++#: sssd-ldap.5.xml:1889
++msgid "Specify the keytab to use when using SASL/GSSAPI/GSS-SPNEGO."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1874
++#: sssd-ldap.5.xml:1893
+ msgid "Default: System keytab, normally <filename>/etc/krb5.keytab</filename>"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1880
++#: sssd-ldap.5.xml:1899
+ msgid "ldap_krb5_init_creds (boolean)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1883
++#: sssd-ldap.5.xml:1902
+ msgid ""
+ "Specifies that the id_provider should init Kerberos credentials (TGT).  This "
+ "action is performed only if SASL is used and the mechanism selected is "
+-"GSSAPI."
++"GSSAPI or GSS-SPNEGO."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1895
++#: sssd-ldap.5.xml:1914
+ msgid "ldap_krb5_ticket_lifetime (integer)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1898
+-msgid "Specifies the lifetime in seconds of the TGT if GSSAPI is used."
++#: sssd-ldap.5.xml:1917
++msgid ""
++"Specifies the lifetime in seconds of the TGT if GSSAPI or GSS-SPNEGO is used."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1902 sssd-ad.5.xml:959
++#: sssd-ldap.5.xml:1921 sssd-ad.5.xml:978
+ msgid "Default: 86400 (24 hours)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1908 sssd-krb5.5.xml:74
++#: sssd-ldap.5.xml:1927 sssd-krb5.5.xml:74
+ msgid "krb5_server, krb5_backup_server (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1911
++#: sssd-ldap.5.xml:1930
+ msgid ""
+ "Specifies the comma-separated list of IP addresses or hostnames of the "
+ "Kerberos servers to which SSSD should connect in the order of preference. "
+@@ -6020,7 +6183,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1923 sssd-krb5.5.xml:89
++#: sssd-ldap.5.xml:1942 sssd-krb5.5.xml:89
+ msgid ""
+ "When using service discovery for KDC or kpasswd servers, SSSD first searches "
+ "for DNS entries that specify _udp as the protocol and falls back to _tcp if "
+@@ -6028,7 +6191,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1928 sssd-krb5.5.xml:94
++#: sssd-ldap.5.xml:1947 sssd-krb5.5.xml:94
+ msgid ""
+ "This option was named <quote>krb5_kdcip</quote> in earlier releases of SSSD. "
+ "While the legacy name is recognized for the time being, users are advised to "
+@@ -6036,39 +6199,39 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1937 sssd-ipa.5.xml:428 sssd-krb5.5.xml:103
++#: sssd-ldap.5.xml:1956 sssd-ipa.5.xml:428 sssd-krb5.5.xml:103
+ msgid "krb5_realm (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1940
+-msgid "Specify the Kerberos REALM (for SASL/GSSAPI auth)."
++#: sssd-ldap.5.xml:1959
++msgid "Specify the Kerberos REALM (for SASL/GSSAPI/GSS-SPNEGO auth)."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1943
++#: sssd-ldap.5.xml:1963
+ msgid "Default: System defaults, see <filename>/etc/krb5.conf</filename>"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1949 sssd-krb5.5.xml:462
++#: sssd-ldap.5.xml:1969 sssd-krb5.5.xml:462
+ msgid "krb5_canonicalize (boolean)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1952
++#: sssd-ldap.5.xml:1972
+ msgid ""
+ "Specifies if the host principal should be canonicalized when connecting to "
+ "LDAP server. This feature is available with MIT Kerberos >= 1.7"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1964 sssd-krb5.5.xml:477
++#: sssd-ldap.5.xml:1984 sssd-krb5.5.xml:477
+ msgid "krb5_use_kdcinfo (boolean)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1967 sssd-krb5.5.xml:480
++#: sssd-ldap.5.xml:1987 sssd-krb5.5.xml:480
+ msgid ""
+ "Specifies if the SSSD should instruct the Kerberos libraries what realm and "
+ "which KDCs to use. This option is on by default, if you disable it, you need "
+@@ -6078,7 +6241,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1978 sssd-krb5.5.xml:491
++#: sssd-ldap.5.xml:1998 sssd-krb5.5.xml:491
+ msgid ""
+ "See the <citerefentry> <refentrytitle>sssd_krb5_locator_plugin</"
+ "refentrytitle> <manvolnum>8</manvolnum> </citerefentry> manual page for more "
+@@ -6086,26 +6249,26 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:1992
++#: sssd-ldap.5.xml:2012
+ msgid "ldap_pwd_policy (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:1995
++#: sssd-ldap.5.xml:2015
+ msgid ""
+ "Select the policy to evaluate the password expiration on the client side. "
+ "The following values are allowed:"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2000
++#: sssd-ldap.5.xml:2020
+ msgid ""
+ "<emphasis>none</emphasis> - No evaluation on the client side. This option "
+ "cannot disable server-side password policies."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2005
++#: sssd-ldap.5.xml:2025
+ msgid ""
+ "<emphasis>shadow</emphasis> - Use <citerefentry><refentrytitle>shadow</"
+ "refentrytitle> <manvolnum>5</manvolnum></citerefentry> style attributes to "
+@@ -6113,7 +6276,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2011
++#: sssd-ldap.5.xml:2031
+ msgid ""
+ "<emphasis>mit_kerberos</emphasis> - Use the attributes used by MIT Kerberos "
+ "to determine if the password has expired. Use chpass_provider=krb5 to update "
+@@ -6121,31 +6284,31 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2020
++#: sssd-ldap.5.xml:2040
+ msgid ""
+ "<emphasis>Note</emphasis>: if a password policy is configured on server "
+ "side, it always takes precedence over policy set with this option."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2028
++#: sssd-ldap.5.xml:2048
+ msgid "ldap_referrals (boolean)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2031
++#: sssd-ldap.5.xml:2051
+ msgid "Specifies whether automatic referral chasing should be enabled."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2035
++#: sssd-ldap.5.xml:2055
+ msgid ""
+ "Please note that sssd only supports referral chasing when it is compiled "
+ "with OpenLDAP version 2.4.13 or higher."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2040
++#: sssd-ldap.5.xml:2060
+ msgid ""
+ "Chasing referrals may incur a performance penalty in environments that use "
+ "them heavily, a notable example is Microsoft Active Directory. If your setup "
+@@ -6154,56 +6317,56 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2054
++#: sssd-ldap.5.xml:2074
+ msgid "ldap_dns_service_name (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2057
++#: sssd-ldap.5.xml:2077
+ msgid "Specifies the service name to use when service discovery is enabled."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2061
++#: sssd-ldap.5.xml:2081
+ msgid "Default: ldap"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2067
++#: sssd-ldap.5.xml:2087
+ msgid "ldap_chpass_dns_service_name (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2070
++#: sssd-ldap.5.xml:2090
+ msgid ""
+ "Specifies the service name to use to find an LDAP server which allows "
+ "password changes when service discovery is enabled."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2075
++#: sssd-ldap.5.xml:2095
+ msgid "Default: not set, i.e. service discovery is disabled"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2081
++#: sssd-ldap.5.xml:2101
+ msgid "ldap_chpass_update_last_change (bool)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2084
++#: sssd-ldap.5.xml:2104
+ msgid ""
+ "Specifies whether to update the ldap_user_shadow_last_change attribute with "
+ "days since the Epoch after a password change operation."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2096
++#: sssd-ldap.5.xml:2116
+ msgid "ldap_access_filter (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2099
++#: sssd-ldap.5.xml:2119
+ msgid ""
+ "If using access_provider = ldap and ldap_access_order = filter (default), "
+ "this option is mandatory. It specifies an LDAP search filter criteria that "
+@@ -6219,12 +6382,12 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2119
++#: sssd-ldap.5.xml:2139
+ msgid "Example:"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><programlisting>
+-#: sssd-ldap.5.xml:2122
++#: sssd-ldap.5.xml:2142
+ #, no-wrap
+ msgid ""
+ "access_provider = ldap\n"
+@@ -6233,14 +6396,14 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2126
++#: sssd-ldap.5.xml:2146
+ msgid ""
+ "This example means that access to this host is restricted to users whose "
+ "employeeType attribute is set to \"admin\"."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2131
++#: sssd-ldap.5.xml:2151
+ msgid ""
+ "Offline caching for this feature is limited to determining whether the "
+ "user's last online login was granted access permission. If they were granted "
+@@ -6249,24 +6412,24 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2139 sssd-ldap.5.xml:2196
++#: sssd-ldap.5.xml:2159 sssd-ldap.5.xml:2216
+ msgid "Default: Empty"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2145
++#: sssd-ldap.5.xml:2165
+ msgid "ldap_account_expire_policy (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2148
++#: sssd-ldap.5.xml:2168
+ msgid ""
+ "With this option a client side evaluation of access control attributes can "
+ "be enabled."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2152
++#: sssd-ldap.5.xml:2172
+ msgid ""
+ "Please note that it is always recommended to use server side access control, "
+ "i.e. the LDAP server should deny the bind request with a suitable error code "
+@@ -6274,19 +6437,19 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2159
++#: sssd-ldap.5.xml:2179
+ msgid "The following values are allowed:"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2162
++#: sssd-ldap.5.xml:2182
+ msgid ""
+ "<emphasis>shadow</emphasis>: use the value of ldap_user_shadow_expire to "
+ "determine if the account is expired."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2167
++#: sssd-ldap.5.xml:2187
+ msgid ""
+ "<emphasis>ad</emphasis>: use the value of the 32bit field "
+ "ldap_user_ad_user_account_control and allow access if the second bit is not "
+@@ -6295,7 +6458,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2174
++#: sssd-ldap.5.xml:2194
+ msgid ""
+ "<emphasis>rhds</emphasis>, <emphasis>ipa</emphasis>, <emphasis>389ds</"
+ "emphasis>: use the value of ldap_ns_account_lock to check if access is "
+@@ -6303,7 +6466,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2180
++#: sssd-ldap.5.xml:2200
+ msgid ""
+ "<emphasis>nds</emphasis>: the values of "
+ "ldap_user_nds_login_allowed_time_map, ldap_user_nds_login_disabled and "
+@@ -6312,7 +6475,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2189
++#: sssd-ldap.5.xml:2209
+ msgid ""
+ "Please note that the ldap_access_order configuration option <emphasis>must</"
+ "emphasis> include <quote>expire</quote> in order for the "
+@@ -6320,22 +6483,22 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2202
++#: sssd-ldap.5.xml:2222
+ msgid "ldap_access_order (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2205
++#: sssd-ldap.5.xml:2225
+ msgid "Comma separated list of access control options.  Allowed values are:"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2209
++#: sssd-ldap.5.xml:2229
+ msgid "<emphasis>filter</emphasis>: use ldap_access_filter"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2212
++#: sssd-ldap.5.xml:2232
+ msgid ""
+ "<emphasis>lockout</emphasis>: use account locking.  If set, this option "
+ "denies access in case that ldap attribute 'pwdAccountLockedTime' is present "
+@@ -6345,14 +6508,14 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2222
++#: sssd-ldap.5.xml:2242
+ msgid ""
+ "<emphasis> Please note that this option is superseded by the <quote>ppolicy</"
+ "quote> option and might be removed in a future release.  </emphasis>"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2229
++#: sssd-ldap.5.xml:2249
+ msgid ""
+ "<emphasis>ppolicy</emphasis>: use account locking.  If set, this option "
+ "denies access in case that ldap attribute 'pwdAccountLockedTime' is present "
+@@ -6365,12 +6528,12 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2246
++#: sssd-ldap.5.xml:2266
+ msgid "<emphasis>expire</emphasis>: use ldap_account_expire_policy"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2250
++#: sssd-ldap.5.xml:2270
+ msgid ""
+ "<emphasis>pwd_expire_policy_reject, pwd_expire_policy_warn, "
+ "pwd_expire_policy_renew: </emphasis> These options are useful if users are "
+@@ -6380,7 +6543,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2260
++#: sssd-ldap.5.xml:2280
+ msgid ""
+ "The difference between these options is the action taken if user password is "
+ "expired: pwd_expire_policy_reject - user is denied to log in, "
+@@ -6390,63 +6553,63 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2268
++#: sssd-ldap.5.xml:2288
+ msgid ""
+ "Note If user password is expired no explicit message is prompted by SSSD."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2272
++#: sssd-ldap.5.xml:2292
+ msgid ""
+ "Please note that 'access_provider = ldap' must be set for this feature to "
+ "work. Also 'ldap_pwd_policy' must be set to an appropriate password policy."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2277
++#: sssd-ldap.5.xml:2297
+ msgid ""
+ "<emphasis>authorized_service</emphasis>: use the authorizedService attribute "
+ "to determine access"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2282
++#: sssd-ldap.5.xml:2302
+ msgid "<emphasis>host</emphasis>: use the host attribute to determine access"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2286
++#: sssd-ldap.5.xml:2306
+ msgid ""
+ "<emphasis>rhost</emphasis>: use the rhost attribute to determine whether "
+ "remote host can access"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2290
++#: sssd-ldap.5.xml:2310
+ msgid ""
+ "Please note, rhost field in pam is set by application, it is better to check "
+ "what the application sends to pam, before enabling this access control option"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2295
++#: sssd-ldap.5.xml:2315
+ msgid "Default: filter"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2298
++#: sssd-ldap.5.xml:2318
+ msgid ""
+ "Please note that it is a configuration error if a value is used more than "
+ "once."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2305
++#: sssd-ldap.5.xml:2325
+ msgid "ldap_pwdlockout_dn (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2308
++#: sssd-ldap.5.xml:2328
+ msgid ""
+ "This option specifies the DN of password policy entry on LDAP server. Please "
+ "note that absence of this option in sssd.conf in case of enabled account "
+@@ -6455,74 +6618,74 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2316
++#: sssd-ldap.5.xml:2336
+ msgid "Example: cn=ppolicy,ou=policies,dc=example,dc=com"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2319
++#: sssd-ldap.5.xml:2339
+ msgid "Default: cn=ppolicy,ou=policies,$ldap_search_base"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2325
++#: sssd-ldap.5.xml:2345
+ msgid "ldap_deref (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2328
++#: sssd-ldap.5.xml:2348
+ msgid ""
+ "Specifies how alias dereferencing is done when performing a search. The "
+ "following options are allowed:"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2333
++#: sssd-ldap.5.xml:2353
+ msgid "<emphasis>never</emphasis>: Aliases are never dereferenced."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2337
++#: sssd-ldap.5.xml:2357
+ msgid ""
+ "<emphasis>searching</emphasis>: Aliases are dereferenced in subordinates of "
+ "the base object, but not in locating the base object of the search."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2342
++#: sssd-ldap.5.xml:2362
+ msgid ""
+ "<emphasis>finding</emphasis>: Aliases are only dereferenced when locating "
+ "the base object of the search."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2347
++#: sssd-ldap.5.xml:2367
+ msgid ""
+ "<emphasis>always</emphasis>: Aliases are dereferenced both in searching and "
+ "in locating the base object of the search."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2352
++#: sssd-ldap.5.xml:2372
+ msgid ""
+ "Default: Empty (this is handled as <emphasis>never</emphasis> by the LDAP "
+ "client libraries)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2360
++#: sssd-ldap.5.xml:2380
+ msgid "ldap_rfc2307_fallback_to_local_users (boolean)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2363
++#: sssd-ldap.5.xml:2383
+ msgid ""
+ "Allows to retain local users as members of an LDAP group for servers that "
+ "use the RFC2307 schema."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2367
++#: sssd-ldap.5.xml:2387
+ msgid ""
+ "In some environments where the RFC2307 schema is used, local users are made "
+ "members of LDAP groups by adding their names to the memberUid attribute.  "
+@@ -6533,7 +6696,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2378
++#: sssd-ldap.5.xml:2398
+ msgid ""
+ "This option falls back to checking if local users are referenced, and caches "
+ "them so that later initgroups() calls will augment the local users with the "
+@@ -6541,24 +6704,24 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2390 sssd-ifp.5.xml:136
++#: sssd-ldap.5.xml:2410 sssd-ifp.5.xml:136
+ msgid "wildcard_limit (integer)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2393
++#: sssd-ldap.5.xml:2413
+ msgid ""
+ "Specifies an upper limit on the number of entries that are downloaded during "
+ "a wildcard lookup."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2397
++#: sssd-ldap.5.xml:2417
+ msgid "At the moment, only the InfoPipe responder supports wildcard lookups."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2401
++#: sssd-ldap.5.xml:2421
+ msgid "Default: 1000 (often the size of one page)"
+ msgstr ""
+ 
+@@ -6573,12 +6736,12 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><title>
+-#: sssd-ldap.5.xml:2411
++#: sssd-ldap.5.xml:2431
+ msgid "SUDO OPTIONS"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd-ldap.5.xml:2413
++#: sssd-ldap.5.xml:2433
+ msgid ""
+ "The detailed instructions for configuration of sudo_provider are in the "
+ "manual page <citerefentry> <refentrytitle>sssd-sudo</refentrytitle> "
+@@ -6586,208 +6749,208 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2424
++#: sssd-ldap.5.xml:2444
+ msgid "ldap_sudorule_object_class (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2427
++#: sssd-ldap.5.xml:2447
+ msgid "The object class of a sudo rule entry in LDAP."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2430
++#: sssd-ldap.5.xml:2450
+ msgid "Default: sudoRole"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2436
++#: sssd-ldap.5.xml:2456
+ msgid "ldap_sudorule_name (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2439
++#: sssd-ldap.5.xml:2459
+ msgid "The LDAP attribute that corresponds to the sudo rule name."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2449
++#: sssd-ldap.5.xml:2469
+ msgid "ldap_sudorule_command (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2452
++#: sssd-ldap.5.xml:2472
+ msgid "The LDAP attribute that corresponds to the command name."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2456
++#: sssd-ldap.5.xml:2476
+ msgid "Default: sudoCommand"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2462
++#: sssd-ldap.5.xml:2482
+ msgid "ldap_sudorule_host (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2465
++#: sssd-ldap.5.xml:2485
+ msgid ""
+ "The LDAP attribute that corresponds to the host name (or host IP address, "
+ "host IP network, or host netgroup)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2470
++#: sssd-ldap.5.xml:2490
+ msgid "Default: sudoHost"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2476
++#: sssd-ldap.5.xml:2496
+ msgid "ldap_sudorule_user (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2479
++#: sssd-ldap.5.xml:2499
+ msgid ""
+ "The LDAP attribute that corresponds to the user name (or UID, group name or "
+ "user's netgroup)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2483
++#: sssd-ldap.5.xml:2503
+ msgid "Default: sudoUser"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2489
++#: sssd-ldap.5.xml:2509
+ msgid "ldap_sudorule_option (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2492
++#: sssd-ldap.5.xml:2512
+ msgid "The LDAP attribute that corresponds to the sudo options."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2496
++#: sssd-ldap.5.xml:2516
+ msgid "Default: sudoOption"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2502
++#: sssd-ldap.5.xml:2522
+ msgid "ldap_sudorule_runasuser (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2505
++#: sssd-ldap.5.xml:2525
+ msgid ""
+ "The LDAP attribute that corresponds to the user name that commands may be "
+ "run as."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2509
++#: sssd-ldap.5.xml:2529
+ msgid "Default: sudoRunAsUser"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2515
++#: sssd-ldap.5.xml:2535
+ msgid "ldap_sudorule_runasgroup (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2518
++#: sssd-ldap.5.xml:2538
+ msgid ""
+ "The LDAP attribute that corresponds to the group name or group GID that "
+ "commands may be run as."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2522
++#: sssd-ldap.5.xml:2542
+ msgid "Default: sudoRunAsGroup"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2528
++#: sssd-ldap.5.xml:2548
+ msgid "ldap_sudorule_notbefore (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2531
++#: sssd-ldap.5.xml:2551
+ msgid ""
+ "The LDAP attribute that corresponds to the start date/time for when the sudo "
+ "rule is valid."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2535
++#: sssd-ldap.5.xml:2555
+ msgid "Default: sudoNotBefore"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2541
++#: sssd-ldap.5.xml:2561
+ msgid "ldap_sudorule_notafter (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2544
++#: sssd-ldap.5.xml:2564
+ msgid ""
+ "The LDAP attribute that corresponds to the expiration date/time, after which "
+ "the sudo rule will no longer be valid."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2549
++#: sssd-ldap.5.xml:2569
+ msgid "Default: sudoNotAfter"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2555
++#: sssd-ldap.5.xml:2575
+ msgid "ldap_sudorule_order (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2558
++#: sssd-ldap.5.xml:2578
+ msgid "The LDAP attribute that corresponds to the ordering index of the rule."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2562
++#: sssd-ldap.5.xml:2582
+ msgid "Default: sudoOrder"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2568
++#: sssd-ldap.5.xml:2588
+ msgid "ldap_sudo_full_refresh_interval (integer)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2571
++#: sssd-ldap.5.xml:2591
+ msgid ""
+ "How many seconds SSSD will wait between executing a full refresh of sudo "
+ "rules (which downloads all rules that are stored on the server)."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2576
++#: sssd-ldap.5.xml:2596
+ msgid ""
+ "The value must be greater than <emphasis>ldap_sudo_smart_refresh_interval </"
+ "emphasis>"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2581
++#: sssd-ldap.5.xml:2601
+ msgid "Default: 21600 (6 hours)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2587
++#: sssd-ldap.5.xml:2607
+ msgid "ldap_sudo_smart_refresh_interval (integer)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2590
++#: sssd-ldap.5.xml:2610
+ msgid ""
+ "How many seconds SSSD has to wait before executing a smart refresh of sudo "
+ "rules (which downloads all rules that have USN higher than the highest USN "
+@@ -6795,101 +6958,101 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2596
++#: sssd-ldap.5.xml:2616
+ msgid ""
+ "If USN attributes are not supported by the server, the modifyTimestamp "
+ "attribute is used instead."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2606
++#: sssd-ldap.5.xml:2626
+ msgid "ldap_sudo_use_host_filter (boolean)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2609
++#: sssd-ldap.5.xml:2629
+ msgid ""
+ "If true, SSSD will download only rules that are applicable to this machine "
+ "(using the IPv4 or IPv6 host/network addresses and hostnames)."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2620
++#: sssd-ldap.5.xml:2640
+ msgid "ldap_sudo_hostnames (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2623
++#: sssd-ldap.5.xml:2643
+ msgid ""
+ "Space separated list of hostnames or fully qualified domain names that "
+ "should be used to filter the rules."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2628
++#: sssd-ldap.5.xml:2648
+ msgid ""
+ "If this option is empty, SSSD will try to discover the hostname and the "
+ "fully qualified domain name automatically."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2633 sssd-ldap.5.xml:2656 sssd-ldap.5.xml:2674
+-#: sssd-ldap.5.xml:2692
++#: sssd-ldap.5.xml:2653 sssd-ldap.5.xml:2676 sssd-ldap.5.xml:2694
++#: sssd-ldap.5.xml:2712
+ msgid ""
+ "If <emphasis>ldap_sudo_use_host_filter</emphasis> is <emphasis>false</"
+ "emphasis> then this option has no effect."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2638 sssd-ldap.5.xml:2661
++#: sssd-ldap.5.xml:2658 sssd-ldap.5.xml:2681
+ msgid "Default: not specified"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2644
++#: sssd-ldap.5.xml:2664
+ msgid "ldap_sudo_ip (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2647
++#: sssd-ldap.5.xml:2667
+ msgid ""
+ "Space separated list of IPv4 or IPv6 host/network addresses that should be "
+ "used to filter the rules."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2652
++#: sssd-ldap.5.xml:2672
+ msgid ""
+ "If this option is empty, SSSD will try to discover the addresses "
+ "automatically."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2667
++#: sssd-ldap.5.xml:2687
+ msgid "ldap_sudo_include_netgroups (boolean)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2670
++#: sssd-ldap.5.xml:2690
+ msgid ""
+ "If true then SSSD will download every rule that contains a netgroup in "
+ "sudoHost attribute."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2685
++#: sssd-ldap.5.xml:2705
+ msgid "ldap_sudo_include_regexp (boolean)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2688
++#: sssd-ldap.5.xml:2708
+ msgid ""
+ "If true then SSSD will download every rule that contains a wildcard in "
+ "sudoHost attribute."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd-ldap.5.xml:2704
++#: sssd-ldap.5.xml:2724
+ msgid ""
+ "This manual page only describes attribute name mapping.  For detailed "
+ "explanation of sudo related attribute semantics, see <citerefentry> "
+@@ -6898,111 +7061,111 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><title>
+-#: sssd-ldap.5.xml:2714
++#: sssd-ldap.5.xml:2734
+ msgid "AUTOFS OPTIONS"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd-ldap.5.xml:2716
++#: sssd-ldap.5.xml:2736
+ msgid ""
+ "Some of the defaults for the parameters below are dependent on the LDAP "
+ "schema."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2722
++#: sssd-ldap.5.xml:2742
+ msgid "ldap_autofs_map_master_name (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2725
++#: sssd-ldap.5.xml:2745
+ msgid "The name of the automount master map in LDAP."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2728
++#: sssd-ldap.5.xml:2748
+ msgid "Default: auto.master"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2735
++#: sssd-ldap.5.xml:2755
+ msgid "ldap_autofs_map_object_class (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2738
++#: sssd-ldap.5.xml:2758
+ msgid "The object class of an automount map entry in LDAP."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2741
++#: sssd-ldap.5.xml:2761
+ msgid "Default: nisMap (rfc2307, autofs_provider=ad), otherwise automountMap"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2749
++#: sssd-ldap.5.xml:2769
+ msgid "ldap_autofs_map_name (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2752
++#: sssd-ldap.5.xml:2772
+ msgid "The name of an automount map entry in LDAP."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2755
++#: sssd-ldap.5.xml:2775
+ msgid ""
+ "Default: nisMapName (rfc2307, autofs_provider=ad), otherwise automountMapName"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2763
++#: sssd-ldap.5.xml:2783
+ msgid "ldap_autofs_entry_object_class (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2766
++#: sssd-ldap.5.xml:2786
+ msgid ""
+ "The object class of an automount entry in LDAP. The entry usually "
+ "corresponds to a mount point."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2771
++#: sssd-ldap.5.xml:2791
+ msgid "Default: nisObject (rfc2307, autofs_provider=ad), otherwise automount"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2779
++#: sssd-ldap.5.xml:2799
+ msgid "ldap_autofs_entry_key (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2782 sssd-ldap.5.xml:2797
++#: sssd-ldap.5.xml:2802 sssd-ldap.5.xml:2817
+ msgid ""
+ "The key of an automount entry in LDAP. The entry usually corresponds to a "
+ "mount point."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2786
++#: sssd-ldap.5.xml:2806
+ msgid "Default: cn (rfc2307, autofs_provider=ad), otherwise automountKey"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2794
++#: sssd-ldap.5.xml:2814
+ msgid "ldap_autofs_entry_value (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ldap.5.xml:2801
++#: sssd-ldap.5.xml:2821
+ msgid ""
+ "Default: nisMapEntry (rfc2307, autofs_provider=ad), otherwise "
+ "automountInformation"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd-ldap.5.xml:2720
++#: sssd-ldap.5.xml:2740
+ msgid ""
+ "<placeholder type=\"variablelist\" id=\"0\"/> <placeholder type="
+ "\"variablelist\" id=\"1\"/> <placeholder type=\"variablelist\" id=\"2\"/> "
+@@ -7011,32 +7174,32 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><title>
+-#: sssd-ldap.5.xml:2812
++#: sssd-ldap.5.xml:2832
+ msgid "ADVANCED OPTIONS"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2819
++#: sssd-ldap.5.xml:2839
+ msgid "ldap_netgroup_search_base (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2824
++#: sssd-ldap.5.xml:2844
+ msgid "ldap_user_search_base (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2829
++#: sssd-ldap.5.xml:2849
+ msgid "ldap_group_search_base (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><note>
+-#: sssd-ldap.5.xml:2834
++#: sssd-ldap.5.xml:2854
+ msgid "<note>"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><note><para>
+-#: sssd-ldap.5.xml:2836
++#: sssd-ldap.5.xml:2856
+ msgid ""
+ "If the option <quote>ldap_use_tokengroups</quote> is enabled, the searches "
+ "against Active Directory will not be restricted and return all groups "
+@@ -7045,22 +7208,22 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist>
+-#: sssd-ldap.5.xml:2843
++#: sssd-ldap.5.xml:2863
+ msgid "</note>"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2845
++#: sssd-ldap.5.xml:2865
+ msgid "ldap_sudo_search_base (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ldap.5.xml:2850
++#: sssd-ldap.5.xml:2870
+ msgid "ldap_autofs_search_base (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd-ldap.5.xml:2814
++#: sssd-ldap.5.xml:2834
+ msgid ""
+ "These options are supported by LDAP domains, but they should be used with "
+ "caution. Please include them in your configuration only if you know what you "
+@@ -7069,14 +7232,14 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><title>
+-#: sssd-ldap.5.xml:2865 sssd-simple.5.xml:131 sssd-ipa.5.xml:828
+-#: sssd-ad.5.xml:1063 sssd-krb5.5.xml:570 sss_rpcidmapd.5.xml:98
++#: sssd-ldap.5.xml:2885 sssd-simple.5.xml:131 sssd-ipa.5.xml:828
++#: sssd-ad.5.xml:1082 sssd-krb5.5.xml:604 sss_rpcidmapd.5.xml:98
+ #: sssd-files.5.xml:103 sssd-session-recording.5.xml:144
+ msgid "EXAMPLE"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd-ldap.5.xml:2867
++#: sssd-ldap.5.xml:2887
+ msgid ""
+ "The following example assumes that SSSD is correctly configured and LDAP is "
+ "set to one of the domains in the <replaceable>[domains]</replaceable> "
+@@ -7084,7 +7247,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><programlisting>
+-#: sssd-ldap.5.xml:2873
++#: sssd-ldap.5.xml:2893
+ #, no-wrap
+ msgid ""
+ "[domain/LDAP]\n"
+@@ -7097,27 +7260,27 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <refsect1><refsect2><para>
+-#: sssd-ldap.5.xml:2872 sssd-ldap.5.xml:2890 sssd-simple.5.xml:139
+-#: sssd-ipa.5.xml:836 sssd-ad.5.xml:1071 sssd-sudo.5.xml:56 sssd-krb5.5.xml:579
++#: sssd-ldap.5.xml:2892 sssd-ldap.5.xml:2910 sssd-simple.5.xml:139
++#: sssd-ipa.5.xml:836 sssd-ad.5.xml:1090 sssd-sudo.5.xml:56 sssd-krb5.5.xml:613
+ #: sssd-files.5.xml:110 sssd-session-recording.5.xml:150
+ #: include/ldap_id_mapping.xml:105
+ msgid "<placeholder type=\"programlisting\" id=\"0\"/>"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><title>
+-#: sssd-ldap.5.xml:2884
++#: sssd-ldap.5.xml:2904
+ msgid "LDAP ACCESS FILTER EXAMPLE"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd-ldap.5.xml:2886
++#: sssd-ldap.5.xml:2906
+ msgid ""
+ "The following example assumes that SSSD is correctly configured and to use "
+ "the ldap_access_order=lockout."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><programlisting>
+-#: sssd-ldap.5.xml:2891
++#: sssd-ldap.5.xml:2911
+ #, no-wrap
+ msgid ""
+ "[domain/LDAP]\n"
+@@ -7133,13 +7296,13 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><title>
+-#: sssd-ldap.5.xml:2906 sssd_krb5_locator_plugin.8.xml:83 sssd-simple.5.xml:148
+-#: sssd-ad.5.xml:1086 sssd.8.xml:230 sss_seed.8.xml:163
++#: sssd-ldap.5.xml:2926 sssd_krb5_locator_plugin.8.xml:83 sssd-simple.5.xml:148
++#: sssd-ad.5.xml:1105 sssd.8.xml:230 sss_seed.8.xml:163
+ msgid "NOTES"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd-ldap.5.xml:2908
++#: sssd-ldap.5.xml:2928
+ msgid ""
+ "The descriptions of some of the configuration options in this manual page "
+ "are based on the <citerefentry> <refentrytitle>ldap.conf</refentrytitle> "
+@@ -8613,7 +8776,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ipa.5.xml:128 sssd-ad.5.xml:888
++#: sssd-ipa.5.xml:128 sssd-ad.5.xml:907
+ msgid "dyndns_update (boolean)"
+ msgstr ""
+ 
+@@ -8628,7 +8791,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ipa.5.xml:140 sssd-ad.5.xml:902
++#: sssd-ipa.5.xml:140 sssd-ad.5.xml:921
+ msgid ""
+ "NOTE: On older systems (such as RHEL 5), for this behavior to work reliably, "
+ "the default Kerberos realm must be set properly in /etc/krb5.conf"
+@@ -8643,12 +8806,12 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ipa.5.xml:157 sssd-ad.5.xml:913
++#: sssd-ipa.5.xml:157 sssd-ad.5.xml:932
+ msgid "dyndns_ttl (integer)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ipa.5.xml:160 sssd-ad.5.xml:916
++#: sssd-ipa.5.xml:160 sssd-ad.5.xml:935
+ msgid ""
+ "The TTL to apply to the client DNS record when updating it.  If "
+ "dyndns_update is false this has no effect. This will override the TTL "
+@@ -8669,12 +8832,12 @@ msgid "Default: 1200 (seconds)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ipa.5.xml:177 sssd-ad.5.xml:927
++#: sssd-ipa.5.xml:177 sssd-ad.5.xml:946
+ msgid "dyndns_iface (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ipa.5.xml:180 sssd-ad.5.xml:930
++#: sssd-ipa.5.xml:180 sssd-ad.5.xml:949
+ msgid ""
+ "Optional. Applicable only when dyndns_update is true. Choose the interface "
+ "or a list of interfaces whose IP addresses should be used for dynamic DNS "
+@@ -8698,17 +8861,17 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ipa.5.xml:197 sssd-ad.5.xml:941
++#: sssd-ipa.5.xml:197 sssd-ad.5.xml:960
+ msgid "Example: dyndns_iface = em1, vnet1, vnet2"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ipa.5.xml:203 sssd-ad.5.xml:992
++#: sssd-ipa.5.xml:203 sssd-ad.5.xml:1011
+ msgid "dyndns_auth (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ipa.5.xml:206 sssd-ad.5.xml:995
++#: sssd-ipa.5.xml:206 sssd-ad.5.xml:1014
+ msgid ""
+ "Whether the nsupdate utility should use GSS-TSIG authentication for secure "
+ "updates with the DNS server, insecure updates can be sent by setting this "
+@@ -8716,7 +8879,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ipa.5.xml:212 sssd-ad.5.xml:1001
++#: sssd-ipa.5.xml:212 sssd-ad.5.xml:1020
+ msgid "Default: GSS-TSIG"
+ msgstr ""
+ 
+@@ -8743,7 +8906,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ipa.5.xml:244 sssd-ad.5.xml:947
++#: sssd-ipa.5.xml:244 sssd-ad.5.xml:966
+ msgid "dyndns_refresh_interval (integer)"
+ msgstr ""
+ 
+@@ -8756,12 +8919,12 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ipa.5.xml:260 sssd-ad.5.xml:965
++#: sssd-ipa.5.xml:260 sssd-ad.5.xml:984
+ msgid "dyndns_update_ptr (bool)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ipa.5.xml:263 sssd-ad.5.xml:968
++#: sssd-ipa.5.xml:263 sssd-ad.5.xml:987
+ msgid ""
+ "Whether the PTR record should also be explicitly updated when updating the "
+ "client's DNS records.  Applicable only when dyndns_update is true."
+@@ -8780,50 +8943,50 @@ msgid "Default: False (disabled)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ipa.5.xml:280 sssd-ad.5.xml:979
++#: sssd-ipa.5.xml:280 sssd-ad.5.xml:998
+ msgid "dyndns_force_tcp (bool)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ipa.5.xml:283 sssd-ad.5.xml:982
++#: sssd-ipa.5.xml:283 sssd-ad.5.xml:1001
+ msgid ""
+ "Whether the nsupdate utility should default to using TCP for communicating "
+ "with the DNS server."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ipa.5.xml:287 sssd-ad.5.xml:986
++#: sssd-ipa.5.xml:287 sssd-ad.5.xml:1005
+ msgid "Default: False (let nsupdate choose the protocol)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ipa.5.xml:293 sssd-ad.5.xml:1007
++#: sssd-ipa.5.xml:293 sssd-ad.5.xml:1026
+ msgid "dyndns_server (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ipa.5.xml:296 sssd-ad.5.xml:1010
++#: sssd-ipa.5.xml:296 sssd-ad.5.xml:1029
+ msgid ""
+ "The DNS server to use when performing a DNS update. In most setups, it's "
+ "recommended to leave this option unset."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ipa.5.xml:301 sssd-ad.5.xml:1015
++#: sssd-ipa.5.xml:301 sssd-ad.5.xml:1034
+ msgid ""
+ "Setting this option makes sense for environments where the DNS server is "
+ "different from the identity server."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ipa.5.xml:306 sssd-ad.5.xml:1020
++#: sssd-ipa.5.xml:306 sssd-ad.5.xml:1039
+ msgid ""
+ "Please note that this option will be only used in fallback attempt when "
+ "previous attempt using autodetected settings failed."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ipa.5.xml:311 sssd-ad.5.xml:1025
++#: sssd-ipa.5.xml:311 sssd-ad.5.xml:1044
+ msgid "Default: None (let nsupdate choose the server)"
+ msgstr ""
+ 
+@@ -8934,26 +9097,26 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ipa.5.xml:443 sssd-ad.5.xml:1034
++#: sssd-ipa.5.xml:443 sssd-ad.5.xml:1053
+ msgid "krb5_confd_path (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ipa.5.xml:446 sssd-ad.5.xml:1037
++#: sssd-ipa.5.xml:446 sssd-ad.5.xml:1056
+ msgid ""
+ "Absolute path of a directory where SSSD should place Kerberos configuration "
+ "snippets."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ipa.5.xml:450 sssd-ad.5.xml:1041
++#: sssd-ipa.5.xml:450 sssd-ad.5.xml:1060
+ msgid ""
+ "To disable the creation of the configuration snippets set the parameter to "
+ "'none'."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ipa.5.xml:454 sssd-ad.5.xml:1045
++#: sssd-ipa.5.xml:454 sssd-ad.5.xml:1064
+ msgid ""
+ "Default: not set (krb5.include.d subdirectory of SSSD's pubconf directory)"
+ msgstr ""
+@@ -8972,7 +9135,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ipa.5.xml:471 sssd-ipa.5.xml:501 sssd-ipa.5.xml:517 sssd-ad.5.xml:452
++#: sssd-ipa.5.xml:471 sssd-ipa.5.xml:501 sssd-ipa.5.xml:517 sssd-ad.5.xml:471
+ msgid "Default: 5 (seconds)"
+ msgstr ""
+ 
+@@ -9853,12 +10016,27 @@ msgid "Default: False (seconds)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ad.5.xml:442
++#: sssd-ad.5.xml:441
++msgid "ad_gpo_ignore_unreadable (boolean)"
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
++#: sssd-ad.5.xml:444
++msgid ""
++"Normally when some group policy containers (AD object) of applicable group "
++"policy objects are not readable by SSSD then users are denied access.  This "
++"option allows to ignore group policy containers and with them associated "
++"policies if their attributes in group policy containers are not readable for "
++"SSSD."
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
++#: sssd-ad.5.xml:461
+ msgid "ad_gpo_cache_timeout (integer)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:445
++#: sssd-ad.5.xml:464
+ msgid ""
+ "The amount of time between lookups of GPO policy files against the AD "
+ "server. This will reduce the latency and load on the AD server if there are "
+@@ -9866,12 +10044,12 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ad.5.xml:458
++#: sssd-ad.5.xml:477
+ msgid "ad_gpo_map_interactive (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:461
++#: sssd-ad.5.xml:480
+ msgid ""
+ "A comma-separated list of PAM service names for which GPO-based access "
+ "control is evaluated based on the InteractiveLogonRight and "
+@@ -9879,14 +10057,14 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:467
++#: sssd-ad.5.xml:486
+ msgid ""
+ "Note: Using the Group Policy Management Editor this value is called \"Allow "
+ "log on locally\" and \"Deny log on locally\"."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
+-#: sssd-ad.5.xml:481
++#: sssd-ad.5.xml:500
+ #, no-wrap
+ msgid ""
+ "ad_gpo_map_interactive = +my_pam_service, -login\n"
+@@ -9894,7 +10072,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:472
++#: sssd-ad.5.xml:491
+ msgid ""
+ "It is possible to add another PAM service name to the default set by using "
+ "<quote>+service_name</quote> or to explicitly remove a PAM service name from "
+@@ -9906,42 +10084,42 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd-ad.5.xml:504
++#: sssd-ad.5.xml:523
+ msgid "gdm-fingerprint"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd-ad.5.xml:524
++#: sssd-ad.5.xml:543
+ msgid "lightdm"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd-ad.5.xml:529
++#: sssd-ad.5.xml:548
+ msgid "lxdm"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd-ad.5.xml:534
++#: sssd-ad.5.xml:553
+ msgid "sddm"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd-ad.5.xml:539
++#: sssd-ad.5.xml:558
+ msgid "unity"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd-ad.5.xml:544
++#: sssd-ad.5.xml:563
+ msgid "xdm"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ad.5.xml:553
++#: sssd-ad.5.xml:572
+ msgid "ad_gpo_map_remote_interactive (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:556
++#: sssd-ad.5.xml:575
+ msgid ""
+ "A comma-separated list of PAM service names for which GPO-based access "
+ "control is evaluated based on the RemoteInteractiveLogonRight and "
+@@ -9949,7 +10127,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:562
++#: sssd-ad.5.xml:581
+ msgid ""
+ "Note: Using the Group Policy Management Editor this value is called \"Allow "
+ "log on through Remote Desktop Services\" and \"Deny log on through Remote "
+@@ -9957,7 +10135,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
+-#: sssd-ad.5.xml:577
++#: sssd-ad.5.xml:596
+ #, no-wrap
+ msgid ""
+ "ad_gpo_map_remote_interactive = +my_pam_service, -sshd\n"
+@@ -9965,7 +10143,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:568
++#: sssd-ad.5.xml:587
+ msgid ""
+ "It is possible to add another PAM service name to the default set by using "
+ "<quote>+service_name</quote> or to explicitly remove a PAM service name from "
+@@ -9977,22 +10155,22 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd-ad.5.xml:585
++#: sssd-ad.5.xml:604
+ msgid "sshd"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd-ad.5.xml:590
++#: sssd-ad.5.xml:609
+ msgid "cockpit"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ad.5.xml:599
++#: sssd-ad.5.xml:618
+ msgid "ad_gpo_map_network (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:602
++#: sssd-ad.5.xml:621
+ msgid ""
+ "A comma-separated list of PAM service names for which GPO-based access "
+ "control is evaluated based on the NetworkLogonRight and "
+@@ -10000,7 +10178,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:608
++#: sssd-ad.5.xml:627
+ msgid ""
+ "Note: Using the Group Policy Management Editor this value is called \"Access "
+ "this computer from the network\" and \"Deny access to this computer from the "
+@@ -10008,7 +10186,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
+-#: sssd-ad.5.xml:623
++#: sssd-ad.5.xml:642
+ #, no-wrap
+ msgid ""
+ "ad_gpo_map_network = +my_pam_service, -ftp\n"
+@@ -10016,7 +10194,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:614
++#: sssd-ad.5.xml:633
+ msgid ""
+ "It is possible to add another PAM service name to the default set by using "
+ "<quote>+service_name</quote> or to explicitly remove a PAM service name from "
+@@ -10028,22 +10206,22 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd-ad.5.xml:631
++#: sssd-ad.5.xml:650
+ msgid "ftp"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd-ad.5.xml:636
++#: sssd-ad.5.xml:655
+ msgid "samba"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ad.5.xml:645
++#: sssd-ad.5.xml:664
+ msgid "ad_gpo_map_batch (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:648
++#: sssd-ad.5.xml:667
+ msgid ""
+ "A comma-separated list of PAM service names for which GPO-based access "
+ "control is evaluated based on the BatchLogonRight and DenyBatchLogonRight "
+@@ -10051,14 +10229,14 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:654
++#: sssd-ad.5.xml:673
+ msgid ""
+ "Note: Using the Group Policy Management Editor this value is called \"Allow "
+ "log on as a batch job\" and \"Deny log on as a batch job\"."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
+-#: sssd-ad.5.xml:668
++#: sssd-ad.5.xml:687
+ #, no-wrap
+ msgid ""
+ "ad_gpo_map_batch = +my_pam_service, -crond\n"
+@@ -10066,7 +10244,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:659
++#: sssd-ad.5.xml:678
+ msgid ""
+ "It is possible to add another PAM service name to the default set by using "
+ "<quote>+service_name</quote> or to explicitly remove a PAM service name from "
+@@ -10078,23 +10256,23 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:671
++#: sssd-ad.5.xml:690
+ msgid ""
+ "Note: Cron service name may differ depending on Linux distribution used."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd-ad.5.xml:677
++#: sssd-ad.5.xml:696
+ msgid "crond"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ad.5.xml:686
++#: sssd-ad.5.xml:705
+ msgid "ad_gpo_map_service (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:689
++#: sssd-ad.5.xml:708
+ msgid ""
+ "A comma-separated list of PAM service names for which GPO-based access "
+ "control is evaluated based on the ServiceLogonRight and "
+@@ -10102,14 +10280,14 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:695
++#: sssd-ad.5.xml:714
+ msgid ""
+ "Note: Using the Group Policy Management Editor this value is called \"Allow "
+ "log on as a service\" and \"Deny log on as a service\"."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
+-#: sssd-ad.5.xml:708
++#: sssd-ad.5.xml:727
+ #, no-wrap
+ msgid ""
+ "ad_gpo_map_service = +my_pam_service\n"
+@@ -10117,7 +10295,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:700 sssd-ad.5.xml:775
++#: sssd-ad.5.xml:719 sssd-ad.5.xml:794
+ msgid ""
+ "It is possible to add a PAM service name to the default set by using <quote>"
+ "+service_name</quote>.  Since the default set is empty, it is not possible "
+@@ -10128,19 +10306,19 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ad.5.xml:718
++#: sssd-ad.5.xml:737
+ msgid "ad_gpo_map_permit (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:721
++#: sssd-ad.5.xml:740
+ msgid ""
+ "A comma-separated list of PAM service names for which GPO-based access is "
+ "always granted, regardless of any GPO Logon Rights."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
+-#: sssd-ad.5.xml:735
++#: sssd-ad.5.xml:754
+ #, no-wrap
+ msgid ""
+ "ad_gpo_map_permit = +my_pam_service, -sudo\n"
+@@ -10148,7 +10326,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:726
++#: sssd-ad.5.xml:745
+ msgid ""
+ "It is possible to add another PAM service name to the default set by using "
+ "<quote>+service_name</quote> or to explicitly remove a PAM service name from "
+@@ -10160,29 +10338,29 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd-ad.5.xml:743
++#: sssd-ad.5.xml:762
+ msgid "polkit-1"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd-ad.5.xml:758
++#: sssd-ad.5.xml:777
+ msgid "systemd-user"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ad.5.xml:767
++#: sssd-ad.5.xml:786
+ msgid "ad_gpo_map_deny (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:770
++#: sssd-ad.5.xml:789
+ msgid ""
+ "A comma-separated list of PAM service names for which GPO-based access is "
+ "always denied, regardless of any GPO Logon Rights."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
+-#: sssd-ad.5.xml:783
++#: sssd-ad.5.xml:802
+ #, no-wrap
+ msgid ""
+ "ad_gpo_map_deny = +my_pam_service\n"
+@@ -10190,12 +10368,12 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ad.5.xml:793
++#: sssd-ad.5.xml:812
+ msgid "ad_gpo_default_right (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:796
++#: sssd-ad.5.xml:815
+ msgid ""
+ "This option defines how access control is evaluated for PAM service names "
+ "that are not explicitly listed in one of the ad_gpo_map_* options. This "
+@@ -10208,57 +10386,57 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:809
++#: sssd-ad.5.xml:828
+ msgid "Supported values for this option include:"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd-ad.5.xml:813
++#: sssd-ad.5.xml:832
+ msgid "interactive"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd-ad.5.xml:818
++#: sssd-ad.5.xml:837
+ msgid "remote_interactive"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd-ad.5.xml:823
++#: sssd-ad.5.xml:842
+ msgid "network"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd-ad.5.xml:828
++#: sssd-ad.5.xml:847
+ msgid "batch"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd-ad.5.xml:833
++#: sssd-ad.5.xml:852
+ msgid "service"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd-ad.5.xml:838
++#: sssd-ad.5.xml:857
+ msgid "permit"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+-#: sssd-ad.5.xml:843
++#: sssd-ad.5.xml:862
+ msgid "deny"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:849
++#: sssd-ad.5.xml:868
+ msgid "Default: deny"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ad.5.xml:855
++#: sssd-ad.5.xml:874
+ msgid "ad_maximum_machine_account_password_age (integer)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:858
++#: sssd-ad.5.xml:877
+ msgid ""
+ "SSSD will check once a day if the machine account password is older than the "
+ "given age in days and try to renew it. A value of 0 will disable the renewal "
+@@ -10266,17 +10444,17 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:864
++#: sssd-ad.5.xml:883
+ msgid "Default: 30 days"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-ad.5.xml:870
++#: sssd-ad.5.xml:889
+ msgid "ad_machine_account_password_renewal_opts (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:873
++#: sssd-ad.5.xml:892
+ msgid ""
+ "This option should only be used to test the machine account renewal task. "
+ "The option expects 2 integers separated by a colon (':'). The first integer "
+@@ -10286,12 +10464,12 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:882
++#: sssd-ad.5.xml:901
+ msgid "Default: 86400:750 (24h and 15m)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:891
++#: sssd-ad.5.xml:910
+ msgid ""
+ "Optional. This option tells SSSD to automatically update the Active "
+ "Directory DNS server with the IP address of this client. The update is "
+@@ -10302,19 +10480,19 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:921
++#: sssd-ad.5.xml:940
+ msgid "Default: 3600 (seconds)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:937
++#: sssd-ad.5.xml:956
+ msgid ""
+ "Default: Use the IP addresses of the interface which is used for AD LDAP "
+ "connection"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:950
++#: sssd-ad.5.xml:969
+ msgid ""
+ "How often should the back end perform periodic DNS update in addition to the "
+ "automatic update performed when the back end goes online.  This option is "
+@@ -10324,12 +10502,12 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+-#: sssd-ad.5.xml:973 sss_rpcidmapd.5.xml:76
++#: sssd-ad.5.xml:992 sss_rpcidmapd.5.xml:76
+ msgid "Default: True"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd-ad.5.xml:1065
++#: sssd-ad.5.xml:1084
+ msgid ""
+ "The following example assumes that SSSD is correctly configured and example."
+ "com is one of the domains in the <replaceable>[sssd]</replaceable> section. "
+@@ -10337,7 +10515,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><programlisting>
+-#: sssd-ad.5.xml:1072
++#: sssd-ad.5.xml:1091
+ #, no-wrap
+ msgid ""
+ "[domain/EXAMPLE]\n"
+@@ -10352,7 +10530,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><programlisting>
+-#: sssd-ad.5.xml:1092
++#: sssd-ad.5.xml:1111
+ #, no-wrap
+ msgid ""
+ "access_provider = ldap\n"
+@@ -10361,7 +10539,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd-ad.5.xml:1088
++#: sssd-ad.5.xml:1107
+ msgid ""
+ "The AD access control provider checks if the account is expired.  It has the "
+ "same effect as the following configuration of the LDAP provider: "
+@@ -10369,7 +10547,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd-ad.5.xml:1098
++#: sssd-ad.5.xml:1117
+ msgid ""
+ "However, unless the <quote>ad</quote> access control provider is explicitly "
+ "configured, the default access provider is <quote>permit</quote>. Please "
+@@ -10379,7 +10557,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd-ad.5.xml:1106
++#: sssd-ad.5.xml:1125
+ msgid ""
+ "When the autofs provider is set to <quote>ad</quote>, the RFC2307 schema "
+ "attribute mapping (nisMap, nisObject, ...) is used, because these attributes "
+@@ -11837,23 +12015,61 @@ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd-krb5.5.xml:505
+-msgid "krb5_use_enterprise_principal (boolean)"
++msgid "krb5_kdcinfo_lookahead (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-krb5.5.xml:508
+ msgid ""
++"When krb5_use_kdcinfo is set to true, you can limit the amount of servers "
++"handed to <citerefentry> <refentrytitle>sssd_krb5_locator_plugin</"
++"refentrytitle> <manvolnum>8</manvolnum> </citerefentry>.  This might be "
++"helpful when there are too many servers discovered using SRV record."
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
++#: sssd-krb5.5.xml:518
++msgid ""
++"The krb5_kdcinfo_lookahead option contains two numbers seperated by a colon. "
++"The first number represents number of primary servers used and the second "
++"number specifies the number of backup servers."
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
++#: sssd-krb5.5.xml:524
++msgid ""
++"For example <emphasis>10:0</emphasis> means that up to 10 primary servers "
++"will be handed to <citerefentry> <refentrytitle>sssd_krb5_locator_plugin</"
++"refentrytitle> <manvolnum>8</manvolnum> </citerefentry>.  but no backup "
++"servers."
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
++#: sssd-krb5.5.xml:533
++#, fuzzy
++#| msgid "Default: 3"
++msgid "Default: 3:1"
++msgstr "默认: 3"
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
++#: sssd-krb5.5.xml:539
++msgid "krb5_use_enterprise_principal (boolean)"
++msgstr ""
++
++#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
++#: sssd-krb5.5.xml:542
++msgid ""
+ "Specifies if the user principal should be treated as enterprise principal. "
+ "See section 5 of RFC 6806 for more details about enterprise principals."
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-krb5.5.xml:514
++#: sssd-krb5.5.xml:548
+ msgid "Default: false (AD provider: true)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-krb5.5.xml:517
++#: sssd-krb5.5.xml:551
+ msgid ""
+ "The IPA provider will set to option to 'true' if it detects that the server "
+ "is capable of handling enterprise principals and the option is not set "
+@@ -11861,12 +12077,12 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+-#: sssd-krb5.5.xml:526
++#: sssd-krb5.5.xml:560
+ msgid "krb5_map_user (string)"
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-krb5.5.xml:529
++#: sssd-krb5.5.xml:563
+ msgid ""
+ "The list of mappings is given as a comma-separated list of pairs "
+ "<quote>username:primary</quote> where <quote>username</quote> is a UNIX user "
+@@ -11876,7 +12092,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
+-#: sssd-krb5.5.xml:541
++#: sssd-krb5.5.xml:575
+ #, no-wrap
+ msgid ""
+ "krb5_realm = REALM\n"
+@@ -11884,7 +12100,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+-#: sssd-krb5.5.xml:546
++#: sssd-krb5.5.xml:580
+ msgid ""
+ "<quote>joe</quote> and <quote>dick</quote> are UNIX user names and "
+ "<quote>juser</quote> and <quote>richard</quote> are primaries of kerberos "
+@@ -11904,7 +12120,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+-#: sssd-krb5.5.xml:572
++#: sssd-krb5.5.xml:606
+ msgid ""
+ "The following example assumes that SSSD is correctly configured and FOO is "
+ "one of the domains in the <replaceable>[sssd]</replaceable> section. This "
+@@ -11913,7 +12129,7 @@ msgid ""
+ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><programlisting>
+-#: sssd-krb5.5.xml:580
++#: sssd-krb5.5.xml:614
+ #, no-wrap
+ msgid ""
+ "[domain/FOO]\n"
+-- 
+2.20.1
+
diff --git a/SOURCES/0101-zanata-Pull-new-translations-for-7.8-branch.patch b/SOURCES/0101-zanata-Pull-new-translations-for-7.8-branch.patch
new file mode 100644
index 0000000..148ff27
--- /dev/null
+++ b/SOURCES/0101-zanata-Pull-new-translations-for-7.8-branch.patch
@@ -0,0 +1,20866 @@
+From db0d85d77c7427273bb77264d23e994803f74ad6 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Michal=20=C5=BDidek?= <mzidek@redhat.com>
+Date: Thu, 7 Nov 2019 14:43:54 +0100
+Subject: [PATCH] zanata: Pull new translations for 7.8 branch
+
+Also fixed issues with missing '\n' in French
+and Japanese translations. The po.cs changes were
+not included.
+---
+ po/bg.po                 |    3 +-
+ po/ca.po                 |    9 +-
+ po/de.po                 |    9 +-
+ po/es.po                 |   28 +-
+ po/eu.po                 |    3 +-
+ po/fr.po                 |  398 +++--
+ po/hu.po                 |    3 +-
+ po/it.po                 |    3 +-
+ po/ja.po                 |   43 +-
+ po/nl.po                 |    9 +-
+ po/pl.po                 |   68 +-
+ po/pt.po                 |    3 +-
+ po/ru.po                 |    3 +-
+ po/sv.po                 |   28 +-
+ po/uk.po                 |   43 +-
+ po/zh_TW.po              |    3 +-
+ src/man/po/br.po         |   12 +-
+ src/man/po/ca.po         |  118 +-
+ src/man/po/cs.po         |  215 +--
+ src/man/po/de.po         |  122 +-
+ src/man/po/es.po         | 1463 ++++++++++++-----
+ src/man/po/eu.po         |    4 +-
+ src/man/po/fi.po         |   28 +-
+ src/man/po/fr.po         |  130 +-
+ src/man/po/ja.po         |  139 +-
+ src/man/po/lv.po         |   28 +-
+ src/man/po/nl.po         |   12 +-
+ src/man/po/pt.po         |   36 +-
+ src/man/po/pt_BR.po      |    4 +-
+ src/man/po/ru.po         |   24 +-
+ src/man/po/sssd-docs.pot |    2 +-
+ src/man/po/sv.po         | 3262 +++++++++++++++++++++++++++++---------
+ src/man/po/tg.po         |   20 +-
+ src/man/po/uk.po         | 1113 +++----------
+ src/man/po/zh_CN.po      |   12 +-
+ 35 files changed, 4366 insertions(+), 3034 deletions(-)
+
+diff --git a/po/bg.po b/po/bg.po
+index 8c6f24937..375cbb618 100644
+--- a/po/bg.po
++++ b/po/bg.po
+@@ -844,9 +844,8 @@ msgid "The Schema Type in use on the LDAP server, rfc2307"
+ msgstr "Използваният тип схема на LDAP сървъра, rfc2307"
+ 
+ #: src/config/SSSDConfig/__init__.py.in:284
+-#, fuzzy
+ msgid "Mode used to change user password"
+-msgstr "Паролата Ви е остаряла. Сменете я сега."
++msgstr ""
+ 
+ #: src/config/SSSDConfig/__init__.py.in:285
+ msgid "The default bind DN"
+diff --git a/po/ca.po b/po/ca.po
+index b982b4c65..0fe1da34e 100644
+--- a/po/ca.po
++++ b/po/ca.po
+@@ -932,9 +932,8 @@ msgid "The Schema Type in use on the LDAP server, rfc2307"
+ msgstr "El tipus d'esquema en ús al servidor LDAP, rfc2307"
+ 
+ #: src/config/SSSDConfig/__init__.py.in:284
+-#, fuzzy
+ msgid "Mode used to change user password"
+-msgstr "La contrasenya ha vençut. Canvieu ara la vostra contrasenya."
++msgstr ""
+ 
+ #: src/config/SSSDConfig/__init__.py.in:285
+ msgid "The default bind DN"
+@@ -1381,14 +1380,12 @@ msgid "Number of secondary slices"
+ msgstr ""
+ 
+ #: src/config/SSSDConfig/__init__.py.in:410
+-#, fuzzy
+ msgid "Use LDAP_MATCHING_RULE_IN_CHAIN for group lookups"
+-msgstr "DN base per a la recerca del grup"
++msgstr ""
+ 
+ #: src/config/SSSDConfig/__init__.py.in:411
+-#, fuzzy
+ msgid "Use LDAP_MATCHING_RULE_IN_CHAIN for initgroup lookups"
+-msgstr "DN base per a la recerca del grup de xarxa"
++msgstr ""
+ 
+ #: src/config/SSSDConfig/__init__.py.in:412
+ msgid "Whether to use Token-Groups"
+diff --git a/po/de.po b/po/de.po
+index 3768e164c..8e979e0f8 100644
+--- a/po/de.po
++++ b/po/de.po
+@@ -900,9 +900,8 @@ msgid "The Schema Type in use on the LDAP server, rfc2307"
+ msgstr "Der vom LDAP-Server verwendete Schema-Typ gemäß RFC2307"
+ 
+ #: src/config/SSSDConfig/__init__.py.in:284
+-#, fuzzy
+ msgid "Mode used to change user password"
+-msgstr "Passwort ist abgelaufen. Ändern Sie Ihr Passwort jetzt."
++msgstr ""
+ 
+ #: src/config/SSSDConfig/__init__.py.in:285
+ msgid "The default bind DN"
+@@ -1346,14 +1345,12 @@ msgid "Number of secondary slices"
+ msgstr ""
+ 
+ #: src/config/SSSDConfig/__init__.py.in:410
+-#, fuzzy
+ msgid "Use LDAP_MATCHING_RULE_IN_CHAIN for group lookups"
+-msgstr "Basis-DN für Gruppen-Suchanfragen"
++msgstr ""
+ 
+ #: src/config/SSSDConfig/__init__.py.in:411
+-#, fuzzy
+ msgid "Use LDAP_MATCHING_RULE_IN_CHAIN for initgroup lookups"
+-msgstr "Basis-DN für Netzgruppen-Suchanfragen"
++msgstr ""
+ 
+ #: src/config/SSSDConfig/__init__.py.in:412
+ msgid "Whether to use Token-Groups"
+diff --git a/po/es.po b/po/es.po
+index 6171a51fb..5578c0c78 100644
+--- a/po/es.po
++++ b/po/es.po
+@@ -13,12 +13,13 @@
+ # sgallagh <sgallagh@redhat.com>, 2011
+ # vareli <ehespinosa@ya.com>, 2013
+ # Emilio Herrera <ehespinosa57@gmail.com>, 2018. #zanata
++# Emilio Herrera <ehespinosa57@gmail.com>, 2019. #zanata
+ msgid ""
+ msgstr ""
+ "Project-Id-Version: PACKAGE VERSION\n"
+ "Report-Msgid-Bugs-To: sssd-devel@lists.fedorahosted.org\n"
+ "POT-Creation-Date: 2019-10-07 11:34+0200\n"
+-"PO-Revision-Date: 2018-09-10 10:06+0000\n"
++"PO-Revision-Date: 2019-08-26 09:14+0000\n"
+ "Last-Translator: Emilio Herrera <ehespinosa57@gmail.com>\n"
+ "Language-Team: Spanish (http://www.transifex.com/projects/p/sssd/language/"
+ "es/)\n"
+@@ -299,7 +300,7 @@ msgstr ""
+ 
+ #: src/config/SSSDConfig/__init__.py.in:106
+ msgid "Allowed services for using smartcards"
+-msgstr ""
++msgstr "Servicios permitidos usando smartcards"
+ 
+ #: src/config/SSSDConfig/__init__.py.in:109
+ msgid "Whether to evaluate the time-based attributes in sudo rules"
+@@ -956,9 +957,8 @@ msgid "The Schema Type in use on the LDAP server, rfc2307"
+ msgstr "El Tipo de Esquema a usar en el servidor LDAP, rfc2307"
+ 
+ #: src/config/SSSDConfig/__init__.py.in:284
+-#, fuzzy
+ msgid "Mode used to change user password"
+-msgstr "La contraseña ha expirado. Modifíquela en este preciso momento."
++msgstr "Modo usado para cambiar la contraseña de usuario"
+ 
+ #: src/config/SSSDConfig/__init__.py.in:285
+ msgid "The default bind DN"
+@@ -1401,14 +1401,12 @@ msgid "Number of secondary slices"
+ msgstr "Número de trozos secundarios"
+ 
+ #: src/config/SSSDConfig/__init__.py.in:410
+-#, fuzzy
+ msgid "Use LDAP_MATCHING_RULE_IN_CHAIN for group lookups"
+-msgstr "DN base para busqueda de grupos"
++msgstr ""
+ 
+ #: src/config/SSSDConfig/__init__.py.in:411
+-#, fuzzy
+ msgid "Use LDAP_MATCHING_RULE_IN_CHAIN for initgroup lookups"
+-msgstr "DN base para búsquedas de grupos de red"
++msgstr ""
+ 
+ #: src/config/SSSDConfig/__init__.py.in:412
+ msgid "Whether to use Token-Groups"
+@@ -1863,7 +1861,7 @@ msgstr "El puerto a usar para conectar al host"
+ 
+ #: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:210
+ msgid "Print the host ssh public keys"
+-msgstr ""
++msgstr "Imprimir las claves públicas ssh del host"
+ 
+ #: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:252
+ msgid "Invalid port\n"
+@@ -2765,14 +2763,14 @@ msgid ""
+ msgstr ""
+ 
+ #: src/tools/sssctl/sssctl_user_checks.c:91
+-#, fuzzy, c-format
++#, c-format
+ msgid "Unable to connect to the InfoPipe"
+-msgstr "Incapaz de truncar los ficheros de registro\n"
++msgstr ""
+ 
+ #: src/tools/sssctl/sssctl_user_checks.c:97
+-#, fuzzy, c-format
++#, c-format
+ msgid "Unable to get user object"
+-msgstr "Incapaz de obtener la lista de servidores\n"
++msgstr ""
+ 
+ #: src/tools/sssctl/sssctl_user_checks.c:101
+ #, c-format
+@@ -2780,9 +2778,9 @@ msgid "SSSD InfoPipe user lookup result:\n"
+ msgstr "SSSD InfoPipe resultado de la búsqueda de usuario:\n"
+ 
+ #: src/tools/sssctl/sssctl_user_checks.c:113
+-#, fuzzy, c-format
++#, c-format
+ msgid "Unable to get user name attr"
+-msgstr "Incapaz de obtener la lista de servidores\n"
++msgstr ""
+ 
+ #: src/tools/sssctl/sssctl_user_checks.c:146
+ #, c-format
+diff --git a/po/eu.po b/po/eu.po
+index 0d2fea3e2..ad8137ee9 100644
+--- a/po/eu.po
++++ b/po/eu.po
+@@ -840,9 +840,8 @@ msgid "The Schema Type in use on the LDAP server, rfc2307"
+ msgstr ""
+ 
+ #: src/config/SSSDConfig/__init__.py.in:284
+-#, fuzzy
+ msgid "Mode used to change user password"
+-msgstr "Pasahitza iraungita. Aldatu zure pasahitza orain."
++msgstr ""
+ 
+ #: src/config/SSSDConfig/__init__.py.in:285
+ msgid "The default bind DN"
+diff --git a/po/fr.po b/po/fr.po
+index 607e1f99b..b1a02aafd 100644
+--- a/po/fr.po
++++ b/po/fr.po
+@@ -9,13 +9,14 @@
+ # Mariko Vincent <dweu60@gmail.com>, 2012
+ # Jérôme Fenal <jfenal@gmail.com>, 2015. #zanata
+ # Jérôme Fenal <jfenal@gmail.com>, 2016. #zanata
++# corina roe <croe@redhat.com>, 2019. #zanata
+ msgid ""
+ msgstr ""
+ "Project-Id-Version: PACKAGE VERSION\n"
+ "Report-Msgid-Bugs-To: sssd-devel@lists.fedorahosted.org\n"
+ "POT-Creation-Date: 2019-10-07 11:34+0200\n"
+-"PO-Revision-Date: 2016-02-24 03:43+0000\n"
+-"Last-Translator: Jérôme Fenal <jfenal@gmail.com>\n"
++"PO-Revision-Date: 2019-10-09 01:48+0000\n"
++"Last-Translator: corina roe <croe@redhat.com>\n"
+ "Language-Team: French (http://www.transifex.com/projects/p/sssd/language/"
+ "fr/)\n"
+ "Language: fr\n"
+@@ -45,7 +46,7 @@ msgstr "Écrire les messages de débogage dans les journaux"
+ 
+ #: src/config/SSSDConfig/__init__.py.in:48
+ msgid "Watchdog timeout before restarting service"
+-msgstr ""
++msgstr "Délai d'attente de réponse avant de redémarrer le service"
+ 
+ #: src/config/SSSDConfig/__init__.py.in:49
+ msgid "Command to start service"
+@@ -59,7 +60,7 @@ msgstr "Nombre d'essais pour tenter de se connecter au fournisseur de données"
+ msgid "The number of file descriptors that may be opened by this responder"
+ msgstr ""
+ "Le nombre de descripteurs de fichiers qui peuvent être ouverts par ce "
+-"répondeur"
++"répondant"
+ 
+ #: src/config/SSSDConfig/__init__.py.in:52
+ msgid "Idle time before automatic disconnection of a client"
+@@ -67,11 +68,12 @@ msgstr "durée d'inactivité avant la déconnexion automatique d'un client"
+ 
+ #: src/config/SSSDConfig/__init__.py.in:53
+ msgid "Idle time before automatic shutdown of the responder"
+-msgstr ""
++msgstr "durée d'inactivité avant la déconnexion automatique d'un répondant"
+ 
+ #: src/config/SSSDConfig/__init__.py.in:54
+ msgid "Always query all the caches before querying the Data Providers"
+ msgstr ""
++"Recherchez tous les caches avant d'interroger les Fournisseurs de données"
+ 
+ #: src/config/SSSDConfig/__init__.py.in:57
+ msgid "SSSD Services to start"
+@@ -113,7 +115,7 @@ msgstr "L'utilisation vers lequel abandonner les privilèges"
+ 
+ #: src/config/SSSDConfig/__init__.py.in:65
+ msgid "Tune certificate verification"
+-msgstr ""
++msgstr "Ajuster la vérification des certificats"
+ 
+ #: src/config/SSSDConfig/__init__.py.in:66
+ msgid "All spaces in group or user names will be replaced with this character"
+@@ -124,14 +126,15 @@ msgstr ""
+ #: src/config/SSSDConfig/__init__.py.in:67
+ msgid "Tune sssd to honor or ignore netlink state changes"
+ msgstr ""
++"Ajuster sssd pour honnorer ou ignorer les modifications d'état de netlink"
+ 
+ #: src/config/SSSDConfig/__init__.py.in:68
+ msgid "Enable or disable the implicit files domain"
+-msgstr ""
++msgstr "Activer ou désactiver le domaine des fichiers implicites"
+ 
+ #: src/config/SSSDConfig/__init__.py.in:69
+ msgid "A specific order of the domains to be looked up"
+-msgstr ""
++msgstr "Ordre spécifique des domaines à interroger"
+ 
+ #: src/config/SSSDConfig/__init__.py.in:72
+ msgid "Enumeration cache timeout length (seconds)"
+@@ -150,7 +153,7 @@ msgstr "Délai d'attente du cache négatif (en secondes)"
+ 
+ #: src/config/SSSDConfig/__init__.py.in:75
+ msgid "Files negative cache timeout length (seconds)"
+-msgstr ""
++msgstr "Délai d'attente du cache négatif (en secondes)"
+ 
+ #: src/config/SSSDConfig/__init__.py.in:76
+ msgid "Users that SSSD should explicitly ignore"
+@@ -215,6 +218,7 @@ msgstr "Durée de maintien en cache des enregistrements valides"
+ #: src/config/SSSDConfig/__init__.py.in:88
+ msgid "List of user attributes the NSS responder is allowed to publish"
+ msgstr ""
++"Liste des attributs utilisateur que le répondant NSS est autorisé à publier"
+ 
+ #: src/config/SSSDConfig/__init__.py.in:91
+ msgid "How long to allow cached logins between online logins (days)"
+@@ -242,7 +246,7 @@ msgstr ""
+ 
+ #: src/config/SSSDConfig/__init__.py.in:95
+ msgid "Filter PAM responses sent to the pam_sss"
+-msgstr ""
++msgstr "Filtrer les réponses PAM envoyées à pam_sss"
+ 
+ #: src/config/SSSDConfig/__init__.py.in:96
+ msgid "How many seconds to keep identity information cached for PAM requests"
+@@ -272,27 +276,29 @@ msgstr "Message affiché lorsque le compte a expiré"
+ 
+ #: src/config/SSSDConfig/__init__.py.in:101
+ msgid "Message printed when user account is locked."
+-msgstr ""
++msgstr "Message affiché lorsque le compte utilsateur est verrouillé."
+ 
+ #: src/config/SSSDConfig/__init__.py.in:102
+ msgid "Allow certificate based/Smartcard authentication."
+-msgstr ""
++msgstr "Autoriser l’authentification Smartcard/basée certificat."
+ 
+ #: src/config/SSSDConfig/__init__.py.in:103
+ msgid "Path to certificate database with PKCS#11 modules."
+ msgstr ""
++"Chemin d'accès à la base de données certificat avec les modules PKCS#11."
+ 
+ #: src/config/SSSDConfig/__init__.py.in:104
+ msgid "How many seconds will pam_sss wait for p11_child to finish"
+ msgstr ""
++"Durée en secondes durant laquelle pam_sss attend que p11_child se termine"
+ 
+ #: src/config/SSSDConfig/__init__.py.in:105
+ msgid "Which PAM services are permitted to contact application domains"
+-msgstr ""
++msgstr "Services PAM pouvant contacter les domaines d'application"
+ 
+ #: src/config/SSSDConfig/__init__.py.in:106
+ msgid "Allowed services for using smartcards"
+-msgstr ""
++msgstr "Services autorisés à utiliser les smartcards"
+ 
+ #: src/config/SSSDConfig/__init__.py.in:109
+ msgid "Whether to evaluate the time-based attributes in sudo rules"
+@@ -301,12 +307,16 @@ msgstr "Faut-il évaluer les attributs dépendants du temps dans les règles sud
+ #: src/config/SSSDConfig/__init__.py.in:110
+ msgid "If true, SSSD will switch back to lower-wins ordering logic"
+ msgstr ""
++"Si positionnée à true, SSSD retournera à la logique d'ordonnancement lower-"
++"wins (plus faibles gagnant)"
+ 
+ #: src/config/SSSDConfig/__init__.py.in:111
+ msgid ""
+ "Maximum number of rules that can be refreshed at once. If this is exceeded, "
+ "full refresh is performed."
+ msgstr ""
++"Nombre maximum de règles pouvant être rafraîchies d'un seul coup. Si ce "
++"nombre est dépassé, un rafraîchissement total sera effectué."
+ 
+ #: src/config/SSSDConfig/__init__.py.in:117
+ msgid "Whether to hash host names and addresses in the known_hosts file"
+@@ -323,21 +333,21 @@ msgstr ""
+ 
+ #: src/config/SSSDConfig/__init__.py.in:119
+ msgid "Path to storage of trusted CA certificates"
+-msgstr ""
++msgstr "Chemin du fichier contenant les certificats CA"
+ 
+ #: src/config/SSSDConfig/__init__.py.in:122
+ msgid "List of UIDs or user names allowed to access the PAC responder"
+ msgstr ""
+-"Listes des UID ou nom d'utilisateurs autorisés à accéder le répondeur PAC"
++"Listes des UID ou nom d'utilisateurs autorisés à accéder le répondant PAC"
+ 
+ #: src/config/SSSDConfig/__init__.py.in:123
+ msgid "How long the PAC data is considered valid"
+-msgstr ""
++msgstr "Durée pendant laquelle les données PAC sont considérées valides"
+ 
+ #: src/config/SSSDConfig/__init__.py.in:126
+ msgid "List of UIDs or user names allowed to access the InfoPipe responder"
+ msgstr ""
+-"Listes des UID ou nom d'utilisateurs autorisés à accéder le répondeur "
++"Listes des UID ou nom d'utilisateurs autorisés à accéder le répondant "
+ "InfoPipe"
+ 
+ #: src/config/SSSDConfig/__init__.py.in:127
+@@ -346,83 +356,93 @@ msgstr "Liste des attributs utilisateur que l'InfoPipe est autorisé à publier"
+ 
+ #: src/config/SSSDConfig/__init__.py.in:130
+ msgid "The provider where the secrets will be stored in"
+-msgstr ""
++msgstr "Fournisseur détenant les secrets"
+ 
+ #: src/config/SSSDConfig/__init__.py.in:131
+ msgid "The maximum allowed number of nested containers"
+-msgstr ""
++msgstr "Le nombre maximum de conteneurs imbriqués autorisé"
+ 
+ #: src/config/SSSDConfig/__init__.py.in:132
+ msgid "The maximum number of secrets that can be stored"
+-msgstr ""
++msgstr "Le nombre maximum de secrets pouvant être stockés"
+ 
+ #: src/config/SSSDConfig/__init__.py.in:133
+ msgid "The maximum number of secrets that can be stored per UID"
+-msgstr ""
++msgstr "Le nombre maximum de secrets pouvant être stockés par UID"
+ 
+ #: src/config/SSSDConfig/__init__.py.in:134
+ msgid "The maximum payload size of a secret in kilobytes"
+-msgstr ""
++msgstr "La taille de charge utile maximum d'un secret en kilobytes"
+ 
+ #: src/config/SSSDConfig/__init__.py.in:136
+ msgid "The URL Custodia server is listening on"
+-msgstr ""
++msgstr "L'URL que le serveur Custodia écoute"
+ 
+ #: src/config/SSSDConfig/__init__.py.in:137
+ msgid "The method to use when authenticating to a Custodia server"
+-msgstr ""
++msgstr "La méthode à utiliser pour l'authentification à un serveur Custodia"
+ 
+ #: src/config/SSSDConfig/__init__.py.in:138
+ msgid ""
+ "The name of the headers that will be added into a HTTP request with the "
+ "value defined in auth_header_value"
+ msgstr ""
++"Le nom des en-têtes qui seront ajoutés à la demande HTTP avec une valeur "
++"définie dans auth_header_value"
+ 
+ #: src/config/SSSDConfig/__init__.py.in:139
+ msgid "The value sssd-secrets would use for auth_header_name"
+-msgstr ""
++msgstr "La valeur que sssd-secrets utilisent pour auth_header_name"
+ 
+ #: src/config/SSSDConfig/__init__.py.in:140
+ msgid ""
+ "The list of the headers to forward to the Custodia server together with the "
+ "request"
+-msgstr ""
++msgstr "Liste des en-têtes à envoyer au serveur Custodia avec la demande"
+ 
+ #: src/config/SSSDConfig/__init__.py.in:141
+ msgid ""
+ "The username to use when authenticating to a Custodia server using basic_auth"
+ msgstr ""
++"Le nom d'utilisateur à utiliser lors de l'authentification à un serveur "
++"Custodia quand on utilise basic_auth"
+ 
+ #: src/config/SSSDConfig/__init__.py.in:142
+ msgid ""
+ "The password to use when authenticating to a Custodia server using basic_auth"
+ msgstr ""
++"Le mot de passe à utiliser quand on authentifie un serveur Custodia avec "
++"basic_auth"
+ 
+ #: src/config/SSSDConfig/__init__.py.in:143
+ msgid "If true peer's certificate is verified if proxy_url uses https protocol"
+ msgstr ""
++"Si défini sur true, le certificat du pair sera vérifié si proxy_url utilise "
++"le protocole https"
+ 
+ #: src/config/SSSDConfig/__init__.py.in:144
+ msgid ""
+ "If false peer's certificate may contain different hostname than proxy_url "
+ "when https protocol is used"
+ msgstr ""
++"Si défini sur false, le certificat du pair peut contenir un nom d'hôte "
++"différent que celui du proxy-url quand le protocole https est utilisé."
+ 
+ #: src/config/SSSDConfig/__init__.py.in:145
+ msgid "Path to directory where certificate authority certificates are stored"
+-msgstr ""
++msgstr "Chemin du répertoire où les certificats CA sont stockés"
+ 
+ #: src/config/SSSDConfig/__init__.py.in:146
+ msgid "Path to file containing server's CA certificate"
+-msgstr ""
++msgstr "Chemin d'accès au fichier contenant le certificat CA du serveur"
+ 
+ #: src/config/SSSDConfig/__init__.py.in:147
+ msgid "Path to file containing client's certificate"
+-msgstr ""
++msgstr "Chemin d'accès au fichier contenant le certificat du client"
+ 
+ #: src/config/SSSDConfig/__init__.py.in:148
+ msgid "Path to file containing client's private key"
+-msgstr ""
++msgstr "Chemin d'accès au fichier contenant la clé privée du client"
+ 
+ #: src/config/SSSDConfig/__init__.py.in:151
+ msgid "Identity provider"
+@@ -454,15 +474,15 @@ msgstr "Fournisseur d'identité de l'hôte"
+ 
+ #: src/config/SSSDConfig/__init__.py.in:158
+ msgid "SELinux provider"
+-msgstr ""
++msgstr "Fournisseur SELinux"
+ 
+ #: src/config/SSSDConfig/__init__.py.in:159
+ msgid "Session management provider"
+-msgstr ""
++msgstr "Fournisseur de gestion des sessions"
+ 
+ #: src/config/SSSDConfig/__init__.py.in:162
+ msgid "Whether the domain is usable by the OS or by applications"
+-msgstr ""
++msgstr "Indique si le domaine est utilisable par le SE ou par les applications"
+ 
+ #: src/config/SSSDConfig/__init__.py.in:163
+ msgid "Minimum user ID"
+@@ -482,7 +502,7 @@ msgstr "Mettre en cache les crédits pour une connexion hors-ligne"
+ 
+ #: src/config/SSSDConfig/__init__.py.in:167
+ msgid "Store password hashes"
+-msgstr ""
++msgstr "Stocke les hâchages de mots de passe"
+ 
+ #: src/config/SSSDConfig/__init__.py.in:168
+ msgid "Display users/groups in fully-qualified form"
+@@ -573,7 +593,7 @@ msgstr ""
+ 
+ #: src/config/SSSDConfig/__init__.py.in:191
+ msgid "Override the DNS server used to perform the DNS update"
+-msgstr ""
++msgstr "Remplace le serveur DNS utilisé pour la mise à jour DNS"
+ 
+ #: src/config/SSSDConfig/__init__.py.in:192
+ msgid "Control enumeration of trusted domains"
+@@ -589,15 +609,17 @@ msgstr "Listes des options qui doivent être héritées dans le sous-domaine"
+ 
+ #: src/config/SSSDConfig/__init__.py.in:195
+ msgid "Default subdomain homedir value"
+-msgstr ""
++msgstr "Valeur par défaut du sous-domaine homedir"
+ 
+ #: src/config/SSSDConfig/__init__.py.in:196
+ msgid "How long can cached credentials be used for cached authentication"
+ msgstr ""
++"Durée pendant laquelle les identifiants cache peuvent être utilisés pour "
++"l'authentification cache."
+ 
+ #: src/config/SSSDConfig/__init__.py.in:199
+ msgid "Whether to automatically create private groups for users"
+-msgstr ""
++msgstr "Indique si on doit utiliser des groupes privés pour les utilisateurs"
+ 
+ #: src/config/SSSDConfig/__init__.py.in:202
+ msgid "IPA domain"
+@@ -691,19 +713,23 @@ msgstr "Classe d'objet surchargeant les groupes"
+ 
+ #: src/config/SSSDConfig/__init__.py.in:224
+ msgid "Search base for Desktop Profile related objects"
+-msgstr ""
++msgstr "Base de recherche pour les objets liés au profile de bureau"
+ 
+ #: src/config/SSSDConfig/__init__.py.in:225
+ msgid ""
+ "The amount of time in seconds between lookups of the Desktop Profile rules "
+ "against the IPA server"
+ msgstr ""
++"Durée en secondes entre les recherches de règles de profils de bureau dans "
++"le serveur IPA"
+ 
+ #: src/config/SSSDConfig/__init__.py.in:226
+ msgid ""
+ "The amount of time in minutes between lookups of Desktop Profiles rules "
+ "against the IPA server when the last request did not find any rule"
+ msgstr ""
++"Durée en minutes entre les recherches de règles de profils de bureau dans le "
++"serveur IPA quand la dernière recherche n'a trouvé aucune règle"
+ 
+ #: src/config/SSSDConfig/__init__.py.in:229
+ msgid "Active Directory domain"
+@@ -711,7 +737,7 @@ msgstr "Domaine Active Directory"
+ 
+ #: src/config/SSSDConfig/__init__.py.in:230
+ msgid "Enabled Active Directory domains"
+-msgstr ""
++msgstr "Domaines Actice Directory autorisés"
+ 
+ #: src/config/SSSDConfig/__init__.py.in:231
+ msgid "Active Directory server address"
+@@ -809,11 +835,11 @@ msgstr "un site particulier utilisé par le client"
+ #: src/config/SSSDConfig/__init__.py.in:248
+ msgid ""
+ "Maximum age in days before the machine account password should be renewed"
+-msgstr ""
++msgstr "Nombre de jours précédent l'expiration du mot de passe "
+ 
+ #: src/config/SSSDConfig/__init__.py.in:249
+ msgid "Option for tuning the machine account renewal task"
+-msgstr ""
++msgstr "Option de renouvellement automatique du compte de la machine"
+ 
+ #: src/config/SSSDConfig/__init__.py.in:252
+ #: src/config/SSSDConfig/__init__.py.in:253
+@@ -893,6 +919,8 @@ msgstr "Active les principals d'entreprise"
+ #: src/config/SSSDConfig/__init__.py.in:273
+ msgid "A mapping from user names to Kerberos principal names"
+ msgstr ""
++"Une liste de correspondances entre noms d'utilisateurs et noms de principaux "
++"kerberos"
+ 
+ #: src/config/SSSDConfig/__init__.py.in:276
+ #: src/config/SSSDConfig/__init__.py.in:277
+@@ -918,9 +946,8 @@ msgid "The Schema Type in use on the LDAP server, rfc2307"
+ msgstr "Le type de schéma utilisé sur le serveur LDAP, rfc2307"
+ 
+ #: src/config/SSSDConfig/__init__.py.in:284
+-#, fuzzy
+ msgid "Mode used to change user password"
+-msgstr "Mot de passe expiré. Changez votre mot de passe maintenant."
++msgstr "Mode utilisé pour modifier le mot de passe utilisateur"
+ 
+ #: src/config/SSSDConfig/__init__.py.in:285
+ msgid "The default bind DN"
+@@ -1187,7 +1214,7 @@ msgstr "Attribut listant les systèmes serveurs autorisés"
+ 
+ #: src/config/SSSDConfig/__init__.py.in:355
+ msgid "Attribute listing authorized server rhosts"
+-msgstr ""
++msgstr "Attribut répertoriant les rhosts de serveur autorisés"
+ 
+ #: src/config/SSSDConfig/__init__.py.in:356
+ msgid "krbLastPwdChange attribute"
+@@ -1241,7 +1268,7 @@ msgstr "attribut contenant le certificat X509 de l'utilisateur"
+ 
+ #: src/config/SSSDConfig/__init__.py.in:368
+ msgid "attribute containing the email address of the user"
+-msgstr ""
++msgstr "attribut contenant l'adresse email de l'utilisateur"
+ 
+ #: src/config/SSSDConfig/__init__.py.in:370
+ msgid "A list of extra attributes to download along with the user entry"
+@@ -1287,11 +1314,11 @@ msgstr "Type de groupe et autres indicateurs"
+ 
+ #: src/config/SSSDConfig/__init__.py.in:384
+ msgid "The LDAP group external member attribute"
+-msgstr ""
++msgstr "L'attribut du membre externe du groupe LDAP"
+ 
+ #: src/config/SSSDConfig/__init__.py.in:386
+ msgid "Maximum nesting level SSSD will follow"
+-msgstr ""
++msgstr "Le nombre de niveaux d'imbrication que SSSD suivra"
+ 
+ #: src/config/SSSDConfig/__init__.py.in:388
+ msgid "Base DN for netgroup lookups"
+@@ -1364,17 +1391,15 @@ msgstr "SID du domaine par défaut pour la correspondance d'ID"
+ 
+ #: src/config/SSSDConfig/__init__.py.in:408
+ msgid "Number of secondary slices"
+-msgstr ""
++msgstr "Nombre de tranches secondaires"
+ 
+ #: src/config/SSSDConfig/__init__.py.in:410
+-#, fuzzy
+ msgid "Use LDAP_MATCHING_RULE_IN_CHAIN for group lookups"
+-msgstr "DN de base pour les recherches de groupes"
++msgstr "Utiliser LDAP_MATCHING_RULE_IN_CHAIN pour les recherches de groupes"
+ 
+ #: src/config/SSSDConfig/__init__.py.in:411
+-#, fuzzy
+ msgid "Use LDAP_MATCHING_RULE_IN_CHAIN for initgroup lookups"
+-msgstr "DN de base pour les recherches de netgroup"
++msgstr "Utiliser LDAP_MATCHING_RULE_IN_CHAIN pour les recherches initgroup"
+ 
+ #: src/config/SSSDConfig/__init__.py.in:412
+ msgid "Whether to use Token-Groups"
+@@ -1397,6 +1422,8 @@ msgstr "DN pour les requêtes sur ppolicy"
+ #: src/config/SSSDConfig/__init__.py.in:416
+ msgid "How many maximum entries to fetch during a wildcard request"
+ msgstr ""
++"Nombre d'entrées maximum à récupérer suite à une demande wildcard (caractère "
++"générique)"
+ 
+ #: src/config/SSSDConfig/__init__.py.in:419
+ msgid "Policy to evaluate the password expiration"
+@@ -1564,7 +1591,7 @@ msgstr "Base pour les répertoires utilisateur"
+ 
+ #: src/config/SSSDConfig/__init__.py.in:471
+ msgid "The number of preforked proxy children."
+-msgstr ""
++msgstr "Le nombre de dépendants proxy avant division"
+ 
+ #: src/config/SSSDConfig/__init__.py.in:474
+ msgid "The name of the NSS library to use"
+@@ -1580,11 +1607,11 @@ msgstr "Pile PAM à utiliser"
+ 
+ #: src/config/SSSDConfig/__init__.py.in:481
+ msgid "Path of passwd file sources."
+-msgstr ""
++msgstr "Chemin sources fichiers passwd"
+ 
+ #: src/config/SSSDConfig/__init__.py.in:482
+ msgid "Path of group file sources."
+-msgstr ""
++msgstr "Chemin sources fichiers group"
+ 
+ #: src/monitor/monitor.c:2452
+ msgid "Become a daemon (default)"
+@@ -1596,7 +1623,7 @@ msgstr "Fonctionner en interactif (non démon)"
+ 
+ #: src/monitor/monitor.c:2457
+ msgid "Disable netlink interface"
+-msgstr ""
++msgstr "Désactiver l'interface netlink"
+ 
+ #: src/monitor/monitor.c:2459 src/tools/sssctl/sssctl_logs.c:311
+ msgid "Specify a non-default config file"
+@@ -1605,6 +1632,8 @@ msgstr "Définir un fichier de configuration différent de celui par défaut"
+ #: src/monitor/monitor.c:2461
+ msgid "Refresh the configuration database, then exit"
+ msgstr ""
++"Rafraichissez la configuration de la base de données de configuration, puis "
++"sortir :"
+ 
+ #: src/monitor/monitor.c:2464
+ msgid "Print version number and exit"
+@@ -1612,7 +1641,7 @@ msgstr "Afficher le numéro de version et quitte"
+ 
+ #: src/monitor/monitor.c:2630
+ msgid "SSSD is already running\n"
+-msgstr ""
++msgstr "SSSD déjà en cours d'exécution\n"
+ 
+ #: src/providers/krb5/krb5_child.c:3229 src/providers/ldap/ldap_child.c:605
+ msgid "Debug level"
+@@ -1644,31 +1673,31 @@ msgstr "Le groupe à utiliser pour la création du ccache FAST"
+ 
+ #: src/providers/krb5/krb5_child.c:3245
+ msgid "Kerberos realm to use"
+-msgstr ""
++msgstr "Domaine Kerberos à utiliser"
+ 
+ #: src/providers/krb5/krb5_child.c:3247
+ msgid "Requested lifetime of the ticket"
+-msgstr ""
++msgstr "Durée de vie du ticket demandée"
+ 
+ #: src/providers/krb5/krb5_child.c:3249
+ msgid "Requested renewable lifetime of the ticket"
+-msgstr ""
++msgstr "Durée de vie renouvelable du ticket demandée"
+ 
+ #: src/providers/krb5/krb5_child.c:3251
+ msgid "FAST options ('never', 'try', 'demand')"
+-msgstr ""
++msgstr "Options FAST ('jamais', 'tentative', 'exiger')"
+ 
+ #: src/providers/krb5/krb5_child.c:3254
+ msgid "Specifies the server principal to use for FAST"
+-msgstr ""
++msgstr "Spécifie le nom principal du serveur afin d'utiliser FAST."
+ 
+ #: src/providers/krb5/krb5_child.c:3256
+ msgid "Requests canonicalization of the principal name"
+-msgstr ""
++msgstr "Canonicalisation des demandes du nom principal du serveur"
+ 
+ #: src/providers/krb5/krb5_child.c:3258
+ msgid "Use custom version of krb5_get_init_creds_password"
+-msgstr ""
++msgstr "Utiliser la version personnalisée de krb5_get_init_creds_password"
+ 
+ #: src/providers/data_provider_be.c:582
+ msgid "Domain of the information provider (mandatory)"
+@@ -1772,7 +1801,7 @@ msgstr "Premier facteur :"
+ 
+ #: src/sss_client/pam_sss.c:2131 src/sss_client/pam_sss.c:2294
+ msgid "Second Factor (optional): "
+-msgstr ""
++msgstr "Second facteur (optionnel) :"
+ 
+ #: src/sss_client/pam_sss.c:2134 src/sss_client/pam_sss.c:2297
+ msgid "Second Factor: "
+@@ -1784,7 +1813,7 @@ msgstr "Mot de passe : "
+ 
+ #: src/sss_client/pam_sss.c:2293 src/sss_client/pam_sss.c:2296
+ msgid "First Factor (Current Password): "
+-msgstr ""
++msgstr "Premier facteur (mot de passe actuel) :"
+ 
+ #: src/sss_client/pam_sss.c:2300
+ msgid "Current Password: "
+@@ -1834,7 +1863,7 @@ msgstr "Le port à utiliser pour se connecter à l'hôte"
+ 
+ #: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:210
+ msgid "Print the host ssh public keys"
+-msgstr ""
++msgstr "Afficher les clés publiques SSH hôtes"
+ 
+ #: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:252
+ msgid "Invalid port\n"
+@@ -2307,7 +2336,7 @@ msgstr "Impossible d'invalider %1$s %2$s\n"
+ 
+ #: src/tools/sss_cache.c:704
+ msgid "Invalidate all cached entries"
+-msgstr ""
++msgstr "Invalider toutes les entrées en cache"
+ 
+ #: src/tools/sss_cache.c:706
+ msgid "Invalidate particular user"
+@@ -2355,15 +2384,15 @@ msgstr "Invalider un hôte SSH particulier"
+ 
+ #: src/tools/sss_cache.c:731
+ msgid "Invalidate all SSH hosts"
+-msgstr "Invalider tous les hôtes SSH"
++msgstr "Invalidate all SSH host"
+ 
+ #: src/tools/sss_cache.c:735
+ msgid "Invalidate particular sudo rule"
+-msgstr ""
++msgstr "Annuler règle sudo particulière"
+ 
+ #: src/tools/sss_cache.c:737
+ msgid "Invalidate all cached sudo rules"
+-msgstr ""
++msgstr "Invalider toutes les règles sudo mises en cache"
+ 
+ #: src/tools/sss_cache.c:740
+ msgid "Only invalidate entries from a particular domain"
+@@ -2374,6 +2403,8 @@ msgid ""
+ "Unexpected argument(s) provided, options that invalidate a single object "
+ "only accept a single provided argument.\n"
+ msgstr ""
++"Argument(s) fournis non attendus, options invalidant un objet simple "
++"n'acceptent qu'un seul argument fourni.\n"
+ 
+ #: src/tools/sss_cache.c:804
+ msgid "Please select at least one object to invalidate\n"
+@@ -2410,106 +2441,110 @@ msgstr "%1$s doit être lancé en tant que root\n"
+ 
+ #: src/tools/sssctl/sssctl.c:35
+ msgid "yes"
+-msgstr ""
++msgstr "oui"
+ 
+ #: src/tools/sssctl/sssctl.c:37
+ msgid "no"
+-msgstr ""
++msgstr "non"
+ 
+ #: src/tools/sssctl/sssctl.c:39
+ msgid "error"
+-msgstr ""
++msgstr "erreur"
+ 
+ #: src/tools/sssctl/sssctl.c:42
+ msgid "Invalid result."
+-msgstr ""
++msgstr "résultat non valide"
+ 
+ #: src/tools/sssctl/sssctl.c:78
+ #, c-format
+ msgid "Unable to read user input\n"
+-msgstr ""
++msgstr "Impossible de lire les données de l'utilisateur\n"
+ 
+ #: src/tools/sssctl/sssctl.c:91
+ #, c-format
+ msgid "Invalid input, please provide either '%s' or '%s'.\n"
+-msgstr ""
++msgstr "Données non valides, veuillez fournir « %s » ou « %s ».\n"
+ 
+ #: src/tools/sssctl/sssctl.c:109 src/tools/sssctl/sssctl.c:114
+ #, c-format
+ msgid "Error while executing external command\n"
+-msgstr ""
++msgstr "Erreur lors de l'exécution de la commande externe\n"
+ 
+ #: src/tools/sssctl/sssctl.c:156
+ msgid "SSSD needs to be running. Start SSSD now?"
+ msgstr ""
++"SSSD déjà en cours d'exécution. Souhaitez-vous démarrer SSSD maintenant ?"
+ 
+ #: src/tools/sssctl/sssctl.c:195
+ msgid "SSSD must not be running. Stop SSSD now?"
+ msgstr ""
++"SSSD n'est sans doute pas en cours d'exécution. Souhaitez-vous arrêter SSSD "
++"maintenant ?"
+ 
+ #: src/tools/sssctl/sssctl.c:231
+ msgid "SSSD needs to be restarted. Restart SSSD now?"
+ msgstr ""
++"SSSD doit être démarré à nouveau. Souhaitez-vous redémarrer SSSD maintenant ?"
+ 
+ #: src/tools/sssctl/sssctl_cache.c:31
+ #, c-format
+ msgid " %s is not present in cache.\n"
+-msgstr ""
++msgstr " %s non spécifié dans le cache.\n"
+ 
+ #: src/tools/sssctl/sssctl_cache.c:33
+ msgid "Name"
+-msgstr ""
++msgstr "Nom"
+ 
+ #: src/tools/sssctl/sssctl_cache.c:34
+ msgid "Cache entry creation date"
+-msgstr ""
++msgstr "Date de création de l'entrée cache"
+ 
+ #: src/tools/sssctl/sssctl_cache.c:35
+ msgid "Cache entry last update time"
+-msgstr ""
++msgstr "Mise à jour de l'heure de la dernière entrée cache"
+ 
+ #: src/tools/sssctl/sssctl_cache.c:36
+ msgid "Cache entry expiration time"
+-msgstr ""
++msgstr "Date d'expiration de l'entrée cache"
+ 
+ #: src/tools/sssctl/sssctl_cache.c:37
+ msgid "Cached in InfoPipe"
+-msgstr ""
++msgstr "Mise en cache dans InfoPipe"
+ 
+ #: src/tools/sssctl/sssctl_cache.c:512
+ #, c-format
+ msgid "Error: Unable to get object [%d]: %s\n"
+-msgstr ""
++msgstr "Erreur : impossible d'obtenir l'objet  [%d]: %s\n"
+ 
+ #: src/tools/sssctl/sssctl_cache.c:528
+ #, c-format
+ msgid "%s: Unable to read value [%d]: %s\n"
+-msgstr ""
++msgstr "%s: Impossible de lire la valeur [%d]: %s\n"
+ 
+ #: src/tools/sssctl/sssctl_cache.c:556
+ msgid "Specify name."
+-msgstr ""
++msgstr "Spécifier le nom"
+ 
+ #: src/tools/sssctl/sssctl_cache.c:566
+ #, c-format
+ msgid "Unable to parse name %s.\n"
+-msgstr ""
++msgstr "Impossible d'analyser le nom : %s\n"
+ 
+ #: src/tools/sssctl/sssctl_cache.c:592 src/tools/sssctl/sssctl_cache.c:639
+ msgid "Search by SID"
+-msgstr ""
++msgstr "Rechercher par SID"
+ 
+ #: src/tools/sssctl/sssctl_cache.c:593
+ msgid "Search by user ID"
+-msgstr ""
++msgstr "Rechercher par Nom d'utilisateur"
+ 
+ #: src/tools/sssctl/sssctl_cache.c:602
+ msgid "Initgroups expiration time"
+-msgstr ""
++msgstr "Date d'expiration initgroups"
+ 
+ #: src/tools/sssctl/sssctl_cache.c:640
+ msgid "Search by group ID"
+-msgstr ""
++msgstr "Rechercher par ID de groupe"
+ 
+ #: src/tools/sssctl/sssctl_config.c:67
+ #, c-format
+@@ -2517,172 +2552,182 @@ msgid ""
+ "File %1$s does not exist. SSSD will use default configuration with files "
+ "provider.\n"
+ msgstr ""
++"Le fichier %1$s n'existe pas. SSSD utilisera la configuration par défaut "
++"pour les fournisseurs de fichiers.\n"
+ 
+ #: src/tools/sssctl/sssctl_config.c:81
+ #, c-format
+ msgid ""
+ "File ownership and permissions check failed. Expected root:root and 0600.\n"
+ msgstr ""
++"La vérification de la propriété et des permissions des fichiers ont échoué. "
++"Résultat attendu root:root et 0600.\n"
+ 
+ #: src/tools/sssctl/sssctl_config.c:104
+ #, c-format
+ msgid "Issues identified by validators: %zu\n"
+-msgstr ""
++msgstr "Problèmes identifiés par les validateurs: %zu\n"
+ 
+ #: src/tools/sssctl/sssctl_config.c:114
+ #, c-format
+ msgid "Messages generated during configuration merging: %zu\n"
+-msgstr ""
++msgstr "Messages générés lors du regroupement de configuration : %zu\n"
+ 
+ #: src/tools/sssctl/sssctl_config.c:127
+ #, c-format
+ msgid "Used configuration snippet files: %u\n"
+-msgstr ""
++msgstr "Fichiers snippet de configuration utilisés : %u\n"
+ 
+ #: src/tools/sssctl/sssctl_data.c:89
+ #, c-format
+ msgid "Unable to create backup directory [%d]: %s"
+-msgstr ""
++msgstr "Impossible de créer un répertoire de sauvegarde [%d] : %s"
+ 
+ #: src/tools/sssctl/sssctl_data.c:95
+ msgid "SSSD backup of local data already exists, override?"
+ msgstr ""
++"La sauvegarde des données locales SSSD est déjà existante, souhaitez-vous la "
++"remplacer ?"
+ 
+ #: src/tools/sssctl/sssctl_data.c:111
+ #, c-format
+ msgid "Unable to export user overrides\n"
+-msgstr ""
++msgstr "Impossible d'exporter les substitutions des utilisateurs\n"
+ 
+ #: src/tools/sssctl/sssctl_data.c:118
+ #, c-format
+ msgid "Unable to export group overrides\n"
+-msgstr ""
++msgstr "Impossible d'exporter les substitutions des groupes\n"
+ 
+ #: src/tools/sssctl/sssctl_data.c:134 src/tools/sssctl/sssctl_data.c:217
+ msgid "Override existing backup"
+-msgstr ""
++msgstr "Substitution de la sauvegarde existante"
+ 
+ #: src/tools/sssctl/sssctl_data.c:164
+ #, c-format
+ msgid "Unable to import user overrides\n"
+-msgstr ""
++msgstr "Impossible d'importer les substitutions de l'utilisateur\n"
+ 
+ #: src/tools/sssctl/sssctl_data.c:173
+ #, c-format
+ msgid "Unable to import group overrides\n"
+-msgstr ""
++msgstr "Impossible d'importer les substitutions des groupes\n"
+ 
+ #: src/tools/sssctl/sssctl_data.c:194 src/tools/sssctl/sssctl_domains.c:74
+ #: src/tools/sssctl/sssctl_domains.c:339
+ msgid "Start SSSD if it is not running"
+-msgstr ""
++msgstr "Démarrer SSSD s'il n'est pas en cours d'exécution"
+ 
+ #: src/tools/sssctl/sssctl_data.c:195
+ msgid "Restart SSSD after data import"
+-msgstr ""
++msgstr "Redémarrer SSSD après l'importation des données"
+ 
+ #: src/tools/sssctl/sssctl_data.c:218
+ msgid "Create clean cache files and import local data"
+-msgstr ""
++msgstr "Créer des fichiers cache propres et importer les données locales"
+ 
+ #: src/tools/sssctl/sssctl_data.c:219
+ msgid "Stop SSSD before removing the cache"
+-msgstr ""
++msgstr "Arrêter SSSD avant de supprimer le cache"
+ 
+ #: src/tools/sssctl/sssctl_data.c:220
+ msgid "Start SSSD when the cache is removed"
+-msgstr ""
++msgstr "Démarrer SSSD une fois le cache retiré"
+ 
+ #: src/tools/sssctl/sssctl_data.c:235
+ #, c-format
+ msgid "Creating backup of local data...\n"
+-msgstr ""
++msgstr "Création de la sauvegarde des données locales...\n"
+ 
+ #: src/tools/sssctl/sssctl_data.c:238
+ #, c-format
+ msgid "Unable to create backup of local data, can not remove the cache.\n"
+ msgstr ""
++"Impossible de créer une sauvegarde des données locales, ou de retirer le "
++"cache.\n"
+ 
+ #: src/tools/sssctl/sssctl_data.c:243
+ #, c-format
+ msgid "Removing cache files...\n"
+-msgstr ""
++msgstr "Supprimer les fichiers cache...\n"
+ 
+ #: src/tools/sssctl/sssctl_data.c:246
+ #, c-format
+ msgid "Unable to remove cache files\n"
+-msgstr ""
++msgstr "Impossible de supprimer les fichiers cache\n"
+ 
+ #: src/tools/sssctl/sssctl_data.c:251
+ #, c-format
+ msgid "Restoring local data...\n"
+-msgstr ""
++msgstr "Restaurer les données locales...\n"
+ 
+ #: src/tools/sssctl/sssctl_domains.c:75
+ msgid "Show domain list including primary or trusted domain type"
+ msgstr ""
++"Afficher la liste de domaines avec le type de domaine de confiance ou "
++"primaire"
+ 
+ #: src/tools/sssctl/sssctl_domains.c:156
+ #, c-format
+ msgid "Online status: %s\n"
+-msgstr ""
++msgstr "Statut en ligne : %s\n"
+ 
+ #: src/tools/sssctl/sssctl_domains.c:156
+ msgid "Online"
+-msgstr ""
++msgstr "En ligne"
+ 
+ #: src/tools/sssctl/sssctl_domains.c:156
+ msgid "Offline"
+-msgstr ""
++msgstr "Hors ligne"
+ 
+ #: src/tools/sssctl/sssctl_domains.c:214
+ #, c-format
+ msgid "Active servers:\n"
+-msgstr ""
++msgstr "Serveurs actifs :\n"
+ 
+ #: src/tools/sssctl/sssctl_domains.c:231
+ msgid "not connected"
+-msgstr ""
++msgstr "non connecté"
+ 
+ #: src/tools/sssctl/sssctl_domains.c:278
+ #, c-format
+ msgid "Discovered %s servers:\n"
+-msgstr ""
++msgstr "%s serveurs découverts :\n"
+ 
+ #: src/tools/sssctl/sssctl_domains.c:296
+ msgid "None so far.\n"
+-msgstr ""
++msgstr "Pas pour l'instant.\n"
+ 
+ #: src/tools/sssctl/sssctl_domains.c:336
+ msgid "Show online status"
+-msgstr ""
++msgstr "Afficher le statut en ligne"
+ 
+ #: src/tools/sssctl/sssctl_domains.c:337
+ msgid "Show information about active server"
+-msgstr ""
++msgstr "Afficher les informations sur le serveur actif"
+ 
+ #: src/tools/sssctl/sssctl_domains.c:338
+ msgid "Show list of discovered servers"
+-msgstr ""
++msgstr "Afficher la liste des serveurs trouvés"
+ 
+ #: src/tools/sssctl/sssctl_domains.c:344
+ msgid "Specify domain name."
+-msgstr ""
++msgstr "Spécifier le nom de domaine."
+ 
+ #: src/tools/sssctl/sssctl_domains.c:360
+ #, c-format
+ msgid "Out of memory!\n"
+-msgstr ""
++msgstr "Plus de mémoire disponible !\n"
+ 
+ #: src/tools/sssctl/sssctl_domains.c:377 src/tools/sssctl/sssctl_domains.c:387
+ #, c-format
+ msgid "Unable to get online status\n"
+-msgstr ""
++msgstr "Impossible d'afficher le statut en ligne\n"
+ 
+ #: src/tools/sssctl/sssctl_domains.c:397
+ #, c-format
+ msgid "Unable to get server list\n"
+-msgstr ""
++msgstr "Impossible d’obtenir la liste des serveurs\n"
+ 
+ #: src/tools/sssctl/sssctl_logs.c:47
+ msgid "\n"
+@@ -2690,122 +2735,125 @@ msgstr "\n"
+ 
+ #: src/tools/sssctl/sssctl_logs.c:237
+ msgid "Delete log files instead of truncating"
+-msgstr ""
++msgstr "Supprimer les fichiers de journalisation au lieu de les réduire"
+ 
+ #: src/tools/sssctl/sssctl_logs.c:248
+ #, c-format
+ msgid "Deleting log files...\n"
+-msgstr ""
++msgstr "Supprimer les fichiers de journalisation...\n"
+ 
+ #: src/tools/sssctl/sssctl_logs.c:251
+ #, c-format
+ msgid "Unable to remove log files\n"
+-msgstr ""
++msgstr "Impossible de supprimer les fichiers de journalisation\n"
+ 
+ #: src/tools/sssctl/sssctl_logs.c:257
+ #, c-format
+ msgid "Truncating log files...\n"
+-msgstr ""
++msgstr "Réduction des fichiers de journalisation...\n"
+ 
+ #: src/tools/sssctl/sssctl_logs.c:260
+ #, c-format
+ msgid "Unable to truncate log files\n"
+-msgstr ""
++msgstr "Impossible de réduire les fichiers de journalisation\n"
+ 
+ #: src/tools/sssctl/sssctl_logs.c:286
+ #, c-format
+ msgid "Out of memory!"
+-msgstr ""
++msgstr "Manque de mémoire !"
+ 
+ #: src/tools/sssctl/sssctl_logs.c:289
+ #, c-format
+ msgid "Archiving log files into %s...\n"
+-msgstr ""
++msgstr "Archivage des fichiers de journalisation dans %s...\n"
+ 
+ #: src/tools/sssctl/sssctl_logs.c:292
+ #, c-format
+ msgid "Unable to archive log files\n"
+-msgstr ""
++msgstr "Impossible d'archiver les fichiers de journalisation\n"
+ 
+ #: src/tools/sssctl/sssctl_logs.c:317
+ msgid "Specify debug level you want to set"
+-msgstr ""
++msgstr "Indiquer le niveau de débogage que vous souhaitez"
+ 
+ #: src/tools/sssctl/sssctl_sifp.c:28
+ msgid ""
+ "Check that SSSD is running and the InfoPipe responder is enabled. Make sure "
+ "'ifp' is listed in the 'services' option in sssd.conf.\n"
+ msgstr ""
++"Vérifier que SSSD soit bien en cours d'exécution et que le répondant "
++"InfoPipe soit actif. Veillez à ce que « ifp » soit bien listé dans les "
++"options « services » de sssd.conf.\n"
+ 
+ #: src/tools/sssctl/sssctl_user_checks.c:91
+ #, c-format
+ msgid "Unable to connect to the InfoPipe"
+-msgstr ""
++msgstr "Impossible de se connecter à InfoPipe"
+ 
+ #: src/tools/sssctl/sssctl_user_checks.c:97
+ #, c-format
+ msgid "Unable to get user object"
+-msgstr ""
++msgstr "Impossible d'obtenir l'objet utilisateur"
+ 
+ #: src/tools/sssctl/sssctl_user_checks.c:101
+ #, c-format
+ msgid "SSSD InfoPipe user lookup result:\n"
+-msgstr ""
++msgstr "Résultat de recherche utilisateur SSSD InfoPipe\n"
+ 
+ #: src/tools/sssctl/sssctl_user_checks.c:113
+ #, c-format
+ msgid "Unable to get user name attr"
+-msgstr ""
++msgstr "Impossible d'obtenir attr nom utilisateur"
+ 
+ #: src/tools/sssctl/sssctl_user_checks.c:146
+ #, c-format
+ msgid "dlopen failed with [%s].\n"
+-msgstr ""
++msgstr "dlopen a échoué avec [%s].\n"
+ 
+ #: src/tools/sssctl/sssctl_user_checks.c:153
+ #, c-format
+ msgid "dlsym failed with [%s].\n"
+-msgstr ""
++msgstr "dlsym a échoué avec [%s].\n"
+ 
+ #: src/tools/sssctl/sssctl_user_checks.c:161
+ #, c-format
+ msgid "malloc failed.\n"
+-msgstr ""
++msgstr "malloc a échoué.\n"
+ 
+ #: src/tools/sssctl/sssctl_user_checks.c:168
+ #, c-format
+ msgid "sss_getpwnam_r failed with [%d].\n"
+-msgstr ""
++msgstr "sss_getpwnam_r a échoué avec [%d].\n"
+ 
+ #: src/tools/sssctl/sssctl_user_checks.c:173
+ #, c-format
+ msgid "SSSD nss user lookup result:\n"
+-msgstr ""
++msgstr "Résultat de la recherche utilisateur SSSD nss :\n"
+ 
+ #: src/tools/sssctl/sssctl_user_checks.c:174
+ #, c-format
+ msgid " - user name: %s\n"
+-msgstr ""
++msgstr " - nom d'utilisateur : %s\n"
+ 
+ #: src/tools/sssctl/sssctl_user_checks.c:175
+ #, c-format
+ msgid " - user id: %d\n"
+-msgstr ""
++msgstr " - id Utilisateur : %d\n"
+ 
+ #: src/tools/sssctl/sssctl_user_checks.c:176
+ #, c-format
+ msgid " - group id: %d\n"
+-msgstr ""
++msgstr " - id groupe : %d\n"
+ 
+ #: src/tools/sssctl/sssctl_user_checks.c:177
+ #, c-format
+ msgid " - gecos: %s\n"
+-msgstr ""
++msgstr " - gecos : %s\n"
+ 
+ #: src/tools/sssctl/sssctl_user_checks.c:178
+ #, c-format
+ msgid " - home directory: %s\n"
+-msgstr ""
++msgstr " - répertoire d'accueil : %s\n"
+ 
+ #: src/tools/sssctl/sssctl_user_checks.c:179
+ #, c-format
+@@ -2813,18 +2861,20 @@ msgid ""
+ " - shell: %s\n"
+ "\n"
+ msgstr ""
++" - shell : %s\n"
++"\n"
+ 
+ #: src/tools/sssctl/sssctl_user_checks.c:211
+ msgid "PAM action [auth|acct|setc|chau|open|clos], default: "
+-msgstr ""
++msgstr "Action PAM [auth|acct|setc|chau|open|clos], par défaut :"
+ 
+ #: src/tools/sssctl/sssctl_user_checks.c:214
+ msgid "PAM service, default: "
+-msgstr ""
++msgstr "Service PAM, par défaut :"
+ 
+ #: src/tools/sssctl/sssctl_user_checks.c:219
+ msgid "Specify user name."
+-msgstr ""
++msgstr "Indiquer le nom d'utilisateur."
+ 
+ #: src/tools/sssctl/sssctl_user_checks.c:226
+ #, c-format
+@@ -2834,21 +2884,25 @@ msgid ""
+ "service: %s\n"
+ "\n"
+ msgstr ""
++"utilisateur: %s\n"
++"action: %s\n"
++"service: %s\n"
++"\n"
+ 
+ #: src/tools/sssctl/sssctl_user_checks.c:232
+ #, c-format
+ msgid "User name lookup with [%s] failed.\n"
+-msgstr ""
++msgstr "La recherche de nom d'utilisateur avec [%s] a échoué.\n"
+ 
+ #: src/tools/sssctl/sssctl_user_checks.c:237
+ #, c-format
+ msgid "InfoPipe User lookup with [%s] failed.\n"
+-msgstr ""
++msgstr "La recherche utilisateur avec l'InfoPipe [%s] a échoué.\n"
+ 
+ #: src/tools/sssctl/sssctl_user_checks.c:244
+ #, c-format
+ msgid "pam_start failed: %s\n"
+-msgstr ""
++msgstr "pam_start a échoué : %s\n"
+ 
+ #: src/tools/sssctl/sssctl_user_checks.c:249
+ #, c-format
+@@ -2856,11 +2910,13 @@ msgid ""
+ "testing pam_authenticate\n"
+ "\n"
+ msgstr ""
++"testing pam_authenticate\n"
++"\n"
+ 
+ #: src/tools/sssctl/sssctl_user_checks.c:253
+ #, c-format
+ msgid "pam_get_item failed: %s\n"
+-msgstr ""
++msgstr "pam_get_item a échoué : %s\n"
+ 
+ #: src/tools/sssctl/sssctl_user_checks.c:257
+ #, c-format
+@@ -2868,6 +2924,8 @@ msgid ""
+ "pam_authenticate for user [%s]: %s\n"
+ "\n"
+ msgstr ""
++"pam_authenticate pour utilisateur [%s]: %s\n"
++"\n"
+ 
+ #: src/tools/sssctl/sssctl_user_checks.c:260
+ #, c-format
+@@ -2875,6 +2933,8 @@ msgid ""
+ "testing pam_chauthtok\n"
+ "\n"
+ msgstr ""
++"testing pam_chauthtok\n"
++"\n"
+ 
+ #: src/tools/sssctl/sssctl_user_checks.c:262
+ #, c-format
+@@ -2882,6 +2942,8 @@ msgid ""
+ "pam_chauthtok: %s\n"
+ "\n"
+ msgstr ""
++"pam_chauthtok: %s\n"
++"\n"
+ 
+ #: src/tools/sssctl/sssctl_user_checks.c:264
+ #, c-format
+@@ -2889,6 +2951,8 @@ msgid ""
+ "testing pam_acct_mgmt\n"
+ "\n"
+ msgstr ""
++"testing pam_acct_mgmt\n"
++"\n"
+ 
+ #: src/tools/sssctl/sssctl_user_checks.c:266
+ #, c-format
+@@ -2896,6 +2960,8 @@ msgid ""
+ "pam_acct_mgmt: %s\n"
+ "\n"
+ msgstr ""
++"pam_acct_mgmt: %s\n"
++"\n"
+ 
+ #: src/tools/sssctl/sssctl_user_checks.c:268
+ #, c-format
+@@ -2903,6 +2969,8 @@ msgid ""
+ "testing pam_setcred\n"
+ "\n"
+ msgstr ""
++"testing pam_setcred\n"
++"\n"
+ 
+ #: src/tools/sssctl/sssctl_user_checks.c:270
+ #, c-format
+@@ -2910,6 +2978,8 @@ msgid ""
+ "pam_setcred: [%s]\n"
+ "\n"
+ msgstr ""
++"pam_setcred: [%s]\n"
++"\n"
+ 
+ #: src/tools/sssctl/sssctl_user_checks.c:272
+ #, c-format
+@@ -2917,6 +2987,8 @@ msgid ""
+ "testing pam_open_session\n"
+ "\n"
+ msgstr ""
++"testing pam_open_session\n"
++"\n"
+ 
+ #: src/tools/sssctl/sssctl_user_checks.c:274
+ #, c-format
+@@ -2924,6 +2996,8 @@ msgid ""
+ "pam_open_session: %s\n"
+ "\n"
+ msgstr ""
++"pam_open_session: %s\n"
++"\n"
+ 
+ #: src/tools/sssctl/sssctl_user_checks.c:276
+ #, c-format
+@@ -2931,6 +3005,8 @@ msgid ""
+ "testing pam_close_session\n"
+ "\n"
+ msgstr ""
++"testing pam_close_session\n"
++"\n"
+ 
+ #: src/tools/sssctl/sssctl_user_checks.c:278
+ #, c-format
+@@ -2938,21 +3014,23 @@ msgid ""
+ "pam_close_session: %s\n"
+ "\n"
+ msgstr ""
++"pam_close_session: %s\n"
++"\n"
+ 
+ #: src/tools/sssctl/sssctl_user_checks.c:281
+ #, c-format
+ msgid "unknown action\n"
+-msgstr ""
++msgstr "action inconnue\n"
+ 
+ #: src/tools/sssctl/sssctl_user_checks.c:284
+ #, c-format
+ msgid "PAM Environment:\n"
+-msgstr ""
++msgstr "Environnement PAM\n"
+ 
+ #: src/tools/sssctl/sssctl_user_checks.c:292
+ #, c-format
+ msgid " - no env -\n"
+-msgstr ""
++msgstr " - aucun env -\n"
+ 
+ #: src/util/util.h:83
+ msgid "The user ID to run the server as"
+@@ -2964,8 +3042,8 @@ msgstr "L'identifiant de groupe sous lequel faire tourner le serveur"
+ 
+ #: src/util/util.h:93
+ msgid "Informs that the responder has been socket-activated"
+-msgstr ""
++msgstr "Indique que le répondant a été activé par socket-activated"
+ 
+ #: src/util/util.h:95
+ msgid "Informs that the responder has been dbus-activated"
+-msgstr ""
++msgstr "Indique que le répondant a été activé par dbus-activated"
+diff --git a/po/hu.po b/po/hu.po
+index abe75d005..fb7f50979 100644
+--- a/po/hu.po
++++ b/po/hu.po
+@@ -842,9 +842,8 @@ msgid "The Schema Type in use on the LDAP server, rfc2307"
+ msgstr "Az LDAP szerveren használt séma-típus, rfc2307"
+ 
+ #: src/config/SSSDConfig/__init__.py.in:284
+-#, fuzzy
+ msgid "Mode used to change user password"
+-msgstr "A jelszava lejárt, változtass meg most."
++msgstr ""
+ 
+ #: src/config/SSSDConfig/__init__.py.in:285
+ msgid "The default bind DN"
+diff --git a/po/it.po b/po/it.po
+index 8f14e0df2..4e83c025c 100644
+--- a/po/it.po
++++ b/po/it.po
+@@ -855,9 +855,8 @@ msgid "The Schema Type in use on the LDAP server, rfc2307"
+ msgstr "Lo Schema Type utilizzato dal server LDAP, rfc2307"
+ 
+ #: src/config/SSSDConfig/__init__.py.in:284
+-#, fuzzy
+ msgid "Mode used to change user password"
+-msgstr "Password scaduta. Cambiare la password ora."
++msgstr ""
+ 
+ #: src/config/SSSDConfig/__init__.py.in:285
+ msgid "The default bind DN"
+diff --git a/po/ja.po b/po/ja.po
+index 03e16c787..eeb573a93 100644
+--- a/po/ja.po
++++ b/po/ja.po
+@@ -6,12 +6,13 @@
+ # Tomoyuki KATO <tomo@dream.daynight.jp>, 2012-2013
+ # Noriko Mizumoto <noriko.mizumoto@gmail.com>, 2016. #zanata
+ # Keiko Moriguchi <kemorigu@redhat.com>, 2019. #zanata
++# Ludek Janda <ljanda@redhat.com>, 2019. #zanata
+ msgid ""
+ msgstr ""
+ "Project-Id-Version: PACKAGE VERSION\n"
+ "Report-Msgid-Bugs-To: sssd-devel@lists.fedorahosted.org\n"
+ "POT-Creation-Date: 2019-10-07 11:34+0200\n"
+-"PO-Revision-Date: 2019-05-28 11:45+0000\n"
++"PO-Revision-Date: 2019-11-04 03:20+0000\n"
+ "Last-Translator: Keiko Moriguchi <kemorigu@redhat.com>\n"
+ "Language-Team: Japanese (http://www.transifex.com/projects/p/sssd/language/"
+ "ja/)\n"
+@@ -458,9 +459,10 @@ msgstr "すべてのユーザー・グループの列挙を有効にする"
+ msgid "Cache credentials for offline login"
+ msgstr "オフラインログインのためにクレディンシャルをキャッシュする"
+ 
++# auto translated by TM merge from project: SSSD, version: master, DocId: po/sssd
+ #: src/config/SSSDConfig/__init__.py.in:167
+ msgid "Store password hashes"
+-msgstr ""
++msgstr "パスワードハッシュを保存する"
+ 
+ #: src/config/SSSDConfig/__init__.py.in:168
+ msgid "Display users/groups in fully-qualified form"
+@@ -870,9 +872,8 @@ msgid "The Schema Type in use on the LDAP server, rfc2307"
+ msgstr "LDAP サーバーにおいて使用中のスキーマ形式, rfc2307"
+ 
+ #: src/config/SSSDConfig/__init__.py.in:284
+-#, fuzzy
+ msgid "Mode used to change user password"
+-msgstr "パスワードの期限が切れました。いますぐパスワードを変更してください。"
++msgstr "ユーザーのパスワードの変更にモードを使用しました"
+ 
+ #: src/config/SSSDConfig/__init__.py.in:285
+ msgid "The default bind DN"
+@@ -1307,15 +1308,15 @@ msgstr "ID マッピングに対するデフォルトドメインの SID"
+ msgid "Number of secondary slices"
+ msgstr "セカンダリースライスの数"
+ 
++# auto translated by TM merge from project: SSSD, version: master, DocId: po/sssd
+ #: src/config/SSSDConfig/__init__.py.in:410
+-#, fuzzy
+ msgid "Use LDAP_MATCHING_RULE_IN_CHAIN for group lookups"
+-msgstr "グループ検索のベース DN"
++msgstr "グループ検索のために LDAP_MATCHING_RULE_IN_CHAIN を使用します"
+ 
++# auto translated by TM merge from project: SSSD, version: master, DocId: po/sssd
+ #: src/config/SSSDConfig/__init__.py.in:411
+-#, fuzzy
+ msgid "Use LDAP_MATCHING_RULE_IN_CHAIN for initgroup lookups"
+-msgstr "ネットグループ検索のベース DN"
++msgstr "初期グループの検索のために LDAP_MATCHING_RULE_IN_CHAIN を使用します"
+ 
+ #: src/config/SSSDConfig/__init__.py.in:412
+ msgid "Whether to use Token-Groups"
+@@ -2660,16 +2661,19 @@ msgid ""
+ "Check that SSSD is running and the InfoPipe responder is enabled. Make sure "
+ "'ifp' is listed in the 'services' option in sssd.conf.\n"
+ msgstr ""
++"SSSD が実行中で、InfoPipe レスポンダーが有効化されていることを確認しま"
++"す。'ifp' が sssd.conf の 'services' オプションに一覧表示されていることを確認"
++"します。\n"
+ 
+ #: src/tools/sssctl/sssctl_user_checks.c:91
+-#, fuzzy, c-format
++#, c-format
+ msgid "Unable to connect to the InfoPipe"
+-msgstr "システムバスに接続できません!\n"
++msgstr "InfoPipe に接続できません"
+ 
+ #: src/tools/sssctl/sssctl_user_checks.c:97
+-#, fuzzy, c-format
++#, c-format
+ msgid "Unable to get user object"
+-msgstr "サーバー一覧を取得できません\n"
++msgstr "ユーザーオブジェクトを取得できません"
+ 
+ #: src/tools/sssctl/sssctl_user_checks.c:101
+ #, c-format
+@@ -2677,9 +2681,9 @@ msgid "SSSD InfoPipe user lookup result:\n"
+ msgstr "SSSD InfoPipe ユーザー検索の結果:\n"
+ 
+ #: src/tools/sssctl/sssctl_user_checks.c:113
+-#, fuzzy, c-format
++#, c-format
+ msgid "Unable to get user name attr"
+-msgstr "サーバー一覧を取得できません\n"
++msgstr "ユーザー名 attr を取得できません"
+ 
+ #: src/tools/sssctl/sssctl_user_checks.c:146
+ #, c-format
+@@ -2917,14 +2921,3 @@ msgstr "レスポンダーがソケットでアクティベートされたと知
+ #: src/util/util.h:95
+ msgid "Informs that the responder has been dbus-activated"
+ msgstr "レスポンダーが dbus でアクティベートされたと知らせます"
+-
+-#~ msgid "Additional timeout to wait for a card if requested"
+-#~ msgstr "要求された場合に、カードが待つ追加のタイムアウト"
+-
+-#~ msgid ""
+-#~ "PKCS#11 URI to restrict the selection of devices for Smartcard "
+-#~ "authentication"
+-#~ msgstr "スマートカード認証向けのデバイスの選択を PKCS#11 URI が制限"
+-
+-#~ msgid "Similar to --genconf, but only refreshes the given section"
+-#~ msgstr "--genconf と似ていますが、任意のセクションのみをリフレッシュします"
+diff --git a/po/nl.po b/po/nl.po
+index 3dbbfa3b1..4cfbbb371 100644
+--- a/po/nl.po
++++ b/po/nl.po
+@@ -888,9 +888,8 @@ msgid "The Schema Type in use on the LDAP server, rfc2307"
+ msgstr "Het schema type wat gebruikt wordt op de LDAP server, rfc2307"
+ 
+ #: src/config/SSSDConfig/__init__.py.in:284
+-#, fuzzy
+ msgid "Mode used to change user password"
+-msgstr "Wachtwoord verlopen. Verander nu uw wachtwoord."
++msgstr ""
+ 
+ #: src/config/SSSDConfig/__init__.py.in:285
+ msgid "The default bind DN"
+@@ -1333,14 +1332,12 @@ msgid "Number of secondary slices"
+ msgstr ""
+ 
+ #: src/config/SSSDConfig/__init__.py.in:410
+-#, fuzzy
+ msgid "Use LDAP_MATCHING_RULE_IN_CHAIN for group lookups"
+-msgstr "Basis DN voor groep opzoeken"
++msgstr ""
+ 
+ #: src/config/SSSDConfig/__init__.py.in:411
+-#, fuzzy
+ msgid "Use LDAP_MATCHING_RULE_IN_CHAIN for initgroup lookups"
+-msgstr "Basis DN voor netgroep opzoeken"
++msgstr ""
+ 
+ #: src/config/SSSDConfig/__init__.py.in:412
+ msgid "Whether to use Token-Groups"
+diff --git a/po/pl.po b/po/pl.po
+index e12bfd488..630955a9b 100644
+--- a/po/pl.po
++++ b/po/pl.po
+@@ -15,7 +15,7 @@ msgstr ""
+ "Project-Id-Version: PACKAGE VERSION\n"
+ "Report-Msgid-Bugs-To: sssd-devel@lists.fedorahosted.org\n"
+ "POT-Creation-Date: 2019-10-07 11:34+0200\n"
+-"PO-Revision-Date: 2019-03-01 06:40+0000\n"
++"PO-Revision-Date: 2019-10-10 10:55+0000\n"
+ "Last-Translator: Piotr Drąg <piotrdrag@gmail.com>\n"
+ "Language-Team: Polish (http://www.transifex.com/projects/p/sssd/language/"
+ "pl/)\n"
+@@ -104,7 +104,7 @@ msgid ""
+ "Directory on the filesystem where SSSD should store Kerberos replay cache "
+ "files."
+ msgstr ""
+-"Katalog w systemie plików, w którym SSSD powinno przechowywać pliki pamięci "
++"Katalog w systemie plików, w którym SSSD ma przechowywać pliki pamięci "
+ "podręcznej odtwarzania Kerberosa."
+ 
+ #: src/config/SSSDConfig/__init__.py.in:63
+@@ -156,19 +156,19 @@ msgstr "Ujemny czas oczekiwania pamięci podręcznej plików (sekundy)"
+ 
+ #: src/config/SSSDConfig/__init__.py.in:76
+ msgid "Users that SSSD should explicitly ignore"
+-msgstr "Użytkownicy, którzy powinni być bezpośrednio ignorowani przez SSSD"
++msgstr "Użytkownicy, którzy mają być bezpośrednio ignorowani przez SSSD"
+ 
+ #: src/config/SSSDConfig/__init__.py.in:77
+ msgid "Groups that SSSD should explicitly ignore"
+-msgstr "Grupy, które powinny być bezpośrednio ignorowane przez SSSD"
++msgstr "Grupy, które mają być bezpośrednio ignorowane przez SSSD"
+ 
+ #: src/config/SSSDConfig/__init__.py.in:78
+ msgid "Should filtered users appear in groups"
+-msgstr "Czy filtrowani użytkownicy powinni pojawiać się w grupach"
++msgstr "Czy filtrowani użytkownicy mają pojawiać się w grupach"
+ 
+ #: src/config/SSSDConfig/__init__.py.in:79
+ msgid "The value of the password field the NSS provider should return"
+-msgstr "Wartość pola hasła, jaką dostawca NSS powinien zwrócić"
++msgstr "Wartość pola hasła, jaką dostawca NSS ma zwrócić"
+ 
+ #: src/config/SSSDConfig/__init__.py.in:80
+ msgid "Override homedir value from the identity provider with this value"
+@@ -488,7 +488,7 @@ msgstr "Dane uwierzytelniające pamięci podręcznej dla logowań w trybie offl
+ 
+ #: src/config/SSSDConfig/__init__.py.in:167
+ msgid "Store password hashes"
+-msgstr ""
++msgstr "Przechowuje mieszanie haseł"
+ 
+ #: src/config/SSSDConfig/__init__.py.in:168
+ msgid "Display users/groups in fully-qualified form"
+@@ -556,8 +556,7 @@ msgstr "TTL do zastosowania do wpisu DNS klienta po jego zaktualizowaniu"
+ #: src/config/SSSDConfig/__init__.py.in:208
+ msgid "The interface whose IP should be used for dynamic DNS updates"
+ msgstr ""
+-"Interfejs, którego adres IP powinien być używany do dynamicznych "
+-"aktualizacji DNS"
++"Interfejs, którego adres IP ma być używany do dynamicznych aktualizacji DNS"
+ 
+ #: src/config/SSSDConfig/__init__.py.in:187
+ msgid "How often to periodically update the client's DNS entry"
+@@ -565,17 +564,17 @@ msgstr "Jak często okresowo aktualizować wpis DNS klienta"
+ 
+ #: src/config/SSSDConfig/__init__.py.in:188
+ msgid "Whether the provider should explicitly update the PTR record as well"
+-msgstr "Określa, czy dostawca powinien aktualizować także wpis PTR"
++msgstr "Określa, czy dostawca ma aktualizować także wpis PTR"
+ 
+ #: src/config/SSSDConfig/__init__.py.in:189
+ msgid "Whether the nsupdate utility should default to using TCP"
+-msgstr "Określa, czy narzędzie nsupdate powinno domyślnie używać portu TCP"
++msgstr "Określa, czy narzędzie nsupdate ma domyślnie używać portu TCP"
+ 
+ #: src/config/SSSDConfig/__init__.py.in:190
+ msgid "What kind of authentication should be used to perform the DNS update"
+ msgstr ""
+-"Jakiego rodzaju uwierzytelnianie powinno być używane do wykonywania "
+-"aktualizacji DNS"
++"Jakiego rodzaju uwierzytelnianie ma być używane do wykonywania aktualizacji "
++"DNS"
+ 
+ #: src/config/SSSDConfig/__init__.py.in:191
+ msgid "Override the DNS server used to perform the DNS update"
+@@ -924,9 +923,8 @@ msgid "The Schema Type in use on the LDAP server, rfc2307"
+ msgstr "Typ Schema do użycia na serwerze LDAP, RFC2307"
+ 
+ #: src/config/SSSDConfig/__init__.py.in:284
+-#, fuzzy
+ msgid "Mode used to change user password"
+-msgstr "Hasło wygasło. Proszę je zmienić teraz."
++msgstr "Tryb używany do zmiany hasła użytkownika"
+ 
+ #: src/config/SSSDConfig/__init__.py.in:285
+ msgid "The default bind DN"
+@@ -1033,7 +1031,7 @@ msgid ""
+ "Whether the LDAP library should perform a reverse lookup to canonicalize the "
+ "host name during a SASL bind"
+ msgstr ""
+-"Określa, czy biblioteka LDAP powinna wykonywać odwrotne wyszukanie, aby "
++"Określa, czy biblioteka LDAP ma wykonywać odwrotne wyszukanie, aby "
+ "ujednolicić nazwę komputera podczas dowiązania SASL"
+ 
+ #: src/config/SSSDConfig/__init__.py.in:312
+@@ -1367,14 +1365,12 @@ msgid "Number of secondary slices"
+ msgstr "Liczba drugorzędnych fragmentów"
+ 
+ #: src/config/SSSDConfig/__init__.py.in:410
+-#, fuzzy
+ msgid "Use LDAP_MATCHING_RULE_IN_CHAIN for group lookups"
+-msgstr "Podstawowe DN dla wyszukiwania grup"
++msgstr "Użycie LDAP_MATCHING_RULE_IN_CHAIN do wyszukiwania grup"
+ 
+ #: src/config/SSSDConfig/__init__.py.in:411
+-#, fuzzy
+ msgid "Use LDAP_MATCHING_RULE_IN_CHAIN for initgroup lookups"
+-msgstr "Podstawowe DN dla wyszukiwania grupy sieciowej"
++msgstr "Użycie LDAP_MATCHING_RULE_IN_CHAIN do wyszukiwania grup inicjacyjnych"
+ 
+ #: src/config/SSSDConfig/__init__.py.in:412
+ msgid "Whether to use Token-Groups"
+@@ -1402,11 +1398,11 @@ msgstr "Polityka do oszacowania wygaszenia hasła"
+ 
+ #: src/config/SSSDConfig/__init__.py.in:423
+ msgid "Which attributes shall be used to evaluate if an account is expired"
+-msgstr "Które atrybuty powinny być używane do sprawdzenia, czy konto wygasło"
++msgstr "Które atrybuty mają być używane do sprawdzenia, czy konto wygasło"
+ 
+ #: src/config/SSSDConfig/__init__.py.in:424
+ msgid "Which rules should be used to evaluate access control"
+-msgstr "Które reguły powinny być używane do sprawdzania kontroli dostępu"
++msgstr "Które reguły mają być używane do sprawdzania kontroli dostępu"
+ 
+ #: src/config/SSSDConfig/__init__.py.in:427
+ msgid "URI of an LDAP server where password changes are allowed"
+@@ -2727,16 +2723,19 @@ msgid ""
+ "Check that SSSD is running and the InfoPipe responder is enabled. Make sure "
+ "'ifp' is listed in the 'services' option in sssd.conf.\n"
+ msgstr ""
++"Proszę sprawdzić, czy usługa SSSD jest uruchomiona i program odpowiadający "
++"InfoPipe jest włączony. Należy się upewnić, że „ifp” jest w opcji „services” "
++"pliku sssd.conf.\n"
+ 
+ #: src/tools/sssctl/sssctl_user_checks.c:91
+-#, fuzzy, c-format
++#, c-format
+ msgid "Unable to connect to the InfoPipe"
+-msgstr "Nie można połączyć się z magistralą systemową.\n"
++msgstr "Nie można połączyć z InfoPipe"
+ 
+ #: src/tools/sssctl/sssctl_user_checks.c:97
+-#, fuzzy, c-format
++#, c-format
+ msgid "Unable to get user object"
+-msgstr "Nie można uzyskać listy serwerów\n"
++msgstr "Nie można uzyskać obiektu użytkownika"
+ 
+ #: src/tools/sssctl/sssctl_user_checks.c:101
+ #, c-format
+@@ -2744,9 +2743,9 @@ msgid "SSSD InfoPipe user lookup result:\n"
+ msgstr "Wynik wyszukiwania użytkownika InfoPipe usługi SSSD:\n"
+ 
+ #: src/tools/sssctl/sssctl_user_checks.c:113
+-#, fuzzy, c-format
++#, c-format
+ msgid "Unable to get user name attr"
+-msgstr "Nie można uzyskać listy serwerów\n"
++msgstr "Nie można uzyskać atrybutu nazwy użytkownika"
+ 
+ #: src/tools/sssctl/sssctl_user_checks.c:146
+ #, c-format
+@@ -2990,16 +2989,3 @@ msgstr "Informuje, że program odpowiadający został aktywowany gniazdem"
+ #: src/util/util.h:95
+ msgid "Informs that the responder has been dbus-activated"
+ msgstr "Informuje, że program odpowiadający został aktywowany magistralą D-Bus"
+-
+-#~ msgid "Additional timeout to wait for a card if requested"
+-#~ msgstr "Dodatkowy czas oczekiwania na kartę, jeśli zażądano"
+-
+-#~ msgid ""
+-#~ "PKCS#11 URI to restrict the selection of devices for Smartcard "
+-#~ "authentication"
+-#~ msgstr ""
+-#~ "Adres URI PKCS#11 do ograniczenia wyboru urządzeń dla uwierzytelniania za "
+-#~ "pomocą kart smartcard"
+-
+-#~ msgid "Similar to --genconf, but only refreshes the given section"
+-#~ msgstr "Podobne do --genconf, ale odświeża tylko podaną sekcję"
+diff --git a/po/pt.po b/po/pt.po
+index b7e46f62f..6372c2cf5 100644
+--- a/po/pt.po
++++ b/po/pt.po
+@@ -850,9 +850,8 @@ msgid "The Schema Type in use on the LDAP server, rfc2307"
+ msgstr "O tipo de Schema em utilização no servidor LDAP, rfc2307"
+ 
+ #: src/config/SSSDConfig/__init__.py.in:284
+-#, fuzzy
+ msgid "Mode used to change user password"
+-msgstr "A senha expirou. Altere a sua senha agora."
++msgstr ""
+ 
+ #: src/config/SSSDConfig/__init__.py.in:285
+ msgid "The default bind DN"
+diff --git a/po/ru.po b/po/ru.po
+index 1fc53cd84..f47df1e7d 100644
+--- a/po/ru.po
++++ b/po/ru.po
+@@ -866,9 +866,8 @@ msgid "The Schema Type in use on the LDAP server, rfc2307"
+ msgstr "Тип схемы, используемой на LDAP-сервере, rfc2307"
+ 
+ #: src/config/SSSDConfig/__init__.py.in:284
+-#, fuzzy
+ msgid "Mode used to change user password"
+-msgstr "Срок действия пароля истёк. Необходимо сейчас изменить ваш пароль."
++msgstr ""
+ 
+ #: src/config/SSSDConfig/__init__.py.in:285
+ msgid "The default bind DN"
+diff --git a/po/sv.po b/po/sv.po
+index bb0c29b73..5cf6a5ae1 100644
+--- a/po/sv.po
++++ b/po/sv.po
+@@ -6,12 +6,13 @@
+ # Göran Uddeborg <goeran@uddeborg.se>, 2013-2014
+ # Anders Jonsson <anders.jonsson@norsjovallen.se>, 2018. #zanata
+ # Göran Uddeborg <goeran@uddeborg.se>, 2018. #zanata
++# Göran Uddeborg <goeran@uddeborg.se>, 2019. #zanata
+ msgid ""
+ msgstr ""
+ "Project-Id-Version: PACKAGE VERSION\n"
+ "Report-Msgid-Bugs-To: sssd-devel@lists.fedorahosted.org\n"
+ "POT-Creation-Date: 2019-10-07 11:34+0200\n"
+-"PO-Revision-Date: 2018-06-25 02:36+0000\n"
++"PO-Revision-Date: 2019-08-03 08:42+0000\n"
+ "Last-Translator: Göran Uddeborg <goeran@uddeborg.se>\n"
+ "Language-Team: Swedish (http://www.transifex.com/projects/p/sssd/language/"
+ "sv/)\n"
+@@ -271,7 +272,7 @@ msgstr "Vilka PAM-tjänster tillåts att kontakta applikationsdomäner"
+ 
+ #: src/config/SSSDConfig/__init__.py.in:106
+ msgid "Allowed services for using smartcards"
+-msgstr ""
++msgstr "Tillåtna tjänster för användning av smartkort"
+ 
+ #: src/config/SSSDConfig/__init__.py.in:109
+ msgid "Whether to evaluate the time-based attributes in sudo rules"
+@@ -893,9 +894,8 @@ msgid "The Schema Type in use on the LDAP server, rfc2307"
+ msgstr "Schematypen som används i LDAP-servern, rfc2307"
+ 
+ #: src/config/SSSDConfig/__init__.py.in:284
+-#, fuzzy
+ msgid "Mode used to change user password"
+-msgstr "Lösenordet har gått ut.  Ändra ditt lösenord nu."
++msgstr "Läge som används för att ändra användares lösenord"
+ 
+ #: src/config/SSSDConfig/__init__.py.in:285
+ msgid "The default bind DN"
+@@ -1333,14 +1333,12 @@ msgid "Number of secondary slices"
+ msgstr "Antal sekundära skivor"
+ 
+ #: src/config/SSSDConfig/__init__.py.in:410
+-#, fuzzy
+ msgid "Use LDAP_MATCHING_RULE_IN_CHAIN for group lookups"
+-msgstr "Bas-DN för gruppuppslagningar"
++msgstr ""
+ 
+ #: src/config/SSSDConfig/__init__.py.in:411
+-#, fuzzy
+ msgid "Use LDAP_MATCHING_RULE_IN_CHAIN for initgroup lookups"
+-msgstr "Bas-DN för nätgruppuppslagningar"
++msgstr ""
+ 
+ #: src/config/SSSDConfig/__init__.py.in:412
+ msgid "Whether to use Token-Groups"
+@@ -1792,7 +1790,7 @@ msgstr "Porten att använda för att ansluta till värden"
+ 
+ #: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:210
+ msgid "Print the host ssh public keys"
+-msgstr ""
++msgstr "Skriv ut värdens publika ssh-nycklar"
+ 
+ #: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:252
+ msgid "Invalid port\n"
+@@ -2686,14 +2684,14 @@ msgid ""
+ msgstr ""
+ 
+ #: src/tools/sssctl/sssctl_user_checks.c:91
+-#, fuzzy, c-format
++#, c-format
+ msgid "Unable to connect to the InfoPipe"
+-msgstr "Kan inte hugga av loggfiler\n"
++msgstr ""
+ 
+ #: src/tools/sssctl/sssctl_user_checks.c:97
+-#, fuzzy, c-format
++#, c-format
+ msgid "Unable to get user object"
+-msgstr "Kan inte ta reda på serverlistan\n"
++msgstr ""
+ 
+ #: src/tools/sssctl/sssctl_user_checks.c:101
+ #, c-format
+@@ -2701,9 +2699,9 @@ msgid "SSSD InfoPipe user lookup result:\n"
+ msgstr "Resultat av SSSD InfoPipe-användaruppslagning:\n"
+ 
+ #: src/tools/sssctl/sssctl_user_checks.c:113
+-#, fuzzy, c-format
++#, c-format
+ msgid "Unable to get user name attr"
+-msgstr "Kan inte ta reda på serverlistan\n"
++msgstr ""
+ 
+ #: src/tools/sssctl/sssctl_user_checks.c:146
+ #, c-format
+diff --git a/po/uk.po b/po/uk.po
+index 373496c08..84a8511a6 100644
+--- a/po/uk.po
++++ b/po/uk.po
+@@ -15,7 +15,7 @@ msgstr ""
+ "Project-Id-Version: PACKAGE VERSION\n"
+ "Report-Msgid-Bugs-To: sssd-devel@lists.fedorahosted.org\n"
+ "POT-Creation-Date: 2019-10-07 11:34+0200\n"
+-"PO-Revision-Date: 2019-03-03 07:23+0000\n"
++"PO-Revision-Date: 2019-10-07 02:18+0000\n"
+ "Last-Translator: Yuri Chornoivan <yurchor@ukr.net>\n"
+ "Language-Team: Ukrainian (http://www.transifex.com/projects/p/sssd/language/"
+ "uk/)\n"
+@@ -506,7 +506,7 @@ msgstr "Кешувати реєстраційні дані для автоном
+ 
+ #: src/config/SSSDConfig/__init__.py.in:167
+ msgid "Store password hashes"
+-msgstr ""
++msgstr "Зберігати хеші паролів"
+ 
+ #: src/config/SSSDConfig/__init__.py.in:168
+ msgid "Display users/groups in fully-qualified form"
+@@ -947,9 +947,8 @@ msgid "The Schema Type in use on the LDAP server, rfc2307"
+ msgstr "Тип схеми, використаний на сервері LDAP, rfc2307"
+ 
+ #: src/config/SSSDConfig/__init__.py.in:284
+-#, fuzzy
+ msgid "Mode used to change user password"
+-msgstr "Строк дії пароля вичерпано. Змініть ваш пароль."
++msgstr "Режим для зміни пароля користувача"
+ 
+ #: src/config/SSSDConfig/__init__.py.in:285
+ msgid "The default bind DN"
+@@ -1400,14 +1399,14 @@ msgid "Number of secondary slices"
+ msgstr "Кількість вторинних зрізів"
+ 
+ #: src/config/SSSDConfig/__init__.py.in:410
+-#, fuzzy
+ msgid "Use LDAP_MATCHING_RULE_IN_CHAIN for group lookups"
+-msgstr "Базова назва домену для пошуків груп"
++msgstr "Використовувати LDAP_MATCHING_RULE_IN_CHAIN щодо пошуків груп (group)"
+ 
+ #: src/config/SSSDConfig/__init__.py.in:411
+-#, fuzzy
+ msgid "Use LDAP_MATCHING_RULE_IN_CHAIN for initgroup lookups"
+-msgstr "Базова назва домену для пошуків груп у мережі"
++msgstr ""
++"Використовувати LDAP_MATCHING_RULE_IN_CHAIN щодо пошуків початкових груп "
++"(initgroup)"
+ 
+ #: src/config/SSSDConfig/__init__.py.in:412
+ msgid "Whether to use Token-Groups"
+@@ -2774,17 +2773,18 @@ msgid ""
+ "Check that SSSD is running and the InfoPipe responder is enabled. Make sure "
+ "'ifp' is listed in the 'services' option in sssd.conf.\n"
+ msgstr ""
++"Перевірте, чи запущено SSSD і чи увімкнено відповідач InfoPipe. "
++"Переконайтеся, що у списку параметра «services» у sssd.conf є запис «ifp».\n"
+ 
+ #: src/tools/sssctl/sssctl_user_checks.c:91
+-#, fuzzy, c-format
++#, c-format
+ msgid "Unable to connect to the InfoPipe"
+-msgstr ""
+-"Не вдалося встановити з'єднання із системним каналом передавання даних!\n"
++msgstr "Не вдалося встановити з'єднання із InfoPipe"
+ 
+ #: src/tools/sssctl/sssctl_user_checks.c:97
+-#, fuzzy, c-format
++#, c-format
+ msgid "Unable to get user object"
+-msgstr "Не вдалося отримати список серверів\n"
++msgstr "Не вдалося отримати об'єкт користувача"
+ 
+ #: src/tools/sssctl/sssctl_user_checks.c:101
+ #, c-format
+@@ -2792,9 +2792,9 @@ msgid "SSSD InfoPipe user lookup result:\n"
+ msgstr "Результат пошуку користувача у InfoPipe SSSD:\n"
+ 
+ #: src/tools/sssctl/sssctl_user_checks.c:113
+-#, fuzzy, c-format
++#, c-format
+ msgid "Unable to get user name attr"
+-msgstr "Не вдалося отримати список серверів\n"
++msgstr "Не вдалося отримати атрибут імені користувача"
+ 
+ #: src/tools/sssctl/sssctl_user_checks.c:146
+ #, c-format
+@@ -3038,16 +3038,3 @@ msgstr "Інформує про те, що на відповідачі заді
+ #: src/util/util.h:95
+ msgid "Informs that the responder has been dbus-activated"
+ msgstr "Інформує про те, що на відповідачі задіяно D-Bus"
+-
+-#~ msgid "Additional timeout to wait for a card if requested"
+-#~ msgstr "Додатковий час очікування на картку, якщо надійде запит"
+-
+-#~ msgid ""
+-#~ "PKCS#11 URI to restrict the selection of devices for Smartcard "
+-#~ "authentication"
+-#~ msgstr ""
+-#~ "Адреса PKCS#11 для обмеження переліку пристроїв для розпізнавання за "
+-#~ "смарт-карткою"
+-
+-#~ msgid "Similar to --genconf, but only refreshes the given section"
+-#~ msgstr "Подібний до --genconf, але оновлює дані лише вказаного розділу"
+diff --git a/po/zh_TW.po b/po/zh_TW.po
+index 00662b946..9c0e0bcc9 100644
+--- a/po/zh_TW.po
++++ b/po/zh_TW.po
+@@ -839,9 +839,8 @@ msgid "The Schema Type in use on the LDAP server, rfc2307"
+ msgstr ""
+ 
+ #: src/config/SSSDConfig/__init__.py.in:284
+-#, fuzzy
+ msgid "Mode used to change user password"
+-msgstr "密碼已過期。請立刻變更您的密碼。"
++msgstr ""
+ 
+ #: src/config/SSSDConfig/__init__.py.in:285
+ msgid "The default bind DN"
+diff --git a/src/man/po/br.po b/src/man/po/br.po
+index 5a29f3f75..4cf5b6b0c 100644
+--- a/src/man/po/br.po
++++ b/src/man/po/br.po
+@@ -6,9 +6,9 @@
+ # Fulup <fulup.jakez@gmail.com>, 2012
+ msgid ""
+ msgstr ""
+-"Project-Id-Version: sssd-docs 2.0.99\n"
++"Project-Id-Version: sssd-docs 1.16.4\n"
+ "Report-Msgid-Bugs-To: sssd-devel@redhat.com\n"
+-"POT-Creation-Date: 2019-10-07 11:33+0200\n"
++"POT-Creation-Date: 2019-11-07 14:51+0100\n"
+ "PO-Revision-Date: 2014-12-14 11:51+0000\n"
+ "Last-Translator: Copied by Zanata <copied-by-zanata@zanata.org>\n"
+ "Language-Team: Breton (http://www.transifex.com/projects/p/sssd/language/"
+@@ -4401,10 +4401,8 @@ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:241
+-#, fuzzy
+-#| msgid "Default: 3"
+ msgid "Default: exop"
+-msgstr "Dre ziouer : 3"
++msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd-ldap.5.xml:247
+@@ -12045,10 +12043,8 @@ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-krb5.5.xml:533
+-#, fuzzy
+-#| msgid "Default: 3"
+ msgid "Default: 3:1"
+-msgstr "Dre ziouer : 3"
++msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd-krb5.5.xml:539
+diff --git a/src/man/po/ca.po b/src/man/po/ca.po
+index 49b945893..a819fa457 100644
+--- a/src/man/po/ca.po
++++ b/src/man/po/ca.po
+@@ -12,9 +12,9 @@
+ # Robert Antoni Buj Gelonch <rbuj@fedoraproject.org>, 2015. #zanata
+ msgid ""
+ msgstr ""
+-"Project-Id-Version: sssd-docs 2.0.99\n"
++"Project-Id-Version: sssd-docs 1.16.4\n"
+ "Report-Msgid-Bugs-To: sssd-devel@redhat.com\n"
+-"POT-Creation-Date: 2019-10-07 11:33+0200\n"
++"POT-Creation-Date: 2019-11-07 14:51+0100\n"
+ "PO-Revision-Date: 2015-10-18 04:13+0000\n"
+ "Last-Translator: Robert Antoni Buj Gelonch <rbuj@fedoraproject.org>\n"
+ "Language-Team: Catalan (http://www.transifex.com/projects/p/sssd/language/"
+@@ -3739,10 +3739,8 @@ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+ #: sssd.conf.5.xml:3018
+-#, fuzzy
+-#| msgid "False"
+ msgid "false"
+-msgstr "False"
++msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:3021
+@@ -3783,16 +3781,10 @@ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:2999
+-#, fuzzy
+-#| msgid ""
+-#| "Options valid for proxy domains.  <placeholder type=\"variablelist\" id="
+-#| "\"0\"/>"
+ msgid ""
+ "This option takes any of three available values: <placeholder type="
+ "\"variablelist\" id=\"0\"/>"
+ msgstr ""
+-"Opcions vàlides per als dominis del servidor intermediari. <placeholder type="
+-"\"variablelist\" id=\"0\"/>"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:3062
+@@ -4198,10 +4190,8 @@ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+ #: sssd.conf.5.xml:3367
+-#, fuzzy
+-#| msgid "ldap_sasl_mech (string)"
+ msgid "ldap_sasl_mech,"
+-msgstr "ldap_sasl_mech (cadena)"
++msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+ #: sssd.conf.5.xml:3368
+@@ -4232,10 +4222,8 @@ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><title>
+ #: sssd.conf.5.xml:3379
+-#, fuzzy
+-#| msgid "CONFIGURATION OPTIONS"
+ msgid "PROMPTING CONFIGURATION SECTION"
+-msgstr "OPCIONS DE CONFIGURACIÓ"
++msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+ #: sssd.conf.5.xml:3381
+@@ -4263,10 +4251,8 @@ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+ #: sssd.conf.5.xml:3404
+-#, fuzzy
+-#| msgid "password"
+ msgid "password_prompt"
+-msgstr "contrasenya"
++msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:3405
+@@ -4275,16 +4261,10 @@ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:3403
+-#, fuzzy
+-#| msgid ""
+-#| "Options valid for proxy domains.  <placeholder type=\"variablelist\" id="
+-#| "\"0\"/>"
+ msgid ""
+ "to configure password prompting, allowed options are: <placeholder type="
+ "\"variablelist\" id=\"0\"/>"
+ msgstr ""
+-"Opcions vàlides per als dominis del servidor intermediari. <placeholder type="
+-"\"variablelist\" id=\"0\"/>"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd.conf.5.xml:3413
+@@ -4326,16 +4306,10 @@ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:3415
+-#, fuzzy
+-#| msgid ""
+-#| "Options valid for proxy domains.  <placeholder type=\"variablelist\" id="
+-#| "\"0\"/>"
+ msgid ""
+ "to configure two-factor authentication prompting, allowed options are: "
+ "<placeholder type=\"variablelist\" id=\"0\"/>"
+ msgstr ""
+-"Opcions vàlides per als dominis del servidor intermediari. <placeholder type="
+-"\"variablelist\" id=\"0\"/>"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+ #: sssd.conf.5.xml:3396
+@@ -4692,10 +4666,8 @@ msgstr "Per defecte: rfc2307"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd-ldap.5.xml:209
+-#, fuzzy
+-#| msgid "ldap_group_modify_timestamp (string)"
+ msgid "ldap_pwmodify_mode (string)"
+-msgstr "ldap_group_modify_timestamp (cadena)"
++msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:212
+@@ -4704,10 +4676,8 @@ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:216
+-#, fuzzy
+-#| msgid "The two mechanisms currently supported are:"
+ msgid "Two modes are currently supported:"
+-msgstr "Els dos mecanismes suportats actualment són:"
++msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+ #: sssd-ldap.5.xml:220
+@@ -4730,10 +4700,8 @@ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:241
+-#, fuzzy
+-#| msgid "Default: gecos"
+ msgid "Default: exop"
+-msgstr "Per defecte: gecos"
++msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd-ldap.5.xml:247
+@@ -6451,16 +6419,10 @@ msgstr "ldap_sasl_mech (cadena)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:1808
+-#, fuzzy
+-#| msgid ""
+-#| "Specify the SASL mechanism to use.  Currently only GSSAPI is tested and "
+-#| "supported."
+ msgid ""
+ "Specify the SASL mechanism to use.  Currently only GSSAPI and GSS-SPNEGO are "
+ "tested and supported."
+ msgstr ""
+-"Especifica el mecanisme SASL a utilitzar.  Actualment només GSSAPI és provat "
+-"i suportat."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:1812
+@@ -6550,10 +6512,8 @@ msgstr "ldap_krb5_keytab (cadena)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:1889
+-#, fuzzy
+-#| msgid "Specify the keytab to use when using SASL/GSSAPI."
+ msgid "Specify the keytab to use when using SASL/GSSAPI/GSS-SPNEGO."
+-msgstr "Especifica el fitxer keytab a utilitzar quan s'utilitza SASL/GSSAPI."
++msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:1893
+@@ -6569,19 +6529,11 @@ msgstr "ldap_krb5_init_creds (booleà)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:1902
+-#, fuzzy
+-#| msgid ""
+-#| "Specifies that the id_provider should init Kerberos credentials (TGT).  "
+-#| "This action is performed only if SASL is used and the mechanism selected "
+-#| "is GSSAPI."
+ msgid ""
+ "Specifies that the id_provider should init Kerberos credentials (TGT).  This "
+ "action is performed only if SASL is used and the mechanism selected is "
+ "GSSAPI or GSS-SPNEGO."
+ msgstr ""
+-"Especifica que id_provider ha d'iniciar les credencials del Kerberos (TGT). "
+-"Aquesta acció únicament es realitza si s'utilitza SASL i el mecanisme "
+-"seleccionat és GSSAPI."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd-ldap.5.xml:1914
+@@ -6590,11 +6542,9 @@ msgstr "ldap_krb5_ticket_lifetime (enter)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:1917
+-#, fuzzy
+-#| msgid "Specifies the lifetime in seconds of the TGT if GSSAPI is used."
+ msgid ""
+ "Specifies the lifetime in seconds of the TGT if GSSAPI or GSS-SPNEGO is used."
+-msgstr "Especifica el temps de vida en segons de la TGT si s'utilitza GSSAPI."
++msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:1921 sssd-ad.5.xml:978
+@@ -6648,10 +6598,8 @@ msgstr "krb5_realm (cadena)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:1959
+-#, fuzzy
+-#| msgid "Specify the Kerberos REALM (for SASL/GSSAPI auth)."
+ msgid "Specify the Kerberos REALM (for SASL/GSSAPI/GSS-SPNEGO auth)."
+-msgstr "Especifica l'àmbit KERBEROS (per a l'autenticació SASL/GSSAPI)."
++msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:1963
+@@ -10635,17 +10583,13 @@ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ad.5.xml:435
+-#, fuzzy
+-#| msgid "Default: 5 (seconds)"
+ msgid "Default: False (seconds)"
+-msgstr "Per defecte: 5 (segons)"
++msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd-ad.5.xml:441
+-#, fuzzy
+-#| msgid "ad_enable_gc (boolean)"
+ msgid "ad_gpo_ignore_unreadable (boolean)"
+-msgstr "ad_enable_gc (booleà)"
++msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ad.5.xml:444
+@@ -12787,27 +12731,17 @@ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd-krb5.5.xml:505
+-#, fuzzy
+-#| msgid "krb5_confd_path (string)"
+ msgid "krb5_kdcinfo_lookahead (string)"
+-msgstr "krb5_confd_path (cadena)"
++msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-krb5.5.xml:508
+-#, fuzzy
+-#| msgid ""
+-#| "<quote>krb5</quote> to change the Kerberos password. See <citerefentry> "
+-#| "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </"
+-#| "citerefentry> for more information on configuring Kerberos."
+ msgid ""
+ "When krb5_use_kdcinfo is set to true, you can limit the amount of servers "
+ "handed to <citerefentry> <refentrytitle>sssd_krb5_locator_plugin</"
+ "refentrytitle> <manvolnum>8</manvolnum> </citerefentry>.  This might be "
+ "helpful when there are too many servers discovered using SRV record."
+ msgstr ""
+-"<quote>krb5</quote> per canviar la contrasenya Kerberos. Vegeu "
+-"<citerefentry><refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</"
+-"manvolnum></citerefentry> per a més informació sobre configurar Kerberos."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-krb5.5.xml:518
+@@ -12819,27 +12753,17 @@ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-krb5.5.xml:524
+-#, fuzzy
+-#| msgid ""
+-#| "<quote>krb5</quote> to change the Kerberos password. See <citerefentry> "
+-#| "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </"
+-#| "citerefentry> for more information on configuring Kerberos."
+ msgid ""
+ "For example <emphasis>10:0</emphasis> means that up to 10 primary servers "
+ "will be handed to <citerefentry> <refentrytitle>sssd_krb5_locator_plugin</"
+ "refentrytitle> <manvolnum>8</manvolnum> </citerefentry>.  but no backup "
+ "servers."
+ msgstr ""
+-"<quote>krb5</quote> per canviar la contrasenya Kerberos. Vegeu "
+-"<citerefentry><refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</"
+-"manvolnum></citerefentry> per a més informació sobre configurar Kerberos."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-krb5.5.xml:533
+-#, fuzzy
+-#| msgid "Default: 3"
+ msgid "Default: 3:1"
+-msgstr "Per defecte: 3"
++msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd-krb5.5.xml:539
+@@ -14456,12 +14380,6 @@ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+ #: sssd-files.5.xml:59
+-#, fuzzy
+-#| msgid ""
+-#| "Refer to the section <quote>DOMAIN SECTIONS</quote> of the <citerefentry> "
+-#| "<refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</manvolnum> </"
+-#| "citerefentry> manual page for details on the configuration of an SSSD "
+-#| "domain.  <placeholder type=\"variablelist\" id=\"0\"/>"
+ msgid ""
+ "In addition to the options listed below, generic SSSD domain options can be "
+ "set where applicable.  Refer to the section <quote>DOMAIN SECTIONS</quote> "
+@@ -14469,10 +14387,6 @@ msgid ""
+ "manvolnum> </citerefentry> manual page for details on the configuration of "
+ "an SSSD domain.  <placeholder type=\"variablelist\" id=\"0\"/>"
+ msgstr ""
+-"Per a més informació sobre la configuració d'un domini SSSD, consulteu la "
+-"secció <quote>SECCIONS DELS DOMINIS</quote> de la pàgina del manual "
+-"<citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</"
+-"manvolnum> </citerefentry>. <placeholder type=\"variablelist\" id=\"0\"/>"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+ #: sssd-files.5.xml:105
+diff --git a/src/man/po/cs.po b/src/man/po/cs.po
+index 73ba69ee9..da1e91901 100644
+--- a/src/man/po/cs.po
++++ b/src/man/po/cs.po
+@@ -5,13 +5,14 @@
+ # Translators:
+ # sgallagh <sgallagh@redhat.com>, 2011
+ # Zdenek <chmelarz@gmail.com>, 2017. #zanata
++# Pavel Borecki <pavel.borecki@gmail.com>, 2019. #zanata
+ msgid ""
+ msgstr ""
+-"Project-Id-Version: sssd-docs 2.0.99\n"
++"Project-Id-Version: sssd-docs 1.16.4\n"
+ "Report-Msgid-Bugs-To: sssd-devel@redhat.com\n"
+-"POT-Creation-Date: 2019-10-07 11:33+0200\n"
+-"PO-Revision-Date: 2017-09-11 08:53+0000\n"
+-"Last-Translator: Zdenek <chmelarz@gmail.com>\n"
++"POT-Creation-Date: 2019-11-07 14:51+0100\n"
++"PO-Revision-Date: 2019-06-21 02:15+0000\n"
++"Last-Translator: Pavel Borecki <pavel.borecki@gmail.com>\n"
+ "Language-Team: Czech (http://www.transifex.com/projects/p/sssd/language/"
+ "cs/)\n"
+ "Language: cs\n"
+@@ -3990,13 +3991,10 @@ msgstr ""
+ msgid "[prompting/password]"
+ msgstr ""
+ 
+-# auto translated by TM merge from project: FreeIPA, version: ipa-4-5, DocId: po/ipa
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+ #: sssd.conf.5.xml:3404
+-#, fuzzy
+-#| msgid "password"
+ msgid "password_prompt"
+-msgstr "heslo"
++msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:3405
+@@ -7682,7 +7680,7 @@ msgstr ""
+ #. type: Content of: <reference><refentry><refnamediv><refname>
+ #: sssd-simple.5.xml:10 sssd-simple.5.xml:16
+ msgid "sssd-simple"
+-msgstr ""
++msgstr "sssd-simple"
+ 
+ #. type: Content of: <reference><refentry><refnamediv><refpurpose>
+ #: sssd-simple.5.xml:17
+@@ -7710,7 +7708,7 @@ msgstr ""
+ #. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para>
+ #: sssd-simple.5.xml:43
+ msgid "If all lists are empty, access is granted"
+-msgstr ""
++msgstr "Pokud jsou všechny seznamy prázdné, přístup je udělen"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para>
+ #: sssd-simple.5.xml:47
+@@ -7736,7 +7734,7 @@ msgstr ""
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd-simple.5.xml:78
+ msgid "simple_allow_users (string)"
+-msgstr ""
++msgstr "simple_allow_users (řetězec)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-simple.5.xml:81
+@@ -7746,7 +7744,7 @@ msgstr ""
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd-simple.5.xml:88
+ msgid "simple_deny_users (string)"
+-msgstr ""
++msgstr "simple_deny_users (řetězec)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-simple.5.xml:91
+@@ -7756,7 +7754,7 @@ msgstr ""
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd-simple.5.xml:97
+ msgid "simple_allow_groups (string)"
+-msgstr ""
++msgstr "simple_allow_groups (řetězec)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-simple.5.xml:100
+@@ -7768,7 +7766,7 @@ msgstr ""
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd-simple.5.xml:108
+ msgid "simple_deny_groups (string)"
+-msgstr ""
++msgstr "simple_deny_groups (řetězec)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-simple.5.xml:111
+@@ -7833,7 +7831,7 @@ msgstr ""
+ #. type: Content of: <reference><refentry><refnamediv><refname>
+ #: sss-certmap.5.xml:10 sss-certmap.5.xml:16
+ msgid "sss-certmap"
+-msgstr ""
++msgstr "sss-certmap"
+ 
+ #. type: Content of: <reference><refentry><refnamediv><refpurpose>
+ #: sss-certmap.5.xml:17
+@@ -7933,7 +7931,7 @@ msgstr ""
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+ #: sss-certmap.5.xml:93
+ msgid "Example: &lt;SUBJECT&gt;.*,DC=MY,DC=DOMAIN"
+-msgstr ""
++msgstr "Příklad: &lt;SUBJECT&gt;.*,DC=MOJE,DC=DOMENA"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+ #: sss-certmap.5.xml:98
+@@ -7967,47 +7965,47 @@ msgstr ""
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+ #: sss-certmap.5.xml:118
+ msgid "digitalSignature"
+-msgstr ""
++msgstr "digitalSignature"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+ #: sss-certmap.5.xml:119
+ msgid "nonRepudiation"
+-msgstr ""
++msgstr "nonRepudiation"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+ #: sss-certmap.5.xml:120
+ msgid "keyEncipherment"
+-msgstr ""
++msgstr "keyEncipherment"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+ #: sss-certmap.5.xml:121
+ msgid "dataEncipherment"
+-msgstr ""
++msgstr "dataEncipherment"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+ #: sss-certmap.5.xml:122
+ msgid "keyAgreement"
+-msgstr ""
++msgstr "keyAgreement"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+ #: sss-certmap.5.xml:123
+ msgid "keyCertSign"
+-msgstr ""
++msgstr "keyCertSign"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+ #: sss-certmap.5.xml:124
+ msgid "cRLSign"
+-msgstr ""
++msgstr "cRLSign"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+ #: sss-certmap.5.xml:125
+ msgid "encipherOnly"
+-msgstr ""
++msgstr "encipherOnly"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+ #: sss-certmap.5.xml:126
+ msgid "decipherOnly"
+-msgstr ""
++msgstr "decipherOnly"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+ #: sss-certmap.5.xml:130
+@@ -8036,47 +8034,47 @@ msgstr ""
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+ #: sss-certmap.5.xml:146
+ msgid "serverAuth"
+-msgstr ""
++msgstr "serverAuth"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+ #: sss-certmap.5.xml:147
+ msgid "clientAuth"
+-msgstr ""
++msgstr "clientAuth"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+ #: sss-certmap.5.xml:148
+ msgid "codeSigning"
+-msgstr ""
++msgstr "codeSigning"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+ #: sss-certmap.5.xml:149
+ msgid "emailProtection"
+-msgstr ""
++msgstr "emailProtection"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+ #: sss-certmap.5.xml:150
+ msgid "timeStamping"
+-msgstr ""
++msgstr "timeStamping"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+ #: sss-certmap.5.xml:151
+ msgid "OCSPSigning"
+-msgstr ""
++msgstr "OCSPSigning"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+ #: sss-certmap.5.xml:152
+ msgid "KPClientAuth"
+-msgstr ""
++msgstr "KPClientAuth"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+ #: sss-certmap.5.xml:153
+ msgid "pkinit"
+-msgstr ""
++msgstr "pkinit"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+ #: sss-certmap.5.xml:154
+ msgid "msScLogin"
+-msgstr ""
++msgstr "msScLogin"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+ #: sss-certmap.5.xml:158
+@@ -8365,7 +8363,7 @@ msgstr ""
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+ #: sss-certmap.5.xml:376
+ msgid "{issuer_dn[!((ad|ad_x500)|ad_ldap|nss_x500|(nss|nss_ldap))]}"
+-msgstr ""
++msgstr "{issuer_dn[!((ad|ad_x500)|ad_ldap|nss_x500|(nss|nss_ldap))]}"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+ #: sss-certmap.5.xml:379
+@@ -8426,7 +8424,7 @@ msgstr ""
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+ #: sss-certmap.5.xml:428
+ msgid "{cert[!(bin|base64)]}"
+-msgstr ""
++msgstr "{cert[!(bin|base64)]}"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+ #: sss-certmap.5.xml:431
+@@ -8441,12 +8439,12 @@ msgstr ""
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+ #: sss-certmap.5.xml:439
+ msgid "Example: (userCertificate;binary={cert!bin})"
+-msgstr ""
++msgstr "Příklad: (userCertificate;binary={cert!bin})"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+ #: sss-certmap.5.xml:444
+ msgid "{subject_principal[.short_name]}"
+-msgstr ""
++msgstr "{subject_principal[.short_name]}"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+ #: sss-certmap.5.xml:447
+@@ -8482,11 +8480,13 @@ msgid ""
+ "Example: (|(userPrincipal={subject_pkinit_principal})"
+ "(uid={subject_pkinit_principal.short_name}))"
+ msgstr ""
++"Příklad: (|(userPrincipal={subject_pkinit_principal})"
++"(uid={subject_pkinit_principal.short_name}))"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+ #: sss-certmap.5.xml:472
+ msgid "{subject_nt_principal[.short_name]}"
+-msgstr ""
++msgstr "{subject_nt_principal[.short_name]}"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+ #: sss-certmap.5.xml:475
+@@ -8499,7 +8499,7 @@ msgstr ""
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+ #: sss-certmap.5.xml:486
+ msgid "{subject_rfc822_name[.short_name]}"
+-msgstr ""
++msgstr "{subject_rfc822_name[.short_name]}"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+ #: sss-certmap.5.xml:489
+@@ -8515,11 +8515,13 @@ msgid ""
+ "Example: (|(mail={subject_rfc822_name})(uid={subject_rfc822_name."
+ "short_name}))"
+ msgstr ""
++"Příklad: (|(mail={subject_rfc822_name})(uid={subject_rfc822_name."
++"short_name}))"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+ #: sss-certmap.5.xml:500
+ msgid "{subject_dns_name[.short_name]}"
+-msgstr ""
++msgstr "{subject_dns_name[.short_name]}"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+ #: sss-certmap.5.xml:503
+@@ -8534,11 +8536,12 @@ msgstr ""
+ msgid ""
+ "Example: (|(fqdn={subject_dns_name})(host={subject_dns_name.short_name}))"
+ msgstr ""
++"Příklad: (|(fqdn={subject_dns_name})(host={subject_dns_name.short_name}))"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+ #: sss-certmap.5.xml:514
+ msgid "{subject_uri}"
+-msgstr ""
++msgstr "{subject_uri}"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+ #: sss-certmap.5.xml:517
+@@ -8550,7 +8553,7 @@ msgstr ""
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+ #: sss-certmap.5.xml:521
+ msgid "Example: (uri={subject_uri})"
+-msgstr ""
++msgstr "Příklad: (uri={subject_uri})"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+ #: sss-certmap.5.xml:526
+@@ -14647,12 +14650,12 @@ msgstr ""
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+ #: sssd-systemtap.5.xml:124
+ msgid "probe sssd_transaction_commit_after"
+-msgstr ""
++msgstr "vyzkoušet sssd_transaction_commit_after"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+ #: sssd-systemtap.5.xml:127
+ msgid "Probes the sysdb_transaction_commit_after()  function."
+-msgstr ""
++msgstr "Vyzkouší funkci sysdb_transaction_commit_after()."
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><title>
+ #: sssd-systemtap.5.xml:141
+@@ -14662,12 +14665,12 @@ msgstr ""
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+ #: sssd-systemtap.5.xml:145
+ msgid "probe sdap_search_send"
+-msgstr ""
++msgstr "vyzkouší sdap_search_send"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+ #: sssd-systemtap.5.xml:148
+ msgid "Probes the sdap_get_generic_ext_send()  function."
+-msgstr ""
++msgstr "Vyzkouší funkci sdap_get_generic_ext_send()."
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting>
+ #: sssd-systemtap.5.xml:152 sssd-systemtap.5.xml:167 sssd-systemtap.5.xml:196
+@@ -14793,22 +14796,22 @@ msgstr ""
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+ #: sssd-systemtap.5.xml:274
+ msgid "probe sdap_search_user_save_begin"
+-msgstr ""
++msgstr "probe sdap_search_user_save_begin"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+ #: sssd-systemtap.5.xml:277
+ msgid "Probes the sdap_search_user_save_begin()  function."
+-msgstr ""
++msgstr "Zkouší funkci sdap_search_user_save_begin()."
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+ #: sssd-systemtap.5.xml:286
+ msgid "probe sdap_search_user_save_end"
+-msgstr ""
++msgstr "vyzkoušet sdap_search_user_save_end"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+ #: sssd-systemtap.5.xml:289
+ msgid "Probes the sdap_search_user_save_end()  function."
+-msgstr ""
++msgstr "Vyzkouší funkci sdap_search_user_save_end()."
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><title>
+ #: sssd-systemtap.5.xml:302
+@@ -14818,7 +14821,7 @@ msgstr ""
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+ #: sssd-systemtap.5.xml:306
+ msgid "probe dp_req_send"
+-msgstr ""
++msgstr "probe dp_req_send"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+ #: sssd-systemtap.5.xml:309
+@@ -14839,7 +14842,7 @@ msgstr ""
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+ #: sssd-systemtap.5.xml:320
+ msgid "probe dp_req_done"
+-msgstr ""
++msgstr "probe dp_req_done"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+ #: sssd-systemtap.5.xml:323
+@@ -14861,12 +14864,12 @@ msgstr ""
+ #. type: Content of: <reference><refentry><refsect1><refsect2><title>
+ #: sssd-systemtap.5.xml:339
+ msgid "MISCELLANEOUS FUNCTIONS"
+-msgstr ""
++msgstr "RŮZNÉ FUNKCE"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+ #: sssd-systemtap.5.xml:346
+ msgid "function acct_req_desc(entry_type)"
+-msgstr ""
++msgstr "function acct_req_desc(entry_type)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+ #: sssd-systemtap.5.xml:349
+@@ -14879,6 +14882,8 @@ msgid ""
+ "function sssd_acct_req_probestr(fc_name, entry_type, filter_type, "
+ "filter_value, extra_value)"
+ msgstr ""
++"funkce sssd_acct_req_probestr(fc_name, entry_type, filter_type, "
++"filter_value, extra_value)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+ #: sssd-systemtap.5.xml:358
+@@ -14888,7 +14893,7 @@ msgstr ""
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+ #: sssd-systemtap.5.xml:363
+ msgid "function dp_target_str(target)"
+-msgstr ""
++msgstr "funkce dp_target_str(target)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+ #: sssd-systemtap.5.xml:366
+@@ -14898,17 +14903,17 @@ msgstr ""
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+ #: sssd-systemtap.5.xml:371
+ msgid "function dp_method_str(target)"
+-msgstr ""
++msgstr "funkce dp_method_str(target)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+ #: sssd-systemtap.5.xml:374
+ msgid "Convert method to string and return string"
+-msgstr ""
++msgstr "Převést metodu na řetězec a vrátit řetězec"
+ 
+ #. type: Content of: <refsect1><title>
+ #: include/service_discovery.xml:2
+ msgid "SERVICE DISCOVERY"
+-msgstr ""
++msgstr "OBJEVOVÁNÍ SLUŽBY"
+ 
+ #. type: Content of: <refsect1><para>
+ #: include/service_discovery.xml:4
+@@ -14921,7 +14926,7 @@ msgstr ""
+ #. type: Content of: <refsect1><refsect2><title>
+ #: include/service_discovery.xml:9 include/ldap_id_mapping.xml:99
+ msgid "Configuration"
+-msgstr ""
++msgstr "Nastavení"
+ 
+ #. type: Content of: <refsect1><refsect2><para>
+ #: include/service_discovery.xml:11
+@@ -14938,7 +14943,7 @@ msgstr ""
+ #. type: Content of: <refsect1><refsect2><title>
+ #: include/service_discovery.xml:23
+ msgid "The domain name"
+-msgstr ""
++msgstr "Název domény"
+ 
+ #. type: Content of: <refsect1><refsect2><para>
+ #: include/service_discovery.xml:25
+@@ -14951,7 +14956,7 @@ msgstr ""
+ #. type: Content of: <refsect1><refsect2><title>
+ #: include/service_discovery.xml:35
+ msgid "The protocol"
+-msgstr ""
++msgstr "Protokol"
+ 
+ #. type: Content of: <refsect1><refsect2><para>
+ #: include/service_discovery.xml:37
+@@ -14963,7 +14968,7 @@ msgstr ""
+ #. type: Content of: <refsect1><refsect2><title>
+ #: include/service_discovery.xml:42
+ msgid "See Also"
+-msgstr ""
++msgstr "Viz také"
+ 
+ #. type: Content of: <refsect1><refsect2><para>
+ #: include/service_discovery.xml:44
+@@ -14981,7 +14986,7 @@ msgstr ""
+ #. type: Content of: outside any tag (error?)
+ #: include/upstream.xml:1
+ msgid "<placeholder type=\"refentryinfo\" id=\"0\"/>"
+-msgstr ""
++msgstr "<placeholder type=\"refentryinfo\" id=\"0\"/>"
+ 
+ #. type: Content of: <refsect1><title>
+ #: include/failover.xml:2
+@@ -15076,7 +15081,7 @@ msgstr ""
+ #. type: Content of: <refsect1><refsect2><para><variablelist><varlistentry><term>
+ #: include/failover.xml:76
+ msgid "dns_resolver_op_timeout"
+-msgstr ""
++msgstr "dns_resolver_op_timeout"
+ 
+ #. type: Content of: <refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+ #: include/failover.xml:80
+@@ -15086,7 +15091,7 @@ msgstr ""
+ #. type: Content of: <refsect1><refsect2><para><variablelist><varlistentry><term>
+ #: include/failover.xml:86
+ msgid "dns_resolver_timeout"
+-msgstr ""
++msgstr "dns_resolver_timeout"
+ 
+ #. type: Content of: <refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+ #: include/failover.xml:90
+@@ -15118,7 +15123,7 @@ msgstr ""
+ #. type: Content of: <refsect1><title>
+ #: include/ldap_id_mapping.xml:2
+ msgid "ID MAPPING"
+-msgstr ""
++msgstr "MAPOVÁNÍ IDENTIFIKÁTORŮ"
+ 
+ #. type: Content of: <refsect1><para>
+ #: include/ldap_id_mapping.xml:4
+@@ -15159,17 +15164,17 @@ msgstr ""
+ #. type: Content of: <refsect1><para><itemizedlist><listitem><para>
+ #: include/ldap_id_mapping.xml:38
+ msgid "Stopping the SSSD service"
+-msgstr ""
++msgstr "Zastavování služby SSSD"
+ 
+ #. type: Content of: <refsect1><para><itemizedlist><listitem><para>
+ #: include/ldap_id_mapping.xml:43
+ msgid "Removing the database"
+-msgstr ""
++msgstr "Odebrání databáze"
+ 
+ #. type: Content of: <refsect1><para><itemizedlist><listitem><para>
+ #: include/ldap_id_mapping.xml:48
+ msgid "Starting the SSSD service"
+-msgstr ""
++msgstr "Spuštění služby SSSD"
+ 
+ #. type: Content of: <refsect1><para>
+ #: include/ldap_id_mapping.xml:52
+@@ -15182,7 +15187,7 @@ msgstr ""
+ #. type: Content of: <refsect1><refsect2><title>
+ #: include/ldap_id_mapping.xml:59
+ msgid "Mapping Algorithm"
+-msgstr ""
++msgstr "Mapovací algoritmus"
+ 
+ #. type: Content of: <refsect1><refsect2><para>
+ #: include/ldap_id_mapping.xml:61
+@@ -15244,6 +15249,8 @@ msgid ""
+ "ldap_id_mapping = True\n"
+ "ldap_schema = ad\n"
+ msgstr ""
++"ldap_id_mapping = True\n"
++"ldap_schema = ad\n"
+ 
+ #. type: Content of: <refsect1><refsect2><para>
+ #: include/ldap_id_mapping.xml:111
+@@ -15256,12 +15263,12 @@ msgstr ""
+ #. type: Content of: <refsect1><refsect2><refsect3><title>
+ #: include/ldap_id_mapping.xml:117
+ msgid "Advanced Configuration"
+-msgstr ""
++msgstr "Pokročilé nastavení"
+ 
+ #. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><term>
+ #: include/ldap_id_mapping.xml:120
+ msgid "ldap_idmap_range_min (integer)"
+-msgstr ""
++msgstr "ldap_idmap_range_min (celé číslo)"
+ 
+ #. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
+ #: include/ldap_id_mapping.xml:123
+@@ -15283,12 +15290,12 @@ msgstr ""
+ #. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
+ #: include/ldap_id_mapping.xml:137 include/ldap_id_mapping.xml:191
+ msgid "Default: 200000"
+-msgstr ""
++msgstr "Výchozí: 200000"
+ 
+ #. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><term>
+ #: include/ldap_id_mapping.xml:142
+ msgid "ldap_idmap_range_max (integer)"
+-msgstr ""
++msgstr "ldap_idmap_range_max (celé číslo)"
+ 
+ #. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
+ #: include/ldap_id_mapping.xml:145
+@@ -15310,12 +15317,12 @@ msgstr ""
+ #. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
+ #: include/ldap_id_mapping.xml:159
+ msgid "Default: 2000200000"
+-msgstr ""
++msgstr "Výchozí: 2000200000"
+ 
+ #. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><term>
+ #: include/ldap_id_mapping.xml:164
+ msgid "ldap_idmap_range_size (integer)"
+-msgstr ""
++msgstr "ldap_idmap_range_size (celé číslo)"
+ 
+ #. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
+ #: include/ldap_id_mapping.xml:167
+@@ -15353,7 +15360,7 @@ msgstr ""
+ #. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><term>
+ #: include/ldap_id_mapping.xml:196
+ msgid "ldap_idmap_default_domain_sid (string)"
+-msgstr ""
++msgstr "ldap_idmap_default_domain_sid (řetězec)"
+ 
+ #. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
+ #: include/ldap_id_mapping.xml:199
+@@ -15366,7 +15373,7 @@ msgstr ""
+ #. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><term>
+ #: include/ldap_id_mapping.xml:210
+ msgid "ldap_idmap_default_domain (string)"
+-msgstr ""
++msgstr "ldap_idmap_default_domain (řetězec)"
+ 
+ #. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
+ #: include/ldap_id_mapping.xml:213
+@@ -15405,7 +15412,7 @@ msgstr ""
+ #. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><term>
+ #: include/ldap_id_mapping.xml:249
+ msgid "ldap_idmap_helper_table_size (integer)"
+-msgstr ""
++msgstr "ldap_idmap_helper_table_size (celé číslo)"
+ 
+ #. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
+ #: include/ldap_id_mapping.xml:252
+@@ -15472,7 +15479,7 @@ msgstr ""
+ #. type: Content of: <refsect1><refsect2><para><itemizedlist><listitem><para>
+ #: include/ldap_id_mapping.xml:289
+ msgid "Built-in"
+-msgstr ""
++msgstr "Vestavěné"
+ 
+ #. type: Content of: <refsect1><refsect2><para>
+ #: include/ldap_id_mapping.xml:291
+@@ -15497,7 +15504,7 @@ msgstr ""
+ #. type: Content of: <varlistentry><term>
+ #: include/param_help.xml:3
+ msgid "<option>-?</option>,<option>--help</option>"
+-msgstr ""
++msgstr "<option>-?</option>,<option>--help</option>"
+ 
+ #. type: Content of: <varlistentry><listitem><para>
+ #: include/param_help.xml:7 include/param_help_py.xml:7
+@@ -15738,12 +15745,12 @@ msgstr ""
+ #: include/ldap_search_bases.xml:9
+ #, no-wrap
+ msgid "search_base[?scope?[filter][?search_base?scope?[filter]]*]\n"
+-msgstr ""
++msgstr "search_base[?scope?[filter][?search_base?scope?[filter]]*]\n"
+ 
+ #. type: Content of: <listitem><para>
+ #: include/ldap_search_bases.xml:7
+ msgid "syntax: <placeholder type=\"programlisting\" id=\"0\"/>"
+-msgstr ""
++msgstr "syntaxe: <placeholder type=\"programlisting\" id=\"0\"/>"
+ 
+ #. type: Content of: <listitem><para>
+ #: include/ldap_search_bases.xml:13
+@@ -15779,7 +15786,7 @@ msgstr ""
+ #. type: Content of: <varlistentry><term>
+ #: include/override_homedir.xml:2
+ msgid "override_homedir (string)"
+-msgstr ""
++msgstr "override_homedir (řetězec)"
+ 
+ #. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+ #: include/override_homedir.xml:16
+@@ -15794,7 +15801,7 @@ msgstr ""
+ #. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term>
+ #: include/override_homedir.xml:23
+ msgid "%f"
+-msgstr ""
++msgstr "%f"
+ 
+ #. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+ #: include/override_homedir.xml:24
+@@ -15804,7 +15811,7 @@ msgstr ""
+ #. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term>
+ #: include/override_homedir.xml:27
+ msgid "%l"
+-msgstr ""
++msgstr "%l"
+ 
+ #. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+ #: include/override_homedir.xml:28
+@@ -15915,37 +15922,37 @@ msgstr ""
+ #. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+ #: include/ad_modified_defaults.xml:28
+ msgid "ldap_schema = ad"
+-msgstr ""
++msgstr "ldap_schema = ad"
+ 
+ #. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+ #: include/ad_modified_defaults.xml:33 include/ipa_modified_defaults.xml:38
+ msgid "ldap_force_upper_case_realm = true"
+-msgstr ""
++msgstr "ldap_force_upper_case_realm = true"
+ 
+ #. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+ #: include/ad_modified_defaults.xml:38
+ msgid "ldap_id_mapping = true"
+-msgstr ""
++msgstr "ldap_id_mapping = true"
+ 
+ #. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+ #: include/ad_modified_defaults.xml:43
+ msgid "ldap_sasl_mech = gssapi"
+-msgstr ""
++msgstr "ldap_sasl_mech = gssapi"
+ 
+ #. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+ #: include/ad_modified_defaults.xml:48
+ msgid "ldap_referrals = false"
+-msgstr ""
++msgstr "ldap_referrals = false"
+ 
+ #. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+ #: include/ad_modified_defaults.xml:53
+ msgid "ldap_account_expire_policy = ad"
+-msgstr ""
++msgstr "ldap_account_expire_policy = ad"
+ 
+ #. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+ #: include/ad_modified_defaults.xml:58 include/ipa_modified_defaults.xml:58
+ msgid "ldap_use_tokengroups = true"
+-msgstr ""
++msgstr "ldap_use_tokengroups = true"
+ 
+ #. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+ #: include/ad_modified_defaults.xml:63
+@@ -15967,12 +15974,12 @@ msgstr ""
+ #. type: Content of: <refsect1><refsect2><title>
+ #: include/ad_modified_defaults.xml:80
+ msgid "NSS configuration"
+-msgstr ""
++msgstr "Nastavení NSS"
+ 
+ #. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+ #: include/ad_modified_defaults.xml:84
+ msgid "fallback_homedir = /home/%d/%u"
+-msgstr ""
++msgstr "fallback_homedir = /home/%d/%u"
+ 
+ #. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+ #: include/ad_modified_defaults.xml:87
+@@ -15995,17 +16002,17 @@ msgstr ""
+ #. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+ #: include/ipa_modified_defaults.xml:18
+ msgid "krb5_use_fast = try"
+-msgstr ""
++msgstr "krb5_use_fast = try"
+ 
+ #. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+ #: include/ipa_modified_defaults.xml:23
+ msgid "krb5_canonicalize = true"
+-msgstr ""
++msgstr "krb5_canonicalize = true"
+ 
+ #. type: Content of: <refsect1><refsect2><title>
+ #: include/ipa_modified_defaults.xml:29
+ msgid "LDAP Provider - General"
+-msgstr ""
++msgstr "LDAP poskytovatel – obecné"
+ 
+ #. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+ #: include/ipa_modified_defaults.xml:33
+@@ -16065,24 +16072,24 @@ msgstr ""
+ #. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+ #: include/ipa_modified_defaults.xml:98
+ msgid "ldap_group_object_class_alt = posixGroup"
+-msgstr ""
++msgstr "ldap_group_object_class_alt = posixGroup"
+ 
+ #. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+ #: include/ipa_modified_defaults.xml:103
+ msgid "ldap_group_member = member"
+-msgstr ""
++msgstr "ldap_group_member = member"
+ 
+ #. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+ #: include/ipa_modified_defaults.xml:108
+ msgid "ldap_group_uuid = ipaUniqueID"
+-msgstr ""
++msgstr "ldap_group_uuid = ipaUniqueID"
+ 
+ #. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+ #: include/ipa_modified_defaults.xml:113
+ msgid "ldap_group_objectsid = ipaNTSecurityIdentifier"
+-msgstr ""
++msgstr "ldap_group_objectsid = ipaNTSecurityIdentifier"
+ 
+ #. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+ #: include/ipa_modified_defaults.xml:118
+ msgid "ldap_group_external_member = ipaExternalMember"
+-msgstr ""
++msgstr "ldap_group_external_member = ipaExternalMember"
+diff --git a/src/man/po/de.po b/src/man/po/de.po
+index bc021ec26..bed1fa55a 100644
+--- a/src/man/po/de.po
++++ b/src/man/po/de.po
+@@ -8,9 +8,9 @@
+ # Mario Blättermann <mario.blaettermann@gmail.com>, 2014
+ msgid ""
+ msgstr ""
+-"Project-Id-Version: sssd-docs 2.0.99\n"
++"Project-Id-Version: sssd-docs 1.16.4\n"
+ "Report-Msgid-Bugs-To: sssd-devel@redhat.com\n"
+-"POT-Creation-Date: 2019-10-07 11:33+0200\n"
++"POT-Creation-Date: 2019-11-07 14:51+0100\n"
+ "PO-Revision-Date: 2014-12-14 11:53+0000\n"
+ "Last-Translator: Copied by Zanata <copied-by-zanata@zanata.org>\n"
+ "Language-Team: German (http://www.transifex.com/projects/p/sssd/language/"
+@@ -3960,16 +3960,10 @@ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:2999
+-#, fuzzy
+-#| msgid ""
+-#| "Options valid for proxy domains.  <placeholder type=\"variablelist\" id="
+-#| "\"0\"/>"
+ msgid ""
+ "This option takes any of three available values: <placeholder type="
+ "\"variablelist\" id=\"0\"/>"
+ msgstr ""
+-"gültige Optionen für Proxy-Domains. <placeholder type=\"variablelist\" id="
+-"\"0\"/>"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:3062
+@@ -4387,10 +4381,8 @@ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+ #: sssd.conf.5.xml:3367
+-#, fuzzy
+-#| msgid "ldap_sasl_mech (string)"
+ msgid "ldap_sasl_mech,"
+-msgstr "ldap_sasl_mech (Zeichenkette)"
++msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+ #: sssd.conf.5.xml:3368
+@@ -4421,10 +4413,8 @@ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><title>
+ #: sssd.conf.5.xml:3379
+-#, fuzzy
+-#| msgid "CONFIGURATION OPTIONS"
+ msgid "PROMPTING CONFIGURATION SECTION"
+-msgstr "KONFIGURATIONSOPTIONEN"
++msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+ #: sssd.conf.5.xml:3381
+@@ -4452,10 +4442,8 @@ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+ #: sssd.conf.5.xml:3404
+-#, fuzzy
+-#| msgid "password"
+ msgid "password_prompt"
+-msgstr "password"
++msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:3405
+@@ -4464,16 +4452,10 @@ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:3403
+-#, fuzzy
+-#| msgid ""
+-#| "Options valid for proxy domains.  <placeholder type=\"variablelist\" id="
+-#| "\"0\"/>"
+ msgid ""
+ "to configure password prompting, allowed options are: <placeholder type="
+ "\"variablelist\" id=\"0\"/>"
+ msgstr ""
+-"gültige Optionen für Proxy-Domains. <placeholder type=\"variablelist\" id="
+-"\"0\"/>"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd.conf.5.xml:3413
+@@ -4515,16 +4497,10 @@ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:3415
+-#, fuzzy
+-#| msgid ""
+-#| "Options valid for proxy domains.  <placeholder type=\"variablelist\" id="
+-#| "\"0\"/>"
+ msgid ""
+ "to configure two-factor authentication prompting, allowed options are: "
+ "<placeholder type=\"variablelist\" id=\"0\"/>"
+ msgstr ""
+-"gültige Optionen für Proxy-Domains. <placeholder type=\"variablelist\" id="
+-"\"0\"/>"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+ #: sssd.conf.5.xml:3396
+@@ -4925,10 +4901,8 @@ msgstr "Voreinstellung: rfc2307"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd-ldap.5.xml:209
+-#, fuzzy
+-#| msgid "ldap_group_modify_timestamp (string)"
+ msgid "ldap_pwmodify_mode (string)"
+-msgstr "ldap_group_modify_timestamp (Zeichenkette)"
++msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:212
+@@ -4937,10 +4911,8 @@ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:216
+-#, fuzzy
+-#| msgid "Four schema types are currently supported:"
+ msgid "Two modes are currently supported:"
+-msgstr "Derzeit werden vier Schematypen unterstützt:"
++msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+ #: sssd-ldap.5.xml:220
+@@ -4963,10 +4935,8 @@ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:241
+-#, fuzzy
+-#| msgid "Default: gecos"
+ msgid "Default: exop"
+-msgstr "Voreinstellung: gecos"
++msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd-ldap.5.xml:247
+@@ -6828,16 +6798,10 @@ msgstr "ldap_sasl_mech (Zeichenkette)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:1808
+-#, fuzzy
+-#| msgid ""
+-#| "Specify the SASL mechanism to use.  Currently only GSSAPI is tested and "
+-#| "supported."
+ msgid ""
+ "Specify the SASL mechanism to use.  Currently only GSSAPI and GSS-SPNEGO are "
+ "tested and supported."
+ msgstr ""
+-"gibt an, welcher SASL-Mechanismus benutzt werden soll. Derzeit ist nur "
+-"GSSAPI getestet und wird unterstützt."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:1812
+@@ -6933,10 +6897,8 @@ msgstr "ldap_krb5_keytab (Zeichenkette)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:1889
+-#, fuzzy
+-#| msgid "Specify the keytab to use when using SASL/GSSAPI."
+ msgid "Specify the keytab to use when using SASL/GSSAPI/GSS-SPNEGO."
+-msgstr "gibt die Keytab an, wenn SASL/GSSAPI benutzt wird."
++msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:1893
+@@ -6952,19 +6914,11 @@ msgstr "ldap_krb5_init_creds (Boolesch)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:1902
+-#, fuzzy
+-#| msgid ""
+-#| "Specifies that the id_provider should init Kerberos credentials (TGT).  "
+-#| "This action is performed only if SASL is used and the mechanism selected "
+-#| "is GSSAPI."
+ msgid ""
+ "Specifies that the id_provider should init Kerberos credentials (TGT).  This "
+ "action is performed only if SASL is used and the mechanism selected is "
+ "GSSAPI or GSS-SPNEGO."
+ msgstr ""
+-"gibt an, dass der »id_provider« Kerberos-Anmeldedaten (TGT) initialisieren "
+-"soll. Diese Aktion wird nur durchgeführt, falls SASL benutzt wird und der "
+-"ausgewählte Mechnaismus GSSAPI ist."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd-ldap.5.xml:1914
+@@ -6973,12 +6927,9 @@ msgstr "ldap_krb5_ticket_lifetime (Ganzzahl)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:1917
+-#, fuzzy
+-#| msgid "Specifies the lifetime in seconds of the TGT if GSSAPI is used."
+ msgid ""
+ "Specifies the lifetime in seconds of the TGT if GSSAPI or GSS-SPNEGO is used."
+ msgstr ""
+-"gibt die Lebensdauer eines TGT in Sekunden an, falls GSSAPI benutzt wird."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:1921 sssd-ad.5.xml:978
+@@ -7039,10 +6990,8 @@ msgstr "krb5_realm (Zeichenkette)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:1959
+-#, fuzzy
+-#| msgid "Specify the Kerberos REALM (for SASL/GSSAPI auth)."
+ msgid "Specify the Kerberos REALM (for SASL/GSSAPI/GSS-SPNEGO auth)."
+-msgstr "gibt den Kerberos-REALM an (für SASL/GSSAPI-Authentifizierung)."
++msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:1963
+@@ -7928,9 +7877,6 @@ msgid ""
+ "rules (which downloads all rules that have USN higher than the highest USN "
+ "of cached rules)."
+ msgstr ""
+-"wie viele Sekunden SSSD warten soll, bevor ein kluges Aktualisieren der Sudo-"
+-"Regeln ausgeführt wird (wodurch alle Regeln, die eine höhere USN als die "
+-"höchste USN der zwischengespeicherten Regeln haben, heruntergeladen werden)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:2616
+@@ -11303,17 +11249,13 @@ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ad.5.xml:435
+-#, fuzzy
+-#| msgid "Default: 5 (seconds)"
+ msgid "Default: False (seconds)"
+-msgstr "Voreinstellung: 5 (Sekunden)"
++msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd-ad.5.xml:441
+-#, fuzzy
+-#| msgid "ad_enable_gc (boolean)"
+ msgid "ad_gpo_ignore_unreadable (boolean)"
+-msgstr "ad_enable_gc (Boolesch)"
++msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ad.5.xml:444
+@@ -13641,27 +13583,17 @@ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd-krb5.5.xml:505
+-#, fuzzy
+-#| msgid "krb5_ccachedir (string)"
+ msgid "krb5_kdcinfo_lookahead (string)"
+-msgstr "krb5_ccachedir (Zeichenkette)"
++msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-krb5.5.xml:508
+-#, fuzzy
+-#| msgid ""
+-#| "See the <citerefentry> <refentrytitle>sssd_krb5_locator_plugin</"
+-#| "refentrytitle> <manvolnum>8</manvolnum> </citerefentry> manual page for "
+-#| "more information on the locator plugin."
+ msgid ""
+ "When krb5_use_kdcinfo is set to true, you can limit the amount of servers "
+ "handed to <citerefentry> <refentrytitle>sssd_krb5_locator_plugin</"
+ "refentrytitle> <manvolnum>8</manvolnum> </citerefentry>.  This might be "
+ "helpful when there are too many servers discovered using SRV record."
+ msgstr ""
+-"Weitere Informationen über die Locator-Erweiterung finden Sie auf der "
+-"Handbuchseite <citerefentry> <refentrytitle>sssd_krb5_locator_plugin</"
+-"refentrytitle> <manvolnum>8</manvolnum> </citerefentry>."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-krb5.5.xml:518
+@@ -13673,27 +13605,17 @@ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-krb5.5.xml:524
+-#, fuzzy
+-#| msgid ""
+-#| "See the <citerefentry> <refentrytitle>sssd_krb5_locator_plugin</"
+-#| "refentrytitle> <manvolnum>8</manvolnum> </citerefentry> manual page for "
+-#| "more information on the locator plugin."
+ msgid ""
+ "For example <emphasis>10:0</emphasis> means that up to 10 primary servers "
+ "will be handed to <citerefentry> <refentrytitle>sssd_krb5_locator_plugin</"
+ "refentrytitle> <manvolnum>8</manvolnum> </citerefentry>.  but no backup "
+ "servers."
+ msgstr ""
+-"Weitere Informationen über die Locator-Erweiterung finden Sie auf der "
+-"Handbuchseite <citerefentry> <refentrytitle>sssd_krb5_locator_plugin</"
+-"refentrytitle> <manvolnum>8</manvolnum> </citerefentry>."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-krb5.5.xml:533
+-#, fuzzy
+-#| msgid "Default: 3"
+ msgid "Default: 3:1"
+-msgstr "Voreinstellung: 3"
++msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd-krb5.5.xml:539
+@@ -15315,12 +15237,6 @@ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+ #: sssd-files.5.xml:59
+-#, fuzzy
+-#| msgid ""
+-#| "Refer to the section <quote>DOMAIN SECTIONS</quote> of the <citerefentry> "
+-#| "<refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</manvolnum> </"
+-#| "citerefentry> manual page for details on the configuration of an SSSD "
+-#| "domain.  <placeholder type=\"variablelist\" id=\"0\"/>"
+ msgid ""
+ "In addition to the options listed below, generic SSSD domain options can be "
+ "set where applicable.  Refer to the section <quote>DOMAIN SECTIONS</quote> "
+@@ -15328,10 +15244,6 @@ msgid ""
+ "manvolnum> </citerefentry> manual page for details on the configuration of "
+ "an SSSD domain.  <placeholder type=\"variablelist\" id=\"0\"/>"
+ msgstr ""
+-"Einzelheiten über die Konfiguration einer SSSD-Domain finden Sie im "
+-"Abschnitt »DOMAIN-ABSCHNITTE« der Handbuchseite <citerefentry> "
+-"<refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</manvolnum> </"
+-"citerefentry>. <placeholder type=\"variablelist\" id=\"0\"/>"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+ #: sssd-files.5.xml:105
+@@ -18168,9 +18080,3 @@ msgstr ""
+ #: include/ipa_modified_defaults.xml:118
+ msgid "ldap_group_external_member = ipaExternalMember"
+ msgstr ""
+-
+-#~ msgid ""
+-#~ "You can turn off dereference lookups completely by setting the value to 0."
+-#~ msgstr ""
+-#~ "Sie können dereferenzierendes Nachschlagen komplett ausschalten, indem "
+-#~ "Sie den Wert auf 0 setzen."
+diff --git a/src/man/po/es.po b/src/man/po/es.po
+index 56469b2de..8389a6efe 100644
+--- a/src/man/po/es.po
++++ b/src/man/po/es.po
+@@ -15,10 +15,10 @@
+ # Emilio Herrera <ehespinosa57@gmail.com>, 2019. #zanata
+ msgid ""
+ msgstr ""
+-"Project-Id-Version: sssd-docs 2.0.99\n"
++"Project-Id-Version: sssd-docs 1.16.4\n"
+ "Report-Msgid-Bugs-To: sssd-devel@redhat.com\n"
+-"POT-Creation-Date: 2019-10-07 11:33+0200\n"
+-"PO-Revision-Date: 2019-03-17 04:48+0000\n"
++"POT-Creation-Date: 2019-11-07 14:51+0100\n"
++"PO-Revision-Date: 2019-09-30 10:20+0000\n"
+ "Last-Translator: Emilio Herrera <ehespinosa57@gmail.com>\n"
+ "Language-Team: Spanish (http://www.transifex.com/projects/p/sssd/language/"
+ "es/)\n"
+@@ -889,15 +889,9 @@ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:482
+-#, fuzzy
+-#| msgid ""
+-#| "(NSS Version) This option must be used together with "
+-#| "ocsp_default_responder_signing_cert."
+ msgid ""
+ "This option must be used together with ocsp_default_responder_signing_cert."
+ msgstr ""
+-"(Versión NSS) Esta opción debe ser usada junto con "
+-"ocsp_default_responder_signing_cert."
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+ #: sssd.conf.5.xml:490
+@@ -906,19 +900,11 @@ msgstr "ocsp_default_responder_signing_cert=NAME"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:492
+-#, fuzzy
+-#| msgid ""
+-#| "(NSS Version) The nickname of the cert to trust (expected) to sign the "
+-#| "OCSP responses.  The certificate with the given nickname must be "
+-#| "available in the systems NSS database."
+ msgid ""
+ "The nickname of the cert to trust (expected) to sign the OCSP responses.  "
+ "The certificate with the given nickname must be available in the systems NSS "
+ "database."
+ msgstr ""
+-"(NSS Version) El apodo del certificado en el que confiar (esperado) para "
+-"firmar las respuestas OCSP.  El certificado con el apodo dado debe estar "
+-"disponible en la base de datos NSS del sistema."
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:497
+@@ -1235,6 +1221,8 @@ msgid ""
+ "This option specifies whether the responder should query all caches before "
+ "querying the Data Providers."
+ msgstr ""
++"Esta opción especifica si el contestador consultará todos los caches antes "
++"de consultar a los Proveedores de Datos."
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><title>
+ #: sssd.conf.5.xml:730
+@@ -1342,7 +1330,7 @@ msgstr "Predeterminado: 15"
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+ #: sssd.conf.5.xml:795
+ msgid "local_negative_timeout (integer)"
+-msgstr ""
++msgstr "local_negative_timeout (integer)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:798
+@@ -1351,11 +1339,14 @@ msgid ""
+ "negative cache before trying to look it up in the back end again. Setting "
+ "the option to 0 disables this feature."
+ msgstr ""
++"Especifica por cuantos segundos nss_sss mantendría a los usuarios y grupos "
++"locales en cache negativo antes de intentar buscarlo en el extremo final "
++"otra vez. Fijando la opción a 0 deshabilita esta característica."
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:804
+ msgid "Default: 14400 (4 hours)"
+-msgstr ""
++msgstr "Por defecto: 14400 (4 horas)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+ #: sssd.conf.5.xml:809
+@@ -1370,6 +1361,11 @@ msgid ""
+ "also be set per-domain or include fully-qualified names to filter only users "
+ "from the particular domain or by a user principal name (UPN)."
+ msgstr ""
++"Excluye a ciertos usuarios o grupos de ser recuperados de la base de datos "
++"sss NSS. Esto es particularmente útil para cuentas del sistema. Esta opción "
++"puede ser también establecida por dominio o incluir nombres completos para "
++"filtrar solo usuarios de un dominio concreto o por el nombre principal de "
++"usuario (UPN)."
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:820
+@@ -1379,6 +1375,10 @@ msgid ""
+ "NSS. E.g. a group having a member group filtered out will still have the "
+ "member users of the latter listed."
+ msgstr ""
++"AVISO: La opción filter_groups no afecta a la herencia de miembros de grupos "
++"anidados, puesto que el filtrado sucede después de que hayan sido propagados "
++"para volver por medio de NSS. E.g. un grupo que tenga un miembro del grupo "
++"filtrado mantendrá los usuarios miembros del listado posterior."
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:828
+@@ -1454,6 +1454,9 @@ msgid ""
+ "shell options if it takes effect and can be set either in the [nss] section "
+ "or per-domain."
+ msgstr ""
++"Anula el shell de acceso para todos los usuarios. Esta opción reemplaza "
++"cualquier otra opción de shell si tinene efecto y puede ser fijada bien en "
++"la sección [nss] o por dominio."
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:880
+@@ -1499,7 +1502,7 @@ msgstr ""
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:906
+ msgid "The wildcard (*) can be used to allow any shell."
+-msgstr ""
++msgstr "Se puede usar el comodín (*) para permitir cualquier shell."
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:909
+@@ -1508,6 +1511,9 @@ msgid ""
+ "shell is not in <quote>/etc/shells</quote> and maintaining list of all "
+ "allowed shells in allowed_shells would be to much overhead."
+ msgstr ""
++"(*) es útil si usted desea usar shell_fallback en caso de que el shell del "
++"usuario no esté en <quote>/etc/shells</quote> y las lista que mantiene todos "
++"los shells permitidos en allowed_shells estuviera llena."
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:916
+@@ -1568,6 +1574,9 @@ msgid ""
+ "The default shell to use if the provider does not return one during lookup. "
+ "This option can be specified globally in the [nss] section or per-domain."
+ msgstr ""
++"El shell por defecto a usar si el proveedor no devuelve uno durante la "
++"búsqueda. Esta opción puede ser especificada globalmente en la sección [nss] "
++"o por dominio."
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:957
+@@ -1604,6 +1613,8 @@ msgid ""
+ "Specifies time in seconds for which records in the in-memory cache will be "
+ "valid. Setting this option to zero will disable the in-memory cache."
+ msgstr ""
++"Especifica el tiempo en segundos por el cual os registros en la memoria "
++"cache serán validos. Fijando esta opción o cero deshabilita la memoria cache."
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:987
+@@ -1611,6 +1622,9 @@ msgid ""
+ "WARNING: Disabling the in-memory cache will have significant negative impact "
+ "on SSSD's performance and should only be used for testing."
+ msgstr ""
++"PRECAUCIÓN: Deshabilitar la memoria cache puede llevar a un impacto negativo "
++"significativo sobre el rendimiento de SSSD y debería ser usado solo para "
++"pruebas."
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:993
+@@ -1618,11 +1632,13 @@ msgid ""
+ "NOTE: If the environment variable SSS_NSS_USE_MEMCACHE is set to \"NO\", "
+ "client applications will not use the fast in-memory cache."
+ msgstr ""
++"AVISO: Si la variable de entorno SSS_NSS_USE_MEMCACHE estça fijada a \"NO\", "
++"las aplicaciones clientes no usaran la memoria cache rápida."
+ 
+ #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+ #: sssd.conf.5.xml:1001 sssd-ifp.5.xml:74
+ msgid "user_attributes (string)"
+-msgstr ""
++msgstr "user_attributes (string)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:1004
+@@ -1634,6 +1650,13 @@ msgid ""
+ "<citerefentry> <refentrytitle>sssd-ifp</refentrytitle> <manvolnum>5</"
+ "manvolnum> </citerefentry> for details) but with no default values."
+ msgstr ""
++"Algunas de las solicitudes de respuestas adicionales NSS pueden devolver mas "
++"atributos que solos los de POXIS definido por el interfaz NSS. La lista de "
++"atributos se controla con esta opción. Se maneja de la misma forma que la "
++"opción <quote>user_attributes</quote> del contestador InfoPipe (see "
++"<citerefentry> <refentrytitle>sssd-ifp</refentrytitle> <manvolnum>5</"
++"manvolnum> </citerefentry> para mas detalles) pero sin valores "
++"predeterminados."
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:1017
+@@ -1641,16 +1664,18 @@ msgid ""
+ "To make configuration more easy the NSS responder will check the InfoPipe "
+ "option if it is not set for the NSS responder."
+ msgstr ""
++"Para hacer mas fácil la configuración el contestador NSS comprobará la "
++"opción InfoPipe si no está fijada para el contestador NSS."
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:1022
+ msgid "Default: not set, fallback to InfoPipe option"
+-msgstr ""
++msgstr "Por defecto: no ajustada, retroceder a opción InfoPipe"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+ #: sssd.conf.5.xml:1027
+ msgid "pwfield (string)"
+-msgstr ""
++msgstr "pwfield (cadena)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:1030
+@@ -1658,6 +1683,8 @@ msgid ""
+ "The value that NSS operations that return users or groups will return for "
+ "the <quote>password</quote> field."
+ msgstr ""
++"El valor que las operaciones NSS que devuelven usuarios o grupos devolverán "
++"para el campo <quote>password</quote>."
+ 
+ #. type: Content of: <varlistentry><listitem><para>
+ #: sssd.conf.5.xml:1035 include/override_homedir.xml:56
+@@ -1670,6 +1697,8 @@ msgid ""
+ "Default: <quote>*</quote> (remote domains)  or <quote>x</quote> (the files "
+ "domain)"
+ msgstr ""
++"Por defecto: <quote>*</quote> (dominios remotos)  o <quote>x</quote> (los "
++"ficheros de dominio)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><title>
+ #: sssd.conf.5.xml:1046
+@@ -1798,7 +1827,7 @@ msgstr "Predeterminado: 1"
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+ #: sssd.conf.5.xml:1131
+ msgid "pam_response_filter (integer)"
+-msgstr ""
++msgstr "pam_response_filter (entero)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:1134
+@@ -1808,6 +1837,10 @@ msgid ""
+ "responses sent to pam_sss e.g. messages displayed to the user or environment "
+ "variables which should be set by pam_sss."
+ msgstr ""
++"Una lista separada por comas de cadenas que permiten borrar (filtrar) datos "
++"enviados por el contestador PAM al modulo PAM pam_sss PAM. Hay diferentes "
++"clases de respuestas enviadas a pam_sss e.g. mensajes mostrados al usuario o "
++"variables de entorno que deberían ser fijadas por pam_sss."
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:1142
+@@ -1815,36 +1848,38 @@ msgid ""
+ "While messages already can be controlled with the help of the pam_verbosity "
+ "option this option allows to filter out other kind of responses as well."
+ msgstr ""
++"Como los mensajes ya pueden ser controlados con la ayuda de la opción "
++"pam_verbosity esta opción permite filtrar otra clase de respuestas también."
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+ #: sssd.conf.5.xml:1149
+ msgid "ENV"
+-msgstr ""
++msgstr "ENV"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:1150
+ msgid "Do not send any environment variables to any service."
+-msgstr ""
++msgstr "No envía ninguna variable de entorno a ningún servicio."
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+ #: sssd.conf.5.xml:1153
+ msgid "ENV:var_name"
+-msgstr ""
++msgstr "ENV:var_name"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:1154
+ msgid "Do not send environment variable var_name to any service."
+-msgstr ""
++msgstr "No envía la variable de entorno var_name a  ningún servicio."
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+ #: sssd.conf.5.xml:1158
+ msgid "ENV:var_name:service"
+-msgstr ""
++msgstr "ENV:var_name:service"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:1159
+ msgid "Do not send environment variable var_name to service."
+-msgstr ""
++msgstr "No envía la variable de entorno var_name al servicio."
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:1147
+@@ -1852,11 +1887,13 @@ msgid ""
+ "Currently the following filters are supported: <placeholder type="
+ "\"variablelist\" id=\"0\"/>"
+ msgstr ""
++"Actualmente se soportan los siguientes filtros: <placeholder type="
++"\"variablelist\" id=\"0\"/>"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:1169
+ msgid "Example: ENV:KRB5CCNAME:sudo-i"
+-msgstr ""
++msgstr "Ejemplo: ENV:KRB5CCNAME:sudo-i"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+ #: sssd.conf.5.xml:1175
+@@ -1937,7 +1974,7 @@ msgstr "Predeterminado: 0"
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+ #: sssd.conf.5.xml:1237
+ msgid "pam_trusted_users (string)"
+-msgstr ""
++msgstr "pam_trusted_users (cadena)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:1240
+@@ -1948,11 +1985,16 @@ msgid ""
+ "<quote>pam_public_domains</quote>.  User names are resolved to UIDs at "
+ "startup."
+ msgstr ""
++"Especifica la lista separada por comas de valores de UID o nombres de "
++"usuarios que tienen permitidas conversaciones PAM contra dominios de "
++"confianza.  Los usuarios no incluidos en esta lista pueden solo acceder a "
++"dominios marcadoscomo públicos con <quote>pam_public_domains</quote>.  Los "
++"nombres de usuarios se resuelven a UIDs en el arranque."
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:1250
+ msgid "Default: All users are considered trusted by default"
+-msgstr ""
++msgstr "Por defecto: Todos los usuarios se consideran de confianza por defecto"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:1254
+@@ -1960,11 +2002,13 @@ msgid ""
+ "Please note that UID 0 is always allowed to access the PAM responder even in "
+ "case it is not in the pam_trusted_users list."
+ msgstr ""
++"Por favor advierta que la UID 0 siempre permite el acceso al contestador PAM "
++"aunque no está en la la lista pam_trusted_users."
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+ #: sssd.conf.5.xml:1261
+ msgid "pam_public_domains (string)"
+-msgstr ""
++msgstr "pam_public_domains (cadena)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:1264
+@@ -1972,17 +2016,22 @@ msgid ""
+ "Specifies the comma-separated list of domain names that are accessible even "
+ "to untrusted users."
+ msgstr ""
++"Especifica la lista separada por comas de nombres de dominios que son "
++"accesibles hasta para los usuarios en los que no se confíe."
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:1268
+ msgid "Two special values for pam_public_domains option are defined:"
+ msgstr ""
++"Hay definidos dos valores especiales para la opción pam_public_domains:"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:1272
+ msgid ""
+ "all (Untrusted users are allowed to access all domains in PAM responder.)"
+ msgstr ""
++"all (Los usuarios de no confianza están permitidos para acceder a todos los "
++"dominios en el contestador PAM.)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:1276
+@@ -1990,6 +2039,8 @@ msgid ""
+ "none (Untrusted users are not allowed to access any domains PAM in "
+ "responder.)"
+ msgstr ""
++"none (Los usuarios de no confianza no tienen permitido acceder a los "
++"dominios PAM en el contestador.)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:1280 sssd.conf.5.xml:1305 sssd.conf.5.xml:1324
+@@ -2000,7 +2051,7 @@ msgstr "Predeterminado: none"
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+ #: sssd.conf.5.xml:1285
+ msgid "pam_account_expired_message (string)"
+-msgstr ""
++msgstr "pam_account_expired_message (cadena)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:1288
+@@ -2008,6 +2059,8 @@ msgid ""
+ "Allows a custom expiration message to be set, replacing the default "
+ "'Permission denied' message."
+ msgstr ""
++"Permite configurar un mensaje de expiración personalizado, reemplazando el "
++"mensaje predeterminado 'Permiso denegado'."
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:1293
+@@ -2015,6 +2068,9 @@ msgid ""
+ "Note: Please be aware that message is only printed for the SSH service "
+ "unless pam_verbosity is set to 3 (show all messages and debug information)."
+ msgstr ""
++"Nota: Por favor tenga cuidado que este mensaje solo se imprime por el "
++"servicio SSH a no ser que pam_verbosity esté fijado a 3 (mostrar todos los "
++"mensajes e información de depuración)."
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><programlisting>
+ #: sssd.conf.5.xml:1301
+@@ -2023,11 +2079,13 @@ msgid ""
+ "pam_account_expired_message = Account expired, please contact help desk.\n"
+ "                            "
+ msgstr ""
++"pam_account_expired_message = Cuenta expirada, por favor contacte con la mesa de ayuda.\n"
++"                            "
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+ #: sssd.conf.5.xml:1310
+ msgid "pam_account_locked_message (string)"
+-msgstr ""
++msgstr "pam_account_locked_message (cadena)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:1313
+@@ -2035,6 +2093,8 @@ msgid ""
+ "Allows a custom lockout message to be set, replacing the default 'Permission "
+ "denied' message."
+ msgstr ""
++"Permite fijar un mensaje de bloqueo personalizado, reemplazando el mensaje "
++"por defecto 'Permiso denegado'."
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><programlisting>
+ #: sssd.conf.5.xml:1320
+@@ -2043,11 +2103,13 @@ msgid ""
+ "pam_account_locked_message = Account locked, please contact help desk.\n"
+ "                            "
+ msgstr ""
++"pam_account_locked_message = Cuenta bloqueada, por favor contacte con la mesa de ayuda.\n"
++"                            "
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+ #: sssd.conf.5.xml:1329
+ msgid "pam_cert_auth (bool)"
+-msgstr ""
++msgstr "pam_cert_auth (booleano)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:1332
+@@ -2056,6 +2118,9 @@ msgid ""
+ "additional communication with the Smartcard which will delay the "
+ "authentication process this option is disabled by default."
+ msgstr ""
++"Habilita un certificado en base a la autenticación Smartcard.  Como esto "
++"requiere comunicación adicional con la Smartcard lo que dilatará el proceso "
++"de autenticación esta opción está deshabilitada por defecto."
+ 
+ #. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:1338 sssd-ldap.5.xml:1125 sssd-ldap.5.xml:1152
+@@ -2067,7 +2132,7 @@ msgstr "Por defecto: False"
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+ #: sssd.conf.5.xml:1343
+ msgid "pam_cert_db_path (string)"
+-msgstr ""
++msgstr "pam_cert_db_path (cadena)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:1346
+@@ -2075,16 +2140,18 @@ msgid ""
+ "The path to the certificate database which contain the PKCS#11 modules to "
+ "access the Smartcard."
+ msgstr ""
++"La ruta a la base de datos de certificado que contiene los módulos PKCS#11 "
++"para acceder a la Smartcard."
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:1350 sssd.conf.5.xml:1609
+ msgid "Default:"
+-msgstr ""
++msgstr "Predeterminado:"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+ #: sssd.conf.5.xml:1352 sssd.conf.5.xml:1611
+ msgid "/etc/pki/nssdb (NSS version, path to a NSS database)"
+-msgstr ""
++msgstr "/etc/pki/nssdb (versión NSS, ruta a la base de datos NSS)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+ #: sssd.conf.5.xml:1355 sssd.conf.5.xml:1614
+@@ -2092,6 +2159,8 @@ msgid ""
+ "/etc/sssd/pki/sssd_auth_ca_db.pem (OpenSSL version, path to a file with "
+ "trusted CA certificates in PEM format)"
+ msgstr ""
++"/etc/sssd/pki/sssd_auth_ca_db.pem (Versión de OpenSSL, ruta a un fichero con "
++"certificados CA de confianza en formato PEM)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:1362 sssd.conf.5.xml:1621
+@@ -2106,17 +2175,17 @@ msgstr "Esta página de manual fue generada para la versión OPENSSL."
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+ #: sssd.conf.5.xml:1370
+ msgid "p11_child_timeout (integer)"
+-msgstr ""
++msgstr "p11_child_timeout (entero)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:1373
+ msgid "How many seconds will pam_sss wait for p11_child to finish."
+-msgstr ""
++msgstr "Cuantos segundos esperará pam_sss wait para que p11_child finalice."
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+ #: sssd.conf.5.xml:1382
+ msgid "pam_app_services (string)"
+-msgstr ""
++msgstr "pam_app_services (cadena)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:1385
+@@ -2124,11 +2193,13 @@ msgid ""
+ "Which PAM services are permitted to contact domains of type "
+ "<quote>application</quote>"
+ msgstr ""
++"Cuales son los servicios PAM que tiene permitido contactar con dominios del "
++"tipo <quote>application</quote>"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+ #: sssd.conf.5.xml:1394
+ msgid "pam_p11_allowed_services (integer)"
+-msgstr ""
++msgstr "pam_p11_allowed_services (entero)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:1397
+@@ -2136,6 +2207,8 @@ msgid ""
+ "A comma-separated list of PAM service names for which it will be allowed to "
+ "use Smartcards."
+ msgstr ""
++"Una lista separada por comas de nombres de servicios PAM a los que les será "
++"permitidos usar Smartcards."
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><programlisting>
+ #: sssd.conf.5.xml:1412
+@@ -2144,6 +2217,8 @@ msgid ""
+ "pam_p11_allowed_services = +my_pam_service, -login\n"
+ "                            "
+ msgstr ""
++"pam_p11_allowed_services = +my_pam_service, -login\n"
++"                            "
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:1401
+@@ -2156,57 +2231,67 @@ msgid ""
+ "<quote>my_pam_service</quote>), you would use the following configuration: "
+ "<placeholder type=\"programlisting\" id=\"0\"/>"
+ msgstr ""
++"Es posible añadir otro nombre de servicio PAM al conjunto predeterminado "
++"usando <quote>+service_name</quote> o quitar explícitamente nombre de "
++"servicio PAM de los predeterminados usando <quote>-service_name</quote>. Por "
++"ejemplo, con el objetivo de reemplazar un nombre de servicio PAM por "
++"autenticación con Smartcards (e.g. <quote>login</quote>) con un nombre de "
++"servicio PAM personalizado (e.g. <quote>my_pam_service</quote>), debería "
++"usar la siguiente configuración: <placeholder type=\"programlisting\" id="
++"\"0\"/>"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:1416 sssd-ad.5.xml:504 sssd-ad.5.xml:600 sssd-ad.5.xml:646
+ #: sssd-ad.5.xml:692 sssd-ad.5.xml:758
+ msgid "Default: the default set of PAM service names includes:"
+ msgstr ""
++"Predeterminado: el conjunto predeterminado de nombres de servicio PAM "
++"incluye:"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+ #: sssd.conf.5.xml:1421 sssd-ad.5.xml:508
+ msgid "login"
+-msgstr ""
++msgstr "login"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+ #: sssd.conf.5.xml:1426 sssd-ad.5.xml:513
+ msgid "su"
+-msgstr ""
++msgstr "su"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+ #: sssd.conf.5.xml:1431 sssd-ad.5.xml:518
+ msgid "su-l"
+-msgstr ""
++msgstr "su-l"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+ #: sssd.conf.5.xml:1436 sssd-ad.5.xml:533
+ msgid "gdm-smartcard"
+-msgstr ""
++msgstr "gdm-smartcard"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+ #: sssd.conf.5.xml:1441 sssd-ad.5.xml:528
+ msgid "gdm-password"
+-msgstr ""
++msgstr "gdm-password"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+ #: sssd.conf.5.xml:1446 sssd-ad.5.xml:538
+ msgid "kdm"
+-msgstr ""
++msgstr "kdm"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+ #: sssd.conf.5.xml:1451 sssd-ad.5.xml:767
+ msgid "sudo"
+-msgstr ""
++msgstr "sudo"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+ #: sssd.conf.5.xml:1456 sssd-ad.5.xml:772
+ msgid "sudo-i"
+-msgstr ""
++msgstr "sudo-i"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+ #: sssd.conf.5.xml:1461
+ msgid "gnome-screensaver"
+-msgstr ""
++msgstr "gnome-screensaver"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><title>
+ #: sssd.conf.5.xml:1472
+@@ -2223,6 +2308,13 @@ msgid ""
+ "</citerefentry> are in the manual page <citerefentry> <refentrytitle>sssd-"
+ "sudo</refentrytitle> <manvolnum>5</manvolnum> </citerefentry>."
+ msgstr ""
++"Se pueden usar estas opciones para configurar el servicio sudo.  Las "
++"instrucciones detalladas para la configuración de <citerefentry> "
++"<refentrytitle>sudo</refentrytitle> <manvolnum>8</manvolnum> </citerefentry> "
++"para trabajar con <citerefentry> <refentrytitle>sssd</refentrytitle> "
++"<manvolnum>8</manvolnum> </citerefentry> están en la página de manual "
++"<citerefentry> <refentrytitle>sssd-sudo</refentrytitle> <manvolnum>5</"
++"manvolnum> </citerefentry>."
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+ #: sssd.conf.5.xml:1491
+@@ -2241,7 +2333,7 @@ msgstr ""
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+ #: sssd.conf.5.xml:1506
+ msgid "sudo_threshold (integer)"
+-msgstr ""
++msgstr "sudo_threshold (entero)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:1509
+@@ -2252,6 +2344,12 @@ msgid ""
+ "<quote>full refresh</quote> of sudo rules is triggered instead. This "
+ "threshold number also applies to IPA sudo command and command group searches."
+ msgstr ""
++"Número máxio de reflas expiradas que pueden ser refrescadas a la vez. Si el "
++"número de reglas expiradas está por debajo del umbral son refrescadas con el "
++"mecanismo <quote>refrescar reglas</quote> mechanism. SI se supera el umbral "
++"un <quote>refresco total</quote> de reglas sudo se dispara en su lugar. Este "
++"umbral también se aplica al comando IPA sudo y a las búsquedas de grupo de "
++"comando."
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><title>
+ #: sssd.conf.5.xml:1528
+@@ -2325,7 +2423,7 @@ msgstr "Por defecto: 180"
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+ #: sssd.conf.5.xml:1583
+ msgid "ssh_use_certificate_keys (bool)"
+-msgstr ""
++msgstr "ssh_use_certificate_keys (booleano)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:1586
+@@ -2335,11 +2433,16 @@ msgid ""
+ "entry as well. See <citerefentry> <refentrytitle>sss_ssh_authorizedkeys</"
+ "refentrytitle> <manvolnum>1</manvolnum> </citerefentry> for details."
+ msgstr ""
++"Si se ajusta a true <command>sss_ssh_authorizedkeys</command> devolverá "
++"claves ssh derivadas de la clave pública de los certificados X.509 "
++"almacenados en la entrada de usuario también. Vea detalles en <citerefentry> "
++"<refentrytitle>sss_ssh_authorizedkeys</refentrytitle> <manvolnum>1</"
++"manvolnum> </citerefentry> for details."
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+ #: sssd.conf.5.xml:1601
+ msgid "ca_db (string)"
+-msgstr ""
++msgstr "ca_db (cadena)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:1604
+@@ -2347,6 +2450,9 @@ msgid ""
+ "Path to a storage of trusted CA certificates. The option is used to validate "
+ "user certificates before deriving public ssh keys from them."
+ msgstr ""
++"Ruta al almacenamiento de certificados CA de confianza. Esta opción se usa "
++"para validar los certificados de usuario antes de derivar las claves "
++"públicas ssh de ellos."
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><title>
+ #: sssd.conf.5.xml:1632
+@@ -2363,6 +2469,13 @@ msgid ""
+ "joined to and of remote trusted domains from the local domain controller. If "
+ "the PAC is decoded and evaluated some of the following operations are done:"
+ msgstr ""
++"El contestador PAC trabaja junto con el plugin de autorización de datos para "
++"MIT Kerberos sssd_pac_plugin.so y un proveedor de sub dominios. El plugin "
++"envía los datos PAC durante la autenticación GSSAPI al contestador PAC. El "
++"proveedor de sub dominio recoge el SID de dominio y los rangos de ID del "
++"dominio al que el cliente se ha unido y de los dominios remotos de confianza "
++"desde el controlador local de dominio. Si el PAC es decodificado y evaluado "
++"se hacen algunas de las siguientes operaciones:"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para>
+ #: sssd.conf.5.xml:1643
+@@ -2374,6 +2487,11 @@ msgid ""
+ "the system defaults are used, but can be overwritten with the default_shell "
+ "parameter."
+ msgstr ""
++"Si el usuario remoto no existe en la cache, se crea. Se determina la UID con "
++"la ayuda del SID, los dominios de confianza tendrán UPGs y el GID tendrá el "
++"mismo valor que la UID. El directorio home se ajusta en base al parámetro "
++"subdomain_homedir. La shell estará vacía por defecto, i.e. se usa el sistema "
++"predeterminado, pero se puede sustituir con el parámetro default_shell."
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para>
+ #: sssd.conf.5.xml:1651
+@@ -2381,6 +2499,8 @@ msgid ""
+ "If there are SIDs of groups from domains sssd knows about, the user will be "
+ "added to those groups."
+ msgstr ""
++"Si se conocen los SIDs de los grupos de los dominios, se añadirá el usuario "
++"a esos grupos."
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para>
+ #: sssd.conf.5.xml:1657
+@@ -2425,7 +2545,7 @@ msgstr ""
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+ #: sssd.conf.5.xml:1683
+ msgid "pac_lifetime (integer)"
+-msgstr ""
++msgstr "pac_lifetime (entero)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:1686
+@@ -2433,11 +2553,14 @@ msgid ""
+ "Lifetime of the PAC entry in seconds. As long as the PAC is valid the PAC "
+ "data can be used to determine the group memberships of a user."
+ msgstr ""
++"Tiempo de vida de la entrada PAC en segundos. Tanto como la PAC es válida "
++"los datos PAC pueden ser usados para determinar la membresia de grupo de un "
++"usuario."
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><title>
+ #: sssd.conf.5.xml:1699
+ msgid "Session recording configuration options"
+-msgstr ""
++msgstr "Opciones de configuración de la grabación de sesión"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para>
+ #: sssd.conf.5.xml:1701
+@@ -2448,31 +2571,37 @@ msgid ""
+ "they log in on a text terminal.  See also <citerefentry> <refentrytitle>sssd-"
+ "session-recording</refentrytitle> <manvolnum>5</manvolnum> </citerefentry>."
+ msgstr ""
++"Trabajos de grabación de sesión en conjunto con <citerefentry> "
++"<refentrytitle>tlog-rec-session</refentrytitle> <manvolnum>8</manvolnum> </"
++"citerefentry>, una parte del paquete tlog, para registrar lo que los "
++"usuarios ven y el tipo cuando ellos lo registran en un terminal de texto.  "
++"Vea también <citerefentry> <refentrytitle>sssd-session-recording</"
++"refentrytitle> <manvolnum>5</manvolnum> </citerefentry>."
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para>
+ #: sssd.conf.5.xml:1714
+ msgid "These options can be used to configure session recording."
+-msgstr ""
++msgstr "Se pueden usar estas opciones para configurar la grabación de sesión."
+ 
+ #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+ #: sssd.conf.5.xml:1718 sssd-session-recording.5.xml:64
+ msgid "scope (string)"
+-msgstr ""
++msgstr "scope (cadena)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+ #: sssd.conf.5.xml:1725 sssd-session-recording.5.xml:71
+ msgid "\"none\""
+-msgstr ""
++msgstr "\"none\""
+ 
+ #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:1728 sssd-session-recording.5.xml:74
+ msgid "No users are recorded."
+-msgstr ""
++msgstr "NO se grabaron usuarios."
+ 
+ #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+ #: sssd.conf.5.xml:1733 sssd-session-recording.5.xml:79
+ msgid "\"some\""
+-msgstr ""
++msgstr "\"some\""
+ 
+ #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:1736 sssd-session-recording.5.xml:82
+@@ -2480,16 +2609,18 @@ msgid ""
+ "Users/groups specified by <replaceable>users</replaceable> and "
+ "<replaceable>groups</replaceable> options are recorded."
+ msgstr ""
++"Usuarios/grupos especificados por las opciones <replaceable>users</"
++"replaceable> y<replaceable>groups</replaceable> son grabados."
+ 
+ #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+ #: sssd.conf.5.xml:1745 sssd-session-recording.5.xml:91
+ msgid "\"all\""
+-msgstr ""
++msgstr "\"all\""
+ 
+ #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:1748 sssd-session-recording.5.xml:94
+ msgid "All users are recorded."
+-msgstr ""
++msgstr "Se graban todos los usuarios."
+ 
+ #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:1721 sssd-session-recording.5.xml:67
+@@ -2497,16 +2628,18 @@ msgid ""
+ "One of the following strings specifying the scope of session recording: "
+ "<placeholder type=\"variablelist\" id=\"0\"/>"
+ msgstr ""
++"Una de las siguientes cadena especifica el alcande de la sesión de "
++"grabación: <placeholder type=\"variablelist\" id=\"0\"/>"
+ 
+ #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:1755 sssd-session-recording.5.xml:101
+ msgid "Default: \"none\""
+-msgstr ""
++msgstr "Predeterminado: \"none\""
+ 
+ #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+ #: sssd.conf.5.xml:1760 sssd-session-recording.5.xml:106
+ msgid "users (string)"
+-msgstr ""
++msgstr "users (cadena)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:1763 sssd-session-recording.5.xml:109
+@@ -2515,16 +2648,20 @@ msgid ""
+ "Matches user names as returned by NSS. I.e. after the possible space "
+ "replacement, case changes, etc."
+ msgstr ""
++"Una lista separada por comas de usuarios que deberían tener la grabación de "
++"sesión habilitada. Coincide con los nombres de usuario que son devueltos por "
++"NSS. I.e. después de las posibles sustituciones de espacios, cambios de "
++"mayúsculas/minúsculas, etc."
+ 
+ #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:1769 sssd-session-recording.5.xml:115
+ msgid "Default: Empty. Matches no users."
+-msgstr ""
++msgstr "Predeterminado: Vacío. No hay usuarios coincidentes."
+ 
+ #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+ #: sssd.conf.5.xml:1774 sssd-session-recording.5.xml:120
+ msgid "groups (string)"
+-msgstr ""
++msgstr "groups (cadena)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:1777 sssd-session-recording.5.xml:123
+@@ -2533,6 +2670,10 @@ msgid ""
+ "recording enabled. Matches group names as returned by NSS. I.e. after the "
+ "possible space replacement, case changes, etc."
+ msgstr ""
++"Una lista separada por comas de grupos, cuyos miembros tendrían habilitado "
++"la grabación de sesión. Coincide con los nombres de grupo devueltos por NSS. "
++"I.e. después de los posibles cambios de espacio, cambios de mayúsculas/"
++"minúsculas, etc."
+ 
+ #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:1783 sssd-session-recording.5.xml:129
+@@ -2541,11 +2682,15 @@ msgid ""
+ "performance cost, because each uncached request for a user requires "
+ "retrieving and matching the groups the user is member of."
+ msgstr ""
++"AVISO: el uso de esta opción (teniéndolo ajustado a cualquiera) tiene un "
++"costo considerable de rendimiento, puesto que cada petición sin caché para "
++"un usuario requiere a recuperación y el emparejado de los grupos a los que "
++"pertenece el usuario."
+ 
+ #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:1790 sssd-session-recording.5.xml:136
+ msgid "Default: Empty. Matches no groups."
+-msgstr ""
++msgstr "Predeterminado: Vacío. No empareja grupos."
+ 
+ #. type: Content of: <reference><refentry><refsect1><title>
+ #: sssd.conf.5.xml:1800
+@@ -2555,7 +2700,7 @@ msgstr "SECCIONES DE DOMINIO"
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd.conf.5.xml:1807
+ msgid "domain_type (string)"
+-msgstr ""
++msgstr "domain_type (cadena)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:1810
+@@ -2565,6 +2710,10 @@ msgid ""
+ "be present or generated. Only objects from POSIX domains are available to "
+ "the operating system interfaces and utilities."
+ msgstr ""
++"Especifica si el dominio está destinado a ser usado por clientes atentos a "
++"POSIX como Name Service Switch o por aplicaciones que no necesitan datos "
++"POSIX presentes o generados. Solo los objetos de dominios POSIX están "
++"disponibles para las interfaces y utilidades de sistema operativo."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:1818
+@@ -2572,6 +2721,8 @@ msgid ""
+ "Allowed values for this option are <quote>posix</quote> and "
+ "<quote>application</quote>."
+ msgstr ""
++"Los valores permitidos para esta opción son <quote>posix</quote> y "
++"<quote>application</quote>."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:1822
+@@ -2581,6 +2732,10 @@ msgid ""
+ "<refentrytitle>sssd-ifp</refentrytitle> <manvolnum>5</manvolnum> </"
+ "citerefentry>) and the PAM responder."
+ msgstr ""
++"Los dominios POSIX son alcanzables por todos los servicios. Los dominios "
++"aplicación son solo alcanzables desde el contestador InfoPipe (vea "
++"<citerefentry> <refentrytitle>sssd-ifp</refentrytitle> <manvolnum>5</"
++"manvolnum> </citerefentry>) y el contestador PAM."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:1830
+@@ -2588,6 +2743,8 @@ msgid ""
+ "NOTE: The application domains are currently well tested with "
+ "<quote>id_provider=ldap</quote> only."
+ msgstr ""
++"AVISO: LOs dominios aplicación actualmente están bien probados solamente con "
++"<quote>id_provider=ldap</quote>."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:1834
+@@ -2595,11 +2752,13 @@ msgid ""
+ "For an easy way to configure a non-POSIX domains, please see the "
+ "<quote>Application domains</quote> section."
+ msgstr ""
++"Para una manera fácil de configurar dominios no POSIX, vea la sección "
++"<quote>Dominios aplicación</quote>."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:1838
+ msgid "Default: posix"
+-msgstr ""
++msgstr "Predeterminado: posix"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd.conf.5.xml:1844
+@@ -2634,6 +2793,8 @@ msgid ""
+ "These ID limits affect even saving entries to cache, not only returning them "
+ "by name or ID."
+ msgstr ""
++"Estos límites de ID afectan aunque se guarden entrada en la caché, no solo "
++"devolviéndolas por nombre o ID."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:1863
+@@ -2653,6 +2814,10 @@ msgid ""
+ "enable enumeration in order for secondary groups to be displayed. This "
+ "parameter can have one of the following values:"
+ msgstr ""
++"Determina si un dominio puede ser enumerado, esto es, si el dominio puede "
++"listar tods los usuarios y grupos que contiene. Advierta que no requiere "
++"habilitar la enumeración con el objetivo de visualizar grupos secundarios. "
++"Este parámetros puede tener uno de los siguientes valores:"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:1880
+@@ -2675,6 +2840,8 @@ msgid ""
+ "Enumerating a domain requires SSSD to download and store ALL user and group "
+ "entries from the remote server."
+ msgstr ""
++"Enumerar un dominio requiere que SSSD descargue y almacene TODAS las "
++"entradas de usuario y grupo del servidor remoto."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:1894
+@@ -2689,6 +2856,16 @@ msgid ""
+ "quote> process becoming unresponsive or even restarted by the internal "
+ "watchdog."
+ msgstr ""
++"Aviso: Habilitar la enumeración tiene un impacto moderado en el rendimiento "
++"sobre SSSD mientras está corriendo la enumeración. Puede llevar varios "
++"minutos después de que SSSD inicie una enumeración completa total.  Durante "
++"este tiempo, las peticiones individuales de información irán directamente a "
++"LDAP, piense que puede ser lento, debido al pesado procesamiento de la "
++"enumeración. El guardar gran número de entradas en la caché después de una "
++"enumeración completa puede ser también intensiva para la CPU puesto que la "
++"membresía debe ser vuelta a computar. Esto puede llevar a que el proceso "
++"<quote>sssd_be</quote> no responda o que sea reiniciado por el perro "
++"guardián interno."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:1909
+@@ -2726,27 +2903,27 @@ msgstr ""
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd.conf.5.xml:1930
+ msgid "subdomain_enumerate (string)"
+-msgstr ""
++msgstr "subdomain_enumerate (cadena)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+ #: sssd.conf.5.xml:1937
+ msgid "all"
+-msgstr ""
++msgstr "all"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:1938
+ msgid "All discovered trusted domains will be enumerated"
+-msgstr ""
++msgstr "Se enumerarán todos los dominios de confianza descubiertos"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+ #: sssd.conf.5.xml:1941
+ msgid "none"
+-msgstr ""
++msgstr "none"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:1942
+ msgid "No discovered trusted domains will be enumerated"
+-msgstr ""
++msgstr "No serán enumerados dominios de confianza descubiertos"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:1933
+@@ -2756,6 +2933,10 @@ msgid ""
+ "Optionally, a list of one or more domain names can enable enumeration just "
+ "for these trusted domains."
+ msgstr ""
++"Si se debe enumerar alguno de los dominios de confianza autodetectados. Los "
++"valores soportados son: <placeholder type=\"variablelist\" id=\"0\"/> "
++"Opcionalmente, una lista de uno o más nombres de dominio puede habilitar la "
++"enumeración solo para estos dominios de confianza."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd.conf.5.xml:1956
+@@ -2781,6 +2962,13 @@ msgid ""
+ "citerefentry> tool in order to force refresh of entries that have already "
+ "been cached."
+ msgstr ""
++"Los sellos de tiempo de expiración de caché son almacenados somo atributos "
++"de los objetos individuales en caché. Por lo tanto, el cambio del tiempo de "
++"expiración de la caché solo tendrá efecto para las entradas más nuevas o "
++"expiradas.  Debería ejecutar la herramienta <citerefentry> "
++"<refentrytitle>sss_cache</refentrytitle> <manvolnum>8</manvolnum> </"
++"citerefentry> con el objetivo de forzar el refresco de las entradas que ya "
++"están en la caché."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:1976
+@@ -2881,7 +3069,7 @@ msgstr ""
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd.conf.5.xml:2061
+ msgid "entry_cache_ssh_host_timeout (integer)"
+-msgstr ""
++msgstr "entry_cache_ssh_host_timeout (entero)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:2064
+@@ -2889,11 +3077,13 @@ msgid ""
+ "How many seconds to keep a host ssh key after refresh. IE how long to cache "
+ "the host key for."
+ msgstr ""
++"Cuantos segundos mantener una clave ssh de host después de refrescar. IE "
++"cuanto guardar en caché la clave de host."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd.conf.5.xml:2075
+ msgid "refresh_expired_interval (integer)"
+-msgstr ""
++msgstr "refresh_expired_interval (entero)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:2078
+@@ -2901,6 +3091,9 @@ msgid ""
+ "Specifies how many seconds SSSD has to wait before triggering a background "
+ "refresh task which will refresh all expired or nearly expired records."
+ msgstr ""
++"Especifica cuantos segundos tiene que esperar SSSD antes de disparar una "
++"tarea de refresco en segundo plano que refrescará todos los registros "
++"expirados o a punto de hacerlo."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:2083
+@@ -2919,12 +3112,12 @@ msgstr ""
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:2095
+ msgid "You can consider setting this value to 3/4 * entry_cache_timeout."
+-msgstr ""
++msgstr "Usted puede considerar ajustar este valor a 3/4 * entry_cache_timeout."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:2099 sssd-ldap.5.xml:784 sssd-ipa.5.xml:254
+ msgid "Default: 0 (disabled)"
+-msgstr ""
++msgstr "Predeterminado: 0 (deshabilitado)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd.conf.5.xml:2105
+@@ -2948,7 +3141,7 @@ msgstr ""
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd.conf.5.xml:2122
+ msgid "cache_credentials_minimal_first_factor_length (int)"
+-msgstr ""
++msgstr "cache_credentials_minimal_first_factor_length (entero)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:2125
+@@ -2957,6 +3150,10 @@ msgid ""
+ "this value determines the minimal length the first authentication factor "
+ "(long term password) must have to be saved as SHA512 hash into the cache."
+ msgstr ""
++"Si se usa 2-Factor-Authentication (2FA) y las credenciales deberían ser "
++"guardadas este valor determina la longitud mínima del primer factor de "
++"autenticación (contraseña de largo plazo) que debe ser guardado como hash "
++"SHA512 en el caché."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:2132
+@@ -2964,11 +3161,14 @@ msgid ""
+ "This should avoid that the short PINs of a PIN based 2FA scheme are saved in "
+ "the cache which would make them easy targets for brute-force attacks."
+ msgstr ""
++"Esto evitaría que los PINs cortos de un esquema de PIN basado en 2FA se "
++"guarden en caché lo que les haría objetivos fáciles de ataques de fuerza "
++"bruta."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:2137
+ msgid "Default: 8"
+-msgstr ""
++msgstr "Predeterminado: 8"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd.conf.5.xml:2143
+@@ -3032,13 +3232,15 @@ msgstr ""
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:2189
+ msgid "<quote>proxy</quote>: Support a legacy NSS provider."
+-msgstr ""
++msgstr "<quote>proxy</quote>: Soporta un proveedor NSS heredado."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:2192
+ msgid ""
+ "<quote>local</quote>: SSSD internal provider for local users (DEPRECATED)."
+ msgstr ""
++"<quote>local</quote>: Proveedor SSSD interno para usuarios locales "
++"(OBSOLETO)."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:2196
+@@ -3047,6 +3249,10 @@ msgid ""
+ "files</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> for more "
+ "information on how to mirror local users and groups into SSSD."
+ msgstr ""
++"<quote>files</quote>: Proveedor de FICHEROS. Vea <citerefentry> "
++"<refentrytitle>sssd-files</refentrytitle> <manvolnum>5</manvolnum> </"
++"citerefentry> para más información sobre como hacer espejo de usuarios y "
++"grupos locales en SSSD."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:2204
+@@ -3122,11 +3328,15 @@ msgid ""
+ "include nested netgroups without qualified names. For netgroups, all domains "
+ "will be searched when an unqualified name is requested."
+ msgstr ""
++"AVISO: Esta opción no tiene efecto sobre búsquedas de grupo de red debido a "
++"su tendencia a incluir grupos de red anidados sin nombres cualificados. Para "
++"grupos de red, se buscará en todos los dominios cuando se pida un no no "
++"cualificado."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:2255
+ msgid "Default: FALSE (TRUE if default_domain_suffix is used)"
+-msgstr ""
++msgstr "Predeterminado: FALSE (TRUE si se usa default_domain_suffix)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd.conf.5.xml:2261
+@@ -3149,6 +3359,13 @@ msgid ""
+ "citerefentry>.  As an effect, <quote>getent group $groupname</quote> would "
+ "return the requested group as if it was empty."
+ msgstr ""
++"Si se fija a TRUE, no se pide el atributo de membresía de grupo al servidor "
++"ldap y los miembros no son devueltos cuando se procesan llamadas de "
++"búsqueda, como <citerefentry> <refentrytitle>getgrnam</refentrytitle> "
++"<manvolnum>3</manvolnum> </citerefentry> o <citerefentry> "
++"<refentrytitle>getgrgid</refentrytitle> <manvolnum>3</manvolnum> </"
++"citerefentry>.  Como efecto, <quote>getent group $groupname</quote> debería "
++"devolver el grupo pedido como si estuviera vacío."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:2285
+@@ -3157,6 +3374,9 @@ msgid ""
+ "membership significantly faster, especially for groups containing many "
+ "members."
+ msgstr ""
++"Habilitar esta opción puede también hacer acceso a las comprobaciones de "
++"proveedor ara membresía de grupo significativamente más rápidas, "
++"especialmente para grupos que contienen muchos miembros."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd.conf.5.xml:2296
+@@ -3271,11 +3491,16 @@ msgid ""
+ "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum></"
+ "citerefentry> for more information on configuring Kerberos."
+ msgstr ""
++"<quote>krb5</quote>: .k5login basado en control de acceso.  Vea "
++"<citerefentry> <refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</"
++"manvolnum></citerefentry> para más información sobre la configuración de "
++"Kerberos."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:2403
+ msgid "<quote>proxy</quote> for relaying access control to another PAM module."
+ msgstr ""
++"<quote>proxy</quote> para transmitir control de acceso a otro módulo PAM."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:2406
+@@ -3303,6 +3528,10 @@ msgid ""
+ "<citerefentry> <refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</"
+ "manvolnum> </citerefentry> for more information on configuring LDAP."
+ msgstr ""
++"<quote>ldap</quote> para cambiar una contraseña almacenada en un servidor "
++"LDAP. Vea <citerefentry> <refentrytitle>sssd-ldap</refentrytitle> "
++"<manvolnum>5</manvolnum> </citerefentry> para más información sobre la "
++"configuración de LDAP."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:2427
+@@ -3366,6 +3595,8 @@ msgid ""
+ "<quote>ipa</quote> the same as <quote>ldap</quote> but with IPA default "
+ "settings."
+ msgstr ""
++"<quote>ipa</quote> lo mismo que <quote>ldap</quote> pero con ajustes "
++"predeterminados IPA."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:2485
+@@ -3373,6 +3604,8 @@ msgid ""
+ "<quote>ad</quote> the same as <quote>ldap</quote> but with AD default "
+ "settings."
+ msgstr ""
++"<quote>ad</quote> lo mismo que <quote>ldap</quote> pero con ajustes "
++"predeterminados AD."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:2489
+@@ -3396,6 +3629,12 @@ msgid ""
+ "\"ldap_sudo_*\" in <citerefentry> <refentrytitle>sssd-ldap</refentrytitle> "
+ "<manvolnum>5</manvolnum> </citerefentry>."
+ msgstr ""
++"Las instrucciones detalladas para la configuración de sudo_provider están el "
++"la página de manual <citerefentry> <refentrytitle>sssd-sudo</refentrytitle> "
++"<manvolnum>5</manvolnum> </citerefentry>.  Hay muchas opciones de "
++"configuración que se puden usar para ajustar el comportamiento. Vea por "
++"favor \"ldap_sudo_*\" en <citerefentry> <refentrytitle>sssd-ldap</"
++"refentrytitle> <manvolnum>5</manvolnum> </citerefentry>."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:2511
+@@ -3405,6 +3644,11 @@ msgid ""
+ "<emphasis>sudo_provider = None</emphasis> to disable all sudo-related "
+ "activity in SSSD if you do not want to use sudo with SSSD at all."
+ msgstr ""
++"<emphasis>AVISO:</emphasis> Las reglas sudo son periódicamente descargadas "
++"en segundo plano a no ser que proveedor sudo esté explícitamente "
++"deshabilitado. Ajuste <emphasis>sudo_provider = None</emphasis> para "
++"deshabilitatr toda la actividad relacionada con sudo en SSSD si usted no "
++"desea usar sudo cn SSSD mas."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd.conf.5.xml:2521
+@@ -3485,6 +3729,10 @@ msgid ""
+ "<manvolnum>5</manvolnum> </citerefentry> for more information on configuring "
+ "the AD provider."
+ msgstr ""
++"<quote>ad</quote> para descargar una lista de subdominios desde un servidor "
++"Active Directory. Vea <citerefentry> <refentrytitle>sssd-ad</refentrytitle> "
++"<manvolnum>5</manvolnum> </citerefentry> para más información sobre la "
++"configuración del proveedor AD."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:2574
+@@ -3495,7 +3743,7 @@ msgstr ""
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd.conf.5.xml:2584
+ msgid "session_provider (string)"
+-msgstr ""
++msgstr "session_provider (cadena)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:2587
+@@ -3504,17 +3752,25 @@ msgid ""
+ "only user session task currently provided is the integration with Fleet "
+ "Commander, which works only with IPA.  Supported session providers are:"
+ msgstr ""
++"El proveedor que configura y gestiona las tareas relacionadas con la sesión "
++"de usuario. La única tarea de usuario que actualmente se provee es la "
++"integración con Fleet Commander, que trabaja solo con IPA.  Los proveedores "
++"de sesiones soportados son:"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:2594
+ msgid "<quote>ipa</quote> to allow performing user session related tasks."
+ msgstr ""
++"<quote>ipa</quote> para permitir llevar a cabo tareas relacionadas con la "
++"sesión de usuario."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:2598
+ msgid ""
+ "<quote>none</quote> does not perform any kind of user session related tasks."
+ msgstr ""
++"<quote>none</quote> no lleva a cabo ninguna tarea relacionada con la sesión "
++"de usuario."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:2602
+@@ -3522,6 +3778,8 @@ msgid ""
+ "Default: <quote>id_provider</quote> is used if it is set and can perform "
+ "session related tasks."
+ msgstr ""
++"Predeterminado: <quote>id_provider</quote> se usa si está ajustado y puede "
++"llevar a cabo tareas relacionadas con la sesión de usuario."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:2606
+@@ -3529,6 +3787,9 @@ msgid ""
+ "<emphasis>NOTE:</emphasis> In order to have this feature working as expected "
+ "SSSD must be running as \"root\" and not as the unprivileged user."
+ msgstr ""
++"<emphasis>AVISO:</emphasis> Con el objetivo de tener esta característica "
++"trabajando como se espera SSSD se debe correr como \"root\" y o como usuario "
++"sin privilegios."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd.conf.5.xml:2614
+@@ -3574,6 +3835,10 @@ msgid ""
+ "<refentrytitle>sssd-ad</refentrytitle> <manvolnum>5</manvolnum> </"
+ "citerefentry> for more information on configuring the AD provider."
+ msgstr ""
++"<quote>ad</quote> para cargar mapas almacenados en un servidor AD. Vea "
++"<citerefentry> <refentrytitle>sssd-ad</refentrytitle> <manvolnum>5</"
++"manvolnum> </citerefentry> para más información sobre como configurar un "
++"proveedor AD."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:2645
+@@ -3620,6 +3885,11 @@ msgid ""
+ "trust subdomains and Active Directory domains, the flat (NetBIOS) name of "
+ "the domain."
+ msgstr ""
++"Expresión regular para este dominio que describe como analizar "
++"gramaticalmente la cadena que contiene el nombre de usuario y el dominio en "
++"estos componentes.  El \"dominio\" puede coincidir bien con el nombre de "
++"dominio de configuración SSSD o en el caso de subdominios de confianza IPA y "
++"dominios Active Directory, el nombre plano (NetBIOS) del dominio."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:2692
+@@ -3679,6 +3949,11 @@ msgid ""
+ "consider changing the re_expression value to: <quote>((?P&lt;name&gt;.+)@(?"
+ "P&lt;domain&gt;[^@]+$))</quote>."
+ msgstr ""
++"AVISO: Algunos grupos Active Directory, normalmente aquellos que se usan por "
++"MS Exchange contienen un signo <quote>@</quote> en el nombre, lo que choca "
++"con el valor predeterminado de re_expressionpara los proveedores AD e IPA. "
++"Para soportar estos grupos, considere cambiar el valor de re_expression a: "
++"<quote>((?P&lt;name&gt;.+)@(?P&lt;domain&gt;[^@]+$))</quote>."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:2768
+@@ -3742,6 +4017,10 @@ msgid ""
+ "If this timeout is reached, the domain will continue to operate in offline "
+ "mode."
+ msgstr ""
++"Define la cantidad de tiempo (en segundos) a esperar una respuesta de un "
++"fallo interno sobre un servicio ntes de asumir que ese servicio es "
++"inalcanzable. ISi se alcanza este tiempo de salida, el dominio continuará "
++"trabajando en modo offline."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:2812
+@@ -3749,6 +4028,8 @@ msgid ""
+ "Please see the section <quote>FAILOVER</quote> for more information about "
+ "the service resolution."
+ msgstr ""
++"Por favor vea la sección <quote>RECUPERACIÓN DE FALLOS</quote> para más "
++"información sobre la resolución del servicio."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:2817 sssd-ldap.5.xml:1434 sssd-ldap.5.xml:1476
+@@ -3789,32 +4070,34 @@ msgstr "Anula el valor primario GID con el especificado."
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd.conf.5.xml:2845
+ msgid "case_sensitive (string)"
+-msgstr ""
++msgstr "case_sensitive (cadena)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+ #: sssd.conf.5.xml:2853
+ msgid "True"
+-msgstr ""
++msgstr "True"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:2856
+ msgid "Case sensitive. This value is invalid for AD provider."
+ msgstr ""
++"Distingue mayúsculas y minúsculas. Este valor es invalido para el proveedor "
++"AD."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+ #: sssd.conf.5.xml:2862
+ msgid "False"
+-msgstr ""
++msgstr "False"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:2864
+ msgid "Case insensitive."
+-msgstr ""
++msgstr "No sensible a mayúsculas minúsculas."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+ #: sssd.conf.5.xml:2868
+ msgid "Preserving"
+-msgstr ""
++msgstr "Preserving"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:2871
+@@ -3823,32 +4106,28 @@ msgid ""
+ "of NSS operations. Note that name aliases (and in case of services also "
+ "protocol names) are still lowercased in the output."
+ msgstr ""
++"Igual que False (no sensible a mayúsculas minúsculas.), pero sin minúsculas "
++"en los nombres en el resultado de las operaciones NSS. Advierta que los "
++"nombres de alias (y en el caso de servicios también los nombres de "
++"protocolo) están en minúsculas en la salida."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:2848
+-#, fuzzy
+-#| msgid ""
+-#| "With this parameter the certificate verification can be tuned with a "
+-#| "comma separated list of options. Supported options are: <placeholder type="
+-#| "\"variablelist\" id=\"0\"/>"
+ msgid ""
+ "Treat user and group names as case sensitive. At the moment, this option is "
+ "not supported in the local provider. Possible option values are: "
+ "<placeholder type=\"variablelist\" id=\"0\"/>"
+ msgstr ""
+-"Con este parámetros la verificación del certificado se puede sintonizar con "
+-"una lista de opciones separadas por comas. Las opciones soportadas son: "
+-"<placeholder type=\"variablelist\" id=\"0\"/>"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:2883
+ msgid "Default: True (False for AD provider)"
+-msgstr ""
++msgstr "Predeterminado: True (False para proveedor AD)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd.conf.5.xml:2889
+ msgid "subdomain_inherit (string)"
+-msgstr ""
++msgstr "subdomain_inherit (cadena)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:2892
+@@ -3857,26 +4136,30 @@ msgid ""
+ "subdomain. Please note that only selected parameters can be inherited.  "
+ "Currently the following options can be inherited:"
+ msgstr ""
++"Especifica una lista de parámetros de configuración que deberían ser "
++"heredados por un subdominio. Por favor advierta que solo pueden ser "
++"heredados parámetros seleccionados.  Actualmente se pueden heredar las "
++"siguientes opciones:"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:2898
+ msgid "ignore_group_members"
+-msgstr ""
++msgstr "ignore_group_members"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:2901
+ msgid "ldap_purge_cache_timeout"
+-msgstr ""
++msgstr "ldap_purge_cache_timeout"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd.conf.5.xml:2904 sssd-ldap.5.xml:1158
+ msgid "ldap_use_tokengroups"
+-msgstr ""
++msgstr "ldap_use_tokengroups"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:2907
+ msgid "ldap_user_principal"
+-msgstr ""
++msgstr "ldap_user_principal"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:2910
+@@ -3884,6 +4167,8 @@ msgid ""
+ "ldap_krb5_keytab (the value of krb5_keytab will be used if ldap_krb5_keytab "
+ "is not set explicitly)"
+ msgstr ""
++"ldap_krb5_keytab (se deberá usar el valor de krb5_keytab si no se ha fijado "
++"explícitamente ldap_krb5_keytab)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
+ #: sssd.conf.5.xml:2916
+@@ -3892,16 +4177,18 @@ msgid ""
+ "subdomain_inherit = ldap_purge_cache_timeout\n"
+ "                            "
+ msgstr ""
++"subdomain_inherit = ldap_purge_cache_timeout\n"
++"                            "
+ 
+ #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:2914 sssd-secrets.5.xml:448
+ msgid "Example: <placeholder type=\"programlisting\" id=\"0\"/>"
+-msgstr ""
++msgstr "Ejemplo: <placeholder type=\"programlisting\" id=\"0\"/>"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:2923
+ msgid "Note: This option only works with the IPA and AD provider."
+-msgstr ""
++msgstr "Aviso: Esta opción solo trabaja con el proveedor IPA y AD."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd.conf.5.xml:2930
+@@ -3911,12 +4198,12 @@ msgstr "subdomain_homedir (cadena)"
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+ #: sssd.conf.5.xml:2941
+ msgid "%F"
+-msgstr ""
++msgstr "%F"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:2942
+ msgid "flat (NetBIOS) name of a subdomain."
+-msgstr ""
++msgstr "flat (NetBIOS) nombre de un subdominio."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:2933
+@@ -3927,6 +4214,12 @@ msgid ""
+ "with <emphasis>subdomain_homedir</emphasis>.  <placeholder type="
+ "\"variablelist\" id=\"0\"/>"
+ msgstr ""
++"Use este directorio home como valor predeterminado para todos los "
++"subdominios dentro de este dominio en IPA AD de confianza.  Vea "
++"<emphasis>override_homedir</emphasis> para información sobre los posibles "
++"valores. Además de esto, la expansión de abajo sólo puede ser usada con "
++"<emphasis>subdomain_homedir</emphasis>.  <placeholder type=\"variablelist\" "
++"id=\"0\"/>"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:2947
+@@ -3944,18 +4237,20 @@ msgstr "Por defecto: <filename>/home/%d/%u</filename>"
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd.conf.5.xml:2956
+ msgid "realmd_tags (string)"
+-msgstr ""
++msgstr "realmd_tags (cadena)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:2959
+ msgid ""
+ "Various tags stored by the realmd configuration service for this domain."
+ msgstr ""
++"Diversas banderas almacenadas por el servicio de configuración realmd para "
++"este dominio."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd.conf.5.xml:2965
+ msgid "cached_auth_timeout (int)"
+-msgstr ""
++msgstr "cached_auth_timeout (entero)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:2968
+@@ -3965,6 +4260,10 @@ msgid ""
+ "the online mode. If the credentials are incorrect, SSSD falls back to online "
+ "authentication."
+ msgstr ""
++"Especifica el tiempo en segundos desde la última autenticación en línea con "
++"éxito por las cuales el usuario serán autenticado usando las credenciales en "
++"cache mientras SSSD está en modo en línea. Si las credenciales son "
++"incorrectas, SSSD cae de nuevo a la autenticación en linea."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:2976
+@@ -3972,11 +4271,14 @@ msgid ""
+ "This option's value is inherited by all trusted domains. At the moment it is "
+ "not possible to set a different value per trusted domain."
+ msgstr ""
++"Este valor de opción es heredado por todos los dominios de confianza. En "
++"este momento no es posible establecer un valor diferente por dominio de "
++"confianza."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:2981
+ msgid "Special value 0 implies that this feature is disabled."
+-msgstr ""
++msgstr "El valor especial 0 implica que esta función está deshabilitada."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:2985
+@@ -3985,16 +4287,19 @@ msgid ""
+ "<quote>pam_id_timeout</quote> then the back end could be called to handle "
+ "<quote>initgroups.</quote>"
+ msgstr ""
++"Por favor advierta que si <quote>cached_auth_timeout</quote> es mayor que "
++"<quote>pam_id_timeout</quote> el otro extremo podría ser llamado para "
++"gestionar <quote>initgroups.</quote>"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd.conf.5.xml:2996
+ msgid "auto_private_groups (string)"
+-msgstr ""
++msgstr "auto_private_groups (cadena)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+ #: sssd.conf.5.xml:3002
+ msgid "true"
+-msgstr ""
++msgstr "true"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:3005
+@@ -4002,6 +4307,8 @@ msgid ""
+ "Create user's private group unconditionally from user's UID number.  The GID "
+ "number is ignored in this case."
+ msgstr ""
++"crear el grupo privado de usuario incondicionalmente desde el número UID del "
++"usuario.  El número GID se ignora en este caso."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:3009
+@@ -4011,11 +4318,15 @@ msgid ""
+ "UID or GID number with this option. In other words, enabling this option "
+ "enforces uniqueness across the ID space."
+ msgstr ""
++"AVISO: Puesto que el número GID y el grupo privado de usuario se infieren de "
++"número UID, no está soportado tener múltiples entrada con los mismos UID o "
++"GID con esta opción. En otras palabras, habilitando esta opción se fuerza la "
++"unicidad den el espacio de ID."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+ #: sssd.conf.5.xml:3018
+ msgid "false"
+-msgstr ""
++msgstr "false"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:3021
+@@ -4023,11 +4334,13 @@ msgid ""
+ "Always use the user's primary GID number. The GID number must refer to a "
+ "group object in the LDAP database."
+ msgstr ""
++"Use siempre el número GID primario del usuario. El número GID debe referirse "
++"a un  objeto grupo en las base de datos LDAP."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+ #: sssd.conf.5.xml:3027
+ msgid "hybrid"
+-msgstr ""
++msgstr "hybrid"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:3030
+@@ -4038,6 +4351,11 @@ msgid ""
+ "GID in the user entry is also used by a group object, the primary GID of the "
+ "user resolves to that group object."
+ msgstr ""
++"Un grupo primario se autogenera para las entradas de usuario cuyos números "
++"UID y GID tienen los mismos valores y al mismo tiempo el número GID no "
++"coresponde a un objeto grupo real en LDAP si los valores son los mismos, "
++"pero el GID primario en la entrada de usuario se usa también por un objeto "
++"grupo, el GID primario del usaurio resuelve a este objeto grupo."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:3043
+@@ -4045,6 +4363,8 @@ msgid ""
+ "If the UID and GID of a user are different, then the GID must correspond to "
+ "a group entry, otherwise the GID is simply not resolvable."
+ msgstr ""
++"Si el UID y el GID de un usuario son diferentes, el GID debe corresponder a "
++"una entrada de grupo, de otro modo el GID simplemente no se puede resolver."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:3050
+@@ -4053,19 +4373,18 @@ msgid ""
+ "separate group objects for the user private groups, but also wish to retain "
+ "the existing user private groups."
+ msgstr ""
++"Esta característica es útil para entornos que desean parar manteniendo un "
++"grupo separado de objetos grupos para el usuario de grupos privados, pero "
++"también desea retener los grupos privados existentes del usuario."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:2999
+-#, fuzzy
+-#| msgid ""
+-#| "Options valid for proxy domains.  <placeholder type=\"variablelist\" id="
+-#| "\"0\"/>"
+ msgid ""
+ "This option takes any of three available values: <placeholder type="
+ "\"variablelist\" id=\"0\"/>"
+ msgstr ""
+-"Opciones válidas para dominios proxy.  <placeholder type=\"variablelist\" id="
+-"\"0\"/>"
++"Esta opción toma cualquiera de los tres valores disponibles: <placeholder "
++"type=\"variablelist\" id=\"0\"/>"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:3062
+@@ -4073,6 +4392,8 @@ msgid ""
+ "For subdomains, the default value is False for subdomains that use assigned "
+ "POSIX IDs and True for subdomains that use automatic ID-mapping."
+ msgstr ""
++"Para subdominios el valor por defecto es False par subdominios que usan "
++"POSIX IDs asignados y True para subdominios que usan mapeo de ID automático."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
+ #: sssd.conf.5.xml:3070
+@@ -4081,6 +4402,8 @@ msgid ""
+ "[domain/forest.domain/sub.domain]\n"
+ "auto_private_groups = false\n"
+ msgstr ""
++"[domain/forest.domain/sub.domain]\n"
++"auto_private_groups = false\n"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
+ #: sssd.conf.5.xml:3076
+@@ -4090,6 +4413,9 @@ msgid ""
+ "subdomain_inherit = auto_private_groups\n"
+ "auto_private_groups = false\n"
+ msgstr ""
++"[domain/forest.domain]\n"
++"subdomain_inherit = auto_private_groups\n"
++"auto_private_groups = false\n"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:3067
+@@ -4099,6 +4425,11 @@ msgid ""
+ "globally for all subdomains in the main domain section using the "
+ "subdomain_inherit option: <placeholder type=\"programlisting\" id=\"1\"/>"
+ msgstr ""
++"El valor de auto_private_groups puede bien ser establecido por subdominios "
++"en una subsección, por ejemplo: <placeholder type=\"programlisting\" id="
++"\"0\"/> o globalmente para todos los subdominios en la sección principal "
++"dominio usando la opción subdomain_inherit: <placeholder type="
++"\"programlisting\" id=\"1\"/>"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+ #: sssd.conf.5.xml:1802
+@@ -4169,7 +4500,7 @@ msgstr ""
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd.conf.5.xml:3135
+ msgid "proxy_max_children (integer)"
+-msgstr ""
++msgstr "proxy_max_children (entero)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:3138
+@@ -4178,6 +4509,10 @@ msgid ""
+ "for high-load SSSD environments where sssd may run out of available child "
+ "slots, which would cause some issues due to the requests being queued."
+ msgstr ""
++"Esta opción especifica el número de hijos proxy pre-bifurcados. Es útil para "
++"entornor SSSD de alta carga donde sssd puede quedarse sin espacios para "
++"hijos disponibles, lo que podría causar errores debido a las peticiones que "
++"son encoladas."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+ #: sssd.conf.5.xml:3087
+@@ -4191,7 +4526,7 @@ msgstr ""
+ #. type: Content of: <reference><refentry><refsect1><refsect2><title>
+ #: sssd.conf.5.xml:3154
+ msgid "Application domains"
+-msgstr ""
++msgstr "Dominios de aplicaciones"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para>
+ #: sssd.conf.5.xml:3156
+@@ -4209,6 +4544,18 @@ msgid ""
+ "<quote>application</quote> optionally inherits settings from a tradition "
+ "SSSD domain."
+ msgstr ""
++"SSSD, con su interfaz D-Bus (see <citerefentry> <refentrytitle>sssd-ifp</"
++"refentrytitle> <manvolnum>5</manvolnum> </citerefentry>) es atractivo para "
++"las aplicaciones como puerta de entrada a un directorio LDAP donde se "
++"almacenan usuarios y grupos. Sin embargo, de modo distinto al tradicional "
++"despliegue SSSD donde todos los usuarios y grupos bien tienen atributos "
++"POSIX o esos atributos se pueden inferir desde los Windows SIDs, en muchos "
++"casos los usuarios y grupos en el escenario de soporte de la aplicación no "
++"tienen atributos POSIX.  En lugar de establecer una sección <quote>[domain/"
++"<replaceable>NAME</replaceable>]</quote>, el administrador puede configurar "
++"una sección <quote>[application/<replaceable>NAME</replaceable>]</quote> que "
++"internamente represente un dominio con un tipo <quote>application</quote> "
++"que opcionalmente herede ajustes de un dominio SSSD tradicional."
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para>
+ #: sssd.conf.5.xml:3176
+@@ -4217,16 +4564,20 @@ msgid ""
+ "the <quote>domains</quote> parameter so that the lookup order between the "
+ "application domain and its POSIX sibling domain is set correctly."
+ msgstr ""
++"Por favor advierta que el dominio de aplicación debe aún ser habilitado "
++"explícitamente en el parámetros <quote>domains</quote> de modo que la orden "
++"de búsqueda entre el dominio de aplicación y su dominio POSIX hermano está "
++"establecido correctamente."
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><title>
+ #: sssd.conf.5.xml:3182
+ msgid "Application domain parameters"
+-msgstr ""
++msgstr "Parámetros de dominio de aplicación"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+ #: sssd.conf.5.xml:3184
+ msgid "inherit_from (string)"
+-msgstr ""
++msgstr "inherit_from (cadena)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:3187
+@@ -4236,6 +4587,10 @@ msgid ""
+ "application settings that augment or override the <quote>sibling</quote> "
+ "domain settings."
+ msgstr ""
++"En el dominio tipo SSSD POSIX el dominio de aplicación hereda todos los "
++"ajustes. El dominio de aplicación puede además añadir sus propios ajustes a "
++"los ajustes de aplicación que aumentan o anulan los ajustes del dominio "
++"<quote>hermano</quote>."
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para>
+ #: sssd.conf.5.xml:3201
+@@ -4246,6 +4601,11 @@ msgid ""
+ "the telephoneNumber attribute, stores it as the phone attribute in the cache "
+ "and makes the phone attribute reachable through the D-Bus interface."
+ msgstr ""
++"El siguiente ejemplo ilustra el uso de un dominio de aplicación. En este "
++"ajuste, el dominio POSIX está conectado a un servidor LDAP y se usa por el "
++"SO a través de un contestador NSS. Además, el dominio de aplicación también "
++"pide el atributo telephoneNumber, lo almacena como el atributo phone en la "
++"cache y hace al atributo phone alcanzable a través del interfaz D-Bus."
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><programlisting>
+ #: sssd.conf.5.xml:3209
+@@ -4266,6 +4626,20 @@ msgid ""
+ "inherit_from = posixdom\n"
+ "ldap_user_extra_attrs = phone:telephoneNumber\n"
+ msgstr ""
++"[sssd]\n"
++"domains = appdom, posixdom\n"
++"\n"
++"[ifp]\n"
++"user_attributes = +phone\n"
++"\n"
++"[domain/posixdom]\n"
++"id_provider = ldap\n"
++"ldap_uri = ldap://ldap.example.com\n"
++"ldap_search_base = dc=example,dc=com\n"
++"\n"
++"[application/appdom]\n"
++"inherit_from = posixdom\n"
++"ldap_user_extra_attrs = phone:telephoneNumber\n"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><title>
+ #: sssd.conf.5.xml:3227
+@@ -4442,7 +4816,7 @@ msgstr "Predeterminado: None, no se ejecuta comando"
+ #. type: Content of: <reference><refentry><refsect1><title>
+ #: sssd.conf.5.xml:3353
+ msgid "TRUSTED DOMAIN SECTION"
+-msgstr ""
++msgstr "SECCIÓN DE DOMINIO DE CONFIANZA"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+ #: sssd.conf.5.xml:3355
+@@ -4454,58 +4828,62 @@ msgid ""
+ "domain. Please refer to examples below for explanation.  Currently supported "
+ "options in the trusted domain section are:"
+ msgstr ""
++"Algunas opciones usadas en la sección dominio puede ser usadas también en la "
++"sección dominio de confianza, esto es, en una sección llamada<quote>[domain/"
++"<replaceable>DOMAIN_NAME</replaceable>/<replaceable>TRUSTED_DOMAIN_NAME</"
++"replaceable>]</quote>.  Donde DOMAIN_NAME es el dominio base real. Por favor "
++"vea los ejemplos de abajo para una explicación.  Actualmente las opciones "
++"soportadas en la sección de dominio de confianza son:"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+ #: sssd.conf.5.xml:3362
+ msgid "ldap_search_base,"
+-msgstr ""
++msgstr "ldap_search_base,"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+ #: sssd.conf.5.xml:3363
+ msgid "ldap_user_search_base,"
+-msgstr ""
++msgstr "ldap_user_search_base,"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+ #: sssd.conf.5.xml:3364
+ msgid "ldap_group_search_base,"
+-msgstr ""
++msgstr "ldap_group_search_base,"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+ #: sssd.conf.5.xml:3365
+ msgid "ldap_netgroup_search_base,"
+-msgstr ""
++msgstr "ldap_netgroup_search_base,"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+ #: sssd.conf.5.xml:3366
+ msgid "ldap_service_search_base,"
+-msgstr ""
++msgstr "ldap_service_search_base,"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+ #: sssd.conf.5.xml:3367
+-#, fuzzy
+-#| msgid "ldap_sasl_mech (string)"
+ msgid "ldap_sasl_mech,"
+-msgstr "ldap_sasl_mech (cadena)"
++msgstr "ldap_sasl_mech,"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+ #: sssd.conf.5.xml:3368
+ msgid "ad_server,"
+-msgstr ""
++msgstr "ad_server,"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+ #: sssd.conf.5.xml:3369
+ msgid "ad_backup_server,"
+-msgstr ""
++msgstr "ad_backup_server,"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+ #: sssd.conf.5.xml:3370
+ msgid "ad_site,"
+-msgstr ""
++msgstr "ad_site,"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para>
+ #: sssd.conf.5.xml:3371 sssd-ipa.5.xml:782
+ msgid "use_fully_qualified_names"
+-msgstr ""
++msgstr "use_fully_qualified_names"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+ #: sssd.conf.5.xml:3373
+@@ -4513,13 +4891,13 @@ msgid ""
+ "For more details about these options see their individual description in the "
+ "manual page."
+ msgstr ""
++"Para más detalles sobre estas opciones vea su descripción individual en la "
++"página de manual."
+ 
+ #. type: Content of: <reference><refentry><refsect1><title>
+ #: sssd.conf.5.xml:3379
+-#, fuzzy
+-#| msgid "CONFIGURATION OPTIONS"
+ msgid "PROMPTING CONFIGURATION SECTION"
+-msgstr "OPCIONES DE CONFIGURACIÓN"
++msgstr "SECCIÓN DE CONFIGURACIÓN INICIAL"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+ #: sssd.conf.5.xml:3381
+@@ -4530,6 +4908,11 @@ msgid ""
+ "Based on the results pam_sss will prompt the user for appropriate "
+ "credentials."
+ msgstr ""
++"Si existe un fichero especial(<filename>/var/lib/sss/pubconf/"
++"pam_preauth_available</filename>)  el módulo PAM de SSSD pam_sss le pedirá a "
++"SSSD que descubra que métodos de autenticación están disponibles para el "
++"usuario que intenta iniciar sesión. En base a los resultados pam_sss pedirá "
++"al usuario las credenciales apropiadas."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+ #: sssd.conf.5.xml:3389
+@@ -4539,66 +4922,64 @@ msgid ""
+ "select the prompting might not be suitable for all use cases. To following "
+ "options should provide a better flexibility here."
+ msgstr ""
++"Con el creciente número de métodos de autenticación kyh la posibilidad de "
++"que haya múltiples para un solo usuario la heurística usada por pam_sss "
++"podría no ser adecuada para todos los casos de uso. Las siguientes opciones "
++"suministrarían una mejor flexibilidad aquí."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd.conf.5.xml:3401
+ msgid "[prompting/password]"
+-msgstr ""
++msgstr "[prompting/password]"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+ #: sssd.conf.5.xml:3404
+-#, fuzzy
+-#| msgid "password"
+ msgid "password_prompt"
+-msgstr "contraseña"
++msgstr "password_prompt"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:3405
+ msgid "to change the string of the password prompt"
+-msgstr ""
++msgstr "cambiar la cadena de solicitud de contraseña"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:3403
+-#, fuzzy
+-#| msgid ""
+-#| "Options valid for proxy domains.  <placeholder type=\"variablelist\" id="
+-#| "\"0\"/>"
+ msgid ""
+ "to configure password prompting, allowed options are: <placeholder type="
+ "\"variablelist\" id=\"0\"/>"
+ msgstr ""
+-"Opciones válidas para dominios proxy.  <placeholder type=\"variablelist\" id="
+-"\"0\"/>"
++"para configurar la solicitud de contraseña, las opciones permitidas son: "
++"<placeholder type=\"variablelist\" id=\"0\"/>"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd.conf.5.xml:3413
+ msgid "[prompting/2fa]"
+-msgstr ""
++msgstr "[prompting/2fa]"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+ #: sssd.conf.5.xml:3417
+ msgid "first_prompt"
+-msgstr ""
++msgstr "first_prompt"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:3418
+ msgid "to change the string of the prompt for the first factor"
+-msgstr ""
++msgstr "para cambiar la cadena de la solicitud del primer factor"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+ #: sssd.conf.5.xml:3421
+ msgid "second_prompt"
+-msgstr ""
++msgstr "second_prompt"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:3422
+ msgid "to change the string of the prompt for the second factor"
+-msgstr ""
++msgstr "para cambiar la cadena de la solicitud para el segundo factor"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+ #: sssd.conf.5.xml:3425
+ msgid "single_prompt"
+-msgstr ""
++msgstr "single_prompt"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:3426
+@@ -4607,19 +4988,18 @@ msgid ""
+ "first_prompt where it is expected that both factor are entered as a single "
+ "string"
+ msgstr ""
++"valor booleano, si True habrá solo una única consulta usando el valor de "
++"first_prompt donde se espera que el factor sea introducido como una única "
++"cadena"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:3415
+-#, fuzzy
+-#| msgid ""
+-#| "Options valid for proxy domains.  <placeholder type=\"variablelist\" id="
+-#| "\"0\"/>"
+ msgid ""
+ "to configure two-factor authentication prompting, allowed options are: "
+ "<placeholder type=\"variablelist\" id=\"0\"/>"
+ msgstr ""
+-"Opciones válidas para dominios proxy.  <placeholder type=\"variablelist\" id="
+-"\"0\"/>"
++"para configurar la consulta de autenticación de dos factores, las opciones "
++"permitidas son: <placeholder type=\"variablelist\" id=\"0\"/>"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+ #: sssd.conf.5.xml:3396
+@@ -4628,6 +5008,10 @@ msgid ""
+ "under <quote>[prompting/...]</quote>. Currently there are: <placeholder type="
+ "\"variablelist\" id=\"0\"/> <placeholder type=\"variablelist\" id=\"1\"/>"
+ msgstr ""
++"Cada método de autenticación soportado tiene su propia subsección de "
++"configuración bajo <quote>[prompting/...]</quote>. Actualmente hay: "
++"<placeholder type=\"variablelist\" id=\"0\"/> <placeholder type="
++"\"variablelist\" id=\"1\"/>"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+ #: sssd.conf.5.xml:3438
+@@ -4636,11 +5020,14 @@ msgid ""
+ "<quote>[prompting/password/sshd]</quote> to individual change the prompting "
+ "for this service."
+ msgstr ""
++"Es posible añadir una subsección para srvicios PAM especificos como e.g. "
++"<quote>[prompting/password/sshd]</quote> para cambio individual de la "
++"consulta para este servicio."
+ 
+ #. type: Content of: <reference><refentry><refsect1><title>
+ #: sssd.conf.5.xml:3445 idmap_sss.8.xml:43
+ msgid "EXAMPLES"
+-msgstr ""
++msgstr "EJEMPLOS"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><programlisting>
+ #: sssd.conf.5.xml:3451
+@@ -4704,6 +5091,10 @@ msgid ""
+ "configuring domains for more details.  <placeholder type=\"programlisting\" "
+ "id=\"0\"/>"
+ msgstr ""
++"1. El siguiente ejemplo muestra una configuración SSSD típica.No describe la "
++"configuración de los dominios en si mismos - vea la documentación sobre "
++"configuración de dominios para mas detalles.  <placeholder type="
++"\"programlisting\" id=\"0\"/>"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><programlisting>
+ #: sssd.conf.5.xml:3484
+@@ -4712,6 +5103,8 @@ msgid ""
+ "[domain/ipa.com/child.ad.com]\n"
+ "use_fully_qualified_names = false\n"
+ msgstr ""
++"[domain/ipa.com/child.ad.com]\n"
++"use_fully_qualified_names = false\n"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+ #: sssd.conf.5.xml:3478
+@@ -4723,6 +5116,12 @@ msgid ""
+ "configuration should be used.  <placeholder type=\"programlisting\" id=\"0\"/"
+ ">"
+ msgstr ""
++"2. El siguiente ejemplo muestra la configuración de confianza IPA AD el "
++"bosque AD consta de dos dominios en una estructura padre-hijo.  Supone que "
++"el dominio IPA (ipa.com) tiene confianza con el dominio AD (ad.com).  ad.com "
++"tiene dominio hijo (child.ad.com). Para habilitar nombres cortos en el "
++"dominio hijo se debería usar la siguiente configuración.  <placeholder type="
++"\"programlisting\" id=\"0\"/>"
+ 
+ #. type: Content of: <reference><refentry><refnamediv><refname>
+ #: sssd-ldap.5.xml:10 sssd-ldap.5.xml:16
+@@ -4732,7 +5131,7 @@ msgstr "sssd-ldap"
+ #. type: Content of: <reference><refentry><refnamediv><refpurpose>
+ #: sssd-ldap.5.xml:17
+ msgid "SSSD LDAP provider"
+-msgstr ""
++msgstr "Proveedor SSSD LDAP"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+ #: sssd-ldap.5.xml:23
+@@ -5015,32 +5414,29 @@ msgstr "Predeterminado: rfc2307"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd-ldap.5.xml:209
+-#, fuzzy
+-#| msgid "ldap_group_modify_timestamp (string)"
+ msgid "ldap_pwmodify_mode (string)"
+-msgstr "ldap_group_modify_timestamp (cadena)"
++msgstr "ldap_pwmodify_mode (cadena)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:212
+ msgid "Specify the operation that is used to modify user password."
+ msgstr ""
++"Especifica la operación que se usa para modificar la contraseña de usuario."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:216
+-#, fuzzy
+-#| msgid "Four schema types are currently supported:"
+ msgid "Two modes are currently supported:"
+-msgstr "Cuatro tipos de esquema son actualmente soportados:"
++msgstr "Actualmente se soportan dos modos:"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+ #: sssd-ldap.5.xml:220
+ msgid "exop - Password Modify Extended Operation (RFC 3062)"
+-msgstr ""
++msgstr "exop - Operación Extendida de Modificación de Contraseña (RFC 3062)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+ #: sssd-ldap.5.xml:226
+ msgid "ldap_modify - Direct modification of userPassword (not recommended)."
+-msgstr ""
++msgstr "ldap_modify - Modificación directa de userPassword (no recomendado)."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:233
+@@ -5050,13 +5446,15 @@ msgid ""
+ "connection is used to change the password therefore the user must have write "
+ "access to userPassword attribute."
+ msgstr ""
++"Aviso: Primero, se establece una nueva conexión para verificar la contraseña "
++"acutal uniendo con el usuario que ha pedido el cambio de contraseña. Si "
++"tiene éxito, esta conexión se usa para el cambio de contraseña por lo tanto "
++"el usuario debe haber escrito el atributo de acceos a userPassword."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:241
+-#, fuzzy
+-#| msgid "Default: gecos"
+ msgid "Default: exop"
+-msgstr "Predeterminado: gecos"
++msgstr "Predeterminado: exop"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd-ldap.5.xml:247
+@@ -5142,7 +5540,7 @@ msgstr ""
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:308
+ msgid "Default: uid (rfc2307, rfc2307bis and IPA), sAMAccountName (AD)"
+-msgstr ""
++msgstr "Predeterminado: uid (rfc2307, rfc2307bis e IPA), sAMAccountName (AD)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd-ldap.5.xml:315
+@@ -5177,7 +5575,7 @@ msgstr "Predeterminado: gidNumber"
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd-ldap.5.xml:341
+ msgid "ldap_user_primary_group (string)"
+-msgstr ""
++msgstr "ldap_user_primary_group (cadena)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:344
+@@ -5186,11 +5584,14 @@ msgid ""
+ "attribute should only be set manually if you are running the <quote>ldap</"
+ "quote> provider with ID mapping."
+ msgstr ""
++"Atributo de grupo primario Active Directory para el mapeo de ID. Advierta "
++"que este atributo debería solo ser establecido manualmente si usted está "
++"ejecutando el proveedor <quote>ldap</quote> con mapeo ID."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:350
+ msgid "Default: unset (LDAP), primaryGroupID (AD)"
+-msgstr ""
++msgstr "Predeterminado: no establecido (LDAP), primaryGroupID (AD)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd-ldap.5.xml:356
+@@ -5243,12 +5644,13 @@ msgstr "Predeterminado: loginShell"
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd-ldap.5.xml:395
+ msgid "ldap_user_uuid (string)"
+-msgstr ""
++msgstr "ldap_user_uuid (cadena)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:398
+ msgid "The LDAP attribute that contains the UUID/GUID of an LDAP user object."
+ msgstr ""
++"El atributo LDAP que contiene el UUID/GUID de un objeto de usuario LDAP."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:402 sssd-ldap.5.xml:993
+@@ -5256,6 +5658,8 @@ msgid ""
+ "Default: not set in the general case, objectGUID for AD and ipaUniqueID for "
+ "IPA"
+ msgstr ""
++"Predeterminado: no establecido en caso general, objectGUID para AD e "
++"ipaUniqueID para IPA"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd-ldap.5.xml:409
+@@ -5275,6 +5679,8 @@ msgstr ""
+ #: sssd-ldap.5.xml:417 sssd-ldap.5.xml:1008
+ msgid "Default: objectSid for ActiveDirectory, not set for other servers."
+ msgstr ""
++"Predeterminado: objectSid para ActiveDirectory, no establecido para otros "
++"servidores."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd-ldap.5.xml:424
+@@ -5607,7 +6013,7 @@ msgstr "Predeterminado: krbPrincipalName"
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd-ldap.5.xml:675
+ msgid "ldap_user_extra_attrs (string)"
+-msgstr ""
++msgstr "ldap_user_extra_attrs (cadena)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:678
+@@ -5615,6 +6021,8 @@ msgid ""
+ "Comma-separated list of LDAP attributes that SSSD would fetch along with the "
+ "usual set of user attributes."
+ msgstr ""
++"Lista separada por comas de atributos LDAP que SSSD debería ir a buscar con "
++"el conjunto usual de atributos de usuario."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:683
+@@ -5625,6 +6033,12 @@ msgid ""
+ "verbatim.  Using a custom SSSD attribute name might be required by "
+ "environments that configure several SSSD domains with different LDAP schemas."
+ msgstr ""
++"La lista puede contener bien nombres de atributo LDAP solamente o tuplas "
++"separadas por comas de de nombre de atributo SSSD en caché y nombre de "
++"atributo LDAP. En el caso de que solo sed especifique el nombre de atributo "
++"LDAP, el atributo se salva al caché literal.  El uso de un nombre de "
++"atributo SSSD personal puede ser requerido por entornos que configuran "
++"varios dominios SSSD con diferentes esquemas LDAP."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:693
+@@ -5633,11 +6047,15 @@ msgid ""
+ "<quote>name</quote> attribute. SSSD would report an error if any of the "
+ "reserved attribute names is used as an extra attribute name."
+ msgstr ""
++"Por favor advierta que varios nombres de atributos están reservados por "
++"SSSD, notablemente el atributo <quote>name</quote>. SSSD informaría de un "
++"error si cualquiera de los nombres de atributo reservados es usado como un "
++"nombre de atributo extra."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:703
+ msgid "ldap_user_extra_attrs = telephoneNumber"
+-msgstr ""
++msgstr "ldap_user_extra_attrs = telephoneNumber"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:706
+@@ -5645,11 +6063,13 @@ msgid ""
+ "Save the <quote>telephoneNumber</quote> attribute from LDAP as "
+ "<quote>telephoneNumber</quote> to the cache."
+ msgstr ""
++"Guarda el atributo <quote>telephoneNumber</quote> desde LDAP como "
++"<quote>telephoneNumber</quote> al caché."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:710
+ msgid "ldap_user_extra_attrs = phone:telephoneNumber"
+-msgstr ""
++msgstr "ldap_user_extra_attrs = phone:telephoneNumber"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:713
+@@ -5657,6 +6077,8 @@ msgid ""
+ "Save the <quote>telephoneNumber</quote> attribute from LDAP as <quote>phone</"
+ "quote> to the cache."
+ msgstr ""
++"Guarda el atributo <quote>telephoneNumber</quote> desde LDAP como "
++"<quote>phone</quote> al caché."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd-ldap.5.xml:723
+@@ -5671,7 +6093,7 @@ msgstr "El atributo LDAP que contiene las claves públicas SSH del usuario."
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:730 sssd-ldap.5.xml:1344
+ msgid "Default: sshPublicKey"
+-msgstr ""
++msgstr "Predeterminado: sshPublicKey"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd-ldap.5.xml:736
+@@ -5729,6 +6151,11 @@ msgid ""
+ "to detect entries removed from the server and can't be disabled. By default, "
+ "the cleanup task will run every 3 hours with enumeration enabled."
+ msgstr ""
++"Estableciendo esta opción a cero deshabilitará la operación de limpieza del "
++"caché. Por favor advierta que si la enumeración está habilitada, se requiere "
++"la tarea de limpieza con el objetivo de detectar entradas borradas desde el "
++"servidor y no pueden ser deshabilitadas. Por defecto, la tarea de limpieza "
++"correrá cada tres horas con la enumeración habilitada."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd-ldap.5.xml:790
+@@ -5793,6 +6220,9 @@ msgid ""
+ "emphasis> include <quote>authorized_service</quote> in order for the "
+ "ldap_user_authorized_service option to work."
+ msgstr ""
++"Por favor advierta que la opcion de configuración ldap_access_order "
++"<emphasis>debe</emphasis> incluir <quote>authorized_service</quote> con el "
++"objetivo de que la opción ldap_user_authorized_service trabaje."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:838
+@@ -5831,6 +6261,9 @@ msgid ""
+ "emphasis> include <quote>host</quote> in order for the "
+ "ldap_user_authorized_host option to work."
+ msgstr ""
++"Por favor advierta que la opción de configuración ldap_access_order "
++"<emphasis>debe</emphasis> incluir <quote>host</quote> con el objetivo de que "
++"la opción ldap_user_authorized_host."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:865
+@@ -5840,7 +6273,7 @@ msgstr "Default: host"
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd-ldap.5.xml:871
+ msgid "ldap_user_authorized_rhost (string)"
+-msgstr ""
++msgstr "ldap_user_authorized_rhost (cadena)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:874
+@@ -5849,6 +6282,9 @@ msgid ""
+ "presence of the rhost attribute in the user's LDAP entry to determine access "
+ "privilege. Similarly to host verification process."
+ msgstr ""
++"Si access_provider=ldap y ldap_access_order=rhost, SSSD usará la presencia "
++"del atributo rhost en la entrada LDAP de usuario para determinar el "
++"privilegio de acceso. Similarmente al proceso de verificación de host."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:881
+@@ -5856,6 +6292,8 @@ msgid ""
+ "An explicit deny (!rhost) is resolved first. Second, SSSD searches for "
+ "explicit allow (rhost) and finally for allow_all (*)."
+ msgstr ""
++"Una denegación explícita (!rhost) se resuelve primero. Segundo, SSSD busca "
++"permisos explícitos (rhost) y finalmente allow_all (*)."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:886
+@@ -5864,36 +6302,40 @@ msgid ""
+ "emphasis> include <quote>rhost</quote> in order for the "
+ "ldap_user_authorized_rhost option to work."
+ msgstr ""
++"Por favor advierta que la opción de configuración ldap_access_order "
++"<emphasis>debe</emphasis> incluir <quote>rhost</quote> con el objetivo de "
++"que la opción ldap_user_authorized_rhost trabaje."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:893
+ msgid "Default: rhost"
+-msgstr ""
++msgstr "Predeterminado: rhost"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd-ldap.5.xml:899
+ msgid "ldap_user_certificate (string)"
+-msgstr ""
++msgstr "ldap_user_certificate (cadena)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:902
+ msgid "Name of the LDAP attribute containing the X509 certificate of the user."
+-msgstr ""
++msgstr "Nombre del atributo LDAP que contiene el certificado X509 del usuario."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:906
+ msgid "Default: userCertificate;binary"
+-msgstr ""
++msgstr "Predeterminado: userCertificate;binary"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd-ldap.5.xml:912
+ msgid "ldap_user_email (string)"
+-msgstr ""
++msgstr "ldap_user_email (cadena)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:915
+ msgid "Name of the LDAP attribute containing the email address of the user."
+ msgstr ""
++"Nombre del atributo LDAP que contiene el correo electrónico del usuario."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:919
+@@ -5904,11 +6346,18 @@ msgid ""
+ "email address then set this option to a nonexistent attribute name in order "
+ "to disable user lookup/login by email."
+ msgstr ""
++"Aviso: Si una dirección de correo electrónico de un usuario entra en "
++"conflicto con una dirección de correo electrónico o el nombre totalmente "
++"cualificado de otro usuario, SSSD no será capaz de servir adecuadamente a "
++"esos usuarios. Si por alguna de varias razones los usuarios necesitan "
++"compartir la misma dirección de correo electrónico establezca esta opción a "
++"un nombre de atributo no existente con elobjetivo de deshabilitar la "
++"búsqueda/acceso por correo electrónico."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:928
+ msgid "Default: mail"
+-msgstr ""
++msgstr "Predeterminado: mail"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd-ldap.5.xml:934
+@@ -5938,7 +6387,7 @@ msgstr "El atributo LDAP que corresponde al nombre de grupo."
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:953
+ msgid "Default: cn (rfc2307, rfc2307bis and IPA), sAMAccountName (AD)"
+-msgstr ""
++msgstr "Predeterminado: cn (rfc2307, rfc2307bis and IPA), sAMAccountName (AD)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd-ldap.5.xml:960
+@@ -5968,12 +6417,12 @@ msgstr "Valor predeterminado: memberuid (rfc2307) / member (rfc2307bis)"
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd-ldap.5.xml:986
+ msgid "ldap_group_uuid (string)"
+-msgstr ""
++msgstr "ldap_group_uuid (cadena)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:989
+ msgid "The LDAP attribute that contains the UUID/GUID of an LDAP group object."
+-msgstr ""
++msgstr "El atributo LDAP que contiene el UUID/GUID de un objeto grupo LDAP."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd-ldap.5.xml:1000
+@@ -5997,7 +6446,7 @@ msgstr "ldap_group_modify_timestamp (cadena)"
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd-ldap.5.xml:1028
+ msgid "ldap_group_type (integer)"
+-msgstr ""
++msgstr "ldap_group_type (entero)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:1031
+@@ -6005,6 +6454,8 @@ msgid ""
+ "The LDAP attribute that contains an integer value indicating the type of the "
+ "group and maybe other flags."
+ msgstr ""
++"El atributo LDAP que contiene un valor entero indicando el tipo del grupo y "
++"puede ser otras banderas."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:1036
+@@ -6013,16 +6464,20 @@ msgid ""
+ "group is a domain local groups and has to be filtered out for trusted "
+ "domains."
+ msgstr ""
++"Este atributo es actualmente usado por el proveedor AD para determinar si un "
++"grupo está en grupos de dominio local y ha de ser sacado de los dominios de "
++"confianza."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:1042
+ msgid "Default: groupType in the AD provider, otherwise not set"
+ msgstr ""
++"Predeterminado: groupType en el proveedor AD, de otro modo no establecido"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd-ldap.5.xml:1049
+ msgid "ldap_group_external_member (string)"
+-msgstr ""
++msgstr "ldap_group_external_member (cadena)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:1052
+@@ -6030,11 +6485,16 @@ msgid ""
+ "The LDAP attribute that references group members that are defined in an "
+ "external domain. At the moment, only IPA's external members are supported."
+ msgstr ""
++"El atributo LDAP que referencia a los miembros de grupo que están definidos "
++"en un dominio externo. En este momento, solo se soportan los miembros "
++"externos de IPA."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:1058
+ msgid "Default: ipaExternalMember in the IPA provider, otherwise unset."
+ msgstr ""
++"Predeterminado: ipaExternalMember en el proveedor IPA, de otro modo no "
++"estabecido."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd-ldap.5.xml:1065
+@@ -6062,6 +6522,12 @@ msgid ""
+ "the deeper nesting levels.  Also, subsequent lookups for other groups may "
+ "enlarge the result set for original lookup if re-queried."
+ msgstr ""
++"Aviso: Esta opción especifica el nivel garantizado d grupos anidados a ser "
++"procesados para cualquier búsqueda. Sin embargo, los grupos anidados detrás "
++"de este límite <emphasis>pueden ser</emphasis> devueltos si las búsquedas "
++"anteriores ya resueltas en os niveles más profundos de anidamiento.  "
++"También, las búsquedas subsiguientes para otros grupos pueden agrandar el "
++"conjunto de resultados de la búsqueda origina si se requiere."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:1084
+@@ -6072,6 +6538,12 @@ msgid ""
+ "usage of Token-Groups by setting ldap_use_tokengroups to false in order to "
+ "restrict group nesting."
+ msgstr ""
++"Si ldap_group_nesting_level está establecido a 0 no se procesan de ninguna "
++"manera grupos anidados. Sin embargo, cuando está conectado a Active-"
++"Directory Server 2008 y posteriores usando <quote>id_provider=ad</quote> se "
++"recomienda además deshabilitar la utilización de Token-Groups estableciendo "
++"ldap_use_tokengroups a false con el objetivo de restringir el anidamiento de "
++"grupos."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:1093
+@@ -6134,11 +6606,14 @@ msgid ""
+ "This options enables or disables use of Token-Groups attribute when "
+ "performing initgroup for users from Active Directory Server 2008 and later."
+ msgstr ""
++"Esta opción habilita o deshabilita el uso del atributo Token-Groups cuando "
++"lleva a cabo un initgroup para usuarios de Active Directory Server 2008 y "
++"posteriores."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:1166
+ msgid "Default: True for AD and IPA otherwise False."
+-msgstr ""
++msgstr "Predeterminado: True para AD e IPA en otro caso False."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd-ldap.5.xml:1172
+@@ -6227,12 +6702,12 @@ msgstr "ldap_netgroup_modify_timestamp (cadena)"
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd-ldap.5.xml:1254
+ msgid "ldap_host_object_class (string)"
+-msgstr ""
++msgstr "ldap_host_object_class (cadena)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:1257
+ msgid "The object class of a host entry in LDAP."
+-msgstr ""
++msgstr "El objeto clase de una entrada host en LDAP."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:1260 sssd-ldap.5.xml:1369
+@@ -6242,17 +6717,17 @@ msgstr "Por defecto: ipService"
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd-ldap.5.xml:1266
+ msgid "ldap_host_name (string)"
+-msgstr ""
++msgstr "ldap_host_name (cadena)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:1269 sssd-ldap.5.xml:1295
+ msgid "The LDAP attribute that corresponds to the host's name."
+-msgstr ""
++msgstr "El atributo LDAP que corresponde al nombre de host."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd-ldap.5.xml:1279
+ msgid "ldap_host_fqdn (string)"
+-msgstr ""
++msgstr "ldap_host_fqdn (cadena)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:1282
+@@ -6260,36 +6735,38 @@ msgid ""
+ "The LDAP attribute that corresponds to the host's fully-qualified domain "
+ "name."
+ msgstr ""
++"El atributo LDAP que corresponde al nombre de dominio totalmente cualificado "
++"del host."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:1286
+ msgid "Default: fqdn"
+-msgstr ""
++msgstr "Predeterminado: fqdn"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd-ldap.5.xml:1292
+ msgid "ldap_host_serverhostname (string)"
+-msgstr ""
++msgstr "ldap_host_serverhostname (cadena)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:1299
+ msgid "Default: serverHostname"
+-msgstr ""
++msgstr "Predeterminado: serverHostname"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd-ldap.5.xml:1305
+ msgid "ldap_host_member_of (string)"
+-msgstr ""
++msgstr "ldap_host_member_of (cadena)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:1308
+ msgid "The LDAP attribute that lists the host's group memberships."
+-msgstr ""
++msgstr "Atributo LDAP que lista los miembros del grupo del host."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd-ldap.5.xml:1318
+ msgid "ldap_host_search_base (string)"
+-msgstr ""
++msgstr "ldap_host_search_base (cadena)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:1321
+@@ -6314,22 +6791,22 @@ msgstr "Predeterminado: el valor de <emphasis>ldap_search_base</emphasis>"
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd-ldap.5.xml:1337
+ msgid "ldap_host_ssh_public_key (string)"
+-msgstr ""
++msgstr "ldap_host_ssh_public_key (cadena)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:1340
+ msgid "The LDAP attribute that contains the host's SSH public keys."
+-msgstr ""
++msgstr "Atributo LDAP que contiene las claves públicas SSH del host."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd-ldap.5.xml:1350
+ msgid "ldap_host_uuid (string)"
+-msgstr ""
++msgstr "ldap_host_uuid (cadena)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:1353
+ msgid "The LDAP attribute that contains the UUID/GUID of an LDAP host object."
+-msgstr ""
++msgstr "Atributo LDAP que contiene las UUID/GUID de un objeto host LDAP."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd-ldap.5.xml:1363
+@@ -6470,6 +6947,11 @@ msgid ""
+ "communicating with the KDC in case of SASL bind, the timeout of an LDAP bind "
+ "operation, password change extended operation and the StartTLS operation."
+ msgstr ""
++"Especifica un tiempo de espera (en segundos) después del cual las llamadas a "
++"LDAP APIs asíncronos se abortarán si no se recibe respuesta. También "
++"controla el tiempo de espera cuando se comunica con el KDC en caso de enlace "
++"SASL, el tiempo de espera de una operación de enlace LDAP, la operación de "
++"cambio extendido de contraseña y las operación StartTLS."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd-ldap.5.xml:1500
+@@ -6553,12 +7035,12 @@ msgstr ""
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd-ldap.5.xml:1558
+ msgid "ldap_disable_range_retrieval (boolean)"
+-msgstr ""
++msgstr "ldap_disable_range_retrieval (booleano)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:1561
+ msgid "Disable Active Directory range retrieval."
+-msgstr ""
++msgstr "Deshabilitar la recuperación del rango de Active Directory."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:1564
+@@ -6569,6 +7051,12 @@ msgid ""
+ "extension. This option disables parsing of the range extension, therefore "
+ "large groups will appear as having no members."
+ msgstr ""
++"Active Directory limita el número de miembros a recuperar en una única "
++"búsqueda usando la política MaxValRange (que está predeterminada a 1500 "
++"miembros). Si un grupo contiene mas miembros, la replica incluiría una "
++"extensión de rango específica AD. Esta opción deshabilita el análisis de la "
++"extensión del rango, por eso grupos grandes aparecerán como si no tuvieran "
++"miembros."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd-ldap.5.xml:1579
+@@ -6619,6 +7107,12 @@ msgid ""
+ "the server supports it and advertises the dereference control in the rootDSE "
+ "object."
+ msgstr ""
++"Puede desactivar las búsquedas de desreferencia completamente estableciendo "
++"el valor a 0. Tenga en cuenta que hay algunas rutas de código en SSSD, como "
++"el proveedor IPA HBAC, que solo son implementadas usando la llamada de "
++"desreferencia, de modo que solo con la desreferencia explícitamente "
++"deshabilitada aquellas partes usarán todavía la desreferencia si el servidor "
++"lo soporta y auncia el control de la desreferencia en el objeto rootDSE."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:1615
+@@ -6786,6 +7280,9 @@ msgid ""
+ "list.  See <citerefentry><refentrytitle>ldap.conf</refentrytitle> "
+ "<manvolnum>5</manvolnum></citerefentry> for format."
+ msgstr ""
++"Especifica conjuntos de cifrado aceptable.  Por lo general, es una lista "
++"searada por dos puntos.  Vea el formato en <citerefentry><refentrytitle>ldap."
++"conf</refentrytitle> <manvolnum>5</manvolnum></citerefentry>."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd-ldap.5.xml:1752
+@@ -6826,7 +7323,7 @@ msgstr ""
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd-ldap.5.xml:1784
+ msgid "ldap_min_id, ldap_max_id (integer)"
+-msgstr ""
++msgstr "ldap_min_id, ldap_max_id (entero)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:1787
+@@ -6838,11 +7335,18 @@ msgid ""
+ "can be set to restrict the allowed range for the IDs which are read directly "
+ "from the server. Sub-domains can then pick other ranges to map IDs."
+ msgstr ""
++"En contraste con el SID basado en mapeo de ID que se usa si ldap_id_mapping "
++"está establecido a true el rango de ID permitido para ldap_user_uid_number y "
++"ldap_group_gid_number está sin consolidar. En una configuración con "
++"subdominios de confianza, esto podría producir colisiones de ID. Para evitar "
++"las colisiones ldap_min_id y ldap_max_id pueden er establecidos para "
++"restringir el rango permitido para las IDs que son leídas directamente desde "
++"el servidor. Los subdominios pueden elegir otros rangos para asignar IDs."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:1799
+ msgid "Default: not set (both options are set to 0)"
+-msgstr ""
++msgstr "Predeterminado: no establecido (ambas opciones se establecen a 0)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd-ldap.5.xml:1805
+@@ -6851,16 +7355,12 @@ msgstr "ldap_sasl_mech (cadena)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:1808
+-#, fuzzy
+-#| msgid ""
+-#| "Specify the SASL mechanism to use.  Currently only GSSAPI is tested and "
+-#| "supported."
+ msgid ""
+ "Specify the SASL mechanism to use.  Currently only GSSAPI and GSS-SPNEGO are "
+ "tested and supported."
+ msgstr ""
+-"Especifica el mecanismo SASL a emplear.  Actualmente sólo GSSAPI está "
+-"probado y soportado."
++"Especifica el mecanismo SASL a usar.  Actualmente solo están probados y "
++"soportados GSSAPI y GSS-SPNEGO."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:1812
+@@ -6872,6 +7372,12 @@ msgid ""
+ "<citerefentry><refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</"
+ "manvolnum></citerefentry> for details."
+ msgstr ""
++"Si el backend admite subdominios el valor de ldap_sasl_mech es heredado "
++"automáticamente por los subdominios. Si se necesita un valor diferente para "
++"un subdominio puede ser sobrescrito estabeciendo ldap_sasl_mech para este "
++"subdominio explícitamente.  Por favor vea la SECCIÓN DOMINIO DE CONFIANZA es "
++"<citerefentry><refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</"
++"manvolnum></citerefentry> para más detalles."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd-ldap.5.xml:1828
+@@ -6890,6 +7396,13 @@ msgid ""
+ "host/*\n"
+ "                            "
+ msgstr ""
++"hostname@REALM\n"
++"netbiosname$@REALM\n"
++"host/hostname@REALM\n"
++"*$@REALM\n"
++"host/*@REALM\n"
++"host/*\n"
++"                            "
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:1831
+@@ -6902,6 +7415,14 @@ msgid ""
+ "used: <placeholder type=\"programlisting\" id=\"0\"/> If none of them are "
+ "found, the first principal in keytab is returned."
+ msgstr ""
++"Especifica la identificación de autorización SASL a usar.  Cuando son usados "
++"GSSAPI/GSS-SPNEGO, esto representa el principal Kerberos usado para "
++"autenticación al directorio.  Esta opción puede contener el principal "
++"completo (por ejemplo host/myhost@EXAMPLE.COM) o solo el nombre principal "
++"(por ejemplo host/myhost).  Por defecto, el valor no está establecido y se "
++"usan los siguientes principales: <placeholder type=\"programlisting\" id="
++"\"0\"/> Si no se encuentra ninguno de ellos, se devuelve en primer principal "
++"en la pestaña."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:1851
+@@ -6955,10 +7476,8 @@ msgstr "ldap_krb5_keytab (cadena)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:1889
+-#, fuzzy
+-#| msgid "Specify the keytab to use when using SASL/GSSAPI."
+ msgid "Specify the keytab to use when using SASL/GSSAPI/GSS-SPNEGO."
+-msgstr "Especifica la keytab a usar cuando se utilice SASL/GSSAPI."
++msgstr "Especifica la pestaña a usar cuando se utiliza SASL/GSSAPI/GSS-SPNEGO."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:1893
+@@ -6974,19 +7493,14 @@ msgstr "ldap_krb5_init_creds (booleano)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:1902
+-#, fuzzy
+-#| msgid ""
+-#| "Specifies that the id_provider should init Kerberos credentials (TGT).  "
+-#| "This action is performed only if SASL is used and the mechanism selected "
+-#| "is GSSAPI."
+ msgid ""
+ "Specifies that the id_provider should init Kerberos credentials (TGT).  This "
+ "action is performed only if SASL is used and the mechanism selected is "
+ "GSSAPI or GSS-SPNEGO."
+ msgstr ""
+-"Especifica la id de proveedor que iniciaría las credenciales Kerberos (TGT). "
+-"Esta acción se lleva a cabo sólo si SASL se usa y el mecanismo seleccionado "
+-"es GSSAPI."
++"Especifica que id_provider debería iniciar las credenciales Kerberos (TGT).  "
++"Esta acción solo se lleva a cabo si se usa SASL y el mecanismo seleccionado "
++"es GSSAPI o GSS-SPNEGO."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd-ldap.5.xml:1914
+@@ -6995,11 +7509,11 @@ msgstr "ldap_krb5_ticket_lifetime (entero)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:1917
+-#, fuzzy
+-#| msgid "Specifies the lifetime in seconds of the TGT if GSSAPI is used."
+ msgid ""
+ "Specifies the lifetime in seconds of the TGT if GSSAPI or GSS-SPNEGO is used."
+-msgstr "Especifica el tiempo de vida en segundos del TGT si se usa GSSAPI."
++msgstr ""
++"Especifica el tiempo de vida en segundos del TGT si se usa GSSAPI o GSS-"
++"SPNEGO."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:1921 sssd-ad.5.xml:978
+@@ -7060,10 +7574,9 @@ msgstr "krb5_realm (cadena)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:1959
+-#, fuzzy
+-#| msgid "Specify the Kerberos REALM (for SASL/GSSAPI auth)."
+ msgid "Specify the Kerberos REALM (for SASL/GSSAPI/GSS-SPNEGO auth)."
+-msgstr "Especifica el REALM Kerberos (para autorización SASL/GSSAPI)."
++msgstr ""
++"Especifica el REALM Kerberos (para autorización SASL/GSSAPI/GSS-SPNEGO)."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:1963
+@@ -7089,7 +7602,7 @@ msgstr ""
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd-ldap.5.xml:1984 sssd-krb5.5.xml:477
+ msgid "krb5_use_kdcinfo (boolean)"
+-msgstr ""
++msgstr "krb5_use_kdcinfo (booleano)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:1987 sssd-krb5.5.xml:480
+@@ -7100,6 +7613,11 @@ msgid ""
+ "<refentrytitle>krb5.conf</refentrytitle> <manvolnum>5</manvolnum> </"
+ "citerefentry> configuration file."
+ msgstr ""
++"Especifica si el SSSD debe instruir a las librerías Kerberos que ámbito y "
++"que KDCs usar. Esta opción está por defecto, si la deshabilita, necesita "
++"configurar las librerías Kerberos usando el fichero de configuración "
++"<citerefentry> <refentrytitle>krb5.conf</refentrytitle> <manvolnum>5</"
++"manvolnum> </citerefentry>."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:1998 sssd-krb5.5.xml:491
+@@ -7108,6 +7626,10 @@ msgid ""
+ "refentrytitle> <manvolnum>8</manvolnum> </citerefentry> manual page for more "
+ "information on the locator plugin."
+ msgstr ""
++"Vea la página de manual <citerefentry> "
++"<refentrytitle>sssd_krb5_locator_plugin</refentrytitle> <manvolnum>8</"
++"manvolnum> </citerefentry> para más información sobre el complemento "
++"localizador."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd-ldap.5.xml:2012
+@@ -7161,6 +7683,9 @@ msgid ""
+ "<emphasis>Note</emphasis>: if a password policy is configured on server "
+ "side, it always takes precedence over policy set with this option."
+ msgstr ""
++"<emphasis>Aviso</emphasis>: si está configurada una política de contraseña "
++"en el lado del servidor siempre tiene prioridad sobre la política "
++"establecida por esta opción."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd-ldap.5.xml:2048
+@@ -7267,6 +7792,18 @@ msgid ""
+ "<citerefentry> <refentrytitle>sssd-simple</refentrytitle><manvolnum>5</"
+ "manvolnum> </citerefentry>."
+ msgstr ""
++"Si está usando access_provider = ldap y ldap_access_order = filter "
++"(predeterminado), esta opción es obligatoria. Especifica un criterio de "
++"filtro de búsqueda LDAP que debe cumplirse para que el usuario obtenga "
++"acceso a este host. Si access_provider = ldap, ldap_access_order = filter y "
++"esta opción no estñan establecidos resultará que todos los usuarios tendrán "
++"el acceso denegado.  Use access_provider = permit para cambiar este "
++"comportamiento predeterminado. Por favor advierta que este filtro se aplica "
++"sobre la entrada LDAP del usuario y, por lo tanto, el filtrado basado en "
++"grupos anidados puede no funcionar (e.g. el atributo memberOf sobre entradas "
++"AD apunta solo a los parientes directos). Si se requiere el filtrado basado "
++"en grupos anidados, vea por favor <citerefentry> <refentrytitle>sssd-simple</"
++"refentrytitle><manvolnum>5</manvolnum> </citerefentry>."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:2139
+@@ -7281,6 +7818,9 @@ msgid ""
+ "ldap_access_filter = (employeeType=admin)\n"
+ "                        "
+ msgstr ""
++"access_provider = ldap\n"
++"ldap_access_filter = (employeeType=admin)\n"
++"                        "
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:2146
+@@ -7288,6 +7828,8 @@ msgid ""
+ "This example means that access to this host is restricted to users whose "
+ "employeeType attribute is set to \"admin\"."
+ msgstr ""
++"Este ejemplo significa que el acceso a este host está restringido a los "
++"usuarios cuyo atributo employeeType esté establecido a \"admin\"."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:2151
+@@ -7297,6 +7839,10 @@ msgid ""
+ "access during their last login, they will continue to be granted access "
+ "while offline and vice versa."
+ msgstr ""
++"El almacenamiento en caché sin conexión para esta función está limitado a "
++"determinar si el último inicio de sesión del usuario recibió permiso de "
++"acceso. Si obtuvieron permiso de acceso durante su último inicio de sesión, "
++"se les seguirán otorgando acceso sin conexión y viceversa."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:2159 sssd-ldap.5.xml:2216
+@@ -7386,6 +7932,9 @@ msgid ""
+ "emphasis> include <quote>expire</quote> in order for the "
+ "ldap_account_expire_policy option to work."
+ msgstr ""
++"Por favor advierta que la opción de configuración ldap_access_order "
++"<emphasis>debe</emphasis> incluir <quote>expire</quote> con el objetivo de "
++"la opción ldap_account_expire_policy funcione."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd-ldap.5.xml:2222
+@@ -7413,6 +7962,12 @@ msgid ""
+ "Please note that 'access_provider = ldap' must be set for this feature to "
+ "work."
+ msgstr ""
++"<emphasis>lockout</emphasis>: usar bloqueo de cuenta.  Si se establece, esta "
++"opción deniega el acceso en el caso de que el atributo ldap "
++"'pwdAccountLockedTime' esté presente y tenga un valor de '000001010000Z'. "
++"Por favor vea la opción ldap_pwdlockout_dn. Por favor advieta que "
++"'access_provider = ldap' debe ser establecido para que está característica "
++"funciones."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:2242
+@@ -7420,6 +7975,9 @@ msgid ""
+ "<emphasis> Please note that this option is superseded by the <quote>ppolicy</"
+ "quote> option and might be removed in a future release.  </emphasis>"
+ msgstr ""
++"<emphasis> Por favor tenga en cuenta que esta opción es reemplazada por la "
++"opción <quote>ppolicy</quote> y puede ser quitada en un futuro lanzamiento.  "
++"</emphasis>"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:2249
+@@ -7433,6 +7991,15 @@ msgid ""
+ "the option ldap_pwdlockout_dn.  Please note that 'access_provider = ldap' "
+ "must be set for this feature to work."
+ msgstr ""
++"<emphasis>ppolicy</emphasis>: usar bloqueo de cuenta.  Si se establece, esta "
++"opción deniega el acceso en el caso de que el atributo ldap "
++"'pwdAccountLockedTime' esté presente y tenga un valor de '000001010000Z' o "
++"represente cualquier momento en el pasado.  El valor del atributo "
++"'pwdAccountLockedTime' debe terminar con 'Z', que denota la zona horaria "
++"UTC. Otras zonas horarias no se soportan actualmente y llevarán a \"access-"
++"denied\" cuando los usuarios intenten acceder.  Por favor vea la opción "
++"ldap_pwdlockout_dn.  Por favor advierta que 'access_provider = ldap' debe "
++"estar establecido para que esta característica funcione."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:2266
+@@ -7448,6 +8015,11 @@ msgid ""
+ "authentication is based on using a different method than passwords - for "
+ "example SSH keys."
+ msgstr ""
++"<emphasis>pwd_expire_policy_reject, pwd_expire_policy_warn, "
++"pwd_expire_policy_renew: </emphasis> Estas opciones son útiles si los "
++"usuarios están interesados en que se les avise de que la contraseña está "
++"próxima a expirar y la autenticación está basada en la utilización de un "
++"método distinto a las contraseñas - por ejemplo claves SSH."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:2280
+@@ -7458,12 +8030,19 @@ msgid ""
+ "pwd_expire_policy_renew - user is prompted to change his password "
+ "immediately."
+ msgstr ""
++"La diferencia entre estas opciones es la acción que se toma si la contraseña "
++"de usuario ha expirado: pwd_expire_policy_reject - se deniega el acceso al "
++"usuario, pwd_expire_policy_warn - el usuario es todavía capaz de acceder, "
++"pwd_expire_policy_renew - al usuario se le pide que cambie la contraseña "
++"inmediatamente."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:2288
+ msgid ""
+ "Note If user password is expired no explicit message is prompted by SSSD."
+ msgstr ""
++"Nota: si la contraseña de usuario expiró, SSSD no solicita ningún mensaje "
++"explícito."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:2292
+@@ -7471,6 +8050,9 @@ msgid ""
+ "Please note that 'access_provider = ldap' must be set for this feature to "
+ "work. Also 'ldap_pwd_policy' must be set to an appropriate password policy."
+ msgstr ""
++"Por favor advierta que 'access_provider = ldap' debe estar establecido para "
++"que esta función trabaje. También 'ldap_pwd_policy' debe estar establecido "
++"para una política de contraseña apropiada."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:2297
+@@ -7493,6 +8075,8 @@ msgid ""
+ "<emphasis>rhost</emphasis>: use the rhost attribute to determine whether "
+ "remote host can access"
+ msgstr ""
++"<emphasis>rhost</emphasis>: usar el atributo rhost para determinar si el "
++"host remoto puede acceder"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:2310
+@@ -7500,6 +8084,9 @@ msgid ""
+ "Please note, rhost field in pam is set by application, it is better to check "
+ "what the application sends to pam, before enabling this access control option"
+ msgstr ""
++"Por favor advierta el campo rhost en pam es establecido por la aplicación, "
++"es mejor comprobar que la aplicación lo envía a pam, antes de habilitar esta "
++"opción de control de acceso"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:2315
+@@ -7518,7 +8105,7 @@ msgstr ""
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd-ldap.5.xml:2325
+ msgid "ldap_pwdlockout_dn (string)"
+-msgstr ""
++msgstr "ldap_pwdlockout_dn (cadena)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:2328
+@@ -7528,16 +8115,21 @@ msgid ""
+ "lockout checking will yield access denied as ppolicy attributes on LDAP "
+ "server cannot be checked properly."
+ msgstr ""
++"Esta opción especifica la DN de la contraseña de entrada a la política sobre "
++"un servidor LDAP. Tenga en cuenta que la ausencia de esta opción en sssd."
++"conf en caso de verificación de bloqueo de cuenta habilitada dará como "
++"resultado el acceso denegado ya que los atributos ppolicy en el servidor "
++"LDAP no pueden verificarse correctamente."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:2336
+ msgid "Example: cn=ppolicy,ou=policies,dc=example,dc=com"
+-msgstr ""
++msgstr "Ejemplo: cn=ppolicy,ou=policies,dc=example,dc=com"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:2339
+ msgid "Default: cn=ppolicy,ou=policies,$ldap_search_base"
+-msgstr ""
++msgstr "Predeterminado: cn=ppolicy,ou=policies,$ldap_search_base"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd-ldap.5.xml:2345
+@@ -7642,7 +8234,7 @@ msgstr ""
+ #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+ #: sssd-ldap.5.xml:2410 sssd-ifp.5.xml:136
+ msgid "wildcard_limit (integer)"
+-msgstr ""
++msgstr "wildcard_limit (entero)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:2413
+@@ -7650,16 +8242,19 @@ msgid ""
+ "Specifies an upper limit on the number of entries that are downloaded during "
+ "a wildcard lookup."
+ msgstr ""
++"Especifica un límite superior sobre el número de entradas que son "
++"descargadas durante una búsqueda de comodín."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:2417
+ msgid "At the moment, only the InfoPipe responder supports wildcard lookups."
+ msgstr ""
++"En este momento solo el respondedor InfoPipe soporta búsqueda de comodín"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:2421
+ msgid "Default: 1000 (often the size of one page)"
+-msgstr ""
++msgstr "Predeterminado: 1000 (frecuentemente el tamaño de una página)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+ #: sssd-ldap.5.xml:51
+@@ -7688,6 +8283,9 @@ msgid ""
+ "manual page <citerefentry> <refentrytitle>sssd-sudo</refentrytitle> "
+ "<manvolnum>5</manvolnum> </citerefentry>."
+ msgstr ""
++"Las instrucciones detalladas para la configuración de sudo_provider están en "
++"la página de manual <citerefentry> <refentrytitle>sssd-sudo</refentrytitle> "
++"<manvolnum>5</manvolnum> </citerefentry>."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd-ldap.5.xml:2444
+@@ -7914,9 +8512,6 @@ msgid ""
+ "rules (which downloads all rules that have USN higher than the highest USN "
+ "of cached rules)."
+ msgstr ""
+-"Cuantos segundos tiene que esperar SSSD antes de ejecutar una actualización "
+-"inteligente de las reglas sudo (que descarga todas las reglas que tienen "
+-"USBN más alto que el USN más alto de las reglas escondidas)."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:2616
+@@ -8054,21 +8649,23 @@ msgid ""
+ "Some of the defaults for the parameters below are dependent on the LDAP "
+ "schema."
+ msgstr ""
++"Algunos de los valores por defecto para los parámetros de abajo dependen del "
++"esquema LDAP."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd-ldap.5.xml:2742
+ msgid "ldap_autofs_map_master_name (string)"
+-msgstr ""
++msgstr "ldap_autofs_map_master_name (cadena)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:2745
+ msgid "The name of the automount master map in LDAP."
+-msgstr ""
++msgstr "El nombre del mapa maestro de montaje automático en LDAP."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:2748
+ msgid "Default: auto.master"
+-msgstr ""
++msgstr "Pfredeterminado: auto.master"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd-ldap.5.xml:2755
+@@ -8084,6 +8681,8 @@ msgstr "El objeto clase de una entrada de mapa de automontaje en LDAP."
+ #: sssd-ldap.5.xml:2761
+ msgid "Default: nisMap (rfc2307, autofs_provider=ad), otherwise automountMap"
+ msgstr ""
++"Predeterminado: nisMap (rfc2307, autofs_provider=ad), de otra manera "
++"automountMap"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd-ldap.5.xml:2769
+@@ -8100,6 +8699,8 @@ msgstr "El nombre de una entrada de mapa de automontaje en LDAP."
+ msgid ""
+ "Default: nisMapName (rfc2307, autofs_provider=ad), otherwise automountMapName"
+ msgstr ""
++"Predeterminado: nisMapName (rfc2307, autofs_provider=ad), de otra manera "
++"automountMapName"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd-ldap.5.xml:2783
+@@ -8112,11 +8713,15 @@ msgid ""
+ "The object class of an automount entry in LDAP. The entry usually "
+ "corresponds to a mount point."
+ msgstr ""
++"El objeto clase de una entrada de montaje automático en LDAP. La entrada "
++"normalmente corresponde a un punto de montaje."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:2791
+ msgid "Default: nisObject (rfc2307, autofs_provider=ad), otherwise automount"
+ msgstr ""
++"Predeterminado: nisObject (rfc2307, autofs_provider=ad), de otra manera "
++"automount"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd-ldap.5.xml:2799
+@@ -8136,6 +8741,7 @@ msgstr ""
+ #: sssd-ldap.5.xml:2806
+ msgid "Default: cn (rfc2307, autofs_provider=ad), otherwise automountKey"
+ msgstr ""
++"Predeterminado: cn (rfc2307, autofs_provider=ad), de otra manera automountKey"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd-ldap.5.xml:2814
+@@ -8148,6 +8754,8 @@ msgid ""
+ "Default: nisMapEntry (rfc2307, autofs_provider=ad), otherwise "
+ "automountInformation"
+ msgstr ""
++"Predeterminado: nisMapEntry (rfc2307, autofs_provider=ad), de otra manera "
++"automountInformation"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+ #: sssd-ldap.5.xml:2740
+@@ -8157,6 +8765,10 @@ msgid ""
+ "<placeholder type=\"variablelist\" id=\"3\"/> <placeholder type="
+ "\"variablelist\" id=\"4\"/> <placeholder type=\"variablelist\" id=\"5\"/>"
+ msgstr ""
++"<placeholder type=\"variablelist\" id=\"0\"/> <placeholder type="
++"\"variablelist\" id=\"1\"/> <placeholder type=\"variablelist\" id=\"2\"/> "
++"<placeholder type=\"variablelist\" id=\"3\"/> <placeholder type="
++"\"variablelist\" id=\"4\"/> <placeholder type=\"variablelist\" id=\"5\"/>"
+ 
+ #. type: Content of: <reference><refentry><refsect1><title>
+ #: sssd-ldap.5.xml:2832
+@@ -8181,7 +8793,7 @@ msgstr "ldap_group_search_base (cadena)"
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><note>
+ #: sssd-ldap.5.xml:2854
+ msgid "<note>"
+-msgstr ""
++msgstr "<note>"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><note><para>
+ #: sssd-ldap.5.xml:2856
+@@ -8191,11 +8803,15 @@ msgid ""
+ "memberships, even with no GID mapping. It is recommended to disable this "
+ "feature, if group names are not being displayed correctly."
+ msgstr ""
++"Si la opción <quote>ldap_use_tokengroups</quote> está habilitada, las "
++"búsquedas contra Active Directory no serán restringidas y devolverán todos "
++"los grupos miembros, incluso sin mapeo GID. Se recomienda deshabilitar esta "
++"función, si los nombres de grupo no están siendo visualizados correctamente."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist>
+ #: sssd-ldap.5.xml:2863
+ msgid "</note>"
+-msgstr ""
++msgstr "</note>"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd-ldap.5.xml:2865
+@@ -8215,6 +8831,10 @@ msgid ""
+ "are doing.  <placeholder type=\"variablelist\" id=\"0\"/> <placeholder type="
+ "\"variablelist\" id=\"1\"/>"
+ msgstr ""
++"Estas opciones están soportadas por dominios LDAP, pero deberían ser usadas "
++"con precaución. Por favor incluyalas en su configuración si usted sabe lo "
++"que está haciendo.  <placeholder type=\"variablelist\" id=\"0\"/> "
++"<placeholder type=\"variablelist\" id=\"1\"/>"
+ 
+ #. type: Content of: <reference><refentry><refsect1><title>
+ #: sssd-ldap.5.xml:2885 sssd-simple.5.xml:131 sssd-ipa.5.xml:828
+@@ -8246,6 +8866,13 @@ msgid ""
+ "ldap_tls_reqcert = demand\n"
+ "cache_credentials = true\n"
+ msgstr ""
++"[domain/LDAP]\n"
++"id_provider = ldap\n"
++"auth_provider = ldap\n"
++"ldap_uri = ldap://ldap.mydomain.org\n"
++"ldap_search_base = dc=mydomain,dc=org\n"
++"ldap_tls_reqcert = demand\n"
++"cache_credentials = true\n"
+ 
+ #. type: Content of: <refsect1><refsect2><para>
+ #: sssd-ldap.5.xml:2892 sssd-ldap.5.xml:2910 sssd-simple.5.xml:139
+@@ -8258,7 +8885,7 @@ msgstr "<placeholder type=\"programlisting\" id=\"0\"/>"
+ #. type: Content of: <reference><refentry><refsect1><title>
+ #: sssd-ldap.5.xml:2904
+ msgid "LDAP ACCESS FILTER EXAMPLE"
+-msgstr ""
++msgstr "EJEMPLO DE FILTRO DE ACCESO LDAP"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+ #: sssd-ldap.5.xml:2906
+@@ -8266,6 +8893,8 @@ msgid ""
+ "The following example assumes that SSSD is correctly configured and to use "
+ "the ldap_access_order=lockout."
+ msgstr ""
++"El siguiente ejemplo asume que SSSD está correctamente configurado y usa "
++"ldap_access_order=lockout."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><programlisting>
+ #: sssd-ldap.5.xml:2911
+@@ -8282,6 +8911,16 @@ msgid ""
+ "ldap_tls_reqcert = demand\n"
+ "cache_credentials = true\n"
+ msgstr ""
++"[domain/LDAP]\n"
++"id_provider = ldap\n"
++"auth_provider = ldap\n"
++"access_provider = ldap\n"
++"ldap_access_order = lockout\n"
++"ldap_pwdlockout_dn = cn=ppolicy,ou=policies,dc=mydomain,dc=org\n"
++"ldap_uri = ldap://ldap.mydomain.org\n"
++"ldap_search_base = dc=mydomain,dc=org\n"
++"ldap_tls_reqcert = demand\n"
++"cache_credentials = true\n"
+ 
+ #. type: Content of: <reference><refentry><refsect1><title>
+ #: sssd-ldap.5.xml:2926 sssd_krb5_locator_plugin.8.xml:83 sssd-simple.5.xml:148
+@@ -8420,7 +9059,7 @@ msgstr ""
+ #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+ #: pam_sss.8.xml:121
+ msgid "<option>ignore_unknown_user</option>"
+-msgstr ""
++msgstr "<option>ignore_unknown_user</option>"
+ 
+ #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+ #: pam_sss.8.xml:124
+@@ -8428,11 +9067,13 @@ msgid ""
+ "If this option is specified and the user does not exist, the PAM module will "
+ "return PAM_IGNORE. This causes the PAM framework to ignore this module."
+ msgstr ""
++"Si se especifica esta opción y el usuario no existe, el módulo PAM devolverá "
++"PAM_IGNORE. Esto origina que el marco de referencia PAM ignore este módulo."
+ 
+ #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+ #: pam_sss.8.xml:131
+ msgid "<option>ignore_authinfo_unavail</option>"
+-msgstr ""
++msgstr "<option>ignore_authinfo_unavail</option>"
+ 
+ #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+ #: pam_sss.8.xml:135
+@@ -8440,11 +9081,14 @@ msgid ""
+ "Specifies that the PAM module should return PAM_IGNORE if it cannot contact "
+ "the SSSD daemon. This causes the PAM framework to ignore this module."
+ msgstr ""
++"Especifica que el módulo PAM debería devolver PAM_IGNORE si no puede "
++"contactar con el demonio SSSD. Esto causa que el marco de referencia PAM "
++"ignore este módulo."
+ 
+ #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+ #: pam_sss.8.xml:142
+ msgid "<option>domains</option>"
+-msgstr ""
++msgstr "<option>domains</option>"
+ 
+ #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+ #: pam_sss.8.xml:146
+@@ -8453,6 +9097,9 @@ msgid ""
+ "allowed to authenticate against. The format is a comma-separated list of "
+ "SSSD domain names, as specified in the sssd.conf file."
+ msgstr ""
++"Permite al administrador restringir los dominios contra los que un servicio "
++"PAM particular puede autenticarse. El formato es una lista separada por "
++"comas de nombres de dominio SSSD, como se especifica en el fichero sssd.conf."
+ 
+ #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+ #: pam_sss.8.xml:152
+@@ -8463,11 +9110,16 @@ msgid ""
+ "manvolnum> </citerefentry> manual page for more information on these two PAM "
+ "responder options."
+ msgstr ""
++"AVISO: Se debe usar junto con las opciones <quote>pam_trusted_users</quote> "
++"y <quote>pam_public_domains</quote>. Por favor vea la página de manual "
++"<citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</"
++"manvolnum> </citerefentry> para mas información sobre estas dos opciones del "
++"respondedor PAM."
+ 
+ #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+ #: pam_sss.8.xml:166
+ msgid "<option>allow_missing_name</option>"
+-msgstr ""
++msgstr "<option>allow_missing_name</option>"
+ 
+ #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+ #: pam_sss.8.xml:170
+@@ -8475,6 +9127,9 @@ msgid ""
+ "The main purpose of this option is to let SSSD determine the user name based "
+ "on additional information, e.g. the certificate from a Smartcard."
+ msgstr ""
++"El propósito principal de esta opción es dejar que SSSD determine el nombre "
++"de usuario en base a información adicional, e.g. el certificado de una "
++"Smartcard."
+ 
+ #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting>
+ #: pam_sss.8.xml:180
+@@ -8483,6 +9138,8 @@ msgid ""
+ "auth sufficient pam_sss.so allow_missing_name\n"
+ "                        "
+ msgstr ""
++"auth sufficient pam_sss.so allow_missing_name\n"
++"                        "
+ 
+ #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+ #: pam_sss.8.xml:175
+@@ -8494,11 +9151,18 @@ msgid ""
+ "the content of the Smartcard, returns it to pam_sss which will finally put "
+ "it on the PAM stack."
+ msgstr ""
++"El caso de uso actual son los administradores de inicio de sesión que pueden "
++"monitorear un lector de tarjetas inteligentes para eventos de tarjetas. En "
++"el caso de que una Smartcard se inserte el administrador de inicio de sesión "
++"llamara a la pila PAM que incluye una línea como <placeholder type="
++"\"programlisting\" id=\"0\"/> En este caso SSSD intentará determinar el "
++"nobre de usuairo en base al contenido de la tarjeta inteligente, se lo "
++"devolverá a pam_sss quien finalmente lo pondrá en la pila PAM."
+ 
+ #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+ #: pam_sss.8.xml:190
+ msgid "<option>prompt_always</option>"
+-msgstr ""
++msgstr "<option>prompt_always</option>"
+ 
+ #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+ #: pam_sss.8.xml:194
+@@ -8509,6 +9173,11 @@ msgid ""
+ "SSSD pam_sss might prompt for a password, a Smartcard PIN or other "
+ "credentials."
+ msgstr ""
++"Solicita siempre al usuario las credenciales. Con esta opción las "
++"credenciales pedidas por otros módulos PAM, normalmente una contraseña, "
++"serán ignoradas y pam_sss solicitará las credenciales otra vez. En base a la "
++"respuesta pre autorización de SSSD pam_sss debe solicitar una contraseña, un "
++"Smartcard PIN u otras credenciales."
+ 
+ #. type: Content of: <reference><refentry><refsect1><title>
+ #: pam_sss.8.xml:207
+@@ -8580,7 +9249,7 @@ msgstr "sssd_krb5_locator_plugin"
+ #. type: Content of: <reference><refentry><refnamediv><refpurpose>
+ #: sssd_krb5_locator_plugin.8.xml:16
+ msgid "Kerberos locator plugin"
+-msgstr ""
++msgstr "Complemento localizador Kerberos"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+ #: sssd_krb5_locator_plugin.8.xml:22
+@@ -8594,6 +9263,15 @@ msgid ""
+ "unexpected authentication failures and maybe even account lockings it would "
+ "be good to talk to a single KDC as long as possible."
+ msgstr ""
++"El complemento localizador Kerberos <command>sssd_krb5_locator_plugin</"
++"command> es usado por libkrb5 para encontrar KDCs en un reino Kerberos dado. "
++"SSSD proporciona dicho complemento para guiar a todos los clientes Kerberos "
++"es un sistema a un único KDC. En general, no debería importar con qué KDC "
++"está hablando un proceso de cliente.  Pero hay casos, e.g. después de un "
++"cambio de contraseña, donde no todos los KDCs etán en el mismo estado porque "
++"los nuevos datos tienen que ser replicados primero. Para evitar fallos de "
++"autenticación inesperados y quizás bloqueos de cuentas sería bueno hablar "
++"con un único KDC todo lo que sea posible."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+ #: sssd_krb5_locator_plugin.8.xml:34
+@@ -8609,6 +9287,18 @@ msgid ""
+ "plugin. With this the plugin is still called but will provide no data to the "
+ "caller so that libkrb5 can fall back to other methods defined in krb5.conf."
+ msgstr ""
++"libkrb5 buscará el complemento localizador en el subdirectorio libkrb5 del "
++"directorio de complementos Kerberos, vea más detalles en plugin_base_dir en "
++"<citerefentry> <refentrytitle>krb5.conf</refentrytitle> <manvolnum>5</"
++"manvolnum> </citerefentry>. El complemento solo se puede deshabilitar "
++"borrando el fichero del complemento. No hay opción en a configuración de "
++"Kerberos para deshabilitarlo. Pero la variable de entorno "
++"SSSD_KRB5_LOCATOR_DISABLE puede ser usada para deshabilitar el complemento "
++"en comandos individuales. Alternativamente la opción SSSD "
++"krb5_use_kdcinfo=False puede ser usada para no generar los datos necesarios "
++"para el complemento. Con esto, todavía se llama al complemento, pero no "
++"proporcionará datos a la persona que llama para que libkrb5 pueda recurrir a "
++"otros métodos definidos en krb5.conf."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+ #: sssd_krb5_locator_plugin.8.xml:50
+@@ -8620,36 +9310,43 @@ msgid ""
+ "separated with a colon, the IPv6 address has to be enclosed in squared "
+ "brackets in this case as usual. Valid entries are:"
+ msgstr ""
++"El complemento lee la información sobre los KDCs de un reino dado desde un "
++"fichero llamado <filename>kdcinfo.REALM</filename>. El fichero debería "
++"contener uno o más nombres de DNS o direcciones IP ya sea en anotación "
++"decimal con puntos IPv4 o en anotación hexadecimal IPv6.  Su puede añadir un "
++"número de puerto adicional al final separado con dos puntos, la dirección "
++"IPv6 tiene que estar encerrada entre corchetes en este caso como es usual. "
++"Las entradas válidas son:"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para>
+ #: sssd_krb5_locator_plugin.8.xml:58
+ msgid "kdc.example.com"
+-msgstr ""
++msgstr "kdc.example.com"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para>
+ #: sssd_krb5_locator_plugin.8.xml:59
+ msgid "kdc.example.com:321"
+-msgstr ""
++msgstr "kdc.example.com:321"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para>
+ #: sssd_krb5_locator_plugin.8.xml:60
+ msgid "1.2.3.4"
+-msgstr ""
++msgstr "1.2.3.4"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para>
+ #: sssd_krb5_locator_plugin.8.xml:61
+ msgid "5.6.7.8:99"
+-msgstr ""
++msgstr "5.6.7.8:99"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para>
+ #: sssd_krb5_locator_plugin.8.xml:62
+ msgid "2001:db8:85a3::8a2e:370:7334"
+-msgstr ""
++msgstr "2001:db8:85a3::8a2e:370:7334"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para>
+ #: sssd_krb5_locator_plugin.8.xml:63
+ msgid "[2001:db8:85a3::8a2e:370:7334]:321"
+-msgstr ""
++msgstr "[2001:db8:85a3::8a2e:370:7334]:321"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+ #: sssd_krb5_locator_plugin.8.xml:65
+@@ -8658,6 +9355,9 @@ msgid ""
+ "adds the address of the current KDC or domain controller SSSD is using to "
+ "this file."
+ msgstr ""
++"Krb5 auth-provider de SSSD que es utilizado por IPA y los proveedores AD que "
++"también agrega la dirección del actual KDC o controlador de dominio SSSD se "
++"utiliza para este fichero."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+ #: sssd_krb5_locator_plugin.8.xml:70
+@@ -8671,6 +9371,15 @@ msgid ""
+ "MIT Kerberos specific master KDC. If the address contains a port number the "
+ "default KDC port 88 will be used for the latter."
+ msgstr ""
++"En entornos con KDCs de solo lectura y lectura-escritura donde los clientes "
++"esperan usar las instancias solo lectura para las operaciones generales y "
++"solo KDC de lectura-escritura para cambio de configuración como cambios de "
++"contraseña se utiliza <filename>kpasswdinfo.REALM</filename> también para "
++"identificar KDCs de lectura-escritura. Si existe este fichero para el reino "
++"dado el contenido será usado por el complemento para contestar las "
++"peticiones de un servidor kpasswd o kadmin opara el maestro específico KDC "
++"MIT Kerberos. Si la dirección contiene un número de puerto el puerto "
++"predeterminado KDC 88 será usado para los posteriores."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+ #: sssd_krb5_locator_plugin.8.xml:85
+@@ -8699,6 +9408,9 @@ msgid ""
+ "the plugin is disabled and will just return KRB5_PLUGIN_NO_HANDLE to the "
+ "caller."
+ msgstr ""
++"Si la variable de entorno SSSD_KRB5_LOCATOR_DISABLE está establecida a "
++"cualquier valor el complemento es deshabilitado y y devolverá "
++"KRB5_PLUGIN_NO_HANDLE al llamante."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+ #: sssd_krb5_locator_plugin.8.xml:100
+@@ -8708,6 +9420,11 @@ msgid ""
+ "default plugin returns KRB5_PLUGIN_NO_HANDLE to the caller immediately on "
+ "first DNS resolving failure."
+ msgstr ""
++"Si la variable de entorno SSSD_KRB5_LOCATOR_IGNORE_DNS_FAILURES etá "
++"establecida a cualquier valor el complemento intentará resolver todos los "
++"nombres DNS en el fichero kdcinfo. Por defecto el complemento devuelve "
++"KRB5_PLUGIN_NO_HANDLE al llamante inmediatamente en el primer fallo "
++"resolviendo DNS."
+ 
+ #. type: Content of: <reference><refentry><refnamediv><refname>
+ #: sssd-simple.5.xml:10 sssd-simple.5.xml:16
+@@ -8887,6 +9604,9 @@ msgid ""
+ "access_provider = simple\n"
+ "simple_allow_users = user1, user2\n"
+ msgstr ""
++"[domain/example.com]\n"
++"access_provider = simple\n"
++"simple_allow_users = user1, user2\n"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+ #: sssd-simple.5.xml:150
+@@ -8898,16 +9618,23 @@ msgid ""
+ "<refentrytitle>sssd-ldap</refentrytitle><manvolnum>5</manvolnum> </"
+ "citerefentry>) option."
+ msgstr ""
++"La jerarquía completa de membresía del grupo se resuelve antes de la "
++"comprobación de acceso, así incluso los grupos anidados se pueden incluir en "
++"las listas de acceso.  Por favor tenga cuidado en que la opción "
++"<quote>ldap_group_nesting_level</quote> puede impactar en los resultados y "
++"deberia ser establecidad a un valor suficiente.  Opción (<citerefentry> "
++"<refentrytitle>sssd-ldap</refentrytitle><manvolnum>5</manvolnum> </"
++"citerefentry>)."
+ 
+ #. type: Content of: <reference><refentry><refnamediv><refname>
+ #: sss-certmap.5.xml:10 sss-certmap.5.xml:16
+ msgid "sss-certmap"
+-msgstr ""
++msgstr "sss-certmap"
+ 
+ #. type: Content of: <reference><refentry><refnamediv><refpurpose>
+ #: sss-certmap.5.xml:17
+ msgid "SSSD Certificate Matching and Mapping Rules"
+-msgstr ""
++msgstr "Reglas de Correspondencia y Asignación de Certificados SSSD"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+ #: sss-certmap.5.xml:23
+@@ -8915,6 +9642,9 @@ msgid ""
+ "The manual page describes the rules which can be used by SSSD and other "
+ "components to match X.509 certificates and map them to accounts."
+ msgstr ""
++"La página de manual describe las reglas que pueden ser usadas por SSSD y "
++"otros componentes para corresponder con los certificados X.509 y asignarlos "
++"a cuentas."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+ #: sss-certmap.5.xml:28
+@@ -8929,16 +9659,26 @@ msgid ""
+ "encoded binary. If no domains are given only the local domain will be "
+ "searched."
+ msgstr ""
++"Cada regla tiene cuatro componentes, una <quote>priority</quote>, una "
++"<quote>matching rule</quote>, una <quote>mapping rule</quote> y una "
++"<quote>domain list</quote>. Todos los componentes son opcionales. Si no hay "
++"<quote>priority</quote> se añadirá la regla con el nivel de prioridad más "
++"bajo. La <quote>matching rule</quote> predeterminada hará coincidir los "
++"certificados con la clave de utilización digitalSignature y la clave de "
++"utilización extendida clientAuth. Si <quote>mapping rule</quote> está vacía "
++"los certificados serán buscados en el atributo userCertificate como DER "
++"codificado en binario. Si no se dan dominios solo se buscará en el dominio "
++"local."
+ 
+ #. type: Content of: <reference><refentry><refsect1><title>
+ #: sss-certmap.5.xml:41
+ msgid "RULE COMPONENTS"
+-msgstr ""
++msgstr "COMPONENTES DE LA REGLA"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><title>
+ #: sss-certmap.5.xml:43
+ msgid "PRIORITY"
+-msgstr ""
++msgstr "PRIORIDAD"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para>
+ #: sss-certmap.5.xml:45
+@@ -8948,6 +9688,10 @@ msgid ""
+ "missing value indicates the lowest priority. The rules processing is stopped "
+ "when a matched rule is found and no further rules are checked."
+ msgstr ""
++"Las reglas son procesados por prioridad sabiendo que el número '0' (cero) "
++"indica la prioridad más alta. Más alto en número más baja la prioridad. Un "
++"valor desaparecido indica la prioridad más baja. Las reglas de procesamiento "
++"se para cuando una regla coincidente y no se comprueban más reglas."
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para>
+ #: sss-certmap.5.xml:52
+@@ -8955,11 +9699,13 @@ msgid ""
+ "Internally the priority is treated as unsigned 32bit integer, using a "
+ "priority value larger than 4294967295 will cause an error."
+ msgstr ""
++"Internamente la prioridad se trata como un entero no firmado de 32 bitr, la "
++"utilización de in valor de prioridad superior a 4294967295 causará un error."
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><title>
+ #: sss-certmap.5.xml:57
+ msgid "MATCHING RULE"
+-msgstr ""
++msgstr "REGLA DE COINCIDENCIA"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para>
+ #: sss-certmap.5.xml:59
+@@ -8972,11 +9718,17 @@ msgid ""
+ "Multiple keyword pattern pairs can be either joined with '&amp;&amp;' (and) "
+ "or '&#124;&#124;' (or)."
+ msgstr ""
++"La regla de coincidencia se usa para seleccionar un certificado al que sería "
++"aplicado la regla de asignación. Usa un sistema similar al usado por la "
++"opción <quote>pkinit_cert_match</quote> de MIT Kerberos. Consiste en una "
++"clave encerrada entre '&lt;' y '&gt;' ue identifica una cierta parte del "
++"certificado y un patrón para que la regla coincida. Se pueden unir varios "
++"pares de palabras claves con '&amp;&amp;' (y) o '&#124;&#124;' (o)."
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+ #: sss-certmap.5.xml:71
+ msgid "&lt;SUBJECT&gt;regular-expression"
+-msgstr ""
++msgstr "&lt;SUBJECT&gt;regular-expression"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+ #: sss-certmap.5.xml:74
+@@ -8985,6 +9737,9 @@ msgid ""
+ "matched. For the matching POSIX Extended Regular Expression syntax is used, "
+ "see regex(7)  for details."
+ msgstr ""
++"Con esto una parte o todo el nombre de sujeto del certificado pueden "
++"coincidir. Para la coincidencia se usa la sintaxis Expresión Regular "
++"Extendida POSIX, vea detalles en regex(7)."
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+ #: sss-certmap.5.xml:80
+@@ -8998,16 +9753,25 @@ msgid ""
+ "confusion those attribute names are best not used or covered by a suitable "
+ "regular-expression."
+ msgstr ""
++"Para coincidir el nombre sujeto almacenado en el certificado en codificación "
++"DER ASN.1 se convierte en una cadena de acuerdo a RFC 4514. Esto significa "
++"que el componente de nombre más específico es el primero. Por favor advierta "
++"que  no todos los posibles nombres de atributo están cubiertos por RFC 4514. "
++"Los nombres incluidos son 'CN', 'L', 'ST', 'O', 'OU', 'C', 'STREET', 'DC' y "
++"'UID'. Otros nombres de atributo pueden ser mostrados de forma diferente "
++"sobre plataformas distintas y por herramientas diferentes. Para evitar la "
++"confusión es mejor que no se usen estos nombres de atributos o se cubran por "
++"una expresión regular a medida."
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+ #: sss-certmap.5.xml:93
+ msgid "Example: &lt;SUBJECT&gt;.*,DC=MY,DC=DOMAIN"
+-msgstr ""
++msgstr "Ejemplo: &lt;SUBJECT&gt;.*,DC=MY,DC=DOMAIN"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+ #: sss-certmap.5.xml:98
+ msgid "&lt;ISSUER&gt;regular-expression"
+-msgstr ""
++msgstr "&lt;ISSUER&gt;regular-expression"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+ #: sss-certmap.5.xml:101
+@@ -9015,16 +9779,19 @@ msgid ""
+ "With this a part or the whole issuer name of the certificate can be matched. "
+ "All comments for &lt;SUBJECT&gt; apply her as well."
+ msgstr ""
++"Con esto, se puede hacer coincidir una parte o el nombre completo del emisor "
++"del certificado. Todos los comentarios para &lt;SUBJECT&gt; se le aplican "
++"también."
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+ #: sss-certmap.5.xml:106
+ msgid "Example: &lt;ISSUER&gt;^CN=My-CA,DC=MY,DC=DOMAIN$"
+-msgstr ""
++msgstr "Ejemplo: &lt;ISSUER&gt;^CN=My-CA,DC=MY,DC=DOMAIN$"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+ #: sss-certmap.5.xml:111
+ msgid "&lt;KU&gt;key-usage"
+-msgstr ""
++msgstr "&lt;KU&gt;key-usage"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+ #: sss-certmap.5.xml:114
+@@ -9032,51 +9799,54 @@ msgid ""
+ "This option can be used to specify which key usage values the certificate "
+ "should have. The following values can be used in a comma separated list:"
+ msgstr ""
++"Esta opción se puede usar para especificar que valores de uso clave debe "
++"tener el certificado. Se pueden usar los siguientes valores en una lista "
++"separados por comas:"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+ #: sss-certmap.5.xml:118
+ msgid "digitalSignature"
+-msgstr ""
++msgstr "digitalSignature"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+ #: sss-certmap.5.xml:119
+ msgid "nonRepudiation"
+-msgstr ""
++msgstr "nonRepudiation"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+ #: sss-certmap.5.xml:120
+ msgid "keyEncipherment"
+-msgstr ""
++msgstr "keyEncipherment"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+ #: sss-certmap.5.xml:121
+ msgid "dataEncipherment"
+-msgstr ""
++msgstr "dataEncipherment"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+ #: sss-certmap.5.xml:122
+ msgid "keyAgreement"
+-msgstr ""
++msgstr "keyAgreement"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+ #: sss-certmap.5.xml:123
+ msgid "keyCertSign"
+-msgstr ""
++msgstr "keyCertSign"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+ #: sss-certmap.5.xml:124
+ msgid "cRLSign"
+-msgstr ""
++msgstr "cRLSign"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+ #: sss-certmap.5.xml:125
+ msgid "encipherOnly"
+-msgstr ""
++msgstr "encipherOnly"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+ #: sss-certmap.5.xml:126
+ msgid "decipherOnly"
+-msgstr ""
++msgstr "decipherOnly"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+ #: sss-certmap.5.xml:130
+@@ -9084,16 +9854,18 @@ msgid ""
+ "A numerical value in the range of a 32bit unsigned integer can be used as "
+ "well to cover special use cases."
+ msgstr ""
++"Un valor numérico en el rango de un entero sin signo de 32 bit se puede usar "
++"también para cubrir casos de uso especiales."
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+ #: sss-certmap.5.xml:134
+ msgid "Example: &lt;KU&gt;digitalSignature,keyEncipherment"
+-msgstr ""
++msgstr "Ejemplo: &lt;KU&gt;digitalSignature,keyEncipherment"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+ #: sss-certmap.5.xml:139
+ msgid "&lt;EKU&gt;extended-key-usage"
+-msgstr ""
++msgstr "&lt;EKU&gt;extended-key-usage"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+ #: sss-certmap.5.xml:142
+@@ -9101,51 +9873,54 @@ msgid ""
+ "This option can be used to specify which extended key usage the certificate "
+ "should have. The following value can be used in a comma separated list:"
+ msgstr ""
++"Esta opción se puede usar para especificar que uso de clave extendida puede "
++"tener el certificado. El siguiente valor se puede usar en una lista separada "
++"por comas:"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+ #: sss-certmap.5.xml:146
+ msgid "serverAuth"
+-msgstr ""
++msgstr "serverAuth"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+ #: sss-certmap.5.xml:147
+ msgid "clientAuth"
+-msgstr ""
++msgstr "clientAuth"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+ #: sss-certmap.5.xml:148
+ msgid "codeSigning"
+-msgstr ""
++msgstr "codeSigning"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+ #: sss-certmap.5.xml:149
+ msgid "emailProtection"
+-msgstr ""
++msgstr "emailProtection"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+ #: sss-certmap.5.xml:150
+ msgid "timeStamping"
+-msgstr ""
++msgstr "timeStamping"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+ #: sss-certmap.5.xml:151
+ msgid "OCSPSigning"
+-msgstr ""
++msgstr "OCSPSigning"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+ #: sss-certmap.5.xml:152
+ msgid "KPClientAuth"
+-msgstr ""
++msgstr "KPClientAuth"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+ #: sss-certmap.5.xml:153
+ msgid "pkinit"
+-msgstr ""
++msgstr "pkinit"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+ #: sss-certmap.5.xml:154
+ msgid "msScLogin"
+-msgstr ""
++msgstr "msScLogin"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+ #: sss-certmap.5.xml:158
+@@ -9153,16 +9928,18 @@ msgid ""
+ "Extended key usages which are not listed above can be specified with their "
+ "OID in dotted-decimal notation."
+ msgstr ""
++"La utilización de claves extendidas que no están listadas arriba pueden ser "
++"especificadas con sus OID en anotación decimal con puntos."
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+ #: sss-certmap.5.xml:162
+ msgid "Example: &lt;EKU&gt;clientAuth,1.3.6.1.5.2.3.4"
+-msgstr ""
++msgstr "Ejemplo: &lt;EKU&gt;clientAuth,1.3.6.1.5.2.3.4"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+ #: sss-certmap.5.xml:167
+ msgid "&lt;SAN&gt;regular-expression"
+-msgstr ""
++msgstr "&lt;SAN&gt;regular-expression"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+ #: sss-certmap.5.xml:170
+@@ -9171,11 +9948,14 @@ msgid ""
+ "Kerberos principals in the PKINIT or AD NT Principal SAN as &lt;SAN:"
+ "Principal&gt; does."
+ msgstr ""
++"Para ser compatible con la utilización de MIT Kerberos esta opción "
++"coincidirá con los principios de Kerberos en PKINIT o AD NT Principal SAN "
++"como hace &lt;SAN:Principal&gt;."
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+ #: sss-certmap.5.xml:175
+ msgid "Example: &lt;SAN&gt;.*@MY\\.REALM"
+-msgstr ""
++msgstr "Ejemplo: &lt;SAN&gt;.*@MY\\.REALM"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+ #: sss-certmap.5.xml:180
+@@ -11152,17 +11932,13 @@ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ad.5.xml:435
+-#, fuzzy
+-#| msgid "Default: 5 (seconds)"
+ msgid "Default: False (seconds)"
+-msgstr "Predeterminado: 5 (segundos)"
++msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd-ad.5.xml:441
+-#, fuzzy
+-#| msgid "ldap_referrals (boolean)"
+ msgid "ad_gpo_ignore_unreadable (boolean)"
+-msgstr "ldap_referrals (boolean)"
++msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ad.5.xml:444
+@@ -13388,27 +14164,17 @@ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd-krb5.5.xml:505
+-#, fuzzy
+-#| msgid "krb5_ccachedir (string)"
+ msgid "krb5_kdcinfo_lookahead (string)"
+-msgstr "krb5_ccachedir (cadena)"
++msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-krb5.5.xml:508
+-#, fuzzy
+-#| msgid ""
+-#| "<quote>krb5</quote> to change the Kerberos password. See <citerefentry> "
+-#| "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </"
+-#| "citerefentry> for more information on configuring Kerberos."
+ msgid ""
+ "When krb5_use_kdcinfo is set to true, you can limit the amount of servers "
+ "handed to <citerefentry> <refentrytitle>sssd_krb5_locator_plugin</"
+ "refentrytitle> <manvolnum>8</manvolnum> </citerefentry>.  This might be "
+ "helpful when there are too many servers discovered using SRV record."
+ msgstr ""
+-"<quote>krb5</quote> para cambiar una contraseña Kerberos. Vea <citerefentry> "
+-"<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </"
+-"citerefentry> para más información sobre configurar Kerberos."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-krb5.5.xml:518
+@@ -13420,27 +14186,17 @@ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-krb5.5.xml:524
+-#, fuzzy
+-#| msgid ""
+-#| "<emphasis>shadow</emphasis> - Use <citerefentry><refentrytitle>shadow</"
+-#| "refentrytitle> <manvolnum>5</manvolnum></citerefentry> style attributes "
+-#| "to evaluate if the password has expired."
+ msgid ""
+ "For example <emphasis>10:0</emphasis> means that up to 10 primary servers "
+ "will be handed to <citerefentry> <refentrytitle>sssd_krb5_locator_plugin</"
+ "refentrytitle> <manvolnum>8</manvolnum> </citerefentry>.  but no backup "
+ "servers."
+ msgstr ""
+-"<emphasis>shadow</emphasis> - Usa los atributos de estilo  "
+-"<citerefentry><refentrytitle>shadow</refentrytitle> <manvolnum>5</"
+-"manvolnum></citerefentry> para evaluar si la contraseña ha expirado."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-krb5.5.xml:533
+-#, fuzzy
+-#| msgid "Default: 3"
+ msgid "Default: 3:1"
+-msgstr "Predeterminado: 3"
++msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd-krb5.5.xml:539
+@@ -14994,12 +15750,6 @@ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+ #: sssd-files.5.xml:59
+-#, fuzzy
+-#| msgid ""
+-#| "Refer to the section <quote>DOMAIN SECTIONS</quote> of the <citerefentry> "
+-#| "<refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</manvolnum> </"
+-#| "citerefentry> manual page for details on the configuration of an SSSD "
+-#| "domain.  <placeholder type=\"variablelist\" id=\"0\"/>"
+ msgid ""
+ "In addition to the options listed below, generic SSSD domain options can be "
+ "set where applicable.  Refer to the section <quote>DOMAIN SECTIONS</quote> "
+@@ -15007,10 +15757,6 @@ msgid ""
+ "manvolnum> </citerefentry> manual page for details on the configuration of "
+ "an SSSD domain.  <placeholder type=\"variablelist\" id=\"0\"/>"
+ msgstr ""
+-"Vea la sección  <quote>DOMAIN SECTIONS</quote> de la página de manual "
+-"<citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</"
+-"manvolnum> </citerefentry> para detalles sobre la configuración de un "
+-"dominio SSSD. <placeholder type=\"variablelist\" id=\"0\"/>"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+ #: sssd-files.5.xml:105
+@@ -17766,42 +18512,3 @@ msgstr ""
+ #: include/ipa_modified_defaults.xml:118
+ msgid "ldap_group_external_member = ipaExternalMember"
+ msgstr ""
+-
+-#~ msgid ""
+-#~ "You can turn off dereference lookups completely by setting the value to 0."
+-#~ msgstr ""
+-#~ "Usted puede quitar las búsquedas dereference completamente fijando el "
+-#~ "valor a 0."
+-
+-#~ msgid ""
+-#~ "(OpenSSL version) This option is currently ignored. All needed "
+-#~ "certificates must be available in the PEM file given by pam_cert_db_path."
+-#~ msgstr ""
+-#~ "(Versión OpenSSL) Esta opción se ignora actualmente. Todos los "
+-#~ "certificados necesarios deben estar disponibles en el fichero PEM "
+-#~ "indicado por pam_cert_db_path."
+-
+-#~ msgid "crl_file=/PATH/TO/CRL/FILE"
+-#~ msgstr "crl_file=/PATH/TO/CRL/FILE"
+-
+-#~ msgid ""
+-#~ "(NSS Version) This option is ignored, please see <citerefentry> "
+-#~ "<refentrytitle>crlutil</refentrytitle> <manvolnum>1</manvolnum> </"
+-#~ "citerefentry> how to import a Certificate Revocation List (CRL) into a "
+-#~ "NSS database."
+-#~ msgstr ""
+-#~ "(Versión NSS) Esta opción se ignora, por favor vea en <citerefentry> "
+-#~ "<refentrytitle>crlutil</refentrytitle> <manvolnum>1</manvolnum> </"
+-#~ "citerefentry> como importar una Lista de Revocación de Certificado (CRL) "
+-#~ "en una base de datos NSS."
+-
+-#~ msgid ""
+-#~ "(OpenSSL Version) Use the Certificate Revocation List (CRL) from the "
+-#~ "given file during the verification of the certificate. The CRL must be "
+-#~ "given in PEM format, see <citerefentry> <refentrytitle>crl</"
+-#~ "refentrytitle> <manvolnum>1ssl</manvolnum> </citerefentry> for details."
+-#~ msgstr ""
+-#~ "(Versión OpenSSL) Usa la Lista de Revocación de Certificado (CRL) del "
+-#~ "fichero dado durante la verificación del certificado. La CRL se debe dar "
+-#~ "en formato PEM, vea detalles en <citerefentry> <refentrytitle>crl</"
+-#~ "refentrytitle> <manvolnum>1ssl</manvolnum> </citerefentry>."
+diff --git a/src/man/po/eu.po b/src/man/po/eu.po
+index 76eec8c09..602bfd63a 100644
+--- a/src/man/po/eu.po
++++ b/src/man/po/eu.po
+@@ -5,9 +5,9 @@
+ # Translators:
+ msgid ""
+ msgstr ""
+-"Project-Id-Version: sssd-docs 2.0.99\n"
++"Project-Id-Version: sssd-docs 1.16.4\n"
+ "Report-Msgid-Bugs-To: sssd-devel@redhat.com\n"
+-"POT-Creation-Date: 2019-10-07 11:33+0200\n"
++"POT-Creation-Date: 2019-11-07 14:51+0100\n"
+ "PO-Revision-Date: 2014-12-14 11:55+0000\n"
+ "Last-Translator: Copied by Zanata <copied-by-zanata@zanata.org>\n"
+ "Language-Team: Basque (http://www.transifex.com/projects/p/sssd/language/"
+diff --git a/src/man/po/fi.po b/src/man/po/fi.po
+index 6e225c2d5..9bba66a2f 100644
+--- a/src/man/po/fi.po
++++ b/src/man/po/fi.po
+@@ -1,9 +1,9 @@
+ # Toni Rantala <trantalafilo@gmail.com>, 2017. #zanata
+ msgid ""
+ msgstr ""
+-"Project-Id-Version: sssd-docs 2.0.99\n"
++"Project-Id-Version: sssd-docs 1.16.4\n"
+ "Report-Msgid-Bugs-To: sssd-devel@redhat.com\n"
+-"POT-Creation-Date: 2019-10-07 11:33+0200\n"
++"POT-Creation-Date: 2019-11-07 14:51+0100\n"
+ "PO-Revision-Date: 2017-03-24 08:46+0000\n"
+ "Last-Translator: Toni Rantala <trantalafilo@gmail.com>\n"
+ "Language-Team: Finnish\n"
+@@ -3545,12 +3545,10 @@ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:2999
+-#, fuzzy
+-#| msgid "<placeholder type=\"variablelist\" id=\"0\"/>"
+ msgid ""
+ "This option takes any of three available values: <placeholder type="
+ "\"variablelist\" id=\"0\"/>"
+-msgstr "<placeholder type=\"variablelist\" id=\"0\"/>"
++msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:3062
+@@ -3997,12 +3995,10 @@ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:3403
+-#, fuzzy
+-#| msgid "<placeholder type=\"variablelist\" id=\"0\"/>"
+ msgid ""
+ "to configure password prompting, allowed options are: <placeholder type="
+ "\"variablelist\" id=\"0\"/>"
+-msgstr "<placeholder type=\"variablelist\" id=\"0\"/>"
++msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd.conf.5.xml:3413
+@@ -4044,12 +4040,10 @@ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:3415
+-#, fuzzy
+-#| msgid "<placeholder type=\"variablelist\" id=\"0\"/>"
+ msgid ""
+ "to configure two-factor authentication prompting, allowed options are: "
+ "<placeholder type=\"variablelist\" id=\"0\"/>"
+-msgstr "<placeholder type=\"variablelist\" id=\"0\"/>"
++msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+ #: sssd.conf.5.xml:3396
+@@ -4398,10 +4392,8 @@ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:241
+-#, fuzzy
+-#| msgid "Default: true"
+ msgid "Default: exop"
+-msgstr "Oletus:tosi"
++msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd-ldap.5.xml:247
+@@ -10008,10 +10000,8 @@ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ad.5.xml:435
+-#, fuzzy
+-#| msgid "Default: false"
+ msgid "Default: False (seconds)"
+-msgstr "Oletus:epätosi"
++msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd-ad.5.xml:441
+@@ -12044,10 +12034,8 @@ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-krb5.5.xml:533
+-#, fuzzy
+-#| msgid "Default: true"
+ msgid "Default: 3:1"
+-msgstr "Oletus:tosi"
++msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd-krb5.5.xml:539
+diff --git a/src/man/po/fr.po b/src/man/po/fr.po
+index 8cb540c0e..17159c70a 100644
+--- a/src/man/po/fr.po
++++ b/src/man/po/fr.po
+@@ -14,9 +14,9 @@
+ # Jérôme Fenal <jfenal@gmail.com>, 2016. #zanata
+ msgid ""
+ msgstr ""
+-"Project-Id-Version: sssd-docs 2.0.99\n"
++"Project-Id-Version: sssd-docs 1.16.4\n"
+ "Report-Msgid-Bugs-To: sssd-devel@redhat.com\n"
+-"POT-Creation-Date: 2019-10-07 11:33+0200\n"
++"POT-Creation-Date: 2019-11-07 14:51+0100\n"
+ "PO-Revision-Date: 2016-03-19 03:04+0000\n"
+ "Last-Translator: Jean-Baptiste Holcroft <jean-baptiste@holcroft.fr>\n"
+ "Language-Team: French (http://www.transifex.com/projects/p/sssd/language/"
+@@ -3973,10 +3973,8 @@ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+ #: sssd.conf.5.xml:3018
+-#, fuzzy
+-#| msgid "False"
+ msgid "false"
+-msgstr "False"
++msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:3021
+@@ -4017,16 +4015,10 @@ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:2999
+-#, fuzzy
+-#| msgid ""
+-#| "Options valid for proxy domains.  <placeholder type=\"variablelist\" id="
+-#| "\"0\"/>"
+ msgid ""
+ "This option takes any of three available values: <placeholder type="
+ "\"variablelist\" id=\"0\"/>"
+ msgstr ""
+-"Options valides pour les domaines proxy. <placeholder type=\"variablelist\" "
+-"id=\"0\"/>"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:3062
+@@ -4442,10 +4434,8 @@ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+ #: sssd.conf.5.xml:3367
+-#, fuzzy
+-#| msgid "ldap_sasl_mech (string)"
+ msgid "ldap_sasl_mech,"
+-msgstr "ldap_sasl_mech (chaîne)"
++msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+ #: sssd.conf.5.xml:3368
+@@ -4476,10 +4466,8 @@ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><title>
+ #: sssd.conf.5.xml:3379
+-#, fuzzy
+-#| msgid "CONFIGURATION OPTIONS"
+ msgid "PROMPTING CONFIGURATION SECTION"
+-msgstr "OPTIONS DE CONFIGURATION"
++msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+ #: sssd.conf.5.xml:3381
+@@ -4507,10 +4495,8 @@ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+ #: sssd.conf.5.xml:3404
+-#, fuzzy
+-#| msgid "password"
+ msgid "password_prompt"
+-msgstr "password"
++msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:3405
+@@ -4519,16 +4505,10 @@ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:3403
+-#, fuzzy
+-#| msgid ""
+-#| "Options valid for proxy domains.  <placeholder type=\"variablelist\" id="
+-#| "\"0\"/>"
+ msgid ""
+ "to configure password prompting, allowed options are: <placeholder type="
+ "\"variablelist\" id=\"0\"/>"
+ msgstr ""
+-"Options valides pour les domaines proxy. <placeholder type=\"variablelist\" "
+-"id=\"0\"/>"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd.conf.5.xml:3413
+@@ -4570,16 +4550,10 @@ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:3415
+-#, fuzzy
+-#| msgid ""
+-#| "Options valid for proxy domains.  <placeholder type=\"variablelist\" id="
+-#| "\"0\"/>"
+ msgid ""
+ "to configure two-factor authentication prompting, allowed options are: "
+ "<placeholder type=\"variablelist\" id=\"0\"/>"
+ msgstr ""
+-"Options valides pour les domaines proxy. <placeholder type=\"variablelist\" "
+-"id=\"0\"/>"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+ #: sssd.conf.5.xml:3396
+@@ -4978,10 +4952,8 @@ msgstr "Par défaut : rfc2307"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd-ldap.5.xml:209
+-#, fuzzy
+-#| msgid "ldap_group_modify_timestamp (string)"
+ msgid "ldap_pwmodify_mode (string)"
+-msgstr "ldap_group_modify_timestamp (chaîne)"
++msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:212
+@@ -4990,10 +4962,8 @@ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:216
+-#, fuzzy
+-#| msgid "Four schema types are currently supported:"
+ msgid "Two modes are currently supported:"
+-msgstr "Quatre types de schéma sont actuellement pris en charge :"
++msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+ #: sssd-ldap.5.xml:220
+@@ -5016,10 +4986,8 @@ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:241
+-#, fuzzy
+-#| msgid "Default: gecos"
+ msgid "Default: exop"
+-msgstr "Par défaut : gecos"
++msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd-ldap.5.xml:247
+@@ -6870,16 +6838,10 @@ msgstr "ldap_sasl_mech (chaîne)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:1808
+-#, fuzzy
+-#| msgid ""
+-#| "Specify the SASL mechanism to use.  Currently only GSSAPI is tested and "
+-#| "supported."
+ msgid ""
+ "Specify the SASL mechanism to use.  Currently only GSSAPI and GSS-SPNEGO are "
+ "tested and supported."
+ msgstr ""
+-"Définit le mécanisme SASL à utiliser. Actuellement, seul GSSAPI est testé et "
+-"pris en charge."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:1812
+@@ -6974,10 +6936,8 @@ msgstr "ldap_krb5_keytab (chaîne)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:1889
+-#, fuzzy
+-#| msgid "Specify the keytab to use when using SASL/GSSAPI."
+ msgid "Specify the keytab to use when using SASL/GSSAPI/GSS-SPNEGO."
+-msgstr "Définit le fichier keytab à utiliser pour utiliser SASL/GSSAPI."
++msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:1893
+@@ -6993,19 +6953,11 @@ msgstr "ldap_krb5_init_creds (booléen)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:1902
+-#, fuzzy
+-#| msgid ""
+-#| "Specifies that the id_provider should init Kerberos credentials (TGT).  "
+-#| "This action is performed only if SASL is used and the mechanism selected "
+-#| "is GSSAPI."
+ msgid ""
+ "Specifies that the id_provider should init Kerberos credentials (TGT).  This "
+ "action is performed only if SASL is used and the mechanism selected is "
+ "GSSAPI or GSS-SPNEGO."
+ msgstr ""
+-"Définit le fait que le fournisseur d'identité doit initialiser les données "
+-"d'identification Kerberos (TGT). Cette action est effectuée seulement si "
+-"SASL est utilisé et que le mécanisme choisi est GSSAPI."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd-ldap.5.xml:1914
+@@ -7014,11 +6966,9 @@ msgstr "ldap_krb5_ticket_lifetime (entier)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:1917
+-#, fuzzy
+-#| msgid "Specifies the lifetime in seconds of the TGT if GSSAPI is used."
+ msgid ""
+ "Specifies the lifetime in seconds of the TGT if GSSAPI or GSS-SPNEGO is used."
+-msgstr "Définit la durée de vie, en secondes, des TGT si GSSAPI est utilisé."
++msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:1921 sssd-ad.5.xml:978
+@@ -7080,10 +7030,8 @@ msgstr "krb5_realm (chaîne)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:1959
+-#, fuzzy
+-#| msgid "Specify the Kerberos REALM (for SASL/GSSAPI auth)."
+ msgid "Specify the Kerberos REALM (for SASL/GSSAPI/GSS-SPNEGO auth)."
+-msgstr "Définit le DOMAINE de Kerberos (pour l'authentification SASL/GSSAPI)."
++msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:1963
+@@ -7955,10 +7903,6 @@ msgid ""
+ "rules (which downloads all rules that have USN higher than the highest USN "
+ "of cached rules)."
+ msgstr ""
+-"La durée en secondes pendant laquelle SSSD doit attendre avant d'exécuter "
+-"une actualisation intelligente des règles sudo (qui télécharge toutes les "
+-"règles qui ont un USN supérieur à l'USN le plus élevé des règles mises en "
+-"cache)."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:2616
+@@ -11274,17 +11218,13 @@ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ad.5.xml:435
+-#, fuzzy
+-#| msgid "Default: 5 (seconds)"
+ msgid "Default: False (seconds)"
+-msgstr "Par défaut : 5 (secondes)"
++msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd-ad.5.xml:441
+-#, fuzzy
+-#| msgid "ad_enable_gc (boolean)"
+ msgid "ad_gpo_ignore_unreadable (boolean)"
+-msgstr "ad_enable_gc (booléen)"
++msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ad.5.xml:444
+@@ -13570,28 +13510,17 @@ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd-krb5.5.xml:505
+-#, fuzzy
+-#| msgid "krb5_confd_path (string)"
+ msgid "krb5_kdcinfo_lookahead (string)"
+-msgstr "krb5_confd_path (chaîne)"
++msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-krb5.5.xml:508
+-#, fuzzy
+-#| msgid ""
+-#| "See the <citerefentry> <refentrytitle>sssd_krb5_locator_plugin</"
+-#| "refentrytitle> <manvolnum>8</manvolnum> </citerefentry> manual page for "
+-#| "more information on the locator plugin."
+ msgid ""
+ "When krb5_use_kdcinfo is set to true, you can limit the amount of servers "
+ "handed to <citerefentry> <refentrytitle>sssd_krb5_locator_plugin</"
+ "refentrytitle> <manvolnum>8</manvolnum> </citerefentry>.  This might be "
+ "helpful when there are too many servers discovered using SRV record."
+ msgstr ""
+-"Consulter la page de manuel de <citerefentry> "
+-"<refentrytitle>sssd_krb5_locator_plugin</refentrytitle> <manvolnum>8</"
+-"manvolnum> </citerefentry> pour plus d'informations sur le greffon de "
+-"localisation."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-krb5.5.xml:518
+@@ -13603,28 +13532,17 @@ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-krb5.5.xml:524
+-#, fuzzy
+-#| msgid ""
+-#| "See the <citerefentry> <refentrytitle>sssd_krb5_locator_plugin</"
+-#| "refentrytitle> <manvolnum>8</manvolnum> </citerefentry> manual page for "
+-#| "more information on the locator plugin."
+ msgid ""
+ "For example <emphasis>10:0</emphasis> means that up to 10 primary servers "
+ "will be handed to <citerefentry> <refentrytitle>sssd_krb5_locator_plugin</"
+ "refentrytitle> <manvolnum>8</manvolnum> </citerefentry>.  but no backup "
+ "servers."
+ msgstr ""
+-"Consulter la page de manuel de <citerefentry> "
+-"<refentrytitle>sssd_krb5_locator_plugin</refentrytitle> <manvolnum>8</"
+-"manvolnum> </citerefentry> pour plus d'informations sur le greffon de "
+-"localisation."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-krb5.5.xml:533
+-#, fuzzy
+-#| msgid "Default: 3"
+ msgid "Default: 3:1"
+-msgstr "Par défaut : 3"
++msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd-krb5.5.xml:539
+@@ -15230,12 +15148,6 @@ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+ #: sssd-files.5.xml:59
+-#, fuzzy
+-#| msgid ""
+-#| "Refer to the section <quote>DOMAIN SECTIONS</quote> of the <citerefentry> "
+-#| "<refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</manvolnum> </"
+-#| "citerefentry> manual page for details on the configuration of an SSSD "
+-#| "domain.  <placeholder type=\"variablelist\" id=\"0\"/>"
+ msgid ""
+ "In addition to the options listed below, generic SSSD domain options can be "
+ "set where applicable.  Refer to the section <quote>DOMAIN SECTIONS</quote> "
+@@ -15243,10 +15155,6 @@ msgid ""
+ "manvolnum> </citerefentry> manual page for details on the configuration of "
+ "an SSSD domain.  <placeholder type=\"variablelist\" id=\"0\"/>"
+ msgstr ""
+-"Se référer à la section <quote>SECTIONS DE DOMAINE</quote> de la page de "
+-"manuel <citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</"
+-"manvolnum> </citerefentry> pour les détails sur la configuration d'un "
+-"domaine SSSD. <placeholder type=\"variablelist\" id=\"0\"/>"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+ #: sssd-files.5.xml:105
+@@ -18036,9 +17944,3 @@ msgstr ""
+ #: include/ipa_modified_defaults.xml:118
+ msgid "ldap_group_external_member = ipaExternalMember"
+ msgstr ""
+-
+-#~ msgid ""
+-#~ "You can turn off dereference lookups completely by setting the value to 0."
+-#~ msgstr ""
+-#~ "Vous pouvez désactiver complètement les recherches de déréférencement  en "
+-#~ "affectant la valeur 0."
+diff --git a/src/man/po/ja.po b/src/man/po/ja.po
+index 3840c0a99..43be6dde1 100644
+--- a/src/man/po/ja.po
++++ b/src/man/po/ja.po
+@@ -6,13 +6,15 @@
+ # Tadashi Jokagi <elf@poyo.jp>, 2012
+ # Tomoyuki KATO <tomo@dream.daynight.jp>, 2012-2013
+ # carrotsoft <www.carrotsoft@gmail.com>, 2012
++# Keiko Moriguchi <kemorigu@redhat.com>, 2019. #zanata
++# Ludek Janda <ljanda@redhat.com>, 2019. #zanata
+ msgid ""
+ msgstr ""
+-"Project-Id-Version: sssd-docs 2.0.99\n"
++"Project-Id-Version: sssd-docs 1.16.4\n"
+ "Report-Msgid-Bugs-To: sssd-devel@redhat.com\n"
+-"POT-Creation-Date: 2019-10-07 11:33+0200\n"
+-"PO-Revision-Date: 2014-12-14 11:59+0000\n"
+-"Last-Translator: Copied by Zanata <copied-by-zanata@zanata.org>\n"
++"POT-Creation-Date: 2019-11-07 14:51+0100\n"
++"PO-Revision-Date: 2019-10-07 10:35+0000\n"
++"Last-Translator: Ludek Janda <ljanda@redhat.com>\n"
+ "Language-Team: Japanese (http://www.transifex.com/projects/p/sssd/language/"
+ "ja/)\n"
+ "Language: ja\n"
+@@ -3778,16 +3780,10 @@ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:2999
+-#, fuzzy
+-#| msgid ""
+-#| "Options valid for proxy domains.  <placeholder type=\"variablelist\" id="
+-#| "\"0\"/>"
+ msgid ""
+ "This option takes any of three available values: <placeholder type="
+ "\"variablelist\" id=\"0\"/>"
+ msgstr ""
+-"プロキシドメインに対して有効なオプションです。 <placeholder type="
+-"\"variablelist\" id=\"0\"/>"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:3062
+@@ -3864,8 +3860,8 @@ msgid ""
+ "searched for in the library are in the form of _nss_$(libName)_$(function), "
+ "for example _nss_files_getpwent."
+ msgstr ""
+-"プロキシードメインにおいて使用する NSS ライブラリーの名前です。ライブラリーに"
+-"おいて検索する NSS 関数は _nss_$(libName)_$(function) の形式です。たとえば "
++"プロキシドメインにおいて使用する NSS ライブラリーの名前です。ライブラリーにお"
++"いて検索する NSS 関数は _nss_$(libName)_$(function) の形式です。たとえば "
+ "_nss_files_getpwent です。"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+@@ -4195,10 +4191,8 @@ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+ #: sssd.conf.5.xml:3367
+-#, fuzzy
+-#| msgid "ldap_sasl_mech (string)"
+ msgid "ldap_sasl_mech,"
+-msgstr "ldap_sasl_mech (文字列)"
++msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+ #: sssd.conf.5.xml:3368
+@@ -4229,10 +4223,8 @@ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><title>
+ #: sssd.conf.5.xml:3379
+-#, fuzzy
+-#| msgid "CONFIGURATION OPTIONS"
+ msgid "PROMPTING CONFIGURATION SECTION"
+-msgstr "設定オプション"
++msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+ #: sssd.conf.5.xml:3381
+@@ -4260,10 +4252,8 @@ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+ #: sssd.conf.5.xml:3404
+-#, fuzzy
+-#| msgid "password"
+ msgid "password_prompt"
+-msgstr "password"
++msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:3405
+@@ -4272,16 +4262,10 @@ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:3403
+-#, fuzzy
+-#| msgid ""
+-#| "Options valid for proxy domains.  <placeholder type=\"variablelist\" id="
+-#| "\"0\"/>"
+ msgid ""
+ "to configure password prompting, allowed options are: <placeholder type="
+ "\"variablelist\" id=\"0\"/>"
+ msgstr ""
+-"プロキシドメインに対して有効なオプションです。 <placeholder type="
+-"\"variablelist\" id=\"0\"/>"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd.conf.5.xml:3413
+@@ -4323,16 +4307,10 @@ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:3415
+-#, fuzzy
+-#| msgid ""
+-#| "Options valid for proxy domains.  <placeholder type=\"variablelist\" id="
+-#| "\"0\"/>"
+ msgid ""
+ "to configure two-factor authentication prompting, allowed options are: "
+ "<placeholder type=\"variablelist\" id=\"0\"/>"
+ msgstr ""
+-"プロキシドメインに対して有効なオプションです。 <placeholder type="
+-"\"variablelist\" id=\"0\"/>"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+ #: sssd.conf.5.xml:3396
+@@ -4694,10 +4672,8 @@ msgstr "初期値: rfc2307"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd-ldap.5.xml:209
+-#, fuzzy
+-#| msgid "ldap_group_modify_timestamp (string)"
+ msgid "ldap_pwmodify_mode (string)"
+-msgstr "ldap_group_modify_timestamp (文字列)"
++msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:212
+@@ -4706,10 +4682,8 @@ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:216
+-#, fuzzy
+-#| msgid "The two mechanisms currently supported are:"
+ msgid "Two modes are currently supported:"
+-msgstr "現在 2 つのメカニズムがサポートされます:"
++msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+ #: sssd-ldap.5.xml:220
+@@ -4732,10 +4706,8 @@ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:241
+-#, fuzzy
+-#| msgid "Default: gecos"
+ msgid "Default: exop"
+-msgstr "初期値: gecos"
++msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd-ldap.5.xml:247
+@@ -5741,10 +5713,11 @@ msgstr ""
+ msgid "Default: 2"
+ msgstr "初期値: 2"
+ 
++# auto translated by TM merge from project: SSSD, version: master, DocId: src/man/po/sssd-docs
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd-ldap.5.xml:1099
+ msgid "ldap_groups_use_matching_rule_in_chain"
+-msgstr ""
++msgstr "ldap_groups_use_matching_rule_in_chain"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:1102
+@@ -5778,10 +5751,11 @@ msgid ""
+ "for more details."
+ msgstr ""
+ 
++# auto translated by TM merge from project: SSSD, version: master, DocId: src/man/po/sssd-docs
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd-ldap.5.xml:1131
+ msgid "ldap_initgroups_use_matching_rule_in_chain"
+-msgstr ""
++msgstr "ldap_initgroups_use_matching_rule_in_chain"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:1134
+@@ -6482,16 +6456,10 @@ msgstr "ldap_sasl_mech (文字列)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:1808
+-#, fuzzy
+-#| msgid ""
+-#| "Specify the SASL mechanism to use.  Currently only GSSAPI is tested and "
+-#| "supported."
+ msgid ""
+ "Specify the SASL mechanism to use.  Currently only GSSAPI and GSS-SPNEGO are "
+ "tested and supported."
+ msgstr ""
+-"使用する SASL メカニズムを指定します。現在 GSSAPI のみがテストされサポートさ"
+-"れます。"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:1812
+@@ -6583,10 +6551,8 @@ msgstr "ldap_krb5_keytab (文字列)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:1889
+-#, fuzzy
+-#| msgid "Specify the keytab to use when using SASL/GSSAPI."
+ msgid "Specify the keytab to use when using SASL/GSSAPI/GSS-SPNEGO."
+-msgstr "SASL/GSSAPI を使用するときに使用するキーテーブルを指定します。"
++msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:1893
+@@ -6601,19 +6567,11 @@ msgstr "ldap_krb5_init_creds (論理値)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:1902
+-#, fuzzy
+-#| msgid ""
+-#| "Specifies that the id_provider should init Kerberos credentials (TGT).  "
+-#| "This action is performed only if SASL is used and the mechanism selected "
+-#| "is GSSAPI."
+ msgid ""
+ "Specifies that the id_provider should init Kerberos credentials (TGT).  This "
+ "action is performed only if SASL is used and the mechanism selected is "
+ "GSSAPI or GSS-SPNEGO."
+ msgstr ""
+-"Kerberos クレディンシャル (TGT) を初期化する id_provider を指定します。この操"
+-"作は、 SASL が使用され、選択されたメカニズムが GSSAPI である場合のみ実行され"
+-"ます。"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd-ldap.5.xml:1914
+@@ -6622,11 +6580,9 @@ msgstr "ldap_krb5_ticket_lifetime (整数)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:1917
+-#, fuzzy
+-#| msgid "Specifies the lifetime in seconds of the TGT if GSSAPI is used."
+ msgid ""
+ "Specifies the lifetime in seconds of the TGT if GSSAPI or GSS-SPNEGO is used."
+-msgstr "GSSAPI が使用されている場合、TGT の有効期間を秒単位で指定します。"
++msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:1921 sssd-ad.5.xml:978
+@@ -6679,10 +6635,8 @@ msgstr "krb5_realm (文字列)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:1959
+-#, fuzzy
+-#| msgid "Specify the Kerberos REALM (for SASL/GSSAPI auth)."
+ msgid "Specify the Kerberos REALM (for SASL/GSSAPI/GSS-SPNEGO auth)."
+-msgstr "(SASL/GSSAPI 認証向け) Kerberos レルムを指定します。"
++msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:1963
+@@ -10668,17 +10622,13 @@ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ad.5.xml:435
+-#, fuzzy
+-#| msgid "Default: 5 (seconds)"
+ msgid "Default: False (seconds)"
+-msgstr "初期値: 5 (秒)"
++msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd-ad.5.xml:441
+-#, fuzzy
+-#| msgid "ldap_referrals (boolean)"
+ msgid "ad_gpo_ignore_unreadable (boolean)"
+-msgstr "ldap_referrals (論理値)"
++msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ad.5.xml:444
+@@ -12848,27 +12798,17 @@ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd-krb5.5.xml:505
+-#, fuzzy
+-#| msgid "krb5_ccachedir (string)"
+ msgid "krb5_kdcinfo_lookahead (string)"
+-msgstr "krb5_ccachedir (文字列)"
++msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-krb5.5.xml:508
+-#, fuzzy
+-#| msgid ""
+-#| "See the <citerefentry> <refentrytitle>sssd_krb5_locator_plugin</"
+-#| "refentrytitle> <manvolnum>8</manvolnum> </citerefentry> manual page for "
+-#| "more information on the locator plugin."
+ msgid ""
+ "When krb5_use_kdcinfo is set to true, you can limit the amount of servers "
+ "handed to <citerefentry> <refentrytitle>sssd_krb5_locator_plugin</"
+ "refentrytitle> <manvolnum>8</manvolnum> </citerefentry>.  This might be "
+ "helpful when there are too many servers discovered using SRV record."
+ msgstr ""
+-"位置情報プラグインの詳細は <citerefentry> "
+-"<refentrytitle>sssd_krb5_locator_plugin</refentrytitle> <manvolnum>8</"
+-"manvolnum> </citerefentry> マニュアルページを参照ください。"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-krb5.5.xml:518
+@@ -12880,27 +12820,17 @@ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-krb5.5.xml:524
+-#, fuzzy
+-#| msgid ""
+-#| "See the <citerefentry> <refentrytitle>sssd_krb5_locator_plugin</"
+-#| "refentrytitle> <manvolnum>8</manvolnum> </citerefentry> manual page for "
+-#| "more information on the locator plugin."
+ msgid ""
+ "For example <emphasis>10:0</emphasis> means that up to 10 primary servers "
+ "will be handed to <citerefentry> <refentrytitle>sssd_krb5_locator_plugin</"
+ "refentrytitle> <manvolnum>8</manvolnum> </citerefentry>.  but no backup "
+ "servers."
+ msgstr ""
+-"位置情報プラグインの詳細は <citerefentry> "
+-"<refentrytitle>sssd_krb5_locator_plugin</refentrytitle> <manvolnum>8</"
+-"manvolnum> </citerefentry> マニュアルページを参照ください。"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-krb5.5.xml:533
+-#, fuzzy
+-#| msgid "Default: 3"
+ msgid "Default: 3:1"
+-msgstr "初期値: 3"
++msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd-krb5.5.xml:539
+@@ -13299,32 +13229,37 @@ msgstr "ユーザーのログインのための SELinux ユーザーです。"
+ msgid "<option>--addattr</option> <replaceable>ATTR_NAME_VAL</replaceable>"
+ msgstr ""
+ 
++# auto translated by TM merge from project: SSSD, version: rhel-8, DocId: po/sssd
+ #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+ #: sss_usermod.8.xml:140
+ msgid "Add an attribute/value pair. The format is attrname=value."
+-msgstr ""
++msgstr "属性/値のペアを追加します。フォーマットは attrname=value です。"
+ 
+ #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+ #: sss_usermod.8.xml:147
+ msgid "<option>--setattr</option> <replaceable>ATTR_NAME_VAL</replaceable>"
+ msgstr ""
+ 
++# auto translated by TM merge from project: SSSD, version: rhel-8, DocId: po/sssd
+ #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+ #: sss_usermod.8.xml:152
+ msgid ""
+ "Set an attribute to a name/value pair. The format is attrname=value. For "
+ "multi-valued attributes, the command replaces the values already present"
+ msgstr ""
++"名前/値のペアに属性を指定します。形式は attrname=value です。複数の値を持つ属"
++"性の場合、コマンドがすでに存在する値に置き換えられます。"
+ 
+ #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+ #: sss_usermod.8.xml:160
+ msgid "<option>--delattr</option> <replaceable>ATTR_NAME_VAL</replaceable>"
+ msgstr ""
+ 
++# auto translated by TM merge from project: SSSD, version: rhel-8, DocId: po/sssd
+ #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+ #: sss_usermod.8.xml:165
+ msgid "Delete an attribute/value pair. The format is attrname=value."
+-msgstr ""
++msgstr "属性/値のペアを削除します。フォーマットは attrname=value です。"
+ 
+ #. type: Content of: <reference><refentry><refnamediv><refname>
+ #: sss_cache.8.xml:10 sss_cache.8.xml:15
+@@ -14443,12 +14378,6 @@ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+ #: sssd-files.5.xml:59
+-#, fuzzy
+-#| msgid ""
+-#| "Refer to the section <quote>DOMAIN SECTIONS</quote> of the <citerefentry> "
+-#| "<refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</manvolnum> </"
+-#| "citerefentry> manual page for details on the configuration of an SSSD "
+-#| "domain.  <placeholder type=\"variablelist\" id=\"0\"/>"
+ msgid ""
+ "In addition to the options listed below, generic SSSD domain options can be "
+ "set where applicable.  Refer to the section <quote>DOMAIN SECTIONS</quote> "
+@@ -14456,10 +14385,6 @@ msgid ""
+ "manvolnum> </citerefentry> manual page for details on the configuration of "
+ "an SSSD domain.  <placeholder type=\"variablelist\" id=\"0\"/>"
+ msgstr ""
+-"SSSD ドメインの設定に関する詳細は <citerefentry> <refentrytitle>sssd.conf</"
+-"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> マニュアルページの "
+-"<quote>ドメインセクション</quote> のセクションを参照してください。  "
+-"<placeholder type=\"variablelist\" id=\"0\"/>"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+ #: sssd-files.5.xml:105
+diff --git a/src/man/po/lv.po b/src/man/po/lv.po
+index b02dc0276..26449a17f 100644
+--- a/src/man/po/lv.po
++++ b/src/man/po/lv.po
+@@ -7,9 +7,9 @@
+ # Kristaps, 2012
+ msgid ""
+ msgstr ""
+-"Project-Id-Version: sssd-docs 2.0.99\n"
++"Project-Id-Version: sssd-docs 1.16.4\n"
+ "Report-Msgid-Bugs-To: sssd-devel@redhat.com\n"
+-"POT-Creation-Date: 2019-10-07 11:33+0200\n"
++"POT-Creation-Date: 2019-11-07 14:51+0100\n"
+ "PO-Revision-Date: 2014-12-15 12:00+0000\n"
+ "Last-Translator: Copied by Zanata <copied-by-zanata@zanata.org>\n"
+ "Language-Team: Latvian (http://www.transifex.com/projects/p/sssd/language/"
+@@ -3962,10 +3962,8 @@ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><title>
+ #: sssd.conf.5.xml:3379
+-#, fuzzy
+-#| msgid "CONFIGURATION OPTIONS"
+ msgid "PROMPTING CONFIGURATION SECTION"
+-msgstr "KONFIGURĒŠANAS IESPĒJAS"
++msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+ #: sssd.conf.5.xml:3381
+@@ -3993,10 +3991,8 @@ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+ #: sssd.conf.5.xml:3404
+-#, fuzzy
+-#| msgid "password"
+ msgid "password_prompt"
+-msgstr "parole"
++msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:3405
+@@ -4378,10 +4374,8 @@ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:216
+-#, fuzzy
+-#| msgid "The two mechanisms currently supported are:"
+ msgid "Two modes are currently supported:"
+-msgstr "Divi pašlaik atbalstītie mehānismi ir:"
++msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+ #: sssd-ldap.5.xml:220
+@@ -4404,10 +4398,8 @@ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:241
+-#, fuzzy
+-#| msgid "Default: 1"
+ msgid "Default: exop"
+-msgstr "Noklusējuma: 1"
++msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd-ldap.5.xml:247
+@@ -10014,10 +10006,8 @@ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ad.5.xml:435
+-#, fuzzy
+-#| msgid "Default: 0 (unlimited)"
+ msgid "Default: False (seconds)"
+-msgstr "Noklusējuma: 0 (neierobežots)"
++msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd-ad.5.xml:441
+@@ -12050,10 +12040,8 @@ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-krb5.5.xml:533
+-#, fuzzy
+-#| msgid "Default: 1"
+ msgid "Default: 3:1"
+-msgstr "Noklusējuma: 1"
++msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd-krb5.5.xml:539
+diff --git a/src/man/po/nl.po b/src/man/po/nl.po
+index 34dc83654..9f6803fb3 100644
+--- a/src/man/po/nl.po
++++ b/src/man/po/nl.po
+@@ -6,9 +6,9 @@
+ # Wijnand Modderman-Lenstra <accounts-transifex@maze.io>, 2011
+ msgid ""
+ msgstr ""
+-"Project-Id-Version: sssd-docs 2.0.99\n"
++"Project-Id-Version: sssd-docs 1.16.4\n"
+ "Report-Msgid-Bugs-To: sssd-devel@redhat.com\n"
+-"POT-Creation-Date: 2019-10-07 11:33+0200\n"
++"POT-Creation-Date: 2019-11-07 14:51+0100\n"
+ "PO-Revision-Date: 2014-12-15 12:02+0000\n"
+ "Last-Translator: Copied by Zanata <copied-by-zanata@zanata.org>\n"
+ "Language-Team: Dutch (http://www.transifex.com/projects/p/sssd/language/"
+@@ -4446,10 +4446,8 @@ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:241
+-#, fuzzy
+-#| msgid "Default: 3"
+ msgid "Default: exop"
+-msgstr "Standaard: 3"
++msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd-ldap.5.xml:247
+@@ -12090,10 +12088,8 @@ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-krb5.5.xml:533
+-#, fuzzy
+-#| msgid "Default: 3"
+ msgid "Default: 3:1"
+-msgstr "Standaard: 3"
++msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd-krb5.5.xml:539
+diff --git a/src/man/po/pt.po b/src/man/po/pt.po
+index b92414a33..7aeed617b 100644
+--- a/src/man/po/pt.po
++++ b/src/man/po/pt.po
+@@ -6,9 +6,9 @@
+ # Miguel Sousa <migueljorgesousa@sapo.pt>, 2011
+ msgid ""
+ msgstr ""
+-"Project-Id-Version: sssd-docs 2.0.99\n"
++"Project-Id-Version: sssd-docs 1.16.4\n"
+ "Report-Msgid-Bugs-To: sssd-devel@redhat.com\n"
+-"POT-Creation-Date: 2019-10-07 11:33+0200\n"
++"POT-Creation-Date: 2019-11-07 14:51+0100\n"
+ "PO-Revision-Date: 2014-12-15 12:05+0000\n"
+ "Last-Translator: Copied by Zanata <copied-by-zanata@zanata.org>\n"
+ "Language-Team: Portuguese (http://www.transifex.com/projects/p/sssd/language/"
+@@ -3952,10 +3952,8 @@ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+ #: sssd.conf.5.xml:3367
+-#, fuzzy
+-#| msgid "ldap_sasl_mech (string)"
+ msgid "ldap_sasl_mech,"
+-msgstr "ldap_sasl_mech (string)"
++msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+ #: sssd.conf.5.xml:3368
+@@ -3986,10 +3984,8 @@ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><title>
+ #: sssd.conf.5.xml:3379
+-#, fuzzy
+-#| msgid "CONFIGURATION OPTIONS"
+ msgid "PROMPTING CONFIGURATION SECTION"
+-msgstr "OPÇÕES DE CONFIGURAÇÃO"
++msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+ #: sssd.conf.5.xml:3381
+@@ -4418,10 +4414,8 @@ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd-ldap.5.xml:209
+-#, fuzzy
+-#| msgid "ldap_pwd_policy (string)"
+ msgid "ldap_pwmodify_mode (string)"
+-msgstr "ldap_pwd_policy (string)"
++msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:212
+@@ -4454,10 +4448,8 @@ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:241
+-#, fuzzy
+-#| msgid "Default: 3"
+ msgid "Default: exop"
+-msgstr "Padrão: 3"
++msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd-ldap.5.xml:247
+@@ -10067,17 +10059,13 @@ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ad.5.xml:435
+-#, fuzzy
+-#| msgid "Default: false"
+ msgid "Default: False (seconds)"
+-msgstr "Padrão: false"
++msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd-ad.5.xml:441
+-#, fuzzy
+-#| msgid "ldap_force_upper_case_realm (boolean)"
+ msgid "ad_gpo_ignore_unreadable (boolean)"
+-msgstr "ldap_force_upper_case_realm (boolean)"
++msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ad.5.xml:444
+@@ -12084,10 +12072,8 @@ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd-krb5.5.xml:505
+-#, fuzzy
+-#| msgid "krb5_ccachedir (string)"
+ msgid "krb5_kdcinfo_lookahead (string)"
+-msgstr "krb5_ccachedir (string)"
++msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-krb5.5.xml:508
+@@ -12117,10 +12103,8 @@ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-krb5.5.xml:533
+-#, fuzzy
+-#| msgid "Default: 3"
+ msgid "Default: 3:1"
+-msgstr "Padrão: 3"
++msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd-krb5.5.xml:539
+diff --git a/src/man/po/pt_BR.po b/src/man/po/pt_BR.po
+index c86795d95..edf92c69e 100644
+--- a/src/man/po/pt_BR.po
++++ b/src/man/po/pt_BR.po
+@@ -2,9 +2,9 @@
+ # Rodrigo de Araujo Sousa Fonseca <rodrigodearaujo@fedoraproject.org>, 2017. #zanata
+ msgid ""
+ msgstr ""
+-"Project-Id-Version: sssd-docs 2.0.99\n"
++"Project-Id-Version: sssd-docs 1.16.4\n"
+ "Report-Msgid-Bugs-To: sssd-devel@redhat.com\n"
+-"POT-Creation-Date: 2019-10-07 11:33+0200\n"
++"POT-Creation-Date: 2019-11-07 14:51+0100\n"
+ "PO-Revision-Date: 2017-01-29 10:11+0000\n"
+ "Last-Translator: Rodrigo de Araujo Sousa Fonseca "
+ "<rodrigodearaujo@fedoraproject.org>\n"
+diff --git a/src/man/po/ru.po b/src/man/po/ru.po
+index 62beb499a..93c2b7b65 100644
+--- a/src/man/po/ru.po
++++ b/src/man/po/ru.po
+@@ -6,9 +6,9 @@
+ # Artyom Kunyov <artkun@guitarplayer.ru>, 2012
+ msgid ""
+ msgstr ""
+-"Project-Id-Version: sssd-docs 2.0.99\n"
++"Project-Id-Version: sssd-docs 1.16.4\n"
+ "Report-Msgid-Bugs-To: sssd-devel@redhat.com\n"
+-"POT-Creation-Date: 2019-10-07 11:33+0200\n"
++"POT-Creation-Date: 2019-11-07 14:51+0100\n"
+ "PO-Revision-Date: 2014-12-15 12:07+0000\n"
+ "Last-Translator: Copied by Zanata <copied-by-zanata@zanata.org>\n"
+ "Language-Team: Russian (http://www.transifex.com/projects/p/sssd/language/"
+@@ -3961,10 +3961,8 @@ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><title>
+ #: sssd.conf.5.xml:3379
+-#, fuzzy
+-#| msgid "CONFIGURATION OPTIONS"
+ msgid "PROMPTING CONFIGURATION SECTION"
+-msgstr "ПАРАМЕТРЫ КОНФИГУРАЦИИ"
++msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+ #: sssd.conf.5.xml:3381
+@@ -3992,10 +3990,8 @@ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+ #: sssd.conf.5.xml:3404
+-#, fuzzy
+-#| msgid "password"
+ msgid "password_prompt"
+-msgstr "пароль"
++msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:3405
+@@ -4401,10 +4397,8 @@ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:241
+-#, fuzzy
+-#| msgid "Default: gecos"
+ msgid "Default: exop"
+-msgstr "По умолчанию: gecos"
++msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd-ldap.5.xml:247
+@@ -10011,10 +10005,8 @@ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ad.5.xml:435
+-#, fuzzy
+-#| msgid "Default: false"
+ msgid "Default: False (seconds)"
+-msgstr "По умолчанию: false"
++msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd-ad.5.xml:441
+@@ -12047,10 +12039,8 @@ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-krb5.5.xml:533
+-#, fuzzy
+-#| msgid "Default: 3"
+ msgid "Default: 3:1"
+-msgstr "По умолчанию: 3"
++msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd-krb5.5.xml:539
+diff --git a/src/man/po/sssd-docs.pot b/src/man/po/sssd-docs.pot
+index 299245fb1..14bfb0f68 100644
+--- a/src/man/po/sssd-docs.pot
++++ b/src/man/po/sssd-docs.pot
+@@ -8,7 +8,7 @@ msgid ""
+ msgstr ""
+ "Project-Id-Version: sssd-docs 1.16.4\n"
+ "Report-Msgid-Bugs-To: sssd-devel@redhat.com\n"
+-"POT-Creation-Date: 2019-10-07 11:33+0200\n"
++"POT-Creation-Date: 2019-11-07 15:18+0100\n"
+ "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
+ "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
+ "Language-Team: LANGUAGE <LL@li.org>\n"
+diff --git a/src/man/po/sv.po b/src/man/po/sv.po
+index cdab6a630..7c9ac49b7 100644
+--- a/src/man/po/sv.po
++++ b/src/man/po/sv.po
+@@ -1,10 +1,11 @@
+ # Göran Uddeborg <goeran@uddeborg.se>, 2018. #zanata
++# Göran Uddeborg <goeran@uddeborg.se>, 2019. #zanata
+ msgid ""
+ msgstr ""
+-"Project-Id-Version: sssd-docs 2.0.99\n"
++"Project-Id-Version: sssd-docs 1.16.4\n"
+ "Report-Msgid-Bugs-To: sssd-devel@redhat.com\n"
+-"POT-Creation-Date: 2019-10-07 11:33+0200\n"
+-"PO-Revision-Date: 2018-07-31 12:14+0000\n"
++"POT-Creation-Date: 2019-11-07 14:51+0100\n"
++"PO-Revision-Date: 2019-10-07 10:10+0000\n"
+ "Last-Translator: Göran Uddeborg <goeran@uddeborg.se>\n"
+ "Language-Team: Swedish\n"
+ "Language: sv\n"
+@@ -862,11 +863,9 @@ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:482
+-#, fuzzy
+-#| msgid "This option must be used together with ocsp_default_responder."
+ msgid ""
+ "This option must be used together with ocsp_default_responder_signing_cert."
+-msgstr "Detta alternativ måste anges tillsammans med ocsp_default_responder."
++msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+ #: sssd.conf.5.xml:490
+@@ -1323,12 +1322,6 @@ msgstr "filter_users, filter_groups (sträng)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:812
+-#, fuzzy
+-#| msgid ""
+-#| "Exclude certain users or groups from being fetched from the sss NSS "
+-#| "database. This is particularly useful for system accounts. This option "
+-#| "can also be set per-domain or include fully-qualified names to filter "
+-#| "only users from the particular domain."
+ msgid ""
+ "Exclude certain users or groups from being fetched from the sss NSS "
+ "database. This is particularly useful for system accounts. This option can "
+@@ -1338,7 +1331,8 @@ msgstr ""
+ "Uteslut vissa användare eller grupper från att hämtas från sss NSS-"
+ "databasen.  Detta är särskilt användbart för systemkonton.  Detta alternativ "
+ "kan också anges per domän eller inkludera fullständigt kvalificerade namn "
+-"för att filtrera endast användare från den angivna domänen."
++"för att filtrera endast användare från den angivna domänen eller efter ett "
++"användarhuvudnamn (UPN)."
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:820
+@@ -2161,7 +2155,7 @@ msgstr ""
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+ #: sssd.conf.5.xml:1394
+ msgid "pam_p11_allowed_services (integer)"
+-msgstr ""
++msgstr "pam_p11_allowed_services (heltal)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:1397
+@@ -2169,6 +2163,8 @@ msgid ""
+ "A comma-separated list of PAM service names for which it will be allowed to "
+ "use Smartcards."
+ msgstr ""
++"En kommaseparerad lista av PAM-tjänstenamn för vilka det kommer vara "
++"tillåtet att använda smarta kort."
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><programlisting>
+ #: sssd.conf.5.xml:1412
+@@ -2177,6 +2173,8 @@ msgid ""
+ "pam_p11_allowed_services = +my_pam_service, -login\n"
+ "                            "
+ msgstr ""
++"pam_p11_allowed_services = +min_pam-tjänst, -login\n"
++"                            "
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:1401
+@@ -2189,57 +2187,65 @@ msgid ""
+ "<quote>my_pam_service</quote>), you would use the following configuration: "
+ "<placeholder type=\"programlisting\" id=\"0\"/>"
+ msgstr ""
++"Det är möjligt att lägga till ett annat PAM-tjänstnamn till "
++"standarduppsättninge genom att använda <quote>+tjänstenamn</quote> eller att "
++"uttryckligen ta bort ett PAM-tjänstenamn från standarduppsättningen genom "
++"att använda <quote>-tjänstenamn</quote>.  Till exempel, för att byta ut ett "
++"standard-PAM-tjänstenamn för autentisering med  smarta kort (t.ex. "
++"<quote>login</quote>) mot ett anpassat PAM-tjänstenamn (t.ex. <quote>min_pam-"
++"tjänst</quote>) skulle man använda följande konfiguration: <placeholder type="
++"\"programlisting\" id=\"0\"/>"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:1416 sssd-ad.5.xml:504 sssd-ad.5.xml:600 sssd-ad.5.xml:646
+ #: sssd-ad.5.xml:692 sssd-ad.5.xml:758
+ msgid "Default: the default set of PAM service names includes:"
+-msgstr ""
++msgstr "Standard: standarduppsättningen av PAM-tjänstenamn innefattar:"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+ #: sssd.conf.5.xml:1421 sssd-ad.5.xml:508
+ msgid "login"
+-msgstr ""
++msgstr "login"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+ #: sssd.conf.5.xml:1426 sssd-ad.5.xml:513
+ msgid "su"
+-msgstr ""
++msgstr "su"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+ #: sssd.conf.5.xml:1431 sssd-ad.5.xml:518
+ msgid "su-l"
+-msgstr ""
++msgstr "su-l"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+ #: sssd.conf.5.xml:1436 sssd-ad.5.xml:533
+ msgid "gdm-smartcard"
+-msgstr ""
++msgstr "gdm-smartcard"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+ #: sssd.conf.5.xml:1441 sssd-ad.5.xml:528
+ msgid "gdm-password"
+-msgstr ""
++msgstr "gdm-password"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+ #: sssd.conf.5.xml:1446 sssd-ad.5.xml:538
+ msgid "kdm"
+-msgstr ""
++msgstr "kdm"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+ #: sssd.conf.5.xml:1451 sssd-ad.5.xml:767
+ msgid "sudo"
+-msgstr ""
++msgstr "sudo"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+ #: sssd.conf.5.xml:1456 sssd-ad.5.xml:772
+ msgid "sudo-i"
+-msgstr ""
++msgstr "sudo-i"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+ #: sssd.conf.5.xml:1461
+ msgid "gnome-screensaver"
+-msgstr ""
++msgstr "gnome-screensaver"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><title>
+ #: sssd.conf.5.xml:1472
+@@ -3867,6 +3873,11 @@ msgid ""
+ "consider changing the re_expression value to: <quote>((?P&lt;name&gt;.+)@(?"
+ "P&lt;domain&gt;[^@]+$))</quote>."
+ msgstr ""
++"OBS: några Active Directory-grupper, typiskt de som används för MS Exchange "
++"innehåller ett <quote>@</quote>-tecken i namnet, vilket kolliderar med "
++"standardvärdet på re_expression för AD- och IPA-leverantörer.  Överväg för "
++"att stödja dessa grupper att ändra värdet på re_expression till: <quote>((?"
++"P&lt;name&gt;.+)@(?P&lt;domain&gt;[^@]+$))</quote>."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:2768
+@@ -4020,19 +4031,11 @@ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:2848
+-#, fuzzy
+-#| msgid ""
+-#| "With this parameter the certificate verification can be tuned with a "
+-#| "comma separated list of options. Supported options are: <placeholder type="
+-#| "\"variablelist\" id=\"0\"/>"
+ msgid ""
+ "Treat user and group names as case sensitive. At the moment, this option is "
+ "not supported in the local provider. Possible option values are: "
+ "<placeholder type=\"variablelist\" id=\"0\"/>"
+ msgstr ""
+-"Med denna parameter kan verifieringen av certifikatet justeras med en "
+-"kommaseparerad lista av alternativ.  Alternativ som stödjs är <placeholder "
+-"type=\"variablelist\" id=\"0\"/>"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:2883
+@@ -4166,11 +4169,6 @@ msgstr "cached_auth_timeout (heltal)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:2968
+-#, fuzzy
+-#| msgid ""
+-#| "Specifies time in seconds since last successful online authentication for "
+-#| "which user will be authenticated using cached credentials while SSSD is "
+-#| "in the online mode."
+ msgid ""
+ "Specifies time in seconds since last successful online authentication for "
+ "which user will be authenticated using cached credentials while SSSD is in "
+@@ -4179,7 +4177,8 @@ msgid ""
+ msgstr ""
+ "Anger tiden i sekunder sedan senaste lyckade uppkopplade autentisering under "
+ "vilka användaren kommer autentiseras med cachade kreditiv medan SSSD är i "
+-"uppkopplad läge."
++"uppkopplat läge.  Om kreditiven är felaktiga faller SSSD tillbaka till "
++"uppkopplad autentisering."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:2976
+@@ -4187,6 +4186,8 @@ msgid ""
+ "This option's value is inherited by all trusted domains. At the moment it is "
+ "not possible to set a different value per trusted domain."
+ msgstr ""
++"Detta alternativs värde ärvs av alla betrodda domäner.  För närvarande är "
++"det inte möjligt att ange olika värden för varje betrodd domän."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:2981
+@@ -4212,21 +4213,16 @@ msgstr "auto_private_groups (sträng)"
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+ #: sssd.conf.5.xml:3002
+ msgid "true"
+-msgstr ""
++msgstr "true"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:3005
+-#, fuzzy
+-#| msgid ""
+-#| "If this option is enabled, SSSD will automatically create user private "
+-#| "groups based on user's UID number. The GID number is ignored in this case."
+ msgid ""
+ "Create user's private group unconditionally from user's UID number.  The GID "
+ "number is ignored in this case."
+ msgstr ""
+-"Om detta alternativ är aktiverat kommer SSSD automatiskt att skapa privata "
+-"användargrupper baserat på anvindarens UID-nummer.  GID-numret ignoreras i "
+-"detta fall."
++"Skapa användares privata grupp ovillkorligt från användarens UID-nummer.  "
++"GID-numret ignoreras i detta läge."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:3009
+@@ -4243,10 +4239,8 @@ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+ #: sssd.conf.5.xml:3018
+-#, fuzzy
+-#| msgid "False"
+ msgid "false"
+-msgstr "False"
++msgstr "false"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:3021
+@@ -4254,11 +4248,13 @@ msgid ""
+ "Always use the user's primary GID number. The GID number must refer to a "
+ "group object in the LDAP database."
+ msgstr ""
++"Använd alltid användarens primära GID-nummer.  GID-numret måste referera "
++"till ett gruppobjekt i LDAP-databasen."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+ #: sssd.conf.5.xml:3027
+ msgid "hybrid"
+-msgstr ""
++msgstr "hybrid"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:3030
+@@ -4269,6 +4265,11 @@ msgid ""
+ "GID in the user entry is also used by a group object, the primary GID of the "
+ "user resolves to that group object."
+ msgstr ""
++"En primär grupp autogenereras för användarposter vars UID- och GID-nummer "
++"har samma värde och GID-numret på samma gång inte motsvarar ett verkligt "
++"gruppobjekt i LDAP.  Om värdena är samma, men det primära GID:t i "
++"användarposten även används av ett gruppobjekt slås användarens primära GID "
++"upp till det gruppobjektet. "
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:3043
+@@ -4276,6 +4277,8 @@ msgid ""
+ "If the UID and GID of a user are different, then the GID must correspond to "
+ "a group entry, otherwise the GID is simply not resolvable."
+ msgstr ""
++"Om användarens UID och GID är olika måste GID:t motsvara en gruppost, annars "
++"kan GID:t helt enkelt inte slås upp."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:3050
+@@ -4284,19 +4287,18 @@ msgid ""
+ "separate group objects for the user private groups, but also wish to retain "
+ "the existing user private groups."
+ msgstr ""
++"Denna funktion är användbar i miljöer som vill sluta underhålla separata "
++"gruppobjekt för användares privata grupper, men även vill behålla de "
++"befintliga användarnas privata grupper."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:2999
+-#, fuzzy
+-#| msgid ""
+-#| "Options valid for proxy domains.  <placeholder type=\"variablelist\" id="
+-#| "\"0\"/>"
+ msgid ""
+ "This option takes any of three available values: <placeholder type="
+ "\"variablelist\" id=\"0\"/>"
+ msgstr ""
+-"Giltiga alternativ för proxy-domäner.  <placeholder type=\"variablelist\" id="
+-"\"0\"/>"
++"Detta alternativ tar något av tre tillgängliga värden: <placeholder type="
++"\"variablelist\" id=\"0\"/>"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:3062
+@@ -4304,6 +4306,9 @@ msgid ""
+ "For subdomains, the default value is False for subdomains that use assigned "
+ "POSIX IDs and True for subdomains that use automatic ID-mapping."
+ msgstr ""
++"För underdomäner är standardvärdet False för underdomäner som använder "
++"tilldeliade POSIX ID:n och True för underdomäner som använder automatisk ID-"
++"översättning."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
+ #: sssd.conf.5.xml:3070
+@@ -4312,6 +4317,8 @@ msgid ""
+ "[domain/forest.domain/sub.domain]\n"
+ "auto_private_groups = false\n"
+ msgstr ""
++"[domain/forest.domain/sub.domain]\n"
++"auto_private_groups = false\n"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
+ #: sssd.conf.5.xml:3076
+@@ -4321,6 +4328,9 @@ msgid ""
+ "subdomain_inherit = auto_private_groups\n"
+ "auto_private_groups = false\n"
+ msgstr ""
++"[domain/forest.domain]\n"
++"subdomain_inherit = auto_private_groups\n"
++"auto_private_groups = false\n"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:3067
+@@ -4330,6 +4340,11 @@ msgid ""
+ "globally for all subdomains in the main domain section using the "
+ "subdomain_inherit option: <placeholder type=\"programlisting\" id=\"1\"/>"
+ msgstr ""
++"Värdet på auto_private_groups kan antingen anges per underdomän i en "
++"undersektion, till exempel: <placeholder type=\"programlisting\" id=\"0\"/> "
++"eller globalt för alla underdomäner i huvuddomänavsnittet genom att använda "
++"alternativet subdomain_inherit: <placeholder type=\"programlisting\" id="
++"\"1\"/>"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+ #: sssd.conf.5.xml:1802
+@@ -4758,10 +4773,8 @@ msgstr "ldap_service_search_base,"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+ #: sssd.conf.5.xml:3367
+-#, fuzzy
+-#| msgid "ldap_search_base,"
+ msgid "ldap_sasl_mech,"
+-msgstr "ldap_search_base,"
++msgstr "ldap_sasl_mech,"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+ #: sssd.conf.5.xml:3368
+@@ -4794,10 +4807,8 @@ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><title>
+ #: sssd.conf.5.xml:3379
+-#, fuzzy
+-#| msgid "CONFIGURATION OPTIONS"
+ msgid "PROMPTING CONFIGURATION SECTION"
+-msgstr "KONFIGURATIONSALTERNATIV"
++msgstr "SEKTIONEN FÖR FRÅGEKONFIGURATION"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+ #: sssd.conf.5.xml:3381
+@@ -4808,6 +4819,11 @@ msgid ""
+ "Based on the results pam_sss will prompt the user for appropriate "
+ "credentials."
+ msgstr ""
++"Om en särskild fil (<filename>/var/lib/sss/pubconf/pam_preauth_available</"
++"filename>)  finns kommer SSSD:s PAM-modul pam_sss be SSSD att ta reda på "
++"vilka autentiseringsmetoder som är tillgängliga för användren som försöker "
++"logga in.  Baserat på resultatet kommer pam_sss fråga användaren efter "
++"tillämpliga kreditiv."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+ #: sssd.conf.5.xml:3389
+@@ -4817,66 +4833,64 @@ msgid ""
+ "select the prompting might not be suitable for all use cases. To following "
+ "options should provide a better flexibility here."
+ msgstr ""
++"Med det växande antalet autentiseringsmetoder och möjligheten att det finns "
++"flera olika för en enskild användare kan det hända att heurestiken som "
++"används av pam_sss för att välja fråga inte är lämplig för alla "
++"användarfall.  Följande alternativ bör ge en bättre flexibilitet här."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd.conf.5.xml:3401
+ msgid "[prompting/password]"
+-msgstr ""
++msgstr "[prompting/password]"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+ #: sssd.conf.5.xml:3404
+-#, fuzzy
+-#| msgid "password"
+ msgid "password_prompt"
+-msgstr "password"
++msgstr "password_prompt"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:3405
+ msgid "to change the string of the password prompt"
+-msgstr ""
++msgstr "för att ändra strängen i lösenordsfrågan"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:3403
+-#, fuzzy
+-#| msgid ""
+-#| "Options valid for proxy domains.  <placeholder type=\"variablelist\" id="
+-#| "\"0\"/>"
+ msgid ""
+ "to configure password prompting, allowed options are: <placeholder type="
+ "\"variablelist\" id=\"0\"/>"
+ msgstr ""
+-"Giltiga alternativ för proxy-domäner.  <placeholder type=\"variablelist\" id="
+-"\"0\"/>"
++"för att konfigurera lösenordsfråga är de tillåtna alternativen: <placeholder "
++"type=\"variablelist\" id=\"0\"/>"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd.conf.5.xml:3413
+ msgid "[prompting/2fa]"
+-msgstr ""
++msgstr "[prompting/2fa]"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+ #: sssd.conf.5.xml:3417
+ msgid "first_prompt"
+-msgstr ""
++msgstr "first_prompt"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:3418
+ msgid "to change the string of the prompt for the first factor"
+-msgstr ""
++msgstr "för att ändra strängen som frågar efter den första faktorn"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+ #: sssd.conf.5.xml:3421
+ msgid "second_prompt"
+-msgstr ""
++msgstr "second_prompt"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:3422
+ msgid "to change the string of the prompt for the second factor"
+-msgstr ""
++msgstr "för att ändra strängen som frågar efter den andra faktorn"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+ #: sssd.conf.5.xml:3425
+ msgid "single_prompt"
+-msgstr ""
++msgstr "single_prompt"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:3426
+@@ -4885,19 +4899,18 @@ msgid ""
+ "first_prompt where it is expected that both factor are entered as a single "
+ "string"
+ msgstr ""
++"booleskt värde, om True kommer det bara vara en fråga som använder värdet på "
++"first_prompt där det förväntas att båda faktorerna matas in som en enda "
++"sträng"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:3415
+-#, fuzzy
+-#| msgid ""
+-#| "Options valid for proxy domains.  <placeholder type=\"variablelist\" id="
+-#| "\"0\"/>"
+ msgid ""
+ "to configure two-factor authentication prompting, allowed options are: "
+ "<placeholder type=\"variablelist\" id=\"0\"/>"
+ msgstr ""
+-"Giltiga alternativ för proxy-domäner.  <placeholder type=\"variablelist\" id="
+-"\"0\"/>"
++"för att konfigurera frågor för tvåfaktorautentisering är de tillåtna "
++"alternativen: <placeholder type=\"variablelist\" id=\"0\"/>"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+ #: sssd.conf.5.xml:3396
+@@ -4906,6 +4919,10 @@ msgid ""
+ "under <quote>[prompting/...]</quote>. Currently there are: <placeholder type="
+ "\"variablelist\" id=\"0\"/> <placeholder type=\"variablelist\" id=\"1\"/>"
+ msgstr ""
++"Varje autentiseringsmetod som stödjs har sin ege konfigurationsundersektion "
++"under <quote>[prompting/…]</quote>.  För närvarande finns det: <placeholder "
++"type=\"variablelist\" id=\"0\"/> <placeholder type=\"variablelist\" id=\"1\"/"
++">"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+ #: sssd.conf.5.xml:3438
+@@ -4914,6 +4931,9 @@ msgid ""
+ "<quote>[prompting/password/sshd]</quote> to individual change the prompting "
+ "for this service."
+ msgstr ""
++"Det är möjligt att lägga till en undersektion för specifika PAM-tjänster som "
++"t.ex. <quote>[prompting/password/sshd]</quote> för att ändra frågorna "
++"enskild för denna tjänst."
+ 
+ #. type: Content of: <reference><refentry><refsect1><title>
+ #: sssd.conf.5.xml:3445 idmap_sss.8.xml:43
+@@ -5297,32 +5317,28 @@ msgstr "Standard: rfc2307"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd-ldap.5.xml:209
+-#, fuzzy
+-#| msgid "ldap_user_modify_timestamp (string)"
+ msgid "ldap_pwmodify_mode (string)"
+-msgstr "ldap_user_modify_timestamp (sträng)"
++msgstr "ldap_pwmodify_mode (sträng)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:212
+ msgid "Specify the operation that is used to modify user password."
+-msgstr ""
++msgstr "Ange operationen som används för att ändra användarens lösenord."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:216
+-#, fuzzy
+-#| msgid "Four schema types are currently supported:"
+ msgid "Two modes are currently supported:"
+-msgstr "Fyra schematyper stödjs för närvarande:"
++msgstr "Två lägen stödjs för närvarande:"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+ #: sssd-ldap.5.xml:220
+ msgid "exop - Password Modify Extended Operation (RFC 3062)"
+-msgstr ""
++msgstr "exop - Password Modify Extended Operation (RFC 3062)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+ #: sssd-ldap.5.xml:226
+ msgid "ldap_modify - Direct modification of userPassword (not recommended)."
+-msgstr ""
++msgstr "ldap_modify - Direkt ändring av userPassword (rekommenderas inte)."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:233
+@@ -5332,13 +5348,15 @@ msgid ""
+ "connection is used to change the password therefore the user must have write "
+ "access to userPassword attribute."
+ msgstr ""
++"Obs: först etableras en ny förbindelse för att verifiera det aktuella "
++"lösenordet genom att binda som användaren som begärde lösenordsändringen.  "
++"Om det lyckas används denna förbindelse för att ändra lösenordet och därför "
++"måste användaren a skrivrätt på attributet userPassword."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:241
+-#, fuzzy
+-#| msgid "Default: gecos"
+ msgid "Default: exop"
+-msgstr "Standard: gecos"
++msgstr "Standard: exop"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd-ldap.5.xml:247
+@@ -6246,57 +6264,57 @@ msgstr "Standard: posixGroup"
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd-ldap.5.xml:946
+ msgid "ldap_group_name (string)"
+-msgstr ""
++msgstr "ldap_group_name (sträng)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:949
+ msgid "The LDAP attribute that corresponds to the group name."
+-msgstr ""
++msgstr "LDAP-attributet som motsvarar gruppnamnet."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:953
+ msgid "Default: cn (rfc2307, rfc2307bis and IPA), sAMAccountName (AD)"
+-msgstr ""
++msgstr "Standard: cn (rfc2307, rfc2307bis och IPA), sAMAccountName (AD)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd-ldap.5.xml:960
+ msgid "ldap_group_gid_number (string)"
+-msgstr ""
++msgstr "ldap_group_gid_number (sträng)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:963
+ msgid "The LDAP attribute that corresponds to the group's id."
+-msgstr ""
++msgstr "LDAP-attributet som motsvarar gruppens id."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd-ldap.5.xml:973
+ msgid "ldap_group_member (string)"
+-msgstr ""
++msgstr "ldap_group_member (sträng)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:976
+ msgid "The LDAP attribute that contains the names of the group's members."
+-msgstr ""
++msgstr "LDAP-attributet som innehåller namnen på gruppens medlemmar."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:980
+ msgid "Default: memberuid (rfc2307) / member (rfc2307bis)"
+-msgstr ""
++msgstr "Standard: memberuid (rfc2307) / member (rfc2307bis)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd-ldap.5.xml:986
+ msgid "ldap_group_uuid (string)"
+-msgstr ""
++msgstr "ldap_group_uuid (sträng)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:989
+ msgid "The LDAP attribute that contains the UUID/GUID of an LDAP group object."
+-msgstr ""
++msgstr "LDAP-attributet som innehåller UUID/GUID för ett LDAP-gruppobjekt."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd-ldap.5.xml:1000
+ msgid "ldap_group_objectsid (string)"
+-msgstr ""
++msgstr "ldap_group_objectsid (sträng)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:1003
+@@ -6304,16 +6322,18 @@ msgid ""
+ "The LDAP attribute that contains the objectSID of an LDAP group object. This "
+ "is usually only necessary for ActiveDirectory servers."
+ msgstr ""
++"LDAP-attributet som innehåller objectSID för ett LDAP-gruppobjekt.  Detta är "
++"normalt bara nödvändigt för Active Directory-servrar."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd-ldap.5.xml:1015
+ msgid "ldap_group_modify_timestamp (string)"
+-msgstr ""
++msgstr "ldap_group_modify_timestamp (sträng)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd-ldap.5.xml:1028
+ msgid "ldap_group_type (integer)"
+-msgstr ""
++msgstr "ldap_group_type (heltal)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:1031
+@@ -6321,6 +6341,8 @@ msgid ""
+ "The LDAP attribute that contains an integer value indicating the type of the "
+ "group and maybe other flags."
+ msgstr ""
++"LDAP-attributet som innehåller ett heltalsvärde som indikerar grupptypen och "
++"kanske ondra flaggor."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:1036
+@@ -6329,16 +6351,18 @@ msgid ""
+ "group is a domain local groups and has to be filtered out for trusted "
+ "domains."
+ msgstr ""
++"Detta attribut används för närvarande bara av AD-leverantören för att avgöra "
++"om en domänlokal grupp och behöver filtreras bort för betrodda domäner."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:1042
+ msgid "Default: groupType in the AD provider, otherwise not set"
+-msgstr ""
++msgstr "Standard: groupType i AD-leverantören, inte satt annars"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd-ldap.5.xml:1049
+ msgid "ldap_group_external_member (string)"
+-msgstr ""
++msgstr "ldap_group_external_member (sträng)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:1052
+@@ -6346,16 +6370,18 @@ msgid ""
+ "The LDAP attribute that references group members that are defined in an "
+ "external domain. At the moment, only IPA's external members are supported."
+ msgstr ""
++"LDAP-attributet som refererar gruppmedlemmar som är definierade i en extern "
++"domän.  För närvarande stödjs endast IPA:s externa medlemmar."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:1058
+ msgid "Default: ipaExternalMember in the IPA provider, otherwise unset."
+-msgstr ""
++msgstr "Standard: ipaExternalMember i IPA-leverantören, inte satt annars"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd-ldap.5.xml:1065
+ msgid "ldap_group_nesting_level (integer)"
+-msgstr ""
++msgstr "ldap_group_nesting_level (heltal)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:1068
+@@ -6364,6 +6390,9 @@ msgid ""
+ "RFC2307bis), then this option controls how many levels of nesting SSSD will "
+ "follow. This option has no effect on the RFC2307 schema."
+ msgstr ""
++"Om ldap_schema är satt till ett schemaformat som stödjer nästade grupper (t."
++"ex. RFC2307bis), då styr detta alternativ hur många nivåer av nästning SSSD "
++"kommer följa.  Detta alternativ har ingen effekt på schemat RFC2307."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:1075
+@@ -6374,6 +6403,12 @@ msgid ""
+ "the deeper nesting levels.  Also, subsequent lookups for other groups may "
+ "enlarge the result set for original lookup if re-queried."
+ msgstr ""
++"Obs: detta alternativ anger den garanterade nivån av nästade grupper som "
++"skall bearbetas för en godtycklig uppslagning.  Dock <emphasis>kan</"
++"emphasis> nästade grupper utöver denna gräns returneras om tidigare "
++"uppslagningar redan har slagit upp de djupare nästningsnivåerna.  Följande "
++"uppslagningar för andra grupper kan också utöka resultatmängden för den "
++"ursprungliga uppslagningen om den slås upp igen."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:1084
+@@ -6384,11 +6419,16 @@ msgid ""
+ "usage of Token-Groups by setting ldap_use_tokengroups to false in order to "
+ "restrict group nesting."
+ msgstr ""
++"Om ldap_group_nesting_level sätts till 0 bearbetas inga nästade grupper "
++"alls.  Dock krävs det dessutom att användningen av Token-Groups avaktiveras "
++"vid anslutning till Active-Directory Server 2008 och senare vid användning "
++"av <quote>id_provider=ad</quote> genom att sätta ldap_use_togengroups till "
++"false för att begränsa gruppnästning."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:1093
+ msgid "Default: 2"
+-msgstr ""
++msgstr "Standard: 2"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd-ldap.5.xml:1099
+@@ -6446,122 +6486,126 @@ msgid ""
+ "This options enables or disables use of Token-Groups attribute when "
+ "performing initgroup for users from Active Directory Server 2008 and later."
+ msgstr ""
++"Detta alternativ aktiverar eller avaktiverar användningen av attributet "
++"Token-Groups när initgroup utförs för användare från Active Directory Server "
++"2008 och senare."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:1166
+ msgid "Default: True for AD and IPA otherwise False."
+-msgstr ""
++msgstr "Standard: true för AD och IPA annars false."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd-ldap.5.xml:1172
+ msgid "ldap_netgroup_object_class (string)"
+-msgstr ""
++msgstr "ldap_netgroup_object_class (sträng)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:1175
+ msgid "The object class of a netgroup entry in LDAP."
+-msgstr ""
++msgstr "Objektklassen hos en nätgruppspost i LDAP."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:1178
+ msgid "In IPA provider, ipa_netgroup_object_class should be used instead."
+-msgstr ""
++msgstr "I IPA-leverantören skall ipa_netgroup_object_class användas istället."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:1182
+ msgid "Default: nisNetgroup"
+-msgstr ""
++msgstr "Standard: nisNetgroup"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd-ldap.5.xml:1188
+ msgid "ldap_netgroup_name (string)"
+-msgstr ""
++msgstr "ldap_netgroup_name (sträng)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:1191
+ msgid "The LDAP attribute that corresponds to the netgroup name."
+-msgstr ""
++msgstr "LDAP-attributet som motsvarar nätgruppnamnet."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:1195
+ msgid "In IPA provider, ipa_netgroup_name should be used instead."
+-msgstr ""
++msgstr "I IPA-leverantören skall ipa_netgroup_name användas istället."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd-ldap.5.xml:1205
+ msgid "ldap_netgroup_member (string)"
+-msgstr ""
++msgstr "ldap_netgroup_member (sträng)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:1208
+ msgid "The LDAP attribute that contains the names of the netgroup's members."
+-msgstr ""
++msgstr "LDAP-attributet som innehåller namnen på nätgruppens medlemmar."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:1212
+ msgid "In IPA provider, ipa_netgroup_member should be used instead."
+-msgstr ""
++msgstr "I IPA-leverantören skall ipa_netgroup_member användas istället."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:1216
+ msgid "Default: memberNisNetgroup"
+-msgstr ""
++msgstr "Standard: memberNisNetgroup"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd-ldap.5.xml:1222
+ msgid "ldap_netgroup_triple (string)"
+-msgstr ""
++msgstr "ldap_netgroup_triple (sträng)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:1225
+ msgid ""
+ "The LDAP attribute that contains the (host, user, domain) netgroup triples."
+ msgstr ""
++"LDAP-attributet som innehåller nätgrupptrippeln (värd, användare, domän)."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:1229 sssd-ldap.5.xml:1245
+ msgid "This option is not available in IPA provider."
+-msgstr ""
++msgstr "Detta alternativ är inte tillgängligt i IPA-leverantören."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:1232
+ msgid "Default: nisNetgroupTriple"
+-msgstr ""
++msgstr "Standard: nisNetgroupTriple"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd-ldap.5.xml:1238
+ msgid "ldap_netgroup_modify_timestamp (string)"
+-msgstr ""
++msgstr "ldap_netgroup_modify_timestamp (sträng)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd-ldap.5.xml:1254
+ msgid "ldap_host_object_class (string)"
+-msgstr ""
++msgstr "ldap_host_object_class (sträng)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:1257
+ msgid "The object class of a host entry in LDAP."
+-msgstr ""
++msgstr "Objektklassen hos en värdpost i LDAP."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:1260 sssd-ldap.5.xml:1369
+ msgid "Default: ipService"
+-msgstr ""
++msgstr "Standard: ipService"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd-ldap.5.xml:1266
+ msgid "ldap_host_name (string)"
+-msgstr ""
++msgstr "ldap_host_name (sträng)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:1269 sssd-ldap.5.xml:1295
+ msgid "The LDAP attribute that corresponds to the host's name."
+-msgstr ""
++msgstr "LDAP-attributet som motsvarar värdens namn."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd-ldap.5.xml:1279
+ msgid "ldap_host_fqdn (string)"
+-msgstr ""
++msgstr "ldap_host_fqdn (sträng)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:1282
+@@ -6569,41 +6613,42 @@ msgid ""
+ "The LDAP attribute that corresponds to the host's fully-qualified domain "
+ "name."
+ msgstr ""
++"LDAP-attributet som motsvarar värdens fullständigt kvalificerade domännamn."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:1286
+ msgid "Default: fqdn"
+-msgstr ""
++msgstr "Standard: fqdn"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd-ldap.5.xml:1292
+ msgid "ldap_host_serverhostname (string)"
+-msgstr ""
++msgstr "ldap_host_serverhostname (sträng)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:1299
+ msgid "Default: serverHostname"
+-msgstr ""
++msgstr "Standard: serverHostname"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd-ldap.5.xml:1305
+ msgid "ldap_host_member_of (string)"
+-msgstr ""
++msgstr "ldap_host_member_of (sträng)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:1308
+ msgid "The LDAP attribute that lists the host's group memberships."
+-msgstr ""
++msgstr "LDAP-attributet som räknar upp värdens gruppmedlemskap."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd-ldap.5.xml:1318
+ msgid "ldap_host_search_base (string)"
+-msgstr ""
++msgstr "ldap_host_search_base (sträng)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:1321
+ msgid "Optional. Use the given string as search base for host objects."
+-msgstr ""
++msgstr "Frivillig.  Använd den givna strängen som en sökbas för värdobjekt."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:1325 sssd-ipa.5.xml:359 sssd-ipa.5.xml:378
+@@ -6612,46 +6657,48 @@ msgid ""
+ "See <quote>ldap_search_base</quote> for information about configuring "
+ "multiple search bases."
+ msgstr ""
++"Se <quote>ldap_search_base</quote> för information om konfiguration av "
++"multipla sökbaser."
+ 
+ #. type: Content of: <listitem><para>
+ #: sssd-ldap.5.xml:1330 sssd-ipa.5.xml:364 include/ldap_search_bases.xml:27
+ msgid "Default: the value of <emphasis>ldap_search_base</emphasis>"
+-msgstr ""
++msgstr "Standard: värdet på <emphasis>ldap_search_base</emphasis>"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd-ldap.5.xml:1337
+ msgid "ldap_host_ssh_public_key (string)"
+-msgstr ""
++msgstr "ldap_host_ssh_public_key (sträng)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:1340
+ msgid "The LDAP attribute that contains the host's SSH public keys."
+-msgstr ""
++msgstr "LDAP-attributet som innehåller värdens publika SSH-nycklar."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd-ldap.5.xml:1350
+ msgid "ldap_host_uuid (string)"
+-msgstr ""
++msgstr "ldap_host_uuid (sträng)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:1353
+ msgid "The LDAP attribute that contains the UUID/GUID of an LDAP host object."
+-msgstr ""
++msgstr "LDAP-attributet som innehåller UUID/GUID för ett LDAP-värdobjekt."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd-ldap.5.xml:1363
+ msgid "ldap_service_object_class (string)"
+-msgstr ""
++msgstr "ldap_service_object_class (sträng)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:1366
+ msgid "The object class of a service entry in LDAP."
+-msgstr ""
++msgstr "Objektklassen hos en servicepost i LDAP."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd-ldap.5.xml:1375
+ msgid "ldap_service_name (string)"
+-msgstr ""
++msgstr "ldap_service_name (sträng)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:1378
+@@ -6659,47 +6706,48 @@ msgid ""
+ "The LDAP attribute that contains the name of service attributes and their "
+ "aliases."
+ msgstr ""
++"LDAP-attributet som innehåller namnet på tjänsteattribut och deras alias."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd-ldap.5.xml:1388
+ msgid "ldap_service_port (string)"
+-msgstr ""
++msgstr "ldap_service_port (sträng)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:1391
+ msgid "The LDAP attribute that contains the port managed by this service."
+-msgstr ""
++msgstr "LDAP-attributet som innehåller porten som hanteras av denna tjänst."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:1395
+ msgid "Default: ipServicePort"
+-msgstr ""
++msgstr "Standard: ipServicePort"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd-ldap.5.xml:1401
+ msgid "ldap_service_proto (string)"
+-msgstr ""
++msgstr "ldap_service_proto (sträng)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:1404
+ msgid ""
+ "The LDAP attribute that contains the protocols understood by this service."
+-msgstr ""
++msgstr "LDAP-attributet som innehåller protokollen som denna tjänst förstår."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:1408
+ msgid "Default: ipServiceProtocol"
+-msgstr ""
++msgstr "Standard: ipServiceProtocol"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd-ldap.5.xml:1414
+ msgid "ldap_service_search_base (string)"
+-msgstr ""
++msgstr "ldap_service_search_base (sträng)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd-ldap.5.xml:1419
+ msgid "ldap_search_timeout (integer)"
+-msgstr ""
++msgstr "ldap_search_timeout (heltal)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:1422
+@@ -6708,6 +6756,8 @@ msgid ""
+ "before they are cancelled and cached results are returned (and offline mode "
+ "is entered)"
+ msgstr ""
++"Anger tiden (i sekunder) som ldap-sökningar tillåts köra före de annuleras "
++"och cachade resultat returneras (och går in i frånkopplat läge)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:1428
+@@ -6716,11 +6766,14 @@ msgid ""
+ "will likely be replaced at some point by a series of timeouts for specific "
+ "lookup types."
+ msgstr ""
++"Obs: detta alternativ kan komma att ändras i framtida versioner av SSSD.  "
++"Det kommer sannolikt ersättas vid någon tidpunkt med en serie tidsgränser "
++"för specifika uppslagningstyper."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd-ldap.5.xml:1440
+ msgid "ldap_enumeration_search_timeout (integer)"
+-msgstr ""
++msgstr "ldap_enumeration_search_timeout (heltal)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:1443
+@@ -6729,11 +6782,14 @@ msgid ""
+ "enumerations are allowed to run before they are cancelled and cached results "
+ "are returned (and offline mode is entered)"
+ msgstr ""
++"Anger tiden (i sekunder) som ldap-sökningar för användar- och "
++"gruppuppräkningar tillåts köra före de annuleras och cachade resultat "
++"returneras (och går in i frånkopplat läge)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd-ldap.5.xml:1456
+ msgid "ldap_network_timeout (integer)"
+-msgstr ""
++msgstr "ldap_network_timeout (heltal)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:1459
+@@ -6745,11 +6801,17 @@ msgid ""
+ "<refentrytitle>connect</refentrytitle> <manvolnum>2</manvolnum> </"
+ "citerefentry> returns in case of no activity."
+ msgstr ""
++"Anger tidsgränsen (i sekunder) efter vilken <citerefentry> "
++"<refentrytitle>poll</refentrytitle> <manvolnum>2</manvolnum> </citerefentry>/"
++"<citerefentry> <refentrytitle>select</refentrytitle> <manvolnum>2</"
++"manvolnum> </citerefentry> som följer efter en <citerefentry> "
++"<refentrytitle>connect</refentrytitle> <manvolnum>2</manvolnum> </"
++"citerefentry> returnerar om inget händer."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd-ldap.5.xml:1482
+ msgid "ldap_opt_timeout (integer)"
+-msgstr ""
++msgstr "ldap_opt_timeout (heltal)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:1485
+@@ -6759,11 +6821,16 @@ msgid ""
+ "communicating with the KDC in case of SASL bind, the timeout of an LDAP bind "
+ "operation, password change extended operation and the StartTLS operation."
+ msgstr ""
++"Anger en tid (i sekunder) efter vilken anrop till synkrona LDAP API:er "
++"kommer avbrytas om det inte kommer något svar.  Styr även tidsgränsen vid "
++"kommunikation med KDC:n i fallet SASL-bindningar, tidsgränsen för en LDAP-"
++"bindningsoperation, utökad operation för lösenordsändring och StartTLS-"
++"operationen."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd-ldap.5.xml:1500
+ msgid "ldap_connection_expire_timeout (integer)"
+-msgstr ""
++msgstr "ldap_connection_expire_timeout (heltal)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:1503
+@@ -6773,16 +6840,20 @@ msgid ""
+ "in parallel with SASL/GSSAPI, the sooner of the two values (this value vs. "
+ "the TGT lifetime)  will be used."
+ msgstr ""
++"Anger en tidsgräns (i sekunder) som en förbindelse med en LDAP-server kommer "
++"underhållas.  Efter den tiden kommer förbindelsen återetableras.  Om den "
++"används parallellt md SASL/GSSAPI kommer den tidigare av de två värdena "
++"(detta värde eller TGT-livslängden) användas."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:1511 sssd-ldap.5.xml:2620
+ msgid "Default: 900 (15 minutes)"
+-msgstr ""
++msgstr "Standard: 900 (15 minuter)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd-ldap.5.xml:1517
+ msgid "ldap_page_size (integer)"
+-msgstr ""
++msgstr "ldap_page_size (heltal)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:1520
+@@ -6790,16 +6861,18 @@ msgid ""
+ "Specify the number of records to retrieve from LDAP in a single request. "
+ "Some LDAP servers enforce a maximum limit per-request."
+ msgstr ""
++"Ange antalet poster som skall hämtas från LDAP i en enskild begäran.  Några "
++"LDAP-servrar framtvingar en maximal gräns per begäran."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:1525
+ msgid "Default: 1000"
+-msgstr ""
++msgstr "Standard: 1000"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd-ldap.5.xml:1531
+ msgid "ldap_disable_paging (boolean)"
+-msgstr ""
++msgstr "ldap_disable_paging (boolean)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:1534
+@@ -6808,6 +6881,9 @@ msgid ""
+ "server reports that it supports the LDAP paging control in its RootDSE but "
+ "it is not enabled or does not behave properly."
+ msgstr ""
++"Avaktivera flödesstyrningen (paging) av LDAP.  Detta alternativ bör användas "
++"om LDAP-servern rapporterar att den stödjer LDAP-flödesstyrning i sin "
++"RootDSE men det inte är aktiverat eller inte fungerar som det skall."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:1540
+@@ -6815,6 +6891,9 @@ msgid ""
+ "Example: OpenLDAP servers with the paging control module installed on the "
+ "server but not enabled will report it in the RootDSE but be unable to use it."
+ msgstr ""
++"Exempel: OpenLDAP-servrar med flödesstyrningsmodulen installerad på servern "
++"men inte aktiverad kommer rapportera det i RootDSE:n men inte kunna använda "
++"den."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:1546
+@@ -6823,16 +6902,19 @@ msgid ""
+ "a time on a single connection. On busy clients, this can result in some "
+ "requests being denied."
+ msgstr ""
++"Exempel: 389 DS har ett fel där den endast kan stödja en flödesstyrning åt "
++"gången på en enskild förbindelse.  På aktiva klienter kan detta resultera i "
++"att några begäranden nekas."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd-ldap.5.xml:1558
+ msgid "ldap_disable_range_retrieval (boolean)"
+-msgstr ""
++msgstr "ldap_disable_range_retrieval (boolean)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:1561
+ msgid "Disable Active Directory range retrieval."
+-msgstr ""
++msgstr "Avaktivera Active Directory intervallhämtning."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:1564
+@@ -6843,11 +6925,17 @@ msgid ""
+ "extension. This option disables parsing of the range extension, therefore "
+ "large groups will appear as having no members."
+ msgstr ""
++"Active Directory begränsar antalet medlemmar som kan hämtas i en enskild "
++"uppslagning med policyn MaxValRange (vilket som standard är 1500 "
++"medlemmar).  Om en grupp innehåller fler medlemmar skulle svaret innehålla "
++"en AD-specifik intervallutökning.  Detta alternativ avaktiverar tolkning av "
++"intervallutökningar, därför kommer stora grupper förefalla inte ha några "
++"medlemmar."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd-ldap.5.xml:1579
+ msgid "ldap_sasl_minssf (integer)"
+-msgstr ""
++msgstr "ldap_sasl_minssf (heltal)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:1582
+@@ -6856,16 +6944,19 @@ msgid ""
+ "security level necessary to establish the connection. The values of this "
+ "option are defined by OpenLDAP."
+ msgstr ""
++"Vid kommunikation med en LDAP-server med SASL, ange den minsta "
++"säkerhetsnivån som är nödvändig för att etablera förbindelsen.  Värdet på "
++"detta alternativ är definierat av OpenLDAP."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:1588
+ msgid "Default: Use the system default (usually specified by ldap.conf)"
+-msgstr ""
++msgstr "Standard: använd systemstandard (vanligen angivet i ldap.conf)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd-ldap.5.xml:1595
+ msgid "ldap_deref_threshold (integer)"
+-msgstr ""
++msgstr "ldap_deref_threshold (heltal)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:1598
+@@ -6874,6 +6965,9 @@ msgid ""
+ "cache in order to trigger a dereference lookup. If less members are missing, "
+ "they are looked up individually."
+ msgstr ""
++"Ange antalet gruppmedlemmar som måste saknas i den interna cachen för att "
++"orsaka en derefereringsuppslagning.  Om färre medlemmar saknas slås de up "
++"individuellt."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:1604
+@@ -6885,6 +6979,12 @@ msgid ""
+ "the server supports it and advertises the dereference control in the rootDSE "
+ "object."
+ msgstr ""
++"Du kan slå av derefereringsuppslagningar helt genom att sätta värdet till "
++"0.  Observera att det finns några kodvägar i SSSD, som IPA HBAC-"
++"leverantören, som endast är implementerade med derefereringsanropet, så att "
++"även med dereferens uttryckligen avaktiverat kommer dessa delar åndå använda "
++"dereferenser om servern stödjer det och annonserar derefereringsstyrning i "
++"rootDSE-objektet."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:1615
+@@ -6894,6 +6994,10 @@ msgid ""
+ "methods. The currently supported servers are 389/RHDS, OpenLDAP and Active "
+ "Directory."
+ msgstr ""
++"En derefereringsuppslagning är ett sätt att hämta alla gruppmedlemmar i ett "
++"enda LDAP-anrop.  Olika LDAP-servrar kan implementera olika "
++"derefereringsmetoder.  De servrar som stödjs för närvarande är 389(RHDS, "
++"OpenLDAP och Active Directory."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:1623
+@@ -6902,11 +7006,14 @@ msgid ""
+ "filter, then the dereference lookup performance enhancement will be disabled "
+ "regardless of this setting."
+ msgstr ""
++"<emphasis>Obs:</emphasis> om någon av sökbaserna anger ett sökfilter, då "
++"kommer prestandaförbättringen med derefereringsuppslagningar avaktiveras "
++"oavsett denna inställning."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd-ldap.5.xml:1636
+ msgid "ldap_tls_reqcert (string)"
+-msgstr ""
++msgstr "ldap_tls_reqcert (sträng)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:1639
+@@ -6914,6 +7021,8 @@ msgid ""
+ "Specifies what checks to perform on server certificates in a TLS session, if "
+ "any. It can be specified as one of the following values:"
+ msgstr ""
++"Anger vilka kontroller som utförs av servercertifikat i en TLS-session, om "
++"några.  Det kan anges som ett av följande värden:"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:1645
+@@ -6921,6 +7030,8 @@ msgid ""
+ "<emphasis>never</emphasis> = The client will not request or check any server "
+ "certificate."
+ msgstr ""
++"<emphasis>never</emphasis> = Klienten kommer inte begära eller kontrollera "
++"några servercertifikat."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:1649
+@@ -6929,6 +7040,9 @@ msgid ""
+ "certificate is provided, the session proceeds normally. If a bad certificate "
+ "is provided, it will be ignored and the session proceeds normally."
+ msgstr ""
++"<emphasis>allow</emphasis> = Servercertifikatet begärs.  Om inget certifikat "
++"tillhandahålls fortsätter sessionen normalt.  Om ett felaktigt certifikat "
++"tillhandahålls kommer det ignoreras och sessionen fortsätta normalt."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:1656
+@@ -6937,6 +7051,9 @@ msgid ""
+ "certificate is provided, the session proceeds normally. If a bad certificate "
+ "is provided, the session is immediately terminated."
+ msgstr ""
++"<emphasis>try</emphasis> = Servercertifikatet begärs.  Om inget certifikat "
++"tillhandahålls fortsätter sessionen normalt.  Om ett felaktigt certifikat "
++"tillhandahålls avslutas sessionen omedelbart."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:1662
+@@ -6945,21 +7062,24 @@ msgid ""
+ "certificate is provided, or a bad certificate is provided, the session is "
+ "immediately terminated."
+ msgstr ""
++"<emphasis>demand</emphasis> = Servercertifikatet begärs.  Om inget "
++"certifikat tillhandahålls eller ett felaktigt certifikat tillhandahålls "
++"avslutas sessionen omedelbart."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:1668
+ msgid "<emphasis>hard</emphasis> = Same as <quote>demand</quote>"
+-msgstr ""
++msgstr "<emphasis>hard</emphasis> = Samma som <quote>demand</quote>"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:1672
+ msgid "Default: hard"
+-msgstr ""
++msgstr "Standard: hard"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd-ldap.5.xml:1678
+ msgid "ldap_tls_cacert (string)"
+-msgstr ""
++msgstr "ldap_tls_cacert (sträng)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:1681
+@@ -6967,6 +7087,8 @@ msgid ""
+ "Specifies the file that contains certificates for all of the Certificate "
+ "Authorities that <command>sssd</command> will recognize."
+ msgstr ""
++"Anger filen som innehåller certifikat för alla Certifikatauktoriteterna som "
++"<command>sssd</command> kommer godkänna."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:1686 sssd-ldap.5.xml:1704 sssd-ldap.5.xml:1745
+@@ -6974,11 +7096,13 @@ msgid ""
+ "Default: use OpenLDAP defaults, typically in <filename>/etc/openldap/ldap."
+ "conf</filename>"
+ msgstr ""
++"Standard: använd standardvärden för OpenLDAP, typiskt i <filename>/etc/"
++"openldap/ldap.conf</filename>"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd-ldap.5.xml:1693
+ msgid "ldap_tls_cacertdir (string)"
+-msgstr ""
++msgstr "ldap_tls_cacertdir (sträng)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:1696
+@@ -6988,31 +7112,36 @@ msgid ""
+ "be the hash of the certificate followed by '.0'.  If available, "
+ "<command>cacertdir_rehash</command> can be used to create the correct names."
+ msgstr ""
++"Anger sökvägen till en katalog som innehåller certifikat för "
++"Certifikatauktoriteter i individuella filer.  Typiskt måste filnamnen vara "
++"konstrollsummor av certifikaten följda av ”.0”.  Om det är tillgängligt kan "
++"<command>cacertdir_rehash</command> användas för att skapa de korrekta "
++"namnen."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd-ldap.5.xml:1711
+ msgid "ldap_tls_cert (string)"
+-msgstr ""
++msgstr "ldap_tls_cert (sträng)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:1714
+ msgid "Specifies the file that contains the certificate for the client's key."
+-msgstr ""
++msgstr "Anger filen som innehåller certifikatet för klientens nyckel."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd-ldap.5.xml:1724
+ msgid "ldap_tls_key (string)"
+-msgstr ""
++msgstr "ldap_tls_key (sträng)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:1727
+ msgid "Specifies the file that contains the client's key."
+-msgstr ""
++msgstr "Anger filen som innehåller klientens nyckel."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd-ldap.5.xml:1736
+ msgid "ldap_tls_cipher_suite (string)"
+-msgstr ""
++msgstr "ldap_tls_cipher_suite (sträng)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:1739
+@@ -7021,11 +7150,14 @@ msgid ""
+ "list.  See <citerefentry><refentrytitle>ldap.conf</refentrytitle> "
+ "<manvolnum>5</manvolnum></citerefentry> for format."
+ msgstr ""
++"Anger acceptabla chiffersviter.  Typiskt är detta en kolonseparerad lista.  "
++"Se <citerefentry><refentrytitle>ldap.conf</refentrytitle> <manvolnum>5</"
++"manvolnum></citerefentry> för formatet."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd-ldap.5.xml:1752
+ msgid "ldap_id_use_start_tls (boolean)"
+-msgstr ""
++msgstr "ldap_id_use_start_tls (boolean)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:1755
+@@ -7033,11 +7165,13 @@ msgid ""
+ "Specifies that the id_provider connection must also use <systemitem class="
+ "\"protocol\">tls</systemitem> to protect the channel."
+ msgstr ""
++"Anger att id-leverantörsförbindelsen också måste använda <systemitem class="
++"\"protocol\">tls</systemitem> för att skydda kanalen."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd-ldap.5.xml:1765
+ msgid "ldap_id_mapping (boolean)"
+-msgstr ""
++msgstr "ldap_id_mapping (boolean)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:1768
+@@ -7046,16 +7180,20 @@ msgid ""
+ "ldap_user_objectsid and ldap_group_objectsid attributes instead of relying "
+ "on ldap_user_uid_number and ldap_group_gid_number."
+ msgstr ""
++"Anger att SSSD skall försöka översätta användar- och grupp-ID:n från "
++"attributen ldap_user_objectsid och ldap_group_objectsid istället för att "
++"förlita sig på ldap_user_uid_number och ldap_group_gid_number."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:1774
+ msgid "Currently this feature supports only ActiveDirectory objectSID mapping."
+ msgstr ""
++"För närvarande stödjer denna funktion endast Active Direcotory objectSID"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd-ldap.5.xml:1784
+ msgid "ldap_min_id, ldap_max_id (integer)"
+-msgstr ""
++msgstr "ldap_min_id, ldap_max_id (heltal)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:1787
+@@ -7067,16 +7205,23 @@ msgid ""
+ "can be set to restrict the allowed range for the IDs which are read directly "
+ "from the server. Sub-domains can then pick other ranges to map IDs."
+ msgstr ""
++"I kontrast mot den SID-baserade ID-översättningen som används om "
++"ldap_id_mapping är satt till sant är det tillåtna ID-intervallet för "
++"ldap_user_uid_number och ldap_group_gid_number obegränsat. I en uppsättning "
++"med underdomäner/betrodda domäner kan detta leda till ID-kollisioner.  För "
++"att undvika kollisioner kan ldap_min_id och ldap_max_id sättas till att "
++"begränsa det tillåtna intervallet för ID:na som läses direkt från servern.  "
++"Underdomäner kan sedan välja andra intervall för att översätta ID:n."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:1799
+ msgid "Default: not set (both options are set to 0)"
+-msgstr ""
++msgstr "Standard: inte satt (båda alternativen är satta till 0)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd-ldap.5.xml:1805
+ msgid "ldap_sasl_mech (string)"
+-msgstr ""
++msgstr "ldap_sasl_mech (sträng)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:1808
+@@ -7084,6 +7229,8 @@ msgid ""
+ "Specify the SASL mechanism to use.  Currently only GSSAPI and GSS-SPNEGO are "
+ "tested and supported."
+ msgstr ""
++"Ange SASL-mekanismen att använda.  För närvarande testas och stödjs endast "
++"GSSAPI och GSS-SPNEGO."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:1812
+@@ -7095,11 +7242,16 @@ msgid ""
+ "<citerefentry><refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</"
+ "manvolnum></citerefentry> for details."
+ msgstr ""
++"Om bakänden stödjer underdomäner ärvs automatiskt värdet av ldap_sasl_mech "
++"till underdomänerna.  Om ett annat värde behövs för en underdomän kan det "
++"skrivas över genom att sätta ldap_sasl_mech för denna underdomän explicit.  "
++"Se avsnittet SEKTIONEN BETRODDA DOMÄNER i <citerefentry><refentrytitle>sssd."
++"conf</refentrytitle> <manvolnum>5</manvolnum></citerefentry> för detaljer."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd-ldap.5.xml:1828
+ msgid "ldap_sasl_authid (string)"
+-msgstr ""
++msgstr "ldap_sasl_authid (sträng)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
+ #: sssd-ldap.5.xml:1840
+@@ -7113,6 +7265,13 @@ msgid ""
+ "host/*\n"
+ "                            "
+ msgstr ""
++"värdnamn@RIKE\n"
++"netbiosnamn$@RIKE\n"
++"host/värdnamn@RIKE\n"
++"*$@RIKE\n"
++"host/*@RIKE\n"
++"host/*\n"
++"                            "
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:1831
+@@ -7125,16 +7284,24 @@ msgid ""
+ "used: <placeholder type=\"programlisting\" id=\"0\"/> If none of them are "
+ "found, the first principal in keytab is returned."
+ msgstr ""
++"Ange SASL-auktoriseringes-id:t att använda.  När GSSAPI/GSS-SPNEGO används "
++"representerar detta Kerberos-huvudmannen som används för autentisering till "
++"katalogen.  Detta alternativ kan antingen innehålla den fullständiga "
++"huvudmannen (till exempel host/minvärd@EXEMPEL.SE) eller bara "
++"huvudmannanamnet (till exempel host/minvärd).  Som standard är värdet inte "
++"satt och följande huvudmän används: <placeholder type=\"programlisting\" id="
++"\"0\"/>  Om ingen av dem kan hittas returneras den första huvudmannen i "
++"keytab."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:1851
+ msgid "Default: host/hostname@REALM"
+-msgstr ""
++msgstr "Standard: host/värdnamn@RIKE"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd-ldap.5.xml:1857
+ msgid "ldap_sasl_realm (string)"
+-msgstr ""
++msgstr "ldap_sasl_realm (sträng)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:1860
+@@ -7143,16 +7310,19 @@ msgid ""
+ "the value of krb5_realm.  If the ldap_sasl_authid contains the realm as "
+ "well, this option is ignored."
+ msgstr ""
++"Ange SASL-riket att använda.  När det inte anges får detta alternativ "
++"standardvärdet från krb5_realm.  Om ldap_sasl_authid också innehåller riket "
++"ignoreras detta alternativ."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:1866
+ msgid "Default: the value of krb5_realm."
+-msgstr ""
++msgstr "Standard: värdet på krb5_realm."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd-ldap.5.xml:1872
+ msgid "ldap_sasl_canonicalize (boolean)"
+-msgstr ""
++msgstr "ldap_sasl_canonicalize (boolean)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:1875
+@@ -7160,31 +7330,35 @@ msgid ""
+ "If set to true, the LDAP library would perform a reverse lookup to "
+ "canonicalize the host name during a SASL bind."
+ msgstr ""
++"Om satt till sant kommer LDAP-biblioteket utföra en omvänd uppslagning för "
++"att ta fram värdnamnets kanoniska form under en SASL-bindning"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:1880
+ msgid "Default: false;"
+-msgstr ""
++msgstr "Standard: false;"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd-ldap.5.xml:1886
+ msgid "ldap_krb5_keytab (string)"
+-msgstr ""
++msgstr "ldap_krb5_keytab (sträng)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:1889
+ msgid "Specify the keytab to use when using SASL/GSSAPI/GSS-SPNEGO."
+ msgstr ""
++"Ange den keytab som skall användas vid användning av SASL/GSSAPI/GSS-SPNEGO."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:1893
+ msgid "Default: System keytab, normally <filename>/etc/krb5.keytab</filename>"
+ msgstr ""
++"Standard: Systemets keytab, normalt <filename>/etc/krb5.keytab</filename>"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd-ldap.5.xml:1899
+ msgid "ldap_krb5_init_creds (boolean)"
+-msgstr ""
++msgstr "ldap_krb5_init_creds (boolean)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:1902
+@@ -7193,27 +7367,31 @@ msgid ""
+ "action is performed only if SASL is used and the mechanism selected is "
+ "GSSAPI or GSS-SPNEGO."
+ msgstr ""
++"Anger att id-leverantören skall initiiera Kerberoskreditiv (TGT).  Denna "
++"åtgärd utförs endast om SASL används och den valda mekanismen är GSSAPI "
++"eller GSS-SPNEGO."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd-ldap.5.xml:1914
+ msgid "ldap_krb5_ticket_lifetime (integer)"
+-msgstr ""
++msgstr "ldap_krb5_ticket_lifetime (heltal)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:1917
+ msgid ""
+ "Specifies the lifetime in seconds of the TGT if GSSAPI or GSS-SPNEGO is used."
+ msgstr ""
++"Anger livslängden i sekunder på TGT:n om GSSAPI eller GSS-SPNEGO används."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:1921 sssd-ad.5.xml:978
+ msgid "Default: 86400 (24 hours)"
+-msgstr ""
++msgstr "Standard: 86400 (24 timmar)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd-ldap.5.xml:1927 sssd-krb5.5.xml:74
+ msgid "krb5_server, krb5_backup_server (string)"
+-msgstr ""
++msgstr "krb5_server, krb5_backup_server (sträng)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:1930
+@@ -7251,26 +7429,30 @@ msgid ""
+ "While the legacy name is recognized for the time being, users are advised to "
+ "migrate their config files to use <quote>krb5_server</quote> instead."
+ msgstr ""
++"Dettas alternativ hade namnet <quote>krb5_kdcip</quote> i tidigare utgåvor "
++"av SSSD.  Medan det äldre namnet känns igen tills vidare rekommenderas "
++"användare att migrera sina konfigurationsfiler till att använda "
++"<quote>krb5_server</quote> istället."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd-ldap.5.xml:1956 sssd-ipa.5.xml:428 sssd-krb5.5.xml:103
+ msgid "krb5_realm (string)"
+-msgstr ""
++msgstr "krb5_realm (sträng)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:1959
+ msgid "Specify the Kerberos REALM (for SASL/GSSAPI/GSS-SPNEGO auth)."
+-msgstr ""
++msgstr "Ange Kerberos-RIKE (för SASL/GSSAPI/GSS-SPNEGO aut)."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:1963
+ msgid "Default: System defaults, see <filename>/etc/krb5.conf</filename>"
+-msgstr ""
++msgstr "Standard: Systemstandard, se <filename>/etc/krb5.conf</filename>"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd-ldap.5.xml:1969 sssd-krb5.5.xml:462
+ msgid "krb5_canonicalize (boolean)"
+-msgstr ""
++msgstr "krb5_canonicalize (boolean)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:1972
+@@ -7278,11 +7460,13 @@ msgid ""
+ "Specifies if the host principal should be canonicalized when connecting to "
+ "LDAP server. This feature is available with MIT Kerberos >= 1.7"
+ msgstr ""
++"Anger om värdens huvudman skall göras kononisk vid anslutning till LDAP-"
++"servern.  Denna funktion är tillgänglig med MIT Kerberos ≥ 1.7"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd-ldap.5.xml:1984 sssd-krb5.5.xml:477
+ msgid "krb5_use_kdcinfo (boolean)"
+-msgstr ""
++msgstr "krb5_use_kdcinfo (boolean)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:1987 sssd-krb5.5.xml:480
+@@ -7293,6 +7477,11 @@ msgid ""
+ "<refentrytitle>krb5.conf</refentrytitle> <manvolnum>5</manvolnum> </"
+ "citerefentry> configuration file."
+ msgstr ""
++"Anger om SSSD skall instruera Kerberos-biblioteken om vilket rike och vilka "
++"KDC:er som skall användas.  Detta alternativ är på som standard, om du "
++"avaktiverar det behöver du konfigurera Kerberos-biblioteket i "
++"konfigurationsfilen <citerefentry> <refentrytitle>krb5.conf</refentrytitle> "
++"<manvolnum>5</manvolnum> </citerefentry>."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:1998 sssd-krb5.5.xml:491
+@@ -7301,11 +7490,14 @@ msgid ""
+ "refentrytitle> <manvolnum>8</manvolnum> </citerefentry> manual page for more "
+ "information on the locator plugin."
+ msgstr ""
++"Se manualsidan <citerefentry> <refentrytitle>sssd_krb5_locator_plugin</"
++"refentrytitle> <manvolnum>8</manvolnum> </citerefentry> för mer information "
++"om lokaliseringsinsticksmodulen."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd-ldap.5.xml:2012
+ msgid "ldap_pwd_policy (string)"
+-msgstr ""
++msgstr "ldap_pwd_policy (sträng)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:2015
+@@ -7313,6 +7505,8 @@ msgid ""
+ "Select the policy to evaluate the password expiration on the client side. "
+ "The following values are allowed:"
+ msgstr ""
++"Välj policyn för att utvärdera utgång av lösenord på klientsidan.  Följande "
++"värden är tillåtna:"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:2020
+@@ -7320,6 +7514,8 @@ msgid ""
+ "<emphasis>none</emphasis> - No evaluation on the client side. This option "
+ "cannot disable server-side password policies."
+ msgstr ""
++"<emphasis>none</emphasis> – Ingen utvärdering på klientsidan.  Detta "
++"alternativ kan inte avaktivera lösenordspolicyer på serversidan."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:2025
+@@ -7328,6 +7524,9 @@ msgid ""
+ "refentrytitle> <manvolnum>5</manvolnum></citerefentry> style attributes to "
+ "evaluate if the password has expired."
+ msgstr ""
++"<emphasis>shadow</emphasis> – Använd attribut i stilen "
++"<citerefentry><refentrytitle>shadow</refentrytitle> <manvolnum>5</"
++"manvolnum></citerefentry> för att utvärdera om lösenordet har gått ut."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:2031
+@@ -7336,6 +7535,9 @@ msgid ""
+ "to determine if the password has expired. Use chpass_provider=krb5 to update "
+ "these attributes when the password is changed."
+ msgstr ""
++"<emphasis>mit_kerberos</emphasis> – Använd attributen som används av MIT "
++"Kerberos för att avgöra om lösenordet har gått ut.  Använd "
++"chpass_provider=krb5 för att uppdatera dessa attribut när läsenordet ändras."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:2040
+@@ -7343,16 +7545,18 @@ msgid ""
+ "<emphasis>Note</emphasis>: if a password policy is configured on server "
+ "side, it always takes precedence over policy set with this option."
+ msgstr ""
++"<emphasis>Obs</emphasis>: om en lösenordspolicy konfigureras på serversidan "
++"kommer den alltid gå före framför policyn som sätts med detta alternativ."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd-ldap.5.xml:2048
+ msgid "ldap_referrals (boolean)"
+-msgstr ""
++msgstr "ldap_referrals (boolean)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:2051
+ msgid "Specifies whether automatic referral chasing should be enabled."
+-msgstr ""
++msgstr "Anger huruvida automatisk uppföljning av referenser skall aktiveras."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:2055
+@@ -7360,6 +7564,8 @@ msgid ""
+ "Please note that sssd only supports referral chasing when it is compiled "
+ "with OpenLDAP version 2.4.13 or higher."
+ msgstr ""
++"Observera att sssd endast stödjer uppföljning av referenser när den är "
++"kompilerad med OpenLDAP version 2.4.13 eller senare."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:2060
+@@ -7369,11 +7575,15 @@ msgid ""
+ "does not in fact require the use of referrals, setting this option to false "
+ "might bring a noticeable performance improvement."
+ msgstr ""
++"Att följa upp referenser kan orsaka en prestandaförlust i miljöer som "
++"använder dem mycket, ett notabelt exempel är Microsoft Active Directory.  Om "
++"din uppsättning inte faktiskt behöver använda referenser kan att sätta detta "
++"alternativ till falskt medföra en märkbar prestandaförbättring."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd-ldap.5.xml:2074
+ msgid "ldap_dns_service_name (string)"
+-msgstr ""
++msgstr "ldap_dns_service_name (sträng)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:2077
+@@ -7384,12 +7594,12 @@ msgstr ""
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:2081
+ msgid "Default: ldap"
+-msgstr ""
++msgstr "Standard: ldap"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd-ldap.5.xml:2087
+ msgid "ldap_chpass_dns_service_name (string)"
+-msgstr ""
++msgstr "ldap_chpass_dns_service_name (sträng)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:2090
+@@ -7408,7 +7618,7 @@ msgstr "Standard: inte satt, d.v.s. tjänsteupptäckt är avaktiverat"
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd-ldap.5.xml:2101
+ msgid "ldap_chpass_update_last_change (bool)"
+-msgstr ""
++msgstr "ldap_chpass_update_last_change (boolean)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:2104
+@@ -7416,11 +7626,13 @@ msgid ""
+ "Specifies whether to update the ldap_user_shadow_last_change attribute with "
+ "days since the Epoch after a password change operation."
+ msgstr ""
++"Anger huruvida attributet ldap_user_shadow_last_change skall uppdateras med "
++"dagar sedan epoken efter en ändring av lösenord."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd-ldap.5.xml:2116
+ msgid "ldap_access_filter (string)"
+-msgstr ""
++msgstr "ldap_access_filter (sträng)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:2119
+@@ -7437,11 +7649,23 @@ msgid ""
+ "<citerefentry> <refentrytitle>sssd-simple</refentrytitle><manvolnum>5</"
+ "manvolnum> </citerefentry>."
+ msgstr ""
++"Om man använder access_provider = ldap och ldap_access_order = filter "
++"(standard) är detta alternativ nödvändigt.  Det anger ett LDAP-"
++"sökfilterkriterium som måste uppfyllas för att användaren skall ges åtkomst "
++"till denna värd.  Om access_provider = ldap, ldap_access_order = filter och "
++"detta alternativ inte är satt kommer det resultera i att alla användare "
++"nekas åtkomst.  Använd access_provider = permit för att ändra detta "
++"standardbeteende.  Observera att detta filter endast tillämpas på LDAP-"
++"användarposten och därmed filter baserade på nestade grupper kanske inte "
++"fungerar (t.ex. attributet memberOf i AD-poster pekar endast på direkta "
++"föräldrar).  Om filtrering baserad på nästade grupper behövs, se "
++"<citerefentry> <refentrytitle>sssd-simple</refentrytitle><manvolnum>5</"
++"manvolnum> </citerefentry>."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:2139
+ msgid "Example:"
+-msgstr ""
++msgstr "Exempel:"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><programlisting>
+ #: sssd-ldap.5.xml:2142
+@@ -7451,6 +7675,9 @@ msgid ""
+ "ldap_access_filter = (employeeType=admin)\n"
+ "                        "
+ msgstr ""
++"access_provider = ldap\n"
++"ldap_access_filter = (employeeType=admin)\n"
++"                        "
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:2146
+@@ -7458,6 +7685,8 @@ msgid ""
+ "This example means that access to this host is restricted to users whose "
+ "employeeType attribute is set to \"admin\"."
+ msgstr ""
++"Detta exempel betyder att åtkomst till denna värd är begränsad till "
++"användare vars attribut employeeType är satt till ”admin”."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:2151
+@@ -7467,16 +7696,20 @@ msgid ""
+ "access during their last login, they will continue to be granted access "
+ "while offline and vice versa."
+ msgstr ""
++"Frånkopplad cachning för denna funktion är begränsad till att avgöra "
++"huruvida användarens senaste uppkopplade inloggning tilläts "
++"åtkomsträttigheter.  Om de tilläts vid senaste inloggningen kommmer de "
++"fortsätta ges åtkomst under frånkoppling, och vice versa."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:2159 sssd-ldap.5.xml:2216
+ msgid "Default: Empty"
+-msgstr ""
++msgstr "Standard: Empty"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd-ldap.5.xml:2165
+ msgid "ldap_account_expire_policy (string)"
+-msgstr ""
++msgstr "ldap_account_expire_policy (sträng)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:2168
+@@ -7484,6 +7717,8 @@ msgid ""
+ "With this option a client side evaluation of access control attributes can "
+ "be enabled."
+ msgstr ""
++"Med detta alternativ kan en utvärdering på klientsidan av "
++"åtkomststyrningsattribut aktiveras."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:2172
+@@ -7492,11 +7727,14 @@ msgid ""
+ "i.e. the LDAP server should deny the bind request with a suitable error code "
+ "even if the password is correct."
+ msgstr ""
++"Observera att det alltid är rekommenderat att använda åtkomstkontroll på "
++"serversidan, d.v.s. LDAP-servern skall neka bindningsbegäran med en passande "
++"felkod även om lösenordet är korrekt."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:2179
+ msgid "The following values are allowed:"
+-msgstr ""
++msgstr "Följande värden är tillåtna:"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:2182
+@@ -7504,6 +7742,8 @@ msgid ""
+ "<emphasis>shadow</emphasis>: use the value of ldap_user_shadow_expire to "
+ "determine if the account is expired."
+ msgstr ""
++"<emphasis>shadow</emphasis>: använd värdet på ldap_user_shadow_expire för "
++"att avgöra om kontot har gått ut."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:2187
+@@ -7513,6 +7753,10 @@ msgid ""
+ "set. If the attribute is missing access is granted. Also the expiration time "
+ "of the account is checked."
+ msgstr ""
++"<emphasis>ad</emphasis>: använd värdet på 32-bitarsfältet "
++"ldap_user_ad_user_account_control och tillåt åtkomst om den andra biten är "
++"satt eller inte.  Om attributet saknas tillåts åtkomst.  Utgångstiden för "
++"kontot kontrolleras också."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:2194
+@@ -7521,6 +7765,9 @@ msgid ""
+ "emphasis>: use the value of ldap_ns_account_lock to check if access is "
+ "allowed or not."
+ msgstr ""
++"<emphasis>rhds</emphasis>, <emphasis>ipa</emphasis>, <emphasis>389ds</"
++"emphasis>: använd värdet på ldap_ns_account_lock för att avgöra om åtkomst "
++"tillåts eller inte."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:2200
+@@ -7530,6 +7777,10 @@ msgid ""
+ "ldap_user_nds_login_expiration_time are used to check if access is allowed. "
+ "If both attributes are missing access is granted."
+ msgstr ""
++"<emphasis>nds</emphasis>: värdena på ldap_user_nds_login_allowed_time_map, "
++"ldap_user_nds_login_disabled och ldap_user_nds_login_expiration_time används "
++"för att avgöra om åtkomst tillåts.  Om båda attributen saknas tillåts "
++"åtkomst."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:2209
+@@ -7538,21 +7789,25 @@ msgid ""
+ "emphasis> include <quote>expire</quote> in order for the "
+ "ldap_account_expire_policy option to work."
+ msgstr ""
++"Observera att konfigurationsalternativet ldap_access_order <emphasis>måste</"
++"emphasis> innehålla <quote>expire</quote> för att alternativet "
++"ldap_account_expire_policy skall fungera."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd-ldap.5.xml:2222
+ msgid "ldap_access_order (string)"
+-msgstr ""
++msgstr "ldap_access_order (sträng)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:2225
+ msgid "Comma separated list of access control options.  Allowed values are:"
+ msgstr ""
++"Kommaseparerad lista över åtkomststyrningsalternativ.  Tillåtna värden är:"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:2229
+ msgid "<emphasis>filter</emphasis>: use ldap_access_filter"
+-msgstr ""
++msgstr "<emphasis>filter</emphasis>: använd ldap_access_filter"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:2232
+@@ -7563,6 +7818,11 @@ msgid ""
+ "Please note that 'access_provider = ldap' must be set for this feature to "
+ "work."
+ msgstr ""
++"<emphasis>lockout</emphasis>: använd kontolåsning.  Om satt nekar detta "
++"alternativ åtkomst ifall ldap-attributet ”pwdAccountLockedTime” finns och "
++"har värdet ”000001010000Z”. Se alternativet ldap_pwdlockout_dn.  Observera "
++"att ”access_provider = ldap” måste vara satt för att denna funktion skall "
++"fungera."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:2242
+@@ -7570,6 +7830,9 @@ msgid ""
+ "<emphasis> Please note that this option is superseded by the <quote>ppolicy</"
+ "quote> option and might be removed in a future release.  </emphasis>"
+ msgstr ""
++"<emphasis>Observera att detta alternativ ersätts av alternativet "
++"<quote>ppolicy</quote> och kan komma att tas bort i en framtida utgåva.</"
++"emphasis>"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:2249
+@@ -7583,11 +7846,19 @@ msgid ""
+ "the option ldap_pwdlockout_dn.  Please note that 'access_provider = ldap' "
+ "must be set for this feature to work."
+ msgstr ""
++"<emphasis>ppolicy</emphasis>: använd kontolåsning.  Om satt nekar detta "
++"alternativ åtkomst ifall ldap-attributet ”pwdAccountLockedTime” finns och "
++"har värdet ”000001010000Z” eller representerar en tidpunkt i det förgångna.  "
++"Värdet på attributet ”pwdAccountLockedTime” måste sluta med ”Z”, som "
++"markerar tidszonen UTC.  Andra tidszoner stödjs för närvarande inte och "
++"kommer resultera i ”access-denied” när användare försöker logga in.  Se "
++"alternativet ldap_pwdlockout_dn.  Observera att ”access_provider = ldap” "
++"måste vara satt för att denna funktion skall fungera."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:2266
+ msgid "<emphasis>expire</emphasis>: use ldap_account_expire_policy"
+-msgstr ""
++msgstr "<emphasis>expire</emphasis>: använd ldap_account_expire_policy"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:2270
+@@ -7598,6 +7869,11 @@ msgid ""
+ "authentication is based on using a different method than passwords - for "
+ "example SSH keys."
+ msgstr ""
++"<emphasis>pwd_expire_policy_reject, pwd_expire_policy_warn, "
++"pwd_expire_policy_renew: </emphasis>  Dessa alternativ är användbara om "
++"användare vill bli varnade att lösenordet är på gång att gå ut och "
++"autentisering är baserat på användning av en annan metod än lösenord – till "
++"exempel SSH-nycklar."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:2280
+@@ -7608,12 +7884,18 @@ msgid ""
+ "pwd_expire_policy_renew - user is prompted to change his password "
+ "immediately."
+ msgstr ""
++"Skillnadem mellan dessa alternativ är åtgärden som vidtas om användarens "
++"lösenord gått ut: pwd_expire_policy_reject – användaren nekas att logga in, "
++"pwd_expire_policy_warn – användaren kan fortfarande logga in, "
++"pwd_expire_policy_renew – användaren ombeds ändra sitt lösenord omedelbart."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:2288
+ msgid ""
+ "Note If user password is expired no explicit message is prompted by SSSD."
+ msgstr ""
++"Observera att om användarlösenordet har gått ut ges inget särskilt "
++"meddelande av SSSD."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:2292
+@@ -7621,6 +7903,9 @@ msgid ""
+ "Please note that 'access_provider = ldap' must be set for this feature to "
+ "work. Also 'ldap_pwd_policy' must be set to an appropriate password policy."
+ msgstr ""
++"Observera att ”access_provider = ldap” måste vara satt för att denna "
++"funktion skall fungera.  ”ldap_pwd_policy” måste också vara satt till en "
++"lämplig lösenordspolicy."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:2297
+@@ -7628,11 +7913,14 @@ msgid ""
+ "<emphasis>authorized_service</emphasis>: use the authorizedService attribute "
+ "to determine access"
+ msgstr ""
++"<emphasis>authorized_service</emphasis>: använd attrobitet authorizedService "
++"för att avgöra åtkomst"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:2302
+ msgid "<emphasis>host</emphasis>: use the host attribute to determine access"
+ msgstr ""
++"<emphasis>host</emphasis>: använd attributet host för att avgöra åtkomst"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:2306
+@@ -7640,6 +7928,8 @@ msgid ""
+ "<emphasis>rhost</emphasis>: use the rhost attribute to determine whether "
+ "remote host can access"
+ msgstr ""
++"<emphasis>rhost</emphasis>: använd attrobitet rhost för att avgöra huruvida "
++"fjärrvärdar kan få åtkomst"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:2310
+@@ -7647,11 +7937,14 @@ msgid ""
+ "Please note, rhost field in pam is set by application, it is better to check "
+ "what the application sends to pam, before enabling this access control option"
+ msgstr ""
++"Observera, rhost-fältet i pam sätts av programmet, det är bättre att "
++"kontrollera vad programmet skickar till pam, före detta alternativ för "
++"åtkomstkontroll aktiveras"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:2315
+ msgid "Default: filter"
+-msgstr ""
++msgstr "Standard: filter"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:2318
+@@ -7659,11 +7952,13 @@ msgid ""
+ "Please note that it is a configuration error if a value is used more than "
+ "once."
+ msgstr ""
++"Observera att det är ett konfigurationsfel om ett värde används mer än en "
++"gång."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd-ldap.5.xml:2325
+ msgid "ldap_pwdlockout_dn (string)"
+-msgstr ""
++msgstr "ldap_pwdlockout_dn (sträng)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:2328
+@@ -7673,21 +7968,25 @@ msgid ""
+ "lockout checking will yield access denied as ppolicy attributes on LDAP "
+ "server cannot be checked properly."
+ msgstr ""
++"Detta alternativ anger DN för lösenordspolicyposten på LDAP-servern.  Notera "
++"att frånvaro av detta alternativ i sssd.conf när kontroll av kontolåsning är "
++"aktiverat kommer att resultera i nekad åtkomst eftersom ppolicy-attribut på "
++"LDAP-servern inte kan kontrolleras ordentligt. "
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:2336
+ msgid "Example: cn=ppolicy,ou=policies,dc=example,dc=com"
+-msgstr ""
++msgstr "Exempel: cn=ppolicy,ou=policies,dc=exempel,dc=se"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:2339
+ msgid "Default: cn=ppolicy,ou=policies,$ldap_search_base"
+-msgstr ""
++msgstr "Standard: cn=ppolicy,ou=policies,$ldap_search_base"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd-ldap.5.xml:2345
+ msgid "ldap_deref (string)"
+-msgstr ""
++msgstr "ldap_deref (sträng)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:2348
+@@ -7695,11 +7994,13 @@ msgid ""
+ "Specifies how alias dereferencing is done when performing a search. The "
+ "following options are allowed:"
+ msgstr ""
++"Anger hur dereferering av alias görs när sökningar utförs.  Följande "
++"alternativ är tillåtna:"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:2353
+ msgid "<emphasis>never</emphasis>: Aliases are never dereferenced."
+-msgstr ""
++msgstr "<emphasis>never</emphasis>: Alias är aldrig derefererade."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:2357
+@@ -7707,6 +8008,8 @@ msgid ""
+ "<emphasis>searching</emphasis>: Aliases are dereferenced in subordinates of "
+ "the base object, but not in locating the base object of the search."
+ msgstr ""
++"<emphasis>searching</emphasis>: Alias derefereras i underordnade till "
++"basobjektet, men inte vid lokalisering basobjektet för sökningen."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:2362
+@@ -7714,6 +8017,8 @@ msgid ""
+ "<emphasis>finding</emphasis>: Aliases are only dereferenced when locating "
+ "the base object of the search."
+ msgstr ""
++"<emphasis>finding</emphasis>: Alias derefereras endast vid lokalisering av "
++"basobjektet för sökningen."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:2367
+@@ -7721,6 +8026,8 @@ msgid ""
+ "<emphasis>always</emphasis>: Aliases are dereferenced both in searching and "
+ "in locating the base object of the search."
+ msgstr ""
++"<emphasis>always</emphasis>: Alias derefereras både i sökning och i "
++"lokalisering av basobjektet för sökningen."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:2372
+@@ -7728,11 +8035,13 @@ msgid ""
+ "Default: Empty (this is handled as <emphasis>never</emphasis> by the LDAP "
+ "client libraries)"
+ msgstr ""
++"Standard: Tomt (detta hanteras som <emphasis>never</emphasis> av LDAP-"
++"klientbiblioteken)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd-ldap.5.xml:2380
+ msgid "ldap_rfc2307_fallback_to_local_users (boolean)"
+-msgstr ""
++msgstr "ldap_rfc2307_fallback_to_local_users (boolean)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:2383
+@@ -7740,6 +8049,8 @@ msgid ""
+ "Allows to retain local users as members of an LDAP group for servers that "
+ "use the RFC2307 schema."
+ msgstr ""
++"Tillåter att behålla lokala användare som medlemmar i en LDAP-grupp för "
++"servrar som använder schemat RFC2307."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:2387
+@@ -7751,6 +8062,12 @@ msgid ""
+ "memberships as soon as nsswitch tries to fetch information about the user "
+ "via getpw*() or initgroups() calls."
+ msgstr ""
++"I en del miljöer där schemat RFC2307 används görs lokala användare till "
++"medlemmar i LDAP-grupper genom att lägga till deras namn till attributet "
++"memberUid.  Den interna konsistensen i domänen bryts när detta görs, så SSSD "
++"skulle normalt ta bort de ”saknade” användarna från de cachade "
++"gruppmedlemskapen så fort nsswitch försöker hämta information om användaren "
++"via anrop av getpw*() eller initgroups()."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:2398
+@@ -7759,11 +8076,14 @@ msgid ""
+ "them so that later initgroups() calls will augment the local users with the "
+ "additional LDAP groups."
+ msgstr ""
++"Detta alternativ faller tillbaka på att kontrollera om lokala användare är "
++"refererade, och cachar dem så att senare anrop av initgroups() kommer utöka "
++"de lokala användarna med de extra LDAP-grupperna."
+ 
+ #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+ #: sssd-ldap.5.xml:2410 sssd-ifp.5.xml:136
+ msgid "wildcard_limit (integer)"
+-msgstr ""
++msgstr "wildcard_limit (heltal)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:2413
+@@ -7771,16 +8091,19 @@ msgid ""
+ "Specifies an upper limit on the number of entries that are downloaded during "
+ "a wildcard lookup."
+ msgstr ""
++"Anger en övre gräns på antalet poster som hämtas under en uppslagning med "
++"jokertecken."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:2417
+ msgid "At the moment, only the InfoPipe responder supports wildcard lookups."
+ msgstr ""
++"För närvarande stödjer endast respondenten InfoPipe jockeruppslagningar."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:2421
+ msgid "Default: 1000 (often the size of one page)"
+-msgstr ""
++msgstr "Standard: 1000 (ofta storleken på en sida)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+ #: sssd-ldap.5.xml:51
+@@ -7791,11 +8114,16 @@ msgid ""
+ "manvolnum> </citerefentry> manual page for full details.  <placeholder type="
+ "\"variablelist\" id=\"0\"/>"
+ msgstr ""
++"Alla de vanliga konfigurationsalternativen som gäller SSSD-domäner gäller "
++"även LDAP-domäner.  Se avsnittet <quote>DOMÄNSEKTIONER</quote> av "
++"manualsidan <citerefentry> <refentrytitle>sssd.conf</refentrytitle> "
++"<manvolnum>5</manvolnum> </citerefentry> för fullständiga detaljer.  "
++"<placeholder type=\"variablelist\" id=\"0\"/>"
+ 
+ #. type: Content of: <reference><refentry><refsect1><title>
+ #: sssd-ldap.5.xml:2431
+ msgid "SUDO OPTIONS"
+-msgstr ""
++msgstr "SUDOALTERNATIV"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+ #: sssd-ldap.5.xml:2433
+@@ -7804,51 +8132,54 @@ msgid ""
+ "manual page <citerefentry> <refentrytitle>sssd-sudo</refentrytitle> "
+ "<manvolnum>5</manvolnum> </citerefentry>."
+ msgstr ""
++"De detaljerade instruktionerna för att konfigurera sudo-leverantören finns i "
++"manualsidan <citerefentry> <refentrytitle>sssd-sudo</refentrytitle> "
++"<manvolnum>5</manvolnum> </citerefentry>."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd-ldap.5.xml:2444
+ msgid "ldap_sudorule_object_class (string)"
+-msgstr ""
++msgstr "ldap_sudorule_object_class (sträng)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:2447
+ msgid "The object class of a sudo rule entry in LDAP."
+-msgstr ""
++msgstr "Objektklassen hos en sudo-regelpost i LDAP."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:2450
+ msgid "Default: sudoRole"
+-msgstr ""
++msgstr "Standard: sudoRole"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd-ldap.5.xml:2456
+ msgid "ldap_sudorule_name (string)"
+-msgstr ""
++msgstr "ldap_sudorule_name (sträng)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:2459
+ msgid "The LDAP attribute that corresponds to the sudo rule name."
+-msgstr ""
++msgstr "LDAP-attributet som motsvarar sudo-regelnamnet."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd-ldap.5.xml:2469
+ msgid "ldap_sudorule_command (string)"
+-msgstr ""
++msgstr "ldap_sudorule_command (sträng)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:2472
+ msgid "The LDAP attribute that corresponds to the command name."
+-msgstr ""
++msgstr "LDAP-attributet som motsvarar kommandonamnet."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:2476
+ msgid "Default: sudoCommand"
+-msgstr ""
++msgstr "Standard: sudoCommand"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd-ldap.5.xml:2482
+ msgid "ldap_sudorule_host (string)"
+-msgstr ""
++msgstr "ldap_sudorule_host (sträng)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:2485
+@@ -7856,16 +8187,18 @@ msgid ""
+ "The LDAP attribute that corresponds to the host name (or host IP address, "
+ "host IP network, or host netgroup)"
+ msgstr ""
++"LDAP-attributet som motsvarar värdnamnet (eller värdens IP-adress, värdens "
++"IP-nätverk eller värdens nätgrupp)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:2490
+ msgid "Default: sudoHost"
+-msgstr ""
++msgstr "Standard: sudoHost"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd-ldap.5.xml:2496
+ msgid "ldap_sudorule_user (string)"
+-msgstr ""
++msgstr "ldap_sudorule_user (sträng)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:2499
+@@ -7873,31 +8206,33 @@ msgid ""
+ "The LDAP attribute that corresponds to the user name (or UID, group name or "
+ "user's netgroup)"
+ msgstr ""
++"LDAP-attributet som motsvarar användarnamnet (eller UID, gruppnamnet eller "
++"användarens nätgrupp)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:2503
+ msgid "Default: sudoUser"
+-msgstr ""
++msgstr "Standard: sudoUser"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd-ldap.5.xml:2509
+ msgid "ldap_sudorule_option (string)"
+-msgstr ""
++msgstr "ldap_sudorule_option (sträng)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:2512
+ msgid "The LDAP attribute that corresponds to the sudo options."
+-msgstr ""
++msgstr "LDAP-attributet som motsvarar sudo-alternativen.."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:2516
+ msgid "Default: sudoOption"
+-msgstr ""
++msgstr "Standard: sudoOption"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd-ldap.5.xml:2522
+ msgid "ldap_sudorule_runasuser (string)"
+-msgstr ""
++msgstr "ldap_sudorule_runasuser (sträng)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:2525
+@@ -7905,16 +8240,17 @@ msgid ""
+ "The LDAP attribute that corresponds to the user name that commands may be "
+ "run as."
+ msgstr ""
++"LDAP-attributet som motsvarar användarnamnet som kommandon får köras som."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:2529
+ msgid "Default: sudoRunAsUser"
+-msgstr ""
++msgstr "Standard: sudoRunAsUser"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd-ldap.5.xml:2535
+ msgid "ldap_sudorule_runasgroup (string)"
+-msgstr ""
++msgstr "ldap_sudorule_runasgroup (sträng)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:2538
+@@ -7922,16 +8258,18 @@ msgid ""
+ "The LDAP attribute that corresponds to the group name or group GID that "
+ "commands may be run as."
+ msgstr ""
++"LDAP-attributet som motsvarar gruppnamnet eller grupp-GID:t som kommandon "
++"får köras som."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:2542
+ msgid "Default: sudoRunAsGroup"
+-msgstr ""
++msgstr "Standard: sudoRunAsGroup"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd-ldap.5.xml:2548
+ msgid "ldap_sudorule_notbefore (string)"
+-msgstr ""
++msgstr "ldap_sudorule_notbefore (sträng)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:2551
+@@ -7939,16 +8277,17 @@ msgid ""
+ "The LDAP attribute that corresponds to the start date/time for when the sudo "
+ "rule is valid."
+ msgstr ""
++"LDAP-attributet som motsvarar startdagen/-tiden då sudo-regeln är giltig."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:2555
+ msgid "Default: sudoNotBefore"
+-msgstr ""
++msgstr "Standard: sudoNotBefore"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd-ldap.5.xml:2561
+ msgid "ldap_sudorule_notafter (string)"
+-msgstr ""
++msgstr "ldap_sudorule_notafter (sträng)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:2564
+@@ -7956,31 +8295,33 @@ msgid ""
+ "The LDAP attribute that corresponds to the expiration date/time, after which "
+ "the sudo rule will no longer be valid."
+ msgstr ""
++"LDAP-attributet som motsvarar utgångsdagen/-tiden då  sudo-regeln inte "
++"längre är giltig."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:2569
+ msgid "Default: sudoNotAfter"
+-msgstr ""
++msgstr "Standard: sudoNotAfter"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd-ldap.5.xml:2575
+ msgid "ldap_sudorule_order (string)"
+-msgstr ""
++msgstr "ldap_sudorule_order (sträng)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:2578
+ msgid "The LDAP attribute that corresponds to the ordering index of the rule."
+-msgstr ""
++msgstr "LDAP-attributet som motsvarar ordningsindexet för regeln."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:2582
+ msgid "Default: sudoOrder"
+-msgstr ""
++msgstr "Standard: sudoOrder"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd-ldap.5.xml:2588
+ msgid "ldap_sudo_full_refresh_interval (integer)"
+-msgstr ""
++msgstr "ldap_sudo_full_refresh_interval (heltal)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:2591
+@@ -7988,6 +8329,9 @@ msgid ""
+ "How many seconds SSSD will wait between executing a full refresh of sudo "
+ "rules (which downloads all rules that are stored on the server)."
+ msgstr ""
++"Hur många sekunder SSSD kommer vänta mellan körningar av fullständiga "
++"uppdateringar av sudo-regler (som hämtar alla regler som är lagrade på "
++"servern)."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:2596
+@@ -7995,16 +8339,18 @@ msgid ""
+ "The value must be greater than <emphasis>ldap_sudo_smart_refresh_interval </"
+ "emphasis>"
+ msgstr ""
++"Värdet måste vara större än <emphasis>ldap_sudo_smart_refresh_interval </"
++"emphasis>"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:2601
+ msgid "Default: 21600 (6 hours)"
+-msgstr ""
++msgstr "Standard: 21600 (6 timmar)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd-ldap.5.xml:2607
+ msgid "ldap_sudo_smart_refresh_interval (integer)"
+-msgstr ""
++msgstr "ldap_sudo_smart_refresh_interval (heltal)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:2610
+@@ -8020,11 +8366,13 @@ msgid ""
+ "If USN attributes are not supported by the server, the modifyTimestamp "
+ "attribute is used instead."
+ msgstr ""
++"Om USN-attribut inte stödjs av servern används attributet modifyTimestamp "
++"istället."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd-ldap.5.xml:2626
+ msgid "ldap_sudo_use_host_filter (boolean)"
+-msgstr ""
++msgstr "ldap_sudo_use_host_filter (boolean)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:2629
+@@ -8032,11 +8380,13 @@ msgid ""
+ "If true, SSSD will download only rules that are applicable to this machine "
+ "(using the IPv4 or IPv6 host/network addresses and hostnames)."
+ msgstr ""
++"Om sann kommer SSSD hämta endast regler som är tillämpliga för denna maskin "
++"(genom användning av IPv4- och IPv6-värd-/-nätverksadresser och värdnamn)."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd-ldap.5.xml:2640
+ msgid "ldap_sudo_hostnames (string)"
+-msgstr ""
++msgstr "ldap_sudo_hostnames (sträng)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:2643
+@@ -8044,6 +8394,8 @@ msgid ""
+ "Space separated list of hostnames or fully qualified domain names that "
+ "should be used to filter the rules."
+ msgstr ""
++"Mellanrumsseparerad lista över värdnamn eller fullständigt kvalificerade "
++"domännamn som skall användas för att filtrera reglerna."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:2648
+@@ -8051,6 +8403,8 @@ msgid ""
+ "If this option is empty, SSSD will try to discover the hostname and the "
+ "fully qualified domain name automatically."
+ msgstr ""
++"Om detta alternativ är tomt kommer SSSD försöka upptäcka värdnamnet och det "
++"fullständigt kvalificerade domännamnet automatiskt."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:2653 sssd-ldap.5.xml:2676 sssd-ldap.5.xml:2694
+@@ -8059,16 +8413,18 @@ msgid ""
+ "If <emphasis>ldap_sudo_use_host_filter</emphasis> is <emphasis>false</"
+ "emphasis> then this option has no effect."
+ msgstr ""
++"Om <emphasis>ldap_sudo_use_host_filter</emphasis> är <emphasis>false</"
++"emphasis> har detta alternativ ingen effekt."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:2658 sssd-ldap.5.xml:2681
+ msgid "Default: not specified"
+-msgstr ""
++msgstr "Standard: inte angivet"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd-ldap.5.xml:2664
+ msgid "ldap_sudo_ip (string)"
+-msgstr ""
++msgstr "ldap_sudo_ip (sträng)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:2667
+@@ -8076,6 +8432,8 @@ msgid ""
+ "Space separated list of IPv4 or IPv6 host/network addresses that should be "
+ "used to filter the rules."
+ msgstr ""
++"Mellanrumsseparerad lista över IPv4- eller IPv6 värd-/nätverksadresser som "
++"skall användas för att filtrera reglerna."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:2672
+@@ -8083,11 +8441,13 @@ msgid ""
+ "If this option is empty, SSSD will try to discover the addresses "
+ "automatically."
+ msgstr ""
++"Om detta alternativ är tomt kommer SSSD försöka upptäcka adresser "
++"automatiskt."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd-ldap.5.xml:2687
+ msgid "ldap_sudo_include_netgroups (boolean)"
+-msgstr ""
++msgstr "ldap_sudo_include_netgroups (boolean)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:2690
+@@ -8095,11 +8455,13 @@ msgid ""
+ "If true then SSSD will download every rule that contains a netgroup in "
+ "sudoHost attribute."
+ msgstr ""
++"Om sant kommer SSSD hämta varje regel som innehåller en nätgrupp i "
++"attributet sudoHost."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd-ldap.5.xml:2705
+ msgid "ldap_sudo_include_regexp (boolean)"
+-msgstr ""
++msgstr "ldap_sudo_include_regexp (boolean)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:2708
+@@ -8107,6 +8469,8 @@ msgid ""
+ "If true then SSSD will download every rule that contains a wildcard in "
+ "sudoHost attribute."
+ msgstr ""
++"Om sant kommer SSSD hämta varje regel som innehåller ett jokertecken i "
++"attributet sudoHost."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+ #: sssd-ldap.5.xml:2724
+@@ -8116,11 +8480,15 @@ msgid ""
+ "<refentrytitle>sudoers.ldap</refentrytitle><manvolnum>5</manvolnum> </"
+ "citerefentry>"
+ msgstr ""
++"Denna manualsida beskriver endast attributnamnsöversättningar.  För "
++"detaljerade beskrivningar av semantiken hos sudo-relaterade attribut, se "
++"<citerefentry> <refentrytitle>sudoers.ldap</refentrytitle><manvolnum>5</"
++"manvolnum> </citerefentry>"
+ 
+ #. type: Content of: <reference><refentry><refsect1><title>
+ #: sssd-ldap.5.xml:2734
+ msgid "AUTOFS OPTIONS"
+-msgstr ""
++msgstr "AUTOFSALTERNATIV"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+ #: sssd-ldap.5.xml:2736
+@@ -8128,57 +8496,59 @@ msgid ""
+ "Some of the defaults for the parameters below are dependent on the LDAP "
+ "schema."
+ msgstr ""
++"Några av standardvärdena för parametrar nedan är beroende på LDAP-schemat."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd-ldap.5.xml:2742
+ msgid "ldap_autofs_map_master_name (string)"
+-msgstr ""
++msgstr "ldap_autofs_map_master_name (sträng)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:2745
+ msgid "The name of the automount master map in LDAP."
+-msgstr ""
++msgstr "Namnet på automount master-kartan i LDAP."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:2748
+ msgid "Default: auto.master"
+-msgstr ""
++msgstr "Standard: auto.master"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd-ldap.5.xml:2755
+ msgid "ldap_autofs_map_object_class (string)"
+-msgstr ""
++msgstr "ldap_autofs_map_object_class (sträng)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:2758
+ msgid "The object class of an automount map entry in LDAP."
+-msgstr ""
++msgstr "Objektklassen hos en automatmonteringskartepost i LDAP."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:2761
+ msgid "Default: nisMap (rfc2307, autofs_provider=ad), otherwise automountMap"
+-msgstr ""
++msgstr "Standard: nisMap (rfc2307, autofs_provider=ad), annars automountMap"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd-ldap.5.xml:2769
+ msgid "ldap_autofs_map_name (string)"
+-msgstr ""
++msgstr "ldap_autofs_map_name (sträng)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:2772
+ msgid "The name of an automount map entry in LDAP."
+-msgstr ""
++msgstr "Namnet på en automatmonteringskartepost i LDAP."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:2775
+ msgid ""
+ "Default: nisMapName (rfc2307, autofs_provider=ad), otherwise automountMapName"
+ msgstr ""
++"Standard: nisMapName (rfc2307, autofs_provider=ad), annars automountMapName"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd-ldap.5.xml:2783
+ msgid "ldap_autofs_entry_object_class (string)"
+-msgstr ""
++msgstr "ldap_autofs_entry_object_class (sträng)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:2786
+@@ -8186,16 +8556,18 @@ msgid ""
+ "The object class of an automount entry in LDAP. The entry usually "
+ "corresponds to a mount point."
+ msgstr ""
++"Objektklassen hos en automatmonteringspost i LDAP.  Posten motsvarar "
++"vanligen en monteringspunkt."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:2791
+ msgid "Default: nisObject (rfc2307, autofs_provider=ad), otherwise automount"
+-msgstr ""
++msgstr "Standard: nisObject (rfc2307, autofs_provider=ad), annars automount"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd-ldap.5.xml:2799
+ msgid "ldap_autofs_entry_key (string)"
+-msgstr ""
++msgstr "ldap_autofs_entry_key (sträng)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:2802 sssd-ldap.5.xml:2817
+@@ -8203,16 +8575,18 @@ msgid ""
+ "The key of an automount entry in LDAP. The entry usually corresponds to a "
+ "mount point."
+ msgstr ""
++"Nyckeln till en automatmonteringspost i LDAP.  Posten motsvarar vanligen en "
++"monteringspunkt."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:2806
+ msgid "Default: cn (rfc2307, autofs_provider=ad), otherwise automountKey"
+-msgstr ""
++msgstr "Standard: cn (rfc2307, autofs_provider=ad), annars automountKey"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd-ldap.5.xml:2814
+ msgid "ldap_autofs_entry_value (string)"
+-msgstr ""
++msgstr "ldap_autofs_entry_value (sträng)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:2821
+@@ -8220,6 +8594,8 @@ msgid ""
+ "Default: nisMapEntry (rfc2307, autofs_provider=ad), otherwise "
+ "automountInformation"
+ msgstr ""
++"Standard: nisMapEntry (rfc2307, autofs_provider=ad), annars "
++"automountInformation"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+ #: sssd-ldap.5.xml:2740
+@@ -8229,31 +8605,35 @@ msgid ""
+ "<placeholder type=\"variablelist\" id=\"3\"/> <placeholder type="
+ "\"variablelist\" id=\"4\"/> <placeholder type=\"variablelist\" id=\"5\"/>"
+ msgstr ""
+-
++"<placeholder type=\"variablelist\" id=\"0\"/> <placeholder type="
++"\"variablelist\" id=\"1\"/> <placeholder type=\"variablelist\" id=\"2\"/> "
++"<placeholder type=\"variablelist\" id=\"3\"/> <placeholder type="
++"\"variablelist\" id=\"4\"/> <placeholder type=\"variablelist\" id=\"5\"/>"
++
+ #. type: Content of: <reference><refentry><refsect1><title>
+ #: sssd-ldap.5.xml:2832
+ msgid "ADVANCED OPTIONS"
+-msgstr ""
++msgstr "AVANCERADE ALTERNATIV"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd-ldap.5.xml:2839
+ msgid "ldap_netgroup_search_base (string)"
+-msgstr ""
++msgstr "ldap_netgroup_search_base (sträng)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd-ldap.5.xml:2844
+ msgid "ldap_user_search_base (string)"
+-msgstr ""
++msgstr "ldap_user_search_base (sträng)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd-ldap.5.xml:2849
+ msgid "ldap_group_search_base (string)"
+-msgstr ""
++msgstr "ldap_group_search_base (sträng)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><note>
+ #: sssd-ldap.5.xml:2854
+ msgid "<note>"
+-msgstr ""
++msgstr "<note>"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><note><para>
+ #: sssd-ldap.5.xml:2856
+@@ -8263,21 +8643,25 @@ msgid ""
+ "memberships, even with no GID mapping. It is recommended to disable this "
+ "feature, if group names are not being displayed correctly."
+ msgstr ""
++"Om alternativet <quote>ldap_use_tokengroups</quote> är aktiverat kommer "
++"sökningarna i Active Directory inte vara begränsade och returnera alla "
++"gruppmedlemskap, även utan någon GID-översättning. Det rekommenderas att "
++"avaktivera denna funktion om gruppnamn inte visas korrekt."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist>
+ #: sssd-ldap.5.xml:2863
+ msgid "</note>"
+-msgstr ""
++msgstr "</note>"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd-ldap.5.xml:2865
+ msgid "ldap_sudo_search_base (string)"
+-msgstr ""
++msgstr "ldap_sudo_search_base (sträng)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd-ldap.5.xml:2870
+ msgid "ldap_autofs_search_base (string)"
+-msgstr ""
++msgstr "ldap_autofs_search_base (sträng)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+ #: sssd-ldap.5.xml:2834
+@@ -8287,13 +8671,17 @@ msgid ""
+ "are doing.  <placeholder type=\"variablelist\" id=\"0\"/> <placeholder type="
+ "\"variablelist\" id=\"1\"/>"
+ msgstr ""
++"Dessa alternativ stödjs av LDAP-domäner, men de skall användas med "
++"försiktighet.  Inkludera dem endast i din konfiguration om du vet vad du "
++"gör.  <placeholder type=\"variablelist\" id=\"0\"/> <placeholder type="
++"\"variablelist\" id=\"1\"/>"
+ 
+ #. type: Content of: <reference><refentry><refsect1><title>
+ #: sssd-ldap.5.xml:2885 sssd-simple.5.xml:131 sssd-ipa.5.xml:828
+ #: sssd-ad.5.xml:1082 sssd-krb5.5.xml:604 sss_rpcidmapd.5.xml:98
+ #: sssd-files.5.xml:103 sssd-session-recording.5.xml:144
+ msgid "EXAMPLE"
+-msgstr ""
++msgstr "EXEMPEL"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+ #: sssd-ldap.5.xml:2887
+@@ -8302,6 +8690,8 @@ msgid ""
+ "set to one of the domains in the <replaceable>[domains]</replaceable> "
+ "section."
+ msgstr ""
++"Följande exempel antar att SSSD är korrekt konfigurerat och att LDAP är satt "
++"till en av domänerna i avsnittet <replaceable>[domains]</replaceable>."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><programlisting>
+ #: sssd-ldap.5.xml:2893
+@@ -8315,6 +8705,13 @@ msgid ""
+ "ldap_tls_reqcert = demand\n"
+ "cache_credentials = true\n"
+ msgstr ""
++"[domain/LDAP]\n"
++"id_provider = ldap\n"
++"auth_provider = ldap\n"
++"ldap_uri = ldap://ldap.mindomän.se\n"
++"ldap_search_base = dc=mindomän,dc=se\n"
++"ldap_tls_reqcert = demand\n"
++"cache_credentials = true\n"
+ 
+ #. type: Content of: <refsect1><refsect2><para>
+ #: sssd-ldap.5.xml:2892 sssd-ldap.5.xml:2910 sssd-simple.5.xml:139
+@@ -8322,12 +8719,12 @@ msgstr ""
+ #: sssd-files.5.xml:110 sssd-session-recording.5.xml:150
+ #: include/ldap_id_mapping.xml:105
+ msgid "<placeholder type=\"programlisting\" id=\"0\"/>"
+-msgstr ""
++msgstr "<placeholder type=\"programlisting\" id=\"0\"/>"
+ 
+ #. type: Content of: <reference><refentry><refsect1><title>
+ #: sssd-ldap.5.xml:2904
+ msgid "LDAP ACCESS FILTER EXAMPLE"
+-msgstr ""
++msgstr "LDAP-ÅTKOMSTFILTEREXEMPEL"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+ #: sssd-ldap.5.xml:2906
+@@ -8335,6 +8732,8 @@ msgid ""
+ "The following example assumes that SSSD is correctly configured and to use "
+ "the ldap_access_order=lockout."
+ msgstr ""
++"Följande exempel antar att SSSD är korrekt konfigurerat och att "
++"ldap_access_order=lockout används."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><programlisting>
+ #: sssd-ldap.5.xml:2911
+@@ -8351,12 +8750,22 @@ msgid ""
+ "ldap_tls_reqcert = demand\n"
+ "cache_credentials = true\n"
+ msgstr ""
++"[domain/LDAP]\n"
++"id_provider = ldap\n"
++"auth_provider = ldap\n"
++"access_provider = ldap\n"
++"ldap_access_order = lockout\n"
++"ldap_pwdlockout_dn = cn=ppolicy,ou=policies,dc=mindomän,dc=se\n"
++"ldap_uri = ldap://ldap.mindomän.se\n"
++"ldap_search_base = dc=mindomän,dc=se\n"
++"ldap_tls_reqcert = demand\n"
++"cache_credentials = true\n"
+ 
+ #. type: Content of: <reference><refentry><refsect1><title>
+ #: sssd-ldap.5.xml:2926 sssd_krb5_locator_plugin.8.xml:83 sssd-simple.5.xml:148
+ #: sssd-ad.5.xml:1105 sssd.8.xml:230 sss_seed.8.xml:163
+ msgid "NOTES"
+-msgstr ""
++msgstr "NOTER"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+ #: sssd-ldap.5.xml:2928
+@@ -8366,16 +8775,20 @@ msgid ""
+ "<manvolnum>5</manvolnum> </citerefentry> manual page from the OpenLDAP 2.4 "
+ "distribution."
+ msgstr ""
++"Beskrivningarna av en del konfigurationsalternativ i denna manualsida är "
++"baserade på manualsidan <citerefentry> <refentrytitle>ldap.conf</"
++"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> från distributionen "
++"OpenLDAP 2.4."
+ 
+ #. type: Content of: <reference><refentry><refnamediv><refname>
+ #: pam_sss.8.xml:11 pam_sss.8.xml:16
+ msgid "pam_sss"
+-msgstr ""
++msgstr "pam_sss"
+ 
+ #. type: Content of: <reference><refentry><refnamediv><refpurpose>
+ #: pam_sss.8.xml:17
+ msgid "PAM module for SSSD"
+-msgstr ""
++msgstr "PAM-modul för SSSD"
+ 
+ #. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis>
+ #: pam_sss.8.xml:22
+@@ -8399,21 +8812,24 @@ msgid ""
+ "Services daemon (SSSD). Errors and results are logged through "
+ "<command>syslog(3)</command> with the LOG_AUTHPRIV facility."
+ msgstr ""
++"<command>pam_sss.so</command> är PAM-gränssnittet till System Security "
++"Services daemon (SSSD).  Fel och resultat loggas via <command>syslog(3)</"
++"command> med funktionen LOG_AUTHPRIV."
+ 
+ #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+ #: pam_sss.8.xml:68
+ msgid "<option>quiet</option>"
+-msgstr ""
++msgstr "<option>quiet</option>"
+ 
+ #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+ #: pam_sss.8.xml:71
+ msgid "Suppress log messages for unknown users."
+-msgstr ""
++msgstr "Umdertryck loggmeddelanden om okända användare."
+ 
+ #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+ #: pam_sss.8.xml:76
+ msgid "<option>forward_pass</option>"
+-msgstr ""
++msgstr "<option>forward_pass</option>"
+ 
+ #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+ #: pam_sss.8.xml:79
+@@ -8421,11 +8837,13 @@ msgid ""
+ "If <option>forward_pass</option> is set the entered password is put on the "
+ "stack for other PAM modules to use."
+ msgstr ""
++"Om <option>forward_pass</option> är satt läggs det inskrivna lösenordet på "
++"stacken så att andra PAM-moduler kan använda det."
+ 
+ #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+ #: pam_sss.8.xml:86
+ msgid "<option>use_first_pass</option>"
+-msgstr ""
++msgstr "<option>use_first_pass</option>"
+ 
+ #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+ #: pam_sss.8.xml:89
+@@ -8434,11 +8852,14 @@ msgid ""
+ "modules password and will never prompt the user - if no password is "
+ "available or the password is not appropriate, the user will be denied access."
+ msgstr ""
++"Argumentet use_first_pass tvingar modulen att använda tidigare stackade "
++"modulers lösenord och kommer aldrig fråga användaren – om inget lösenord är "
++"tillgängligt eller lösenordet inte stämmer kommer användaren nekas åtkomst."
+ 
+ #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+ #: pam_sss.8.xml:97
+ msgid "<option>use_authtok</option>"
+-msgstr ""
++msgstr "<option>use_authtok</option>"
+ 
+ #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+ #: pam_sss.8.xml:100
+@@ -8446,11 +8867,13 @@ msgid ""
+ "When password changing enforce the module to set the new password to the one "
+ "provided by a previously stacked password module."
+ msgstr ""
++"Vid lösenordsändring tvinga modulen till att sätta det nya lösenordet till "
++"det som gavs av en tidigare stackad lösenordsmodul."
+ 
+ #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+ #: pam_sss.8.xml:107
+ msgid "<option>retry=N</option>"
+-msgstr ""
++msgstr "<option>retry=N</option>"
+ 
+ #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+ #: pam_sss.8.xml:110
+@@ -8458,6 +8881,8 @@ msgid ""
+ "If specified the user is asked another N times for a password if "
+ "authentication fails. Default is 0."
+ msgstr ""
++"Om angivet frågas användaren ytterligare N gånger om ett lösenord ifall "
++"autentiseringen misslyckas.  Standard är 0."
+ 
+ #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+ #: pam_sss.8.xml:112
+@@ -8466,11 +8891,15 @@ msgid ""
+ "calling PAM handles the user dialog on its own. A typical example is "
+ "<command>sshd</command> with <option>PasswordAuthentication</option>."
+ msgstr ""
++"Observera att detta alternativ kanske inte fungerar som förväntat ifall "
++"programmet som anropar PAM hanterar användaredialogen själv.  Ett typiskt "
++"exempel är <command>sshd</command> med <option>PasswordAuthentication</"
++"option>."
+ 
+ #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+ #: pam_sss.8.xml:121
+ msgid "<option>ignore_unknown_user</option>"
+-msgstr ""
++msgstr "<option>ignore_unknown_user</option>"
+ 
+ #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+ #: pam_sss.8.xml:124
+@@ -8478,11 +8907,13 @@ msgid ""
+ "If this option is specified and the user does not exist, the PAM module will "
+ "return PAM_IGNORE. This causes the PAM framework to ignore this module."
+ msgstr ""
++"Om detta alternativ anges och användaren inte finns kommer PAM-modulen "
++"returnera PAM_IGNORE.  Detta får PAM-ramverket att ignorera denna modul."
+ 
+ #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+ #: pam_sss.8.xml:131
+ msgid "<option>ignore_authinfo_unavail</option>"
+-msgstr ""
++msgstr "<option>ignore_authinfo_unavail</option>"
+ 
+ #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+ #: pam_sss.8.xml:135
+@@ -8490,11 +8921,13 @@ msgid ""
+ "Specifies that the PAM module should return PAM_IGNORE if it cannot contact "
+ "the SSSD daemon. This causes the PAM framework to ignore this module."
+ msgstr ""
++"Anger att PAM-modulen skall returnera PAM_IGNORE om det inte kan kontakta "
++"SSSD-demonen.  Detta får PAM-ramverket att ignorera denna modul."
+ 
+ #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+ #: pam_sss.8.xml:142
+ msgid "<option>domains</option>"
+-msgstr ""
++msgstr "<option>domains</option>"
+ 
+ #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+ #: pam_sss.8.xml:146
+@@ -8503,6 +8936,9 @@ msgid ""
+ "allowed to authenticate against. The format is a comma-separated list of "
+ "SSSD domain names, as specified in the sssd.conf file."
+ msgstr ""
++"Tillåter administratören att begränsa domänerna en viss PAM-tjänst tillåts "
++"autentisera emot.  Formatet är en kommaseparerad lista över SSSD-domännamn "
++"som de specificeras i filen sssd.conf."
+ 
+ #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+ #: pam_sss.8.xml:152
+@@ -8513,11 +8949,15 @@ msgid ""
+ "manvolnum> </citerefentry> manual page for more information on these two PAM "
+ "responder options."
+ msgstr ""
++"OBS: Måste användas tillsammans med flaggorna <quote>pam_trusted_users</"
++"quote> och <quote>pam_public_domains</quote>.  Se manualsidan <citerefentry> "
++"<refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</manvolnum> </"
++"citerefentry> för mer information om dessa två PAM-respondentalternativ."
+ 
+ #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+ #: pam_sss.8.xml:166
+ msgid "<option>allow_missing_name</option>"
+-msgstr ""
++msgstr "<option>allow_missing_name</option>"
+ 
+ #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+ #: pam_sss.8.xml:170
+@@ -8525,6 +8965,8 @@ msgid ""
+ "The main purpose of this option is to let SSSD determine the user name based "
+ "on additional information, e.g. the certificate from a Smartcard."
+ msgstr ""
++"Huvudsyftet med denna flagga är att låta SSSD avgöra användarnamnet baserat "
++"på ytterligare information, t.ex. certifikatet från ett smartkort."
+ 
+ #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting>
+ #: pam_sss.8.xml:180
+@@ -8533,6 +8975,8 @@ msgid ""
+ "auth sufficient pam_sss.so allow_missing_name\n"
+ "                        "
+ msgstr ""
++"auth sufficient pam_sss.so allow_missing_name\n"
++"                        "
+ 
+ #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+ #: pam_sss.8.xml:175
+@@ -8544,11 +8988,17 @@ msgid ""
+ "the content of the Smartcard, returns it to pam_sss which will finally put "
+ "it on the PAM stack."
+ msgstr ""
++"Det aktuella användningsfallet är inloggningshanterare som kan övervaka en "
++"smartkortläsare om korthändelser.  Ifall en smartkort sätts in kommer "
++"inloggningshanteraren anropa en PAM-stack som innehåller en rad som "
++"<placeholder type=\"programlisting\" id=\"0\"/> I detta fall kommer SSSD "
++"färsäla avgära användarnamnet baserat på innehållet på smartkortet, "
++"returnerar det till pam_sss som slutligen kommer läga det på PAM-stacken."
+ 
+ #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+ #: pam_sss.8.xml:190
+ msgid "<option>prompt_always</option>"
+-msgstr ""
++msgstr "<option>prompt_always</option>"
+ 
+ #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+ #: pam_sss.8.xml:194
+@@ -8559,11 +9009,16 @@ msgid ""
+ "SSSD pam_sss might prompt for a password, a Smartcard PIN or other "
+ "credentials."
+ msgstr ""
++"Fråga alltid användaren om kreditiv.  Med denna flagga kommer kreditiv "
++"begärda av andra PAM-moduler, typiskt ett lösenord, ignoreras och pam_sss "
++"kommer fråga efter kreditiv igen.  Baserat på förautentiseringssvaret från "
++"SSSD kan pam_sss komma att fråga efter ett lösenord, ett smartkorts-PIN "
++"eller andra kreditiv."
+ 
+ #. type: Content of: <reference><refentry><refsect1><title>
+ #: pam_sss.8.xml:207
+ msgid "MODULE TYPES PROVIDED"
+-msgstr ""
++msgstr "TILLHANDAHÅLLNA MODULTYPER"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+ #: pam_sss.8.xml:208
+@@ -8571,11 +9026,13 @@ msgid ""
+ "All module types (<option>account</option>, <option>auth</option>, "
+ "<option>password</option> and <option>session</option>) are provided."
+ msgstr ""
++"Alla modultyper (<option>account</option>, <option>auth</option>, "
++"<option>password</option> och <option>session</option>) tillhandahålls."
+ 
+ #. type: Content of: <reference><refentry><refsect1><title>
+ #: pam_sss.8.xml:214
+ msgid "FILES"
+-msgstr ""
++msgstr "FILER"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+ #: pam_sss.8.xml:215
+@@ -8584,6 +9041,10 @@ msgid ""
+ "does not support password resets, an individual message can be displayed. "
+ "This message can e.g. contain instructions about how to reset a password."
+ msgstr ""
++"Om en återställning av lösenord av root misslyckas, för att motsvarande SSSD-"
++"leverantör inte stödjer återställning av lösenord, kan ett individuellt "
++"meddelande visas.  Detta meddelande kan t.ex. innehålla instruktioner hur "
++"man återställer ett lösenord."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+ #: pam_sss.8.xml:220
+@@ -8596,6 +9057,13 @@ msgid ""
+ "the owner of the files and only root may have read and write permissions "
+ "while all other users must have only read permissions."
+ msgstr ""
++"Meddelandet läses från filen <filename>pam_sss_pw_reset_message.LOK</"
++"filename> där LOK står för en lokalsträng som den returneras av "
++"<citerefentry> <refentrytitle>setlocale</refentrytitle><manvolnum>3</"
++"manvolnum> </citerefentry>.  Om det inte finns någon matchande fil visas "
++"innehållet i <filename>pam_sss_pw_reset_message.txt</filename>.  Root måste "
++"vara ägaren av filerna och endast root får ha läs- och skrivrättigheter "
++"medan alla andra användare endast får ha läsrättigheter."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+ #: pam_sss.8.xml:230
+@@ -8604,16 +9072,19 @@ msgid ""
+ "DOMAIN_NAME/</filename>. If no matching file is present a generic message is "
+ "displayed."
+ msgstr ""
++"Man letar efter dessa filer i katalogen <filename>/etc/sssd/customize/"
++"DOMÄNNAMN/</filename>.  Om ingen matchande fil finns visas ett allmänt "
++"meddelande."
+ 
+ #. type: Content of: <reference><refentry><refnamediv><refname>
+ #: sssd_krb5_locator_plugin.8.xml:10 sssd_krb5_locator_plugin.8.xml:15
+ msgid "sssd_krb5_locator_plugin"
+-msgstr ""
++msgstr "sssd_krb5_locator_plugin"
+ 
+ #. type: Content of: <reference><refentry><refnamediv><refpurpose>
+ #: sssd_krb5_locator_plugin.8.xml:16
+ msgid "Kerberos locator plugin"
+-msgstr ""
++msgstr "Kerberos lokaliseringsinsticksmodul"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+ #: sssd_krb5_locator_plugin.8.xml:22
+@@ -8627,6 +9098,15 @@ msgid ""
+ "unexpected authentication failures and maybe even account lockings it would "
+ "be good to talk to a single KDC as long as possible."
+ msgstr ""
++"Kerberos lokaliseringsinsticksmodul <command>sssd_krb5_locator_plugin</"
++"command> används av libkrb5 för att hitta KDC:er för ett givet Kerberos-"
++"rike.  SSSD tillhandahåller en sådan insticksmodul för att styra alla "
++"Kerberos-klienter på ett system till en ensam KDC.  I allmänhet skall det "
++"inte ha någon betydelse vilken KDC en klientprocess pratar med.  Men det "
++"finns fall, t.ex. efter en lösenordsändring, då inte alla KDC:er är i samma "
++"tillstånd för att den nya datan måste spridas först.  För att undvika "
++"oväntade autentiseringsfel och kanske även kontolåsningar kan det vara bra "
++"att prata med en enskild KDC så länge som möjligt."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+ #: sssd_krb5_locator_plugin.8.xml:34
+@@ -8642,6 +9122,18 @@ msgid ""
+ "plugin. With this the plugin is still called but will provide no data to the "
+ "caller so that libkrb5 can fall back to other methods defined in krb5.conf."
+ msgstr ""
++"libkrb5 kommer söka efter lokaliseringsinsticksmodulen i underkatalogen "
++"libkrb5 till Kerberos katalog för insticksmoduler, se plugin_base_dir i "
++"<citerefentry> <refentrytitle>krb5.conf</refentrytitle> <manvolnum>5</"
++"manvolnum> </citerefentry> för detaljer.  Insticksmodulen kan endast "
++"avaktiveras genom att ta bort filen med insticksmodulen.  Det finns ingen "
++"möjlighet att avaktivera den i Kerberos konfiguration.  Men miljövariabeln "
++"SSSD_KRB5_LOCATOR_DISABLE kan användas för att avaktivera insticksmodulen "
++"för individuella kommandon.  Alternativt kan SSSD-alternativet "
++"krb5_use_kdcinfo=False användas för att inte generera de data som behövs av "
++"insticksmodulen.  Med denna anropas fortfarande intsticksmodulen men den "
++"tillhandahåller inga data till anroparen så att libkrb5 kan falla tillbaka "
++"på andra metoder som är definierade i krb5.conf."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+ #: sssd_krb5_locator_plugin.8.xml:50
+@@ -8653,36 +9145,42 @@ msgid ""
+ "separated with a colon, the IPv6 address has to be enclosed in squared "
+ "brackets in this case as usual. Valid entries are:"
+ msgstr ""
++"Insticksmodulen läser information om KDC:erna för ett givet rike från en fil "
++"som heter <filename>kdcinfo.RIKE</filename>.  Filen skall innehålla ett "
++"eller flera DNS-namn eller IP-adresser antingen i punktad decimal IPv4-"
++"notation eller den hexadecimal IPv6-nodationen.  Ett frivilligt portnummer "
++"kan läggas till på slutet separerat av ett kolon, IPv6-adressen måste "
++"inneslutas i hakparenteser i detta fall som vanligt.  Giltiga poster är:"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para>
+ #: sssd_krb5_locator_plugin.8.xml:58
+ msgid "kdc.example.com"
+-msgstr ""
++msgstr "kdc.exempel.se"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para>
+ #: sssd_krb5_locator_plugin.8.xml:59
+ msgid "kdc.example.com:321"
+-msgstr ""
++msgstr "kdc.exempel.se:321"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para>
+ #: sssd_krb5_locator_plugin.8.xml:60
+ msgid "1.2.3.4"
+-msgstr ""
++msgstr "1.2.3.4"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para>
+ #: sssd_krb5_locator_plugin.8.xml:61
+ msgid "5.6.7.8:99"
+-msgstr ""
++msgstr "5.6.7.8:99"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para>
+ #: sssd_krb5_locator_plugin.8.xml:62
+ msgid "2001:db8:85a3::8a2e:370:7334"
+-msgstr ""
++msgstr "2001:db8:85a3::8a2e:370:7334"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para>
+ #: sssd_krb5_locator_plugin.8.xml:63
+ msgid "[2001:db8:85a3::8a2e:370:7334]:321"
+-msgstr ""
++msgstr "[2001:db8:85a3::8a2e:370:7334]:321"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+ #: sssd_krb5_locator_plugin.8.xml:65
+@@ -8691,6 +9189,9 @@ msgid ""
+ "adds the address of the current KDC or domain controller SSSD is using to "
+ "this file."
+ msgstr ""
++"SSSD:s krb5-autentiseringsleverantör som också används av IPA- och AD-"
++"leverantörerna lägger till adresser till den aktuella KDC- eller "
++"domänkontrollern SSSD använder till denna fil. "
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+ #: sssd_krb5_locator_plugin.8.xml:70
+@@ -8704,6 +9205,16 @@ msgid ""
+ "MIT Kerberos specific master KDC. If the address contains a port number the "
+ "default KDC port 88 will be used for the latter."
+ msgstr ""
++"I miljöer med KDC:er som endast är för läsning och för läsning och skrivning "
++"där klienter förväntas använda instanser endast för läsning för allmänna "
++"operationer och endast KDC:n för läsning och skrivning för "
++"konfigurationsändringar som lösenordsändringar används även en "
++"<filename>kpasswdinfo.RIKE</filename> för att identifiera KDC:er för läsning "
++"och skrivning.  Om denna fill fins för det givna riket kommer innehållet "
++"användas av insticksmodulen för att svara på begäranden om en kpasswd- eller "
++"kadmin-server eller om den huvud-KDC:n spedifik för MIT Kerberos.  Om "
++"adressen innehåller ett portnummer kommer standard-KDC-porten 88 användas "
++"för det senare."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+ #: sssd_krb5_locator_plugin.8.xml:85
+@@ -8712,6 +9223,10 @@ msgid ""
+ "<command>sssd_krb5_locator_plugin</command> is not available on your system "
+ "you have to edit /etc/krb5.conf to reflect your Kerberos setup."
+ msgstr ""
++"Inte alla Kerberosimplementationer stödjer användningen av insticksmoduler.  "
++"Om <command>sssd_krb5_locator_plugin</command> inte är gilltänglig på ditt "
++"system måste du redigera /etc/krb5.conf för att avspegla din "
++"Kerberosuppsättning."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+ #: sssd_krb5_locator_plugin.8.xml:91
+@@ -8719,6 +9234,8 @@ msgid ""
+ "If the environment variable SSSD_KRB5_LOCATOR_DEBUG is set to any value "
+ "debug messages will be sent to stderr."
+ msgstr ""
++"Om miljövariabeln SSSD_KRB5_LOCATOR_DEBUG är satt till något värde kommer "
++"felsökningsmeddelanden skrivas till standard fel."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+ #: sssd_krb5_locator_plugin.8.xml:95
+@@ -8727,6 +9244,9 @@ msgid ""
+ "the plugin is disabled and will just return KRB5_PLUGIN_NO_HANDLE to the "
+ "caller."
+ msgstr ""
++"Om miljövariabeln SSSD_KRB5_LOCATOR_DISABLE är satt till något värde "
++"avaktiveras insticksmodulen och kommer bara returnera KRB5_PLUGIN_NO_HANDLE "
++"till anroparen."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+ #: sssd_krb5_locator_plugin.8.xml:100
+@@ -8736,16 +9256,20 @@ msgid ""
+ "default plugin returns KRB5_PLUGIN_NO_HANDLE to the caller immediately on "
+ "first DNS resolving failure."
+ msgstr ""
++"Om miljövariabeln SSSD_KRB5_LOCATOR_IGNORE_DNS_FAILURES är satt till något "
++"värde kommer insticksmodulen försöka slå upp alla DNS-namn i filen kdcinfo.  "
++"Som standard returneras KRB5_PLUGIN_NO_HANDLE till anroparen omedelbart vid "
++"den första misslyckade DNS-uppslagningen."
+ 
+ #. type: Content of: <reference><refentry><refnamediv><refname>
+ #: sssd-simple.5.xml:10 sssd-simple.5.xml:16
+ msgid "sssd-simple"
+-msgstr ""
++msgstr "sssd-simple"
+ 
+ #. type: Content of: <reference><refentry><refnamediv><refpurpose>
+ #: sssd-simple.5.xml:17
+ msgid "the configuration file for SSSD's 'simple' access-control provider"
+-msgstr ""
++msgstr "konfigurationsfilen för SSSD:s åtkomststyrningleverantör ”simple”"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+ #: sssd-simple.5.xml:24
+@@ -8757,6 +9281,12 @@ msgid ""
+ "<refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</manvolnum> </"
+ "citerefentry> manual page."
+ msgstr ""
++"Denna manualsida besriver konfigurationen av åtkomststyrningsleverantören "
++"simple till <citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</"
++"manvolnum> </citerefentry>.  För en detaljerad referens om syntaxen, se "
++"avsnittet <quote>FILFORMAT</quote> i manualsidan <citerefentry> "
++"<refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</manvolnum> </"
++"citerefentry>."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+ #: sssd-simple.5.xml:38
+@@ -8764,11 +9294,14 @@ msgid ""
+ "The simple access provider grants or denies access based on an access or "
+ "deny list of user or group names. The following rules apply:"
+ msgstr ""
++"Åtkomstleverantören simple tillåter eller nekar åtkomst baserat på en "
++"åtkomst- eller nekandelista över användar- eller gruppnamn.  Följande regler "
++"är tillämpliga:"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para>
+ #: sssd-simple.5.xml:43
+ msgid "If all lists are empty, access is granted"
+-msgstr ""
++msgstr "Om alla listor är timma tillåts åtkomst"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para>
+ #: sssd-simple.5.xml:47
+@@ -8776,6 +9309,9 @@ msgid ""
+ "If any list is provided, the order of evaluation is allow,deny. This means "
+ "that any matching deny rule will supersede any matched allow rule."
+ msgstr ""
++"Om någon lista tillhandahålls är evalueringsordningen allow,deny.  Detta "
++"betyder att en deny-regel som matchar kommer gå före en eventuell matchande "
++"allow-regel."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para>
+ #: sssd-simple.5.xml:54
+@@ -8783,6 +9319,8 @@ msgid ""
+ "If either or both \"allow\" lists are provided, all users are denied unless "
+ "they appear in the list."
+ msgstr ""
++"Om antingen den ena eller båda ”tillåtelselistorna” tillhandahålls nekas "
++"alla användare om de inte förekommer i listan."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para>
+ #: sssd-simple.5.xml:60
+@@ -8790,31 +9328,33 @@ msgid ""
+ "If only \"deny\" lists are provided, all users are granted access unless "
+ "they appear in the list."
+ msgstr ""
++"Om endast ”nekandelistor” tillhandahålls tillåts alla användare åtkomst om "
++"de inte förekommer i listan."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd-simple.5.xml:78
+ msgid "simple_allow_users (string)"
+-msgstr ""
++msgstr "simple_allow_users (sträng)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-simple.5.xml:81
+ msgid "Comma separated list of users who are allowed to log in."
+-msgstr ""
++msgstr "Kommaseparerad lista över användare som tillåts att logga in."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd-simple.5.xml:88
+ msgid "simple_deny_users (string)"
+-msgstr ""
++msgstr "simple_deny_users (sträng)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-simple.5.xml:91
+ msgid "Comma separated list of users who are explicitly denied access."
+-msgstr ""
++msgstr "Kommaseparerad lista över användare som explicit nekas åtkomst."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd-simple.5.xml:97
+ msgid "simple_allow_groups (string)"
+-msgstr ""
++msgstr "simple_allow_groups (sträng)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-simple.5.xml:100
+@@ -8822,11 +9362,13 @@ msgid ""
+ "Comma separated list of groups that are allowed to log in. This applies only "
+ "to groups within this SSSD domain. Local groups are not evaluated."
+ msgstr ""
++"Kommaseparerad lista över grupper som tillåts logga in.  Detta är endast "
++"tillämpligt på grupper i denna SSSD-domän.  Lokala grupper utvärderas inte."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd-simple.5.xml:108
+ msgid "simple_deny_groups (string)"
+-msgstr ""
++msgstr "simple_deny_groups (sträng)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-simple.5.xml:111
+@@ -8835,6 +9377,8 @@ msgid ""
+ "applies only to groups within this SSSD domain. Local groups are not "
+ "evaluated."
+ msgstr ""
++"Kommaseparerad lista över grupper som nekas åtkost.  Detta är endast "
++"tillämpligt på grupper i denna SSSD-domän.  Lokala grupper utvärderas inte."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+ #: sssd-simple.5.xml:70 sssd-ipa.5.xml:82 sssd-ad.5.xml:116
+@@ -8844,6 +9388,10 @@ msgid ""
+ "citerefentry> manual page for details on the configuration of an SSSD "
+ "domain.  <placeholder type=\"variablelist\" id=\"0\"/>"
+ msgstr ""
++"Se <quote>DOMÄNSEKTIONER</quote> i manualsidan <citerefentry> "
++"<refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</manvolnum> </"
++"citerefentry> för detaljer om konfigurationen av en SSSD-domän.  "
++"<placeholder type=\"variablelist\" id=\"0\"/>"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+ #: sssd-simple.5.xml:120
+@@ -8852,6 +9400,9 @@ msgid ""
+ "entirely. Beware of this while generating parameters for the simple provider "
+ "using automated scripts."
+ msgstr ""
++"Att inte ange några värden för någon av listorna är likvärdigt med att hoppa "
++"över det helt.  Var medveten om detta när parametrar genereras för "
++"leverantören simple med automatiserade skript."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+ #: sssd-simple.5.xml:125
+@@ -8859,6 +9410,8 @@ msgid ""
+ "Please note that it is an configuration error if both, simple_allow_users "
+ "and simple_deny_users, are defined."
+ msgstr ""
++"Observera att det är ett konfigurationsfel om båda, simple_allow_users och "
++"simple_deny_users, är definierade."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+ #: sssd-simple.5.xml:133
+@@ -8867,6 +9420,10 @@ msgid ""
+ "com is one of the domains in the <replaceable>[sssd]</replaceable> section. "
+ "This examples shows only the simple access provider-specific options."
+ msgstr ""
++"Följande exempel antar att SSSD är korrekt konfigurerat och att exempel.se "
++"är en av domänerna i avsnittet <replaceable>[sssd]</replaceable>.  Dessa "
++"exempel visar endast alternativ som är specifika för åtkomstleverantören "
++"simple."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><programlisting>
+ #: sssd-simple.5.xml:140
+@@ -8876,6 +9433,9 @@ msgid ""
+ "access_provider = simple\n"
+ "simple_allow_users = user1, user2\n"
+ msgstr ""
++"[domain/exempel.se]\n"
++"access_provider = simple\n"
++"simple_allow_users = användare1, användare2\n"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+ #: sssd-simple.5.xml:150
+@@ -8887,16 +9447,22 @@ msgid ""
+ "<refentrytitle>sssd-ldap</refentrytitle><manvolnum>5</manvolnum> </"
+ "citerefentry>) option."
+ msgstr ""
++"Den fullständiga gruppmedlemsskapshierarkin löses upp före "
++"åtkomstkontrollen, alltså kan även nästade grupper inkluderas i "
++"åtkomstlistorna.  Var medveten om att alternativet "
++"<quote>ldap_group_nesting_level</quote> kan påverka resultaten och skall "
++"sättas till ett tillräckligt värde.  (<citerefentry> <refentrytitle>sssd-"
++"ldap</refentrytitle><manvolnum>5</manvolnum> </citerefentry>)"
+ 
+ #. type: Content of: <reference><refentry><refnamediv><refname>
+ #: sss-certmap.5.xml:10 sss-certmap.5.xml:16
+ msgid "sss-certmap"
+-msgstr ""
++msgstr "sss-certmap"
+ 
+ #. type: Content of: <reference><refentry><refnamediv><refpurpose>
+ #: sss-certmap.5.xml:17
+ msgid "SSSD Certificate Matching and Mapping Rules"
+-msgstr ""
++msgstr "SSSD:s certifikatmatchnings- och -mappningsregler"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+ #: sss-certmap.5.xml:23
+@@ -8904,6 +9470,8 @@ msgid ""
+ "The manual page describes the rules which can be used by SSSD and other "
+ "components to match X.509 certificates and map them to accounts."
+ msgstr ""
++"Manualsidan beskriver reglerna som kan användas av SSSD och andra "
++"komponenter för att matcha X.509-certifikat och koppla dem till konton."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+ #: sss-certmap.5.xml:28
+@@ -8918,16 +9486,25 @@ msgid ""
+ "encoded binary. If no domains are given only the local domain will be "
+ "searched."
+ msgstr ""
++"Varje regel har fyra komponenter, en <quote>prioritet</quote>, en "
++"<quote>matchningsregel</quote>, en <quote>mappningsregel</quote> och en "
++"<quote>domänlista</quote>.  Alla komponenter är frivilliga.  En saknad "
++"<quote>prioritet</quote> kommer lägga till regel med den lägsta "
++"prioriteten.  Standard-<quote>matchningsregeln</quote> kommer matcha "
++"certifikat med digitalSignature-nyckelanvändning och clientAuth-"
++"utökadnyckelanvändning.  Om <quote>mappningsregeln</quote> är tom kommer "
++"certifikaten sökas efter i attrubutet userCertificate som DER-kodade "
++"binärer.  Om inga domäner anges kommer endast den lokala domänen sökas."
+ 
+ #. type: Content of: <reference><refentry><refsect1><title>
+ #: sss-certmap.5.xml:41
+ msgid "RULE COMPONENTS"
+-msgstr ""
++msgstr "REGELKOMPONENTER"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><title>
+ #: sss-certmap.5.xml:43
+ msgid "PRIORITY"
+-msgstr ""
++msgstr "PRIORITET"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para>
+ #: sss-certmap.5.xml:45
+@@ -8937,6 +9514,10 @@ msgid ""
+ "missing value indicates the lowest priority. The rules processing is stopped "
+ "when a matched rule is found and no further rules are checked."
+ msgstr ""
++"Reglerna bearbetas i prioritetsordning där ”0” (noll) indikerar den högsta "
++"prioriteten.  Ju högre talet är desto lägre är prioriteten.  Ett saknat "
++"värde indikerar den lägsta prioriteten.  Regelbearbetningen stoppas när en "
++"regel som matchar hittas och inga ytterligare regler kontrolleras."
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para>
+ #: sss-certmap.5.xml:52
+@@ -8944,11 +9525,13 @@ msgid ""
+ "Internally the priority is treated as unsigned 32bit integer, using a "
+ "priority value larger than 4294967295 will cause an error."
+ msgstr ""
++"Internt  behandlas prioriteten som teckenlösa 32-bitars heltal, att använda "
++"ett prioritetsvärde större än 4294967295 kommer orsaka ett fel."
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><title>
+ #: sss-certmap.5.xml:57
+ msgid "MATCHING RULE"
+-msgstr ""
++msgstr "MATCHNINGSREGEL"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para>
+ #: sss-certmap.5.xml:59
+@@ -8961,11 +9544,18 @@ msgid ""
+ "Multiple keyword pattern pairs can be either joined with '&amp;&amp;' (and) "
+ "or '&#124;&#124;' (or)."
+ msgstr ""
++"Matchningsregeln används för att välja ett certifikat som "
++"översättningsregeln skall tillämpas på.  Det använder ett system liknande "
++"det som används av alternativet <quote>pkinit_cert_match</quote> i MIT "
++"Kerberos.  Det består av ett nyckelord omgivet av ”&lt;” och ”&gt;” som "
++"identifierar en specifik del av certifikatet och ett mönster som skall "
++"finnas för att regeln skall matcha.  Flera nyckelord/mönster-par  kan "
++"antingen sammanfogas med ”&amp;&amp;” (och) eller ”&#124;&#124;” (eller)."
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+ #: sss-certmap.5.xml:71
+ msgid "&lt;SUBJECT&gt;regular-expression"
+-msgstr ""
++msgstr "&lt;SUBJECT&gt;reguljärt-uttryck"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+ #: sss-certmap.5.xml:74
+@@ -8974,6 +9564,9 @@ msgid ""
+ "matched. For the matching POSIX Extended Regular Expression syntax is used, "
+ "see regex(7)  for details."
+ msgstr ""
++"Med denna kan en del eller hela certifikatets subject-namn matchas.  För "
++"matchningen används POSIX syntax för utökade reguljära uttryck, se regex(7) "
++"för detaljer."
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+ #: sss-certmap.5.xml:80
+@@ -8987,16 +9580,21 @@ msgid ""
+ "confusion those attribute names are best not used or covered by a suitable "
+ "regular-expression."
+ msgstr ""
++"För matchningen konverteras subject-namnet lagrat i certifikatet i DER-kodad "
++"ASN.1 till en sträng i enlighet med RFC 4514.  Detta betyder att den mest "
++"specifika namnkomponenten kommer först.  Observera att inte alla möjliga "
++"attributnamn täcks av RFC 4514.  De inkluderade namnen är ”CN”, ”L”, ”ST”, "
++"”O”, ”OU”, ”C”, ”STREET”, ”DC” och ”UID”. "
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+ #: sss-certmap.5.xml:93
+ msgid "Example: &lt;SUBJECT&gt;.*,DC=MY,DC=DOMAIN"
+-msgstr ""
++msgstr "Exempel: &lt;SUBJECT&gt;.*,DC=MIN,DC=DOMÄN"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+ #: sss-certmap.5.xml:98
+ msgid "&lt;ISSUER&gt;regular-expression"
+-msgstr ""
++msgstr "&lt;ISSUER&gt;reguljärt-uttryck"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+ #: sss-certmap.5.xml:101
+@@ -9004,16 +9602,18 @@ msgid ""
+ "With this a part or the whole issuer name of the certificate can be matched. "
+ "All comments for &lt;SUBJECT&gt; apply her as well."
+ msgstr ""
++"Med denna kan en del eller hela certifikatets issuer-namn matchas.  Alla "
++"kommentarer för &lt;SUBJECT&gt; är tillämpliga här också."
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+ #: sss-certmap.5.xml:106
+ msgid "Example: &lt;ISSUER&gt;^CN=My-CA,DC=MY,DC=DOMAIN$"
+-msgstr ""
++msgstr "Exempel: &lt;ISSUER&gt;^CN=Min-CA,DC=MIN,DC=DOMÄN$"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+ #: sss-certmap.5.xml:111
+ msgid "&lt;KU&gt;key-usage"
+-msgstr ""
++msgstr "&lt;KU&gt;nyckelanvändning"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+ #: sss-certmap.5.xml:114
+@@ -9021,51 +9621,54 @@ msgid ""
+ "This option can be used to specify which key usage values the certificate "
+ "should have. The following values can be used in a comma separated list:"
+ msgstr ""
++"Detta alternativ kan användas för att specificera vilka "
++"nyckelanvändningsvärden certifikatet skall ha.  Följande värden kan användas "
++"i en kommaseparerad lista:"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+ #: sss-certmap.5.xml:118
+ msgid "digitalSignature"
+-msgstr ""
++msgstr "digitalSignature"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+ #: sss-certmap.5.xml:119
+ msgid "nonRepudiation"
+-msgstr ""
++msgstr "nonRepudiation"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+ #: sss-certmap.5.xml:120
+ msgid "keyEncipherment"
+-msgstr ""
++msgstr "keyEncipherment"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+ #: sss-certmap.5.xml:121
+ msgid "dataEncipherment"
+-msgstr ""
++msgstr "dataEncipherment"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+ #: sss-certmap.5.xml:122
+ msgid "keyAgreement"
+-msgstr ""
++msgstr "keyAgreement"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+ #: sss-certmap.5.xml:123
+ msgid "keyCertSign"
+-msgstr ""
++msgstr "keyCertSign"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+ #: sss-certmap.5.xml:124
+ msgid "cRLSign"
+-msgstr ""
++msgstr "cRLSign"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+ #: sss-certmap.5.xml:125
+ msgid "encipherOnly"
+-msgstr ""
++msgstr "encipherOnly"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+ #: sss-certmap.5.xml:126
+ msgid "decipherOnly"
+-msgstr ""
++msgstr "decipherOnly"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+ #: sss-certmap.5.xml:130
+@@ -9073,16 +9676,18 @@ msgid ""
+ "A numerical value in the range of a 32bit unsigned integer can be used as "
+ "well to cover special use cases."
+ msgstr ""
++"Ett numeriskt värde i intervallet hos ett 32-bitars teckenlöst heltal kan "
++"användas också för att täcka speciella användningsfall."
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+ #: sss-certmap.5.xml:134
+ msgid "Example: &lt;KU&gt;digitalSignature,keyEncipherment"
+-msgstr ""
++msgstr "Exempel: &lt;KU&gt;digitalSignature,keyEncipherment"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+ #: sss-certmap.5.xml:139
+ msgid "&lt;EKU&gt;extended-key-usage"
+-msgstr ""
++msgstr "&lt;EKU&gt;utökad-nyckel-användning"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+ #: sss-certmap.5.xml:142
+@@ -9090,51 +9695,54 @@ msgid ""
+ "This option can be used to specify which extended key usage the certificate "
+ "should have. The following value can be used in a comma separated list:"
+ msgstr ""
++"Detta alternativ kan användas för att specificera vilka utökade-nyckel-"
++"användningsvärden certifikatet skall ha.  Följande värden kan användas i en "
++"kommaseparerad lista:"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+ #: sss-certmap.5.xml:146
+ msgid "serverAuth"
+-msgstr ""
++msgstr "serverAuth"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+ #: sss-certmap.5.xml:147
+ msgid "clientAuth"
+-msgstr ""
++msgstr "clientAuth"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+ #: sss-certmap.5.xml:148
+ msgid "codeSigning"
+-msgstr ""
++msgstr "codeSigning"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+ #: sss-certmap.5.xml:149
+ msgid "emailProtection"
+-msgstr ""
++msgstr "emailProtection"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+ #: sss-certmap.5.xml:150
+ msgid "timeStamping"
+-msgstr ""
++msgstr "timeStamping"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+ #: sss-certmap.5.xml:151
+ msgid "OCSPSigning"
+-msgstr ""
++msgstr "OCSPSigning"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+ #: sss-certmap.5.xml:152
+ msgid "KPClientAuth"
+-msgstr ""
++msgstr "KPClientAuth"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+ #: sss-certmap.5.xml:153
+ msgid "pkinit"
+-msgstr ""
++msgstr "pkinit"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+ #: sss-certmap.5.xml:154
+ msgid "msScLogin"
+-msgstr ""
++msgstr "msScLogin"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+ #: sss-certmap.5.xml:158
+@@ -9142,16 +9750,18 @@ msgid ""
+ "Extended key usages which are not listed above can be specified with their "
+ "OID in dotted-decimal notation."
+ msgstr ""
++"Användningar av utökade nycklar som inte listas ovanför kan specificeras med "
++"sina OID:er i punktad decimal notation."
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+ #: sss-certmap.5.xml:162
+ msgid "Example: &lt;EKU&gt;clientAuth,1.3.6.1.5.2.3.4"
+-msgstr ""
++msgstr "Exempel: &lt;EKU&gt;clientAuth,1.3.6.1.5.2.3.4"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+ #: sss-certmap.5.xml:167
+ msgid "&lt;SAN&gt;regular-expression"
+-msgstr ""
++msgstr "&lt;SAN&gt;reguljärt-uttryck"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+ #: sss-certmap.5.xml:170
+@@ -9160,61 +9770,64 @@ msgid ""
+ "Kerberos principals in the PKINIT or AD NT Principal SAN as &lt;SAN:"
+ "Principal&gt; does."
+ msgstr ""
++"För att vara kompatibel med användningen av MIT Kerberos kommer detta "
++"alternativ matcha Kerberos-huvudmän i PKINIT eller AD NT-Principal SAN som "
++"&lt;SAN:Principal&gt; gör."
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+ #: sss-certmap.5.xml:175
+ msgid "Example: &lt;SAN&gt;.*@MY\\.REALM"
+-msgstr ""
++msgstr "Exempel: &lt;SAN&gt;.*@MITT\\.RIKE"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+ #: sss-certmap.5.xml:180
+ msgid "&lt;SAN:Principal&gt;regular-expression"
+-msgstr ""
++msgstr "&lt;SAN:Principal&gt;reguljärt-uttryck"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+ #: sss-certmap.5.xml:183
+ msgid "Match the Kerberos principals in the PKINIT or AD NT Principal SAN."
+-msgstr ""
++msgstr "Matcha Kerberos-huvudmännen i PKINIT eller AD NT Principal "
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+ #: sss-certmap.5.xml:187
+ msgid "Example: &lt;SAN:Principal&gt;.*@MY\\.REALM"
+-msgstr ""
++msgstr "Exempel: &lt;SAN:Principal&gt;.*@MITT\\.RIKE"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+ #: sss-certmap.5.xml:192
+ msgid "&lt;SAN:ntPrincipalName&gt;regular-expression"
+-msgstr ""
++msgstr "&lt;SAN:ntPrincipalName&gt;reguljärt-uttryck"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+ #: sss-certmap.5.xml:195
+ msgid "Match the Kerberos principals from the AD NT Principal SAN."
+-msgstr ""
++msgstr "Matcha Kerberhos-huvudmän från AD NT Principal SAN."
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+ #: sss-certmap.5.xml:199
+ msgid "Example: &lt;SAN:ntPrincipalName&gt;.*@MY.AD.REALM"
+-msgstr ""
++msgstr "Exempel: &lt;SAN:ntPrincipalName&gt;.*@MITT.AD.RIKE"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+ #: sss-certmap.5.xml:204
+ msgid "&lt;SAN:pkinit&gt;regular-expression"
+-msgstr ""
++msgstr "&lt;SAN:pkinit&gt;reguljärt-uttryck"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+ #: sss-certmap.5.xml:207
+ msgid "Match the Kerberos principals from the PKINIT SAN."
+-msgstr ""
++msgstr "Matcha Kerberos-huvudmän från PKINIT SAN."
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+ #: sss-certmap.5.xml:210
+ msgid "Example: &lt;SAN:ntPrincipalName&gt;.*@MY\\.PKINIT\\.REALM"
+-msgstr ""
++msgstr "Exempel: &lt;SAN:ntPrincipalName&gt;.*@MITT\\.PKINIT\\.RIKE"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+ #: sss-certmap.5.xml:215
+ msgid "&lt;SAN:dotted-decimal-oid&gt;regular-expression"
+-msgstr ""
++msgstr "&lt;SAN:dotted-decimal-oid&gt;reguljärt-uttryck"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+ #: sss-certmap.5.xml:218
+@@ -9223,16 +9836,19 @@ msgid ""
+ "decimal notation, interpret it as string and try to match it against the "
+ "regular expression."
+ msgstr ""
++"Ta värdet från otherName SAN-komponenten som anges av OID:n i punktad "
++"decimal notation, tolka den som en sträng och försök att matcha den mot det "
++"reguljära uttrycket."
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+ #: sss-certmap.5.xml:224
+ msgid "Example: &lt;SAN:1.2.3.4&gt;test"
+-msgstr ""
++msgstr "Exempel: &lt;SAN:1.2.3.4&gt;test"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+ #: sss-certmap.5.xml:229
+ msgid "&lt;SAN:otherName&gt;base64-string"
+-msgstr ""
++msgstr "&lt;SAN:otherName&gt;base64-sträng"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+ #: sss-certmap.5.xml:232
+@@ -9242,61 +9858,65 @@ msgid ""
+ "otherName components with special encodings which could not be treated as "
+ "strings."
+ msgstr ""
++"Gör en binär matchning med den base64-kodade klicken mot alla otherName SAN-"
++"komponenter.  Med detta alternativ är det möjligt att macha mot anpassade "
++"otherName-komponenter med speciella kodningar som inte kan hanteras som "
++"strängar."
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+ #: sss-certmap.5.xml:239
+ msgid "Example: &lt;SAN:otherName&gt;MTIz"
+-msgstr ""
++msgstr "Exempel: &lt;SAN:otherName&gt;MTIz"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+ #: sss-certmap.5.xml:244
+ msgid "&lt;SAN:rfc822Name&gt;regular-expression"
+-msgstr ""
++msgstr "&lt;SAN:rfc822Name&gt;reguljärt-uttryck"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+ #: sss-certmap.5.xml:247
+ msgid "Match the value of the rfc822Name SAN."
+-msgstr ""
++msgstr "Matcha värdet på rfc822Name SAN."
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+ #: sss-certmap.5.xml:250
+ msgid "Example: &lt;SAN:rfc822Name&gt;.*@email\\.domain"
+-msgstr ""
++msgstr "Exempel: &lt;SAN:rfc822Name&gt;.*@epost\\.domän"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+ #: sss-certmap.5.xml:255
+ msgid "&lt;SAN:dNSName&gt;regular-expression"
+-msgstr ""
++msgstr "&lt;SAN:dNSName&gt;reguljärt-uttryck"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+ #: sss-certmap.5.xml:258
+ msgid "Match the value of the dNSName SAN."
+-msgstr ""
++msgstr "Matcha värdet på dNSName SAN."
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+ #: sss-certmap.5.xml:261
+ msgid "Example: &lt;SAN:dNSName&gt;.*\\.my\\.dns\\.domain"
+-msgstr ""
++msgstr "Exempel: &lt;SAN:dNSName&gt;.*\\.min\\.dns\\.domän"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+ #: sss-certmap.5.xml:266
+ msgid "&lt;SAN:x400Address&gt;base64-string"
+-msgstr ""
++msgstr "&lt;SAN:x400Address&gt;base64-sträng"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+ #: sss-certmap.5.xml:269
+ msgid "Binary match the value of the x400Address SAN."
+-msgstr ""
++msgstr "Matcha binärt värdet på x400Address SAN."
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+ #: sss-certmap.5.xml:272
+ msgid "Example: &lt;SAN:x400Address&gt;MTIz"
+-msgstr ""
++msgstr "Exempel: &lt;SAN:x400Address&gt;MTIz"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+ #: sss-certmap.5.xml:277
+ msgid "&lt;SAN:directoryName&gt;regular-expression"
+-msgstr ""
++msgstr "&lt;SAN:directoryName&gt;reguljärt-uttryck"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+ #: sss-certmap.5.xml:280
+@@ -9304,82 +9924,86 @@ msgid ""
+ "Match the value of the directoryName SAN. The same comments as given for &lt;"
+ "ISSUER&gt; and &lt;SUBJECT&gt; apply here as well."
+ msgstr ""
++"Matcha värdet på directoryName SAN.  Samma kommentarer som gavs för &lt;"
++"ISSUER&gt; och &lt;SUBJECT&gt; gäller här också."
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+ #: sss-certmap.5.xml:285
+ msgid "Example: &lt;SAN:directoryName&gt;.*,DC=com"
+-msgstr ""
++msgstr "Exempel: &lt;SAN:directoryName&gt;.*,DC=com"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+ #: sss-certmap.5.xml:290
+ msgid "&lt;SAN:ediPartyName&gt;base64-string"
+-msgstr ""
++msgstr "&lt;SAN:ediPartyName&gt;base64-sträng"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+ #: sss-certmap.5.xml:293
+ msgid "Binary match the value of the ediPartyName SAN."
+-msgstr ""
++msgstr "Matcha binärt värdet på ediPartyName SAN."
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+ #: sss-certmap.5.xml:296
+ msgid "Example: &lt;SAN:ediPartyName&gt;MTIz"
+-msgstr ""
++msgstr "Exempel: &lt;SAN:ediPartyName&gt;MTIz"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+ #: sss-certmap.5.xml:301
+ msgid "&lt;SAN:uniformResourceIdentifier&gt;regular-expression"
+-msgstr ""
++msgstr "&lt;SAN:uniformResourceIdentifier&gt;reguljärt-uttryck"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+ #: sss-certmap.5.xml:304
+ msgid "Match the value of the uniformResourceIdentifier SAN."
+-msgstr ""
++msgstr "Matcha värdet på uniformResourceIdentifier SAN."
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+ #: sss-certmap.5.xml:307
+ msgid "Example: &lt;SAN:uniformResourceIdentifier&gt;URN:.*"
+-msgstr ""
++msgstr "Exempel: &lt;SAN:uniformResourceIdentifier&gt;URN:.*"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+ #: sss-certmap.5.xml:312
+ msgid "&lt;SAN:iPAddress&gt;regular-expression"
+-msgstr ""
++msgstr "&lt;SAN:iPAddress&gt;reguljärt-uttryck"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+ #: sss-certmap.5.xml:315
+ msgid "Match the value of the iPAddress SAN."
+-msgstr ""
++msgstr "Matcha värdet på iPAddress SAN."
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+ #: sss-certmap.5.xml:318
+ msgid "Example: &lt;SAN:iPAddress&gt;192\\.168\\..*"
+-msgstr ""
++msgstr "Exempel: &lt;SAN:iPAddress&gt;192\\.168\\..*"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+ #: sss-certmap.5.xml:323
+ msgid "&lt;SAN:registeredID&gt;regular-expression"
+-msgstr ""
++msgstr "&lt;SAN:registeredID&gt;reguljärt-uttryck"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+ #: sss-certmap.5.xml:326
+ msgid "Match the value of the registeredID SAN as dotted-decimal string."
+-msgstr ""
++msgstr "Matcha värdet på registeredID SAN som punktad decimal sträng."
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+ #: sss-certmap.5.xml:330
+ msgid "Example: &lt;SAN:registeredID&gt;1\\.2\\.3\\..*"
+-msgstr ""
++msgstr "Exempel: &lt;SAN:registeredID&gt;1\\.2\\.3\\..*"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para>
+ #: sss-certmap.5.xml:68
+ msgid ""
+ "The available options are: <placeholder type=\"variablelist\" id=\"0\"/>"
+ msgstr ""
++"De tillgängliga alternativen är: <placeholder type=\"variablelist\" id=\"0\"/"
++">"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><title>
+ #: sss-certmap.5.xml:338
+ msgid "MAPPING RULE"
+-msgstr ""
++msgstr "MAPPNINGSREGEL"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para>
+ #: sss-certmap.5.xml:340
+@@ -9388,6 +10012,9 @@ msgid ""
+ "accounts. A Smartcard with the certificate and the matching private key can "
+ "then be used to authenticate as one of those accounts."
+ msgstr ""
++"Mappningsregeln används för att koppla ett certifikat med ett eller flera "
++"konton.  Ett smartkort med certifik och den matchande privata nyckeln kan då "
++"användas för autentisering som ett av dessa konton."
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para>
+ #: sss-certmap.5.xml:345
+@@ -9400,6 +10027,14 @@ msgid ""
+ "caller will embed it in another filter to do the actual search. Because of "
+ "this the filter string should start and stop with '(' and ')' respectively."
+ msgstr ""
++"För närvarande stödjer SSSD egentligen bara LDAP för att slå upp "
++"användarinformation (undantaget är proxy-leverantören som inte är relevant "
++"här.  På grund av detta är mappningsregeln baserad på syntaxen för LDAP-"
++"sökfilter med mallar för att lägga till certifikatinnehåll till filtret.  "
++"Det antas att filtret endast kommer innehålla de specifika data som behövs "
++"för mappningen och att anroparen kommer bädda in dem i ett annat filter för "
++"att göra den egentliga sökningen.  Därför skall filtersträngen börja och "
++"sluta med ”(” respektive ”)”."
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para>
+ #: sss-certmap.5.xml:355
+@@ -9409,6 +10044,10 @@ msgid ""
+ "'altSecurityIdentities' attribute in AD or the 'ipaCertMapData' attribute "
+ "for IPA can be used."
+ msgstr ""
++"I allmänhet rekommenderas det att använda attribut från certifikatet och "
++"lägga till dem till speciella attribut till LDAP-användarobjektet.  T.ex. "
++"kan attributet ”altSecurityIdentities” i AD eller attributet "
++"”ipaCertMapData” i IPA användas."
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para>
+ #: sss-certmap.5.xml:361
+@@ -9419,11 +10058,16 @@ msgid ""
+ "would break the mapping. On the other hand it would be hard to break the "
+ "mapping on purpose for a specific user."
+ msgstr ""
++"Detta bör hellre användas än att läsa användarspecifik data från "
++"certifikatet som t.ex. en e-postadress och söka efter den i LDAP-servern.  "
++"Anledningen är att användarspecifika data i LDAP kan ändras av olika "
++"anledningar vilket skulle göra sönder mappningen.  Å andra sidan skulle det "
++"vara svårt att bryta mappningen avsiktligt för en specifik användare."
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+ #: sss-certmap.5.xml:376
+ msgid "{issuer_dn[!((ad|ad_x500)|ad_ldap|nss_x500|(nss|nss_ldap))]}"
+-msgstr ""
++msgstr "{issuer_dn[!((ad|ad_x500)|ad_ldap|nss_x500|(nss|nss_ldap))]}"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+ #: sss-certmap.5.xml:379
+@@ -9432,6 +10076,9 @@ msgid ""
+ "RFC 4514. If X.500 ordering (most specific RDN comes last) an option with "
+ "the '_x500' prefix should be used."
+ msgstr ""
++"Mallen kommer lägga till den fullständiga utgivar-DN:en konverterad till en "
++"strän enligt RFC 4514.  OM X.500-ordning (mest speccifik RDN kommer sist) "
++"skall ett alternativ med prefixet ”_x500” användas."
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+ #: sss-certmap.5.xml:385 sss-certmap.5.xml:411
+@@ -9439,6 +10086,8 @@ msgid ""
+ "The conversion options starting with 'ad_' will use attribute names as used "
+ "by AD, e.g. 'S' instead of 'ST'."
+ msgstr ""
++"Konverteringsalternativen som börjar med ”ad_” kommer använda attribut som "
++"de används av AD, t.ex. ”S” istället för ”ST”."
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+ #: sss-certmap.5.xml:389 sss-certmap.5.xml:415
+@@ -9446,6 +10095,8 @@ msgid ""
+ "The conversion options starting with 'nss_' will use attribute names as used "
+ "by NSS."
+ msgstr ""
++"Konverteringsalternativen som börjar med ”nss_” kommer använda attributnamn "
++"som de används av NSS."
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+ #: sss-certmap.5.xml:393 sss-certmap.5.xml:419
+@@ -9453,6 +10104,8 @@ msgid ""
+ "The default conversion option is 'nss', i.e. attribute names according to "
+ "NSS and LDAP/RFC 4514 ordering."
+ msgstr ""
++"Standard för konverteringsalternativ är ”nss”, d.v.s. attributnamn enligt "
++"NSS och LDAP/RFC 4514-ordning."
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+ #: sss-certmap.5.xml:397
+@@ -9460,11 +10113,13 @@ msgid ""
+ "Example: (ipacertmapdata=X509:&lt;I&gt;{issuer_dn!ad}&lt;S&gt;{subject_dn!"
+ "ad})"
+ msgstr ""
++"Exempel: (ipacertmapdata=X509:&lt;I&gt;{issuer_dn!ad}&lt;S&gt;{subject_dn!"
++"ad})"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+ #: sss-certmap.5.xml:402
+ msgid "{subject_dn[!((ad|ad_x500)|ad_ldap|nss_x500|(nss|nss_ldap))]}"
+-msgstr ""
++msgstr "{subject_dn[!((ad|ad_x500)|ad_ldap|nss_x500|(nss|nss_ldap))]}"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+ #: sss-certmap.5.xml:405
+@@ -9473,6 +10128,9 @@ msgid ""
+ "RFC 4514. If X.500 ordering (most specific RDN comes last) an option with "
+ "the '_x500' prefix should be used."
+ msgstr ""
++"Mallen kommer lägga till den fullständiga subjekt-DN:en konverterad till en "
++"strän enligt RFC 4514.  OM X.500-ordning (mest speccifik RDN kommer sist) "
++"skall ett alternativ med prefixet ”_x500” användas."
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+ #: sss-certmap.5.xml:423
+@@ -9480,11 +10138,13 @@ msgid ""
+ "Example: (ipacertmapdata=X509:&lt;I&gt;{issuer_dn!nss_x500}&lt;S&gt;"
+ "{subject_dn!nss_x500})"
+ msgstr ""
++"Exempel: (ipacertmapdata=X509:&lt;I&gt;{issuer_dn!nss_x500}&lt;S&gt;"
++"{subject_dn!nss_x500})"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+ #: sss-certmap.5.xml:428
+ msgid "{cert[!(bin|base64)]}"
+-msgstr ""
++msgstr "{cert[!(bin|base64)]}"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+ #: sss-certmap.5.xml:431
+@@ -9495,16 +10155,21 @@ msgid ""
+ "hex sequence is the default and can e.g. be used with the LDAP attribute "
+ "'userCertificate;binary'."
+ msgstr ""
++"Denna mall kommer lägga till hela det DER-kodade certifikatet som än sträng "
++"till sökfiltret.  Beroende på konverteringsalternativen konverteras antingen "
++"certifikatet till en hex-sekvens med styrtecken ”\\xx” eller till base64.  "
++"Hex-strängen med styrtecken är standard och kan t.ex. användas med LDAP-"
++"attributet ”userCertificate;binary”."
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+ #: sss-certmap.5.xml:439
+ msgid "Example: (userCertificate;binary={cert!bin})"
+-msgstr ""
++msgstr "Exempel: (userCertificate;binary={cert!bin})"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+ #: sss-certmap.5.xml:444
+ msgid "{subject_principal[.short_name]}"
+-msgstr ""
++msgstr "{subject_principal[.short_name]}"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+ #: sss-certmap.5.xml:447
+@@ -9513,6 +10178,9 @@ msgid ""
+ "SAN used by pkinit or the one used by AD. The 'short_name' component "
+ "represents the first part of the principal before the '@' sign."
+ msgstr ""
++"Denna mall kommer lägga Kerberos-huvudmannen som hämtas antingen från den "
++"SAN som används av pkinit eller den som används av AD.  Komponenten "
++"”short_name” representerar första delen av huvudmannen före tecknet ”@”."
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+ #: sss-certmap.5.xml:453 sss-certmap.5.xml:481
+@@ -9520,11 +10188,13 @@ msgid ""
+ "Example: (|(userPrincipal={subject_principal})"
+ "(samAccountName={subject_principal.short_name}))"
+ msgstr ""
++"Exempel: (|(userPrincipal={subject_principal})"
++"(samAccountName={subject_principal.short_name}))"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+ #: sss-certmap.5.xml:458
+ msgid "{subject_pkinit_principal[.short_name]}"
+-msgstr ""
++msgstr "{subject_pkinit_principal[.short_name]}"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+ #: sss-certmap.5.xml:461
+@@ -9533,6 +10203,9 @@ msgid ""
+ "by pkinit. The 'short_name' component represents the first part of the "
+ "principal before the '@' sign."
+ msgstr ""
++"Denna mall kommer lägga Kerberos-huvudmannen som hämtas från den SAN som "
++"används av pkinit.  Komponenten ”short_name” representerar första delen av "
++"huvudmannen före tecknet ”@”."
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+ #: sss-certmap.5.xml:467
+@@ -9540,11 +10213,13 @@ msgid ""
+ "Example: (|(userPrincipal={subject_pkinit_principal})"
+ "(uid={subject_pkinit_principal.short_name}))"
+ msgstr ""
++"Exempel: (|(userPrincipal={subject_pkinit_principal})"
++"(uid={subject_pkinit_principal.short_name}))"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+ #: sss-certmap.5.xml:472
+ msgid "{subject_nt_principal[.short_name]}"
+-msgstr ""
++msgstr "{subject_nt_principal[.short_name]}"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+ #: sss-certmap.5.xml:475
+@@ -9553,11 +10228,14 @@ msgid ""
+ "by AD. The 'short_name' component represent the first part of the principal "
+ "before the '@' sign."
+ msgstr ""
++"Denna mall kommer lägga Kerberos-huvudmannen som hämtas från den SAN som "
++"används av AD.  Komponenten ”short_name” representerar första delen av "
++"huvudmannen före tecknet ”@”."
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+ #: sss-certmap.5.xml:486
+ msgid "{subject_rfc822_name[.short_name]}"
+-msgstr ""
++msgstr "{subject_rfc822_name[.short_name]}"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+ #: sss-certmap.5.xml:489
+@@ -9566,6 +10244,9 @@ msgid ""
+ "component of the SAN, typically an email address. The 'short_name' component "
+ "represents the first part of the address before the '@' sign."
+ msgstr ""
++"Denna mall kommer lägga till strängen som lagras i komponenten rfc822Name "
++"SAN:en, normalt en e-postadress.  Komponenten ”short_name” representerar "
++"första delen av huvudmannen före tecknet ”@”."
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+ #: sss-certmap.5.xml:495
+@@ -9573,11 +10254,13 @@ msgid ""
+ "Example: (|(mail={subject_rfc822_name})(uid={subject_rfc822_name."
+ "short_name}))"
+ msgstr ""
++"Exempel: (|(mail={subject_rfc822_name})(uid={subject_rfc822_name."
++"short_name}))"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+ #: sss-certmap.5.xml:500
+ msgid "{subject_dns_name[.short_name]}"
+-msgstr ""
++msgstr "{subject_dns_name[.short_name]}"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+ #: sss-certmap.5.xml:503
+@@ -9586,17 +10269,22 @@ msgid ""
+ "of the SAN, typically a fully-qualified host name.  The 'short_name' "
+ "component represents the first part of the name before the first '.' sign."
+ msgstr ""
++"Denna mall kommer lägga till strängen som lagras i komponenten dNSName SAN:"
++"en, normalt ett fullständigt kvalificerat värdnamn.  Komponenten "
++"”short_name” representerar första delen av huvudmannen före  det första ”.”-"
++"tecknet."
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+ #: sss-certmap.5.xml:509
+ msgid ""
+ "Example: (|(fqdn={subject_dns_name})(host={subject_dns_name.short_name}))"
+ msgstr ""
++"Exempel: (|(fqdn={subject_dns_name})(host={subject_dns_name.short_name}))"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+ #: sss-certmap.5.xml:514
+ msgid "{subject_uri}"
+-msgstr ""
++msgstr "{subject_uri}"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+ #: sss-certmap.5.xml:517
+@@ -9604,16 +10292,18 @@ msgid ""
+ "This template will add the string which is stored in the "
+ "uniformResourceIdentifier component of the SAN."
+ msgstr ""
++"Denna mall kommer lägga till strängen som lagras i komponenten "
++"uniformResourceIdentifier i SAN:en."
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+ #: sss-certmap.5.xml:521
+ msgid "Example: (uri={subject_uri})"
+-msgstr ""
++msgstr "Exempel: (uri={subject_uri})"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+ #: sss-certmap.5.xml:526
+ msgid "{subject_ip_address}"
+-msgstr ""
++msgstr "{subject_ip_address}"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+ #: sss-certmap.5.xml:529
+@@ -9621,16 +10311,18 @@ msgid ""
+ "This template will add the string which is stored in the iPAddress component "
+ "of the SAN."
+ msgstr ""
++"Denna mall kommer lägga till strängen som lagras i komponenten iPAddress i "
++"SAN:en."
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+ #: sss-certmap.5.xml:533
+ msgid "Example: (ip={subject_ip_address})"
+-msgstr ""
++msgstr "Exempel: (ip={subject_ip_address})"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+ #: sss-certmap.5.xml:538
+ msgid "{subject_x400_address}"
+-msgstr ""
++msgstr "{subject_x400_address}"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+ #: sss-certmap.5.xml:541
+@@ -9638,17 +10330,20 @@ msgid ""
+ "This template will add the value which is stored in the x400Address "
+ "component of the SAN as escaped hex sequence."
+ msgstr ""
++"Denna mall kommer lägga till värdet som lagras i komponenten x400Address i "
++"SAN:en som en hex-sekvens med styrtecken."
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+ #: sss-certmap.5.xml:546
+ msgid "Example: (attr:binary={subject_x400_address})"
+-msgstr ""
++msgstr "Exempel: (attr:binary={subject_x400_address})"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+ #: sss-certmap.5.xml:551
+ msgid ""
+ "{subject_directory_name[!((ad|ad_x500)|ad_ldap|nss_x500|(nss|nss_ldap))]}"
+ msgstr ""
++"{subject_directory_name[!((ad|ad_x500)|ad_ldap|nss_x500|(nss|nss_ldap))]}"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+ #: sss-certmap.5.xml:554
+@@ -9656,16 +10351,18 @@ msgid ""
+ "This template will add the DN string of the value which is stored in the "
+ "directoryName component of the SAN."
+ msgstr ""
++"Denna mall kommer lägga till DN-strängen för värdet som lagras i komponenten "
++"directoryName i SAN:en."
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+ #: sss-certmap.5.xml:558
+ msgid "Example: (orig_dn={subject_directory_name})"
+-msgstr ""
++msgstr "Exempel: (orig_dn={subject_directory_name})"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+ #: sss-certmap.5.xml:563
+ msgid "{subject_ediparty_name}"
+-msgstr ""
++msgstr "{subject_ediparty_name}"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+ #: sss-certmap.5.xml:566
+@@ -9673,16 +10370,18 @@ msgid ""
+ "This template will add the value which is stored in the ediPartyName "
+ "component of the SAN as escaped hex sequence."
+ msgstr ""
++"Denna mall kommer lägga till värdet som lagras i komponenten ediPartyName i "
++"SAN:en som en hex-sekvens med styrtecken."
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+ #: sss-certmap.5.xml:571
+ msgid "Example: (attr:binary={subject_ediparty_name})"
+-msgstr ""
++msgstr "Exempel: (attr:binary={subject_ediparty_name})"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+ #: sss-certmap.5.xml:576
+ msgid "{subject_registered_id}"
+-msgstr ""
++msgstr "{subject_registered_id}"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+ #: sss-certmap.5.xml:579
+@@ -9690,11 +10389,13 @@ msgid ""
+ "This template will add the OID which is stored in the registeredID component "
+ "of the SAN as a dotted-decimal string."
+ msgstr ""
++"Denna mall kommer lägga till OID:n som lagras i komponenten registeredID i "
++"SAN:en som en punktad decimal sträng."
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+ #: sss-certmap.5.xml:584
+ msgid "Example: (oid={subject_registered_id})"
+-msgstr ""
++msgstr "Exempel: (oid={subject_registered_id})"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para>
+ #: sss-certmap.5.xml:369
+@@ -9705,11 +10406,16 @@ msgid ""
+ "conversion/formatting option separated by a '!'.  Allowed values are: "
+ "<placeholder type=\"variablelist\" id=\"0\"/>"
+ msgstr ""
++"Mallarna för att lägga till certifikatdata till sökfiltret baseras på "
++"formateringssträngar i Python-stil.  De består av ett nyckelord i "
++"krullparenteser med en valfri underkomponentspecificerare separerad av en "
++"”.” eller ett valfri konverterings-/formateringsalternativ separerat av ett "
++"”!”.  Tillåtna värden är: <placeholder type=\"variablelist\" id=\"0\"/>"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><title>
+ #: sss-certmap.5.xml:592
+ msgid "DOMAIN LIST"
+-msgstr ""
++msgstr "DOMÄNLISTA"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para>
+ #: sss-certmap.5.xml:594
+@@ -9718,16 +10424,20 @@ msgid ""
+ "only searched in the local domain but in the listed domains as well as long "
+ "as they are know by SSSD. Domains not know to SSSD will be ignored."
+ msgstr ""
++"Om domänlistan inte är tom söks inte användare mappade till ett givet "
++"certifikat bara i den lokala domänen utan i de listade domänerna också "
++"förutsatt att de är kända av SSSD.  Domäner som SSSD inte känner till kommer "
++"ignoreras."
+ 
+ #. type: Content of: <reference><refentry><refnamediv><refname>
+ #: sssd-ipa.5.xml:10 sssd-ipa.5.xml:16
+ msgid "sssd-ipa"
+-msgstr ""
++msgstr "sssd-ipa"
+ 
+ #. type: Content of: <reference><refentry><refnamediv><refpurpose>
+ #: sssd-ipa.5.xml:17
+ msgid "SSSD IPA provider"
+-msgstr ""
++msgstr "SSSD IPA-leverantör"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+ #: sssd-ipa.5.xml:23
+@@ -9738,6 +10448,11 @@ msgid ""
+ "FORMAT</quote> section of the <citerefentry> <refentrytitle>sssd.conf</"
+ "refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page."
+ msgstr ""
++"Denna manualsida besriver konfigurationen av leverantören IPA till "
++"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> "
++"</citerefentry>.  För en detaljerad referens om syntaxen, se avsnittet "
++"<quote>FILFORMAT</quote> i manualsidan <citerefentry> <refentrytitle>sssd."
++"conf</refentrytitle> <manvolnum>5</manvolnum> </citerefentry>."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+ #: sssd-ipa.5.xml:36
+@@ -9747,6 +10462,11 @@ msgid ""
+ "requires that the machine be joined to the IPA domain; configuration is "
+ "almost entirely self-discovered and obtained directly from the server."
+ msgstr ""
++"IPA-leverantören är en bakände som används för att ansluta till en IPA-"
++"server.  (Se webbsidan freeipa.org för information om IPA-servrar.)  "
++"Leverantören förutsätter att maskinen är inlagt i IPA-domänen; "
++"konfigurationen är nästan helt självupptäckande och hämtas direkt från "
++"servern."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+ #: sssd-ipa.5.xml:43
+@@ -9759,6 +10479,14 @@ msgid ""
+ "options used by the sssd-ldap and sssd-krb5 providers with some exceptions. "
+ "However, it is neither necessary nor recommended to set these options."
+ msgstr ""
++"IPA-leverantören gör att SSSD kan använda identitetsleverantören "
++"<citerefentry> <refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</"
++"manvolnum> </citerefentry> och autentiseringsleverantören <citerefentry> "
++"<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </"
++"citerefentry> med optimeringar för IPA-miljöer.  IPA-leverantören tar samma "
++"alternativ som aänvänds av leverantörerna sssd-ldap och sssd-krb5 med några "
++"undantag.  Dock är det varken nödvändigt eller lämpligt att sätta dessa "
++"alternativ."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+ #: sssd-ipa.5.xml:57
+@@ -9767,6 +10495,9 @@ msgid ""
+ "default options with some exceptions, the differences are listed in the "
+ "<quote>MODIFIED DEFAULT OPTIONS</quote> section."
+ msgstr ""
++"IPA-leverantören kopierar i huvudsak standardalternativen för de "
++"traditionella leverantörerna ldap och krb5 med några undantag.  Skillnaderna "
++"listas i avsnittet <quote>ÄNDRADE STANDARDINSTÄLLNINGAR</quote>."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+ #: sssd-ipa.5.xml:62
+@@ -9775,6 +10506,10 @@ msgid ""
+ "control)  rules. Please refer to freeipa.org for more information about "
+ "HBAC. No configuration of access provider is required on the client side."
+ msgstr ""
++"Som en åtkomstleverantör använder leverantören IPA HBAC-regler (host-based "
++"access control, värdbaserad åtkomstkontroll).  Se freeipa.org för mer "
++"information om HBAC.  Ingen konfiguration av åtkomstleverantören behövs på "
++"klientsidan."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+ #: sssd-ipa.5.xml:67
+@@ -9783,6 +10518,9 @@ msgid ""
+ "configured in sssd.conf then the id_provider must also be set to <quote>ipa</"
+ "quote>."
+ msgstr ""
++"Om <quote>auth_provider=ipa</quote> eller <quote>access_provider=ipa</quote> "
++"konfigureras i sssd.conf måste id-leverantören också sättas till <quote>ipa</"
++"quote>."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+ #: sssd-ipa.5.xml:73
+@@ -9791,11 +10529,15 @@ msgid ""
+ "from trusted realms contain a PAC. To make configuration easier the PAC "
+ "responder is started automatically if the IPA ID provider is configured."
+ msgstr ""
++"IPA-leverantörer kommer använda PAC-respondenten om Kerberos-biljetter för "
++"användare för betrodda riken innehåller en PAC.  För att göra "
++"konfigurationen enklare startas PAC-respondenten automatiskt om ID-"
++"leverantören IPA är konfigurerad."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd-ipa.5.xml:89
+ msgid "ipa_domain (string)"
+-msgstr ""
++msgstr "ipa_domain (sträng)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ipa.5.xml:92
+@@ -9803,11 +10545,13 @@ msgid ""
+ "Specifies the name of the IPA domain.  This is optional. If not provided, "
+ "the configuration domain name is used."
+ msgstr ""
++"Anger namnet på IPA-domänen.  Detta är frivilligt.  Om det inte anges "
++"används namnet på den konfigurerade domänen."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd-ipa.5.xml:100
+ msgid "ipa_server, ipa_backup_server (string)"
+-msgstr ""
++msgstr "ipa_server, ipa_backup_server (sträng)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ipa.5.xml:103
+@@ -9827,7 +10571,7 @@ msgstr ""
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd-ipa.5.xml:116
+ msgid "ipa_hostname (string)"
+-msgstr ""
++msgstr "ipa_hostname (sträng)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ipa.5.xml:119
+@@ -9836,11 +10580,14 @@ msgid ""
+ "fully qualified name used in the IPA domain to identify this host.  The "
+ "hostname must be fully qualified."
+ msgstr ""
++"Valfri.  Kan sättas på maskiner där hostname(5) inte avspeglar det "
++"fullständigt kvalificerade namnet som används i IPA-domänen för att "
++"identifiera denna värd.  Värdnamnet måste vara fullständigt kvalificerat."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd-ipa.5.xml:128 sssd-ad.5.xml:907
+ msgid "dyndns_update (boolean)"
+-msgstr ""
++msgstr "dyndns_update (boolean)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ipa.5.xml:131
+@@ -9851,6 +10598,11 @@ msgid ""
+ "updates, if it is not otherwise specified by using the <quote>dyndns_iface</"
+ "quote> option."
+ msgstr ""
++"Valfritt.  Detta alternativ säger till SSSD att automatiskt uppdatera DNS-"
++"servern som är inbyggd i FreeIPA med IP-adressen för denna klient.  "
++"Uppdateringen säkras med GSS-TSIG.  IP-adressen för IPA-LDAP-förbindelsen "
++"används för uppdateringar, om det inte specificeras på annat sätt med "
++"alternativet <quote>dyndns_iface</quote>."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ipa.5.xml:140 sssd-ad.5.xml:921
+@@ -9858,6 +10610,8 @@ msgid ""
+ "NOTE: On older systems (such as RHEL 5), for this behavior to work reliably, "
+ "the default Kerberos realm must be set properly in /etc/krb5.conf"
+ msgstr ""
++"OBS: på äldre system (såsom RHEL 5) måste standardriket för Kerberos sättas "
++"i /etc/krb5.conf för att detta beteende skall fungera pålitligt."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ipa.5.xml:145
+@@ -9866,11 +10620,14 @@ msgid ""
+ "emphasis> option, users should migrate to using <emphasis>dyndns_update</"
+ "emphasis> in their config file."
+ msgstr ""
++"OBS: även om det fortfarande är möjligt att använda det gamla alternativet "
++"<emphasis>ipa_dyndns_update</emphasis> bör användare migrera till att "
++"använda <emphasis>dyndns_update</emphasis> i sin konfigurationsfil."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd-ipa.5.xml:157 sssd-ad.5.xml:932
+ msgid "dyndns_ttl (integer)"
+-msgstr ""
++msgstr "dyndns_ttl (heltal)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ipa.5.xml:160 sssd-ad.5.xml:935
+@@ -9879,6 +10636,9 @@ msgid ""
+ "dyndns_update is false this has no effect. This will override the TTL "
+ "serverside if set by an administrator."
+ msgstr ""
++"TTL:en att använda för klientens DNS-post vid uppdatering.  Om dyndns_update "
++"är falsk har detta ingen effekt.  Detta kommer åsidosätta TTL på serversidan "
++"om det är satt av en administratör."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ipa.5.xml:165
+@@ -9887,16 +10647,19 @@ msgid ""
+ "emphasis> option, users should migrate to using <emphasis>dyndns_ttl</"
+ "emphasis> in their config file."
+ msgstr ""
++"OBS: även om det fortfarande är möjligt att använda det gamla alternativet "
++"<emphasis>ipa_dyndns_ttl</emphasis> bör användare migrera till att använda "
++"<emphasis>dyndns_ttl</emphasis> i sin konfigurationsfil."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ipa.5.xml:171
+ msgid "Default: 1200 (seconds)"
+-msgstr ""
++msgstr "Default: 1200 (sekunder)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd-ipa.5.xml:177 sssd-ad.5.xml:946
+ msgid "dyndns_iface (string)"
+-msgstr ""
++msgstr "dyndns_iface (sträng)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ipa.5.xml:180 sssd-ad.5.xml:949
+@@ -9906,6 +10669,10 @@ msgid ""
+ "updates. Special value <quote>*</quote> implies that IPs from all interfaces "
+ "should be used."
+ msgstr ""
++"Valfri.  Endast tillämpligt när dyndns_update är sann.  Väl gränssnittet "
++"eller en lista av gränssnitt vars IP-adresser skall användas för dynamiska "
++"DNS-uppdateringar.  Specialvärdet <quote>*</quote> betyder att IP:n från "
++"alla gränssnitt skall användas."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ipa.5.xml:187
+@@ -9914,6 +10681,9 @@ msgid ""
+ "emphasis> option, users should migrate to using <emphasis>dyndns_iface</"
+ "emphasis> in their config file."
+ msgstr ""
++"OBS: även om det fortfarande är möjligt att använda det gamla alternativet "
++"<emphasis>ipa_dyndns_iface</emphasis> bör användare migrera till att använda "
++"<emphasis>dyndns_iface</emphasis> i sin konfigurationsfil."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ipa.5.xml:193
+@@ -9921,16 +10691,18 @@ msgid ""
+ "Default: Use the IP addresses of the interface which is used for IPA LDAP "
+ "connection"
+ msgstr ""
++"Standard: använd IP-adresser för gränssnittet som används för IPA LDAP-"
++"förbindelsen"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ipa.5.xml:197 sssd-ad.5.xml:960
+ msgid "Example: dyndns_iface = em1, vnet1, vnet2"
+-msgstr ""
++msgstr "Exempel: dyndns_iface = em1, vnet1, vnet2"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd-ipa.5.xml:203 sssd-ad.5.xml:1011
+ msgid "dyndns_auth (string)"
+-msgstr ""
++msgstr "dyndns_auth (sträng)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ipa.5.xml:206 sssd-ad.5.xml:1014
+@@ -9939,16 +10711,19 @@ msgid ""
+ "updates with the DNS server, insecure updates can be sent by setting this "
+ "option to 'none'."
+ msgstr ""
++"Huruvida verktyget nsupdate skall använda GSS-TSIG-autentisering för säkra "
++"uppdateringar av DNS-servern, osäkra uppdateringar kan skickas genom att "
++"sätta detta alternativ till ”none”."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ipa.5.xml:212 sssd-ad.5.xml:1020
+ msgid "Default: GSS-TSIG"
+-msgstr ""
++msgstr "Standard: GSS-TSIG"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd-ipa.5.xml:218
+ msgid "ipa_enable_dns_sites (boolean)"
+-msgstr ""
++msgstr "ipa_enable_dns_sites (boolean)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ipa.5.xml:221 sssd-ad.5.xml:213
+@@ -9977,7 +10752,7 @@ msgstr ""
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd-ipa.5.xml:244 sssd-ad.5.xml:966
+ msgid "dyndns_refresh_interval (integer)"
+-msgstr ""
++msgstr "dyndns_refresh_interval (heltal)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ipa.5.xml:247
+@@ -9986,11 +10761,14 @@ msgid ""
+ "automatic update performed when the back end goes online.  This option is "
+ "optional and applicable only when dyndns_update is true."
+ msgstr ""
++"Hur ofta bakänden skall utföra periodiska DNS-uppdateringar utöver den "
++"automatiska uppdateringen som utförs när bakänden kopplar upp.  Detta "
++"alternativ är valfritt och tillämpligt endast när dyndns_update är sann."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd-ipa.5.xml:260 sssd-ad.5.xml:984
+ msgid "dyndns_update_ptr (bool)"
+-msgstr ""
++msgstr "dyndns_update_ptr (bool)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ipa.5.xml:263 sssd-ad.5.xml:987
+@@ -9998,6 +10776,8 @@ msgid ""
+ "Whether the PTR record should also be explicitly updated when updating the "
+ "client's DNS records.  Applicable only when dyndns_update is true."
+ msgstr ""
++"Huruvida PTR-posten också skall uppdateras explicit när klientens DNS-post "
++"uppdateras.  Tillämpligt endast när dyndsn_update är sann."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ipa.5.xml:268
+@@ -10005,16 +10785,18 @@ msgid ""
+ "This option should be False in most IPA deployments as the IPA server "
+ "generates the PTR records automatically when forward records are changed."
+ msgstr ""
++"Detta alternativ är False i de flesta IPA-installationer eftersom IPA-"
++"servern genererar PTR-posterna automatiskt när framåtposterna ändras."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ipa.5.xml:274
+ msgid "Default: False (disabled)"
+-msgstr ""
++msgstr "Standard: False (avaktiverat)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd-ipa.5.xml:280 sssd-ad.5.xml:998
+ msgid "dyndns_force_tcp (bool)"
+-msgstr ""
++msgstr "dyndns_force_tcp (bool)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ipa.5.xml:283 sssd-ad.5.xml:1001
+@@ -10022,16 +10804,18 @@ msgid ""
+ "Whether the nsupdate utility should default to using TCP for communicating "
+ "with the DNS server."
+ msgstr ""
++"Huruvida nsupdate-verktyget som standard skall använda TCP för kommunikation "
++"med DNS-servern."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ipa.5.xml:287 sssd-ad.5.xml:1005
+ msgid "Default: False (let nsupdate choose the protocol)"
+-msgstr ""
++msgstr "Standard: False (låt nsupdate välja protokollet)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd-ipa.5.xml:293 sssd-ad.5.xml:1026
+ msgid "dyndns_server (string)"
+-msgstr ""
++msgstr "dyndns_server (sträng)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ipa.5.xml:296 sssd-ad.5.xml:1029
+@@ -10039,6 +10823,8 @@ msgid ""
+ "The DNS server to use when performing a DNS update. In most setups, it's "
+ "recommended to leave this option unset."
+ msgstr ""
++"DNS-servern som skall användas när en uppdatering av DNS utförs.  I de "
++"flesta uppsättningar rekommenderas det att låta detta alternativ vara osatt."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ipa.5.xml:301 sssd-ad.5.xml:1034
+@@ -10046,6 +10832,8 @@ msgid ""
+ "Setting this option makes sense for environments where the DNS server is "
+ "different from the identity server."
+ msgstr ""
++"Att sätta detta alternativ är meningsfullt i miljöer där DNS-servern är "
++"skild från identitetsservern."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ipa.5.xml:306 sssd-ad.5.xml:1039
+@@ -10053,16 +10841,19 @@ msgid ""
+ "Please note that this option will be only used in fallback attempt when "
+ "previous attempt using autodetected settings failed."
+ msgstr ""
++"Observera att detta alternativ bara kommer användas i försök att falla "
++"tillbaka på när tidigare försök som använder automatiskt upptäckta "
++"inställningar misslyckas."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ipa.5.xml:311 sssd-ad.5.xml:1044
+ msgid "Default: None (let nsupdate choose the server)"
+-msgstr ""
++msgstr "Standard: Ingen (låt nsupdate välja servern)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd-ipa.5.xml:317
+ msgid "ipa_deskprofile_search_base (string)"
+-msgstr ""
++msgstr "ipa_deskprofile_search_base (sträng)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ipa.5.xml:320
+@@ -10070,86 +10861,93 @@ msgid ""
+ "Optional. Use the given string as search base for Desktop Profile related "
+ "objects."
+ msgstr ""
++"Frivillig.  Använd den givna strängen som sökbas för "
++"skrivbordsprofilrelaterade objekt."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ipa.5.xml:324 sssd-ipa.5.xml:337
+ msgid "Default: Use base DN"
+-msgstr ""
++msgstr "Standard: använd bas-DN"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd-ipa.5.xml:330
+ msgid "ipa_hbac_search_base (string)"
+-msgstr ""
++msgstr "ipa_hbac_search_base (sträng)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ipa.5.xml:333
+ msgid "Optional. Use the given string as search base for HBAC related objects."
+ msgstr ""
++"Frivillig.  Använd den givna strängen som sökbas för HBAC-relaterade objekt."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd-ipa.5.xml:343
+ msgid "ipa_host_search_base (string)"
+-msgstr ""
++msgstr "ipa_host_search_base (sträng)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ipa.5.xml:346
+ msgid "Deprecated. Use ldap_host_search_base instead."
+-msgstr ""
++msgstr "Undanbedes.  Använd ldap_host_search_base istället."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd-ipa.5.xml:352
+ msgid "ipa_selinux_search_base (string)"
+-msgstr ""
++msgstr "ipa_selinux_search_base (sträng)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ipa.5.xml:355
+ msgid "Optional. Use the given string as search base for SELinux user maps."
+ msgstr ""
++"Frivillig.  Använd den givna strängen som en sökbas för SELinux-"
++"användaröversättningar."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd-ipa.5.xml:371
+ msgid "ipa_subdomains_search_base (string)"
+-msgstr ""
++msgstr "ipa_subdomains_search_base (sträng)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ipa.5.xml:374
+ msgid "Optional. Use the given string as search base for trusted domains."
+ msgstr ""
++"Frivillig.  Använd den givna strängen som en sökbas för betrodda domäner."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ipa.5.xml:383
+ msgid "Default: the value of <emphasis>cn=trusts,%basedn</emphasis>"
+-msgstr ""
++msgstr "Standard: värdet på <emphasis>cn=trusts,%basedn</emphasis>"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd-ipa.5.xml:390
+ msgid "ipa_master_domain_search_base (string)"
+-msgstr ""
++msgstr "ipa_master_domain_search_base (sträng)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ipa.5.xml:393
+ msgid "Optional. Use the given string as search base for master domain object."
+ msgstr ""
++"Frivillig.  Använd den givna strängen som en sökbas för huvuddomänobjekt."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ipa.5.xml:402
+ msgid "Default: the value of <emphasis>cn=ad,cn=etc,%basedn</emphasis>"
+-msgstr ""
++msgstr "Standard: värdet av <emphasis>cn=ad,cn=etc,%basedn</emphasis>"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd-ipa.5.xml:409
+ msgid "ipa_views_search_base (string)"
+-msgstr ""
++msgstr "ipa_views_search_base (sträng)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ipa.5.xml:412
+ msgid "Optional. Use the given string as search base for views containers."
+-msgstr ""
++msgstr "Frivillig.  Använd den givna strängen som en sökbas för vybehållare."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ipa.5.xml:421
+ msgid "Default: the value of <emphasis>cn=views,cn=accounts,%basedn</emphasis>"
+-msgstr ""
++msgstr "Standard: värdet av <emphasis>cn=views,cn=accounts,%basedn</emphasis>"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ipa.5.xml:431
+@@ -10157,6 +10955,8 @@ msgid ""
+ "The name of the Kerberos realm. This is optional and defaults to the value "
+ "of <quote>ipa_domain</quote>."
+ msgstr ""
++"Namnet på Kerberos-riket.  Detta är frivilligt och som standard blir det "
++"värdet av <quote>ipa_domain</quote>."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ipa.5.xml:435
+@@ -10164,11 +10964,13 @@ msgid ""
+ "The name of the Kerberos realm has a special meaning in IPA - it is "
+ "converted into the base DN to use for performing LDAP operations."
+ msgstr ""
++"Namnet på Kerberos-riket har en speciell betydelse i IPA – det konverteras "
++"till bas-DN:en för att användas när  LDAP-operationer utförs."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd-ipa.5.xml:443 sssd-ad.5.xml:1053
+ msgid "krb5_confd_path (string)"
+-msgstr ""
++msgstr "krb5_confd_path (sträng)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ipa.5.xml:446 sssd-ad.5.xml:1056
+@@ -10176,6 +10978,8 @@ msgid ""
+ "Absolute path of a directory where SSSD should place Kerberos configuration "
+ "snippets."
+ msgstr ""
++"Absolut sökväg till en katalog där SSSD skall placera konfigurtionsstycken "
++"för Kerberos."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ipa.5.xml:450 sssd-ad.5.xml:1060
+@@ -10183,17 +10987,21 @@ msgid ""
+ "To disable the creation of the configuration snippets set the parameter to "
+ "'none'."
+ msgstr ""
++"För att förhindra att konfigurationsstycken skapas, sätt parametern till "
++"”none”."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ipa.5.xml:454 sssd-ad.5.xml:1064
+ msgid ""
+ "Default: not set (krb5.include.d subdirectory of SSSD's pubconf directory)"
+ msgstr ""
++"Standard: inte satt (underkatalogen krb5.include.d till SSSD:s pubconf-"
++"katalog)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd-ipa.5.xml:461
+ msgid "ipa_deskprofile_refresh (integer)"
+-msgstr ""
++msgstr "ipa_deskprofile_refresh (heltal)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ipa.5.xml:464
+@@ -10202,16 +11010,19 @@ msgid ""
+ "IPA server. This will reduce the latency and load on the IPA server if there "
+ "are many desktop profiles requests made in a short period."
+ msgstr ""
++"Tiden mellan uppslagningar av skrivbordsprofilsregler mot IPA-servern.  "
++"Detta kommer reducera tidsfördröjningen och lasten på IPA-servern om det "
++"görs många begäranden om skrivbordsprofiler under en kort tid."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ipa.5.xml:471 sssd-ipa.5.xml:501 sssd-ipa.5.xml:517 sssd-ad.5.xml:471
+ msgid "Default: 5 (seconds)"
+-msgstr ""
++msgstr "Standard: 5 (sekunder)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd-ipa.5.xml:477
+ msgid "ipa_deskprofile_request_interval (integer)"
+-msgstr ""
++msgstr "ipa_deskprofile_request_interval (heltal)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ipa.5.xml:480
+@@ -10219,16 +11030,18 @@ msgid ""
+ "The amount of time between lookups of the Desktop Profile rules against the "
+ "IPA server in case the last request did not return any rule."
+ msgstr ""
++"Tiden mellan uppslagningar av skrivbordsprofilsregler mot IPA-servern ifall "
++"den senaste förfrågan inte returnerade någon regel"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ipa.5.xml:485
+ msgid "Default: 60 (minutes)"
+-msgstr ""
++msgstr "Standard: 60 (minuter)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd-ipa.5.xml:491
+ msgid "ipa_hbac_refresh (integer)"
+-msgstr ""
++msgstr "ipa_hbac_refresh (heltal)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ipa.5.xml:494
+@@ -10237,11 +11050,14 @@ msgid ""
+ "This will reduce the latency and load on the IPA server if there are many "
+ "access-control requests made in a short period."
+ msgstr ""
++"Tiden mellan uppslagningar av HBAC-regler mot IPA-servern.  Detta kommer "
++"reducera tidsfördröjningen och lasten på IPA-servern om det görs många "
++"begäranden om åtkomstkontroll under en kort tid."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd-ipa.5.xml:507
+ msgid "ipa_hbac_selinux (integer)"
+-msgstr ""
++msgstr "ipa_hbac_selinux (heltal)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ipa.5.xml:510
+@@ -10250,11 +11066,14 @@ msgid ""
+ "server. This will reduce the latency and load on the IPA server if there are "
+ "many user login requests made in a short period."
+ msgstr ""
++"Tiden mellan uppslagningar av SELinux-översättningar mot IPA-servern.  Detta "
++"kommer reducera tidsfördröjningen och lasten på IPA-servern om det görs "
++"många begäranden om användarinloggningar under en kort tid."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd-ipa.5.xml:523
+ msgid "ipa_server_mode (boolean)"
+-msgstr ""
++msgstr "ipa_server_mode (boolean)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ipa.5.xml:526
+@@ -10262,6 +11081,8 @@ msgid ""
+ "This option will be set by the IPA installer (ipa-server-install) "
+ "automatically and denotes if SSSD is running on an IPA server or not."
+ msgstr ""
++"Detta alternativ sätts automatiskt av IPA-installeraren (ipa-server-install) "
++"och markerar om SSSD kör på en IPA-server eller inte."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ipa.5.xml:531
+@@ -10269,6 +11090,8 @@ msgid ""
+ "On an IPA server SSSD will lookup users and groups from trusted domains "
+ "directly while on a client it will ask an IPA server."
+ msgstr ""
++"På en IPA-server kommer SSSD slå upp användare och grupper från betrodda "
++"domäner direkt medan på en klient kommer den att fråga en IPA-server."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ipa.5.xml:536
+@@ -10276,6 +11099,8 @@ msgid ""
+ "NOTE: There are currently some assumptions that must be met when SSSD is "
+ "running on an IPA server."
+ msgstr ""
++"OBS: det finns för närvarande några antagenden som måste uppfyllas när SSSD "
++"kör på en IPA-server."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+ #: sssd-ipa.5.xml:541
+@@ -10284,6 +11109,9 @@ msgid ""
+ "server itself. This is already the default set by the IPA installer, so no "
+ "manual change is required."
+ msgstr ""
++"Alternativet <quote>ipa_server</quote> måste konfigureras till att peka på "
++"själva IPA-servern. Detta är redan standardvärdet som sätts av IPA-"
++"installeraren, så det behövs inga manuella ändringar."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+ #: sssd-ipa.5.xml:550
+@@ -10291,71 +11119,73 @@ msgid ""
+ "The <quote>full_name_format</quote> option must not be tweaked to only print "
+ "short names for users from trusted domains."
+ msgstr ""
++"Alternativet <quote>full_name_format</quote> får inte ändras till att bara "
++"skriva korta namn på användare från betrodda domäner."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd-ipa.5.xml:565
+ msgid "ipa_automount_location (string)"
+-msgstr ""
++msgstr "ipa_automount_location (sträng)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ipa.5.xml:568
+ msgid "The automounter location this IPA client will be using"
+-msgstr ""
++msgstr "Automonteringsplatsen denna IPA-klient kommer använda"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ipa.5.xml:571
+ msgid "Default: The location named \"default\""
+-msgstr ""
++msgstr "Standard: platsen som heter ”default”"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><title>
+ #: sssd-ipa.5.xml:579
+ msgid "VIEWS AND OVERRIDES"
+-msgstr ""
++msgstr "VYER OCH ÅSIDOSÄTTANDEN"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+ #: sssd-ipa.5.xml:588
+ msgid "ipa_view_class (string)"
+-msgstr ""
++msgstr "ipa_view_class (sträng)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ipa.5.xml:591
+ msgid "Objectclass of the view container."
+-msgstr ""
++msgstr "Objektklass för vybehållaren."
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ipa.5.xml:594
+ msgid "Default: nsContainer"
+-msgstr ""
++msgstr "Standard: nsContainer"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+ #: sssd-ipa.5.xml:600
+ msgid "ipa_view_name (string)"
+-msgstr ""
++msgstr "ipa_view_name (sträng)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ipa.5.xml:603
+ msgid "Name of the attribute holding the name of the view."
+-msgstr ""
++msgstr "Namn på attributet som har namnet på vyn."
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+ #: sssd-ipa.5.xml:613
+ msgid "ipa_override_object_class (string)"
+-msgstr ""
++msgstr "ipa_override_object_class (sträng)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ipa.5.xml:616
+ msgid "Objectclass of the override objects."
+-msgstr ""
++msgstr "Objektklass för åsidosättande objekt."
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ipa.5.xml:619
+ msgid "Default: ipaOverrideAnchor"
+-msgstr ""
++msgstr "Standard: ipaOverrideAnchor"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+ #: sssd-ipa.5.xml:625
+ msgid "ipa_anchor_uuid (string)"
+-msgstr ""
++msgstr "ipa_anchor_uuid (sträng)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ipa.5.xml:628
+@@ -10363,16 +11193,18 @@ msgid ""
+ "Name of the attribute containing the reference to the original object in a "
+ "remote domain."
+ msgstr ""
++"Namn på attributet som innehåller referensen till originalobjektet i en "
++"fjärrdomän."
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ipa.5.xml:632
+ msgid "Default: ipaAnchorUUID"
+-msgstr ""
++msgstr "Standard: ipaAnchorUUID"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+ #: sssd-ipa.5.xml:638
+ msgid "ipa_user_override_object_class (string)"
+-msgstr ""
++msgstr "ipa_user_override_object_class (sträng)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ipa.5.xml:641
+@@ -10380,56 +11212,59 @@ msgid ""
+ "Name of the objectclass for user overrides. It is used to determine if the "
+ "found override object is related to a user or a group."
+ msgstr ""
++"Namn på objektklassen för användaråsidosättanden.  Det används för att "
++"avgöra om det funna åsidosättande objektet är relaterat till en användare "
++"eller en grupp."
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ipa.5.xml:646
+ msgid "User overrides can contain attributes given by"
+-msgstr ""
++msgstr "Användaråsidosättanden kan innehålla attribut givna av"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+ #: sssd-ipa.5.xml:649
+ msgid "ldap_user_name"
+-msgstr ""
++msgstr "ldap_user_name"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+ #: sssd-ipa.5.xml:652
+ msgid "ldap_user_uid_number"
+-msgstr ""
++msgstr "ldap_user_uid_number"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+ #: sssd-ipa.5.xml:655
+ msgid "ldap_user_gid_number"
+-msgstr ""
++msgstr "ldap_user_gid_number"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+ #: sssd-ipa.5.xml:658
+ msgid "ldap_user_gecos"
+-msgstr ""
++msgstr "ldap_user_gecos"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+ #: sssd-ipa.5.xml:661
+ msgid "ldap_user_home_directory"
+-msgstr ""
++msgstr "ldap_user_home_directory"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+ #: sssd-ipa.5.xml:664
+ msgid "ldap_user_shell"
+-msgstr ""
++msgstr "ldap_user_shell"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+ #: sssd-ipa.5.xml:667
+ msgid "ldap_user_ssh_public_key"
+-msgstr ""
++msgstr "ldap_user_ssh_public_key"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ipa.5.xml:672
+ msgid "Default: ipaUserOverride"
+-msgstr ""
++msgstr "Standard: ipaUserOverride"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+ #: sssd-ipa.5.xml:678
+ msgid "ipa_group_override_object_class (string)"
+-msgstr ""
++msgstr "ipa_group_override_object_class (sträng)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ipa.5.xml:681
+@@ -10437,26 +11272,29 @@ msgid ""
+ "Name of the objectclass for group overrides. It is used to determine if the "
+ "found override object is related to a user or a group."
+ msgstr ""
++"Namn på objektklassen för gruppåsidosättanden.  Det används för att avgöra "
++"om det funna åsidosättandeobjektet är relaterat till en användare eller en "
++"grupp."
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ipa.5.xml:686
+ msgid "Group overrides can contain attributes given by"
+-msgstr ""
++msgstr "Gruppåsidosättanden kan innehålla attribut givna av"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+ #: sssd-ipa.5.xml:689
+ msgid "ldap_group_name"
+-msgstr ""
++msgstr "ldap_group_name"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+ #: sssd-ipa.5.xml:692
+ msgid "ldap_group_gid_number"
+-msgstr ""
++msgstr "ldap_group_gid_number"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ipa.5.xml:697
+ msgid "Default: ipaGroupOverride"
+-msgstr ""
++msgstr "Standard: ipaGroupOverride"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para>
+ #: sssd-ipa.5.xml:581
+@@ -10467,11 +11305,16 @@ msgid ""
+ "related options are listed here with their default values.  <placeholder "
+ "type=\"variablelist\" id=\"0\"/>"
+ msgstr ""
++"SSSD kan hantera vyer och åsidosättanden som erbjuds av FreeIPA 4.1 och "
++"senare versioner.  Eftersom alla sökvägar och objektklasser är fasta på "
++"serversidan finns det egentligen inget behov av att konfigurera något.  För "
++"fullständighets skull är de tillhörande alternativen listade här med sina "
++"standardvärden.  <placeholder type=\"variablelist\" id=\"0\"/>"
+ 
+ #. type: Content of: <reference><refentry><refsect1><title>
+ #: sssd-ipa.5.xml:709
+ msgid "SUBDOMAINS PROVIDER"
+-msgstr ""
++msgstr "UNDERDOMÄNLEVERANTÖR"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+ #: sssd-ipa.5.xml:711
+@@ -10479,6 +11322,8 @@ msgid ""
+ "The IPA subdomains provider behaves slightly differently if it is configured "
+ "explicitly or implicitly."
+ msgstr ""
++"IPA-underomänleverantören beter sig något annorlunda om den konfigureras "
++"explicit eller implicit."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+ #: sssd-ipa.5.xml:715
+@@ -10487,6 +11332,9 @@ msgid ""
+ "sssd.conf, the IPA subdomains provider is configured explicitly, and all "
+ "subdomain requests are sent to the IPA server if necessary."
+ msgstr ""
++"Om alternativet ”subdomains_provider = ipa” finns i domänavsnittet i sssd."
++"conf konfigureras IPA-underdomänsleverantören explicit, och alla begäranden "
++"tav underdomäner skickas till IPA-servern om nödvändigt."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+ #: sssd-ipa.5.xml:721
+@@ -10499,11 +11347,18 @@ msgid ""
+ "hour or after the IPA provider goes online, the subdomains provider is "
+ "enabled again."
+ msgstr ""
++"Om alternativet ”subdomains_provider” inte är satt i domänavsnittet av sssd."
++"conf men alternativet ”id_provider = ipa” finns konfigureras IPA-"
++"underdomänsleverantören implicit.  I det fallet, om en underdomänsbegäran "
++"misslyckas och indikerar att servern inte stödjer underdomäner, d.v.s. den "
++"är inte konfigurerad för förtroenden, avaktiveras IPA-"
++"underdomänsleverantören.  Efter en timma eller efter att IPA-leverantören "
++"blir uppkopplad aktiveras underdomänsleverantören igen."
+ 
+ #. type: Content of: <reference><refentry><refsect1><title>
+ #: sssd-ipa.5.xml:732
+ msgid "TRUSTED DOMAINS CONFIGURATION"
+-msgstr ""
++msgstr "KONFIGURATION AV BETRODDA DOMÄNER"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><programlisting>
+ #: sssd-ipa.5.xml:738
+@@ -10512,6 +11367,8 @@ msgid ""
+ "[domain/ipa.domain.com/ad.domain.com]\n"
+ "ad_server = dc.ad.domain.com\n"
+ msgstr ""
++"[domain/ipa.domain.com/ad.domain.com]\n"
++"ad_server = dc.ad.domain.com\n"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+ #: sssd-ipa.5.xml:734
+@@ -10520,6 +11377,9 @@ msgid ""
+ "domain configuration can either be done using a subsection, for example: "
+ "<placeholder type=\"programlisting\" id=\"0\"/>"
+ msgstr ""
++"Några konfigurationsalternativ kan även sättas för en betrodd domän.  En "
++"konfiguration av en betrodd domän kan antingen göras med ett underavsnitt, "
++"till exempel: <placeholder type=\"programlisting\" id=\"0\"/>"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+ #: sssd-ipa.5.xml:743
+@@ -10529,6 +11389,10 @@ msgid ""
+ "more details, see the <citerefentry> <refentrytitle>sssd.conf</"
+ "refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page."
+ msgstr ""
++"Dessutom kan några alternativ sättas i föräldradomänen och ärvas av den "
++"betrodda domänen med alternativet <quote>subdomain_inherit</quote>.  För "
++"fler detaljer, se manualsidan <citerefentry> <refentrytitle>sssd.conf</"
++"refentrytitle> <manvolnum>5</manvolnum> </citerefentry>."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+ #: sssd-ipa.5.xml:753
+@@ -10536,58 +11400,62 @@ msgid ""
+ "Different configuration options are tunable for a trusted domain depending "
+ "on whether you are configuring SSSD on an IPA server or an IPA client."
+ msgstr ""
++"Olika konfigurationsalternativ kan ställas in för en betrodd domän beroende "
++"på huruvida man konfigurerar SSSD på en IPA-server eller en IPA-klient."
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><title>
+ #: sssd-ipa.5.xml:758
+ msgid "OPTIONS TUNABLE ON IPA MASTERS"
+-msgstr ""
++msgstr "ALTERNATIV ATT STÄLLA IN PÅ IPA-MASTRAR"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para>
+ #: sssd-ipa.5.xml:760
+ msgid ""
+ "The following options can be set in a subdomain section on an IPA master:"
+ msgstr ""
++"Följande alternativ kan sättas i ett underdomänsavsnitt på en IPA-master:"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para>
+ #: sssd-ipa.5.xml:764 sssd-ipa.5.xml:794
+ msgid "ad_server"
+-msgstr ""
++msgstr "ad_server"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para>
+ #: sssd-ipa.5.xml:767
+ msgid "ad_backup_server"
+-msgstr ""
++msgstr "ad_backup_server"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para>
+ #: sssd-ipa.5.xml:770 sssd-ipa.5.xml:797
+ msgid "ad_site"
+-msgstr ""
++msgstr "ad_site"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para>
+ #: sssd-ipa.5.xml:773
+ msgid "ldap_search_base"
+-msgstr ""
++msgstr "ldap_search_base"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para>
+ #: sssd-ipa.5.xml:776
+ msgid "ldap_user_search_base"
+-msgstr ""
++msgstr "ldap_user_search_base"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para>
+ #: sssd-ipa.5.xml:779
+ msgid "ldap_group_search_base"
+-msgstr ""
++msgstr "ldap_group_search_base"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><title>
+ #: sssd-ipa.5.xml:788
+ msgid "OPTIONS TUNABLE ON IPA CLIENTS"
+-msgstr ""
++msgstr "ALTERNATIV ATT STÄLLA IN PÅ IPA-KLIENTER"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para>
+ #: sssd-ipa.5.xml:790
+ msgid ""
+ "The following options can be set in a subdomain section on an IPA client:"
+ msgstr ""
++"Följande alternativ kan sättas i ett underdomänsavsnitt på en IPA-klient:"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para>
+ #: sssd-ipa.5.xml:802
+@@ -10595,6 +11463,8 @@ msgid ""
+ "Note that if both options are set, only <quote>ad_server</quote> is "
+ "evaluated."
+ msgstr ""
++"Observera att om bådda alternativen sätts evalueras endast <quote>ad_server</"
++"quote>."
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para>
+ #: sssd-ipa.5.xml:806
+@@ -10609,6 +11479,15 @@ msgid ""
+ "<manvolnum>8</manvolnum> </citerefentry> manual page for more details on the "
+ "Kerberos locator plugin."
+ msgstr ""
++"Eftersom alla begäranden om en användar- eller en gruppidentitet från en "
++"betrodd domän startad från en IPA-klient löses upp av IPA-servern, påverkar "
++"alternativen <quote>ad_server</quote> och <quote>ad_site</quote> bara vilken "
++"AD DC autentiseringen kommer utföras emot.  I synnerhet kommer adresserna "
++"som löses upp från dessa listor att skrivas till <quote>kdcinfo</quote>-"
++"filer som läses av Kerberos-lokaliseringinsticksmodulen.  För fler detaljer "
++"om Kerberos-lokaliseringsinsticksmodulen hänvisas till manualsidan "
++"<citerefentry> <refentrytitle>sssd_krb5_locator_plugin</refentrytitle> "
++"<manvolnum>8</manvolnum> </citerefentry>."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+ #: sssd-ipa.5.xml:830
+@@ -10617,6 +11496,9 @@ msgid ""
+ "com is one of the domains in the <replaceable>[sssd]</replaceable> section. "
+ "This examples shows only the ipa provider-specific options."
+ msgstr ""
++"Följande exempel antar att SSSD är korrekt konfigurerat och att exempel.se "
++"är en av domänerna i avsnittet <replaceable>[sssd]</replaceable>.  Dessa "
++"exempel visar endast alternativ som är specifika för leverantören ipa."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><programlisting>
+ #: sssd-ipa.5.xml:837
+@@ -10627,16 +11509,20 @@ msgid ""
+ "ipa_server = ipaserver.example.com\n"
+ "ipa_hostname = myhost.example.com\n"
+ msgstr ""
++"[domain/exemple.se]\n"
++"id_provider = ipa\n"
++"ipa_server = ipaserver.exempel.se\n"
++"ipa_hostname = minvärd.exempel.se\n"
+ 
+ #. type: Content of: <reference><refentry><refnamediv><refname>
+ #: sssd-ad.5.xml:10 sssd-ad.5.xml:16
+ msgid "sssd-ad"
+-msgstr ""
++msgstr "sssd-ad"
+ 
+ #. type: Content of: <reference><refentry><refnamediv><refpurpose>
+ #: sssd-ad.5.xml:17
+ msgid "SSSD Active Directory provider"
+-msgstr ""
++msgstr "SSSD Active Directory-leverantör"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+ #: sssd-ad.5.xml:23
+@@ -10647,6 +11533,11 @@ msgid ""
+ "FORMAT</quote> section of the <citerefentry> <refentrytitle>sssd.conf</"
+ "refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page."
+ msgstr ""
++"Denna manualsida besriver konfigurationen av leverantören AD till "
++"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> "
++"</citerefentry>.  För en detaljerad referens om syntaxen, se avsnittet "
++"<quote>FILFORMAT</quote> i manualsidan <citerefentry> <refentrytitle>sssd."
++"conf</refentrytitle> <manvolnum>5</manvolnum> </citerefentry>."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+ #: sssd-ad.5.xml:36
+@@ -10657,6 +11548,11 @@ msgid ""
+ "channel, SSL/TLS options should not be used with the AD provider and will be "
+ "superseded by Kerberos usage."
+ msgstr ""
++"Leverantören AD är en bakände som används för att ansluta till en Active "
++"Directory-server.  Leverantören att maskinen läggs in i AD-domänen och en "
++"keytab är tillgänlig.  Bakändekommunikationen sker över en GSSAPI-krypterad "
++"kanal, SSL/TLS-alternativ skall inte användas tillsammans med AD-"
++"leverantören och kommer ersättas av Kerberos-användning."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+ #: sssd-ad.5.xml:44
+@@ -10664,6 +11560,8 @@ msgid ""
+ "The AD provider supports connecting to Active Directory 2008 R2 or later. "
+ "Earlier versions may work, but are unsupported."
+ msgstr ""
++"AD-leverantören stödjer anslutning till Active Directory 2008 R2 eller "
++"senare.  Tidigare versioner kan fungera, men stödjs inte."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+ #: sssd-ad.5.xml:48
+@@ -10673,6 +11571,10 @@ msgid ""
+ "recognized. In addition servers from trusted domains are always auto-"
+ "discovered."
+ msgstr ""
++"AD-leverantören kan användas för att få användarinformation och autentisera "
++"användare från betrodda domäner.  För närvarande känns endast betrodda "
++"domäner i samma skog igen.  Dessutom automatupptäcks alltid servrar från "
++"betrodda domäner."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+ #: sssd-ad.5.xml:54
+@@ -10686,6 +11588,14 @@ msgid ""
+ "exceptions. However, it is neither necessary nor recommended to set these "
+ "options."
+ msgstr ""
++"AD-leverantören gör att SSSD kan använda identitetsleverantören "
++"<citerefentry> <refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</"
++"manvolnum> </citerefentry> och autentiseringsleverantören <citerefentry> "
++"<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </"
++"citerefentry> med optimeringar för Active Directory-miljöer.  AD-"
++"leverantören tar samma alternativ som aänvänds av leverantörerna sssd-ldap "
++"och sssd-krb5 med några undantag.  Dock är det varken nödvändigt eller "
++"lämpligt att sätta dessa alternativ."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+ #: sssd-ad.5.xml:69
+@@ -10694,6 +11604,9 @@ msgid ""
+ "default options with some exceptions, the differences are listed in the "
+ "<quote>MODIFIED DEFAULT OPTIONS</quote> section."
+ msgstr ""
++"AD-leverantören kopierar i huvudsak standardalternativen för de "
++"traditionella leverantörerna ldap och krb5 med några undantag.  Skillnaderna "
++"listas i avsnittet <quote>ÄNDRADE STANDARDINSTÄLLNINGAR</quote>."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+ #: sssd-ad.5.xml:74
+@@ -10702,6 +11615,9 @@ msgid ""
+ "provider. No configuration of the access provider is required on the client "
+ "side."
+ msgstr ""
++"AD-leverantören kan även användas som en åtkomst-, chpass-, sudo- och autofs-"
++"leverantör.  Ingen konfiguration av åtkomstleverantören behövs på "
++"klientsidan."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+ #: sssd-ad.5.xml:79
+@@ -10710,6 +11626,9 @@ msgid ""
+ "configured in sssd.conf then the id_provider must also be set to <quote>ad</"
+ "quote>."
+ msgstr ""
++"Om <quote>auth_provider=ad</quote> eller <quote>access_provider=ad</quote> "
++"konfigureras i sssd.conf måste id-leverantören också sättas till <quote>ad</"
++"quote>."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><programlisting>
+ #: sssd-ad.5.xml:91
+@@ -10718,6 +11637,8 @@ msgid ""
+ "ldap_id_mapping = False\n"
+ "            "
+ msgstr ""
++"ldap_id_mapping = False\n"
++"            "
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+ #: sssd-ad.5.xml:85
+@@ -10738,6 +11659,21 @@ msgid ""
+ "present in the Global Catalog, the non-replicated attributes are currently "
+ "not read from the LDAP port."
+ msgstr ""
++"Som standard kommer AD-leverantören översätta UID- och GID-värden från "
++"parametern objectSID i Active Directory.  För detaljer om detta se avsnittet "
++"<quote>ID-ÖVERSÄTTNING</quote> nedan.  Om du vill avaktivera ID-översättning "
++"och istället lita på POSIX-attribut definierade i Active Directory skall du "
++"sätta <placeholder type=\"programlisting\" id=\"0\"/>.  Om POSIX-attribut "
++"skall användas rekommenderas det av restandaskäl att attributen även "
++"replikeras till den globala katalogen.  Om POSIX-attribut replikeras kommer "
++"SSSD försöka att hitta domänen för den begärda numeriska ID:n med hjälp av "
++"den globala katalogen och endast söka i den domänen.  Om POSIX-attribut "
++"däremot inte replikeras till den globala katalogen måste SSSD söka i alla "
++"domänerna i skogen sekventiellt.  Observera att alternativet "
++"<quote>cache_first</quote> också kan vara till hjälp för att snabba upp "
++"domänlösa sökningar.  Observera att om endast en delmängd av POSIX-"
++"attributen finns i den globala katalogen läses för närvarande inte de "
++"attribut som inte replikeras från LDAP-porten."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+ #: sssd-ad.5.xml:108
+@@ -10746,11 +11682,14 @@ msgid ""
+ "insensitive in the AD provider for compatibility with Active Directory's "
+ "LDAP implementation."
+ msgstr ""
++"Användare, grupper och andra enheter som servas av SSSD behandlas alltid som "
++"skiftlägesokänsliga i AD-leverantören för kompatibilitet med Active "
++"Directorys LDAP-implementation."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd-ad.5.xml:123
+ msgid "ad_domain (string)"
+-msgstr ""
++msgstr "ad_domain (sträng)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ad.5.xml:126
+@@ -10758,6 +11697,8 @@ msgid ""
+ "Specifies the name of the Active Directory domain.  This is optional. If not "
+ "provided, the configuration domain name is used."
+ msgstr ""
++"Anger namnet på Active Directory-domänen.  Detta är frivilligt.  Om det inte "
++"anges används namnet på den konfigurerade domänen."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ad.5.xml:131
+@@ -10765,6 +11706,8 @@ msgid ""
+ "For proper operation, this option should be specified as the lower-case "
+ "version of the long version of the Active Directory domain."
+ msgstr ""
++"För att fungera ordentligt skall detta alternativ anges som den gemena "
++"versionen av den långa versionen av Active Directorys domän."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ad.5.xml:136
+@@ -10772,11 +11715,13 @@ msgid ""
+ "The short domain name (also known as the NetBIOS or the flat name) is "
+ "autodetected by the SSSD."
+ msgstr ""
++"Det korta domännamnet (även känt som NetBIOS--namet eller det flata namnet) "
++"detekteras automatiskt av SSSD."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd-ad.5.xml:143
+ msgid "ad_enabled_domains (string)"
+-msgstr ""
++msgstr "ad_enabled_domains (sträng)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ad.5.xml:146
+@@ -10785,6 +11730,10 @@ msgid ""
+ "SSSD will ignore any domains not listed in this option. If left unset, all "
+ "domains from the AD forest will be available."
+ msgstr ""
++"En kommaseparerad lista av aktiverade Active Directory-domäner.  Om det "
++"tillhandahålls kommer SSSD ignorera eventuella domäner som inte räknas upp i "
++"detta alternativ.  Om det lämnas osatt kommer alla domäner från AD-skogen "
++"vara tillgängliga."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
+ #: sssd-ad.5.xml:156
+@@ -10793,6 +11742,8 @@ msgid ""
+ "ad_enabled_domains = sales.example.com, eng.example.com\n"
+ "                            "
+ msgstr ""
++"ad_enabled_domains = marknad.exempel.se, tekn.exempel.se\n"
++"                            "
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ad.5.xml:152
+@@ -10801,6 +11752,9 @@ msgid ""
+ "the fully qualified domain name of the Active Directory domain. For example: "
+ "<placeholder type=\"programlisting\" id=\"0\"/>"
+ msgstr ""
++"För att fungera ordentligt bör detta alternativ anges helt i gemener och som "
++"det fullständigt kvalificerade namnet på Active Directorys domänen.  Till "
++"exempel: <placeholder type=\"programlisting\" id=\"0\"/>"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ad.5.xml:160
+@@ -10808,11 +11762,13 @@ msgid ""
+ "The short domain name (also known as the NetBIOS or the flat name) will be "
+ "autodetected by SSSD."
+ msgstr ""
++"Det korta domännamnet (även känt som NetBIOS--namet eller det flata namnet) "
++"kommer detekteras automatiskt av SSSD."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd-ad.5.xml:170
+ msgid "ad_server, ad_backup_server (string)"
+-msgstr ""
++msgstr "ad_server, ad_backup_server (sträng)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ad.5.xml:173
+@@ -10840,11 +11796,13 @@ msgid ""
+ "Note: Trusted domains will always auto-discover servers even if the primary "
+ "server is explicitly defined in the ad_server option."
+ msgstr ""
++"Observera: betrodda domäner kommer alltid automatiskt upptäcka servrar även "
++"om den primära servern definieras uttryckligen i alternativet ad_server."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd-ad.5.xml:193
+ msgid "ad_hostname (string)"
+-msgstr ""
++msgstr "ad_hostname (sträng)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ad.5.xml:196
+@@ -10853,6 +11811,9 @@ msgid ""
+ "fully qualified name used in the Active Directory domain to identify this "
+ "host."
+ msgstr ""
++"Valfri.  Kan sättas på maskiner där hostname(5) inte avspeglar det "
++"fullständigt kvalificerade namnet som används i Active Directory-domänen för "
++"att identifiera denna värd."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ad.5.xml:202
+@@ -10860,11 +11821,13 @@ msgid ""
+ "This field is used to determine the host principal in use in the keytab. It "
+ "must match the hostname for which the keytab was issued."
+ msgstr ""
++"Detta fält används för att avgöra värd-huvudmannen som används i keytab:en.  "
++"Det måste stämma med värdnamnet som keytab:en gavs ut för."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd-ad.5.xml:210
+ msgid "ad_enable_dns_sites (boolean)"
+-msgstr ""
++msgstr "ad_enable_dns_sites (boolean)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ad.5.xml:217
+@@ -10886,7 +11849,7 @@ msgstr ""
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd-ad.5.xml:233
+ msgid "ad_access_filter (string)"
+-msgstr ""
++msgstr "ad_access_filter (sträng)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ad.5.xml:236
+@@ -10896,6 +11859,10 @@ msgid ""
+ "quote> option must be explicitly set to <quote>ad</quote> in order for this "
+ "option to have an effect."
+ msgstr ""
++"Detta alternativ anger LDAP:s åtkomstkontrollfilter som anändaren måste "
++"matcha för att tillåtas åtkomst.  Observera att alternativet "
++"<quote>access_provider</quote> måste vara uttryckligen satt till <quote>ad</"
++"quote> för att detta alternativ skall ha någon effekt."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ad.5.xml:244
+@@ -10905,6 +11872,10 @@ msgid ""
+ "The keyword can be either <quote>DOM</quote>, <quote>FOREST</quote> or "
+ "missing."
+ msgstr ""
++"Alternativet stödjer också att ange olika filter per domän eller skog.  "
++"Detta utökade filter skulle bestå av: <quote>NYCKELORD:NAMN:FILTER</quote>.  "
++"Nyckelordet kan vara antingen <quote>DOM</quote>, <quote>FOREST</quote> "
++"eller utelämnas."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ad.5.xml:252
+@@ -10914,6 +11885,10 @@ msgid ""
+ "keyword equals to <quote>FOREST</quote>, then the filter equals to all "
+ "domains from the forest specified by <quote>NAME</quote>."
+ msgstr ""
++"Om nyckelordet är lika med <quote>DOM</quote> eller saknas anger "
++"<quote>NAMN</quote> domänen eller underdomänen filtret gäller för.  Om "
++"nyckelordet är lika med <quote>FOREST</quote> är filtret lika för alla "
++"domäner från skogen som anges av <quote>NAMN</quote>."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ad.5.xml:260
+@@ -10921,6 +11896,8 @@ msgid ""
+ "Multiple filters can be separated with the <quote>?</quote> character, "
+ "similarly to how search bases work."
+ msgstr ""
++"Flera filter kan avgränsas med tecknet <quote>?</quote>, i likhet med hur "
++"sökbaser fungerar."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ad.5.xml:265
+@@ -10934,6 +11911,14 @@ msgid ""
+ "microsoft.com/en-us/library/cc223367.aspx\"> [MS-ADTS] section LDAP "
+ "extensions</ulink>"
+ msgstr ""
++"Nästade gruppmedlemskap måste sökas efter med en speciell OID "
++"<quote>:1.2.840.113556.1.4.1941:</quote> utöver den fullständiga syntaxen "
++"DOM:domän.exempel.se: för att säkerställa att tolken inte försöker tolka "
++"kolontecknen som hör till OID:n.  Om man inte använder denna OID kommer "
++"nästade gruppmedlemskap inte slås upp.  Se användningsexempel nedan och se "
++"här för ytterligare information om OID:n: <ulink url=\"https://msdn."
++"microsoft.com/en-us/library/cc223367.aspx\"> [MS-ADTS] avsnittet LDAP-"
++"utökningar</ulink>"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ad.5.xml:278
+@@ -10943,6 +11928,10 @@ msgid ""
+ "domain filter would be applied.  If there are more matches with the same "
+ "specification, the first one is used."
+ msgstr ""
++"Den mest specifika matchingen används alltid.  Till exempel, om alternativet "
++"angav filter för en domän användaren är medlem i och ett globalt filter "
++"skulle det domänspecifika filtret tillämpas.  Om det finns fler matchningar "
++"med samma specifikation används den första."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><programlisting>
+ #: sssd-ad.5.xml:289
+@@ -10961,11 +11950,23 @@ msgid ""
+ "DOM:dom1:(memberOf:1.2.840.113556.1.4.1941:=cn=nestedgroup,ou=groups,dc=example,dc=com)\n"
+ "                        "
+ msgstr ""
++"# tillämpla endast filtret på än domän som heter dom1:\n"
++"dom1:(memberOf=cn=admins,ou=groups,dc=dom1,dc=com)\n"
++"\n"
++"# tillämpa endast filtret på en domän som heter dom2:\n"
++"DOM:dom2:(memberOf=cn=admins,ou=groups,dc=dom2,dc=com)\n"
++"\n"
++"# tillämpa endast filtret på en skog som heter EXEMPEL.SE:\n"
++"FOREST:EXEMPEL.SE:(memberOf=cn=admins,ou=groups,dc=example,dc=com)\n"
++"\n"
++"# tillämpa filtret på en medlem av en nästad grupp i dom1:\n"
++"DOM:dom1:(memberOf:1.2.840.113556.1.4.1941:=cn=nestedgroup,ou=groups,dc=example,dc=com)\n"
++"                        "
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd-ad.5.xml:308
+ msgid "ad_site (string)"
+-msgstr ""
++msgstr "ad_site (sträng)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ad.5.xml:311
+@@ -10973,11 +11974,13 @@ msgid ""
+ "Specify AD site to which client should try to connect.  If this option is "
+ "not provided, the AD site will be auto-discovered."
+ msgstr ""
++"Ange en AD-sajt som klienten skall försöka ansluta till.  Om detta "
++"alternativ inte anges kommer AD-sajten att automatupptäckas."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd-ad.5.xml:322
+ msgid "ad_enable_gc (boolean)"
+-msgstr ""
++msgstr "ad_enable_gc (boolean)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ad.5.xml:325
+@@ -10987,6 +11990,10 @@ msgid ""
+ "as a fallback. Disabling this option makes the SSSD only connect to the LDAP "
+ "port of the current AD server."
+ msgstr ""
++"Som standard ansluter SSSD till den globala katalogen först för att hämta "
++"användare från betrodda domäner och använder LDAP-porten för att hämta "
++"gruppmedlemskap som en reserv.  Att avaktivera detta alternativ gör att SSSD "
++"endast ansluter till lDAP-porten på den aktuella AD-servern."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ad.5.xml:333
+@@ -10996,11 +12003,15 @@ msgid ""
+ "port of trusted domains instead. However, Global Catalog must be used in "
+ "order to resolve cross-domain group memberships."
+ msgstr ""
++"Observera att att avaktivera stöd för den globala katalogen inte avaktiverar "
++"att hämta användare från betrodda domäner.  SSSD skulle ansluta till LDAP-"
++"porten på den betrodda domänen istället.  Dock måste den globala katalogen "
++"användas för att slå upp gruppmedlemskap över domäner."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd-ad.5.xml:347
+ msgid "ad_gpo_access_control (string)"
+-msgstr ""
++msgstr "ad_gpo_access_control (sträng)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ad.5.xml:350
+@@ -11011,6 +12022,11 @@ msgid ""
+ "must be explicitly set to <quote>ad</quote> in order for this option to have "
+ "an effect."
+ msgstr ""
++"Detta alternativ anger arbetsläget för GPO-baserad "
++"åtkomstkontrollsfunktionalitet: huruvida det arbetar i avaktiverat läge, "
++"tvingande läge eller tillåtande läge.  Observera att alternativet "
++"<quote>access_provider</quote> måste vara uttryckligen satt till <quote>ad</"
++"quote> för att detta alternativ skall ha någon effekt."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ad.5.xml:359
+@@ -11018,6 +12034,8 @@ msgid ""
+ "GPO-based access control functionality uses GPO policy settings to determine "
+ "whether or not a particular user is allowed to logon to a particular host."
+ msgstr ""
++"GPO-baserad åtkomstkontrollsfunktionalitet använder GPO-policyinställningar "
++"för att avgöra huruvida en viss användare tillåts att logga på en viss värd."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ad.5.xml:365
+@@ -11026,6 +12044,9 @@ msgid ""
+ "in the GPO 'Security Filtering' list. Only user and group entries are "
+ "supported. Host entries in the list have no effect."
+ msgstr ""
++"OBS: Den nuvarande versionen av SSSD stödjer inte värd- (dator-)poster i GPO:"
++"s ”säkerhetsfilter”-lista.  Endast användar- och gruppposter stödjs.  "
++"Värdposter i listan har ingen effekt."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ad.5.xml:372
+@@ -11039,22 +12060,32 @@ msgid ""
+ "administrators can then make the necessary changes before setting the mode "
+ "to enforcing."
+ msgstr ""
++"OBS: Om arbetsläget är satt till tvingande är det möjligt att användare som "
++"tidigare tilläts inloggningsåtkomst nu kommer att nekas inloggningsåtkomst "
++"(som det dikteras av GPO-policyinställningarna).  För att möjliggöra en "
++"smidig övergång för administratörer är ett tillåtande läge tillgängligt som "
++"inte kommer tvinga reglerna för åtkomstkontroll, men kommer beräkna dem och "
++"skriva ut ett syslog-meddelande om åtkomst skulle ha nekats.  Genom att "
++"granska loggarna kan administratörer sedan göra de nödvändiga ändringarna "
++"före de ställer in arbetsläget till tvingande."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ad.5.xml:385
+ msgid "There are three supported values for this option:"
+-msgstr ""
++msgstr "Det finns tre stödda värden för detta alternativ:"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+ #: sssd-ad.5.xml:389
+ msgid ""
+ "disabled: GPO-based access control rules are neither evaluated nor enforced."
+ msgstr ""
++"disabled: GPO-baserade åtkomstkontrollsregler varken evalueras eller "
++"påtvingas."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+ #: sssd-ad.5.xml:395
+ msgid "enforcing: GPO-based access control rules are evaluated and enforced."
+-msgstr ""
++msgstr "enforcing: GPO-baserade åtkomstkontrollregler evalueras och påtvingas."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+ #: sssd-ad.5.xml:401
+@@ -11063,21 +12094,24 @@ msgid ""
+ "Instead, a syslog message will be emitted indicating that the user would "
+ "have been denied access if this option's value were set to enforcing."
+ msgstr ""
++"permissive: GPO-baserade åtkomstkontrollregler evalueras men påtvingas "
++"inte.  Istället skickas ett syslog-meddelande ut om indikerar att användaren "
++"skulle ha nekats åtkomst om detta alternativs värde vore satt till enforcing."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ad.5.xml:412
+ msgid "Default: permissive"
+-msgstr ""
++msgstr "Standard: permissive"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ad.5.xml:415
+ msgid "Default: enforcing"
+-msgstr ""
++msgstr "Standard: enforcing"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd-ad.5.xml:421
+ msgid "ad_gpo_implicit_deny (boolean)"
+-msgstr ""
++msgstr "ad_gpo_implicit_deny (boolean)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ad.5.xml:424
+@@ -11089,20 +12123,23 @@ msgid ""
+ "because it can deny access even to users in the built-in Administrators "
+ "group if no GPO rules apply to them."
+ msgstr ""
++"Normalt när inga tillämpliga GPO:er finns tillåts användarna åtkomst.  När "
++"detta alternativ är satt till True kommer användare att tillåtas åtkomst "
++"endast när det uttryckligen tillåts av en GPO-regel.  Annars kommer "
++"användare nekas åtkomst.  Detta kan användas för att stärka säkerheten men "
++"var försiktig när detta alternativ används för det kan neka åtkomst även "
++"till användare i den inbyggda administratörsgruppen om inga GPO-regler är "
++"tillämpliga på dem."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ad.5.xml:435
+-#, fuzzy
+-#| msgid "Default: False"
+ msgid "Default: False (seconds)"
+-msgstr "Default: False"
++msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd-ad.5.xml:441
+-#, fuzzy
+-#| msgid "ldap_force_upper_case_realm (boolean)"
+ msgid "ad_gpo_ignore_unreadable (boolean)"
+-msgstr "ldap_force_upper_case_realm (boolean)"
++msgstr "ad_gpo_ignore_unreadable (boolean)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ad.5.xml:444
+@@ -11113,11 +12150,16 @@ msgid ""
+ "policies if their attributes in group policy containers are not readable for "
+ "SSSD."
+ msgstr ""
++"Normalt när några gruppolicybehållare (AD-objekt) av några tillämpliga "
++"gruppolicyobjekt inte är läsbara av SSSD så nekas användare åtkomst.  Detta "
++"alternativ tillåter att man ignorerar gruppolicybehållare och med dem "
++"tillhörande policyer om deras attribut i gruppolicybehållare inte är läsbara "
++"för SSSD."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd-ad.5.xml:461
+ msgid "ad_gpo_cache_timeout (integer)"
+-msgstr ""
++msgstr "ad_gpo_cache_timeout (heltal)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ad.5.xml:464
+@@ -11126,11 +12168,14 @@ msgid ""
+ "server. This will reduce the latency and load on the AD server if there are "
+ "many access-control requests made in a short period."
+ msgstr ""
++"Tiden mellan uppslagningar av GPO-policyfiler AD-servern.  Detta kommer "
++"reducera tidsfördröjningen och lasten på AD-servern om det görs många "
++"begäranden om åtkomstkontroll under en kort tid."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd-ad.5.xml:477
+ msgid "ad_gpo_map_interactive (string)"
+-msgstr ""
++msgstr "ad_gpo_map_interactive (sträng)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ad.5.xml:480
+@@ -11139,6 +12184,9 @@ msgid ""
+ "control is evaluated based on the InteractiveLogonRight and "
+ "DenyInteractiveLogonRight policy settings."
+ msgstr ""
++"En kommaseparerad lista av PAM-tjänstenamn för vilka GPO-baserad "
++"åtkomstkontroll beräknas baserat på policyinställningarna "
++"InteractiveLogonRight och DenyInteractiveLogonRight."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ad.5.xml:486
+@@ -11146,6 +12194,8 @@ msgid ""
+ "Note: Using the Group Policy Management Editor this value is called \"Allow "
+ "log on locally\" and \"Deny log on locally\"."
+ msgstr ""
++"Obs: när man använder gruppolicyhanteringsredigeraren kallas detta värde "
++"”Tillåt inloggning lokalt” och ”Neka inloggning lokalt”."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
+ #: sssd-ad.5.xml:500
+@@ -11154,6 +12204,8 @@ msgid ""
+ "ad_gpo_map_interactive = +my_pam_service, -login\n"
+ "                            "
+ msgstr ""
++"ad_gpo_map_interactive = +min_pam_tjänst, -login\n"
++"                            "
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ad.5.xml:491
+@@ -11166,41 +12218,49 @@ msgid ""
+ "<quote>my_pam_service</quote>), you would use the following configuration: "
+ "<placeholder type=\"programlisting\" id=\"0\"/>"
+ msgstr ""
++"Det är möjligt att lägga till ett annat PAM-tjänstnamn till "
++"standarduppsättninge genom att använda <quote>+tjänstenamn</quote> eller att "
++"uttryckligen ta bort ett PAM-tjänstenamn från standarduppsättningen genom "
++"att använda <quote>-tjänstenamn</quote>.  Till exempel, för att byta ut ett "
++"standard-PAM-tjänstenamn för denna inloggningsrätt (t.ex. <quote>login</"
++"quote>) mot ett anpassat PAM-tjänstenamn (t.ex. <quote>min_pam-tjänst</"
++"quote>) skulle man använda följande konfiguration: <placeholder type="
++"\"programlisting\" id=\"0\"/>"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+ #: sssd-ad.5.xml:523
+ msgid "gdm-fingerprint"
+-msgstr ""
++msgstr "gdm-fingerprint"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+ #: sssd-ad.5.xml:543
+ msgid "lightdm"
+-msgstr ""
++msgstr "lightdm"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+ #: sssd-ad.5.xml:548
+ msgid "lxdm"
+-msgstr ""
++msgstr "lxdm"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+ #: sssd-ad.5.xml:553
+ msgid "sddm"
+-msgstr ""
++msgstr "sddm"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+ #: sssd-ad.5.xml:558
+ msgid "unity"
+-msgstr ""
++msgstr "unity"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+ #: sssd-ad.5.xml:563
+ msgid "xdm"
+-msgstr ""
++msgstr "xdm"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd-ad.5.xml:572
+ msgid "ad_gpo_map_remote_interactive (string)"
+-msgstr ""
++msgstr "ad_gpo_map_remote_interactive (sträng)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ad.5.xml:575
+@@ -11209,6 +12269,9 @@ msgid ""
+ "control is evaluated based on the RemoteInteractiveLogonRight and "
+ "DenyRemoteInteractiveLogonRight policy settings."
+ msgstr ""
++"En kommaseparerad lista av PAM-tjänstenamn för vilka GPO-baserad "
++"åtkomstkontroll beräknas baserat på policyinställningarna "
++"RemoteInteractiveLogonRight och DenyRemoteInteractiveLogonRight."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ad.5.xml:581
+@@ -11217,6 +12280,9 @@ msgid ""
+ "log on through Remote Desktop Services\" and \"Deny log on through Remote "
+ "Desktop Services\"."
+ msgstr ""
++"Obs: när man använder gruppolicyhanteringsredigeraren kallas detta värde "
++"”Tillåt inloggning via fjärrskrivbordstjänster” och ”Neka inloggning via "
++"fjärrinloggningstjänter”."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
+ #: sssd-ad.5.xml:596
+@@ -11225,6 +12291,8 @@ msgid ""
+ "ad_gpo_map_remote_interactive = +my_pam_service, -sshd\n"
+ "                            "
+ msgstr ""
++"ad_gpo_map_remote_interactive = +min_pam_tjänst, -sshd\n"
++"                            "
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ad.5.xml:587
+@@ -11237,21 +12305,29 @@ msgid ""
+ "<quote>my_pam_service</quote>), you would use the following configuration: "
+ "<placeholder type=\"programlisting\" id=\"0\"/>"
+ msgstr ""
++"Det är möjligt att lägga till ett annat PAM-tjänstnamn till "
++"standarduppsättninge genom att använda <quote>+tjänstenamn</quote> eller att "
++"uttryckligen ta bort ett PAM-tjänstenamn från standarduppsättningen genom "
++"att använda <quote>-tjänstenamn</quote>.  Till exempel, för att byta ut ett "
++"standard-PAM-tjänstenamn för denna inloggningsrätt (t.ex. <quote>sshd</"
++"quote>) mot ett anpassat PAM-tjänstenamn (t.ex. <quote>min_pam-tjänst</"
++"quote>) skulle man använda följande konfiguration: <placeholder type="
++"\"programlisting\" id=\"0\"/>"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+ #: sssd-ad.5.xml:604
+ msgid "sshd"
+-msgstr ""
++msgstr "sshd"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+ #: sssd-ad.5.xml:609
+ msgid "cockpit"
+-msgstr ""
++msgstr "cockpit"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd-ad.5.xml:618
+ msgid "ad_gpo_map_network (string)"
+-msgstr ""
++msgstr "ad_gpo_map_network (sträng)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ad.5.xml:621
+@@ -11260,6 +12336,9 @@ msgid ""
+ "control is evaluated based on the NetworkLogonRight and "
+ "DenyNetworkLogonRight policy settings."
+ msgstr ""
++"En kommaseparerad lista av PAM-tjänstenamn för vilka GPO-baserad "
++"åtkomstkontroll beräknas baserat på policyinställningarna NetworkLogonRight "
++"och DenyNetworkLogonRight."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ad.5.xml:627
+@@ -11268,6 +12347,9 @@ msgid ""
+ "this computer from the network\" and \"Deny access to this computer from the "
+ "network\"."
+ msgstr ""
++"Obs: när man använder gruppolicyhanteringsredigeraren kallas detta värde "
++"”Kom åt denna dator från nätverket” och ”Neka åtkomst till denna dator från "
++"nätverket”."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
+ #: sssd-ad.5.xml:642
+@@ -11276,6 +12358,8 @@ msgid ""
+ "ad_gpo_map_network = +my_pam_service, -ftp\n"
+ "                            "
+ msgstr ""
++"ad_gpo_map_network = +min_pam_tjänst, -ftp\n"
++"                            "
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ad.5.xml:633
+@@ -11288,21 +12372,29 @@ msgid ""
+ "<quote>my_pam_service</quote>), you would use the following configuration: "
+ "<placeholder type=\"programlisting\" id=\"0\"/>"
+ msgstr ""
++"Det är möjligt att lägga till ett annat PAM-tjänstnamn till "
++"standarduppsättninge genom att använda <quote>+tjänstenamn</quote> eller att "
++"uttryckligen ta bort ett PAM-tjänstenamn från standarduppsättningen genom "
++"att använda <quote>-tjänstenamn</quote>.  Till exempel, för att byta ut ett "
++"standard-PAM-tjänstenamn för denna inloggningsrätt (t.ex. <quote>ftp</"
++"quote>) mot ett anpassat PAM-tjänstenamn (t.ex. <quote>min_pam-tjänst</"
++"quote>) skulle man använda följande konfiguration: <placeholder type="
++"\"programlisting\" id=\"0\"/>"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+ #: sssd-ad.5.xml:650
+ msgid "ftp"
+-msgstr ""
++msgstr "ftp"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+ #: sssd-ad.5.xml:655
+ msgid "samba"
+-msgstr ""
++msgstr "samba"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd-ad.5.xml:664
+ msgid "ad_gpo_map_batch (string)"
+-msgstr ""
++msgstr "ad_gpo_map_batch (sträng)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ad.5.xml:667
+@@ -11311,6 +12403,9 @@ msgid ""
+ "control is evaluated based on the BatchLogonRight and DenyBatchLogonRight "
+ "policy settings."
+ msgstr ""
++"En kommaseparerad lista av PAM-tjänstenamn för vilka GPO-baserad "
++"åtkomstkontroll beräknas baserat på policyinställningarna BatchLogonRight "
++"och DenyBatchLogonRight."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ad.5.xml:673
+@@ -11318,6 +12413,9 @@ msgid ""
+ "Note: Using the Group Policy Management Editor this value is called \"Allow "
+ "log on as a batch job\" and \"Deny log on as a batch job\"."
+ msgstr ""
++"Obs: när man använder gruppolicyhanteringsredigeraren kallas detta värde "
++"”Tillåt inloggning som ett batch-jobb” och ”Neka inloggning som ett batch-"
++"jobb”."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
+ #: sssd-ad.5.xml:687
+@@ -11326,6 +12424,8 @@ msgid ""
+ "ad_gpo_map_batch = +my_pam_service, -crond\n"
+ "                            "
+ msgstr ""
++"ad_gpo_map_batch = +min_pam_tjänst, -crond\n"
++"                            "
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ad.5.xml:678
+@@ -11338,22 +12438,32 @@ msgid ""
+ "<quote>my_pam_service</quote>), you would use the following configuration: "
+ "<placeholder type=\"programlisting\" id=\"0\"/>"
+ msgstr ""
++"Det är möjligt att lägga till ett annat PAM-tjänstnamn till "
++"standarduppsättninge genom att använda <quote>+tjänstenamn</quote> eller att "
++"uttryckligen ta bort ett PAM-tjänstenamn från standarduppsättningen genom "
++"att använda <quote>-tjänstenamn</quote>.  Till exempel, för att byta ut ett "
++"standard-PAM-tjänstenamn för denna inloggningsrätt (t.ex. <quote>crond</"
++"quote>) mot ett anpassat PAM-tjänstenamn (t.ex. <quote>min_pam-tjänst</"
++"quote>) skulle man använda följande konfiguration: <placeholder type="
++"\"programlisting\" id=\"0\"/>"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ad.5.xml:690
+ msgid ""
+ "Note: Cron service name may differ depending on Linux distribution used."
+ msgstr ""
++"Obs: cron-tjänstenamn kan skilja beroende på vilken Linuxdistribution som "
++"används."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+ #: sssd-ad.5.xml:696
+ msgid "crond"
+-msgstr ""
++msgstr "crond"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd-ad.5.xml:705
+ msgid "ad_gpo_map_service (string)"
+-msgstr ""
++msgstr "ad_gpo_map_service (sträng)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ad.5.xml:708
+@@ -11362,6 +12472,9 @@ msgid ""
+ "control is evaluated based on the ServiceLogonRight and "
+ "DenyServiceLogonRight policy settings."
+ msgstr ""
++"En kommaseparerad lista av PAM-tjänstenamn för vilka GPO-baserad "
++"åtkomstkontroll beräknas baserat på policyinställningarna ServiceLogonRight "
++"och DenyServiceLogonRight."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ad.5.xml:714
+@@ -11369,6 +12482,8 @@ msgid ""
+ "Note: Using the Group Policy Management Editor this value is called \"Allow "
+ "log on as a service\" and \"Deny log on as a service\"."
+ msgstr ""
++"Obs: när man använder gruppolicyhanteringsredigeraren kallas detta värde "
++"”Tillåt inloggning som en tjänst” och ”Neka inloggning som en tjänst”."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
+ #: sssd-ad.5.xml:727
+@@ -11377,6 +12492,8 @@ msgid ""
+ "ad_gpo_map_service = +my_pam_service\n"
+ "                            "
+ msgstr ""
++"ad_gpo_map_service = +min_pam_tjänst\n"
++"                            "
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ad.5.xml:719 sssd-ad.5.xml:794
+@@ -11388,11 +12505,18 @@ msgid ""
+ "would use the following configuration: <placeholder type=\"programlisting\" "
+ "id=\"0\"/>"
+ msgstr ""
++"Det är möjligt att lägga till ett PAM-tjänstnamn till standarduppsättningen "
++"genom att använda <quote>+tjänstenamn</quote>.  Eftersom "
++"standarduppsättningen är tom är det inte möjligt att ta bort ett PAM-"
++"tjänstenamn från standarduppsättningen.  Till exempel, för att lägga till "
++"ett anpassat PAM-tjänstenamn (t.ex. <quote>min_pam-tjänst</quote>) skulle "
++"man använda följande konfiguration: <placeholder type=\"programlisting\" id="
++"\"0\"/>"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd-ad.5.xml:737
+ msgid "ad_gpo_map_permit (string)"
+-msgstr ""
++msgstr "ad_gpo_map_permit (sträng)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ad.5.xml:740
+@@ -11400,6 +12524,8 @@ msgid ""
+ "A comma-separated list of PAM service names for which GPO-based access is "
+ "always granted, regardless of any GPO Logon Rights."
+ msgstr ""
++"En kommaseparerad lista av PAM-tjänstenamn för vilka GPO-baserad åtkomst "
++"alltid tillåts, oavsett några andra GPO-inloggningsrättigheter."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
+ #: sssd-ad.5.xml:754
+@@ -11408,6 +12534,8 @@ msgid ""
+ "ad_gpo_map_permit = +my_pam_service, -sudo\n"
+ "                            "
+ msgstr ""
++"ad_gpo_map_permit = +min_pam_tjänst, -sudo\n"
++"                            "
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ad.5.xml:745
+@@ -11420,21 +12548,29 @@ msgid ""
+ "<quote>my_pam_service</quote>), you would use the following configuration: "
+ "<placeholder type=\"programlisting\" id=\"0\"/>"
+ msgstr ""
++"Det är möjligt att lägga till ett annat PAM-tjänstnamn till "
++"standarduppsättninge genom att använda <quote>+tjänstenamn</quote> eller att "
++"uttryckligen ta bort ett PAM-tjänstenamn från standarduppsättningen genom "
++"att använda <quote>-tjänstenamn</quote>.  Till exempel, för att byta ut ett "
++"standard-PAM-tjänstenamn för ovillkorligt tillåten åtkomst (t.ex. "
++"<quote>sudo</quote>) mot ett anpassat PAM-tjänstenamn (t.ex. <quote>min_pam-"
++"tjänst</quote>) skulle man använda följande konfiguration: <placeholder type="
++"\"programlisting\" id=\"0\"/>"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+ #: sssd-ad.5.xml:762
+ msgid "polkit-1"
+-msgstr ""
++msgstr "polkit-1"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+ #: sssd-ad.5.xml:777
+ msgid "systemd-user"
+-msgstr ""
++msgstr "systemd-user"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd-ad.5.xml:786
+ msgid "ad_gpo_map_deny (string)"
+-msgstr ""
++msgstr "ad_gpo_map_deny (sträng)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ad.5.xml:789
+@@ -11442,6 +12578,8 @@ msgid ""
+ "A comma-separated list of PAM service names for which GPO-based access is "
+ "always denied, regardless of any GPO Logon Rights."
+ msgstr ""
++"En kommaseparerad lista av PAM-tjänstenamn för vilka GPO-baserad åtkomst "
++"alltid nekas, oavsett några andra GPO-inloggningsrättigheter."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
+ #: sssd-ad.5.xml:802
+@@ -11450,11 +12588,13 @@ msgid ""
+ "ad_gpo_map_deny = +my_pam_service\n"
+ "                            "
+ msgstr ""
++"ad_gpo_map_deny = +min_pam_tjänst\n"
++"                            "
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd-ad.5.xml:812
+ msgid "ad_gpo_default_right (string)"
+-msgstr ""
++msgstr "ad_gpo_default_right (sträng)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ad.5.xml:815
+@@ -11468,56 +12608,65 @@ msgid ""
+ "settings. Alternatively, this option can be set to either always permit or "
+ "always deny access for unmapped PAM service names."
+ msgstr ""
++"Detta alternativ definierar hur åtkomstkontroll beräknas för PAM-tjänstenamn "
++"som inte är uttryckligen listade i en av alternativen ad_gpo_map_*.  Detta "
++"alternativ kan anges på två olika sätt.  Antingen kan detta alternativ "
++"sättas till att ange standardinloggningsrättigheter.  Till exempel, om detta "
++"alternativ är satt till ”interactive” betyder det att att omappade PAM-"
++"tjänstenamn kommer bearbetas baserat på policyinställningarna "
++"InteractiveLogonRight och DenyInteractiveLogonRight.  Alternativt kan detta "
++"alternativ sättas till att antingen alltid tillåta eller lltid neka åtkomst "
++"för omappade PAM-tjänstenamn."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ad.5.xml:828
+ msgid "Supported values for this option include:"
+-msgstr ""
++msgstr "Värden som stödjs för detta alternativ inkluderar:"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+ #: sssd-ad.5.xml:832
+ msgid "interactive"
+-msgstr ""
++msgstr "interactive"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+ #: sssd-ad.5.xml:837
+ msgid "remote_interactive"
+-msgstr ""
++msgstr "remote_interactive"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+ #: sssd-ad.5.xml:842
+ msgid "network"
+-msgstr ""
++msgstr "network"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+ #: sssd-ad.5.xml:847
+ msgid "batch"
+-msgstr ""
++msgstr "batch"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+ #: sssd-ad.5.xml:852
+ msgid "service"
+-msgstr ""
++msgstr "service"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+ #: sssd-ad.5.xml:857
+ msgid "permit"
+-msgstr ""
++msgstr "permit"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+ #: sssd-ad.5.xml:862
+ msgid "deny"
+-msgstr ""
++msgstr "deny"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ad.5.xml:868
+ msgid "Default: deny"
+-msgstr ""
++msgstr "Standard: deny"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd-ad.5.xml:874
+ msgid "ad_maximum_machine_account_password_age (integer)"
+-msgstr ""
++msgstr "ad_maximum_machine_account_password_age (heltal)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ad.5.xml:877
+@@ -11526,16 +12675,19 @@ msgid ""
+ "given age in days and try to renew it. A value of 0 will disable the renewal "
+ "attempt."
+ msgstr ""
++"SSSD kommer en gång om dagen kontrollera om maskinkontolösenordet är äldre "
++"än den givna ålder i dagar och försöka förnya det.  Ett värde på 0 kommer "
++"förhindra förnyelseförsöket."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ad.5.xml:883
+ msgid "Default: 30 days"
+-msgstr ""
++msgstr "Standard: 30 dagar"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd-ad.5.xml:889
+ msgid "ad_machine_account_password_renewal_opts (string)"
+-msgstr ""
++msgstr "ad_machine_account_password_renewal_opts (sträng)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ad.5.xml:892
+@@ -11546,11 +12698,16 @@ msgid ""
+ "specifies the initial timeout in seconds before the task is run for the "
+ "first time after startup."
+ msgstr ""
++"Detta alternativ skall endast användas för att testa "
++"maskinkontoförnyelsefunktionen.  Alternativet förväntar sig 2 heltal "
++"separerade av ett kolon (”:”).  Det första heltalet anger intervallet i "
++"sekunder hur ofta funktionen körs.  Det andra anger den initiala tidsgränsen "
++"i sekunder före funktionen körs för första gången efter uppstart."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ad.5.xml:901
+ msgid "Default: 86400:750 (24h and 15m)"
+-msgstr ""
++msgstr "Standard: 86400:750 (24h och 15m)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ad.5.xml:910
+@@ -11562,11 +12719,17 @@ msgid ""
+ "AD LDAP connection is used for the updates, if it is not otherwise specified "
+ "by using the <quote>dyndns_iface</quote> option."
+ msgstr ""
++"Valfritt.  Detta alternativ säger till SSSD att automatiskt uppdatera DNS-"
++"servern i Active Directory med IP-adressen för denna klient.  Uppdateringen "
++"säkras med GSS-TSIG.  Som en konsekvens av det behöver Active Directory-"
++"administratören bara tillåta säkra uppdateringar för DNS-zonen.  IP-adressen "
++"för AD-LDAP-förbindelsen används för uppdateringar, om det inte specificeras "
++"på annat sätt med alternativet <quote>dyndns_iface</quote>."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ad.5.xml:940
+ msgid "Default: 3600 (seconds)"
+-msgstr ""
++msgstr "Standard: 3600 (sekunder)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ad.5.xml:956
+@@ -11574,6 +12737,8 @@ msgid ""
+ "Default: Use the IP addresses of the interface which is used for AD LDAP "
+ "connection"
+ msgstr ""
++"Standard: använd IP-adresser för gränssnittet som används för AD LDAP-"
++"förbindelsen"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ad.5.xml:969
+@@ -11584,11 +12749,16 @@ msgid ""
+ "lowest possible value is 60 seconds in-case if value is provided less than "
+ "60, parameter will assume lowest value only."
+ msgstr ""
++"Hur ofta bakänden skall utföra periodiska DNS-uppdateringar utöver den "
++"automatiska uppdateringen som utförs när bakänden kopplar upp.  Detta "
++"alternativ är valfritt och tillämpligt endast när dyndns_update är sann.  "
++"Observera att det lägsta möjliga värdet är 60 sekunder, ifall ett värde "
++"mindre än 60 ges kommer parametern endast anta det lägsta värdet."
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+ #: sssd-ad.5.xml:992 sss_rpcidmapd.5.xml:76
+ msgid "Default: True"
+-msgstr ""
++msgstr "Standard: True"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+ #: sssd-ad.5.xml:1084
+@@ -11597,6 +12767,9 @@ msgid ""
+ "com is one of the domains in the <replaceable>[sssd]</replaceable> section. "
+ "This example shows only the AD provider-specific options."
+ msgstr ""
++"Följande exempel antar att SSSD är korrekt konfigurerat och att exempel.se "
++"är en av domänerna i avsnittet <replaceable>[sssd]</replaceable>.  Detta "
++"exempel visar endast alternativ som är specifika för leverantören AD."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><programlisting>
+ #: sssd-ad.5.xml:1091
+@@ -11612,6 +12785,15 @@ msgid ""
+ "ad_hostname = client.example.com\n"
+ "ad_domain = example.com\n"
+ msgstr ""
++"[domain/EXEMPEL]\n"
++"id_provider = ad\n"
++"auth_provider = ad\n"
++"access_provider = ad\n"
++"chpass_provider = ad\n"
++"\n"
++"ad_server = dc1.exempel.se\n"
++"ad_hostname = client.exempel.se\n"
++"ad_domain = exempel.se\n"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><programlisting>
+ #: sssd-ad.5.xml:1111
+@@ -11621,6 +12803,9 @@ msgid ""
+ "ldap_access_order = expire\n"
+ "ldap_account_expire_policy = ad\n"
+ msgstr ""
++"access_provider = ldap\n"
++"ldap_access_order = expire\n"
++"ldap_account_expire_policy = ad\n"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+ #: sssd-ad.5.xml:1107
+@@ -11629,6 +12814,9 @@ msgid ""
+ "same effect as the following configuration of the LDAP provider: "
+ "<placeholder type=\"programlisting\" id=\"0\"/>"
+ msgstr ""
++"Leverantören AD av åtkomstkontroll kontrollerar om kontot har gått ut.  Det "
++"har samma effekt som följande konfiguration av LDAP-leverantören: "
++"<placeholder type=\"programlisting\" id=\"0\"/>"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+ #: sssd-ad.5.xml:1117
+@@ -11639,6 +12827,11 @@ msgid ""
+ "you need to set all the connection parameters (such as LDAP URIs and "
+ "encryption details) manually."
+ msgstr ""
++"Dock, om inte åtkomstleverantören <quote>ad</quote> är konfigurerad explicit "
++"är standardåtkomstleverantören <quote>permit</quote>.  Observera att om man "
++"konfigurerar en annan åtkomstleverantör än <quote>ad</quote> behöver man "
++"sätta alla anslutningsparametrarna (såsoms LDAP URI:er och "
++"krypteringsdetaljer) manuellt."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+ #: sssd-ad.5.xml:1125
+@@ -11647,16 +12840,19 @@ msgid ""
+ "attribute mapping (nisMap, nisObject, ...) is used, because these attributes "
+ "are included in the default Active Directory schema."
+ msgstr ""
++"När autofs-leverantören är satt till <quote>ad</quote> används "
++"översättningen av schemaattribut enligt RFC2307 (nisMap, nisObject, …), för "
++"att dessa attribut inkluderas i standardschemat för Active Directory."
+ 
+ #. type: Content of: <reference><refentry><refnamediv><refname>
+ #: sssd-sudo.5.xml:10 sssd-sudo.5.xml:16
+ msgid "sssd-sudo"
+-msgstr ""
++msgstr "sssd-sudo"
+ 
+ #. type: Content of: <reference><refentry><refnamediv><refpurpose>
+ #: sssd-sudo.5.xml:17
+ msgid "Configuring sudo with the SSSD back end"
+-msgstr ""
++msgstr "Konfigurera sudo med SSSD-bakänden"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+ #: sssd-sudo.5.xml:23
+@@ -11666,11 +12862,15 @@ msgid ""
+ "to work with <citerefentry> <refentrytitle>sssd</refentrytitle> "
+ "<manvolnum>8</manvolnum> </citerefentry> and how SSSD caches sudo rules."
+ msgstr ""
++"Denna manualsida beskriver hur man konfigurerar <citerefentry> "
++"<refentrytitle>sudo</refentrytitle> <manvolnum>8</manvolnum> </citerefentry> "
++"till att fungera med <citerefentry> <refentrytitle>sssd</refentrytitle> "
++"<manvolnum>8</manvolnum> </citerefentry> och hur SSSD cachar sudo-regler."
+ 
+ #. type: Content of: <reference><refentry><refsect1><title>
+ #: sssd-sudo.5.xml:36
+ msgid "Configuring sudo to cooperate with SSSD"
+-msgstr ""
++msgstr "Konfigurera sudo att samarbeta med SSSD"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+ #: sssd-sudo.5.xml:38
+@@ -11680,6 +12880,10 @@ msgid ""
+ "<refentrytitle>nsswitch.conf</refentrytitle> <manvolnum>5</manvolnum> </"
+ "citerefentry>."
+ msgstr ""
++"För att aktivera SSSD som en källa för sudo-regler, lägg till <emphasis>sss</"
++"emphasis> till posten <emphasis>sudoers</emphasis> i <citerefentry> "
++"<refentrytitle>nsswitch.conf</refentrytitle> <manvolnum>5</manvolnum> </"
++"citerefentry>."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+ #: sssd-sudo.5.xml:47
+@@ -11690,12 +12894,17 @@ msgid ""
+ "local users) and then in SSSD, the nsswitch.conf file should contain the "
+ "following line:"
+ msgstr ""
++"Till exempel, för att konfigurera sudo till att först slå upp regler i "
++"standardfilen <citerefentry> <refentrytitle>sudoers</refentrytitle> "
++"<manvolnum>5</manvolnum> </citerefentry> (som bör innehålla regler som "
++"gäller för lokala användare) och sedan i SSSD, skall filen nsswitch.conf "
++"innehålla följande rad:"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><programlisting>
+ #: sssd-sudo.5.xml:57
+ #, no-wrap
+ msgid "sudoers: files sss\n"
+-msgstr ""
++msgstr "sudoers: files sss\n"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+ #: sssd-sudo.5.xml:61
+@@ -11706,6 +12915,10 @@ msgid ""
+ "<refentrytitle>sudoers.ldap</refentrytitle> <manvolnum>5</manvolnum> </"
+ "citerefentry>."
+ msgstr ""
++"Mer information om att konfigurera sökordningen för sudoers från filen "
++"nsswitch.conf liksom information om LDAP-schemat som används för att spara "
++"sudo-regler i katalogen finns i <citerefentry> <refentrytitle>sudoers.ldap</"
++"refentrytitle> <manvolnum>5</manvolnum> </citerefentry>."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+ #: sssd-sudo.5.xml:70
+@@ -11716,11 +12929,16 @@ msgid ""
+ "citerefentry> to your NIS domain name (which equals to IPA domain name when "
+ "using hostgroups)."
+ msgstr ""
++"<emphasis>Observera</emphasis>: för att använda nätgrupper eller IPA-"
++"värdgrupper i sudo-regler behöver man även sätta <citerefentry> "
++"<refentrytitle>nisdomainname</refentrytitle> <manvolnum>1</manvolnum> </"
++"citerefentry> korrekt till sitt NIS-domännamn (som är samma som IPA-"
++"domännamnet här värdgrupper används)."
+ 
+ #. type: Content of: <reference><refentry><refsect1><title>
+ #: sssd-sudo.5.xml:82
+ msgid "Configuring SSSD to fetch sudo rules"
+-msgstr ""
++msgstr "Konfigurera SSSD till att hämta sudo-regler"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+ #: sssd-sudo.5.xml:84
+@@ -11732,6 +12950,12 @@ msgid ""
+ "search base for sudo rules using <emphasis>ldap_sudo_search_base</emphasis> "
+ "option."
+ msgstr ""
++"All konfiguration som behövs på SSSD-sidan är att utöka listan över "
++"<emphasis>tjänster</emphasis> med ”sudo” i avsnittet [sssd] i <citerefentry> "
++"<refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</manvolnum> </"
++"citerefentry>.  För att snabba upp LDAP-uppslagningarna kan man även sätta "
++"sökbasen för sudo-regler med alternativet <emphasis>ldap_sudo_search_base</"
++"emphasis>."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+ #: sssd-sudo.5.xml:94
+@@ -11739,6 +12963,8 @@ msgid ""
+ "The following example shows how to configure SSSD to download sudo rules "
+ "from an LDAP server."
+ msgstr ""
++"Följande exempel visar hur man konfigurerar SSSD att hämta sudo-regler från "
++"en LDAP-server."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><programlisting>
+ #: sssd-sudo.5.xml:99
+@@ -11755,6 +12981,16 @@ msgid ""
+ "ldap_uri = ldap://example.com\n"
+ "ldap_sudo_search_base = ou=sudoers,dc=example,dc=com\n"
+ msgstr ""
++"[sssd]\n"
++"config_file_version = 2\n"
++"services = nss, pam, sudo\n"
++"domains = EXEMPEL\n"
++"\n"
++"[domain/EXEMPEL]\n"
++"id_provider = ldap\n"
++"sudo_provider = ldap\n"
++"ldap_uri = ldap://exempel.se\n"
++"ldap_sudo_search_base = ou=sudoers,dc=exempel,dc=se\n"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+ #: sssd-sudo.5.xml:98
+@@ -11765,6 +13001,11 @@ msgid ""
+ "services, as it became optional. However, sssd-sudo.socket must be enabled "
+ "instead.  </phrase>"
+ msgstr ""
++"<placeholder type=\"programlisting\" id=\"0\"/> <phrase condition="
++"\"have_systemd\"> Det är viktigt att observera att på plattformar där "
++"systemd stödjs finns det inget behov av att lägga till ”sudo”-leverantören "
++"till listan av tjänster, eftersom det blev frivilligt.  Dock måste sssd-sudo."
++"socket vara aktiverat istället.  </phrase>"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+ #: sssd-sudo.5.xml:118
+@@ -11775,11 +13016,16 @@ msgid ""
+ "sssd.conf, this value will be used instead. The compat tree (ou=sudoers,"
+ "$SUFFIX) is no longer required for IPA sudo functionality."
+ msgstr ""
++"När SSSD är konfigurerat till att använda IPA som ID-leverantör aktiveras "
++"sudo-leverantören automatiskt.  Sudo-sökbasen konfigureras till att använda "
++"IPA:s egna LDAP-träd (cn=sudo,$SUFFIX).  Om någon annan sökbas är definierad "
++"i sssd.conf kommer detta värde användas istället.  Kompatibilitetsträdet "
++"(ou=sudoers,$SUFFIX) behövs inte längre för IPA-sudo-funktionalitet."
+ 
+ #. type: Content of: <reference><refentry><refsect1><title>
+ #: sssd-sudo.5.xml:128
+ msgid "The SUDO rule caching mechanism"
+-msgstr ""
++msgstr "Cachnings-mekanismen för SUDO-regler"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+ #: sssd-sudo.5.xml:130
+@@ -11791,6 +13037,12 @@ msgid ""
+ "of updates. They are referred to as full refresh, smart refresh and rules "
+ "refresh."
+ msgstr ""
++"Den största utmaningen vid utvecklingen av stöd för sudo i SSSD var att "
++"säkerställa att köra sudo med SSSD som datakälla ger samma "
++"användarupplevelse och är lika snabbt som sudo men tillhandahåller de "
++"senaste reglerna så mycket som möjligt.  För att uppfylla dessa krav "
++"använder SSSD tre sorters uppdateringar.  De refereras till som fullständig "
++"uppdatering, smart uppdatering och regeluppdatering."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+ #: sssd-sudo.5.xml:138
+@@ -11800,6 +13052,10 @@ msgid ""
+ "database growing by fetching only small increments that do not generate "
+ "large amounts of network traffic."
+ msgstr ""
++"Den <emphasis>smarta uppdateringen</emphasis> hämtar periodiskt regler som "
++"är nya eller ändrades efter den senaste uppdateringen.  Dess primära mål är "
++"att se till att databasen växer genom att bara hämta små inkrementella steg "
++"som inte genererar stora mängder med nätverkstrafik."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+ #: sssd-sudo.5.xml:144
+@@ -11811,6 +13067,12 @@ msgid ""
+ "and thus it should be run only occasionally depending on the size and "
+ "stability of the sudo rules."
+ msgstr ""
++"Den <emphasis>fullständiga uppdateringen</emphasis> raderar helt enkelt alla "
++"sudo-regler som är lagrade i cachen och ersätter dem med alla regler som är "
++"sparade på servern.  Detta används för att hålla cachen konsistent genom att "
++"ta bort varje regel som var raderad från servern.  Dock kan en fullständig "
++"uppdatering skapa mycket trafik och den bör alltså bara köras ibland "
++"beroende på storleken och stabiliteten hos sudo-reglerna."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+ #: sssd-sudo.5.xml:152
+@@ -11822,6 +13084,13 @@ msgid ""
+ "these rules are missing on the server, the SSSD will do an out of band full "
+ "refresh because more rules (that apply to other users) may have been deleted."
+ msgstr ""
++"<emphasis>Regeluppdateringen</emphasis> säkerställer att vi inte ger "
++"användaren fler rättigheter än definierat.  Den triggas varje gång "
++"användaren kör sudo.  Regeluppdateringen kommer hitta alla regler som är "
++"tillämpliga på den användaren, kontrollera deras utgångstidpunkt och hämta "
++"om dem om de gått ut.  Ifall att någon av dessa regler saknas på servern "
++"kommer SSSD göra en fullständig uppdatering vid sidan av för att fler regler "
++"(som är tillämpliga på andra användare) kan ha raderats."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+ #: sssd-sudo.5.xml:161
+@@ -11830,36 +13099,39 @@ msgid ""
+ "This means rules that contain one of the following values in "
+ "<emphasis>sudoHost</emphasis> attribute:"
+ msgstr ""
++"Om aktiverat kommer SSSD endast lagra regler som kan tillämpas på denna "
++"maskin.  Detta betyder att regler som innehåller ett av följande värden i "
++"attributet <emphasis>sudoHost</emphasis>:"
+ 
+ #. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para>
+ #: sssd-sudo.5.xml:168
+ msgid "keyword ALL"
+-msgstr ""
++msgstr "nyckelordet ALL"
+ 
+ #. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para>
+ #: sssd-sudo.5.xml:173
+ msgid "wildcard"
+-msgstr ""
++msgstr "jokertecken (wildcard)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para>
+ #: sssd-sudo.5.xml:178
+ msgid "netgroup (in the form \"+netgroup\")"
+-msgstr ""
++msgstr "nätgrupp (i formen ”+nätgrupp”)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para>
+ #: sssd-sudo.5.xml:183
+ msgid "hostname or fully qualified domain name of this machine"
+-msgstr ""
++msgstr "värdnamn eller fullständigt kvalificerat domännamn på denna maskin"
+ 
+ #. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para>
+ #: sssd-sudo.5.xml:188
+ msgid "one of the IP addresses of this machine"
+-msgstr ""
++msgstr "en av IP-adresserna till denna maskin"
+ 
+ #. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para>
+ #: sssd-sudo.5.xml:193
+ msgid "one of the IP addresses of the network (in the form \"address/mask\")"
+-msgstr ""
++msgstr "en av IP-adresserna till nätverket (på formen ”adress/mask”)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+ #: sssd-sudo.5.xml:199
+@@ -11870,16 +13142,21 @@ msgid ""
+ "citerefentry> and \"sudo_*\" in <citerefentry> <refentrytitle>sssd.conf</"
+ "refentrytitle> <manvolnum>5</manvolnum> </citerefentry>."
+ msgstr ""
++"Det finns många konfigurationsalternativ som kan användas för att justera "
++"beteendet.  Se ”ldap_sudo_*” i <citerefentry> <refentrytitle>sssd-ldap</"
++"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> och ”sudo_*” i "
++"<citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</"
++"manvolnum> </citerefentry>."
+ 
+ #. type: Content of: <reference><refentry><refnamediv><refname>
+ #: sssd.8.xml:10 sssd.8.xml:15
+ msgid "sssd"
+-msgstr ""
++msgstr "sssd"
+ 
+ #. type: Content of: <reference><refentry><refnamediv><refpurpose>
+ #: sssd.8.xml:16
+ msgid "System Security Services Daemon"
+-msgstr ""
++msgstr "Demonen för systemsäkerhetstjänster"
+ 
+ #. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis>
+ #: sssd.8.xml:21
+@@ -11887,6 +13164,8 @@ msgid ""
+ "<command>sssd</command> <arg choice='opt'> <replaceable>options</"
+ "replaceable> </arg>"
+ msgstr ""
++"<command>sssd</command> <arg choice='opt'> <replaceable>flaggor</"
++"replaceable> </arg>"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+ #: sssd.8.xml:31
+@@ -11899,6 +13178,14 @@ msgid ""
+ "FreeIPA. It provides a more robust database to store local users as well as "
+ "extended user data."
+ msgstr ""
++"<command>SSSD</command> tillhandahåller en uppsättning demoner för att "
++"hantera åtkomst till fjärrkataloger och autentiseringmekanismer.  Det "
++"tillhandahåller ett NSS- och PAM-gränssnitt mot systemet och ett system med "
++"insticksmoduler till bakänden för att ansluta till flera olika kontokällor, "
++"såväl som ett D-Bus-gränssnit.  Det är också basen för att tillhandahålla "
++"klientgranskning och policytjänster för projekt som FreeIPA.  Det "
++"tillhandahåller en mer robust databas att spara lokala användare såväl som "
++"utökade användardata."
+ 
+ #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+ #: sssd.8.xml:46
+@@ -11906,42 +13193,48 @@ msgid ""
+ "<option>-d</option>,<option>--debug-level</option> <replaceable>LEVEL</"
+ "replaceable>"
+ msgstr ""
++"<option>-d</option>,<option>--debug-level</option> <replaceable>NIVÅ</"
++"replaceable>"
+ 
+ #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+ #: sssd.8.xml:53
+ msgid "<option>--debug-timestamps=</option><replaceable>mode</replaceable>"
+-msgstr ""
++msgstr "<option>--debug-timestamps=</option><replaceable>läge</replaceable>"
+ 
+ #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+ #: sssd.8.xml:57
+ msgid "<emphasis>1</emphasis>: Add a timestamp to the debug messages"
+ msgstr ""
++"<emphasis>1</emphasis>: Lägg till en tidsstämpel till felsökningsmeddelandena"
+ 
+ #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+ #: sssd.8.xml:60
+ msgid "<emphasis>0</emphasis>: Disable timestamp in the debug messages"
+ msgstr ""
++"<emphasis>0</emphasis>: Avaktivera tidsstämpeln i felsökningsmeddelanden"
+ 
+ #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+ #: sssd.8.xml:69
+ msgid "<option>--debug-microseconds=</option><replaceable>mode</replaceable>"
+-msgstr ""
++msgstr "<option>--debug-microseconds=</option><replaceable>läge</replaceable>"
+ 
+ #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+ #: sssd.8.xml:73
+ msgid ""
+ "<emphasis>1</emphasis>: Add microseconds to the timestamp in debug messages"
+ msgstr ""
++"<emphasis>1</emphasis>: Lägg till mikrosekunder till tidsstämpeln i "
++"felsökningsmeddelanden"
+ 
+ #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+ #: sssd.8.xml:76
+ msgid "<emphasis>0</emphasis>: Disable microseconds in timestamp"
+-msgstr ""
++msgstr "<emphasis>0</emphasis>: Avaktivera mikrosekunder i tidsstämpeln"
+ 
+ #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+ #: sssd.8.xml:85
+ msgid "<option>-f</option>,<option>--debug-to-files</option>"
+-msgstr ""
++msgstr "<option>-f</option>,<option>--debug-to-files</option>"
+ 
+ #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+ #: sssd.8.xml:89
+@@ -11950,17 +13243,21 @@ msgid ""
+ "are stored in <filename>/var/log/sssd</filename> and there are separate log "
+ "files for every SSSD service and domain."
+ msgstr ""
++"Skicka felutskrifter till filer istället för standard fel.  Som standard "
++"sparas loggfilerna i <filename>/var/log/sssd</filename> och det finns "
++"separata loggfiler för varje SSSD-tjänst och domän."
+ 
+ #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+ #: sssd.8.xml:94
+ msgid ""
+ "This option is deprecated. It is replaced by <option>--logger=files</option>."
+ msgstr ""
++"Denna flagga undanbedes.  Den är ersatt av <option>--logger=files</option>."
+ 
+ #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+ #: sssd.8.xml:101
+ msgid "<option>--logger=</option><replaceable>value</replaceable>"
+-msgstr ""
++msgstr "<option>--logger=</option><replaceable>värde</replaceable>"
+ 
+ #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+ #: sssd.8.xml:105
+@@ -11969,6 +13266,10 @@ msgid ""
+ "of the deprecated option <option>--debug-to-files</option>. The deprecated "
+ "option will still work if the <option>--logger</option> is not used."
+ msgstr ""
++"Plats dit SSSD skall skicka loggmeddelanden.  Denna flagga åsidosätter "
++"värdet på den undanbedda flaggan <option>--debug-to-files</option>.  Den "
++"undanbedda flaggan kommer fortfarande fungera om <option>--logger</option> "
++"inte används."
+ 
+ #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+ #: sssd.8.xml:112
+@@ -11976,6 +13277,8 @@ msgid ""
+ "<emphasis>stderr</emphasis>: Redirect debug messages to standard error "
+ "output."
+ msgstr ""
++"<emphasis>stderr</emphasis>: Omdirigera felmeddelanden till standard fel-"
++"utmatning."
+ 
+ #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+ #: sssd.8.xml:116
+@@ -11984,37 +13287,42 @@ msgid ""
+ "default, the log files are stored in <filename>/var/log/sssd</filename> and "
+ "there are separate log files for every SSSD service and domain."
+ msgstr ""
++"<emphasis>files</emphasis>: Omdirigera felsökningsmeddelanden till "
++"loggfilerna.  Som standard lagras loggfilerna i <filename>/var/log/sssd</"
++"filename> och det finns separata loggfiler för varje SSSD-tjänstoch domän."
+ 
+ #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+ #: sssd.8.xml:122
+ msgid ""
+ "<emphasis>journald</emphasis>: Redirect debug messages to systemd-journald"
+ msgstr ""
++"<emphasis>journald</emphasis>: Omdirigera felsökningsmeddelanden till "
++"systemd-journald"
+ 
+ #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+ #: sssd.8.xml:132
+ msgid "<option>-D</option>,<option>--daemon</option>"
+-msgstr ""
++msgstr "<option>-D</option>,<option>--daemon</option>"
+ 
+ #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+ #: sssd.8.xml:136
+ msgid "Become a daemon after starting up."
+-msgstr ""
++msgstr "Bli en demon efter att ha startat upp."
+ 
+ #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+ #: sssd.8.xml:142 sss_seed.8.xml:136
+ msgid "<option>-i</option>,<option>--interactive</option>"
+-msgstr ""
++msgstr "<option>-i</option>,<option>--interactive</option>"
+ 
+ #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+ #: sssd.8.xml:146
+ msgid "Run in the foreground, don't become a daemon."
+-msgstr ""
++msgstr "Kör i förgrunden, bli inte en demon."
+ 
+ #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+ #: sssd.8.xml:152
+ msgid "<option>-c</option>,<option>--config</option>"
+-msgstr ""
++msgstr "<option>-c</option>,<option>--config</option>"
+ 
+ #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+ #: sssd.8.xml:156
+@@ -12024,26 +13332,30 @@ msgid ""
+ "consult the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> "
+ "<manvolnum>5</manvolnum> </citerefentry> manual page."
+ msgstr ""
++"Ange en annan konfigurationsfil än standard.  Standard är <filename>/etc/"
++"sssd/sssd.conf</filename>.  För referens till konfigurationfilsyntaxen och -"
++"alternativ, konsultera manualsidan <citerefentry> <refentrytitle>sssd.conf</"
++"refentrytitle> <manvolnum>5</manvolnum> </citerefentry>."
+ 
+ #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+ #: sssd.8.xml:170
+ msgid "<option>--version</option>"
+-msgstr ""
++msgstr "<option>--version</option>"
+ 
+ #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+ #: sssd.8.xml:174
+ msgid "Print version number and exit."
+-msgstr ""
++msgstr "Skriv ut versionsnumret och avsluta."
+ 
+ #. type: Content of: <reference><refentry><refsect1><title>
+ #: sssd.8.xml:182
+ msgid "Signals"
+-msgstr ""
++msgstr "Signaler"
+ 
+ #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+ #: sssd.8.xml:185
+ msgid "SIGTERM/SIGINT"
+-msgstr ""
++msgstr "SIGTERM/SIGINT"
+ 
+ #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+ #: sssd.8.xml:188
+@@ -12051,11 +13363,13 @@ msgid ""
+ "Informs the SSSD to gracefully terminate all of its child processes and then "
+ "shut down the monitor."
+ msgstr ""
++"Säger till SSSD att snyggt avsluta alla dess barnprocesser och sedan stänga "
++"av monitorn."
+ 
+ #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+ #: sssd.8.xml:194
+ msgid "SIGHUP"
+-msgstr ""
++msgstr "SIGHUP"
+ 
+ #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+ #: sssd.8.xml:197
+@@ -12064,11 +13378,14 @@ msgid ""
+ "close and reopen them. This is meant to facilitate log rolling with programs "
+ "like logrotate."
+ msgstr ""
++"Säger till SSSD att sluta skriva till dess aktuella felsökningsfilbeskrivare "
++"och stänga och öppna om dem.  Detta är tänkt att möjliggöra loggrullning med "
++"program som logrotate."
+ 
+ #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+ #: sssd.8.xml:205
+ msgid "SIGUSR1"
+-msgstr ""
++msgstr "SIGUSR1"
+ 
+ #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+ #: sssd.8.xml:208
+@@ -12078,11 +13395,15 @@ msgid ""
+ "signal can be sent to either the sssd process or any sssd_be process "
+ "directly."
+ msgstr ""
++"Säger till SSSD att simulera frånkopplad funktion under tiden hos parametern "
++"<quote>offline_timeout</quote>.  Detta är användbart för att testa.  "
++"Signalen kan skickas antingen till sssd-processen eller direkt till någon "
++"sssd_be-process."
+ 
+ #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+ #: sssd.8.xml:217
+ msgid "SIGUSR2"
+-msgstr ""
++msgstr "SIGUSR2"
+ 
+ #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+ #: sssd.8.xml:220
+@@ -12091,6 +13412,9 @@ msgid ""
+ "signal can be sent to either the sssd process or any sssd_be process "
+ "directly."
+ msgstr ""
++"Säger till SSSD att gå till uppkopplat läge omedelbart.  Detta är användbart "
++"för att testa.  Signalen kan skickas antingen till sssd-processen eller "
++"direkt till någon sssd_be-process."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+ #: sssd.8.xml:232
+@@ -12098,16 +13422,18 @@ msgid ""
+ "If the environment variable SSS_NSS_USE_MEMCACHE is set to \"NO\", client "
+ "applications will not use the fast in memory cache."
+ msgstr ""
++"Om miljövariabeln SSS_NSS_USE_MEMCACHE är satt till ”NO” kommer "
++"klientprogram inte använda den snabba cachen i minnet."
+ 
+ #. type: Content of: <reference><refentry><refnamediv><refname>
+ #: sss_obfuscate.8.xml:10 sss_obfuscate.8.xml:15
+ msgid "sss_obfuscate"
+-msgstr ""
++msgstr "sss_obfuscate"
+ 
+ #. type: Content of: <reference><refentry><refnamediv><refpurpose>
+ #: sss_obfuscate.8.xml:16
+ msgid "obfuscate a clear text password"
+-msgstr ""
++msgstr "fördunkla ett klartextlösenord"
+ 
+ #. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis>
+ #: sss_obfuscate.8.xml:21
+@@ -12116,6 +13442,9 @@ msgid ""
+ "replaceable> </arg> <arg choice='plain'><replaceable>[PASSWORD]</"
+ "replaceable></arg>"
+ msgstr ""
++"<command>sss_obfuscate</command> <arg choice='opt'> <replaceable>flaggor</"
++"replaceable> </arg> <arg choice='plain'><replaceable>[LÖSENORD]</"
++"replaceable></arg>"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+ #: sss_obfuscate.8.xml:32
+@@ -12124,6 +13453,9 @@ msgid ""
+ "unreadable format and places it into appropriate domain section of the SSSD "
+ "config file."
+ msgstr ""
++"<command>sss_obfuscate</command> konverterar ett givet lösenord till ett "
++"format oläsbart för människor och placerar det i det passande domänavsnittet "
++"av SSSD-konfigurationsfilen."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+ #: sss_obfuscate.8.xml:37
+@@ -12136,6 +13468,13 @@ msgid ""
+ "<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
+ "citerefentry> for more details on these parameters."
+ msgstr ""
++"Klartextlösenordet läses från standard in eller skrivs interaktivt.  Det "
++"fördunklade lösenordet läggs in i parametern <quote>ldap_default_authtok</"
++"quote> av en given SSSD-domän och parametern "
++"<quote>ldap_default_authtok_type</quote> sätts till "
++"<quote>obfuscated_password</quote>.  Se <citerefentry> <refentrytitle>sssd-"
++"ldap</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> för fler "
++"detaljer om dessa parametrar."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+ #: sss_obfuscate.8.xml:49
+@@ -12146,16 +13485,21 @@ msgid ""
+ "such as client side certificates or GSSAPI is <emphasis>strongly</emphasis> "
+ "advised."
+ msgstr ""
++"Observera att fördunklandet av lösenord ger <emphasis>ingen riktigt "
++"säkerhetsförbättring</emphasis> eftersom det fortfarande är möjligt för en "
++"anfallare att återskapa lösenrodet. Det rekommenderas <emphasis>starkt</"
++"emphasis> att använda en bättre autentiseringsmekanism såsom "
++"klientsidecertifikat eller GSSAPI."
+ 
+ #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+ #: sss_obfuscate.8.xml:63
+ msgid "<option>-s</option>,<option>--stdin</option>"
+-msgstr ""
++msgstr "<option>-s</option>,<option>--stdin</option>"
+ 
+ #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+ #: sss_obfuscate.8.xml:67
+ msgid "The password to obfuscate will be read from standard input."
+-msgstr ""
++msgstr "Lösenordet att fördunkla kommer läsas från standard in."
+ 
+ #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+ #: sss_obfuscate.8.xml:74 sss_ssh_authorizedkeys.1.xml:127
+@@ -12164,6 +13508,8 @@ msgid ""
+ "<option>-d</option>,<option>--domain</option> <replaceable>DOMAIN</"
+ "replaceable>"
+ msgstr ""
++"<option>-d</option>,<option>--domain</option> <replaceable>DOMÄN</"
++"replaceable>"
+ 
+ #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+ #: sss_obfuscate.8.xml:79
+@@ -12171,32 +13517,35 @@ msgid ""
+ "The SSSD domain to use the password in. The default name is <quote>default</"
+ "quote>."
+ msgstr ""
++"SSSD-domäner att använda lösenordet i.  Standardnamnet är <quote>default</"
++"quote>."
+ 
+ #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+ #: sss_obfuscate.8.xml:86
+ msgid ""
+ "<option>-f</option>,<option>--file</option> <replaceable>FILE</replaceable>"
+ msgstr ""
++"<option>-f</option>,<option>--file</option> <replaceable>FIL</replaceable>"
+ 
+ #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+ #: sss_obfuscate.8.xml:91
+ msgid "Read the config file specified by the positional parameter."
+-msgstr ""
++msgstr "Läs konfigurationsfilen som anges av positionsparametern."
+ 
+ #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+ #: sss_obfuscate.8.xml:95
+ msgid "Default: <filename>/etc/sssd/sssd.conf</filename>"
+-msgstr ""
++msgstr "Standard: <filename>/etc/sssd/sssd.conf</filename>"
+ 
+ #. type: Content of: <reference><refentry><refnamediv><refname>
+ #: sss_override.8.xml:10 sss_override.8.xml:15
+ msgid "sss_override"
+-msgstr ""
++msgstr "sss_override"
+ 
+ #. type: Content of: <reference><refentry><refnamediv><refpurpose>
+ #: sss_override.8.xml:16
+ msgid "create local overrides of user and group attributes"
+-msgstr ""
++msgstr "skapa lokala åsidosättanden av användar- och gruppattribut"
+ 
+ #. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis>
+ #: sss_override.8.xml:21
+@@ -12205,6 +13554,9 @@ msgid ""
+ "replaceable></arg> <arg choice='opt'> <replaceable>options</replaceable> </"
+ "arg>"
+ msgstr ""
++"<command>sss_override</command> <arg choice='plain'><replaceable>KOMMANDO</"
++"replaceable></arg> <arg choice='opt'> <replaceable>flaggor</replaceable> </"
++"arg>"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+ #: sss_override.8.xml:32
+@@ -12213,6 +13565,9 @@ msgid ""
+ "allows to change selected values of specific user and groups. This change "
+ "takes effect only on local machine."
+ msgstr ""
++"<command>sss_override</command> gör det möjligt att skapa en klientsidevy "
++"och tillåter att man ändrar valda värden på specifika användare och "
++"grupper.  Denna ändring gäller endast på den lokala maskinen."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+ #: sss_override.8.xml:37
+@@ -12225,11 +13580,18 @@ msgid ""
+ "take effect.  <emphasis>sss_override</emphasis> prints message when a "
+ "restart is required."
+ msgstr ""
++"Data om åsidosättanden lagras i SSSD-cachen.  Om cachen raderas förloras "
++"alla lokala osådosättanden.  Observera att efter det första åsidosättandet "
++"har skapats med något av följande kommandon <emphasis>user-add</emphasis>, "
++"<emphasis>group-add</emphasis>, <emphasis>user-import</emphasis> eller "
++"<emphasis>group-import</emphasis> behöver SSSD startas om för att det skall "
++"få effekt.  <emphasis>sss_override</emphasis> skriver ett meddelande när en "
++"omstart behövs."
+ 
+ #. type: Content of: <reference><refentry><refsect1><title>
+ #: sss_override.8.xml:50 sssctl.8.xml:41
+ msgid "AVAILABLE COMMANDS"
+-msgstr ""
++msgstr "TILLGÄNGLIGA KOMMANDON"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+ #: sss_override.8.xml:52
+@@ -12238,6 +13600,9 @@ msgid ""
+ "commands. It is not possible to override <emphasis>uid</emphasis> or "
+ "<emphasis>gid</emphasis> to 0."
+ msgstr ""
++"Argumentet <emphasis>NAMN</emphasis> är namnet på originalobjektet i alla "
++"kommandon.  Det är inte möjligt att åsidosätta <emphasis>uid</emphasis> "
++"eller <emphasis>gid</emphasis> till 0."
+ 
+ #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+ #: sss_override.8.xml:59
+@@ -12250,6 +13615,13 @@ msgid ""
+ "optional> <optional><option>-x,--certificate</option> BASE64 ENCODED "
+ "CERTIFICATE</optional>"
+ msgstr ""
++"<option>user-add</option> <emphasis>NAMN</emphasis> <optional><option>-n,--"
++"name</option> NAMN</optional> <optional><option>-u,--uid</option> AID</"
++"optional> <optional><option>-g,--gid</option> GID</optional> "
++"<optional><option>-h,--home</option> HEM</optional> <optional><option>-s,--"
++"shell</option> SKAL</optional> <optional><option>-c,--gecos</option> GECOS</"
++"optional> <optional><option>-x,--certificate</option> BASE64-KODAT "
++"CERTIFIKAT</optional>"
+ 
+ #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+ #: sss_override.8.xml:72
+@@ -12257,11 +13629,14 @@ msgid ""
+ "Override attributes of an user. Please be aware that calling this command "
+ "will replace any previous override for the (NAMEd) user."
+ msgstr ""
++"Åsidosätt attribut på en användare.  Var medveten om att anropa detta "
++"kommando kommer ersätta eventuella tidigare åsidosättanden för (den "
++"NAMNgivna) användaren."
+ 
+ #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+ #: sss_override.8.xml:80
+ msgid "<option>user-del</option> <emphasis>NAME</emphasis>"
+-msgstr ""
++msgstr "<option>user-del</option> <emphasis>NAMN</emphasis>"
+ 
+ #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+ #: sss_override.8.xml:85
+@@ -12270,6 +13645,9 @@ msgid ""
+ "returned from memory cache. Please see SSSD option "
+ "<emphasis>memcache_timeout</emphasis> for more details."
+ msgstr ""
++"Ta bort användaråsidosättanden.  Var dock medveten om att åsidosatta "
++"attribut kan returneras från minnescachen.  Se SSSD-alternativet "
++"<emphasis>memcache_timeout</emphasis> för fler detaljer."
+ 
+ #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+ #: sss_override.8.xml:94
+@@ -12277,6 +13655,8 @@ msgid ""
+ "<option>user-find</option> <optional><option>-d,--domain</option> DOMAIN</"
+ "optional>"
+ msgstr ""
++"<option>user-find</option> <optional><option>-d,--domain</option> DOMÄN</"
++"optional>"
+ 
+ #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+ #: sss_override.8.xml:99
+@@ -12284,21 +13664,23 @@ msgid ""
+ "List all users with set overrides.  If <emphasis>DOMAIN</emphasis> parameter "
+ "is set, only users from the domain are listed."
+ msgstr ""
++"Lista alla användare med satta åsidosättanden.  Om parametern "
++"<emphasis>DOMÄN</emphasis> är satt listas endast användare från den domänen."
+ 
+ #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+ #: sss_override.8.xml:107
+ msgid "<option>user-show</option> <emphasis>NAME</emphasis>"
+-msgstr ""
++msgstr "<option>user-show</option> <emphasis>NAMN</emphasis>"
+ 
+ #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+ #: sss_override.8.xml:112
+ msgid "Show user overrides."
+-msgstr ""
++msgstr "Visa användaråsidosättanden."
+ 
+ #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+ #: sss_override.8.xml:118
+ msgid "<option>user-import</option> <emphasis>FILE</emphasis>"
+-msgstr ""
++msgstr "<option>user-import</option> <emphasis>FIL</emphasis>"
+ 
+ #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+ #: sss_override.8.xml:123
+@@ -12306,11 +13688,13 @@ msgid ""
+ "Import user overrides from <emphasis>FILE</emphasis>.  Data format is "
+ "similar to standard passwd file.  The format is:"
+ msgstr ""
++"Importera användaråsidosättanden från <emphasis>FIL</emphasis>.  "
++"Dataformatet liknar den vanliga passwd-filen.  Formatet är:"
+ 
+ #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+ #: sss_override.8.xml:128
+ msgid "original_name:name:uid:gid:gecos:home:shell:base64_encoded_certificate"
+-msgstr ""
++msgstr "urpsprungligt_namn:namn:uid:gid:gecos:hem:skal:bas64-kodat_certifikat"
+ 
+ #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+ #: sss_override.8.xml:131
+@@ -12319,21 +13703,24 @@ msgid ""
+ "overridden. The rest of fields correspond to new values. You can omit a "
+ "value simply by leaving corresponding field empty."
+ msgstr ""
++"där ursprungligt_namn är användarens originalnamn vars attribut skall "
++"åsidosättas.  Resten av fälten motsvarar nya värden.  Man kan utelämna ett "
++"värde helt enkelt genom att lämna motsvarande fält tomt."
+ 
+ #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+ #: sss_override.8.xml:140
+ msgid "ckent:superman::::::"
+-msgstr ""
++msgstr "kwalker:fantomen::::::"
+ 
+ #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+ #: sss_override.8.xml:143
+ msgid "ckent@krypton.com::501:501:Superman:/home/earth:/bin/bash:"
+-msgstr ""
++msgstr "kwalker@bangalla.com::501:501:Fantomen:/home/bangalla:/bin/bash:"
+ 
+ #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+ #: sss_override.8.xml:149
+ msgid "<option>user-export</option> <emphasis>FILE</emphasis>"
+-msgstr ""
++msgstr "<option>user-export</option> <emphasis>FIL</emphasis>"
+ 
+ #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+ #: sss_override.8.xml:154
+@@ -12341,6 +13728,8 @@ msgid ""
+ "Export all overridden attributes and store them in <emphasis>FILE</"
+ "emphasis>. See <emphasis>user-import</emphasis> for data format."
+ msgstr ""
++"Exportera alla åsidosatta attribut och spara dem i <emphasis>FIL</"
++"emphasis>.  Se <emphasis>user-import</emphasis> för dataformatet."
+ 
+ #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+ #: sss_override.8.xml:162
+@@ -12349,6 +13738,9 @@ msgid ""
+ "name</option> NAME</optional> <optional><option>-g,--gid</option> GID</"
+ "optional>"
+ msgstr ""
++"<option>group-add</option> <emphasis>NAMN</emphasis> <optional><option>-n,--"
++"name</option> NAMN</optional> <optional><option>-g,--gid</option> GID</"
++"optional>"
+ 
+ #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+ #: sss_override.8.xml:169
+@@ -12356,11 +13748,14 @@ msgid ""
+ "Override attributes of a group. Please be aware that calling this command "
+ "will replace any previous override for the (NAMEd) group."
+ msgstr ""
++"Åsidosätt attribut på en grupp.  Var medveten om att anropa detta kommando "
++"kommer ersätta eventuella tidigare åsidosättanden för (den NAMNgivna) "
++"gruppen."
+ 
+ #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+ #: sss_override.8.xml:177
+ msgid "<option>group-del</option> <emphasis>NAME</emphasis>"
+-msgstr ""
++msgstr "<option>group-del</option> <emphasis>NAMN</emphasis>"
+ 
+ #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+ #: sss_override.8.xml:182
+@@ -12369,6 +13764,9 @@ msgid ""
+ "returned from memory cache. Please see SSSD option "
+ "<emphasis>memcache_timeout</emphasis> for more details."
+ msgstr ""
++"Ta bort gruppåsidosättanden.  Var dock medveten om att åsidosatta attribut "
++"kan returneras från minnescachen.  Se SSSD-alternativet "
++"<emphasis>memcache_timeout</emphasis> för fler detaljer."
+ 
+ #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+ #: sss_override.8.xml:191
+@@ -12376,6 +13774,8 @@ msgid ""
+ "<option>group-find</option> <optional><option>-d,--domain</option> DOMAIN</"
+ "optional>"
+ msgstr ""
++"<option>group-find</option> <optional><option>-d,--domain</option> DOMÄN</"
++"optional>"
+ 
+ #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+ #: sss_override.8.xml:196
+@@ -12383,21 +13783,23 @@ msgid ""
+ "List all groups with set overrides.  If <emphasis>DOMAIN</emphasis> "
+ "parameter is set, only groups from the domain are listed."
+ msgstr ""
++"Lista alla grupper med satta åsidosättanden.  Om parametern <emphasis>DOMÄN</"
++"emphasis> är satt listas endast grupper från den domänen."
+ 
+ #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+ #: sss_override.8.xml:204
+ msgid "<option>group-show</option> <emphasis>NAME</emphasis>"
+-msgstr ""
++msgstr "<option>group-show</option> <emphasis>NAMN</emphasis>"
+ 
+ #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+ #: sss_override.8.xml:209
+ msgid "Show group overrides."
+-msgstr ""
++msgstr "Visa gruppåsidosättanden."
+ 
+ #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+ #: sss_override.8.xml:215
+ msgid "<option>group-import</option> <emphasis>FILE</emphasis>"
+-msgstr ""
++msgstr "<option>grupp-import</option> <emphasis>FIL</emphasis>"
+ 
+ #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+ #: sss_override.8.xml:220
+@@ -12405,11 +13807,13 @@ msgid ""
+ "Import group overrides from <emphasis>FILE</emphasis>.  Data format is "
+ "similar to standard group file.  The format is:"
+ msgstr ""
++"Importera gruppåsidosättanden från <emphasis>FIL</emphasis>.  Dataformatet "
++"liknar den vanliga group-filen.  Formatet är:"
+ 
+ #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+ #: sss_override.8.xml:225
+ msgid "original_name:name:gid"
+-msgstr ""
++msgstr "urpsprungligt_namn:namn:gid:"
+ 
+ #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+ #: sss_override.8.xml:228
+@@ -12418,21 +13822,24 @@ msgid ""
+ "overridden. The rest of fields correspond to new values. You can omit a "
+ "value simply by leaving corresponding field empty."
+ msgstr ""
++"där ursprungligt_namn är gruppens originalnamn vars attribut skall "
++"åsidosättas.  Resten av fälten motsvarar nya värden.  Man kan utelämna ett "
++"värde helt enkelt genom att lämna motsvarande fält tomt."
+ 
+ #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+ #: sss_override.8.xml:237
+ msgid "admins:administrators:"
+-msgstr ""
++msgstr "admin:administratorer:"
+ 
+ #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+ #: sss_override.8.xml:240
+ msgid "Domain Users:Users:501"
+-msgstr ""
++msgstr "Domain Users:Users:501"
+ 
+ #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+ #: sss_override.8.xml:246
+ msgid "<option>group-export</option> <emphasis>FILE</emphasis>"
+-msgstr ""
++msgstr "<option>group-export</option> <emphasis>FIL</emphasis>"
+ 
+ #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+ #: sss_override.8.xml:251
+@@ -12440,31 +13847,33 @@ msgid ""
+ "Export all overridden attributes and store them in <emphasis>FILE</"
+ "emphasis>. See <emphasis>group-import</emphasis> for data format."
+ msgstr ""
++"Exportera alla åsidosatta attribut och spara dem i <emphasis>FIL</"
++"emphasis>.  Se <emphasis>group-import</emphasis> för dataformatet."
+ 
+ #. type: Content of: <reference><refentry><refsect1><title>
+ #: sss_override.8.xml:261 sssctl.8.xml:50
+ msgid "COMMON OPTIONS"
+-msgstr ""
++msgstr "GEMENSAMMA FLAGGOR"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+ #: sss_override.8.xml:263 sssctl.8.xml:52
+ msgid "Those options are available with all commands."
+-msgstr ""
++msgstr "Dessa flaggor är tillgängliga med alla kommandon."
+ 
+ #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+ #: sss_override.8.xml:268 sssctl.8.xml:57
+ msgid "<option>--debug</option> <replaceable>LEVEL</replaceable>"
+-msgstr ""
++msgstr "<option>--debug-level</option> <replaceable>NIVÅ</replaceable>"
+ 
+ #. type: Content of: <reference><refentry><refnamediv><refname>
+ #: sss_useradd.8.xml:10 sss_useradd.8.xml:15
+ msgid "sss_useradd"
+-msgstr ""
++msgstr "sss_useradd"
+ 
+ #. type: Content of: <reference><refentry><refnamediv><refpurpose>
+ #: sss_useradd.8.xml:16
+ msgid "create a new user"
+-msgstr ""
++msgstr "skapa en ny användare"
+ 
+ #. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis>
+ #: sss_useradd.8.xml:21
+@@ -12473,6 +13882,9 @@ msgid ""
+ "replaceable> </arg> <arg choice='plain'><replaceable>LOGIN</replaceable></"
+ "arg>"
+ msgstr ""
++"<command>sss_obfuscate</command> <arg choice='opt'> <replaceable>flaggor</"
++"replaceable> </arg> <arg choice='plain'><replaceable>INLOGGNINGSNAMN</"
++"replaceable></arg>"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+ #: sss_useradd.8.xml:32
+@@ -12480,12 +13892,15 @@ msgid ""
+ "<command>sss_useradd</command> creates a new user account using the values "
+ "specified on the command line plus the default values from the system."
+ msgstr ""
++"<command>sss_useradd</command> skapar ett nytt användarkonto med värdena som "
++"agnes på kommandoraden plus standardvärden från systemet"
+ 
+ #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+ #: sss_useradd.8.xml:43 sss_seed.8.xml:76
+ msgid ""
+ "<option>-u</option>,<option>--uid</option> <replaceable>UID</replaceable>"
+ msgstr ""
++"<option>-u</option>,<option>--uid</option> <replaceable>UID</replaceable>"
+ 
+ #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+ #: sss_useradd.8.xml:48
+@@ -12493,6 +13908,8 @@ msgid ""
+ "Set the UID of the user to the value of <replaceable>UID</replaceable>.  If "
+ "not given, it is chosen automatically."
+ msgstr ""
++"Sätt UID:n för användaren till värdet av <replaceable>UID</replaceable>.  Om "
++"det inte anges väljs det automatiskt."
+ 
+ #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+ #: sss_useradd.8.xml:55 sss_usermod.8.xml:43 sss_seed.8.xml:100
+@@ -12500,6 +13917,8 @@ msgid ""
+ "<option>-c</option>,<option>--gecos</option> <replaceable>COMMENT</"
+ "replaceable>"
+ msgstr ""
++"<option>-c</option>,<option>--gecos</option> <replaceable>KOMMENTAR</"
++"replaceable>"
+ 
+ #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+ #: sss_useradd.8.xml:60 sss_usermod.8.xml:48 sss_seed.8.xml:105
+@@ -12507,6 +13926,8 @@ msgid ""
+ "Any text string describing the user. Often used as the field for the user's "
+ "full name."
+ msgstr ""
++"Godtycklig textsträng som beskriver användaren.  Ofta använt som ett fält "
++"för användarens fullständiga namn."
+ 
+ #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+ #: sss_useradd.8.xml:67 sss_usermod.8.xml:55 sss_seed.8.xml:112
+@@ -12514,6 +13935,8 @@ msgid ""
+ "<option>-h</option>,<option>--home</option> <replaceable>HOME_DIR</"
+ "replaceable>"
+ msgstr ""
++"<option>-h</option>,<option>--home</option> <replaceable>HEMKATALOG</"
++"replaceable>"
+ 
+ #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+ #: sss_useradd.8.xml:72
+@@ -12524,12 +13947,18 @@ msgid ""
+ "<replaceable>LOGIN</replaceable> is tunable with <quote>user_defaults/"
+ "baseDirectory</quote> setting in sssd.conf."
+ msgstr ""
++"Hemkatalogen för användarkontot.  Standardvärde är att lägga till namnet "
++"<replaceable>INLOGGNINGSNAMN</replaceable> till <filename>/home</filename> "
++"och använda det som hemkatalog.  Basen som läggs till före "
++"<replaceable>INLOGGNINGSNAMN</replaceable> kan ställas in med inställningen "
++"<quote>user_defaults/baseDirectory</quote> i sssd.conf."
+ 
+ #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+ #: sss_useradd.8.xml:82 sss_usermod.8.xml:66 sss_seed.8.xml:124
+ msgid ""
+ "<option>-s</option>,<option>--shell</option> <replaceable>SHELL</replaceable>"
+ msgstr ""
++"<option>-s</option>,<option>--shell</option> <replaceable>SKAL</replaceable>"
+ 
+ #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+ #: sss_useradd.8.xml:87
+@@ -12538,6 +13967,9 @@ msgid ""
+ "filename>.  The default can be changed with <quote>user_defaults/"
+ "defaultShell</quote> setting in sssd.conf."
+ msgstr ""
++"Användarens inloggningsskal.  Standard är för närvarande <filename>/bin/"
++"bash</filename>.  Standardvärdet kan ändras med inställningen "
++"<quote>user_defaults/defaultShell</quote> i sssd.conf."
+ 
+ #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+ #: sss_useradd.8.xml:96
+@@ -12545,16 +13977,18 @@ msgid ""
+ "<option>-G</option>,<option>--groups</option> <replaceable>GROUPS</"
+ "replaceable>"
+ msgstr ""
++"<option>-G</option>,<option>--groups</option> <replaceable>GRUPPER</"
++"replaceable>"
+ 
+ #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+ #: sss_useradd.8.xml:101
+ msgid "A list of existing groups this user is also a member of."
+-msgstr ""
++msgstr "En lista av befintliga grupper denna användare också är en medlem i."
+ 
+ #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+ #: sss_useradd.8.xml:107
+ msgid "<option>-m</option>,<option>--create-home</option>"
+-msgstr ""
++msgstr "<option>-m</option>,<option>--create-home</option>"
+ 
+ #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+ #: sss_useradd.8.xml:111
+@@ -12563,17 +13997,21 @@ msgid ""
+ "directories contained in the skeleton directory (which can be defined with "
+ "the -k option or in the config file) will be copied to the home directory."
+ msgstr ""
++"Skapa användarens hemkatalog om den inte redan finns.  Filerna och "
++"katalogerna som finns i skelettkatalogen (som kan definieras med flaggan -k "
++"eller i konfigurationsfilen) kommer kopieras till hemkatalogen."
+ 
+ #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+ #: sss_useradd.8.xml:121
+ msgid "<option>-M</option>,<option>--no-create-home</option>"
+-msgstr ""
++msgstr "<option>-M</option>,<option>--no-create-home</option>"
+ 
+ #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+ #: sss_useradd.8.xml:125
+ msgid ""
+ "Do not create the user's home directory. Overrides configuration settings."
+ msgstr ""
++"Skapa inte användarens hemkatalog.  Åsidosätter konfigurationsinställningar."
+ 
+ #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+ #: sss_useradd.8.xml:132
+@@ -12581,6 +14019,8 @@ msgid ""
+ "<option>-k</option>,<option>--skel</option> <replaceable>SKELDIR</"
+ "replaceable>"
+ msgstr ""
++"<option>-k</option>,<option>--skel</option> <replaceable>SKELKAT</"
++"replaceable>"
+ 
+ #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+ #: sss_useradd.8.xml:137
+@@ -12589,6 +14029,9 @@ msgid ""
+ "the user's home directory, when the home directory is created by "
+ "<command>sss_useradd</command>."
+ msgstr ""
++"Skelettkatalogen, som innehåller filer och kataloger som skall kopieras till "
++"användarens hemkatalog, när hemkatalogen skapas av\n"
++"<command>sss_useradd</command>."
+ 
+ #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+ #: sss_useradd.8.xml:143
+@@ -12596,6 +14039,8 @@ msgid ""
+ "Special files (block devices, character devices, named pipes and unix "
+ "sockets) will not be copied."
+ msgstr ""
++"Specialfiler (blockenheter, teckenenheter, namngivna rör och unix-uttag) "
++"kommer inte kopieras."
+ 
+ #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+ #: sss_useradd.8.xml:147
+@@ -12604,6 +14049,9 @@ msgid ""
+ "home</option>) option is specified, or creation of home directories is set "
+ "to TRUE in the configuration."
+ msgstr ""
++"Denna flagga är endast giltig om flaggan <option>-m</option> (eller "
++"<option>--create-home</option>) anges, eller att skapandet av hemkataloger "
++"är satt till TRUE i konfigurationen."
+ 
+ #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+ #: sss_useradd.8.xml:156 sss_usermod.8.xml:124
+@@ -12611,6 +14059,8 @@ msgid ""
+ "<option>-Z</option>,<option>--selinux-user</option> "
+ "<replaceable>SELINUX_USER</replaceable>"
+ msgstr ""
++"<option>-Z</option>,<option>--selinux-user</option> <replaceable>SELINUX-"
++"ANVÄNDARE</replaceable>"
+ 
+ #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+ #: sss_useradd.8.xml:161
+@@ -12618,16 +14068,18 @@ msgid ""
+ "The SELinux user for the user's login. If not specified, the system default "
+ "will be used."
+ msgstr ""
++"SELinux-användaren för användarens inloggning.  Om det inte anges används "
++"systemstandarden."
+ 
+ #. type: Content of: <reference><refentry><refnamediv><refname>
+ #: sssd-krb5.5.xml:10 sssd-krb5.5.xml:16
+ msgid "sssd-krb5"
+-msgstr ""
++msgstr "sssd-krb5"
+ 
+ #. type: Content of: <reference><refentry><refnamediv><refpurpose>
+ #: sssd-krb5.5.xml:17
+ msgid "SSSD Kerberos provider"
+-msgstr ""
++msgstr "SSSD:s Kerberos-leverantör"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+ #: sssd-krb5.5.xml:23
+@@ -12639,6 +14091,12 @@ msgid ""
+ "the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</"
+ "manvolnum> </citerefentry> manual page."
+ msgstr ""
++"Denna manualsida beskriver konfigurationen av bakänden för Kerberos 5-"
++"autentisering för <citerefentry> <refentrytitle>sssd</refentrytitle> "
++"<manvolnum>8</manvolnum> </citerefentry>.  För en detaljerad syntaxreferens, "
++"se avsnittet <quote>FILFORMAT</quote> i manualsidan <citerefentry> "
++"<refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</manvolnum> </"
++"citerefentry>."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+ #: sssd-krb5.5.xml:36
+@@ -12652,6 +14110,14 @@ msgid ""
+ "page for the applicable identity provider for details on how to configure "
+ "this."
+ msgstr ""
++"Kerberos 5-autentiseringsbakänden innehåller auth- och chpass-leverantörer.  "
++"Den måste paras ihop med en identitetsleverantör för att fungera korrekt "
++"(till exempel, id_provider = ldap).  En del information krävs av Kerberos 5-"
++"autentiseringsbakänden måste tillhandahållas av identitetsleverantören, "
++"såsom användarens Kerberos huvudmannanamn (UPN).  Konfigurationen av "
++"identitetsleverantören skall ha en post för att ange UPN:en.  Se manualsidan "
++"för den tillämpliga identitetsleverantören för detaljer om hur man "
++"konfigurerar detta."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+ #: sssd-krb5.5.xml:47
+@@ -12663,6 +14129,12 @@ msgid ""
+ "To activate this feature, use 'access_provider = krb5' in your SSSD "
+ "configuration."
+ msgstr ""
++"Denna bakände tillhandahåller även åtkomstkontroll baserad på filen .k5login "
++"i användarens hemkatalog  Se <citerefentry> <refentrytitle>.k5login</"
++"refentrytitle><manvolnum>5</manvolnum> </citerefentry> för mer detaljer.  "
++"Observera att en tom .k5login-fil kommer neka all åtkomst till denna "
++"användare.  För att aktivera denna funktion, använd ”access_provider = krb5” "
++"i din SSSD-konfiguration."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+ #: sssd-krb5.5.xml:55
+@@ -12671,6 +14143,9 @@ msgid ""
+ "<command>sssd</command> will construct a UPN using the format "
+ "<replaceable>username</replaceable>@<replaceable>krb5_realm</replaceable>."
+ msgstr ""
++"I situationer där UPN:en inte är tillgänglig i identitetsbakänden kommer "
++"<command>sssd</command> konstruera en UPN genom att använda formatet "
++"<replaceable>username</replaceable>@<replaceable>krb5_realm</replaceable>."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-krb5.5.xml:77
+@@ -12696,11 +14171,12 @@ msgid ""
+ "The name of the Kerberos realm. This option is required and must be "
+ "specified."
+ msgstr ""
++"Namnet på Kerberos-riket.  Detta alternativ är nödvändigt och måste anges."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd-krb5.5.xml:113
+ msgid "krb5_kpasswd, krb5_backup_kpasswd (string)"
+-msgstr ""
++msgstr "krb5_kpasswd, krb5_backup_kpasswd (sträng)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-krb5.5.xml:116
+@@ -12709,6 +14185,9 @@ msgid ""
+ "servers can be defined here. An optional port number (preceded by a colon) "
+ "may be appended to the addresses or hostnames."
+ msgstr ""
++"Om tjänsten för att ändra lösenord inte kör på KDC:n kan alternativa servrar "
++"definieras här.  Ett frivilligt portnummer (föregått av ett kolon) kan "
++"läggas till efter adresser eller värdnamn."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-krb5.5.xml:122
+@@ -12726,12 +14205,12 @@ msgstr ""
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-krb5.5.xml:129
+ msgid "Default: Use the KDC"
+-msgstr ""
++msgstr "Standard: använd KDC:n"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd-krb5.5.xml:135
+ msgid "krb5_ccachedir (string)"
+-msgstr ""
++msgstr "krb5_ccachedir (sträng)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-krb5.5.xml:138
+@@ -12740,96 +14219,99 @@ msgid ""
+ "krb5_ccname_template can be used here, too, except %d and %P.  The directory "
+ "is created as private and owned by the user, with permissions set to 0700."
+ msgstr ""
++"Katalog att lagra kreditiv-cachar i.  Alla substitutionssekvenserna i "
++"krb5_ccname_template kan användas här också, utom %d och %P.  Katalogen "
++"skapas som privat och ägd av användaren, med rättigheterna satta till 0700."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-krb5.5.xml:145
+ msgid "Default: /tmp"
+-msgstr ""
++msgstr "Standard: /tmp"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd-krb5.5.xml:151
+ msgid "krb5_ccname_template (string)"
+-msgstr ""
++msgstr "krb5_ccname_template (sträng)"
+ 
+ #. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term>
+ #: sssd-krb5.5.xml:165 include/override_homedir.xml:11
+ msgid "%u"
+-msgstr ""
++msgstr "%u"
+ 
+ #. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+ #: sssd-krb5.5.xml:166 include/override_homedir.xml:12
+ msgid "login name"
+-msgstr ""
++msgstr "inloggningsnamn"
+ 
+ #. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term>
+ #: sssd-krb5.5.xml:169 include/override_homedir.xml:15
+ msgid "%U"
+-msgstr ""
++msgstr "%U"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+ #: sssd-krb5.5.xml:170
+ msgid "login UID"
+-msgstr ""
++msgstr "inloggnings-UID"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+ #: sssd-krb5.5.xml:173
+ msgid "%p"
+-msgstr ""
++msgstr "%p"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+ #: sssd-krb5.5.xml:174
+ msgid "principal name"
+-msgstr ""
++msgstr "huvudmannanamn"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+ #: sssd-krb5.5.xml:178
+ msgid "%r"
+-msgstr ""
++msgstr "%r"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+ #: sssd-krb5.5.xml:179
+ msgid "realm name"
+-msgstr ""
++msgstr "namn på rike"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+ #: sssd-krb5.5.xml:182
+ msgid "%h"
+-msgstr ""
++msgstr "%h"
+ 
+ #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+ #: sssd-krb5.5.xml:183 sssd-ifp.5.xml:108
+ msgid "home directory"
+-msgstr ""
++msgstr "hemkatalog"
+ 
+ #. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term>
+ #: sssd-krb5.5.xml:187 include/override_homedir.xml:19
+ msgid "%d"
+-msgstr ""
++msgstr "%d"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+ #: sssd-krb5.5.xml:188
+ msgid "value of krb5_ccachedir"
+-msgstr ""
++msgstr "värdet på krb5_ccachedir"
+ 
+ #. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term>
+ #: sssd-krb5.5.xml:193 include/override_homedir.xml:31
+ msgid "%P"
+-msgstr ""
++msgstr "%P"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+ #: sssd-krb5.5.xml:194
+ msgid "the process ID of the SSSD client"
+-msgstr ""
++msgstr "process-ID:t på SSSD-klienten"
+ 
+ #. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term>
+ #: sssd-krb5.5.xml:199 include/override_homedir.xml:49
+ msgid "%%"
+-msgstr ""
++msgstr "%%"
+ 
+ #. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+ #: sssd-krb5.5.xml:200 include/override_homedir.xml:50
+ msgid "a literal '%'"
+-msgstr ""
++msgstr "ett bokstavligt ”%”"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-krb5.5.xml:154
+@@ -12843,6 +14325,13 @@ msgid ""
+ "the template ends with 'XXXXXX' mkstemp(3) is used to create a unique "
+ "filename in a safe way."
+ msgstr ""
++"Platsen för användarens kreditiv-cache.  Tre typer av kreditiv-cacher stödjs "
++"för närvarande: <quote>FIEL</quote>, <quote>DIR</quote> och <quote>KEYRING:"
++"persistent</quote>.  Cachen kan anges antingen som <replaceable>TYP:"
++"ÅTERSTOD</replaceable>, eller som en absolut sökväg, vilket implicerar typen "
++"<quote>FILE</quote>.  I mallen ersätts följande sekvenser: <placeholder type="
++"\"variablelist\" id=\"0\"/> Om mallen slutar med ”XXXXXX” används mkstemp(3) "
++"för att skapa ett unikt filnamn på ett säkert sätt."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-krb5.5.xml:208
+@@ -12852,6 +14341,10 @@ msgid ""
+ "credentials on a per-UID basis. This is also the recommended choice, as it "
+ "is the most secure and predictable method."
+ msgstr ""
++"När KEYRING-typer används är den enda mekanismen som stödjs <quote>KEYRING:"
++"persistent:%U</quote>, vilket använder Linuxkärnans nyckelring för att lagra "
++"kreditiv på per-UID-bas.  Detta är också det rekommenderade valet, eftersom "
++"det är den säkraste och mest förutsägbara metoden."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-krb5.5.xml:216
+@@ -12862,6 +14355,11 @@ msgid ""
+ "PARAMETER EXPANSION paragraph for additional information on the expansion "
+ "format defined by krb5.conf."
+ msgstr ""
++"Standardvärdet för namnet på kreditiv-cachen läses från profilen som fil "
++"sparad i den systemtäckande konfigurationsfilen krb5.conf i avsnittet "
++"[libdefaults].  Alternativnamnet är default_ccache_name.  Se krb5.conf(5)s "
++"avsnitt PARAMETEREXPANSION för mer information om expansionsformatet som "
++"definieras av krb5.conf."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-krb5.5.xml:225
+@@ -12870,16 +14368,19 @@ msgid ""
+ "<citerefentry> <refentrytitle>krb5.conf</refentrytitle> <manvolnum>5</"
+ "manvolnum> </citerefentry> uses different expansion sequences than SSSD."
+ msgstr ""
++"OBSERVERA: var medveten om att ccache-expansionsmallen för libkrb5 från "
++"<citerefentry> <refentrytitle>krb5.conf</refentrytitle> <manvolnum>5</"
++"manvolnum> </citerefentry> använder andra expansionssekvenser än SSSD."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-krb5.5.xml:234
+ msgid "Default: (from libkrb5)"
+-msgstr ""
++msgstr "Standard: (från libkrb5)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd-krb5.5.xml:240
+ msgid "krb5_auth_timeout (integer)"
+-msgstr ""
++msgstr "krb5_auth_timeout (heltal)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-krb5.5.xml:243
+@@ -12888,11 +14389,14 @@ msgid ""
+ "request is aborted. If possible, the authentication request is continued "
+ "offline."
+ msgstr ""
++"Tidsgräns i sekunder efter vilken en uppkopplad begäran om autentisering "
++"eller begäran om lösenordsändring avbryts.  OM möjligt fortsätts begäran om "
++"autentisering frånkopplat."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd-krb5.5.xml:254
+ msgid "krb5_validate (boolean)"
+-msgstr ""
++msgstr "krb5_validate (boolean)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-krb5.5.xml:257
+@@ -12904,11 +14408,18 @@ msgid ""
+ "environments using cross-realm trust by placing the appropriate keytab entry "
+ "as the last entry or the only entry in the keytab file."
+ msgstr ""
++"Verifiera med hjälp av krb5_keytab att den TGT om hämtats inte har "
++"förfalskats.  I keytab:en kontrolleras poster sekvensiellt, och den första "
++"posten med ett matchande rike används för validering.  Om ingen post machar "
++"riket används den sista posten i keytab:en.  Denna process kan användas för "
++"att validera miljöer genom att använda förtroenden mellan riken genom att "
++"placera den motsvarande keytab-posten som sista post eller den enda posten i "
++"keytab-filen."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd-krb5.5.xml:272
+ msgid "krb5_keytab (string)"
+-msgstr ""
++msgstr "krb5_keytab (sträng)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-krb5.5.xml:275
+@@ -12916,16 +14427,18 @@ msgid ""
+ "The location of the keytab to use when validating credentials obtained from "
+ "KDCs."
+ msgstr ""
++"Platsen där keytab:en som skall användas för validering av kreditiv som tas "
++"emot från KDC:er finns."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-krb5.5.xml:279
+ msgid "Default: /etc/krb5.keytab"
+-msgstr ""
++msgstr "Standard: /etc/krb5.keytab"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd-krb5.5.xml:285
+ msgid "krb5_store_password_if_offline (boolean)"
+-msgstr ""
++msgstr "krb5_store_password_if_offline (boolean)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-krb5.5.xml:288
+@@ -12933,6 +14446,8 @@ msgid ""
+ "Store the password of the user if the provider is offline and use it to "
+ "request a TGT when the provider comes online again."
+ msgstr ""
++"Spara lösenordet för användaren om leverantören är frånkopplad och använd "
++"det för att begära en TGT när leverantören blir uppkopplad igen."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-krb5.5.xml:293
+@@ -12941,11 +14456,14 @@ msgid ""
+ "are kept in plaintext in the kernel keyring and are potentially accessible "
+ "by the root user (with difficulty)."
+ msgstr ""
++"OBS: denna funktion är endast tillgänglig på Linux.  Lösenord som lagras på "
++"detta sätt hålls i klartext i kärnans nyckelring och är potentiellt "
++"åtkomliga för root-användaren (med svårighet)."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd-krb5.5.xml:306
+ msgid "krb5_renewable_lifetime (string)"
+-msgstr ""
++msgstr "krb5_renewable_lifetime (sträng)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-krb5.5.xml:309
+@@ -12953,31 +14471,33 @@ msgid ""
+ "Request a renewable ticket with a total lifetime, given as an integer "
+ "immediately followed by a time unit:"
+ msgstr ""
++"Begär en förnybar biljett med en total livslängd, given som ett heltal "
++"omedelbart följd av en tidsenhet:"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-krb5.5.xml:314 sssd-krb5.5.xml:348 sssd-krb5.5.xml:385
+ msgid "<emphasis>s</emphasis> for seconds"
+-msgstr ""
++msgstr "<emphasis>s</emphasis> för sekunder"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-krb5.5.xml:317 sssd-krb5.5.xml:351 sssd-krb5.5.xml:388
+ msgid "<emphasis>m</emphasis> for minutes"
+-msgstr ""
++msgstr "<emphasis>m</emphasis> för minuter"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-krb5.5.xml:320 sssd-krb5.5.xml:354 sssd-krb5.5.xml:391
+ msgid "<emphasis>h</emphasis> for hours"
+-msgstr ""
++msgstr "<emphasis>h</emphasis> för timmar"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-krb5.5.xml:323 sssd-krb5.5.xml:357 sssd-krb5.5.xml:394
+ msgid "<emphasis>d</emphasis> for days."
+-msgstr ""
++msgstr "<emphasis>d</emphasis> för dagar."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-krb5.5.xml:326 sssd-krb5.5.xml:397
+ msgid "If there is no unit given, <emphasis>s</emphasis> is assumed."
+-msgstr ""
++msgstr "Om ingen enhet anges antas <emphasis>s</emphasis>."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-krb5.5.xml:330 sssd-krb5.5.xml:401
+@@ -12985,16 +14505,19 @@ msgid ""
+ "NOTE: It is not possible to mix units.  To set the renewable lifetime to one "
+ "and a half hours, use '90m' instead of '1h30m'."
+ msgstr ""
++"OBSERVERA: det är inte möjligt att blanda enheter.  För att sätta den "
++"förnybara livslängden till en och en halv timma, använd ”90m” istället för "
++"”1h30m”."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-krb5.5.xml:335
+ msgid "Default: not set, i.e. the TGT is not renewable"
+-msgstr ""
++msgstr "Standard: inte satt, d.v.s. TGT:en är inte förnybar"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd-krb5.5.xml:341
+ msgid "krb5_lifetime (string)"
+-msgstr ""
++msgstr "krb5_lifetime (sträng)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-krb5.5.xml:344
+@@ -13002,11 +14525,13 @@ msgid ""
+ "Request ticket with a lifetime, given as an integer immediately followed by "
+ "a time unit:"
+ msgstr ""
++"Begär en biljett med en livslängd, given som ett heltal omedelbart följd av "
++"en tidsenhet:"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-krb5.5.xml:360
+ msgid "If there is no unit given <emphasis>s</emphasis> is assumed."
+-msgstr ""
++msgstr "Om ingen enhet anges antas <emphasis>s</emphasis>."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-krb5.5.xml:364
+@@ -13014,17 +14539,20 @@ msgid ""
+ "NOTE: It is not possible to mix units.  To set the lifetime to one and a "
+ "half hours please use '90m' instead of '1h30m'."
+ msgstr ""
++"OBSERVERA: det är inte möjligt att blanda enheter.  För att sätta "
++"livslängden till en och en halv timma, använd ”90m” istället för ”1h30m”."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-krb5.5.xml:369
+ msgid ""
+ "Default: not set, i.e. the default ticket lifetime configured on the KDC."
+ msgstr ""
++"Standard: inte satt, d.v.s. biljettens stanardlivsläng konfigurerad på KDC:n."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd-krb5.5.xml:376
+ msgid "krb5_renew_interval (string)"
+-msgstr ""
++msgstr "krb5_renew_interval (sträng)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-krb5.5.xml:379
+@@ -13033,16 +14561,21 @@ msgid ""
+ "are renewed if about half of their lifetime is exceeded, given as an integer "
+ "immediately followed by a time unit:"
+ msgstr ""
++"Tiden i sekunder mellan två kontroller om TGT:en skall förnyas.  TGT:er "
++"förnyas om ungefär halva deras livstid har överskridits, givet som ett "
++"heltal omedelbart följt av en tidsenhet:"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-krb5.5.xml:406
+ msgid "If this option is not set or is 0 the automatic renewal is disabled."
+ msgstr ""
++"Om detta alternativ inte är satt eller är 0 är den automatiska förnyelsen "
++"avaktiverad."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd-krb5.5.xml:416
+ msgid "krb5_use_fast (string)"
+-msgstr ""
++msgstr "krb5_use_fast (sträng)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-krb5.5.xml:419
+@@ -13050,6 +14583,9 @@ msgid ""
+ "Enables flexible authentication secure tunneling (FAST) for Kerberos pre-"
+ "authentication. The following options are supported:"
+ msgstr ""
++"Aktiverar flexibel autentisering via säker tunnling (flexible authentication "
++"secure tunneling, FAST) för Kerberos förautentisering.  Följande alternativ "
++"stödjs:"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-krb5.5.xml:424
+@@ -13057,6 +14593,9 @@ msgid ""
+ "<emphasis>never</emphasis> use FAST. This is equivalent to not setting this "
+ "option at all."
+ msgstr ""
++"<emphasis>never</emphasis> använd aldrig FAST.  Detta är ekvivalent med att "
++"inte ställa in denna This is ekvivalent med att inte sätta detta alterinativ "
++"alls."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-krb5.5.xml:428
+@@ -13064,6 +14603,8 @@ msgid ""
+ "<emphasis>try</emphasis> to use FAST. If the server does not support FAST, "
+ "continue the authentication without it."
+ msgstr ""
++"<emphasis>try</emphasis> försök använda FAST.  Om servern inte stödjer FAST, "
++"fortsätt då autentiseringen utan den."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-krb5.5.xml:433
+@@ -13071,16 +14612,18 @@ msgid ""
+ "<emphasis>demand</emphasis> to use FAST. The authentication fails if the "
+ "server does not require fast."
+ msgstr ""
++"<emphasis>demand</emphasis> kräv användning av FAST.  Autentiseringen "
++"misslyckas om servern inte begär fast."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-krb5.5.xml:438
+ msgid "Default: not set, i.e. FAST is not used."
+-msgstr ""
++msgstr "Standard: inte satt, d.v.s. FAST används inte."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-krb5.5.xml:441
+ msgid "NOTE: a keytab is required to use FAST."
+-msgstr ""
++msgstr "OBSERVERA: en keytab krävs för att använda FAST."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-krb5.5.xml:444
+@@ -13089,16 +14632,19 @@ msgid ""
+ "SSSD is used with an older version of MIT Kerberos, using this option is a "
+ "configuration error."
+ msgstr ""
++"OBSERVERA: SSSD stödjer endast FAST med MIT Kerberos version 1.8 och "
++"senare.  Om SSSD används med en äldre version av MIT Kerberos är det ett "
++"konfigurationsfel att använda detta alternativ."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd-krb5.5.xml:453
+ msgid "krb5_fast_principal (string)"
+-msgstr ""
++msgstr "krb5_fast_principal (sträng)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-krb5.5.xml:456
+ msgid "Specifies the server principal to use for FAST."
+-msgstr ""
++msgstr "Anger serverhuvudmannen att använda för FAST."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-krb5.5.xml:465
+@@ -13106,30 +14652,27 @@ msgid ""
+ "Specifies if the host and user principal should be canonicalized. This "
+ "feature is available with MIT Kerberos 1.7 and later versions."
+ msgstr ""
++"Anger om värdens och användarens huvudman skall göras kononisk.  Denna "
++"funktion är tillgänglig med MIT Kerberos 1.7 och senare versioner."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd-krb5.5.xml:505
+-#, fuzzy
+-#| msgid "krb5_rcache_dir (string)"
+ msgid "krb5_kdcinfo_lookahead (string)"
+-msgstr "krb5_rcache_dir (sträng)"
++msgstr "krb5_kdcinfo_lookahead (sträng)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-krb5.5.xml:508
+-#, fuzzy
+-#| msgid ""
+-#| "<quote>krb5</quote> to change the Kerberos password. See <citerefentry> "
+-#| "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </"
+-#| "citerefentry> for more information on configuring Kerberos."
+ msgid ""
+ "When krb5_use_kdcinfo is set to true, you can limit the amount of servers "
+ "handed to <citerefentry> <refentrytitle>sssd_krb5_locator_plugin</"
+ "refentrytitle> <manvolnum>8</manvolnum> </citerefentry>.  This might be "
+ "helpful when there are too many servers discovered using SRV record."
+ msgstr ""
+-"<quote>krb5</quote> för att ändra Kerberoslösenordet.  Se <citerefentry> "
+-"<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </"
+-"citerefentry> för mer information om att konfigurera Kerberos."
++"När krb5_use_kdcinfo är satt till true kan man begränsa mängden servrar som "
++"skcikas till <citerefentry> <refentrytitle>sssd_krb5_locator_plugin</"
++"refentrytitle> <manvolnum>8</manvolnum> </citerefentry>.  Detta kan vara "
++"användbart när det finns för många servrar som upptäcks med hjälp av SRV-"
++"poster."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-krb5.5.xml:518
+@@ -13138,35 +14681,32 @@ msgid ""
+ "The first number represents number of primary servers used and the second "
+ "number specifies the number of backup servers."
+ msgstr ""
++"Alternativet krb5_kdcinfo_lookahead innehåller två tal separerade av ett "
++"kolon.  Det första talet representerar antalet primärservrar som används och "
++"det andra talet anger antalet reservservrar."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-krb5.5.xml:524
+-#, fuzzy
+-#| msgid ""
+-#| "<quote>krb5</quote> to change the Kerberos password. See <citerefentry> "
+-#| "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </"
+-#| "citerefentry> for more information on configuring Kerberos."
+ msgid ""
+ "For example <emphasis>10:0</emphasis> means that up to 10 primary servers "
+ "will be handed to <citerefentry> <refentrytitle>sssd_krb5_locator_plugin</"
+ "refentrytitle> <manvolnum>8</manvolnum> </citerefentry>.  but no backup "
+ "servers."
+ msgstr ""
+-"<quote>krb5</quote> för att ändra Kerberoslösenordet.  Se <citerefentry> "
+-"<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </"
+-"citerefentry> för mer information om att konfigurera Kerberos."
++"Till exempel betyder <emphasis>10:0</emphasis> att upp till 10 primärservrar "
++"kommer lämnas till<citerefentry> <refentrytitle>sssd_krb5_locator_plugin</"
++"refentrytitle> <manvolnum>8</manvolnum> </citerefentry>.  men inga "
++"reservservrar."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-krb5.5.xml:533
+-#, fuzzy
+-#| msgid "Default: 3"
+ msgid "Default: 3:1"
+-msgstr "Standard: 3"
++msgstr "Standard: 3:1"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd-krb5.5.xml:539
+ msgid "krb5_use_enterprise_principal (boolean)"
+-msgstr ""
++msgstr "krb5_use_enterprise_principal (boolean)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-krb5.5.xml:542
+@@ -13174,11 +14714,13 @@ msgid ""
+ "Specifies if the user principal should be treated as enterprise principal. "
+ "See section 5 of RFC 6806 for more details about enterprise principals."
+ msgstr ""
++"Anger om användarens huvudman skall behandlas som företagshuvudman.  Se "
++"avsnitt 5 i RFC 6806 för mer detaljer om företagshuvudmän."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-krb5.5.xml:548
+ msgid "Default: false (AD provider: true)"
+-msgstr ""
++msgstr "Standard: false (AD-leverantör: true)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-krb5.5.xml:551
+@@ -13187,11 +14729,14 @@ msgid ""
+ "is capable of handling enterprise principals and the option is not set "
+ "explicitly in the config file."
+ msgstr ""
++"IPA-leverantören kommer sätta detta alternativ till ”true” om den upptäcker "
++"att servern klarar av att hantera företagshuvudmän och alternativet inte är "
++"uttryckligen satt i konfigurationsfilen."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd-krb5.5.xml:560
+ msgid "krb5_map_user (string)"
+-msgstr ""
++msgstr "krb5_map_user (sträng)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-krb5.5.xml:563
+@@ -13202,6 +14747,11 @@ msgid ""
+ "mapping is used when user is authenticating using <quote>auth_provider = "
+ "krb5</quote>."
+ msgstr ""
++"Listan av mappningar anges som en kommaseparerad lista av par "
++"<quote>användarnamn:primär</quote> där <quote>användarnamn</quote> är ett "
++"UNIX-användarnamn och <quote>primär</quote> är en användardel av en "
++"kerberoshuvudman.  Denna mappning används när användaren autentiserar med "
++"<quote>auth_provider = krb5</quote>."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
+ #: sssd-krb5.5.xml:575
+@@ -13210,6 +14760,8 @@ msgid ""
+ "krb5_realm = REALM\n"
+ "krb5_map_user = joe:juser,dick:richard\n"
+ msgstr ""
++"krb5_realm = RIKE\n"
++"krb5_map_user = maria:manvnd,hasse:hans\n"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-krb5.5.xml:580
+@@ -13220,6 +14772,11 @@ msgid ""
+ "try to kinit as <quote>juser@REALM</quote> resp.  <quote>richard@REALM</"
+ "quote>."
+ msgstr ""
++"<quote>maria</quote> och <quote>hasse</quote> är UNIX-användarnamn och "
++"<quote>manvnd</quote> och <quote>hans</quote> är primärer i "
++"kerberoshuvudmän.  För användaren <quote>maria</quote> resp.  <quote>hasse</"
++"quote> kommer SSSD försöka att göra kinit som <quote>manvndr@RIKE</quote> "
++"resp.  <quote>hans@RIKE</quote>."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+ #: sssd-krb5.5.xml:65
+@@ -13230,6 +14787,11 @@ msgid ""
+ "<quote>DOMAIN SECTIONS</quote>, for details on the configuration of an SSSD "
+ "domain.  <placeholder type=\"variablelist\" id=\"0\"/>"
+ msgstr ""
++"Om autentiseringsodulen krb5 används in en SSD-domän måste följande "
++"alternativ användas.  Se manualsidan <citerefentry> <refentrytitle>sssd."
++"conf</refentrytitle> <manvolnum>5</manvolnum> </citerefentry>, avsnittet "
++"<quote>DOMÄNSEKTIONER</quote> för detaljer om konfigurationen av en SSSD-"
++"domän.  <placeholder type=\"variablelist\" id=\"0\"/>"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+ #: sssd-krb5.5.xml:606
+@@ -13239,6 +14801,10 @@ msgid ""
+ "example shows only configuration of Kerberos authentication; it does not "
+ "include any identity provider."
+ msgstr ""
++"Följande exempel antar att SSSD är korrekt konfigurerard och att APA är en "
++"av domänerna i avsnittet <replaceable>[sssd]</replaceable>.  Detta exempel "
++"visar endast konfigurationen av Kerberosautentisering; det inkluderar inte "
++"någon identitetsleverantör."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><programlisting>
+ #: sssd-krb5.5.xml:614
+@@ -13249,16 +14815,20 @@ msgid ""
+ "krb5_server = 192.168.1.1\n"
+ "krb5_realm = EXAMPLE.COM\n"
+ msgstr ""
++"[domain/APA]\n"
++"auth_provider = krb5\n"
++"krb5_server = 192.168.1.1\n"
++"krb5_realm = EXEMPEL.SE\n"
+ 
+ #. type: Content of: <reference><refentry><refnamediv><refname>
+ #: sss_groupadd.8.xml:10 sss_groupadd.8.xml:15
+ msgid "sss_groupadd"
+-msgstr ""
++msgstr "sss_groupadd"
+ 
+ #. type: Content of: <reference><refentry><refnamediv><refpurpose>
+ #: sss_groupadd.8.xml:16
+ msgid "create a new group"
+-msgstr ""
++msgstr "skapa en ny grupp"
+ 
+ #. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis>
+ #: sss_groupadd.8.xml:21
+@@ -13267,6 +14837,9 @@ msgid ""
+ "replaceable> </arg> <arg choice='plain'><replaceable>GROUP</replaceable></"
+ "arg>"
+ msgstr ""
++"<command>sss_groupadd</command> <arg choice='opt'> <replaceable>flaggor</"
++"replaceable> </arg> <arg choice='plain'><replaceable>GRUPP</replaceable></"
++"arg>"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+ #: sss_groupadd.8.xml:32
+@@ -13275,12 +14848,16 @@ msgid ""
+ "compatible with POSIX groups, with the additional feature that they can "
+ "contain other groups as members."
+ msgstr ""
++"<command>sss_groupadd</command> skapar en ny grupp.  Dessa grupper är "
++"kompatibla med POSIX-grupper, med den ytterligare funktionen att de kan "
++"innehålla andra grupper som medlemmar."
+ 
+ #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+ #: sss_groupadd.8.xml:43 sss_seed.8.xml:88
+ msgid ""
+ "<option>-g</option>,<option>--gid</option> <replaceable>GID</replaceable>"
+ msgstr ""
++"<option>-g</option>,<option>--gid</option> <replaceable>GID</replaceable>"
+ 
+ #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+ #: sss_groupadd.8.xml:48
+@@ -13288,16 +14865,18 @@ msgid ""
+ "Set the GID of the group to the value of <replaceable>GID</replaceable>.  If "
+ "not given, it is chosen automatically."
+ msgstr ""
++"Sätt GID:n för gruppen till värdet av <replaceable>GID</replaceable>.  Om "
++"det inte anges väljs det automatiskt."
+ 
+ #. type: Content of: <reference><refentry><refnamediv><refname>
+ #: sss_userdel.8.xml:10 sss_userdel.8.xml:15
+ msgid "sss_userdel"
+-msgstr ""
++msgstr "sss_userdel"
+ 
+ #. type: Content of: <reference><refentry><refnamediv><refpurpose>
+ #: sss_userdel.8.xml:16
+ msgid "delete a user account"
+-msgstr ""
++msgstr "ta bort ett användarkonto"
+ 
+ #. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis>
+ #: sss_userdel.8.xml:21
+@@ -13306,6 +14885,9 @@ msgid ""
+ "replaceable> </arg> <arg choice='plain'><replaceable>LOGIN</replaceable></"
+ "arg>"
+ msgstr ""
++"<command>sss_userdel</command> <arg choice='opt'> <replaceable>flaggor</"
++"replaceable> </arg> <arg choice='plain'><replaceable>INLOGGNINGSNAMN</"
++"replaceable></arg>"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+ #: sss_userdel.8.xml:32
+@@ -13313,11 +14895,13 @@ msgid ""
+ "<command>sss_userdel</command> deletes a user identified by login name "
+ "<replaceable>LOGIN</replaceable> from the system."
+ msgstr ""
++"<command>sss_userdel</command> tar bort en användare identifierad av "
++"inloggningsnamnet <replaceable>INLOGGNINGSNAMN</replaceable> från systemet."
+ 
+ #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+ #: sss_userdel.8.xml:44
+ msgid "<option>-r</option>,<option>--remove</option>"
+-msgstr ""
++msgstr "<option>-r</option>,<option>--remove</option>"
+ 
+ #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+ #: sss_userdel.8.xml:48
+@@ -13325,11 +14909,13 @@ msgid ""
+ "Files in the user's home directory will be removed along with the home "
+ "directory itself and the user's mail spool. Overrides the configuration."
+ msgstr ""
++"Filer i användarens hemkatalog kommer tas bort tillsammans med själva "
++"hemkatalogen och användarens brevlåda.  Åsidosätter konfigurationen."
+ 
+ #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+ #: sss_userdel.8.xml:56
+ msgid "<option>-R</option>,<option>--no-remove</option>"
+-msgstr ""
++msgstr "<option>-R</option>,<option>--no-remove</option>"
+ 
+ #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+ #: sss_userdel.8.xml:60
+@@ -13337,11 +14923,13 @@ msgid ""
+ "Files in the user's home directory will NOT be removed along with the home "
+ "directory itself and the user's mail spool. Overrides the configuration."
+ msgstr ""
++"Filer i användarens hemkatalog kommer INTE tas bort tillsammans med själva "
++"hemkatalogen och användarens brevlåda.  Åsidosätter konfigurationen."
+ 
+ #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+ #: sss_userdel.8.xml:68
+ msgid "<option>-f</option>,<option>--force</option>"
+-msgstr ""
++msgstr "<option>-f</option>,<option>--force</option>"
+ 
+ #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+ #: sss_userdel.8.xml:72
+@@ -13349,26 +14937,28 @@ msgid ""
+ "This option forces <command>sss_userdel</command> to remove the user's home "
+ "directory and mail spool, even if they are not owned by the specified user."
+ msgstr ""
++"Denna flagga tvingar <command>sss_userdel</command> att ta bort användarens "
++"hemkatalog och brevlåda, även om de inte ägs av den angivna användaren."
+ 
+ #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+ #: sss_userdel.8.xml:80
+ msgid "<option>-k</option>,<option>--kick</option>"
+-msgstr ""
++msgstr "<option>-k</option>,<option>--kick</option>"
+ 
+ #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+ #: sss_userdel.8.xml:84
+ msgid "Before actually deleting the user, terminate all his processes."
+-msgstr ""
++msgstr "Före användaren faktiskt tas bort, döda alla hans processer."
+ 
+ #. type: Content of: <reference><refentry><refnamediv><refname>
+ #: sss_groupdel.8.xml:10 sss_groupdel.8.xml:15
+ msgid "sss_groupdel"
+-msgstr ""
++msgstr "sss_groupdel"
+ 
+ #. type: Content of: <reference><refentry><refnamediv><refpurpose>
+ #: sss_groupdel.8.xml:16
+ msgid "delete a group"
+-msgstr ""
++msgstr "ta bort en grupp"
+ 
+ #. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis>
+ #: sss_groupdel.8.xml:21
+@@ -13377,6 +14967,9 @@ msgid ""
+ "replaceable> </arg> <arg choice='plain'><replaceable>GROUP</replaceable></"
+ "arg>"
+ msgstr ""
++"<command>sss_groupdel</command> <arg choice='opt'> <replaceable>flaggor</"
++"replaceable> </arg> <arg choice='plain'><replaceable>GRUPP</replaceable></"
++"arg>"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+ #: sss_groupdel.8.xml:32
+@@ -13384,16 +14977,18 @@ msgid ""
+ "<command>sss_groupdel</command> deletes a group identified by its name "
+ "<replaceable>GROUP</replaceable> from the system."
+ msgstr ""
++"<command>sss_groupdel</command> tar bort en grupp identifierad av sitt namn "
++"<replaceable>GRUPP</replaceable> från systemet."
+ 
+ #. type: Content of: <reference><refentry><refnamediv><refname>
+ #: sss_groupshow.8.xml:10 sss_groupshow.8.xml:15
+ msgid "sss_groupshow"
+-msgstr ""
++msgstr "sss_groupshow"
+ 
+ #. type: Content of: <reference><refentry><refnamediv><refpurpose>
+ #: sss_groupshow.8.xml:16
+ msgid "print properties of a group"
+-msgstr ""
++msgstr "skriv ut egenskaperna hos en grupp"
+ 
+ #. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis>
+ #: sss_groupshow.8.xml:21
+@@ -13402,6 +14997,9 @@ msgid ""
+ "replaceable> </arg> <arg choice='plain'><replaceable>GROUP</replaceable></"
+ "arg>"
+ msgstr ""
++"<command>sss_groupshow</command> <arg choice='opt'> <replaceable>flaggor</"
++"replaceable> </arg> <arg choice='plain'><replaceable>GRUPP</replaceable></"
++"arg>"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+ #: sss_groupshow.8.xml:32
+@@ -13410,11 +15008,14 @@ msgid ""
+ "identified by its name <replaceable>GROUP</replaceable>. The information "
+ "includes the group ID number, members of the group and the parent group."
+ msgstr ""
++"<command>sss_groupsho</command> visar information om en grupp identifierad "
++"av sitt namn <replaceable>GRUPP</replaceable>.  Informationen inkluderar "
++"grupp-ID-numret, medlemmar i gruppen och föräldragruppen."
+ 
+ #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+ #: sss_groupshow.8.xml:43
+ msgid "<option>-R</option>,<option>--recursive</option>"
+-msgstr ""
++msgstr "<option>-R</option>,<option>--recursive</option>"
+ 
+ #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+ #: sss_groupshow.8.xml:47
+@@ -13423,16 +15024,19 @@ msgid ""
+ "also affects printing parent groups - without <option>R</option>, only the "
+ "direct parent will be printed."
+ msgstr ""
++"Skriv även ut indirekta gruppmedlemmar i en trädliknande hierarki.  "
++"Observera att detta även påverkar utskriften av föräldragrupper – utan "
++"<option>R</option> kommer endast dem direkta föräldern skrivas ut."
+ 
+ #. type: Content of: <reference><refentry><refnamediv><refname>
+ #: sss_usermod.8.xml:10 sss_usermod.8.xml:15
+ msgid "sss_usermod"
+-msgstr ""
++msgstr "sss_usermod"
+ 
+ #. type: Content of: <reference><refentry><refnamediv><refpurpose>
+ #: sss_usermod.8.xml:16
+ msgid "modify a user account"
+-msgstr ""
++msgstr "ändra ett användarkonto"
+ 
+ #. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis>
+ #: sss_usermod.8.xml:21
+@@ -13441,6 +15045,9 @@ msgid ""
+ "replaceable> </arg> <arg choice='plain'><replaceable>LOGIN</replaceable></"
+ "arg>"
+ msgstr ""
++"<command>sss_usermod</command> <arg choice='opt'> <replaceable>flaggor</"
++"replaceable> </arg> <arg choice='plain'><replaceable>INLOGGNINGSNAMN</"
++"replaceable></arg>"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+ #: sss_usermod.8.xml:32
+@@ -13449,16 +15056,19 @@ msgid ""
+ "<replaceable>LOGIN</replaceable> to reflect the changes that are specified "
+ "on the command line."
+ msgstr ""
++"<command>sss_usermod</command> ändrar kontot som anges av "
++"<replaceable>INLOGGNINGSNAMN</replaceable> till att avspegla ändringarna som "
++"anges på kommandoraden."
+ 
+ #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+ #: sss_usermod.8.xml:60
+ msgid "The home directory of the user account."
+-msgstr ""
++msgstr "Användarkontots hemkatalog."
+ 
+ #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+ #: sss_usermod.8.xml:71
+ msgid "The user's login shell."
+-msgstr ""
++msgstr "Användarens inloggningsskal."
+ 
+ #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+ #: sss_usermod.8.xml:82
+@@ -13467,6 +15077,9 @@ msgid ""
+ "replaceable> parameter.  The <replaceable>GROUPS</replaceable> parameter is "
+ "a comma separated list of group names."
+ msgstr ""
++"Lägg till denna användare till grupperna som anges av parametern "
++"<replaceable>GRUPPER</replaceable> parameter.  Parametern "
++"<replaceable>GRUPPER</replaceable> är en kommaseparerad lista av gruppnamn."
+ 
+ #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+ #: sss_usermod.8.xml:96
+@@ -13474,46 +15087,48 @@ msgid ""
+ "Remove this user from groups specified by the <replaceable>GROUPS</"
+ "replaceable> parameter."
+ msgstr ""
++"Ta bort denna användare från grupperna som anges av parametern "
++"<replaceable>GRUPPER</replaceable>."
+ 
+ #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+ #: sss_usermod.8.xml:103
+ msgid "<option>-l</option>,<option>--lock</option>"
+-msgstr ""
++msgstr "<option>-l</option>,<option>--lock</option>"
+ 
+ #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+ #: sss_usermod.8.xml:107
+ msgid "Lock the user account. The user won't be able to log in."
+-msgstr ""
++msgstr "Lås användarkontot.  Användare kommer inte kunna logga in."
+ 
+ #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+ #: sss_usermod.8.xml:114
+ msgid "<option>-u</option>,<option>--unlock</option>"
+-msgstr ""
++msgstr "<option>-u</option>,<option>--unlock</option>"
+ 
+ #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+ #: sss_usermod.8.xml:118
+ msgid "Unlock the user account."
+-msgstr ""
++msgstr "Lås upp användarkontot."
+ 
+ #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+ #: sss_usermod.8.xml:129
+ msgid "The SELinux user for the user's login."
+-msgstr ""
++msgstr "SELinux-användaren för användarens inloggning."
+ 
+ #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+ #: sss_usermod.8.xml:135
+ msgid "<option>--addattr</option> <replaceable>ATTR_NAME_VAL</replaceable>"
+-msgstr ""
++msgstr "<option>--addattr</option> <replaceable>ATTR_NAMN_VÄRDE</replaceable>"
+ 
+ #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+ #: sss_usermod.8.xml:140
+ msgid "Add an attribute/value pair. The format is attrname=value."
+-msgstr ""
++msgstr "Lägg till ett attribut/värde-par.  Formatet är attrnamn=värde."
+ 
+ #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+ #: sss_usermod.8.xml:147
+ msgid "<option>--setattr</option> <replaceable>ATTR_NAME_VAL</replaceable>"
+-msgstr ""
++msgstr "<option>--setattr</option> <replaceable>ATTR_NAMN_VÄRDE</replaceable>"
+ 
+ #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+ #: sss_usermod.8.xml:152
+@@ -13521,26 +15136,28 @@ msgid ""
+ "Set an attribute to a name/value pair. The format is attrname=value. For "
+ "multi-valued attributes, the command replaces the values already present"
+ msgstr ""
++"Sätt ett attribut till ett namn/värde-par.  Formatet är attrnamn=värde.  För "
++"flervärda attribut ersätter kommandot de värden som redan finns"
+ 
+ #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+ #: sss_usermod.8.xml:160
+ msgid "<option>--delattr</option> <replaceable>ATTR_NAME_VAL</replaceable>"
+-msgstr ""
++msgstr "<option>--delattr</option> <replaceable>ATTR_NAMN_VÄRDE</replaceable>"
+ 
+ #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+ #: sss_usermod.8.xml:165
+ msgid "Delete an attribute/value pair. The format is attrname=value."
+-msgstr ""
++msgstr "Ta bort ett attribut/värde-par.  Formatet är attrnamn=värde."
+ 
+ #. type: Content of: <reference><refentry><refnamediv><refname>
+ #: sss_cache.8.xml:10 sss_cache.8.xml:15
+ msgid "sss_cache"
+-msgstr ""
++msgstr "sss_cache"
+ 
+ #. type: Content of: <reference><refentry><refnamediv><refpurpose>
+ #: sss_cache.8.xml:16
+ msgid "perform cache cleanup"
+-msgstr ""
++msgstr "utför cacherensning"
+ 
+ #. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis>
+ #: sss_cache.8.xml:21
+@@ -13548,6 +15165,8 @@ msgid ""
+ "<command>sss_cache</command> <arg choice='opt'> <replaceable>options</"
+ "replaceable> </arg>"
+ msgstr ""
++"<command>sss_cache</command> <arg choice='opt'> <replaceable>flaggor</"
++"replaceable> </arg>"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+ #: sss_cache.8.xml:31
+@@ -13557,32 +15176,38 @@ msgid ""
+ "backend is online. Options that invalidate a single object only accept a "
+ "single provided argument."
+ msgstr ""
++"<command>sss_cache</command> invalidrtst poster i SSSD-cachen.  Invaliderade "
++"poster måste hämtas om från servern så fort den tillhörande SSSD-bakänden är "
++"ansluten.  Flaggor som invaliderar ett enstaka objekt tar bara ett ensamt "
++"argument."
+ 
+ #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+ #: sss_cache.8.xml:43
+ msgid "<option>-E</option>,<option>--everything</option>"
+-msgstr ""
++msgstr "<option>-E</option>,<option>--everything</option>"
+ 
+ #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+ #: sss_cache.8.xml:47
+ msgid "Invalidate all cached entries."
+-msgstr ""
++msgstr "Invalidera alla cachade poster."
+ 
+ #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+ #: sss_cache.8.xml:53
+ msgid ""
+ "<option>-u</option>,<option>--user</option> <replaceable>login</replaceable>"
+ msgstr ""
++"<option>-u</option>,<option>--user</option> <replaceable>inloggning</"
++"replaceable>"
+ 
+ #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+ #: sss_cache.8.xml:58
+ msgid "Invalidate specific user."
+-msgstr ""
++msgstr "Invalidera en viss användare."
+ 
+ #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+ #: sss_cache.8.xml:64
+ msgid "<option>-U</option>,<option>--users</option>"
+-msgstr ""
++msgstr "<option>-U</option>,<option>--users</option>"
+ 
+ #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+ #: sss_cache.8.xml:68
+@@ -13590,22 +15215,25 @@ msgid ""
+ "Invalidate all user records. This option overrides invalidation of specific "
+ "user if it was also set."
+ msgstr ""
++"Invalidera alla användarposter.  Detta alternativ åsidosätter invalidering "
++"av en viss användare om det också angavs."
+ 
+ #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+ #: sss_cache.8.xml:75
+ msgid ""
+ "<option>-g</option>,<option>--group</option> <replaceable>group</replaceable>"
+ msgstr ""
++"<option>-g</option>,<option>--group</option> <replaceable>grupp</replaceable>"
+ 
+ #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+ #: sss_cache.8.xml:80
+ msgid "Invalidate specific group."
+-msgstr ""
++msgstr "Invalidera en viss grupp."
+ 
+ #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+ #: sss_cache.8.xml:86
+ msgid "<option>-G</option>,<option>--groups</option>"
+-msgstr ""
++msgstr "<option>-G</option>,<option>--groups</option>"
+ 
+ #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+ #: sss_cache.8.xml:90
+@@ -13613,6 +15241,8 @@ msgid ""
+ "Invalidate all group records. This option overrides invalidation of specific "
+ "group if it was also set."
+ msgstr ""
++"Invalidera alla grupposter.  Detta alternativ åsidosätter invalidering av en "
++"viss grupp om det också angavs."
+ 
+ #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+ #: sss_cache.8.xml:97
+@@ -13620,16 +15250,18 @@ msgid ""
+ "<option>-n</option>,<option>--netgroup</option> <replaceable>netgroup</"
+ "replaceable>"
+ msgstr ""
++"<option>-n</option>,<option>--netgroup</option> <replaceable>nätgrupp</"
++"replaceable>"
+ 
+ #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+ #: sss_cache.8.xml:102
+ msgid "Invalidate specific netgroup."
+-msgstr ""
++msgstr "Invalidera en viss nätgrupp."
+ 
+ #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+ #: sss_cache.8.xml:108
+ msgid "<option>-N</option>,<option>--netgroups</option>"
+-msgstr ""
++msgstr "<option>-N</option>,<option>--netgroups</option>"
+ 
+ #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+ #: sss_cache.8.xml:112
+@@ -13637,6 +15269,8 @@ msgid ""
+ "Invalidate all netgroup records. This option overrides invalidation of "
+ "specific netgroup if it was also set."
+ msgstr ""
++"Invalidera alla nätgruppsposter.  Detta alternativ åsidosätter invalidering "
++"av en viss nätgrupp om det också angavs."
+ 
+ #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+ #: sss_cache.8.xml:119
+@@ -13644,16 +15278,18 @@ msgid ""
+ "<option>-s</option>,<option>--service</option> <replaceable>service</"
+ "replaceable>"
+ msgstr ""
++"<option>-s</option>,<option>--service</option> <replaceable>tjänst</"
++"replaceable>"
+ 
+ #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+ #: sss_cache.8.xml:124
+ msgid "Invalidate specific service."
+-msgstr ""
++msgstr "Invalidera en viss tjänst."
+ 
+ #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+ #: sss_cache.8.xml:130
+ msgid "<option>-S</option>,<option>--services</option>"
+-msgstr ""
++msgstr "<option>-S</option>,<option>--services</option>"
+ 
+ #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+ #: sss_cache.8.xml:134
+@@ -13661,6 +15297,8 @@ msgid ""
+ "Invalidate all service records. This option overrides invalidation of "
+ "specific service if it was also set."
+ msgstr ""
++"Invalidera alla tjänsteposter.  Detta alternativ åsidosätter invalidering av "
++"en viss tjänst om det också angavs."
+ 
+ #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+ #: sss_cache.8.xml:141
+@@ -13668,16 +15306,18 @@ msgid ""
+ "<option>-a</option>,<option>--autofs-map</option> <replaceable>autofs-map</"
+ "replaceable>"
+ msgstr ""
++"<option>-a</option>,<option>--autofs-map</option> <replaceable>autofs-"
++"översättning</replaceable>"
+ 
+ #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+ #: sss_cache.8.xml:146
+ msgid "Invalidate specific autofs maps."
+-msgstr ""
++msgstr "Invalidera specifika autofs-översättningar."
+ 
+ #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+ #: sss_cache.8.xml:152
+ msgid "<option>-A</option>,<option>--autofs-maps</option>"
+-msgstr ""
++msgstr "<option>-A</option>,<option>--autofs-maps</option>"
+ 
+ #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+ #: sss_cache.8.xml:156
+@@ -13685,6 +15325,8 @@ msgid ""
+ "Invalidate all autofs maps. This option overrides invalidation of specific "
+ "map if it was also set."
+ msgstr ""
++"Invalidera alla autofs-översättningar.  Detta alternativ åsidosätter "
++"invalidering av en viss översättning om det också angavs."
+ 
+ #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+ #: sss_cache.8.xml:163
+@@ -13692,16 +15334,18 @@ msgid ""
+ "<option>-h</option>,<option>--ssh-host</option> <replaceable>hostname</"
+ "replaceable>"
+ msgstr ""
++"<option>-h</option>,<option>--ssh-host</option> <replaceable>värdnamn</"
++"replaceable>"
+ 
+ #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+ #: sss_cache.8.xml:168
+ msgid "Invalidate SSH public keys of a specific host."
+-msgstr ""
++msgstr "Invalidera publika SSH-nycklar för en viss värd."
+ 
+ #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+ #: sss_cache.8.xml:174
+ msgid "<option>-H</option>,<option>--ssh-hosts</option>"
+-msgstr ""
++msgstr "<option>-H</option>,<option>--ssh-hosts</option>"
+ 
+ #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+ #: sss_cache.8.xml:178
+@@ -13709,6 +15353,8 @@ msgid ""
+ "Invalidate SSH public keys of all hosts. This option overrides invalidation "
+ "of SSH public keys of specific host if it was also set."
+ msgstr ""
++"Invalidera publika SSH-nycklar för alla värdar.  Detta alternativ "
++"åsidosätter invalidering av SSH-nycklar för en viss värd om det också angavs."
+ 
+ #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+ #: sss_cache.8.xml:186
+@@ -13716,16 +15362,18 @@ msgid ""
+ "<option>-r</option>,<option>--sudo-rule</option> <replaceable>rule</"
+ "replaceable>"
+ msgstr ""
++"<option>-r</option>,<option>--sudo-rule</option> <replaceable>regel</"
++"replaceable>"
+ 
+ #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+ #: sss_cache.8.xml:191
+ msgid "Invalidate particular sudo rule."
+-msgstr ""
++msgstr "Invalidera en viss sudo-regel."
+ 
+ #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+ #: sss_cache.8.xml:197
+ msgid "<option>-R</option>,<option>--sudo-rules</option>"
+-msgstr ""
++msgstr "<option>-R</option>,<option>--sudo-rules</option>"
+ 
+ #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+ #: sss_cache.8.xml:201
+@@ -13733,6 +15381,8 @@ msgid ""
+ "Invalidate all cached sudo rules. This option overrides invalidation of "
+ "specific sudo rule if it was also set."
+ msgstr ""
++"Invalidera alla cachade sudo-regler.  Detta alternativ åsidosätter "
++"invalidering av en viss sudo-regel om det också angavs."
+ 
+ #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+ #: sss_cache.8.xml:209
+@@ -13740,21 +15390,23 @@ msgid ""
+ "<option>-d</option>,<option>--domain</option> <replaceable>domain</"
+ "replaceable>"
+ msgstr ""
++"<option>-d</option>,<option>--domain</option> <replaceable>domän</"
++"replaceable>"
+ 
+ #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+ #: sss_cache.8.xml:214
+ msgid "Restrict invalidation process only to a particular domain."
+-msgstr ""
++msgstr "Begränsa invalideringsprocessen till endast en viss domän."
+ 
+ #. type: Content of: <reference><refentry><refnamediv><refname>
+ #: sss_debuglevel.8.xml:10 sss_debuglevel.8.xml:15
+ msgid "sss_debuglevel"
+-msgstr ""
++msgstr "sss_debuglevel"
+ 
+ #. type: Content of: <reference><refentry><refnamediv><refpurpose>
+ #: sss_debuglevel.8.xml:16
+ msgid "[DEPRECATED] change debug level while SSSD is running"
+-msgstr ""
++msgstr "[föråldrad] ändra felsökningsnivå medan SSSD kör"
+ 
+ #. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis>
+ #: sss_debuglevel.8.xml:21
+@@ -13763,6 +15415,9 @@ msgid ""
+ "replaceable> </arg> <arg choice='plain'><replaceable>NEW_DEBUG_LEVEL</"
+ "replaceable></arg>"
+ msgstr ""
++"<command>sss_debuglevel</command> <arg choice='opt'> <replaceable>flaggor</"
++"replaceable> </arg> <arg choice='plain'><replaceable>NY_FELSÖKNINGSNIVÅ</"
++"replaceable></arg>"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+ #: sss_debuglevel.8.xml:32
+@@ -13771,16 +15426,19 @@ msgid ""
+ "debug-level command. Please refer to the <command>sssctl</command> man page "
+ "for more information on sssctl usage."
+ msgstr ""
++"<command>sss_debuglevel</command> är föråldrat och ersatt av kommandot "
++"sssctl debug-level.  Se manualsidan <command>sssctl</command> för mer "
++"information om användning av sssctl."
+ 
+ #. type: Content of: <reference><refentry><refnamediv><refname>
+ #: sss_seed.8.xml:10 sss_seed.8.xml:15
+ msgid "sss_seed"
+-msgstr ""
++msgstr "sss_seed"
+ 
+ #. type: Content of: <reference><refentry><refnamediv><refpurpose>
+ #: sss_seed.8.xml:16
+ msgid "seed the SSSD cache with a user"
+-msgstr ""
++msgstr "initiera SSSD-cachen med en användare"
+ 
+ #. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis>
+ #: sss_seed.8.xml:21
+@@ -13790,6 +15448,9 @@ msgid ""
+ "replaceable></arg> <arg choice='plain'>-n <replaceable>USER</replaceable></"
+ "arg>"
+ msgstr ""
++"<command>sss_seed</command> <arg choice='opt'> <replaceable>flaggor</"
++"replaceable> </arg> <arg choice='plain'>-D <replaceable>DOMÄN</replaceable></"
++"arg> <arg choice='plain'>-n <replaceable>ANVÄNDARE</replaceable></arg>"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+ #: sss_seed.8.xml:33
+@@ -13798,6 +15459,9 @@ msgid ""
+ "temporary password. If a user entry is already present in the SSSD cache "
+ "then the entry is updated with the temporary password."
+ msgstr ""
++"<command>sss_seed</command> initierar SSSD-cachen med en användarpost och "
++"tillfälligt lösenord.  Om en användarpost redan finns i SSSD-cachen "
++"uppdateras den posten med det tillfälliga lösenordet."
+ 
+ #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+ #: sss_seed.8.xml:46
+@@ -13805,6 +15469,8 @@ msgid ""
+ "<option>-D</option>,<option>--domain</option> <replaceable>DOMAIN</"
+ "replaceable>"
+ msgstr ""
++"<option>-D</option>,<option>--domain</option> <replaceable>DOMÄN</"
++"replaceable>"
+ 
+ #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+ #: sss_seed.8.xml:51
+@@ -13815,6 +15481,10 @@ msgid ""
+ "Information retrieved from the domain overrides what is provided in the "
+ "options."
+ msgstr ""
++"Ange namnet på domänen i vilken användaren är en medlem.  Domänen används "
++"också för att hämta användarinformation.  Tomänen måste vara konfigurerad i "
++"sssd.conf.  Alternativet <replaceable>DOMÄN</replaceable> måste anges.  "
++"Information som hämtas från domänen åsidosätter vad som anges i flaggorna."
+ 
+ #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+ #: sss_seed.8.xml:63
+@@ -13822,6 +15492,8 @@ msgid ""
+ "<option>-n</option>,<option>--username</option> <replaceable>USER</"
+ "replaceable>"
+ msgstr ""
++"<option>-n</option>,<option>--username</option> <replaceable>ANVÄNDARE</"
++"replaceable>"
+ 
+ #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+ #: sss_seed.8.xml:68
+@@ -13829,27 +15501,29 @@ msgid ""
+ "The username of the entry to be created or modified in the cache. The "
+ "<replaceable>USER</replaceable> option must be provided."
+ msgstr ""
++"Användarnamnet på posten som skall skapas eller ändras i cachen.  Flaggan "
++"<replaceable>ANVÄNDARE</replaceable> måste anges."
+ 
+ #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+ #: sss_seed.8.xml:81
+ msgid "Set the UID of the user to <replaceable>UID</replaceable>."
+-msgstr ""
++msgstr "Sätt användarens AID till  <replaceable>AID</replaceable>."
+ 
+ #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+ #: sss_seed.8.xml:93
+ msgid "Set the GID of the user to <replaceable>GID</replaceable>."
+-msgstr ""
++msgstr "Sätt användarens GID till  <replaceable>GID</replaceable>."
+ 
+ #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+ #: sss_seed.8.xml:117
+ msgid ""
+ "Set the home directory of the user to <replaceable>HOME_DIR</replaceable>."
+-msgstr ""
++msgstr "Sätt användarens hemkatalog till <replaceable>HEMKAT</replaceable>."
+ 
+ #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+ #: sss_seed.8.xml:129
+ msgid "Set the login shell of the user to <replaceable>SHELL</replaceable>."
+-msgstr ""
++msgstr "Sätt användarens inloggningsskal till <replaceable>SKAL</replaceable>."
+ 
+ #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+ #: sss_seed.8.xml:140
+@@ -13857,6 +15531,9 @@ msgid ""
+ "Interactive mode for entering user information. This option will only prompt "
+ "for information not provided in the options or retrieved from the domain."
+ msgstr ""
++"Interaktivt läge för att ange användarinformation.  Detta alternativ kommer "
++"bara att fråga efter information som inte angävs med flaggor eller hämtades "
++"från domänen."
+ 
+ #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+ #: sss_seed.8.xml:148
+@@ -13864,6 +15541,8 @@ msgid ""
+ "<option>-p</option>,<option>--password-file</option> <replaceable>PASS_FILE</"
+ "replaceable>"
+ msgstr ""
++"<option>-p</option>,<option>--password-file</option> <replaceable>LÖSENFIL</"
++"replaceable>"
+ 
+ #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+ #: sss_seed.8.xml:153
+@@ -13871,6 +15550,8 @@ msgid ""
+ "Specify file to read user's password from. (if not specified password is "
+ "prompted for)"
+ msgstr ""
++"Ange filen att läsa användarnas lösenord ifrån.  (om inte angivet "
++"efterfrågas lösenord)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+ #: sss_seed.8.xml:165
+@@ -13879,16 +15560,19 @@ msgid ""
+ "password-file option) must be less than or equal to PASS_MAX bytes (64 bytes "
+ "on systems with no globally-defined PASS_MAX value)."
+ msgstr ""
++"Längden på lösenordet (eller storleken på filen som anges med flaggan -p "
++"eller --password-file) måste vara mindre eller lika med  PASS_MAX byte (64 "
++"byte på system utan något globalt definierat PASS_MAX-värde)."
+ 
+ #. type: Content of: <reference><refentry><refnamediv><refname>
+ #: sssd-ifp.5.xml:10 sssd-ifp.5.xml:16
+ msgid "sssd-ifp"
+-msgstr ""
++msgstr "sssd-ifp"
+ 
+ #. type: Content of: <reference><refentry><refnamediv><refpurpose>
+ #: sssd-ifp.5.xml:17
+ msgid "SSSD InfoPipe responder"
+-msgstr ""
++msgstr "SSSD InfoPipe-respondent"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+ #: sssd-ifp.5.xml:23
+@@ -13899,6 +15583,11 @@ msgid ""
+ "FORMAT</quote> section of the <citerefentry> <refentrytitle>sssd.conf</"
+ "refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page."
+ msgstr ""
++"Denna manualsida besriver konfigurationen av InfoPipe-respondenten till "
++"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> "
++"</citerefentry>.  För en detaljerad referens om syntaxen, se avsnittet "
++"<quote>FILFORMAT</quote> i manualsidan <citerefentry> <refentrytitle>sssd."
++"conf</refentrytitle> <manvolnum>5</manvolnum> </citerefentry>."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+ #: sssd-ifp.5.xml:36
+@@ -13907,11 +15596,15 @@ msgid ""
+ "system bus. The interface allows the user to query information about remote "
+ "users and groups over the system bus."
+ msgstr ""
++"InfoPipe-respondenten tillhandahåller ett publikt D-Bus-gränssnitt åtkomligt "
++"över systembussen.  Gränssnittet låter användaren att fråga efter "
++"information om fjärranvändare och -grupper över systembussen."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+ #: sssd-ifp.5.xml:46
+ msgid "These options can be used to configure the InfoPipe responder."
+ msgstr ""
++"Dessa alternativ kan användas för att konfigurera InfoPipe-respondenten."
+ 
+ #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+ #: sssd-ifp.5.xml:53
+@@ -13920,12 +15613,16 @@ msgid ""
+ "allowed to access the InfoPipe responder. User names are resolved to UIDs at "
+ "startup."
+ msgstr ""
++"Anger den kommaseparerade listan av UID-värden eller användarnamn som "
++"tillåts använda InfoPipe-respondenten.  Användarnamn slås upp till UID:er "
++"vid uppstart."
+ 
+ #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+ #: sssd-ifp.5.xml:59
+ msgid ""
+ "Default: 0 (only the root user is allowed to access the InfoPipe responder)"
+ msgstr ""
++"Standard: 0 (endast root-användaren tillåts komma åt InfoPipe-respondenten)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+ #: sssd-ifp.5.xml:63
+@@ -13935,66 +15632,71 @@ msgid ""
+ "access the InfoPipe responder, which would be the typical case, you have to "
+ "add 0 to the list of allowed UIDs as well."
+ msgstr ""
++"Observera att även om UID 0 används som standard kommer det att skrivas över "
++"av detta alternativ.  Om du fortfarande vill tillåta root-användaren att "
++"komma åt InfoPipe-respondenten, vilket man typiskt vill, måste du lägga till "
++"även 0 i listan av tillåtna UID:er."
+ 
+ #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+ #: sssd-ifp.5.xml:77
+ msgid "Specifies the comma-separated list of white or blacklisted attributes."
+ msgstr ""
++"Anger den kommaseparerade listan över vit- eller svartlistade attribut."
+ 
+ #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+ #: sssd-ifp.5.xml:91
+ msgid "name"
+-msgstr ""
++msgstr "name"
+ 
+ #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ifp.5.xml:92
+ msgid "user's login name"
+-msgstr ""
++msgstr "användarens inloggningsnamn"
+ 
+ #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+ #: sssd-ifp.5.xml:95
+ msgid "uidNumber"
+-msgstr ""
++msgstr "uidNumber"
+ 
+ #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ifp.5.xml:96
+ msgid "user ID"
+-msgstr ""
++msgstr "användar-ID"
+ 
+ #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+ #: sssd-ifp.5.xml:99
+ msgid "gidNumber"
+-msgstr ""
++msgstr "gidNumber"
+ 
+ #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ifp.5.xml:100
+ msgid "primary group ID"
+-msgstr ""
++msgstr "primär grupps ID"
+ 
+ #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+ #: sssd-ifp.5.xml:103
+ msgid "gecos"
+-msgstr ""
++msgstr "gecos"
+ 
+ #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ifp.5.xml:104
+ msgid "user information, typically full name"
+-msgstr ""
++msgstr "användarinformation, normalt fullständigt namn"
+ 
+ #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+ #: sssd-ifp.5.xml:107
+ msgid "homeDirectory"
+-msgstr ""
++msgstr "homeDirectory"
+ 
+ #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+ #: sssd-ifp.5.xml:111
+ msgid "loginShell"
+-msgstr ""
++msgstr "loginShell"
+ 
+ #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ifp.5.xml:112
+ msgid "user shell"
+-msgstr ""
++msgstr "användarens skal"
+ 
+ #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+ #: sssd-ifp.5.xml:81
+@@ -14005,6 +15707,11 @@ msgid ""
+ "manvolnum> </citerefentry> and includes: <placeholder type=\"variablelist\" "
+ "id=\"0\"/>"
+ msgstr ""
++"Som standard tillåter bara InfoPipe-respondenten att standarduppsättningen "
++"av POSIX-attribut begärs.  Denna uppsättning är densamma som returneras av "
++"<citerefentry> <refentrytitle>getpwnam</refentrytitle> <manvolnum>3</"
++"manvolnum> </citerefentry> och inkluderar: <placeholder type=\"variablelist"
++"\" id=\"0\"/>"
+ 
+ #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting>
+ #: sssd-ifp.5.xml:125
+@@ -14013,6 +15720,8 @@ msgid ""
+ "user_attributes = +telephoneNumber, -loginShell\n"
+ "                        "
+ msgstr ""
++"user_attributes = +telephoneNumber, -loginShell\n"
++"                        "
+ 
+ #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+ #: sssd-ifp.5.xml:117
+@@ -14023,11 +15732,19 @@ msgid ""
+ "deny <quote>loginShell</quote>, you would use the following configuration: "
+ "<placeholder type=\"programlisting\" id=\"0\"/>"
+ msgstr ""
++"Det är möjligt att lägga till ett annat attribut till denna uppsättning "
++"genom att använda <quote>+attrnamn</quote> eller uttryckligen ta bort ett "
++"attribut genom att använda <quote>-attrnamn</quote>.  Till exempel, för att "
++"tillåta <quote>telephoneNumber</quote> men neka <quote>loginShell</quote> "
++"skulle man använda följande konfiguration: <placeholder type=\"programlisting"
++"\" id=\"0\"/>"
+ 
+ #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+ #: sssd-ifp.5.xml:129
+ msgid "Default: not set. Only the default set of POSIX attributes is allowed."
+ msgstr ""
++"Standard: inte satt.  Endast standaruppsättningen av POSIX-attribut är "
++"tillåtna."
+ 
+ #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+ #: sssd-ifp.5.xml:139
+@@ -14035,11 +15752,13 @@ msgid ""
+ "Specifies an upper limit on the number of entries that are downloaded during "
+ "a wildcard lookup that overrides caller-supplied limit."
+ msgstr ""
++"Anger en övre gräns på antalet poster som hämtas under en uppslagning med "
++"jokertecken som åsidosätter gränsen anroparen tillhandahåller."
+ 
+ #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+ #: sssd-ifp.5.xml:144
+ msgid "Default: 0 (let the caller set an upper limit)"
+-msgstr ""
++msgstr "Standard: 0 (låt anroparen sätta en övre gräns)"
+ 
+ #. type: Content of: <reference><refentry><refentryinfo>
+ #: sss_rpcidmapd.5.xml:8
+@@ -14583,12 +16302,6 @@ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+ #: sssd-files.5.xml:59
+-#, fuzzy
+-#| msgid ""
+-#| "This section lists the available tunables. Please refer to their "
+-#| "description in the <citerefentry> <refentrytitle>sssd.conf</"
+-#| "refentrytitle><manvolnum>5</manvolnum> </citerefentry>, manual page.  "
+-#| "<placeholder type=\"variablelist\" id=\"0\"/>"
+ msgid ""
+ "In addition to the options listed below, generic SSSD domain options can be "
+ "set where applicable.  Refer to the section <quote>DOMAIN SECTIONS</quote> "
+@@ -14596,10 +16309,6 @@ msgid ""
+ "manvolnum> </citerefentry> manual page for details on the configuration of "
+ "an SSSD domain.  <placeholder type=\"variablelist\" id=\"0\"/>"
+ msgstr ""
+-"Detta avsnitt listar tillgängliga trimningsvariabler.  Se deras beskrivning "
+-"i manualsidan <citerefentry> <refentrytitle>sssd.conf</"
+-"refentrytitle><manvolnum>5</manvolnum> </citerefentry>.  <placeholder type="
+-"\"variablelist\" id=\"0\"/>"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+ #: sssd-files.5.xml:105
+@@ -17281,26 +18990,3 @@ msgstr ""
+ #: include/ipa_modified_defaults.xml:118
+ msgid "ldap_group_external_member = ipaExternalMember"
+ msgstr ""
+-
+-#~ msgid ""
+-#~ "The background refresh will process users, groups and netgroups in the "
+-#~ "cache."
+-#~ msgstr ""
+-#~ "Bakgrundsuppdateringen kommer bearbeta användare, grupper och nätgrupper "
+-#~ "i cachen."
+-
+-#~ msgid ""
+-#~ "For POSIX subdomains, setting the option in the main domain is inherited "
+-#~ "in the subdomain."
+-#~ msgstr ""
+-#~ "För POSIX-underdomäner ärvs detta värde till underdomäner om det sätts i "
+-#~ "huvuddomänen."
+-
+-#~ msgid ""
+-#~ "For ID-mapping subdomains, auto_private_groups is already enabled for the "
+-#~ "subdomains and setting it to false will not have any effect for the "
+-#~ "subdomain."
+-#~ msgstr ""
+-#~ "För ID-mappning av underdomäner är auto_private_groups redan aktiverat "
+-#~ "för underdomänerna och att sätta det till falskt kommer inte ha någon "
+-#~ "effekt för underdomänen."
+diff --git a/src/man/po/tg.po b/src/man/po/tg.po
+index 7bee3e513..78268fbdc 100644
+--- a/src/man/po/tg.po
++++ b/src/man/po/tg.po
+@@ -5,9 +5,9 @@
+ # Translators:
+ msgid ""
+ msgstr ""
+-"Project-Id-Version: sssd-docs 2.0.99\n"
++"Project-Id-Version: sssd-docs 1.16.4\n"
+ "Report-Msgid-Bugs-To: sssd-devel@redhat.com\n"
+-"POT-Creation-Date: 2019-10-07 11:33+0200\n"
++"POT-Creation-Date: 2019-11-07 14:51+0100\n"
+ "PO-Revision-Date: 2014-12-15 12:10+0000\n"
+ "Last-Translator: Copied by Zanata <copied-by-zanata@zanata.org>\n"
+ "Language-Team: Tajik (http://www.transifex.com/projects/p/sssd/language/"
+@@ -3988,10 +3988,8 @@ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+ #: sssd.conf.5.xml:3404
+-#, fuzzy
+-#| msgid "password"
+ msgid "password_prompt"
+-msgstr "парол"
++msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:3405
+@@ -4397,10 +4395,8 @@ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:241
+-#, fuzzy
+-#| msgid "Default: 3"
+ msgid "Default: exop"
+-msgstr "Пешфарз: 3"
++msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd-ldap.5.xml:247
+@@ -10007,10 +10003,8 @@ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ad.5.xml:435
+-#, fuzzy
+-#| msgid "Default: false"
+ msgid "Default: False (seconds)"
+-msgstr "Пешфарз: false"
++msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd-ad.5.xml:441
+@@ -12043,10 +12037,8 @@ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-krb5.5.xml:533
+-#, fuzzy
+-#| msgid "Default: 3"
+ msgid "Default: 3:1"
+-msgstr "Пешфарз: 3"
++msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd-krb5.5.xml:539
+diff --git a/src/man/po/uk.po b/src/man/po/uk.po
+index d6f6d2caa..2aa708618 100644
+--- a/src/man/po/uk.po
++++ b/src/man/po/uk.po
+@@ -12,11 +12,11 @@
+ # Yuri Chornoivan <yurchor@ukr.net>, 2019. #zanata
+ msgid ""
+ msgstr ""
+-"Project-Id-Version: sssd-docs 2.0.99\n"
++"Project-Id-Version: sssd-docs 1.16.4\n"
+ "Report-Msgid-Bugs-To: sssd-devel@redhat.com\n"
+-"POT-Creation-Date: 2019-10-07 11:33+0200\n"
+-"PO-Revision-Date: 2019-03-05 05:43+0000\n"
+-"Last-Translator: Copied by Zanata <copied-by-zanata@zanata.org>\n"
++"POT-Creation-Date: 2019-11-07 14:51+0100\n"
++"PO-Revision-Date: 2019-10-07 02:21+0000\n"
++"Last-Translator: Yuri Chornoivan <yurchor@ukr.net>\n"
+ "Language-Team: Ukrainian (http://www.transifex.com/projects/p/sssd/language/"
+ "uk/)\n"
+ "Language: uk\n"
+@@ -887,14 +887,10 @@ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:482
+-#, fuzzy
+-#| msgid ""
+-#| "(NSS Version) This option must be used together with "
+-#| "ocsp_default_responder_signing_cert."
+ msgid ""
+ "This option must be used together with ocsp_default_responder_signing_cert."
+ msgstr ""
+-"(Версія з NSS) Цей параметр слід використовувати разом із параметром "
++"Цей параметр слід використовувати разом із параметром "
+ "ocsp_default_responder_signing_cert."
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+@@ -904,19 +900,14 @@ msgstr "ocsp_default_responder_signing_cert=НАЗВА"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:492
+-#, fuzzy
+-#| msgid ""
+-#| "(NSS Version) The nickname of the cert to trust (expected) to sign the "
+-#| "OCSP responses.  The certificate with the given nickname must be "
+-#| "available in the systems NSS database."
+ msgid ""
+ "The nickname of the cert to trust (expected) to sign the OCSP responses.  "
+ "The certificate with the given nickname must be available in the systems NSS "
+ "database."
+ msgstr ""
+-"(Версія з NSS) Альтернативна назва сертифіката, якому слід довіряти "
+-"(очікувано) для підписування відповідей OCSP. Сертифікат із вказаною "
+-"альтернативною назвою має зберігатися у базі даних NSS системи."
++"Альтернативна назва сертифіката, якому слід довіряти (очікувано) для "
++"підписування відповідей OCSP. Сертифікат із вказаною альтернативною назвою "
++"має зберігатися у базі даних NSS системи."
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:497
+@@ -1371,12 +1362,6 @@ msgstr "filter_users, filter_groups (рядок)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:812
+-#, fuzzy
+-#| msgid ""
+-#| "Exclude certain users or groups from being fetched from the sss NSS "
+-#| "database. This is particularly useful for system accounts. This option "
+-#| "can also be set per-domain or include fully-qualified names to filter "
+-#| "only users from the particular domain."
+ msgid ""
+ "Exclude certain users or groups from being fetched from the sss NSS "
+ "database. This is particularly useful for system accounts. This option can "
+@@ -1387,7 +1372,8 @@ msgstr ""
+ "даних NSS sss. Таке виключення може бути корисним для облікових записів "
+ "керування системою. Цей параметр також можна встановлювати для кожного з "
+ "доменів окремо або включити до нього імена користувачів повністю для "
+-"обмеження списку користувачами лише з певного домену."
++"обмеження списку користувачами лише з певного домену або за назвою "
++"реєстраційного запису користувача (UPN)."
+ 
+ #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:820
+@@ -3142,15 +3128,16 @@ msgid ""
+ "user, typically ran at login)  operation in the past, both the user entry "
+ "and the group membership are updated."
+ msgstr ""
++"Під час фонового оновлення виконуватиметься обробка записів користувачів, "
++"груп та мережевих груп у кеші. для записів користувачів, для яких "
++"виконувалися дії з ініціювання груп (отримання даних щодо участі користувача "
++"у групах, які типово виконуються під час входу до системи), буде оновлено і "
++"запис користувача, і дані щодо участі у групах."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:2091
+-#, fuzzy
+-#| msgid ""
+-#| "This option specifies the maximum allowed number of nested containers."
+ msgid "This option is automatically inherited for all trusted domains."
+-msgstr ""
+-"Цей параметр визначає максимальну дозволену кількість вкладених контейнерів."
++msgstr "Цей параметр автоматично успадковується для усіх довірених доменів."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:2095
+@@ -4162,21 +4149,14 @@ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:2848
+-#, fuzzy
+-#| msgid ""
+-#| "Treat user and group names as case sensitive.  <phrase condition="
+-#| "\"enable_local_provider\"> At the moment, this option is not supported in "
+-#| "the local provider.  </phrase> Possible option values are: <placeholder "
+-#| "type=\"variablelist\" id=\"0\"/>"
+ msgid ""
+ "Treat user and group names as case sensitive. At the moment, this option is "
+ "not supported in the local provider. Possible option values are: "
+ "<placeholder type=\"variablelist\" id=\"0\"/>"
+ msgstr ""
+-"Враховувати регістр записів імен користувачів та назв груп. <phrase "
+-"condition=\"enable_local_provider\"> У поточній версії підтримку передбачено "
+-"лише для локальних надавачів даних. </phrase> Можливі значення параметра: "
+-"<placeholder type=\"variablelist\" id=\"0\"/>"
++"Враховувати регістр записів імен користувачів та назв груп. У поточній "
++"версії підтримку передбачено лише для локальних надавачів даних. Можливі "
++"значення параметра: <placeholder type=\"variablelist\" id=\"0\"/>"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:2883
+@@ -4313,11 +4293,6 @@ msgstr "cached_auth_timeout (ціле число)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:2968
+-#, fuzzy
+-#| msgid ""
+-#| "Specifies time in seconds since last successful online authentication for "
+-#| "which user will be authenticated using cached credentials while SSSD is "
+-#| "in the online mode."
+ msgid ""
+ "Specifies time in seconds since last successful online authentication for "
+ "which user will be authenticated using cached credentials while SSSD is in "
+@@ -4326,7 +4301,9 @@ msgid ""
+ msgstr ""
+ "Визначає час у секундах з моменту останнього успішного розпізнавання у "
+ "мережі, для якого користувача буде розпізнано за допомогою кешованих "
+-"реєстраційних даних, доки SSSD перебуває у режимі «у мережі»."
++"реєстраційних даних, доки SSSD перебуває у режимі «у мережі». Якщо "
++"реєстраційні дані є помилковими, SSSD повертається до інтерактивного "
++"розпізнавання."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:2976
+@@ -4334,6 +4311,9 @@ msgid ""
+ "This option's value is inherited by all trusted domains. At the moment it is "
+ "not possible to set a different value per trusted domain."
+ msgstr ""
++"Значення цього параметра успадковується усіма довіреними доменами. У "
++"поточній версії не передбачено можливості встановлювати окремі різні "
++"значення для різних довірених доменів."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:2981
+@@ -4359,21 +4339,16 @@ msgstr "auto_private_groups (рядок)"
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+ #: sssd.conf.5.xml:3002
+ msgid "true"
+-msgstr ""
++msgstr "true"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:3005
+-#, fuzzy
+-#| msgid ""
+-#| "If this option is enabled, SSSD will automatically create user private "
+-#| "groups based on user's UID number. The GID number is ignored in this case."
+ msgid ""
+ "Create user's private group unconditionally from user's UID number.  The GID "
+ "number is ignored in this case."
+ msgstr ""
+-"Якщо увімкнено цей параметр, SSSD автоматично створюватиме приватні групи "
+-"користувачів на основі номера UID користувача. Номер GID у цьому випадку "
+-"ігноруватиметься."
++"Безумовно створює приватну групу користувача на основі номера UID "
++"користувача. У цьому випадку номер GID буде проігноровано."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:3009
+@@ -4390,10 +4365,8 @@ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+ #: sssd.conf.5.xml:3018
+-#, fuzzy
+-#| msgid "False"
+ msgid "false"
+-msgstr "False"
++msgstr "false"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:3021
+@@ -4401,11 +4374,13 @@ msgid ""
+ "Always use the user's primary GID number. The GID number must refer to a "
+ "group object in the LDAP database."
+ msgstr ""
++"Завжди використовувати номер основної GID користувача. Номер GID має "
++"вказувати на об'єкт групи у базі даних LDAP."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+ #: sssd.conf.5.xml:3027
+ msgid "hybrid"
+-msgstr ""
++msgstr "hybrid"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:3030
+@@ -4416,6 +4391,11 @@ msgid ""
+ "GID in the user entry is also used by a group object, the primary GID of the "
+ "user resolves to that group object."
+ msgstr ""
++"Основна група створюється автоматично для записів користувача, значення UID "
++"і GID яких збігаються і, одночасно, номер GID не відповідає справжньому "
++"об'єкту групи у LDAP. Якщо значення є однаковими, але основне значення GID у "
++"записі користувача також використовується як об'єкт групи, основний GID "
++"цього користувача визначатиме цей об'єкт групи."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:3043
+@@ -4423,6 +4403,8 @@ msgid ""
+ "If the UID and GID of a user are different, then the GID must correspond to "
+ "a group entry, otherwise the GID is simply not resolvable."
+ msgstr ""
++"Якщо UID і GID користувача є різними, значення GID має відповідати запису "
++"групи, інакше надійне визначення GID буде просто неможливим."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:3050
+@@ -4431,16 +4413,18 @@ msgid ""
+ "separate group objects for the user private groups, but also wish to retain "
+ "the existing user private groups."
+ msgstr ""
++"Ця можливість є корисною для середовищ, де бажаним є усування потреби у "
++"супроводі окремих об'єктів груп для користувачів у приватних групах, але зі "
++"збереженням наявних приватних груп для користувачів."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:2999
+-#, fuzzy
+-#| msgid ""
+-#| "The available options are: <placeholder type=\"variablelist\" id=\"0\"/>"
+ msgid ""
+ "This option takes any of three available values: <placeholder type="
+ "\"variablelist\" id=\"0\"/>"
+-msgstr "Доступні варіанти: <placeholder type=\"variablelist\" id=\"0\"/>"
++msgstr ""
++"Цей параметр приймає будь-яке з таких трьох доступних значень: <placeholder "
++"type=\"variablelist\" id=\"0\"/>"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:3062
+@@ -4448,6 +4432,9 @@ msgid ""
+ "For subdomains, the default value is False for subdomains that use assigned "
+ "POSIX IDs and True for subdomains that use automatic ID-mapping."
+ msgstr ""
++"Для піддоменів типовим значенням є False для тих піддоменів, які пов'язано "
++"із ідентифікаторами POSIX, і True для тих піддоменів, для яких "
++"використовується автоматична прив'язка до ідентифікаторів."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
+ #: sssd.conf.5.xml:3070
+@@ -4456,6 +4443,8 @@ msgid ""
+ "[domain/forest.domain/sub.domain]\n"
+ "auto_private_groups = false\n"
+ msgstr ""
++"[domain/forest.domain/sub.domain]\n"
++"auto_private_groups = false\n"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
+ #: sssd.conf.5.xml:3076
+@@ -4465,6 +4454,9 @@ msgid ""
+ "subdomain_inherit = auto_private_groups\n"
+ "auto_private_groups = false\n"
+ msgstr ""
++"[domain/forest.domain]\n"
++"subdomain_inherit = auto_private_groups\n"
++"auto_private_groups = false\n"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:3067
+@@ -4474,6 +4466,11 @@ msgid ""
+ "globally for all subdomains in the main domain section using the "
+ "subdomain_inherit option: <placeholder type=\"programlisting\" id=\"1\"/>"
+ msgstr ""
++"Значення параметра auto_private_groups може встановлюватися або на рівні "
++"окремих піддоменів у підрозділі, приклад: <placeholder type=\"programlisting"
++"\" id=\"0\"/> або на загальному рівні для усіх піддоменів у основному "
++"розділі домену за допомогою параметра subdomain_inherit: <placeholder type="
++"\"programlisting\" id=\"1\"/>"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+ #: sssd.conf.5.xml:1802
+@@ -4903,10 +4900,8 @@ msgstr "ldap_service_search_base,"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+ #: sssd.conf.5.xml:3367
+-#, fuzzy
+-#| msgid "ldap_sasl_mech (string)"
+ msgid "ldap_sasl_mech,"
+-msgstr "ldap_sasl_mech (рядок)"
++msgstr "ldap_sasl_mech,"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+ #: sssd.conf.5.xml:3368
+@@ -4939,10 +4934,8 @@ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><title>
+ #: sssd.conf.5.xml:3379
+-#, fuzzy
+-#| msgid "CONFIGURATION OPTIONS"
+ msgid "PROMPTING CONFIGURATION SECTION"
+-msgstr "ПАРАМЕТРИ НАЛАШТУВАННЯ"
++msgstr "РОЗДІЛ НАЛАШТОВУВАННЯ ЗАПИТІВ"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+ #: sssd.conf.5.xml:3381
+@@ -4953,6 +4946,12 @@ msgid ""
+ "Based on the results pam_sss will prompt the user for appropriate "
+ "credentials."
+ msgstr ""
++"Якщо існує спеціальний файл (<filename>/var/lib/sss/pubconf/"
++"pam_preauth_available</filename>), модуль PAM SSSD pam_sss надсилатиме запит "
++"до SSSD для визначення того, які методи розпізнавання доступні для "
++"користувача, який намагається увійти до системи. На основі отриманих "
++"результатів pam_sss надсилатиме запит до користувача щодо відповідних "
++"реєстраційних даних."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+ #: sssd.conf.5.xml:3389
+@@ -4962,63 +4961,65 @@ msgid ""
+ "select the prompting might not be suitable for all use cases. To following "
+ "options should provide a better flexibility here."
+ msgstr ""
++"Зростання кількості способів розпізнавання та можливість того, що для "
++"окремого користувача передбачено декілька способів, призводить до того, що "
++"евристика, яка використовується pam_sss для вибору запиту може не "
++"спрацьовувати в усіх можливих випадках. Підвищення гнучкості системи у таких "
++"випадках мають забезпечити описані нижче параметри."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd.conf.5.xml:3401
+ msgid "[prompting/password]"
+-msgstr ""
++msgstr "[prompting/password]"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+ #: sssd.conf.5.xml:3404
+-#, fuzzy
+-#| msgid "password"
+ msgid "password_prompt"
+-msgstr "password"
++msgstr "password_prompt"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:3405
+ msgid "to change the string of the password prompt"
+-msgstr ""
++msgstr "для зміни рядка запиту пароля"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:3403
+-#, fuzzy
+-#| msgid ""
+-#| "The available options are: <placeholder type=\"variablelist\" id=\"0\"/>"
+ msgid ""
+ "to configure password prompting, allowed options are: <placeholder type="
+ "\"variablelist\" id=\"0\"/>"
+-msgstr "Доступні варіанти: <placeholder type=\"variablelist\" id=\"0\"/>"
++msgstr ""
++"для налаштовування запиту щодо пароля; дозволені параметри: <placeholder "
++"type=\"variablelist\" id=\"0\"/>"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd.conf.5.xml:3413
+ msgid "[prompting/2fa]"
+-msgstr ""
++msgstr "[prompting/2fa]"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+ #: sssd.conf.5.xml:3417
+ msgid "first_prompt"
+-msgstr ""
++msgstr "first_prompt"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:3418
+ msgid "to change the string of the prompt for the first factor"
+-msgstr ""
++msgstr "для зміни рядка запиту для першого фактора"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+ #: sssd.conf.5.xml:3421
+ msgid "second_prompt"
+-msgstr ""
++msgstr "second_prompt"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:3422
+ msgid "to change the string of the prompt for the second factor"
+-msgstr ""
++msgstr "для зміни рядка запиту для другого фактора"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+ #: sssd.conf.5.xml:3425
+ msgid "single_prompt"
+-msgstr ""
++msgstr "single_prompt"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:3426
+@@ -5027,34 +5028,30 @@ msgid ""
+ "first_prompt where it is expected that both factor are entered as a single "
+ "string"
+ msgstr ""
++"булеве значення. Якщо True, буде виконано лише один запит із використанням "
++"значення first_prompt. Припускатиметься, що обидва фактори введено як один "
++"рядок."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd.conf.5.xml:3415
+-#, fuzzy
+-#| msgid ""
+-#| "The available options are: <placeholder type=\"variablelist\" id=\"0\"/>"
+ msgid ""
+ "to configure two-factor authentication prompting, allowed options are: "
+ "<placeholder type=\"variablelist\" id=\"0\"/>"
+-msgstr "Доступні варіанти: <placeholder type=\"variablelist\" id=\"0\"/>"
++msgstr ""
++"для налаштовування запиту щодо двофакторного розпізнавання; дозволені "
++"параметри: <placeholder type=\"variablelist\" id=\"0\"/>"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+ #: sssd.conf.5.xml:3396
+-#, fuzzy
+-#| msgid ""
+-#| "These options are supported by LDAP domains, but they should be used with "
+-#| "caution. Please include them in your configuration only if you know what "
+-#| "you are doing.  <placeholder type=\"variablelist\" id=\"0\"/> "
+-#| "<placeholder type=\"variablelist\" id=\"1\"/>"
+ msgid ""
+ "Each supported authentication method has it's own configuration sub-section "
+ "under <quote>[prompting/...]</quote>. Currently there are: <placeholder type="
+ "\"variablelist\" id=\"0\"/> <placeholder type=\"variablelist\" id=\"1\"/>"
+ msgstr ""
+-"Підтримку цих параметрів передбачено доменами LDAP, але користуватися ними "
+-"слід обережно. Будь ласка, використовуйте їх у налаштуваннях, лише якщо вам "
+-"відомі наслідки ваших дій. <placeholder type=\"variablelist\" id=\"0\"/> "
+-"<placeholder type=\"variablelist\" id=\"1\"/>"
++"У кожного з підтримуваних способів розпізнавання є власний підрозділ "
++"налаштувань у <quote>[prompting/...]</quote>. У поточній версії це: "
++"<placeholder type=\"variablelist\" id=\"0\"/> <placeholder type="
++"\"variablelist\" id=\"1\"/>"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+ #: sssd.conf.5.xml:3438
+@@ -5063,6 +5060,9 @@ msgid ""
+ "<quote>[prompting/password/sshd]</quote> to individual change the prompting "
+ "for this service."
+ msgstr ""
++"Передбачено можливість додавання підрозділу для специфічних служб PAM, "
++"наприклад <quote>[prompting/password/sshd]</quote>, для окремої зміни запиту "
++"для цієї служби."
+ 
+ #. type: Content of: <reference><refentry><refsect1><title>
+ #: sssd.conf.5.xml:3445 idmap_sss.8.xml:43
+@@ -5456,32 +5456,29 @@ msgstr "Типове значення: rfc2307"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd-ldap.5.xml:209
+-#, fuzzy
+-#| msgid "ldap_group_modify_timestamp (string)"
+ msgid "ldap_pwmodify_mode (string)"
+-msgstr "ldap_group_modify_timestamp (рядок)"
++msgstr "ldap_pwmodify_mode (рядок)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:212
+ msgid "Specify the operation that is used to modify user password."
+-msgstr ""
++msgstr "Визначає дію, яку буде здійснено для зміни пароля користувача."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:216
+-#, fuzzy
+-#| msgid "Four schema types are currently supported:"
+ msgid "Two modes are currently supported:"
+-msgstr "У поточній версії передбачено підтримку чотирьох типів схем:"
++msgstr "У поточній версії передбачено два режими:"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+ #: sssd-ldap.5.xml:220
+ msgid "exop - Password Modify Extended Operation (RFC 3062)"
+-msgstr ""
++msgstr "exop — розширена дія зі зміни пароля (RFC 3062)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+ #: sssd-ldap.5.xml:226
+ msgid "ldap_modify - Direct modification of userPassword (not recommended)."
+ msgstr ""
++"ldap_modify — безпосереднє внесення змін до userPassword (не рекомендуємо)."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:233
+@@ -5491,13 +5488,16 @@ msgid ""
+ "connection is used to change the password therefore the user must have write "
+ "access to userPassword attribute."
+ msgstr ""
++"Зауваження: спочатку буде встановлено нове з'єднання для перевірки поточного "
++"пароля шляхом прив'язування до системи від імені користувача, від якого "
++"надійшов запит щодо зміни пароля. Якщо з'єднання вдасться встановити, його "
++"буде використано для зміни пароля, тому у користувача має бути доступ до "
++"запису атрибута userPassword."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:241
+-#, fuzzy
+-#| msgid "Default: gecos"
+ msgid "Default: exop"
+-msgstr "Типове значення: gecos"
++msgstr "Типове значення: exop"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd-ldap.5.xml:247
+@@ -6589,10 +6589,8 @@ msgstr "Типове значення: 2"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd-ldap.5.xml:1099
+-#, fuzzy
+-#| msgid "ldap_group_search_base"
+ msgid "ldap_groups_use_matching_rule_in_chain"
+-msgstr "ldap_group_search_base"
++msgstr "ldap_groups_use_matching_rule_in_chain"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:1102
+@@ -6601,6 +6599,10 @@ msgid ""
+ "feature which may speed up group lookup operations on deployments with "
+ "complex or deep nested groups."
+ msgstr ""
++"За допомогою цього параметра можна наказати SSSD скористатися перевагами "
++"специфічної для Active Directory можливості, яка надає змогу пришвидшити дії "
++"з пошуку груп у мережах зі складною системою груп або системою груп з "
++"високим рівнем вкладеності."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:1108
+@@ -6608,6 +6610,8 @@ msgid ""
+ "In most common cases, it is best to leave this option disabled. It generally "
+ "only provides a performance increase on very complex nestings."
+ msgstr ""
++"Здебільшого, не варто вмикати цю можливість. Пришвидшення за її допомогою "
++"можна буде спостерігати лише у дуже складних випадках вкладеності груп."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:1113 sssd-ldap.5.xml:1140
+@@ -6616,6 +6620,9 @@ msgid ""
+ "supports it during initial connection. So \"True\" here essentially means "
+ "\"auto-detect\"."
+ msgstr ""
++"Якщо увімкнено цей параметр, SSSD використовуватиме можливість, якщо під час "
++"початкового сеансу з’єднання виявить, що на сервері передбачено підтримку "
++"можливості. Отже, насправді значення «True» означає «визначити автоматично»."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:1119 sssd-ldap.5.xml:1146
+@@ -6625,11 +6632,15 @@ msgid ""
+ "windows/desktop/aa746475%28v=vs.85%29.aspx\"> MSDN(TM) documentation</ulink> "
+ "for more details."
+ msgstr ""
++"Зауваження: відомо, що у поточній версії цією можливістю можна скористатися "
++"лише для Active Directory 2008 R1 та пізніших версій. Докладніше про це "
++"можна дізнатися з <ulink url=\"http://msdn.microsoft.com/en-us/library/"
++"windows/desktop/aa746475%28v=vs.85%29.aspx\">документації MSDN(TM)</ulink>."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd-ldap.5.xml:1131
+ msgid "ldap_initgroups_use_matching_rule_in_chain"
+-msgstr ""
++msgstr "ldap_initgroups_use_matching_rule_in_chain"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:1134
+@@ -6638,6 +6649,11 @@ msgid ""
+ "feature which might speed up initgroups operations (most notably when "
+ "dealing with complex or deep nested groups)."
+ msgstr ""
++"За допомогою цього параметра можна наказати SSSD скористатися перевагами "
++"специфічної для Active Directory можливості, яка може пришвидшити дії з "
++"початковими групами (initgroups). Особливо помітним таке пришвидшення є у "
++"системах зі складною системою груп або системою груп з високим рівнем "
++"вкладеності."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:1161
+@@ -7145,6 +7161,13 @@ msgid ""
+ "the server supports it and advertises the dereference control in the rootDSE "
+ "object."
+ msgstr ""
++"Ви можете повністю вимкнути запити щодо розіменувань встановленням значення "
++"0. Будь ласка, зауважте, що у коді SSSD, зокрема засобу надання даних HBAC "
++"IPA, є інструкції, які реалізовано лише з використанням викликів щодо "
++"розіменування, тому навіть явне вимикання розіменувань не призведе до "
++"вимикання розіменувань у цих частинах коду, якщо на сервері передбачено "
++"підтримку розіменувань і оголошено про керування розіменуваннями у об'єкті "
++"rootDSE."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:1615
+@@ -7392,16 +7415,12 @@ msgstr "ldap_sasl_mech (рядок)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:1808
+-#, fuzzy
+-#| msgid ""
+-#| "Specify the SASL mechanism to use.  Currently only GSSAPI is tested and "
+-#| "supported."
+ msgid ""
+ "Specify the SASL mechanism to use.  Currently only GSSAPI and GSS-SPNEGO are "
+ "tested and supported."
+ msgstr ""
+ "Визначає механізм SASL, який слід використовувати. У поточній версії "
+-"перевірено і підтримується лише механізм GSSAPI."
++"перевірено і передбачено підтримку лише механізмів GSSAPI та GSS-SPNEGO."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:1812
+@@ -7413,6 +7432,13 @@ msgid ""
+ "<citerefentry><refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</"
+ "manvolnum></citerefentry> for details."
+ msgstr ""
++"Якщо у модулі обробки передбачено підтримку піддоменів, значення для "
++"піддоменів ldap_sasl_mech буде автоматично успадковано від домену. Якщо для "
++"якогось піддомену потрібне інше значення, його можна перезаписати "
++"встановленням ldap_sasl_mech для цього піддомену окремо. Докладніший опис "
++"можна знайти у розділі щодо довірених доменів у підручнику з "
++"<citerefentry><refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</"
++"manvolnum></citerefentry>."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd-ldap.5.xml:1828
+@@ -7441,15 +7467,6 @@ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:1831
+-#, fuzzy
+-#| msgid ""
+-#| "Specify the SASL authorization id to use.  When GSSAPI is used, this "
+-#| "represents the Kerberos principal used for authentication to the "
+-#| "directory.  This option can either contain the full principal (for "
+-#| "example host/myhost@EXAMPLE.COM) or just the principal name (for example "
+-#| "host/myhost). By default, the value is not set and the following "
+-#| "principals are used: <placeholder type=\"programlisting\" id=\"0\"/> If "
+-#| "none of them are found, the first principal in keytab is returned."
+ msgid ""
+ "Specify the SASL authorization id to use.  When GSSAPI/GSS-SPNEGO are used, "
+ "this represents the Kerberos principal used for authentication to the "
+@@ -7460,13 +7477,14 @@ msgid ""
+ "found, the first principal in keytab is returned."
+ msgstr ""
+ "Визначає ідентифікатор уповноваження SASL, яким слід скористатися. Якщо "
+-"використовується GSSAPI, цим ідентифікатором є реєстраційні дані Kerberos, "
+-"які використовуються для розпізнавання при доступі до каталогу. Цей параметр "
+-"може містити або повні реєстраційні дані (наприклад host/myhost@EXAMPLE.COM) "
+-"або просто назву реєстраційного запису (наприклад host/myhost). Типово, "
+-"значення не встановлено і використовуються такі реєстраційні записи: "
+-"<placeholder type=\"programlisting\" id=\"0\"/> Якщо жоден з них не буде "
+-"знайдено, буде повернуто перший реєстраційний запис у таблиці ключів."
++"використовується GSSAPI/GSS-SPNEGO, цим ідентифікатором є реєстраційні дані "
++"Kerberos, які використовуються для розпізнавання при доступі до каталогу. "
++"Цей параметр може містити або повні реєстраційні дані (наприклад host/"
++"myhost@EXAMPLE.COM) або просто назву реєстраційного запису (наприклад host/"
++"myhost). Типово, значення не встановлено і використовуються такі "
++"реєстраційні записи: <placeholder type=\"programlisting\" id=\"0\"/> Якщо "
++"жоден з них не буде знайдено, буде повернуто перший реєстраційний запис у "
++"таблиці ключів."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:1851
+@@ -7522,10 +7540,10 @@ msgstr "ldap_krb5_keytab (рядок)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:1889
+-#, fuzzy
+-#| msgid "Specify the keytab to use when using SASL/GSSAPI."
+ msgid "Specify the keytab to use when using SASL/GSSAPI/GSS-SPNEGO."
+-msgstr "Визначає таблицю ключів, яку слід використовувати разом з SASL/GSSAPI."
++msgstr ""
++"Визначає таблицю ключів, яку слід використовувати разом з SASL/GSSAPI/GSS-"
++"SPNEGO."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:1893
+@@ -7541,11 +7559,6 @@ msgstr "ldap_krb5_init_creds (булеве значення)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:1902
+-#, fuzzy
+-#| msgid ""
+-#| "Specifies that the id_provider should init Kerberos credentials (TGT).  "
+-#| "This action is performed only if SASL is used and the mechanism selected "
+-#| "is GSSAPI."
+ msgid ""
+ "Specifies that the id_provider should init Kerberos credentials (TGT).  This "
+ "action is performed only if SASL is used and the mechanism selected is "
+@@ -7553,7 +7566,7 @@ msgid ""
+ msgstr ""
+ "Визначає, що id_provider має ініціалізувати реєстраційні дані Kerberos "
+ "(TGT). Цю дію буде виконано, лише якщо використовується SASL і вибрано "
+-"механізм GSSAPI."
++"механізм GSSAPI або GSS-SPNEGO."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd-ldap.5.xml:1914
+@@ -7562,11 +7575,11 @@ msgstr "ldap_krb5_ticket_lifetime (ціле число)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:1917
+-#, fuzzy
+-#| msgid "Specifies the lifetime in seconds of the TGT if GSSAPI is used."
+ msgid ""
+ "Specifies the lifetime in seconds of the TGT if GSSAPI or GSS-SPNEGO is used."
+-msgstr "Визначає строк дії (у секундах) TGT, якщо використовується GSSAPI."
++msgstr ""
++"Визначає строк дії (у секундах) TGT, якщо використовується GSSAPI або GSS-"
++"SPNEGO."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:1921 sssd-ad.5.xml:978
+@@ -7627,10 +7640,9 @@ msgstr "krb5_realm (рядок)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:1959
+-#, fuzzy
+-#| msgid "Specify the Kerberos REALM (for SASL/GSSAPI auth)."
+ msgid "Specify the Kerberos REALM (for SASL/GSSAPI/GSS-SPNEGO auth)."
+-msgstr "Вказати область Kerberos (для розпізнавання за SASL/GSSAPI)."
++msgstr ""
++"Вказати область Kerberos (для розпізнавання за SASL/GSSAPI/GSS-SPNEGO)."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:1963
+@@ -9012,21 +9024,6 @@ msgstr "модуль PAM для SSSD"
+ 
+ #. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis>
+ #: pam_sss.8.xml:22
+-#, fuzzy
+-#| msgid ""
+-#| "<command>pam_sss.so</command> <arg choice='opt'> <replaceable>quiet</"
+-#| "replaceable> </arg> <arg choice='opt'> <replaceable>forward_pass</"
+-#| "replaceable> </arg> <arg choice='opt'> <replaceable>use_first_pass</"
+-#| "replaceable> </arg> <arg choice='opt'> <replaceable>use_authtok</"
+-#| "replaceable> </arg> <arg choice='opt'> <replaceable>retry=N</replaceable> "
+-#| "</arg> <arg choice='opt'> <replaceable>ignore_unknown_user</replaceable> "
+-#| "</arg> <arg choice='opt'> <replaceable>ignore_authinfo_unavail</"
+-#| "replaceable> </arg> <arg choice='opt'> <replaceable>domains=X</"
+-#| "replaceable> </arg> <arg choice='opt'> <replaceable>allow_missing_name</"
+-#| "replaceable> </arg> <arg choice='opt'> <replaceable>prompt_always</"
+-#| "replaceable> </arg> <arg choice='opt'> <replaceable>try_cert_auth</"
+-#| "replaceable> </arg> <arg choice='opt'> <replaceable>require_cert_auth</"
+-#| "replaceable> </arg>"
+ msgid ""
+ "<command>pam_sss.so</command> <arg choice='opt'> <replaceable>quiet</"
+ "replaceable> </arg> <arg choice='opt'> <replaceable>forward_pass</"
+@@ -9048,9 +9045,7 @@ msgstr ""
+ "arg> <arg choice='opt'> <replaceable>ignore_authinfo_unavail</replaceable> </"
+ "arg> <arg choice='opt'> <replaceable>domains=X</replaceable> </arg> <arg "
+ "choice='opt'> <replaceable>allow_missing_name</replaceable> </arg> <arg "
+-"choice='opt'> <replaceable>prompt_always</replaceable> </arg> <arg "
+-"choice='opt'> <replaceable>try_cert_auth</replaceable> </arg> <arg "
+-"choice='opt'> <replaceable>require_cert_auth</replaceable> </arg>"
++"choice='opt'> <replaceable>prompt_always</replaceable> </arg>"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+ #: pam_sss.8.xml:58
+@@ -9390,14 +9385,6 @@ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+ #: sssd_krb5_locator_plugin.8.xml:50
+-#, fuzzy
+-#| msgid ""
+-#| "The plugin reads the information about the KDCs of a given realm from a "
+-#| "file called <filename>kdcinfo.REALM</filename>. The file should contain "
+-#| "one or more IP addresses either in dotted-decimal IPv4 notation or the "
+-#| "hexadecimal IPv6 notation. An optional port number can be added to the "
+-#| "end separated with a colon, the IPv6 address has to be enclosed in "
+-#| "squared brackets in this case as usual. Valid entries are:"
+ msgid ""
+ "The plugin reads the information about the KDCs of a given realm from a file "
+ "called <filename>kdcinfo.REALM</filename>. The file should contain one or "
+@@ -9408,8 +9395,8 @@ msgid ""
+ msgstr ""
+ "Додаток читає дані щодо KDC вказаної області з файла із назвою "
+ "<filename>kdcinfo.REALM</filename>. Цей файл має містити одну або декілька "
+-"IP-адрес або у форматі чисел, які відокремлено крапками, IPv4, або у "
+-"шістнадцятковому форматі IPv6. Можна додати необов'язковий номер порту "
++"назв DNS або IP-адрес або у форматі чисел, які відокремлено крапками, IPv4, "
++"або у шістнадцятковому форматі IPv6. Можна додати необов'язковий номер порту "
+ "наприкінці, відокремивши його від решти запису двокрапкою. У цьому випадку, "
+ "як завжди, адресу IPv6 слід взяти у квадратні дужки. Коректними вважаються "
+ "такі записи:"
+@@ -9417,12 +9404,12 @@ msgstr ""
+ #. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para>
+ #: sssd_krb5_locator_plugin.8.xml:58
+ msgid "kdc.example.com"
+-msgstr ""
++msgstr "kdc.example.com"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para>
+ #: sssd_krb5_locator_plugin.8.xml:59
+ msgid "kdc.example.com:321"
+-msgstr ""
++msgstr "kdc.example.com:321"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para>
+ #: sssd_krb5_locator_plugin.8.xml:60
+@@ -9512,20 +9499,16 @@ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+ #: sssd_krb5_locator_plugin.8.xml:100
+-#, fuzzy
+-#| msgid ""
+-#| "If the environment variable SSSD_KRB5_LOCATOR_DISABLE is set to any value "
+-#| "the plugin is disabled and will just return KRB5_PLUGIN_NO_HANDLE to the "
+-#| "caller."
+ msgid ""
+ "If the environment variable SSSD_KRB5_LOCATOR_IGNORE_DNS_FAILURES is set to "
+ "any value plugin will try to resolve all DNS names in kdcinfo file. By "
+ "default plugin returns KRB5_PLUGIN_NO_HANDLE to the caller immediately on "
+ "first DNS resolving failure."
+ msgstr ""
+-"Якщо встановлено будь-яке значення для змінної середовища "
+-"SSSD_KRB5_LOCATOR_DISABLE, додаток буде вимкнено і поверне функції виклику "
+-"лише KRB5_PLUGIN_NO_HANDLE."
++"Якщо встановлено будь-яке значення змінної середовища "
++"SSSD_KRB5_LOCATOR_IGNORE_DNS_FAILURES, додаток спробує визначити усі назви "
++"DNS у файлі kdcinfo. Типово, додаток повертає функції виклику "
++"KRB5_PLUGIN_NO_HANDLE негайно після першої ж невдалої спроби визначення DNS."
+ 
+ #. type: Content of: <reference><refentry><refnamediv><refname>
+ #: sssd-simple.5.xml:10 sssd-simple.5.xml:16
+@@ -12462,17 +12445,13 @@ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ad.5.xml:435
+-#, fuzzy
+-#| msgid "Default: 5 (seconds)"
+ msgid "Default: False (seconds)"
+-msgstr "Типове значення: 5 (секунд)"
++msgstr "Типове значення: False (секунди)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd-ad.5.xml:441
+-#, fuzzy
+-#| msgid "ad_enable_gc (boolean)"
+ msgid "ad_gpo_ignore_unreadable (boolean)"
+-msgstr "ad_enable_gc (булеве значення)"
++msgstr "ad_gpo_ignore_unreadable (булеве значення)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ad.5.xml:444
+@@ -12483,6 +12462,11 @@ msgid ""
+ "policies if their attributes in group policy containers are not readable for "
+ "SSSD."
+ msgstr ""
++"Зазвичай, якщо певні контейнери правил групи (об'єкта AD) відповідних "
++"об'єктів правил груп є непридатним до читання з SSSD, доступ користувачам "
++"буде заборонено. За допомогою цього параметра можна проігнорувати контейнери "
++"правил груп та пов'язані із ними правила, якщо їхні атрибути у контейнерах "
++"правил груп є непридатним до читання з SSSD."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd-ad.5.xml:461
+@@ -13522,7 +13506,7 @@ msgstr ""
+ "також систему придатних для під’єднання модулів для встановлення з’єднання з "
+ "декількома різними джерелами даних щодо облікових записів та інтерфейс D-"
+ "Bus. <command>SSSD</command> також є основою для систем перевірки "
+-"клієнтських систем та служб обслуговування правил доступу для проектів, "
++"клієнтських систем та служб обслуговування правил доступу для проєктів, "
+ "подібних до FreeIPA. <command>SSSD</command> надає стійкішу базу даних для "
+ "збереження записів локальних користувачів, а також додаткових даних щодо "
+ "користувачів."
+@@ -15041,27 +15025,22 @@ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd-krb5.5.xml:505
+-#, fuzzy
+-#| msgid "krb5_confd_path (string)"
+ msgid "krb5_kdcinfo_lookahead (string)"
+-msgstr "krb5_confd_path (рядок)"
++msgstr "krb5_kdcinfo_lookahead (рядок)"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-krb5.5.xml:508
+-#, fuzzy
+-#| msgid ""
+-#| "See the <citerefentry> <refentrytitle>sssd_krb5_locator_plugin</"
+-#| "refentrytitle> <manvolnum>8</manvolnum> </citerefentry> manual page for "
+-#| "more information on the locator plugin."
+ msgid ""
+ "When krb5_use_kdcinfo is set to true, you can limit the amount of servers "
+ "handed to <citerefentry> <refentrytitle>sssd_krb5_locator_plugin</"
+ "refentrytitle> <manvolnum>8</manvolnum> </citerefentry>.  This might be "
+ "helpful when there are too many servers discovered using SRV record."
+ msgstr ""
+-"Див. сторінку підручника (man) <citerefentry> "
++"Якщо для krb5_use_kdcinfo встановлено значення true, ви можете обмежити "
++"кількість серверів, які буде передано <citerefentry> "
+ "<refentrytitle>sssd_krb5_locator_plugin</refentrytitle> <manvolnum>8</"
+-"manvolnum> </citerefentry>, щоб дізнатися більше про додаток пошуку."
++"manvolnum> </citerefentry>. Це може бути корисним, якщо за допомогою запису "
++"SRV виявляється надто багато серверів."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-krb5.5.xml:518
+@@ -15070,30 +15049,27 @@ msgid ""
+ "The first number represents number of primary servers used and the second "
+ "number specifies the number of backup servers."
+ msgstr ""
++"Параметр krb5_kdcinfo_lookahead містить два числа, які відокремлено "
++"двокрапкою. Перше число визначає кількість основних серверів, а друге — "
++"кількість резервних серверів."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-krb5.5.xml:524
+-#, fuzzy
+-#| msgid ""
+-#| "See the <citerefentry> <refentrytitle>sssd_krb5_locator_plugin</"
+-#| "refentrytitle> <manvolnum>8</manvolnum> </citerefentry> manual page for "
+-#| "more information on the locator plugin."
+ msgid ""
+ "For example <emphasis>10:0</emphasis> means that up to 10 primary servers "
+ "will be handed to <citerefentry> <refentrytitle>sssd_krb5_locator_plugin</"
+ "refentrytitle> <manvolnum>8</manvolnum> </citerefentry>.  but no backup "
+ "servers."
+ msgstr ""
+-"Див. сторінку підручника (man) <citerefentry> "
+-"<refentrytitle>sssd_krb5_locator_plugin</refentrytitle> <manvolnum>8</"
+-"manvolnum> </citerefentry>, щоб дізнатися більше про додаток пошуку."
++"Наприклад, <emphasis>10:0</emphasis> означає «буде передано до 10 основних "
++"серверів до <citerefentry> <refentrytitle>sssd_krb5_locator_plugin</"
++"refentrytitle> <manvolnum>8</manvolnum> </citerefentry>», але не буде "
++"передано резервні сервери."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-krb5.5.xml:533
+-#, fuzzy
+-#| msgid "Default: 3"
+ msgid "Default: 3:1"
+-msgstr "Типове значення: 3"
++msgstr "Типове значення: 3:1"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd-krb5.5.xml:539
+@@ -16737,18 +16713,7 @@ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><programlisting>
+ #: idmap_sss.8.xml:50
+-#, fuzzy, no-wrap
+-#| msgid ""
+-#| "[global]\n"
+-#| "security = ads\n"
+-#| "workgroup = &lt;AD-DOMAIN-SHORTNAME&gt;\n"
+-#| "\n"
+-#| "idmap config &lt;AD-DOMAIN-SHORTNAME&gt; : backend        = sss\n"
+-#| "idmap config &lt;AD-DOMAIN-SHORTNAME&gt; : range          = 200000-2147483647\n"
+-#| "\n"
+-#| "idmap config * : backend        = tdb\n"
+-#| "idmap config * : range          = 100000-199999\n"
+-#| "        "
++#, no-wrap
+ msgid ""
+ "[global]\n"
+ "security = domain\n"
+@@ -16759,14 +16724,11 @@ msgid ""
+ "        "
+ msgstr ""
+ "[global]\n"
+-"security = ads\n"
+-"workgroup = &lt;AD-DOMAIN-SHORTNAME&gt;\n"
+-"\n"
+-"idmap config &lt;AD-DOMAIN-SHORTNAME&gt; : backend        = sss\n"
+-"idmap config &lt;AD-DOMAIN-SHORTNAME&gt; : range          = 200000-2147483647\n"
++"security = domain\n"
++"workgroup = MAIN\n"
+ "\n"
+-"idmap config * : backend        = tdb\n"
+-"idmap config * : range          = 100000-199999\n"
++"idmap config * : backend        = sss\n"
++"idmap config * : range          = 200000-2147483647\n"
+ "        "
+ 
+ #. type: Content of: <reference><refentry><refnamediv><refname>
+@@ -16910,12 +16872,6 @@ msgstr "Типове значення: /etc/group"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+ #: sssd-files.5.xml:59
+-#, fuzzy
+-#| msgid ""
+-#| "Refer to the section <quote>DOMAIN SECTIONS</quote> of the <citerefentry> "
+-#| "<refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</manvolnum> </"
+-#| "citerefentry> manual page for details on the configuration of an SSSD "
+-#| "domain.  <placeholder type=\"variablelist\" id=\"0\"/>"
+ msgid ""
+ "In addition to the options listed below, generic SSSD domain options can be "
+ "set where applicable.  Refer to the section <quote>DOMAIN SECTIONS</quote> "
+@@ -16923,10 +16879,13 @@ msgid ""
+ "manvolnum> </citerefentry> manual page for details on the configuration of "
+ "an SSSD domain.  <placeholder type=\"variablelist\" id=\"0\"/>"
+ msgstr ""
+-"Зверніться до розділу «РОЗДІЛИ ДОМЕНІВ» сторінки довідника (man) "
+-"<citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</"
+-"manvolnum> </citerefentry>, щоб дізнатися більше про налаштування домену "
+-"SSSD. <placeholder type=\"variablelist\" id=\"0\"/>"
++"Окрім параметрів із наведеного нижче списку, засіб надання даних файлів не "
++"має власних специфічних параметрів. Втім, можна використовувати загальні "
++"параметри доменів SSSD там, де це є доречним. Зверніться до розділу «РОЗДІЛИ "
++"ДОМЕНІВ» сторінки довідника (man) <citerefentry> <refentrytitle>sssd.conf</"
++"refentrytitle> <manvolnum>5</manvolnum> </citerefentry>, щоб дізнатися "
++"більше про налаштування домену SSSD. <placeholder type=\"variablelist\" id="
++"\"0\"/>"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+ #: sssd-files.5.xml:105
+@@ -17003,7 +16962,7 @@ msgid ""
+ "them transparently routed to a local or a remote key management store like "
+ "IPA Vault for storage, escrow and recovery."
+ msgstr ""
+-"Проект <ulink url=\"https://github.com/latchset/custodia\">custodia</ulink> "
++"Проєкт <ulink url=\"https://github.com/latchset/custodia\">custodia</ulink> "
+ "було створено для урегулювання цієї проблеми у хмароподібних середовищах, "
+ "але нам ця ідея здалася вартою уваги навіть на рівні окремої ізольованої "
+ "системи. Як служба захисту, SSSD є ідеальним місцем для реалізації такої "
+@@ -18084,7 +18043,7 @@ msgstr ""
+ "На цій сторінці підручника описано налаштування засобу керування кешем "
+ "Kerberos SSSD (Kerberos Cache Manager або KCM). KCM є процесом, який "
+ "зберігає, стежить і керує кешем реєстраційних даних Kerberos. Ідея створення "
+-"засобу походить із проекту Heimdal Kerberos, хоча у бібліотеці Kerberos MIT "
++"засобу походить із проєкту Heimdal Kerberos, хоча у бібліотеці Kerberos MIT "
+ "також надається підтримка з боку клієнта для кешу реєстраційних даних KCM "
+ "(докладніше про це нижче)."
+ 
+@@ -18254,31 +18213,18 @@ msgstr "СХОВИЩЕ КЕШУ РЕЄСТРАЦІЙНИХ ДАНИХ"
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><programlisting>
+ #: sssd-kcm.8.xml:131
+-#, fuzzy, no-wrap
+-#| msgid ""
+-#| "systemctl start sssd-kcm.socket\n"
+-#| "systemctl enable sssd-kcm.socket\n"
+-#| "            "
++#, no-wrap
+ msgid ""
+ "systemctl start sssd-secrets.socket\n"
+ "systemctl enable sssd-secrets.socket\n"
+ "            "
+ msgstr ""
+-"systemctl start sssd-kcm.socket\n"
+-"systemctl enable sssd-kcm.socket\n"
++"systemctl start sssd-secrets.socket\n"
++"systemctl enable sssd-secrets.socket\n"
+ "            "
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+ #: sssd-kcm.8.xml:124
+-#, fuzzy
+-#| msgid ""
+-#| "Finally, make sure the SSSD KCM server can be contacted.  The KCM service "
+-#| "is typically socket-activated by <citerefentry> <refentrytitle>systemd</"
+-#| "refentrytitle> <manvolnum>1</manvolnum> </citerefentry>.  Unlike other "
+-#| "SSSD services, it cannot be started by adding the <quote>kcm</quote> "
+-#| "string to the <quote>service</quote> directive.  <placeholder type="
+-#| "\"programlisting\" id=\"0\"/> Please note your distribution may already "
+-#| "configure the units for you."
+ msgid ""
+ "The credential caches are stored in the SSSD secrets service (see "
+ "<citerefentry> <refentrytitle>sssd-secrets</refentrytitle><manvolnum>5</"
+@@ -18287,14 +18233,13 @@ msgid ""
+ "<placeholder type=\"programlisting\" id=\"0\"/> Your distribution should "
+ "already set the dependencies between the services."
+ msgstr ""
+-"Нарешті, переконайтеся, що з сервером KCM SSSD можна встановити зв'язок. "
+-"Типово, служба KCM вмикається за допомогою сокета з <citerefentry> "
+-"<refentrytitle>systemd</refentrytitle> <manvolnum>1</manvolnum> </"
+-"citerefentry>. На відміну від інших служб SSSD, її не можна запустити "
+-"додаванням рядка <quote>kcm</quote> до інструкції <quote>service</quote>.  "
+-"<placeholder type=\"programlisting\" id=\"0\"/> Будь ласка, зауважте, що "
+-"відповідні налаштування модулів вже могло бути виконано засобами вашого "
+-"дистрибутива."
++"Кеші реєстраційних даних зберігаються у сховищі служби реєстраційних даних "
++"SSSD (докладніший опис наведено на сторінці підручника <citerefentry> "
++"<refentrytitle>sssd-secrets</refentrytitle><manvolnum>5</manvolnum> </"
++"citerefentry>). Тому важливо, щоб було увімкнено службу sssd-secrets, а її "
++"сокет був доступним: <placeholder type=\"programlisting\" id=\"0\"/> "
++"Відповідні залежності між цими службами вже мало бути встановлено засобами "
++"вашого дистрибутива."
+ 
+ #. type: Content of: <reference><refentry><refsect1><para>
+ #: sssd-kcm.8.xml:141
+@@ -19826,56 +19771,6 @@ msgstr ""
+ 
+ #. type: Content of: <refsect1><para>
+ #: include/seealso.xml:4
+-#, fuzzy
+-#| msgid ""
+-#| "<citerefentry> <refentrytitle>sssd</refentrytitle><manvolnum>8</"
+-#| "manvolnum> </citerefentry>, <citerefentry> <refentrytitle>sssd.conf</"
+-#| "refentrytitle><manvolnum>5</manvolnum> </citerefentry>, <citerefentry> "
+-#| "<refentrytitle>sssd-ldap</refentrytitle><manvolnum>5</manvolnum> </"
+-#| "citerefentry>, <citerefentry> <refentrytitle>sssd-krb5</"
+-#| "refentrytitle><manvolnum>5</manvolnum> </citerefentry>, <citerefentry> "
+-#| "<refentrytitle>sssd-simple</refentrytitle><manvolnum>5</manvolnum> </"
+-#| "citerefentry>, <citerefentry> <refentrytitle>sssd-ipa</"
+-#| "refentrytitle><manvolnum>5</manvolnum> </citerefentry>, <citerefentry> "
+-#| "<refentrytitle>sssd-ad</refentrytitle><manvolnum>5</manvolnum> </"
+-#| "citerefentry>, <citerefentry> <refentrytitle>sssd-files</"
+-#| "refentrytitle><manvolnum>5</manvolnum> </citerefentry>, <phrase condition="
+-#| "\"with_sudo\"> <citerefentry> <refentrytitle>sssd-sudo</refentrytitle> "
+-#| "<manvolnum>5</manvolnum> </citerefentry>, </phrase> <phrase condition="
+-#| "\"with_secrets\"> <citerefentry> <refentrytitle>sssd-secrets</"
+-#| "refentrytitle> <manvolnum>5</manvolnum> </citerefentry>, </phrase> "
+-#| "<citerefentry> <refentrytitle>sssd-session-recording</refentrytitle> "
+-#| "<manvolnum>5</manvolnum> </citerefentry>, <citerefentry> "
+-#| "<refentrytitle>sss_cache</refentrytitle><manvolnum>8</manvolnum> </"
+-#| "citerefentry>, <citerefentry> <refentrytitle>sss_debuglevel</"
+-#| "refentrytitle><manvolnum>8</manvolnum> </citerefentry>, <phrase condition="
+-#| "\"enable_local_provider\"> <citerefentry> <refentrytitle>sss_groupadd</"
+-#| "refentrytitle><manvolnum>8</manvolnum> </citerefentry>, <citerefentry> "
+-#| "<refentrytitle>sss_groupdel</refentrytitle><manvolnum>8</manvolnum> </"
+-#| "citerefentry>, <citerefentry> <refentrytitle>sss_groupshow</"
+-#| "refentrytitle><manvolnum>8</manvolnum> </citerefentry>, <citerefentry> "
+-#| "<refentrytitle>sss_groupmod</refentrytitle><manvolnum>8</manvolnum> </"
+-#| "citerefentry>, <citerefentry> <refentrytitle>sss_useradd</"
+-#| "refentrytitle><manvolnum>8</manvolnum> </citerefentry>, <citerefentry> "
+-#| "<refentrytitle>sss_userdel</refentrytitle><manvolnum>8</manvolnum> </"
+-#| "citerefentry>, <citerefentry> <refentrytitle>sss_usermod</"
+-#| "refentrytitle><manvolnum>8</manvolnum> </citerefentry>, </phrase> "
+-#| "<citerefentry> <refentrytitle>sss_obfuscate</refentrytitle><manvolnum>8</"
+-#| "manvolnum> </citerefentry>, <citerefentry> <refentrytitle>sss_seed</"
+-#| "refentrytitle><manvolnum>8</manvolnum> </citerefentry>, <citerefentry> "
+-#| "<refentrytitle>sssd_krb5_locator_plugin</refentrytitle><manvolnum>8</"
+-#| "manvolnum> </citerefentry>, <phrase condition=\"with_ssh\"> "
+-#| "<citerefentry> <refentrytitle>sss_ssh_authorizedkeys</refentrytitle> "
+-#| "<manvolnum>8</manvolnum> </citerefentry>, <citerefentry> "
+-#| "<refentrytitle>sss_ssh_knownhostsproxy</refentrytitle> <manvolnum>8</"
+-#| "manvolnum> </citerefentry>, </phrase> <phrase condition=\"with_ifp\"> "
+-#| "<citerefentry> <refentrytitle>sssd-ifp</refentrytitle> <manvolnum>5</"
+-#| "manvolnum> </citerefentry>, </phrase> <citerefentry> "
+-#| "<refentrytitle>pam_sss</refentrytitle><manvolnum>8</manvolnum> </"
+-#| "citerefentry>.  <citerefentry> <refentrytitle>sss_rpcidmapd</"
+-#| "refentrytitle> <manvolnum>5</manvolnum> </citerefentry> <phrase condition="
+-#| "\"with_stap\"> <citerefentry> <refentrytitle>sssd-systemtap</"
+-#| "refentrytitle> <manvolnum>5</manvolnum> </citerefentry> </phrase>"
+ msgid ""
+ "<citerefentry> <refentrytitle>sssd</refentrytitle><manvolnum>8</manvolnum> </"
+ "citerefentry>, <citerefentry> <refentrytitle>sssd.conf</"
+@@ -19933,17 +19828,15 @@ msgstr ""
+ "citerefentry>, <citerefentry> <refentrytitle>sssd-ipa</"
+ "refentrytitle><manvolnum>5</manvolnum> </citerefentry>, <citerefentry> "
+ "<refentrytitle>sssd-ad</refentrytitle><manvolnum>5</manvolnum> </"
+-"citerefentry>, <citerefentry> <refentrytitle>sssd-files</"
+-"refentrytitle><manvolnum>5</manvolnum> </citerefentry>, <phrase condition="
+-"\"with_sudo\"> <citerefentry> <refentrytitle>sssd-sudo</refentrytitle> "
+-"<manvolnum>5</manvolnum> </citerefentry>, </phrase> <phrase condition="
+-"\"with_secrets\"> <citerefentry> <refentrytitle>sssd-secrets</refentrytitle> "
+-"<manvolnum>5</manvolnum> </citerefentry>, </phrase> <citerefentry> "
+-"<refentrytitle>sssd-session-recording</refentrytitle> <manvolnum>5</"
+-"manvolnum> </citerefentry>, <citerefentry> <refentrytitle>sss_cache</"
++"citerefentry>, <phrase condition=\"with_sudo\"> <citerefentry> "
++"<refentrytitle>sssd-sudo</refentrytitle> <manvolnum>5</manvolnum> </"
++"citerefentry>, </phrase> <phrase condition=\"with_secrets\"> <citerefentry> "
++"<refentrytitle>sssd-secrets</refentrytitle> <manvolnum>5</manvolnum> </"
++"citerefentry>, </phrase> <citerefentry> <refentrytitle>sssd-session-"
++"recording</refentrytitle> <manvolnum>5</manvolnum> </citerefentry>, "
++"<citerefentry> <refentrytitle>sss_cache</refentrytitle><manvolnum>8</"
++"manvolnum> </citerefentry>, <citerefentry> <refentrytitle>sss_debuglevel</"
+ "refentrytitle><manvolnum>8</manvolnum> </citerefentry>, <citerefentry> "
+-"<refentrytitle>sss_debuglevel</refentrytitle><manvolnum>8</manvolnum> </"
+-"citerefentry>, <phrase condition=\"enable_local_provider\"> <citerefentry> "
+ "<refentrytitle>sss_groupadd</refentrytitle><manvolnum>8</manvolnum> </"
+ "citerefentry>, <citerefentry> <refentrytitle>sss_groupdel</"
+ "refentrytitle><manvolnum>8</manvolnum> </citerefentry>, <citerefentry> "
+@@ -19954,7 +19847,7 @@ msgstr ""
+ "citerefentry>, <citerefentry> <refentrytitle>sss_userdel</"
+ "refentrytitle><manvolnum>8</manvolnum> </citerefentry>, <citerefentry> "
+ "<refentrytitle>sss_usermod</refentrytitle><manvolnum>8</manvolnum> </"
+-"citerefentry>, </phrase> <citerefentry> <refentrytitle>sss_obfuscate</"
++"citerefentry>, <citerefentry> <refentrytitle>sss_obfuscate</"
+ "refentrytitle><manvolnum>8</manvolnum> </citerefentry>, <citerefentry> "
+ "<refentrytitle>sss_seed</refentrytitle><manvolnum>8</manvolnum> </"
+ "citerefentry>, <citerefentry> <refentrytitle>sssd_krb5_locator_plugin</"
+@@ -20382,565 +20275,3 @@ msgstr "ldap_group_objectsid = ipaNTSecurityIdentifier"
+ #: include/ipa_modified_defaults.xml:118
+ msgid "ldap_group_external_member = ipaExternalMember"
+ msgstr "ldap_group_external_member = ipaExternalMember"
+-
+-#~ msgid ""
+-#~ "The background refresh will process users, groups and netgroups in the "
+-#~ "cache."
+-#~ msgstr ""
+-#~ "Під час фонового оновлення виконуватиметься обробка записів користувачів, "
+-#~ "груп та мережевих груп у кеші."
+-
+-#~ msgid ""
+-#~ "For POSIX subdomains, setting the option in the main domain is inherited "
+-#~ "in the subdomain."
+-#~ msgstr ""
+-#~ "Для піддоменів POSIX встановлення для цього параметра значення головного "
+-#~ "домену успадковується у піддомені."
+-
+-#~ msgid ""
+-#~ "For ID-mapping subdomains, auto_private_groups is already enabled for the "
+-#~ "subdomains and setting it to false will not have any effect for the "
+-#~ "subdomain."
+-#~ msgstr ""
+-#~ "Для піддоменів із прив'язкою за ідентифікатором auto_private_groups вже "
+-#~ "увімкнено для піддоменів, встановлення для нього значення false ніяк не "
+-#~ "впливатиме на піддомен."
+-
+-#~ msgid ""
+-#~ "You can turn off dereference lookups completely by setting the value to 0."
+-#~ msgstr ""
+-#~ "Ви можете повністю вимкнути пошуки з отриманням значення об’єкта "
+-#~ "(розіменуванням), якщо вкажете значення 0."
+-
+-#~ msgid ""
+-#~ "(OpenSSL version) This option is currently ignored. All needed "
+-#~ "certificates must be available in the PEM file given by pam_cert_db_path."
+-#~ msgstr ""
+-#~ "(Версія з OpenSSL) У поточній версії програма ігнорує цей параметр. Усі "
+-#~ "потрібні сертифікати мають бути у файлі PEM, який вказано параметром "
+-#~ "pam_cert_db_path."
+-
+-#~ msgid "crl_file=/PATH/TO/CRL/FILE"
+-#~ msgstr "crl_file=/ШЛЯХ/ДО/ФАЙЛА/CRL"
+-
+-#~ msgid ""
+-#~ "(NSS Version) This option is ignored, please see <citerefentry> "
+-#~ "<refentrytitle>crlutil</refentrytitle> <manvolnum>1</manvolnum> </"
+-#~ "citerefentry> how to import a Certificate Revocation List (CRL) into a "
+-#~ "NSS database."
+-#~ msgstr ""
+-#~ "(Версія з NSS) Цей параметр буде проігноровано, будь ласка, див. "
+-#~ "<citerefentry> <refentrytitle>crlutil</refentrytitle> <manvolnum>1</"
+-#~ "manvolnum> </citerefentry>, щоб дізнатися про те, як імпортувати список "
+-#~ "відкликання сертифікатів (CRL) до бази даних NSS."
+-
+-#~ msgid ""
+-#~ "(OpenSSL Version) Use the Certificate Revocation List (CRL) from the "
+-#~ "given file during the verification of the certificate. The CRL must be "
+-#~ "given in PEM format, see <citerefentry> <refentrytitle>crl</"
+-#~ "refentrytitle> <manvolnum>1ssl</manvolnum> </citerefentry> for details."
+-#~ msgstr ""
+-#~ "(Версія з OpenSSL) Використовувати список відкликання сертифікатів (CRL) "
+-#~ "з вказаного файла під час перевірки сертифіката. CRL має бути вказано у "
+-#~ "форматі PEM, див. <citerefentry> <refentrytitle>crl</refentrytitle> "
+-#~ "<manvolnum>1ssl</manvolnum> </citerefentry>, щоб дізнатися більше."
+-
+-#~ msgid "p11_wait_for_card_timeout (integer)"
+-#~ msgstr "p11_wait_for_card_timeout (ціле число)"
+-
+-#~ msgid ""
+-#~ "If Smartcard authentication is required how many extra seconds in "
+-#~ "addition to p11_child_timeout should the PAM responder wait until a "
+-#~ "Smartcard is inserted."
+-#~ msgstr ""
+-#~ "Якщо обов'язковим є розпізнавання за смарткарткою, кількість додаткових "
+-#~ "секунд, які буде додано до p11_child_timeout, протягом яких відповідача "
+-#~ "PAM має чекати на вставлення смарткартки."
+-
+-#~ msgid "p11_uri (string)"
+-#~ msgstr "p11_uri (рядок)"
+-
+-#~ msgid ""
+-#~ "PKCS#11 URI (see RFC-7512 for details) which can be used to restrict the "
+-#~ "selection of devices used for Smartcard authentication. By default SSSD's "
+-#~ "p11_child will search for a PKCS#11 slot (reader)  where the 'removable' "
+-#~ "flags is set and read the certificates from the inserted token from the "
+-#~ "first slot found. If multiple readers are connected p11_uri can be use to "
+-#~ "tell p11_child to use a specific reader."
+-#~ msgstr ""
+-#~ "Адреса PKCS#11 (докладніший опис можна знайти у RFC-7512), якою можна "
+-#~ "скористатися для обмеження переліку пристроїв, які використовуються для "
+-#~ "розпізнавання за допомогою смарткартки. Типово, p11_child зі складу SSSD "
+-#~ "виконуватиме пошук слоту PKCS#11 (зчитувача), для якого встановлено "
+-#~ "прапорці «removable» («портативний») і читатиме сертифікати із першого "
+-#~ "знайденого слоту вставленого ключа. Якщо з комп'ютером буде з'єднано "
+-#~ "декілька зчитувачів, можна скористатися p11_uri для повідомлення "
+-#~ "p11_child про те, що слід використовувати вказаний зчитувач."
+-
+-#~ msgid ""
+-#~ "p11_uri = slot-description=My%20Smartcar%20Reader\n"
+-#~ "                            "
+-#~ msgstr ""
+-#~ "p11_uri = slot-description=My%20Smartcar%20Reader\n"
+-#~ "                            "
+-
+-#~ msgid ""
+-#~ "p11_uri = library-description=OpenSC%20smartcard%20framework;slot-id=2\n"
+-#~ "                            "
+-#~ msgstr ""
+-#~ "p11_uri = library-description=OpenSC%20smartcard%20framework;slot-id=2\n"
+-#~ "                            "
+-
+-#~ msgid ""
+-#~ "Example: <placeholder type=\"programlisting\" id=\"0\"/> or <placeholder "
+-#~ "type=\"programlisting\" id=\"1\"/> To find suitable URI please check the "
+-#~ "debug output of p11_child. As an alternative the GnuTLS utility 'p11tool' "
+-#~ "with e.g. the '--list-all' will show PKCS#11 URIs as well."
+-#~ msgstr ""
+-#~ "Приклади: <placeholder type=\"programlisting\" id=\"0\"/> або "
+-#~ "<placeholder type=\"programlisting\" id=\"1\"/> Для визначення "
+-#~ "відповідної адреси, ознайомтеся із файлом діагностичних даних p11_child. "
+-#~ "Крім того, можна скористатися програмою GnuTLS p11tool, наприклад, із "
+-#~ "параметром --list-all, який покаже і адреси PKCS#11."
+-
+-#~ msgid "CERTIFICATE MAPPING SECTION"
+-#~ msgstr "РОЗДІЛ ПРИВ'ЯЗКИ СЕРТИФІКАТІВ"
+-
+-#~ msgid ""
+-#~ "To allow authentication with Smartcards and certificates SSSD must be "
+-#~ "able to map certificates to users. This can be done by adding the full "
+-#~ "certificate to the LDAP object of the user or to a local override. While "
+-#~ "using the full certificate is required to use the Smartcard "
+-#~ "authentication feature of SSH (see <citerefentry> "
+-#~ "<refentrytitle>sss_ssh_authorizedkeys</refentrytitle> <manvolnum>8</"
+-#~ "manvolnum> </citerefentry> for details) it might be cumbersome or not "
+-#~ "even possible to do this for the general case where local services use "
+-#~ "PAM for authentication."
+-#~ msgstr ""
+-#~ "Щоб уможливити розпізнавання за смарткартками та сертифікатами, SSSD "
+-#~ "повинна мати можливість пов'язувати сертифікати із записами користувачів. "
+-#~ "Забезпечити таку можливість можна додаванням повного сертифіката до "
+-#~ "об'єкта LDAP користувача або локальним перевизначенням. Хоча використання "
+-#~ "повного сертифіката є обов'язковим для використання можливості "
+-#~ "розпізнавання за смарткарткою у (див. <citerefentry> "
+-#~ "<refentrytitle>sss_ssh_authorizedkeys</refentrytitle> <manvolnum>8</"
+-#~ "manvolnum> </citerefentry>, щоб дізнатися більше), додавання таких "
+-#~ "сертифікатів може бути марудною або навіть неможливою справою для "
+-#~ "загального випадку, коли локальні служби використовують для розпізнавання "
+-#~ "PAM."
+-
+-#~ msgid ""
+-#~ "To make the mapping more flexible mapping and matching rules were added "
+-#~ "to SSSD (see <citerefentry> <refentrytitle>sss-certmap</refentrytitle> "
+-#~ "<manvolnum>5</manvolnum> </citerefentry> for details)."
+-#~ msgstr ""
+-#~ "Для додавання гнучкості прив'язкам у SSSD додано правила прив'язки і "
+-#~ "встановлення відповідності (докладніше про це у розділі <citerefentry> "
+-#~ "<refentrytitle>sss-certmap</refentrytitle> <manvolnum>5</manvolnum> </"
+-#~ "citerefentry>)."
+-
+-#~ msgid ""
+-#~ "A mapping and matching rule can be added to the SSSD configuration in a "
+-#~ "section on its own with a name like <quote>[certmap/"
+-#~ "<replaceable>DOMAIN_NAME</replaceable>/<replaceable>RULE_NAME</"
+-#~ "replaceable>]</quote>.  In this section the following options are allowed:"
+-#~ msgstr ""
+-#~ "Правила пов'язування та відповідності можна додати до налаштувань SSSD у "
+-#~ "окремий розділ із назвою, подібною до <quote>[certmap/"
+-#~ "<replaceable>НАЗВА_ДОМЕНУ</replaceable>/<replaceable>НАЗВА_ПРАВИЛА</"
+-#~ "replaceable>]</quote>. У цьому розділі можна використовувати такі "
+-#~ "параметри:"
+-
+-#~ msgid "matchrule (string)"
+-#~ msgstr "matchrule (рядок)"
+-
+-#~ msgid ""
+-#~ "Only certificates from the Smartcard which matches this rule will be "
+-#~ "processed, all others are ignored."
+-#~ msgstr ""
+-#~ "Буде виконано обробку лише тих сертифікатів зі смарткартки, які "
+-#~ "відповідають цьому правилу. Усі інші сертифікати буде проігноровано."
+-
+-#~ msgid ""
+-#~ "Default: KRB5:&lt;EKU&gt;clientAuth, i.e. only certificates which have "
+-#~ "the Extended Key Usage <quote>clientAuth</quote>"
+-#~ msgstr ""
+-#~ "Типове значення: KRB5:&lt;EKU&gt;clientAuth, тобто лише сертифікати, у "
+-#~ "яких Extended Key Usage (розширене використання ключа) дорівнює "
+-#~ "<quote>clientAuth</quote>"
+-
+-#~ msgid "maprule (string)"
+-#~ msgstr "maprule (рядок)"
+-
+-#~ msgid "Defines how the user is found for a given certificate."
+-#~ msgstr "Визначає спосіб пошуку користувача для вказаного сертифіката."
+-
+-#~ msgid ""
+-#~ "LDAP:(userCertificate;binary={cert!bin})  for LDAP based providers like "
+-#~ "<quote>ldap</quote>, <quote>AD</quote> or <quote>ipa</quote>."
+-#~ msgstr ""
+-#~ "LDAP:(userCertificate;binary={cert!bin})  для заснованих на LDAP "
+-#~ "надавачів даних, зокрема <quote>ldap</quote>, <quote>AD</quote> та "
+-#~ "<quote>ipa</quote>."
+-
+-#~ msgid ""
+-#~ "The RULE_NAME for the <quote>files</quote> provider which tries to find a "
+-#~ "user with the same name."
+-#~ msgstr ""
+-#~ "RULE_NAME для надавача даних <quote>files</quote>, який намагається "
+-#~ "знайти запис користувача і такою самою назвою."
+-
+-#~ msgid "domains (string)"
+-#~ msgstr "domains (рядок)"
+-
+-#~ msgid ""
+-#~ "Comma separated list of domain names the rule should be applied. By "
+-#~ "default a rule is only valid in the domain configured in sssd.conf. If "
+-#~ "the provider supports subdomains this option can be used to add the rule "
+-#~ "to subdomains as well."
+-#~ msgstr ""
+-#~ "Список відокремлених комами назв доменів, до яких слід застосовувати "
+-#~ "правило. Типово, правило стосуватиметься лише домену, який налаштовано у "
+-#~ "sssd.conf. Якщо для надавача даних передбачено підтримку піддоменів, цей "
+-#~ "параметр можна використати і для додавання правила до піддоменів."
+-
+-#~ msgid "Default: the configured domain in sssd.conf"
+-#~ msgstr "Типове значення: домен, який налаштовано у sssd.conf"
+-
+-#~ msgid "priority (integer)"
+-#~ msgstr "priority (ціле число)"
+-
+-#~ msgid ""
+-#~ "Unsigned integer value defining the priority of the rule. The higher the "
+-#~ "number the lower the priority.  <quote>0</quote> stands for the highest "
+-#~ "priority while <quote>4294967295</quote> is the lowest."
+-#~ msgstr ""
+-#~ "Ціле невід'ємне значення, яке визначає пріоритетність правила. Чим "
+-#~ "більшим є значення, тим нижчою є пріоритетність. <quote>0</quote> — "
+-#~ "найвища пріоритетність, а <quote>4294967295</quote> — найнижча."
+-
+-#~ msgid "Default: the lowest priority"
+-#~ msgstr "Типове значення: найнижча пріоритетність"
+-
+-#~ msgid ""
+-#~ "To make the configuration simple and reduce the amount of configuration "
+-#~ "options the <quote>files</quote> provider has some special properties:"
+-#~ msgstr ""
+-#~ "Щоб спростити налаштовування із зменшити кількість параметрів "
+-#~ "налаштовування, у надавачі даних <quote>files</quote> передбачено "
+-#~ "декілька спеціальних властивостей:"
+-
+-#~ msgid ""
+-#~ "if maprule is not set the RULE_NAME name is assumed to be the name of the "
+-#~ "matching user"
+-#~ msgstr ""
+-#~ "якщо не встановлено maprule, припускається, що значенням RULE_NAME є "
+-#~ "назва відповідного облікового запису користувача"
+-
+-#~ msgid ""
+-#~ "if a maprule is used both a single user name or a template like "
+-#~ "<quote>{subject_rfc822_name.short_name}</quote> must be in braces like e."
+-#~ "g. <quote>(username)</quote> or <quote>({subject_rfc822_name."
+-#~ "short_name})</quote>"
+-#~ msgstr ""
+-#~ "якщо maprule використовує обидва, назву облікового запису окремого "
+-#~ "користувача або шаблон, подібний до <quote>{назва_об'єкта_rfc822."
+-#~ "коротка_назва}</quote>, слід брати у дужки, наприклад "
+-#~ "<quote>(користувач)</quote> або <quote>({назва_об'єкта_rfc822."
+-#~ "коротка_назва})</quote>"
+-
+-#~ msgid "the <quote>domains</quote> option is ignored"
+-#~ msgstr "параметр <quote>domains</quote> буде проігноровано"
+-
+-#~ msgid ""
+-#~ "[certmap/my.domain/rule_name]\n"
+-#~ "matchrule = &lt;ISSUER&gt;^CN=My-CA,DC=MY,DC=DOMAIN$\n"
+-#~ "maprule = (userCertificate;binary={cert!bin})\n"
+-#~ "domains = my.domain, your.domain\n"
+-#~ "priority = 10\n"
+-#~ "\n"
+-#~ "[certmap/files/myname]\n"
+-#~ "matchrule = &lt;ISSUER&gt;^CN=My-CA,DC=MY,DC=DOMAIN$&lt;SUBJECT&gt;"
+-#~ "^CN=User.Name,DC=MY,DC=DOMAIN$\n"
+-#~ msgstr ""
+-#~ "[certmap/my.domain/rule_name]\n"
+-#~ "matchrule = &lt;ISSUER&gt;^CN=My-CA,DC=MY,DC=DOMAIN$\n"
+-#~ "maprule = (userCertificate;binary={cert!bin})\n"
+-#~ "domains = my.domain, your.domain\n"
+-#~ "priority = 10\n"
+-#~ "\n"
+-#~ "[certmap/files/myname]\n"
+-#~ "matchrule = &lt;ISSUER&gt;^CN=My-CA,DC=MY,DC=DOMAIN$&lt;SUBJECT&gt;"
+-#~ "^CN=User.Name,DC=MY,DC=DOMAIN$\n"
+-
+-#~ msgid ""
+-#~ "3. The following example shows the configuration for two certificate "
+-#~ "mapping rules. The first is valid for the configured domain <quote>my."
+-#~ "domain</quote> and additionally for the subdomains <quote>your.domain</"
+-#~ "quote> and uses the full certificate in the search filter. The second "
+-#~ "example is valid for the domain <quote>files</quote> where it is assumed "
+-#~ "the files provider is used for this domain and contains a matching rule "
+-#~ "for the local user <quote>myname</quote>.  <placeholder type="
+-#~ "\"programlisting\" id=\"0\"/>"
+-#~ msgstr ""
+-#~ "3. У наведеному нижче прикладі показано налаштування для двох правил "
+-#~ "пов'язування сертифікатів. Перше є чинним для налаштованого домену "
+-#~ "<quote>my.domain</quote> і, додатково, для піддоменів <quote>your.domain</"
+-#~ "quote> і використовує повний сертифікат у фільтрі пошуку. Другий приклад "
+-#~ "є чинним для домену <quote>files</quote>, де припускається, що для цього "
+-#~ "домену використовується засіб надання даних файлів, і містить правило "
+-#~ "відповідності для локального користувача <quote>myname</quote>.  "
+-#~ "<placeholder type=\"programlisting\" id=\"0\"/>"
+-
+-#~ msgid ""
+-#~ "Using wildcard is an operation that is very costly to evaluate on the "
+-#~ "LDAP server side!"
+-#~ msgstr ""
+-#~ "Використання символів-замінників є дуже обчислювально вартісною операцією "
+-#~ "для сервера LDAP!"
+-
+-#~ msgid "<option>try_cert_auth</option>"
+-#~ msgstr "<option>try_cert_auth</option>"
+-
+-#~ msgid ""
+-#~ "Try to use certificate based authentication, i.e.  authentication with a "
+-#~ "Smartcard or similar devices. If a Smartcard is available and the service "
+-#~ "is allowed for Smartcard authentication the use will be prompted for a "
+-#~ "PIN and the certificate based authentication will continue"
+-#~ msgstr ""
+-#~ "Спробувати скористатися розпізнаванням на основі сертифікатів, тобто "
+-#~ "розпізнаванням за допомогою смарткартки або подібного пристрою. Якщо "
+-#~ "доступною є смарткартка і уможливлено розпізнавання за смарткарткою для "
+-#~ "служби, система надішле запит щодо пін-коду і буде продовжено процедуру "
+-#~ "розпізнавання за сертифікатом."
+-
+-#~ msgid ""
+-#~ "If no Smartcard is available or certificate based authentication is not "
+-#~ "allowed for the current service PAM_AUTHINFO_UNAVAIL is returned."
+-#~ msgstr ""
+-#~ "Якщо смарткартка виявиться недоступною або розпізнавання за сертифікатом "
+-#~ "буде заборонено для поточної служби, буде повернуто PAM_AUTHINFO_UNAVAIL."
+-
+-#~ msgid "<option>require_cert_auth</option>"
+-#~ msgstr "<option>require_cert_auth</option>"
+-
+-#~ msgid ""
+-#~ "Do certificate based authentication, i.e.  authentication with a "
+-#~ "Smartcard or similar devices. If a Smartcard is not available the user "
+-#~ "will be prompted to insert one. SSSD will wait for a Smartcard until the "
+-#~ "timeout defined by p11_wait_for_card_timeout passed, please see "
+-#~ "<citerefentry><refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</"
+-#~ "manvolnum></citerefentry> for details."
+-#~ msgstr ""
+-#~ "Виконати розпізнавання на основі сертифікатів, тобто розпізнавання за "
+-#~ "допомогою смарткартки або подібного пристрою. Якщо смарткартка виявиться "
+-#~ "недоступною, система попросить користувача вставити її. SSSD чекатиме на "
+-#~ "смарткартку, аж доки не завершиться час очікування, визначений переданим "
+-#~ "значенням p11_wait_for_card_timeout. Див. "
+-#~ "<citerefentry><refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</"
+-#~ "manvolnum></citerefentry>, щоб дізнатися більше."
+-
+-#~ msgid ""
+-#~ "If no Smartcard is available after the timeout or certificate based "
+-#~ "authentication is not allowed for the current service "
+-#~ "PAM_AUTHINFO_UNAVAIL is returned."
+-#~ msgstr ""
+-#~ "Якщо смарткартка виявиться недоступною на момент завершення часу "
+-#~ "очікування або розпізнавання за сертифікатом буде заборонено для поточної "
+-#~ "служби, буде повернуто PAM_AUTHINFO_UNAVAIL."
+-
+-#~ msgid "dyndns_update_per_family (boolean)"
+-#~ msgstr "dyndns_update_per_family (булеве значення)"
+-
+-#~ msgid ""
+-#~ "DNS update is by default performed in two steps - IPv4 update and then "
+-#~ "IPv6 update. In some cases it might be desirable to perform IPv4 and IPv6 "
+-#~ "update in single step."
+-#~ msgstr ""
+-#~ "Оновлення DNS, типово, виконується у два кроки — оновлення IPv4, а потім "
+-#~ "оновлення IPv6. Іноді бажаним є виконання оновлення IPv4 і IPv6 за один "
+-#~ "крок."
+-
+-#~ msgid "<option>-g</option>,<option>--genconf</option>"
+-#~ msgstr "<option>-g</option>,<option>--genconf</option>"
+-
+-#~ msgid ""
+-#~ "Do not start the SSSD, but refresh the configuration database from the "
+-#~ "contents of <filename>/etc/sssd/sssd.conf</filename> and exit."
+-#~ msgstr ""
+-#~ "Не запускати SSSD, а лише оновити базу даних налаштувань на основі вмісту "
+-#~ "<filename>/etc/sssd/sssd.conf</filename> і завершити роботу."
+-
+-#~ msgid "<option>-s</option>,<option>--genconf-section</option>"
+-#~ msgstr "<option>-s</option>,<option>--genconf-section</option>"
+-
+-#~ msgid ""
+-#~ "Similar to <quote>--genconf</quote>, but only refresh a single section "
+-#~ "from the configuration file.  This option is useful mainly to be called "
+-#~ "from systemd unit files to allow socket-activated responders to refresh "
+-#~ "their configuration without requiring the administrator to restart the "
+-#~ "whole SSSD."
+-#~ msgstr ""
+-#~ "Подібний до <quote>--genconf</quote>, але наказує програмі освіжити лише "
+-#~ "окремий розділу на основі файла налаштувань. Цей параметр корисний, в "
+-#~ "основному, для виклику з файлів модулів systemd з метою дозволити "
+-#~ "відповідачам, які активуються з сокетів, освіжати налаштування без "
+-#~ "потреби у перезапуску адміністратором усього SSSD."
+-
+-#~ msgid ""
+-#~ "Please replace &lt;AD-DOMAIN-SHORTNAME&gt; with the NetBIOS domain name "
+-#~ "of the AD domain. If multiple AD domains should be used each domain needs "
+-#~ "an <literal>idmap config</literal> line with <literal>backend = sss</"
+-#~ "literal> and a line with a suitable <literal>range</literal>."
+-#~ msgstr ""
+-#~ "Будь ласка, замініть &lt;AD-DOMAIN-SHORTNAME&gt; на назву домену у "
+-#~ "NetBIOS домену AD. Якщо має бути використано декілька доменів AD, для "
+-#~ "кожного домену потрібен рядок <literal>idmap config</literal> із "
+-#~ "<literal>backend = sss</literal> і рядок із відповідним <literal>range</"
+-#~ "literal>."
+-
+-#~ msgid ""
+-#~ "Since Winbind requires a writeable default backend and idmap_sss is read-"
+-#~ "only the example includes <literal>backend = tdb</literal> as default."
+-#~ msgstr ""
+-#~ "Оскільки для Winbind потрібен придатний до запису типовий модуль, а "
+-#~ "idmap_sss є придатним лише для читання, до прикладу включено як типовий "
+-#~ "модуль <literal>backend = tdb</literal>."
+-
+-#~ msgid ""
+-#~ "Another reason is to provide efficient caching of local users and groups."
+-#~ msgstr ""
+-#~ "Іншою причиною може бути потреба у забезпеченні ефективного кешування "
+-#~ "даних локальних користувачів і груп."
+-
+-#~ msgid ""
+-#~ "Please note that some distributions enable the files domain "
+-#~ "automatically, prepending the domain before any explicitly configured "
+-#~ "domains.  See enable_files_domain in <citerefentry> <refentrytitle>sssd."
+-#~ "conf</refentrytitle> <manvolnum>5</manvolnum> </citerefentry>."
+-#~ msgstr ""
+-#~ "Будь ласка, зауважте, що у деяких дистрибутивах домен files увімкнено "
+-#~ "автоматично, оскільки цей домен додано до будь-якого із явно визначених "
+-#~ "доменів. Див. enable_files_domain у <citerefentry> <refentrytitle>sssd."
+-#~ "conf</refentrytitle> <manvolnum>5</manvolnum> </citerefentry>."
+-
+-#~ msgid ""
+-#~ "SSSD never handles resolution of user/group \"root\". Also resolution of "
+-#~ "UID/GID 0 is not handled by SSSD. Such requests are passed to next NSS "
+-#~ "module (usually files)."
+-#~ msgstr ""
+-#~ "SSSD ніколи не виконує визначення для користувача або групи «root». Крім "
+-#~ "того, SSSD не обробляє запити щодо визначення UID/GID 0. Такі запити "
+-#~ "передаються наступному модулю NSS (зазвичай, files)."
+-
+-#~ msgid ""
+-#~ "When SSSD is not running or responding, nss_sss returns the UNAVAIL code "
+-#~ "which causes the request to be passed to the next module."
+-#~ msgstr ""
+-#~ "Якщо SSSD не запущено або програма не відповідає, nss_sss повертає код "
+-#~ "UNAVAIL, що спричиняє передавання запиту наступному модулю."
+-
+-#~ msgid ""
+-#~ "In addition to the options listed below, generic SSSD domain options can "
+-#~ "be set where applicable.  Refer to the section <quote>DOMAIN SECTIONS</"
+-#~ "quote> of the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> "
+-#~ "<manvolnum>5</manvolnum> </citerefentry> manual page for details on the "
+-#~ "configuration of an SSSD domain. But the purpose of the files provider is "
+-#~ "to expose the same data as the UNIX files, just through the SSSD "
+-#~ "interfaces. Therefore not all generic domain options are supported. "
+-#~ "Likewise, some global options, such as overriding the shell in the "
+-#~ "<quote>nss</quote> section for all domains has no effect on the files "
+-#~ "domain unless explicitly specified per-domain.  <placeholder type="
+-#~ "\"variablelist\" id=\"0\"/>"
+-#~ msgstr ""
+-#~ "Окрім параметрів із наведеного нижче списку, можна встановлювати, де це є "
+-#~ "відповідним, загальні параметри домену SSSD. Зверніться до розділу "
+-#~ "<quote>РОЗДІЛИ ДОМЕНІВ</quote> сторінки підручника <citerefentry> "
+-#~ "<refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</manvolnum> </"
+-#~ "citerefentry>, щоб дізнатися більше про налаштовування домені SSSD. Втім, "
+-#~ "призначенням надавача даних files є надання тих самих даних, які "
+-#~ "встановлюються для файлів UNIX, просто за допомогою інтерфейсів SSSD. "
+-#~ "Тому передбачено підтримку не усіх загальних параметрів доменів. Так "
+-#~ "само, деякі загальні параметри, зокрема перевизначення командної оболонки "
+-#~ "у розділі <quote>nss</quote> для усіх доменів, ні на що не впливають у "
+-#~ "домені files, якщо їх не вказано явним чином для окремих доменів. "
+-#~ "<placeholder type=\"variablelist\" id=\"0\"/>"
+-
+-#~ msgid ""
+-#~ "To leverage caching of local users and groups by SSSD nss_sss module must "
+-#~ "be listed before nss_files module in /etc/nsswitch.conf."
+-#~ msgstr ""
+-#~ "Для балансування кешування даних локальних користувачів та груп у SSSD "
+-#~ "модуль nss_sss має перебувати у списку файла /etc/nsswitch.conf вище за "
+-#~ "модуль nss_files."
+-
+-#~ msgid ""
+-#~ "passwd:     sss files\n"
+-#~ "group:      sss files\n"
+-#~ msgstr ""
+-#~ "passwd:     sss files\n"
+-#~ "group:      sss files\n"
+-
+-#~ msgid ""
+-#~ "The credential caches are stored in a database, much like SSSD caches "
+-#~ "user or group entries. The database is typically located at <quote>/var/"
+-#~ "lib/sss/secrets</quote>."
+-#~ msgstr ""
+-#~ "Кеші реєстраційних даних зберігаються у базі даних, дуже подібно до кешів "
+-#~ "записів користувачів і груп SSSD. Типово, база даних зберігається у "
+-#~ "<quote>/var/lib/sss/secrets</quote>."
+-
+-#~ msgid "OBTAINING DEBUG LOGS"
+-#~ msgstr "ОТРИМАННЯ ДІАГНОСТИЧНОГО ЖУРНАЛУ"
+-
+-#~ msgid ""
+-#~ "[kcm]\n"
+-#~ "debug_level = 10\n"
+-#~ "            "
+-#~ msgstr ""
+-#~ "[kcm]\n"
+-#~ "debug_level = 10\n"
+-#~ "            "
+-
+-#~ msgid ""
+-#~ "systemctl restart sssd-kcm.service\n"
+-#~ "            "
+-#~ msgstr ""
+-#~ "systemctl restart sssd-kcm.service\n"
+-#~ "            "
+-
+-#~ msgid ""
+-#~ "The sssd-kcm service is typically socket-activated <citerefentry> "
+-#~ "<refentrytitle>systemd</refentrytitle> <manvolnum>1</manvolnum> </"
+-#~ "citerefentry>. To generate debug logs, add the following either to the "
+-#~ "<filename>/etc/sssd/sssd.conf</filename> file directly or as a "
+-#~ "configuration snippet to <filename>/etc/sssd/conf.d/</filename> "
+-#~ "directory: <placeholder type=\"programlisting\" id=\"0\"/> Then, restart "
+-#~ "the sssd-kcm service: <placeholder type=\"programlisting\" id=\"1\"/> "
+-#~ "Finally, run whatever use-case doesn't work for you. The KCM logs will be "
+-#~ "generated at <filename>/var/log/sssd/sssd_kcm.log</filename>. It is "
+-#~ "recommended to disable the debug logs when you no longer need the "
+-#~ "debugging to be enabled as the sssd-kcm service can generate quite a "
+-#~ "large amount of debugging information."
+-#~ msgstr ""
+-#~ "Типово, служба sssd-kcm активує крізь сокет <citerefentry> "
+-#~ "<refentrytitle>systemd</refentrytitle> <manvolnum>1</manvolnum> </"
+-#~ "citerefentry>. Для створення діагностичних журналів додайте вказані нижче "
+-#~ "рядки або безпосередньо до файла <filename>/etc/sssd/sssd.conf</"
+-#~ "filename>, або як фрагмент налаштувань до каталогу <filename>/etc/sssd/"
+-#~ "conf.d/</filename>: <placeholder type=\"programlisting\" id=\"0\"/> Далі, "
+-#~ "перезапустіть службу sssd-kcm: <placeholder type=\"programlisting\" id="
+-#~ "\"1\"/> Нарешті, виконайте дії, які не призводять до бажаних для вас "
+-#~ "наслідків. Журнал KCM буде записано до <filename>/var/log/sssd/sssd_kcm."
+-#~ "log</filename>. Рекомендуємо вимкнути ведення діагностичного журналу, "
+-#~ "якщо вам не потрібні діагностичні дані, оскільки служба sssd-kcm може "
+-#~ "породжувати доволі великий обсяг діагностичних даних."
+-
+-#~ msgid ""
+-#~ "Please note that configuration snippets are, at the moment, only "
+-#~ "processed if the main configuration file at <filename>/etc/sssd/sssd."
+-#~ "conf</filename> exists at all."
+-#~ msgstr ""
+-#~ "Будь ласка, зауважте, що у поточній версії фрагменти налаштувань буде "
+-#~ "оброблено, лише якщо взагалі існує основний файл налаштувань <filename>/"
+-#~ "etc/sssd/sssd.conf</filename>."
+diff --git a/src/man/po/zh_CN.po b/src/man/po/zh_CN.po
+index 3af09c050..ebf5c535c 100644
+--- a/src/man/po/zh_CN.po
++++ b/src/man/po/zh_CN.po
+@@ -6,9 +6,9 @@
+ # Christopher Meng <cickumqt@gmail.com>, 2012
+ msgid ""
+ msgstr ""
+-"Project-Id-Version: sssd-docs 2.0.99\n"
++"Project-Id-Version: sssd-docs 1.16.4\n"
+ "Report-Msgid-Bugs-To: sssd-devel@redhat.com\n"
+-"POT-Creation-Date: 2019-10-07 11:33+0200\n"
++"POT-Creation-Date: 2019-11-07 14:51+0100\n"
+ "PO-Revision-Date: 2014-12-15 12:16+0000\n"
+ "Last-Translator: Copied by Zanata <copied-by-zanata@zanata.org>\n"
+ "Language-Team: Chinese (China) (http://www.transifex.com/projects/p/sssd/"
+@@ -4402,10 +4402,8 @@ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-ldap.5.xml:241
+-#, fuzzy
+-#| msgid "Default: 3"
+ msgid "Default: exop"
+-msgstr "默认: 3"
++msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd-ldap.5.xml:247
+@@ -12046,10 +12044,8 @@ msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+ #: sssd-krb5.5.xml:533
+-#, fuzzy
+-#| msgid "Default: 3"
+ msgid "Default: 3:1"
+-msgstr "默认: 3"
++msgstr ""
+ 
+ #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+ #: sssd-krb5.5.xml:539
+-- 
+2.20.1
+
diff --git a/SOURCES/0102-autofs-delete-possible-duplicate-of-an-autofs-entry.patch b/SOURCES/0102-autofs-delete-possible-duplicate-of-an-autofs-entry.patch
new file mode 100644
index 0000000..ff42f3d
--- /dev/null
+++ b/SOURCES/0102-autofs-delete-possible-duplicate-of-an-autofs-entry.patch
@@ -0,0 +1,186 @@
+From 41606494979da8cb7fb09170687131a556a643c7 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
+Date: Mon, 11 Nov 2019 13:56:34 +0100
+Subject: [PATCH 102/103] autofs: delete possible duplicate of an autofs entry
+
+Steps to reproduce:
+1. Create the following autofs objects
+```ldif
+dn: ou=auto.master,ou=autofs,dc=ldap,dc=vm
+objectClass: automountMap
+objectClass: top
+ou: auto.master
+
+dn: automountKey=/home,ou=auto.master,ou=autofs,dc=ldap,dc=vm
+objectClass: automount
+objectClass: top
+automountInformation: auto.home
+automountKey: /home
+
+dn: ou=auto.home,ou=autofs,dc=ldap,dc=vm
+objectClass: automountMap
+objectClass: top
+ou: auto.home
+
+dn: automountKey=/home1,ou=auto.home,ou=autofs,dc=ldap,dc=vm
+objectClass: automount
+objectClass: top
+automountInformation: home1
+automountKey: /home1
+```
+
+2. Use e.g. the test tool to fetch the maps:
+```
+  ./autofs_test_client auto.master
+  ./autofs_test_client auto.home -n /home1
+```
+
+3. Change automountInformation of /home1
+```
+dn: automountKey=/home1,ou=auto.home,ou=autofs,dc=ldap,dc=vm
+objectClass: automount
+objectClass: top
+automountInformation: home1_1
+automountKey: /home1
+```
+
+4. Run the test tool again:
+```
+  ./autofs_test_client auto.master
+  ./autofs_test_client auto.home -n /home1
+  > error happens
+```
+
+It is important the `get entry by name is called` thus the `-n` parameter.
+
+Resolves:
+https://pagure.io/SSSD/sssd/issue/4116
+(cherry picked from commit 14b44e721c52207fd17e449cc6ae0a75fbb05369)
+---
+ src/providers/ldap/sdap_async_autofs.c | 93 ++++++++++++++++++++------
+ 1 file changed, 74 insertions(+), 19 deletions(-)
+
+diff --git a/src/providers/ldap/sdap_async_autofs.c b/src/providers/ldap/sdap_async_autofs.c
+index 232d0c34a..6f37b1c84 100644
+--- a/src/providers/ldap/sdap_async_autofs.c
++++ b/src/providers/ldap/sdap_async_autofs.c
+@@ -1337,6 +1337,12 @@ static void sdap_autofs_get_entry_connect_done(struct tevent_req *subreq)
+     tevent_req_set_callback(subreq, sdap_autofs_get_entry_done, req);
+ }
+ 
++static errno_t sdap_autofs_save_entry(struct sss_domain_info *domain,
++                                      struct sdap_options *opts,
++                                      struct sysdb_attrs *newentry,
++                                      const char *mapname,
++                                      const char *entryname);
++
+ static void sdap_autofs_get_entry_done(struct tevent_req *subreq)
+ {
+     struct tevent_req *req;
+@@ -1365,31 +1371,18 @@ static void sdap_autofs_get_entry_done(struct tevent_req *subreq)
+         return;
+     }
+ 
+-    if (reply_count == 0) {
+-        ret = sysdb_del_autofsentry_by_key(state->id_ctx->be->domain,
+-                                           state->mapname, state->entryname);
+-        if (ret != EOK) {
+-            DEBUG(SSSDBG_MINOR_FAILURE, "Cannot delete entry %s:%s\n",
+-                  state->mapname, state->entryname);
+-            tevent_req_error(req, ret);
+-            return;
+-        }
+-
+-        tevent_req_done(req);
+-        return;
+-    }
+-
+-    ret = add_autofs_entry(state->id_ctx->be->domain, state->mapname,
+-                           state->opts, reply[0], time(NULL));
++    ret = sdap_autofs_save_entry(state->id_ctx->be->domain,
++                                 state->opts,
++                                 reply_count != 0 ? reply[0] : NULL,
++                                 state->mapname,
++                                 state->entryname);
+     if (ret != EOK) {
+-        DEBUG(SSSDBG_OP_FAILURE,
+-             "Cannot save autofs entry %s:%s [%d]: %s\n",
+-              state->mapname, state->entryname, ret, strerror(ret));
+         tevent_req_error(req, ret);
+         return;
+     }
+ 
+     tevent_req_done(req);
++    return;
+ }
+ 
+ errno_t sdap_autofs_get_entry_recv(struct tevent_req *req,
+@@ -1405,3 +1398,65 @@ errno_t sdap_autofs_get_entry_recv(struct tevent_req *req,
+ 
+     return EOK;
+ }
++
++static errno_t sdap_autofs_save_entry(struct sss_domain_info *domain,
++                                      struct sdap_options *opts,
++                                      struct sysdb_attrs *newentry,
++                                      const char *mapname,
++                                      const char *entryname)
++{
++    bool in_transaction = false;
++    errno_t ret;
++    int tret;
++
++    ret = sysdb_transaction_start(domain->sysdb);
++    if (ret != EOK) {
++        DEBUG(SSSDBG_CRIT_FAILURE, "Cannot start sysdb transaction [%d]: %s\n",
++              ret, sss_strerror(ret));
++        goto done;
++    }
++    in_transaction = true;
++
++    /* Delete existing entry to cover case where new entry has the same key
++     * but different automountInformation. Because the dn is created from the
++     * combination of key and information it would be possible to end up with
++     * two entries with same key but different information otherwise.
++     */
++    ret = sysdb_del_autofsentry_by_key(domain, mapname, entryname);
++    if (ret != EOK) {
++        DEBUG(SSSDBG_MINOR_FAILURE, "Cannot delete entry %s:%s\n",
++              mapname, entryname);
++        goto done;
++    }
++
++    if (newentry != NULL) {
++        ret = add_autofs_entry(domain, mapname, opts, newentry, time(NULL));
++        if (ret != EOK) {
++            DEBUG(SSSDBG_OP_FAILURE,
++                  "Cannot save autofs entry %s:%s [%d]: %s\n",
++                  mapname, entryname, ret, sss_strerror(ret));
++            goto done;
++        }
++    }
++
++    ret = sysdb_transaction_commit(domain->sysdb);
++    if (ret != EOK) {
++        DEBUG(SSSDBG_CRIT_FAILURE, "Cannot commit sysdb transaction [%d]: %s\n",
++              ret, sss_strerror(ret));
++        goto done;
++    }
++    in_transaction = false;
++
++    ret = EOK;
++
++done:
++    if (in_transaction) {
++        tret = sysdb_transaction_cancel(domain->sysdb);
++        if (tret != EOK) {
++            DEBUG(SSSDBG_CRIT_FAILURE, "Cannot cancel sysdb transaction "
++                  "[%d]: %s\n", ret, sss_strerror(ret));
++        }
++    }
++
++    return ret;
++}
+-- 
+2.20.1
+
diff --git a/SOURCES/0103-ipa-use-the-right-context-for-autofs.patch b/SOURCES/0103-ipa-use-the-right-context-for-autofs.patch
new file mode 100644
index 0000000..e42b878
--- /dev/null
+++ b/SOURCES/0103-ipa-use-the-right-context-for-autofs.patch
@@ -0,0 +1,53 @@
+From a967afdd0a099d9b4d76bbbda7d37a001f583bbf Mon Sep 17 00:00:00 2001
+From: Sumit Bose <sbose@redhat.com>
+Date: Mon, 4 Nov 2019 16:50:16 +0100
+Subject: [PATCH 103/103] ipa: use the right context for autofs
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Related to https://pagure.io/SSSD/sssd/issue/4111
+
+(cherry picked with changes from commit 9ba136ce27308e8b0b8ec921c135433da8569531)
+
+Reviewed-by: Pavel Březina <pbrezina@redhat.com>
+---
+ src/providers/ipa/ipa_autofs.c | 18 ++++++++++++------
+ 1 file changed, 12 insertions(+), 6 deletions(-)
+
+diff --git a/src/providers/ipa/ipa_autofs.c b/src/providers/ipa/ipa_autofs.c
+index 5f72d60cd..144d12781 100644
+--- a/src/providers/ipa/ipa_autofs.c
++++ b/src/providers/ipa/ipa_autofs.c
+@@ -48,16 +48,22 @@ errno_t ipa_autofs_init(TALLOC_CTX *mem_ctx,
+     }
+ 
+     dp_set_method(dp_methods, DPM_AUTOFS_ENUMERATE,
+-                  sdap_autofs_enumerate_handler_send, sdap_autofs_enumerate_handler_recv, id_ctx,
+-                  struct sdap_id_ctx, struct dp_autofs_data, struct dp_reply_std);
++                  sdap_autofs_enumerate_handler_send,
++                  sdap_autofs_enumerate_handler_recv,
++                  id_ctx->sdap_id_ctx, struct sdap_id_ctx,
++                  struct dp_autofs_data, struct dp_reply_std);
+ 
+     dp_set_method(dp_methods, DPM_AUTOFS_GET_MAP,
+-                  sdap_autofs_get_map_handler_send, sdap_autofs_get_map_handler_recv, id_ctx,
+-                  struct sdap_id_ctx, struct dp_autofs_data, struct dp_reply_std);
++                  sdap_autofs_get_map_handler_send,
++                  sdap_autofs_get_map_handler_recv,
++                  id_ctx->sdap_id_ctx, struct sdap_id_ctx,
++                  struct dp_autofs_data, struct dp_reply_std);
+ 
+     dp_set_method(dp_methods, DPM_AUTOFS_GET_ENTRY,
+-                  sdap_autofs_get_entry_handler_send, sdap_autofs_get_entry_handler_recv, id_ctx,
+-                  struct sdap_id_ctx, struct dp_autofs_data, struct dp_reply_std);
++                  sdap_autofs_get_entry_handler_send,
++                  sdap_autofs_get_entry_handler_recv,
++                  id_ctx->sdap_id_ctx, struct sdap_id_ctx,
++                  struct dp_autofs_data, struct dp_reply_std);
+ 
+     return ret;
+ }
+-- 
+2.20.1
+
diff --git a/SOURCES/0104-ipa-add-failover-to-override-lookups.patch b/SOURCES/0104-ipa-add-failover-to-override-lookups.patch
new file mode 100644
index 0000000..15e8685
--- /dev/null
+++ b/SOURCES/0104-ipa-add-failover-to-override-lookups.patch
@@ -0,0 +1,48 @@
+From 4897063996b624b71823e61c73916f47832f103a Mon Sep 17 00:00:00 2001
+From: Sumit Bose <sbose@redhat.com>
+Date: Tue, 29 Oct 2019 12:16:40 +0100
+Subject: [PATCH 104/105] ipa: add failover to override lookups
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+In the ipa_id_get_account_info request failover handling was missing.
+
+Related to https://pagure.io/SSSD/sssd/issue/4114
+
+Reviewed-by: Michal Židek <mzidek@redhat.com>
+(cherry picked from commit b9a53cfca91c9db51b1e32ac2cb0965db3ccf05b)
+---
+ src/providers/ipa/ipa_id.c | 15 +++++++++++++++
+ 1 file changed, 15 insertions(+)
+
+diff --git a/src/providers/ipa/ipa_id.c b/src/providers/ipa/ipa_id.c
+index 94d5f9d90..9253514a3 100644
+--- a/src/providers/ipa/ipa_id.c
++++ b/src/providers/ipa/ipa_id.c
+@@ -640,7 +640,22 @@ static void ipa_id_get_account_info_got_override(struct tevent_req *subreq)
+     ret = ipa_get_ad_override_recv(subreq, &dp_error, state,
+                                    &state->override_attrs);
+     talloc_zfree(subreq);
++
+     if (ret != EOK) {
++        ret = sdap_id_op_done(state->op, ret, &dp_error);
++
++        if (dp_error == DP_ERR_OK && ret != EOK) {
++            /* retry */
++            subreq = sdap_id_op_connect_send(state->op, state, &ret);
++            if (subreq == NULL) {
++                DEBUG(SSSDBG_OP_FAILURE, "sdap_id_op_connect_send failed.\n");
++                goto fail;
++            }
++            tevent_req_set_callback(subreq, ipa_id_get_account_info_connected,
++                                    req);
++            return;
++        }
++
+         DEBUG(SSSDBG_OP_FAILURE, "IPA override lookup failed: %d\n", ret);
+         goto fail;
+     }
+-- 
+2.20.1
+
diff --git a/SOURCES/0105-ipa-add-failover-to-access-checks.patch b/SOURCES/0105-ipa-add-failover-to-access-checks.patch
new file mode 100644
index 0000000..7d9c105
--- /dev/null
+++ b/SOURCES/0105-ipa-add-failover-to-access-checks.patch
@@ -0,0 +1,61 @@
+From a4dd1eb5087c2f8a3a9133f42efa025221edc1c9 Mon Sep 17 00:00:00 2001
+From: Sumit Bose <sbose@redhat.com>
+Date: Wed, 30 Oct 2019 14:23:12 +0100
+Subject: [PATCH 105/105] ipa: add failover to access checks
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+While reading the different components of the HBAC rules failover
+handling was missing. Since the access control is typically the second
+step after authentication SSSD would have already switched to a working
+server or into offline mode during authentication. But if e.g. ssh keys
+are used for authentication and user data are read from cache the HABC
+rule searches might have to handle failover as well.
+
+Related to https://pagure.io/SSSD/sssd/issue/4114
+
+Reviewed-by: Michal Židek <mzidek@redhat.com>
+(cherry picked from commit 707fdf0406644de08cfb7f59fa4eec393be5c62a)
+---
+ src/providers/ipa/ipa_access.c | 16 ++++++++++++++++
+ 1 file changed, 16 insertions(+)
+
+diff --git a/src/providers/ipa/ipa_access.c b/src/providers/ipa/ipa_access.c
+index de9f68170..375b6f885 100644
+--- a/src/providers/ipa/ipa_access.c
++++ b/src/providers/ipa/ipa_access.c
+@@ -296,6 +296,7 @@ static void ipa_fetch_hbac_hostinfo_done(struct tevent_req *subreq)
+     struct ipa_fetch_hbac_state *state = NULL;
+     struct tevent_req *req = NULL;
+     errno_t ret;
++    int dp_error;
+ 
+     req = tevent_req_callback_data(subreq, struct tevent_req);
+     state = tevent_req_data(req, struct ipa_fetch_hbac_state);
+@@ -308,7 +309,22 @@ static void ipa_fetch_hbac_hostinfo_done(struct tevent_req *subreq)
+     state->hosts->entry_subdir = HBAC_HOSTS_SUBDIR;
+     state->hosts->group_subdir = HBAC_HOSTGROUPS_SUBDIR;
+     talloc_zfree(subreq);
++
+     if (ret != EOK) {
++        /* Only call sdap_id_op_done in case of an error to trigger a
++         * failover. In general changing the tevent_req layout would be better
++         * so that all searches are in another sub-request so that we can
++         * error out at any step and the parent request can call
++         * sdap_id_op_done just once. */
++        ret = sdap_id_op_done(state->sdap_op, ret, &dp_error);
++        if (dp_error == DP_ERR_OK && ret != EOK) {
++            /* retry */
++            ret = ipa_fetch_hbac_retry(req);
++            if (ret != EAGAIN) {
++                goto done;
++            }
++            return;
++        }
+         goto done;
+     }
+ 
+-- 
+2.20.1
+
diff --git a/SOURCES/0106-ad-allow-booleans-for-ad_inherit_opts_if_needed.patch b/SOURCES/0106-ad-allow-booleans-for-ad_inherit_opts_if_needed.patch
new file mode 100644
index 0000000..9cc1aaa
--- /dev/null
+++ b/SOURCES/0106-ad-allow-booleans-for-ad_inherit_opts_if_needed.patch
@@ -0,0 +1,57 @@
+From 44e76055d4413e56a33a90185161b6cfa4062d03 Mon Sep 17 00:00:00 2001
+From: Sumit Bose <sbose@redhat.com>
+Date: Thu, 26 Sep 2019 20:24:34 +0200
+Subject: [PATCH 106/109] ad: allow booleans for ad_inherit_opts_if_needed()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Currently ad_inherit_opts_if_needed() can only handle strings. With this
+patch it can handle boolean options as well.
+
+Related to https://pagure.io/SSSD/sssd/issue/4131
+
+(cherry picked from commit 3dadb248440f2e7a02c68049001f848459dd1bdf)
+
+Reviewed-by: Pavel Březina <pbrezina@redhat.com>
+---
+ src/providers/ad/ad_common.c | 23 ++++++++++++++++++++---
+ 1 file changed, 20 insertions(+), 3 deletions(-)
+
+diff --git a/src/providers/ad/ad_common.c b/src/providers/ad/ad_common.c
+index 1b8b1df19..ca4d0665d 100644
+--- a/src/providers/ad/ad_common.c
++++ b/src/providers/ad/ad_common.c
+@@ -1466,9 +1466,26 @@ errno_t ad_inherit_opts_if_needed(struct dp_option *parent_opts,
+     const char *parent_val = NULL;
+     char *dummy = NULL;
+     char *option_list[2] = { NULL, NULL };
+-
+-    parent_val = dp_opt_get_cstring(parent_opts, opt_id);
+-    if (parent_val != NULL) {
++    bool is_default = true;
++
++    switch (parent_opts[opt_id].type) {
++    case DP_OPT_STRING:
++        parent_val = dp_opt_get_cstring(parent_opts, opt_id);
++        break;
++    case DP_OPT_BOOL:
++        /* For booleans it is hard to say if the option is set or not since
++         * both possible values are valid ones. So we check if the value is
++         * different from the default and skip if it is the default. In this
++         * case the sub-domain option would either be the default as well or
++         * manully set and in both cases we do not have to change it. */
++        is_default = (parent_opts[opt_id].val.boolean
++                                == parent_opts[opt_id].def_val.boolean);
++        break;
++    default:
++        DEBUG(SSSDBG_TRACE_FUNC, "Unsupported type, skipping.\n");
++    }
++
++    if (parent_val != NULL || !is_default) {
+         ret = confdb_get_string(cdb, NULL, subdom_conf_path,
+                                 parent_opts[opt_id].opt_name, NULL, &dummy);
+         if (ret != EOK) {
+-- 
+2.20.1
+
diff --git a/SOURCES/0107-ad-add-ad_use_ldaps.patch b/SOURCES/0107-ad-add-ad_use_ldaps.patch
new file mode 100644
index 0000000..9bf28f1
--- /dev/null
+++ b/SOURCES/0107-ad-add-ad_use_ldaps.patch
@@ -0,0 +1,440 @@
+From b2aca1f7d7aa4a11f86d977ad00481aeb1f9a436 Mon Sep 17 00:00:00 2001
+From: Sumit Bose <sbose@redhat.com>
+Date: Thu, 26 Sep 2019 20:27:09 +0200
+Subject: [PATCH 107/109] ad: add ad_use_ldaps
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+With this new boolean option the AD provider should only use the LDAPS
+port 636 and the Global Catalog port 3629 which is TLS protected as
+well.
+
+Related to https://pagure.io/SSSD/sssd/issue/4131
+
+(cherry picked from commit 33c8757087b8649926e53cf494e2a775ad100302)
+
+Reviewed-by: Pavel Březina <pbrezina@redhat.com>
+---
+ src/config/SSSDConfig/__init__.py.in      |  1 +
+ src/config/cfg_rules.ini                  |  1 +
+ src/config/etc/sssd.api.d/sssd-ad.conf    |  1 +
+ src/man/sssd-ad.5.xml                     | 20 +++++++++++++++++++
+ src/providers/ad/ad_common.c              | 24 +++++++++++++++++++----
+ src/providers/ad/ad_common.h              |  8 +++++++-
+ src/providers/ad/ad_init.c                |  8 +++++++-
+ src/providers/ad/ad_opts.c                |  1 +
+ src/providers/ad/ad_srv.c                 | 16 ++++++++++++---
+ src/providers/ad/ad_srv.h                 |  3 ++-
+ src/providers/ad/ad_subdomains.c          | 21 ++++++++++++++++++--
+ src/providers/ipa/ipa_subdomains_server.c |  4 ++--
+ 12 files changed, 94 insertions(+), 14 deletions(-)
+
+diff --git a/src/config/SSSDConfig/__init__.py.in b/src/config/SSSDConfig/__init__.py.in
+index a7de476a1..00e588f1c 100644
+--- a/src/config/SSSDConfig/__init__.py.in
++++ b/src/config/SSSDConfig/__init__.py.in
+@@ -247,6 +247,7 @@ option_strings = {
+     'ad_site' : _('a particular site to be used by the client'),
+     'ad_maximum_machine_account_password_age' : _('Maximum age in days before the machine account password should be renewed'),
+     'ad_machine_account_password_renewal_opts' : _('Option for tuning the machine account renewal task'),
++    'ad_use_ldaps' : _('Use LDAPS port for LDAP and Global Catalog requests'),
+ 
+     # [provider/krb5]
+     'krb5_kdcip' : _('Kerberos server address'),
+diff --git a/src/config/cfg_rules.ini b/src/config/cfg_rules.ini
+index 3976ec4e1..c3d8bd88f 100644
+--- a/src/config/cfg_rules.ini
++++ b/src/config/cfg_rules.ini
+@@ -454,6 +454,7 @@ option = ad_machine_account_password_renewal_opts
+ option = ad_maximum_machine_account_password_age
+ option = ad_server
+ option = ad_site
++option = ad_use_ldaps
+ 
+ # IPA provider specific options
+ option = ipa_anchor_uuid
+diff --git a/src/config/etc/sssd.api.d/sssd-ad.conf b/src/config/etc/sssd.api.d/sssd-ad.conf
+index e3c8140b8..48522437f 100644
+--- a/src/config/etc/sssd.api.d/sssd-ad.conf
++++ b/src/config/etc/sssd.api.d/sssd-ad.conf
+@@ -20,6 +20,7 @@ ad_gpo_default_right = str, None, false
+ ad_site = str, None, false
+ ad_maximum_machine_account_password_age = int, None, false
+ ad_machine_account_password_renewal_opts = str, None, false
++ad_use_ldaps = bool, None, false
+ ldap_uri = str, None, false
+ ldap_backup_uri = str, None, false
+ ldap_search_base = str, None, false
+diff --git a/src/man/sssd-ad.5.xml b/src/man/sssd-ad.5.xml
+index b14f07f7f..9e9e52eb3 100644
+--- a/src/man/sssd-ad.5.xml
++++ b/src/man/sssd-ad.5.xml
+@@ -903,6 +903,26 @@ ad_gpo_map_deny = +my_pam_service
+                     </listitem>
+                 </varlistentry>
+ 
++                <varlistentry>
++                    <term>ad_use_ldaps (bool)</term>
++                    <listitem>
++                        <para>
++                            By default SSSD uses the plain LDAP port 389 and the
++                            Global Catalog port 3628. If this option is set to
++                            True SSSD will use the LDAPS port 636 and Global
++                            Catalog port 3629 with LDAPS protection. Since AD
++                            does not allow to have multiple encryption layers on
++                            a single connection and we still want to use
++                            SASL/GSSAPI or SASL/GSS-SPNEGO for authentication
++                            the SASL security property maxssf is set to 0 (zero)
++                            for those connections.
++                        </para>
++                        <para>
++                            Default: False
++                        </para>
++                    </listitem>
++                </varlistentry>
++
+                 <varlistentry>
+                     <term>dyndns_update (boolean)</term>
+                     <listitem>
+diff --git a/src/providers/ad/ad_common.c b/src/providers/ad/ad_common.c
+index ca4d0665d..de8a0c8bb 100644
+--- a/src/providers/ad/ad_common.c
++++ b/src/providers/ad/ad_common.c
+@@ -729,6 +729,7 @@ ad_failover_init(TALLOC_CTX *mem_ctx, struct be_ctx *bectx,
+                  const char *ad_gc_service,
+                  const char *ad_domain,
+                  bool use_kdcinfo,
++                 bool ad_use_ldaps,
+                  size_t n_lookahead_primary,
+                  size_t n_lookahead_backup,
+                  struct ad_service **_service)
+@@ -746,6 +747,16 @@ ad_failover_init(TALLOC_CTX *mem_ctx, struct be_ctx *bectx,
+         goto done;
+     }
+ 
++    if (ad_use_ldaps) {
++        service->ldap_scheme = "ldaps";
++        service->port = LDAPS_PORT;
++        service->gc_port = AD_GC_LDAPS_PORT;
++    } else {
++        service->ldap_scheme = "ldap";
++        service->port = LDAP_PORT;
++        service->gc_port = AD_GC_PORT;
++    }
++
+     service->sdap = talloc_zero(service, struct sdap_service);
+     service->gc = talloc_zero(service, struct sdap_service);
+     if (!service->sdap || !service->gc) {
+@@ -914,7 +925,8 @@ ad_resolve_callback(void *private_data, struct fo_server *server)
+         goto done;
+     }
+ 
+-    new_uri = talloc_asprintf(service->sdap, "ldap://%s", srv_name);
++    new_uri = talloc_asprintf(service->sdap, "%s://%s", service->ldap_scheme,
++                                                        srv_name);
+     if (!new_uri) {
+         DEBUG(SSSDBG_CRIT_FAILURE, "Failed to copy URI\n");
+         ret = ENOMEM;
+@@ -922,7 +934,7 @@ ad_resolve_callback(void *private_data, struct fo_server *server)
+     }
+     DEBUG(SSSDBG_CONF_SETTINGS, "Constructed uri '%s'\n", new_uri);
+ 
+-    sockaddr = resolv_get_sockaddr_address(tmp_ctx, srvaddr, LDAP_PORT);
++    sockaddr = resolv_get_sockaddr_address(tmp_ctx, srvaddr, service->port);
+     if (sockaddr == NULL) {
+         DEBUG(SSSDBG_CRIT_FAILURE, "resolv_get_sockaddr_address failed.\n");
+         ret = EIO;
+@@ -938,8 +950,12 @@ ad_resolve_callback(void *private_data, struct fo_server *server)
+     talloc_zfree(service->gc->uri);
+     talloc_zfree(service->gc->sockaddr);
+     if (sdata && sdata->gc) {
+-        new_port = fo_get_server_port(server);
+-        new_port = (new_port == 0) ? AD_GC_PORT : new_port;
++        if (service->gc_port == AD_GC_LDAPS_PORT) {
++            new_port = service->gc_port;
++        } else {
++            new_port = fo_get_server_port(server);
++            new_port = (new_port == 0) ? service->gc_port : new_port;
++        }
+ 
+         service->gc->uri = talloc_asprintf(service->gc, "%s:%d",
+                                            new_uri, new_port);
+diff --git a/src/providers/ad/ad_common.h b/src/providers/ad/ad_common.h
+index 44369288e..54245b9f8 100644
+--- a/src/providers/ad/ad_common.h
++++ b/src/providers/ad/ad_common.h
+@@ -29,7 +29,8 @@
+ #define AD_SERVICE_NAME    "AD"
+ #define AD_GC_SERVICE_NAME "AD_GC"
+ /* The port the Global Catalog runs on */
+-#define AD_GC_PORT      3268
++#define AD_GC_PORT         3268
++#define AD_GC_LDAPS_PORT   3269
+ 
+ #define AD_AT_OBJECT_SID "objectSID"
+ #define AD_AT_DNS_DOMAIN "DnsDomain"
+@@ -67,6 +68,7 @@ enum ad_basic_opt {
+     AD_KRB5_CONFD_PATH,
+     AD_MAXIMUM_MACHINE_ACCOUNT_PASSWORD_AGE,
+     AD_MACHINE_ACCOUNT_PASSWORD_RENEWAL_OPTS,
++    AD_USE_LDAPS,
+ 
+     AD_OPTS_BASIC /* opts counter */
+ };
+@@ -82,6 +84,9 @@ struct ad_service {
+     struct sdap_service *sdap;
+     struct sdap_service *gc;
+     struct krb5_service *krb5_service;
++    const char *ldap_scheme;
++    int port;
++    int gc_port;
+ };
+ 
+ struct ad_options {
+@@ -147,6 +152,7 @@ ad_failover_init(TALLOC_CTX *mem_ctx, struct be_ctx *ctx,
+                  const char *ad_gc_service,
+                  const char *ad_domain,
+                  bool use_kdcinfo,
++                 bool ad_use_ldaps,
+                  size_t n_lookahead_primary,
+                  size_t n_lookahead_backup,
+                  struct ad_service **_service);
+diff --git a/src/providers/ad/ad_init.c b/src/providers/ad/ad_init.c
+index f5aea8904..09397852b 100644
+--- a/src/providers/ad/ad_init.c
++++ b/src/providers/ad/ad_init.c
+@@ -138,6 +138,7 @@ static errno_t ad_init_options(TALLOC_CTX *mem_ctx,
+     char *ad_servers = NULL;
+     char *ad_backup_servers = NULL;
+     char *ad_realm;
++    bool ad_use_ldaps = false;
+     errno_t ret;
+ 
+     ad_sasl_initialize();
+@@ -154,12 +155,14 @@ static errno_t ad_init_options(TALLOC_CTX *mem_ctx,
+     ad_servers = dp_opt_get_string(ad_options->basic, AD_SERVER);
+     ad_backup_servers = dp_opt_get_string(ad_options->basic, AD_BACKUP_SERVER);
+     ad_realm = dp_opt_get_string(ad_options->basic, AD_KRB5_REALM);
++    ad_use_ldaps = dp_opt_get_bool(ad_options->basic, AD_USE_LDAPS);
+ 
+     /* Set up the failover service */
+     ret = ad_failover_init(ad_options, be_ctx, ad_servers, ad_backup_servers,
+                            ad_realm, AD_SERVICE_NAME, AD_GC_SERVICE_NAME,
+                            dp_opt_get_string(ad_options->basic, AD_DOMAIN),
+                            false, /* will be set in ad_get_auth_options() */
++                           ad_use_ldaps,
+                            (size_t) -1,
+                            (size_t) -1,
+                            &ad_options->service);
+@@ -184,11 +187,13 @@ static errno_t ad_init_srv_plugin(struct be_ctx *be_ctx,
+     const char *ad_site_override;
+     bool sites_enabled;
+     errno_t ret;
++    bool ad_use_ldaps;
+ 
+     hostname = dp_opt_get_string(ad_options->basic, AD_HOSTNAME);
+     ad_domain = dp_opt_get_string(ad_options->basic, AD_DOMAIN);
+     ad_site_override = dp_opt_get_string(ad_options->basic, AD_SITE);
+     sites_enabled = dp_opt_get_bool(ad_options->basic, AD_ENABLE_DNS_SITES);
++    ad_use_ldaps = dp_opt_get_bool(ad_options->basic, AD_USE_LDAPS);
+ 
+ 
+     if (!sites_enabled) {
+@@ -205,7 +210,8 @@ static errno_t ad_init_srv_plugin(struct be_ctx *be_ctx,
+     srv_ctx = ad_srv_plugin_ctx_init(be_ctx, be_ctx, be_ctx->be_res,
+                                      default_host_dbs, ad_options->id,
+                                      hostname, ad_domain,
+-                                     ad_site_override);
++                                     ad_site_override,
++                                     ad_use_ldaps);
+     if (srv_ctx == NULL) {
+         DEBUG(SSSDBG_FATAL_FAILURE, "Out of memory?\n");
+         return ENOMEM;
+diff --git a/src/providers/ad/ad_opts.c b/src/providers/ad/ad_opts.c
+index 9bd705445..cd898cbd2 100644
+--- a/src/providers/ad/ad_opts.c
++++ b/src/providers/ad/ad_opts.c
+@@ -54,6 +54,7 @@ struct dp_option ad_basic_opts[] = {
+     { "krb5_confd_path", DP_OPT_STRING, { KRB5_MAPPING_DIR }, NULL_STRING },
+     { "ad_maximum_machine_account_password_age", DP_OPT_NUMBER, { .number = 30 }, NULL_NUMBER },
+     { "ad_machine_account_password_renewal_opts", DP_OPT_STRING, { "86400:750" }, NULL_STRING },
++    { "ad_use_ldaps", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE },
+     DP_OPTION_TERMINATOR
+ };
+ 
+diff --git a/src/providers/ad/ad_srv.c b/src/providers/ad/ad_srv.c
+index 5fd25f60e..ca15d3715 100644
+--- a/src/providers/ad/ad_srv.c
++++ b/src/providers/ad/ad_srv.c
+@@ -244,6 +244,7 @@ struct ad_get_client_site_state {
+     enum host_database *host_db;
+     struct sdap_options *opts;
+     const char *ad_domain;
++    bool ad_use_ldaps;
+     struct fo_server_info *dcs;
+     size_t num_dcs;
+     size_t dc_index;
+@@ -264,6 +265,7 @@ struct tevent_req *ad_get_client_site_send(TALLOC_CTX *mem_ctx,
+                                            enum host_database *host_db,
+                                            struct sdap_options *opts,
+                                            const char *ad_domain,
++                                           bool ad_use_ldaps,
+                                            struct fo_server_info *dcs,
+                                            size_t num_dcs)
+ {
+@@ -288,6 +290,7 @@ struct tevent_req *ad_get_client_site_send(TALLOC_CTX *mem_ctx,
+     state->host_db = host_db;
+     state->opts = opts;
+     state->ad_domain = ad_domain;
++    state->ad_use_ldaps = ad_use_ldaps;
+     state->dcs = dcs;
+     state->num_dcs = num_dcs;
+ 
+@@ -331,8 +334,11 @@ static errno_t ad_get_client_site_next_dc(struct tevent_req *req)
+     subreq = sdap_connect_host_send(state, state->ev, state->opts,
+                                     state->be_res->resolv,
+                                     state->be_res->family_order,
+-                                    state->host_db, "ldap", state->dc.host,
+-                                    state->dc.port, false);
++                                    state->host_db,
++                                    state->ad_use_ldaps ? "ldaps" : "ldap",
++                                    state->dc.host,
++                                    state->ad_use_ldaps ? 636 : state->dc.port,
++                                    false);
+     if (subreq == NULL) {
+         ret = ENOMEM;
+         goto done;
+@@ -491,6 +497,7 @@ struct ad_srv_plugin_ctx {
+     const char *ad_domain;
+     const char *ad_site_override;
+     const char *current_site;
++    bool ad_use_ldaps;
+ };
+ 
+ struct ad_srv_plugin_ctx *
+@@ -501,7 +508,8 @@ ad_srv_plugin_ctx_init(TALLOC_CTX *mem_ctx,
+                        struct sdap_options *opts,
+                        const char *hostname,
+                        const char *ad_domain,
+-                       const char *ad_site_override)
++                       const char *ad_site_override,
++                       bool ad_use_ldaps)
+ {
+     struct ad_srv_plugin_ctx *ctx = NULL;
+     errno_t ret;
+@@ -515,6 +523,7 @@ ad_srv_plugin_ctx_init(TALLOC_CTX *mem_ctx,
+     ctx->be_res = be_res;
+     ctx->host_dbs = host_dbs;
+     ctx->opts = opts;
++    ctx->ad_use_ldaps = ad_use_ldaps;
+ 
+     ctx->hostname = talloc_strdup(ctx, hostname);
+     if (ctx->hostname == NULL) {
+@@ -714,6 +723,7 @@ static void ad_srv_plugin_dcs_done(struct tevent_req *subreq)
+                                      state->ctx->host_dbs,
+                                      state->ctx->opts,
+                                      state->discovery_domain,
++                                     state->ctx->ad_use_ldaps,
+                                      dcs, num_dcs);
+     if (subreq == NULL) {
+         ret = ENOMEM;
+diff --git a/src/providers/ad/ad_srv.h b/src/providers/ad/ad_srv.h
+index e553d594d..8e410ec26 100644
+--- a/src/providers/ad/ad_srv.h
++++ b/src/providers/ad/ad_srv.h
+@@ -31,7 +31,8 @@ ad_srv_plugin_ctx_init(TALLOC_CTX *mem_ctx,
+                        struct sdap_options *opts,
+                        const char *hostname,
+                        const char *ad_domain,
+-                       const char *ad_site_override);
++                       const char *ad_site_override,
++                       bool ad_use_ldaps);
+ 
+ struct tevent_req *ad_srv_plugin_send(TALLOC_CTX *mem_ctx,
+                                        struct tevent_context *ev,
+diff --git a/src/providers/ad/ad_subdomains.c b/src/providers/ad/ad_subdomains.c
+index f0b5d59d2..bc10da5bc 100644
+--- a/src/providers/ad/ad_subdomains.c
++++ b/src/providers/ad/ad_subdomains.c
+@@ -282,6 +282,7 @@ ad_subdom_ad_ctx_new(struct be_ctx *be_ctx,
+     bool use_kdcinfo = false;
+     size_t n_lookahead_primary = SSS_KRB5_LOOKAHEAD_PRIMARY_DEFAULT;
+     size_t n_lookahead_backup = SSS_KRB5_LOOKAHEAD_BACKUP_DEFAULT;
++    bool ad_use_ldaps = false;
+ 
+     realm = dp_opt_get_cstring(id_ctx->ad_options->basic, AD_KRB5_REALM);
+     hostname = dp_opt_get_cstring(id_ctx->ad_options->basic, AD_HOSTNAME);
+@@ -312,6 +313,21 @@ ad_subdom_ad_ctx_new(struct be_ctx *be_ctx,
+         return ENOMEM;
+     }
+ 
++    ret = ad_inherit_opts_if_needed(id_ctx->ad_options->basic,
++                                    ad_options->basic,
++                                    be_ctx->cdb, subdom_conf_path,
++                                    AD_USE_LDAPS);
++    if (ret != EOK) {
++        DEBUG(SSSDBG_CRIT_FAILURE,
++              "Failed to inherit option [%s] to sub-domain [%s]. "
++              "This error is ignored but might cause issues or unexpected "
++              "behavior later on.\n",
++              id_ctx->ad_options->basic[AD_USE_LDAPS].opt_name,
++              subdom->name);
++
++        return ret;
++    }
++
+     ret = ad_inherit_opts_if_needed(id_ctx->sdap_id_ctx->opts->basic,
+                                     ad_options->id->basic,
+                                     be_ctx->cdb, subdom_conf_path,
+@@ -344,6 +360,7 @@ ad_subdom_ad_ctx_new(struct be_ctx *be_ctx,
+ 
+     servers = dp_opt_get_string(ad_options->basic, AD_SERVER);
+     backup_servers = dp_opt_get_string(ad_options->basic, AD_BACKUP_SERVER);
++    ad_use_ldaps = dp_opt_get_bool(ad_options->basic, AD_USE_LDAPS);
+ 
+     if (id_ctx->ad_options->auth_ctx != NULL
+             && id_ctx->ad_options->auth_ctx->opts != NULL) {
+@@ -362,7 +379,7 @@ ad_subdom_ad_ctx_new(struct be_ctx *be_ctx,
+ 
+     ret = ad_failover_init(ad_options, be_ctx, servers, backup_servers,
+                            subdom->realm, service_name, gc_service_name,
+-                           subdom->name, use_kdcinfo,
++                           subdom->name, use_kdcinfo, ad_use_ldaps,
+                            n_lookahead_primary,
+                            n_lookahead_backup,
+                            &ad_options->service);
+@@ -386,7 +403,7 @@ ad_subdom_ad_ctx_new(struct be_ctx *be_ctx,
+                                      ad_id_ctx->ad_options->id,
+                                      hostname,
+                                      ad_domain,
+-                                     ad_site_override);
++                                     ad_site_override, ad_use_ldaps);
+     if (srv_ctx == NULL) {
+         DEBUG(SSSDBG_FATAL_FAILURE, "Out of memory?\n");
+         return ENOMEM;
+diff --git a/src/providers/ipa/ipa_subdomains_server.c b/src/providers/ipa/ipa_subdomains_server.c
+index d0e89a4f9..e2037b59d 100644
+--- a/src/providers/ipa/ipa_subdomains_server.c
++++ b/src/providers/ipa/ipa_subdomains_server.c
+@@ -319,7 +319,7 @@ ipa_ad_ctx_new(struct be_ctx *be_ctx,
+     ret = ad_failover_init(ad_options, be_ctx, ad_servers, ad_backup_servers,
+                            subdom->realm,
+                            service_name, gc_service_name,
+-                           subdom->name, use_kdcinfo,
++                           subdom->name, use_kdcinfo, false,
+                            n_lookahead_primary, n_lookahead_backup,
+                            &ad_options->service);
+     if (ret != EOK) {
+@@ -344,7 +344,7 @@ ipa_ad_ctx_new(struct be_ctx *be_ctx,
+                                      ad_id_ctx->ad_options->id,
+                                      id_ctx->server_mode->hostname,
+                                      ad_domain,
+-                                     ad_site_override);
++                                     ad_site_override, false);
+     if (srv_ctx == NULL) {
+         DEBUG(SSSDBG_FATAL_FAILURE, "Out of memory?\n");
+         return ENOMEM;
+-- 
+2.20.1
+
diff --git a/SOURCES/0108-ldap-add-new-option-ldap_sasl_maxssf.patch b/SOURCES/0108-ldap-add-new-option-ldap_sasl_maxssf.patch
new file mode 100644
index 0000000..b6b813d
--- /dev/null
+++ b/SOURCES/0108-ldap-add-new-option-ldap_sasl_maxssf.patch
@@ -0,0 +1,201 @@
+From 07d19249a88d90135dce21e3d112caf70629ef02 Mon Sep 17 00:00:00 2001
+From: Sumit Bose <sbose@redhat.com>
+Date: Fri, 27 Sep 2019 11:49:59 +0200
+Subject: [PATCH 108/109] ldap: add new option ldap_sasl_maxssf
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+There is already the ldap_sasl_minssf option. To be able to control the
+maximal security strength factor (ssf) e.g. when using SASL together
+with TLS the option ldap_sasl_maxssf is added as well.
+
+Related to https://pagure.io/SSSD/sssd/issue/4131
+
+(cherry picked from commit 3b95c39819591428b1e535e5dc874268cf5630c5)
+
+Reviewed-by: Pavel Březina <pbrezina@redhat.com>
+---
+ src/config/SSSDConfig/__init__.py.in       |  1 +
+ src/config/cfg_rules.ini                   |  1 +
+ src/config/etc/sssd.api.d/sssd-ad.conf     |  1 +
+ src/config/etc/sssd.api.d/sssd-ipa.conf    |  1 +
+ src/config/etc/sssd.api.d/sssd-ldap.conf   |  1 +
+ src/man/sssd-ldap.5.xml                    | 16 ++++++++++++++++
+ src/providers/ad/ad_opts.c                 |  1 +
+ src/providers/ipa/ipa_opts.c               |  1 +
+ src/providers/ldap/ldap_opts.c             |  1 +
+ src/providers/ldap/sdap.h                  |  1 +
+ src/providers/ldap/sdap_async_connection.c | 14 ++++++++++++++
+ 11 files changed, 39 insertions(+)
+
+diff --git a/src/config/SSSDConfig/__init__.py.in b/src/config/SSSDConfig/__init__.py.in
+index 00e588f1c..703dee0a5 100644
+--- a/src/config/SSSDConfig/__init__.py.in
++++ b/src/config/SSSDConfig/__init__.py.in
+@@ -300,6 +300,7 @@ option_strings = {
+     'ldap_sasl_authid' : _('Specify the sasl authorization id to use'),
+     'ldap_sasl_realm' : _('Specify the sasl authorization realm to use'),
+     'ldap_sasl_minssf' : _('Specify the minimal SSF for LDAP sasl authorization'),
++    'ldap_sasl_maxssf' : _('Specify the maximal SSF for LDAP sasl authorization'),
+     'ldap_krb5_keytab' : _('Kerberos service keytab'),
+     'ldap_krb5_init_creds' : _('Use Kerberos auth for LDAP connection'),
+     'ldap_referrals' : _('Follow LDAP referrals'),
+diff --git a/src/config/cfg_rules.ini b/src/config/cfg_rules.ini
+index c3d8bd88f..bab9b4541 100644
+--- a/src/config/cfg_rules.ini
++++ b/src/config/cfg_rules.ini
+@@ -655,6 +655,7 @@ option = ldap_sasl_authid
+ option = ldap_sasl_canonicalize
+ option = ldap_sasl_mech
+ option = ldap_sasl_minssf
++option = ldap_sasl_maxssf
+ option = ldap_schema
+ option = ldap_pwmodify_mode
+ option = ldap_search_base
+diff --git a/src/config/etc/sssd.api.d/sssd-ad.conf b/src/config/etc/sssd.api.d/sssd-ad.conf
+index 48522437f..c53c08f37 100644
+--- a/src/config/etc/sssd.api.d/sssd-ad.conf
++++ b/src/config/etc/sssd.api.d/sssd-ad.conf
+@@ -41,6 +41,7 @@ ldap_tls_reqcert = str, None, false
+ ldap_sasl_mech = str, None, false
+ ldap_sasl_authid = str, None, false
+ ldap_sasl_minssf = int, None, false
++ldap_sasl_maxssf = int, None, false
+ krb5_kdcip = str, None, false
+ krb5_server = str, None, false
+ krb5_backup_server = str, None, false
+diff --git a/src/config/etc/sssd.api.d/sssd-ipa.conf b/src/config/etc/sssd.api.d/sssd-ipa.conf
+index 5b17de345..514e8b136 100644
+--- a/src/config/etc/sssd.api.d/sssd-ipa.conf
++++ b/src/config/etc/sssd.api.d/sssd-ipa.conf
+@@ -32,6 +32,7 @@ ldap_tls_reqcert = str, None, false
+ ldap_sasl_mech = str, None, false
+ ldap_sasl_authid = str, None, false
+ ldap_sasl_minssf = int, None, false
++ldap_sasl_maxssf = int, None, false
+ krb5_kdcip = str, None, false
+ krb5_server = str, None, false
+ krb5_backup_server = str, None, false
+diff --git a/src/config/etc/sssd.api.d/sssd-ldap.conf b/src/config/etc/sssd.api.d/sssd-ldap.conf
+index a911b1977..40746f8ff 100644
+--- a/src/config/etc/sssd.api.d/sssd-ldap.conf
++++ b/src/config/etc/sssd.api.d/sssd-ldap.conf
+@@ -35,6 +35,7 @@ ldap_page_size = int, None, false
+ ldap_deref_threshold = int, None, false
+ ldap_sasl_canonicalize = bool, None, false
+ ldap_sasl_minssf = int, None, false
++ldap_sasl_maxssf = int, None, false
+ ldap_connection_expire_timeout = int, None, false
+ ldap_disable_paging = bool, None, false
+ ldap_disable_range_retrieval = bool, None, false
+diff --git a/src/man/sssd-ldap.5.xml b/src/man/sssd-ldap.5.xml
+index 3e769038b..311203523 100644
+--- a/src/man/sssd-ldap.5.xml
++++ b/src/man/sssd-ldap.5.xml
+@@ -1591,6 +1591,22 @@
+                     </listitem>
+                 </varlistentry>
+ 
++                <varlistentry>
++                    <term>ldap_sasl_maxssf (integer)</term>
++                    <listitem>
++                        <para>
++                            When communicating with an LDAP server using SASL,
++                            specify the maximal security level necessary to
++                            establish the connection. The values of this
++                            option are defined by OpenLDAP.
++                        </para>
++                        <para>
++                            Default: Use the system default (usually specified
++                            by ldap.conf)
++                        </para>
++                    </listitem>
++                </varlistentry>
++
+                 <varlistentry>
+                     <term>ldap_deref_threshold (integer)</term>
+                     <listitem>
+diff --git a/src/providers/ad/ad_opts.c b/src/providers/ad/ad_opts.c
+index cd898cbd2..f181e5073 100644
+--- a/src/providers/ad/ad_opts.c
++++ b/src/providers/ad/ad_opts.c
+@@ -105,6 +105,7 @@ struct dp_option ad_def_ldap_opts[] = {
+     { "ldap_sasl_authid", DP_OPT_STRING, NULL_STRING, NULL_STRING },
+     { "ldap_sasl_realm", DP_OPT_STRING, NULL_STRING, NULL_STRING },
+     { "ldap_sasl_minssf", DP_OPT_NUMBER, { .number = -1 }, NULL_NUMBER },
++    { "ldap_sasl_maxssf", DP_OPT_NUMBER, { .number = -1 }, NULL_NUMBER },
+     { "ldap_krb5_keytab", DP_OPT_STRING, NULL_STRING, NULL_STRING },
+     { "ldap_krb5_init_creds", DP_OPT_BOOL, BOOL_TRUE, BOOL_TRUE },
+     /* use the same parm name as the krb5 module so we set it only once */
+diff --git a/src/providers/ipa/ipa_opts.c b/src/providers/ipa/ipa_opts.c
+index 600b9ec4b..c43b21778 100644
+--- a/src/providers/ipa/ipa_opts.c
++++ b/src/providers/ipa/ipa_opts.c
+@@ -113,6 +113,7 @@ struct dp_option ipa_def_ldap_opts[] = {
+     { "ldap_sasl_authid", DP_OPT_STRING, NULL_STRING, NULL_STRING },
+     { "ldap_sasl_realm", DP_OPT_STRING, NULL_STRING, NULL_STRING },
+     { "ldap_sasl_minssf", DP_OPT_NUMBER, { .number = 56 }, NULL_NUMBER },
++    { "ldap_sasl_maxssf", DP_OPT_NUMBER, { .number = -1 }, NULL_NUMBER },
+     { "ldap_krb5_keytab", DP_OPT_STRING, NULL_STRING, NULL_STRING },
+     { "ldap_krb5_init_creds", DP_OPT_BOOL, BOOL_TRUE, BOOL_TRUE },
+     /* use the same parm name as the krb5 module so we set it only once */
+diff --git a/src/providers/ldap/ldap_opts.c b/src/providers/ldap/ldap_opts.c
+index 9b4a277d0..b0e903f62 100644
+--- a/src/providers/ldap/ldap_opts.c
++++ b/src/providers/ldap/ldap_opts.c
+@@ -74,6 +74,7 @@ struct dp_option default_basic_opts[] = {
+     { "ldap_sasl_authid", DP_OPT_STRING, NULL_STRING, NULL_STRING },
+     { "ldap_sasl_realm", DP_OPT_STRING, NULL_STRING, NULL_STRING },
+     { "ldap_sasl_minssf", DP_OPT_NUMBER, { .number = -1 }, NULL_NUMBER },
++    { "ldap_sasl_maxssf", DP_OPT_NUMBER, { .number = -1 }, NULL_NUMBER },
+     { "ldap_krb5_keytab", DP_OPT_STRING, NULL_STRING, NULL_STRING },
+     { "ldap_krb5_init_creds", DP_OPT_BOOL, BOOL_TRUE, BOOL_TRUE },
+     /* use the same parm name as the krb5 module so we set it only once */
+diff --git a/src/providers/ldap/sdap.h b/src/providers/ldap/sdap.h
+index 126cb10d4..0bf4fe12b 100644
+--- a/src/providers/ldap/sdap.h
++++ b/src/providers/ldap/sdap.h
+@@ -192,6 +192,7 @@ enum sdap_basic_opt {
+     SDAP_SASL_AUTHID,
+     SDAP_SASL_REALM,
+     SDAP_SASL_MINSSF,
++    SDAP_SASL_MAXSSF,
+     SDAP_KRB5_KEYTAB,
+     SDAP_KRB5_KINIT,
+     SDAP_KRB5_KDC,
+diff --git a/src/providers/ldap/sdap_async_connection.c b/src/providers/ldap/sdap_async_connection.c
+index 6bc271a91..afa31ea0f 100644
+--- a/src/providers/ldap/sdap_async_connection.c
++++ b/src/providers/ldap/sdap_async_connection.c
+@@ -148,6 +148,8 @@ static void sdap_sys_connect_done(struct tevent_req *subreq)
+     const char *sasl_mech;
+     int sasl_minssf;
+     ber_len_t ber_sasl_minssf;
++    int sasl_maxssf;
++    ber_len_t ber_sasl_maxssf;
+ 
+     ret = sss_ldap_init_recv(subreq, &state->sh->ldap, &sd);
+     talloc_zfree(subreq);
+@@ -291,6 +293,18 @@ static void sdap_sys_connect_done(struct tevent_req *subreq)
+                 goto fail;
+             }
+         }
++
++        sasl_maxssf = dp_opt_get_int(state->opts->basic, SDAP_SASL_MAXSSF);
++        if (sasl_maxssf >= 0) {
++            ber_sasl_maxssf = (ber_len_t)sasl_maxssf;
++            lret = ldap_set_option(state->sh->ldap, LDAP_OPT_X_SASL_SSF_MAX,
++                                   &ber_sasl_maxssf);
++            if (lret != LDAP_OPT_SUCCESS) {
++                DEBUG(SSSDBG_CRIT_FAILURE, "Failed to set LDAP MAX SSF option "
++                                            "to %d\n", sasl_maxssf);
++                goto fail;
++            }
++        }
+     }
+ 
+     /* if we do not use start_tls the connection is not really connected yet
+-- 
+2.20.1
+
diff --git a/SOURCES/0109-ad-set-min-and-max-ssf-for-ldaps.patch b/SOURCES/0109-ad-set-min-and-max-ssf-for-ldaps.patch
new file mode 100644
index 0000000..4e1360f
--- /dev/null
+++ b/SOURCES/0109-ad-set-min-and-max-ssf-for-ldaps.patch
@@ -0,0 +1,93 @@
+From 9b875b87fda7dab1c92022b5c2e3b11cd5fffa4f Mon Sep 17 00:00:00 2001
+From: Sumit Bose <sbose@redhat.com>
+Date: Fri, 27 Sep 2019 13:45:13 +0200
+Subject: [PATCH 109/109] ad: set min and max ssf for ldaps
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+AD does not allow to use encryption in the TLS and SASL layer at the
+same time. To be able to use ldaps this patch sets min and max ssf to 0
+if ldaps should be used.
+
+Related to https://pagure.io/SSSD/sssd/issue/4131
+
+(cherry picked from commit 50a92f65c4823d272240ef416f2b05874b2b7918)
+
+Reviewed-by: Pavel Březina <pbrezina@redhat.com>
+---
+ src/providers/ad/ad_common.c     | 21 +++++++++++++++++++++
+ src/providers/ad/ad_common.h     |  2 ++
+ src/providers/ad/ad_subdomains.c |  4 ++++
+ 3 files changed, 27 insertions(+)
+
+diff --git a/src/providers/ad/ad_common.c b/src/providers/ad/ad_common.c
+index de8a0c8bb..4e46da7f2 100644
+--- a/src/providers/ad/ad_common.c
++++ b/src/providers/ad/ad_common.c
+@@ -1008,6 +1008,23 @@ done:
+     return;
+ }
+ 
++void ad_set_ssf_for_ldaps(struct sdap_options *id_opts)
++{
++    int ret;
++
++    DEBUG(SSSDBG_TRACE_ALL, "Setting ssf for ldaps usage.\n");
++    ret = dp_opt_set_int(id_opts->basic, SDAP_SASL_MINSSF, 0);
++    if (ret != EOK) {
++        DEBUG(SSSDBG_CRIT_FAILURE,
++              "Failed to set SASL minssf for ldaps usage, ignored.\n");
++    }
++    ret = dp_opt_set_int(id_opts->basic, SDAP_SASL_MAXSSF, 0);
++    if (ret != EOK) {
++        DEBUG(SSSDBG_CRIT_FAILURE,
++              "Failed to set SASL maxssf for ldaps usage, ignored.\n");
++    }
++}
++
+ static errno_t
+ ad_set_sdap_options(struct ad_options *ad_opts,
+                     struct sdap_options *id_opts)
+@@ -1066,6 +1083,10 @@ ad_set_sdap_options(struct ad_options *ad_opts,
+         goto done;
+     }
+ 
++    if (dp_opt_get_bool(ad_opts->basic, AD_USE_LDAPS)) {
++        ad_set_ssf_for_ldaps(id_opts);
++    }
++
+     /* Warn if the user is doing something silly like overriding the schema
+      * with the AD provider
+      */
+diff --git a/src/providers/ad/ad_common.h b/src/providers/ad/ad_common.h
+index 54245b9f8..753394832 100644
+--- a/src/providers/ad/ad_common.h
++++ b/src/providers/ad/ad_common.h
+@@ -177,6 +177,8 @@ errno_t
+ ad_get_dyndns_options(struct be_ctx *be_ctx,
+                       struct ad_options *ad_opts);
+ 
++void ad_set_ssf_for_ldaps(struct sdap_options *id_opts);
++
+ struct ad_id_ctx *
+ ad_id_ctx_init(struct ad_options *ad_opts, struct be_ctx *bectx);
+ 
+diff --git a/src/providers/ad/ad_subdomains.c b/src/providers/ad/ad_subdomains.c
+index bc10da5bc..f94936102 100644
+--- a/src/providers/ad/ad_subdomains.c
++++ b/src/providers/ad/ad_subdomains.c
+@@ -328,6 +328,10 @@ ad_subdom_ad_ctx_new(struct be_ctx *be_ctx,
+         return ret;
+     }
+ 
++    if (dp_opt_get_bool(ad_options->basic, AD_USE_LDAPS)) {
++        ad_set_ssf_for_ldaps(ad_options->id);
++    }
++
+     ret = ad_inherit_opts_if_needed(id_ctx->sdap_id_ctx->opts->basic,
+                                     ad_options->id->basic,
+                                     be_ctx->cdb, subdom_conf_path,
+-- 
+2.20.1
+
diff --git a/SPECS/sssd.spec b/SPECS/sssd.spec
index 4608e75..758ef2a 100644
--- a/SPECS/sssd.spec
+++ b/SPECS/sssd.spec
@@ -48,7 +48,7 @@
 
 Name: sssd
 Version: 1.16.4
-Release: 21%{?dist}.3
+Release: 37%{?dist}
 Group: Applications/System
 Summary: System Security Services Daemon
 License: GPLv3+
@@ -92,11 +92,80 @@ Patch0032: 0032-Translation-Update-japanese-translation.patch
 Patch0033: 0033-Translation-Add-missing-newlines-in-the-ja-po-file.patch
 Patch0034: 0034-TESTS-Add-a-unit-test-for-UPNs-stored-by-sss_ncache_.patch
 Patch0035: 0035-negcache-add-fq-usernames-of-know-domains-to-all-UPN.patch
-Patch0036: 0036-LDAP-failover-does-not-work-on-non-responsive-ldaps.patch
-Patch0037: 0037-Add-TCP-level-timeout-to-LDAP-services.patch
-Patch0038: 0038-sss_sockets-pass-pointer-instead-of-integer.patch
-Patch0039: 0039-ipa-add-failover-to-override-lookups.patch
-Patch0040: 0040-ipa-add-failover-to-access-checks.patch
+Patch0036: 0036-CACHE-SSSD-doesn-t-clear-cache-entries.patch
+Patch0037: 0037-IPA-Allow-paging-when-fetching-external-groups.patch
+Patch0038: 0038-ad-remove-subdomain-that-has-been-disabled-through-a.patch
+Patch0039: 0039-sysdb-add-sysdb_domain_set_enabled.patch
+Patch0040: 0040-ad-set-enabled-false-attribute-for-subdomains-that-n.patch
+Patch0041: 0041-sysdb-read-and-interpret-domain-s-enabled-attribute.patch
+Patch0042: 0042-sysdb-add-sysdb_list_subdomains.patch
+Patch0043: 0043-ad-remove-all-subdomains-if-only-master-domain-is-en.patch
+Patch0044: 0044-ad-make-ad_enabled_domains-case-insensitive.patch
+Patch0045: 0045-SYSDB-Add-sysdb_search_with_ts_attr.patch
+Patch0046: 0046-BE-search-with-sysdb_search_with_ts_attr.patch
+Patch0047: 0047-BE-Enable-refresh-for-multiple-domains.patch
+Patch0048: 0048-BE-Make-be_refresh_ctx_init-set-up-the-periodical-ta.patch
+Patch0049: 0049-BE-LDAP-Call-be_refresh_ctx_init-in-the-provider-lib.patch
+Patch0050: 0050-BE-Pass-in-attribute-to-look-up-with-instead-of-hard.patch
+Patch0051: 0051-BE-Change-be_refresh_ctx_init-to-return-errno-and-se.patch
+Patch0052: 0052-BE-LDAP-Split-out-a-helper-function-from-sdap_refres.patch
+Patch0053: 0053-BE-Pass-in-filter_type-when-creating-the-refresh-acc.patch
+Patch0054: 0054-BE-Send-refresh-requests-in-batches.patch
+Patch0055: 0055-BE-Extend-be_ptask_create-with-control-when-to-sched.patch
+Patch0056: 0056-BE-Schedule-the-refresh-interval-from-the-finish-tim.patch
+Patch0057: 0057-AD-Implement-background-refresh-for-AD-domains.patch
+Patch0058: 0058-IPA-Implement-background-refresh-for-IPA-domains.patch
+Patch0059: 0059-BE-IPA-AD-LDAP-Add-inigroups-refresh-support.patch
+Patch0060: 0060-BE-IPA-AD-LDAP-Initialize-the-refresh-callback-from-.patch
+Patch0061: 0061-IPA-AD-SDAP-BE-Generate-refresh-callbacks-with-a-mac.patch
+Patch0062: 0062-MAN-Amend-the-documentation-for-the-background-refre.patch
+Patch0063: 0063-DP-SYSDB-Move-the-code-to-set-initgrExpireTimestamp-.patch
+Patch0064: 0064-IPA-AD-LDAP-Increase-the-initgrExpireTimestamp-after.patch
+Patch0065: 0065-sss_ptr_hash-add-sss_ptr_get_value-to-make-it-useful.patch
+Patch0066: 0066-sss_ptr_hash-keep-value-pointer-when-destroying-spy.patch
+Patch0067: 0067-autofs-fix-typo-in-test-tool.patch
+Patch0068: 0068-sysdb-add-expiration-time-to-autofs-entries.patch
+Patch0069: 0069-sysdb-add-sysdb_get_autofsentry.patch
+Patch0070: 0070-sysdb-add-enumerationExpireTimestamp.patch
+Patch0071: 0071-sysdb-store-enumeration-expiration-time-in-autofs-ma.patch
+Patch0072: 0072-sysdb-store-original-dn-in-autofs-map.patch
+Patch0073: 0073-sysdb-add-sysdb_del_autofsentry_by_key.patch
+Patch0074: 0074-autofs-move-data-provider-functions-to-responder-com.patch
+Patch0075: 0075-cache_req-add-autofs-map-entries-plugin.patch
+Patch0076: 0076-cache_req-add-autofs-map-by-name-plugin.patch
+Patch0077: 0077-cache_req-add-autofs-entry-by-name-plugin.patch
+Patch0078: 0078-autofs-convert-code-to-cache_req.patch
+Patch0079: 0079-autofs-use-cache_req-to-obtain-single-entry-in-geten.patch
+Patch0080: 0080-autofs-use-cache_req-to-obtain-map-in-setent.patch
+Patch0081: 0081-dp-replace-autofs-handler-with-enumerate-method.patch
+Patch0082: 0082-dp-add-additional-autofs-methods.patch
+Patch0083: 0083-ldap-add-base_dn-to-sdap_search_bases.patch
+Patch0084: 0084-ldap-rename-sdap_autofs_get_map-to-sdap_autofs_enume.patch
+Patch0085: 0085-ldap-implement-autofs-get-map.patch
+Patch0086: 0086-ldap-implement-autofs-get-entry.patch
+Patch0087: 0087-autofs-allow-to-run-only-setent-without-enumeration-.patch
+Patch0088: 0088-autofs-always-refresh-auto.master.patch
+Patch0089: 0089-sysdb-invalidate-also-autofs-entries.patch
+Patch0090: 0090-sss_cache-invalidate-also-autofs-entries.patch
+Patch0091: 0091-CONFDB-Files-domain-if-activated-without-.conf.patch
+Patch0092: 0092-TESTS-adapt-tests-to-enabled-default-files-domain.patch
+PAtch0093: 0093-utils-extend-some-find_domain_-calls-to-search-disab.patch
+Patch0094: 0094-ipa-support-disabled-domains.patch
+Patch0095: 0095-ipa-ignore-objects-from-disabled-domains-on-the-clie.patch
+Patch0096: 0096-sysdb-add-sysdb_subdomain_content_delete.patch
+Patch0097: 0097-ipa-delete-content-of-disabled-domains.patch
+Patch0098: 0098-ipa-use-LDAP-not-extdom-to-lookup-IPA-users-and-grou.patch
+Patch0099: 0099-providers-ipa-add_v1_user_data-amended.patch
+Patch0100: 0100-zanata-Initial-push-to-rhel-7-branch.patch 
+Patch0101: 0101-zanata-Pull-new-translations-for-7.8-branch.patch
+Patch0102: 0102-autofs-delete-possible-duplicate-of-an-autofs-entry.patch
+Patch0103: 0103-ipa-use-the-right-context-for-autofs.patch
+Patch0104: 0104-ipa-add-failover-to-override-lookups.patch
+Patch0105: 0105-ipa-add-failover-to-access-checks.patch
+Patch0106: 0106-ad-allow-booleans-for-ad_inherit_opts_if_needed.patch
+Patch0107: 0107-ad-add-ad_use_ldaps.patch
+Patch0108: 0108-ldap-add-new-option-ldap_sasl_maxssf.patch
+Patch0109: 0109-ad-set-min-and-max-ssf-for-ldaps.patch
 
 #This patch should not be removed in RHEL-7
 Patch999: 0999-NOUPSTREAM-Default-to-root-if-sssd-user-is-not-spec
@@ -636,7 +705,9 @@ autoreconf -ivf
     %{?with_idmap_version}
 
 make %{?_smp_mflags} all docs
-make -C po ja.gmo # TODO: Rebuild all gmo files all remove this in next rebase
+
+# Update only languages that were requested by PM
+make -C po ja.gmo
 
 %check
 export CK_TIMEOUT_MULTIPLIER=10
@@ -1254,17 +1325,69 @@ systemctl try-restart sssd >/dev/null 2>&1 || :
 }
 
 %changelog
-* Sun Mar 01 2020 Alexey Tikhonov <atikhono@redhat.com> - 1.16.4-21.3
-- Resolves: rhbz#1807934 - sssd failover leads to delayed and failed logins
-                           [rhel-7.7.z]
+* Tue Jan 15 2020 Michal Židek <mzidek@redhat.com> - 1.16.4-37
+- Resolves: rhbz#1784620 - Force LDAPS over 636 with AD Access Provider
+- just bumping the version to fix generated dates in man pages
+
+* Tue Jan 14 2020 Michal Židek <mzidek@redhat.com> - 1.16.4-36
+- Resolves: rhbz#1784620 - Force LDAPS over 636 with AD Access Provider
+
+* Mon Dec 2 2019 Michal Židek <mzidek@redhat.com> - 1.16.4-35
+- Resolves: rhbz#1769755 - sssd failover leads to delayed and failed logins
+
+* Wed Nov 20 2019 Michal Židek <mzidek@redhat.com> - 1.16.4-34
+- Resolves: rhbz#1768404 - automount on RHEL7 gives the message
+                           'lookup(sss): setautomntent: No such file or
+                           directory'
+
+* Thu Nov 7 2019 Michal Židek <mzidek@redhat.com> - 1.16.4-33
+- Resolves: rhbz#1734056 - [sssd] RHEL 7.8 Tier 0 Localization
+
+* Sun Sep 29 2019 Michal Židek <mzidek@redhat.com> - 1.16.4-32
+- Resolves: rhbz#1530741 - Trusted domain user logins succeed after using ipa
+                           trustdomain-disable
+
+* Sun Sep 29 2019 Michal Židek <mzidek@redhat.com> - 1.16.4-31
+- Resolves: rhbz#1746878 - Let IPA client read IPA objects via LDAP and not
+                           a extdom plugin when resolving trusted users and
+                           groups
+
+* Fri Sep 20 2019 Michal Židek <mzidek@redhat.com> - 1.16.4-30
+- Resolves: rhbz#1530741 - Trusted domain user logins succeed after using
+                           ipa trustdomain-disable
+
+* Fri Sep 20 2019 Michal Židek <mzidek@redhat.com> - 1.16.4-29
+- Resolves: rhbz#1713352 - Implicit files domain gets activated when no
+                           sssd.conf present and sssd is started
+
+* Thu Sep 19 2019 Michal Židek <mzidek@redhat.com> - 1.16.4-28
+- Resolves: rhbz#1206221 - sssd should not always read entire autofs map from
+                           ldap
+
+* Thu Sep 19 2019 Michal Židek <mzidek@redhat.com> - 1.16.4-27
+- Resolves: rhbz#1657978 - SSSD is not refreshing cached user data for the
+                           ipa sub-domain in a IPA/AD trust
+
+* Thu Sep 5 2019 Michal Židek <mzidek@redhat.com> - 1.16.4-26
+- Resolves: rhbz#1541172 - ad_enabled_domains does not disable old subdomain
+                           after a restart until a timer removes it
+
+* Thu Sep 5 2019 Michal Židek <mzidek@redhat.com> - 1.16.4-25
+- Resolves: rhbz#1738674 - Paging not enabled when fetching external groups,
+                           limits the number of external groups to 2000
+
+* Thu Sep 5 2019 Michal Židek <mzidek@redhat.com> - 1.16.4-24
+- Resolves: rhbz#1650018 - SSSD doesn't clear cache entries for IDs
+                           below min_id
 
-* Thu Feb 13 2020 Michal Židek <mzidek@redhat.com> - 1.16.4-21.2
-- Resolves: rhbz#1801207 - id command taking 1+ minute for returning user
-                           information [rhel-7.7.z] (
+* Thu Sep 5 2019 Michal Židek <mzidek@redhat.com> - 1.16.4-23
+- Resolves: rhbz#1724088 - negative cache does not use values from
+                           'filter_users' config option for known domains
 
-* Wed Oct 09 2019 Michal Židek <mzidek@redhat.com> - 1.16.4-21.1
-- Resolves: rhbz#1758566 - negative cache does not use values from 'filter_users'
-                           config option for known domains [rhel-7.7.z]
+* Wed Aug 14 2019 Michal Židek <mzidek@redhat.com> - 1.16.4-22
+- Resolves: rhbz#1422618 - sssd does not failover to another IPA
+                           server if just the KDC service fails 
+- Just bumping the version to work around "build already exists"
 
 * Fri Jun 07 2019 Michal Židek <mzidek@redhat.com> - 1.16.4-21
 - Resolves: rhbz#1714952 - [sssd] RHEL 7.7 Tier 0 Localization